On 07/26/2011 06:14 PM, Roel Hoek wrote:

Hello Roel,

> We experience a problem with a handler for authenticating wireless-lan users.
> AuthBy-File for a PEAP-mschapV2 cannot match a user if
> the outer and inner identity are not equal (normal situation).
> It looks like the userfile is searched by the outer-identity, although the
> inner-identity is used for authentication via LDAP.

Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section "5.19.24
EAPAnonymous" for more info about EAPAnonymous.

Your inner Handler has an AuthBy FILE clause with NoEAP. Radiator will then
use the User-Name attribute instead of the EAP Identity to do the
authentication. With EAPAnonymous you can set the inner request User-Name the
same as the EAP Identity.

Please let us know if this works for you.

Thanks!
Heikki

> We want for certain users a different reply-item (Tunnel-Private-Group-ID =
> 1:131). Default users get "Tunnel-Private-Group-ID = 1:125".
>
> Is this a bug or a configuration error?
>
> -------------------------------------------------------------------------------------
> part of logging:
>
> Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
> Attributes:
>         EAP-Message = <2><1><0>Q<26><2><1><0>L1:0<228><135><228><157>!<158>(-oL<26><178><213><199><0><0><0><0><0><0><0><0>>_<251>woZ;<156>-<13>r<204><W<179>DZ<173>,~<240>L<188><139><0>d3126217@utwente.test2
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "jupiter@utwente.test2"
>
> Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with jupiter@utwente.test2 [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter@utwente.test2 [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: INFO: Connecting to oid.utwente.nl:389
> Tue Jul 26 16:36:46 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, bla bla bla
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got chappassword: {rcrypt}<------>
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: DEFAULT [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP: result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter@utwente.test2: EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
> Attributes:
>         EAP-Message = <1><2><0>=<26><3><1><0>8S=9B980A90DF101E2389BFC05B92F3DE116CBEEF18 M=success
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:Ether_802
>         Tunnel-Private-Group-ID = 1:125
>
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter@utwente.test2: EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Sending to 172.31.178.10 port 32770 ....
> Code:       Access-Challenge
> Identifier: 217
> Authentic:  <246>d:7<188><212>BEYlXK<20><156><19>*
> Attributes:
>         EAP-Message = <1><10><0>k<25><1><23><3><1><0>`<18><183><136><170><169><204><141>dst<231><150>w<150><165>6<!!<171>c?<173>L<200><135>?#<219>"f<142><165>G'h<192>q<168>(<246><249><247><140>6<152>X<215><22><23><227><197><1>d<31><193>`+<245>a<142><10><224><6>a<21><233>[&,<133>G<232><A<195><188><165>z<23><208><169>@<17><225><226>Q.<185><142>|,<6>f<14><229>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Received from 172.31.178.10 port 32770 ....
> Code:       Access-Request
> Identifier: 218
> Authentic:  <231><3>)mlW<168><158>X<18>A<29><141>1<226><210>
> Attributes:
>         User-Name = "jupiter@utwente.test2"
>         Calling-Station-Id = "00271026a434"
>         Called-Station-Id = "001874d28d00:eduroam"
>         NAS-Port = 13
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         Airespace-WLAN-Id = 2
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 131
>         EAP-Message = <2><10><0>`<25><1><23><3><1><0>~<235>4<196><203><245><217>q<228>Jw<175><207><200>,<200><223><<2>i:<149>]<169>G<24><253><154>+K<29>C<23><3><1><0>0<207>{<235>i<253>a7<214>\<13><250><189><190><217>\<228><130>U><4>$<29><131><163><230>L<149><230><136><235>*<242><237>q<241><217><181>a<169><254><0>\B<14><215><155>R<8>
>         Message-Authenticator = <214><202><221>j<3><11>~<177><153>z<217><183>D<149><211><135>
>
> --
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 25
> Tue Jul 26 16:36:46 2011: DEBUG: EAP PEAP inner authentication request for jupiter@utwente.test2
> Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <252><197>V?<232><180>fF<18>n<<176><151><212><141>n
> Attributes:
>         EAP-Message = <2><2><0><6><26><3>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "jupiter@utwente.test2"
>
> Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with jupiter@utwente.test2 [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter@utwente.test2 [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 0,
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [jupiter@utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP: result: ACCEPT,
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Jul 26 16:36:46 2011: DEBUG: Access accepted for jupiter@utwente.test2
> Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <252><197>V?<232><180>fF<18>n<<176><151><212><141>n
> Attributes:
>         EAP-Message = <3><2><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:Ether_802
>         Tunnel-Private-Group-ID = 1:125
>
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter@utwente.test2: EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Sending to 172.31.178.10 port 32770 ....
>
> -------------------------------------------------------------------------------------
> part of radiator.cfg:
>
> # WLAN (utwente.test2) inner authentication (PEAP)
> #
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>
>         AuthByPolicy ContinueWhileReject
>
>         # Hook to set the class attribute when not anonymous
>         # (temp disabled):PreAuthHook file:"%D/hooks/anonymous.pl"
>         AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>         <AuthBy GROUP>
>                 AuthByPolicy ContinueWhileReject
>
>                 <AuthBy FILE>
>                         AuthenticateAttribute User-Name
>                         RewriteUsername s/^([^@]+).*/$1/
>                         RewriteUsername s/^\s*//
>                         RewriteUsername s/\s*$//
>                         Filename %D/users-wlan-peap
>
>                         # This tells the PEAP client what types of inner EAP requests
>                         # we will honour
>                         NoEAP
>
>                 </AuthBy>
>         </AuthBy>
> </Handler>
>
> # WLAN outer authentication
> #
> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>         <AuthBy FILE>
>                 EAPType TTLS,PEAP
>                 EAPTLS_CAFile /etc/radiator/pki/CAs/chain.pem
>                 EAPTLS_CertificateFile /etc/radiator/pki/server/cert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/radiator/pki/server/key.pem
>                 EAPTLS_PrivateKeyPassword <---------->
>                 EAPTLS_MaxFragmentSize 1024
>                 EAPTLS_SessionResumption 0
>                 AutoMPPEKeys
>                 EAPTLS_PEAPBrokenV1Label
>                 EAPTTLS_NoAckRequired
>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>                 EAPAnonymous %u
>         </AuthBy>
>
>         # send the authorisation logging to:
>         AuthLog authlogging-wlan
>         Identifier WLAN-OUTER-TEST
>         Description WLAN
>         AuthLog authlogging-tent
> </Handler>
> -------------------------------------------------------------------------------------
> part of users-wlan-peap:
>
> DEFAULT Auth-Type = productieoid-peap
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:125
>
> d3126217 Auth-Type = productieoid-peap
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:131,
>         Login-LAT-Group = "qnet"
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
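The following Python is an added illustration of the behaviour discussed in this thread; it is not code from the thread, from Roel's configuration, or from Radiator itself. It parses a constructed users file in the same flat format as the quoted users-wlan-peap excerpt, applies the three RewriteUsername rules from the quoted AuthBy FILE clause, and then shows which reply items are selected when the lookup is keyed on the outer identity (what the log shows with `EAPAnonymous %u`) versus the EAP identity carried inside the tunnel (what Heikki's suggested change makes the inner User-Name). The lookup order (exact name first, then DEFAULT) is modelled on the "looks for match with ... / looks for match with DEFAULT" log lines; the file contents and the identities are the thread's own values, reused here as sample input.

```python
import re

# Constructed sample in the Radiator flat users-file format, copied from the
# users-wlan-peap excerpt quoted in the thread (sample input for this example).
USERS_FILE = """\
DEFAULT Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217 Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
"""

# Python equivalents of the three Perl s/// RewriteUsername rules in the
# quoted AuthBy FILE clause: strip the realm, then leading/trailing whitespace.
REWRITES = [
    (r"^([^@]+).*", r"\1"),
    (r"^\s*", ""),
    (r"\s*$", ""),
]


def rewrite_username(name):
    """Apply the RewriteUsername rules in order, one substitution each (no /g)."""
    for pattern, repl in REWRITES:
        name = re.sub(pattern, repl, name, count=1)
    return name


def _parse_items(text):
    """Parse 'Attr = value, Attr = value' into a dict; surrounding quotes dropped."""
    items = {}
    for part in text.split(","):
        part = part.strip()
        if part:
            attr, _, value = part.partition("=")
            items[attr.strip()] = value.strip().strip('"')
    return items


def parse_users_file(text):
    """Return [(name, check_items, reply_items)] in file order.

    A user line starts in column 1 with the name followed by check items;
    indented continuation lines carry reply items, comma-terminated except
    for the last one of the entry.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("reply items before any user line")
            current[2].update(_parse_items(raw.strip().rstrip(",")))
        else:
            name, _, rest = raw.partition(" ")
            current = (name, _parse_items(rest), {})
            entries.append(current)
    return entries


def lookup(entries, key):
    """Exact name match first; otherwise fall back to the DEFAULT entry."""
    for name, _check, reply in entries:
        if name == key:
            return name, reply
    for name, _check, reply in entries:
        if name == "DEFAULT":
            return name, reply
    return None, {}


def vlan_for(entries, eap_identity, outer_identity, key_on_eap_identity):
    """Simulate reply-item selection keyed on the EAP identity (the inner
    User-Name after the suggested EAPAnonymous change) or on the outer identity
    (what the quoted log shows). Returns (matched entry, Tunnel-Private-Group-ID)."""
    key = rewrite_username(eap_identity if key_on_eap_identity else outer_identity)
    name, reply = lookup(entries, key)
    return name, reply.get("Tunnel-Private-Group-ID")


if __name__ == "__main__":
    users = parse_users_file(USERS_FILE)
    for keyed in (False, True):
        print("EAP identity" if keyed else "outer identity",
              vlan_for(users, "d3126217@utwente.test2",
                       "jupiter@utwente.test2", keyed))
```

Keyed on the outer identity, user d3126217 never matches his own entry and always lands on DEFAULT with VLAN 1:125, which is exactly what the quoted Access-Accept shows. Keyed on the EAP identity, the specific entry matches and VLAN 1:131 plus Login-LAT-Group are returned. The outer identity in PEAP is sent before any authentication and is chosen freely by the supplicant, so per-user authorisation such as VLAN assignment should be keyed on the identity that was actually authenticated inside the tunnel, which is the point of Heikki's suggestion.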