Hello Heikki,

I changed the config as proposed. The <AuthBy LDAP2> is handled with success, but the second handler, <AuthBy FILE>, fails again (AuthFILE REJECT: No such user: [email protected] [[email protected]]). EAPAnonymous in the EAP outer handler is %u. With %0 the User-Name is "" and no handler can be found.

Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug 2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
Tue Aug 2 11:41:05 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
Tue Aug 2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
Tue Aug 2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
Tue Aug 2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [[email protected]]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [[email protected]]
Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Aug 2 11:41:05 2011: DEBUG: Access challenged for [email protected]: EAP MSCHAP V2 Challenge: Success
Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
. . .

Code: Access-Request
Identifier: UNDEF
Authentic: N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
Attributes:
        EAP-Message = <2><2><0><6><26><3>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 172.31.178.10
        NAS-Identifier = "wlc-1"
        NAS-Port = 13
        Calling-Station-Id = "00271026a434"
        User-Name = "[email protected]"

Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 0,
Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE: add-vlan-attributes
Tue Aug 2 11:41:05 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap_v3
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with [email protected] [[email protected]]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user: [email protected] [[email protected]]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [[email protected]]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [[email protected]]
Tue Aug 2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
Tue Aug 2 11:41:05 2011: DEBUG: Access accepted for [email protected]
Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept

-----------------------------------------------------------------------------------------------------------------
# WLAN (utwente.test2) inner authentication (PEAP)
#
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
        AuthByPolicy ContinueWhileAccept
        AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
        <AuthBy LDAP2>
                Identifier productieoid-peap
                EAPType MSCHAP-V2
                # Rest of the config
                Version 2
                Host <.>
                BindAddress <.>
                FailureBackoffTime 10
                AuthDN <.>
                AuthPassword <.>
                BaseDN <.>
                RcryptKey <.>
                RewriteUsername s/^([^@]+).*/$1/
                RewriteUsername s/^\s*//
                RewriteUsername s/\s*$//
                UsernameAttr <.>
                PasswordAttr <.>
                AuthAttrDef orclisenabled, OIDactive, request
        </AuthBy>
        <AuthBy FILE>
                Identifier add-vlan-attributes
                Filename %D/users-wlan-peap_v3
                NoCheckPassword
                NoEAP
        </AuthBy>
        AuthLog authlogging-wlan-peap
        Identifier PEAP-inner-utwente-test2
        Description WLAN
        AuthLog authlogging-tent
</Handler>
-----------------------------------------------------------------------------------------------------------------

users-wlan-peap_v3:

DEFAULT
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
. . .

On 2011-08-01 22:42, Heikki Vatiainen wrote:
> On 08/01/2011 02:44 PM, Roel Hoek wrote:
>
> Hello Roel,
>
>> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2.
>> Now, indeed, the user-name/identity is found in the users-file, and is found
>> in the LDAP-server, but now failed on EAP MSCHAP V2 (no such user???)
>
> Hmm, I was able to recreate this with two simple AuthBy FILEs too.
> However, I did not dig deeper to see why it fails.
>
>> This has, I think, something to do with mschapv2 needing the whole username
>> including the realm for challenge and response. This works
>> with 'NoEAP', but not with EAPType MSCHAP-V2.
>
> Can you restructure your configuration a little. The restructure would
> put two AuthBys into the PEAP inner Handler. The first does EAP and is
> the LDAP check while the second gets the attributes from the file after
> successful LDAP check.
>
> Something like this should do it:
>
> # WLAN (utwente.test2) inner authentication (PEAP)
> #
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>         AuthByPolicy ContinueWhileAccept
>         <AuthBy LDAP2>
>                 Identifier productieoid-peap
>                 EAPType MSCHAP-V2
>                 # Rest of the config
>         </AuthBy>
>         <AuthBy FILE>
>                 Identifier add-vlan-attributes
>                 Filename %D/users-wlan-peap
>                 NoCheckPassword
>                 NoEAP
>         </AuthBy>
>
>         # Rest of the Handler
> </Handler>
>
> The file users-wlan-peap would be the same as currently but without the
> Auth-Type check items:
>
> d3126217
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:131,
>         Login-LAT-Group = "qnet"
>
> # Rest of users-wlan-peap
>
> This should still collect the user specific VLAN attributes but
> otherwise do the authentication the same for all users.
>
> Please let us know how this works.
>
> Thanks!
> Heikki
>
>
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic: <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
>> Attributes:
>>         EAP-Message = <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0><16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>[email protected]
>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         NAS-IP-Address = 172.31.178.10
>>         NAS-Identifier = "wlc-1"
>>         NAS-Port = 13
>>         Calling-Station-Id = "00271026a434"
>>         User-Name = "[email protected]"
>>
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [[email protected]]
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
>> Mon Aug 1 12:15:31 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, cn=Users, o=university of twente,c=nl
>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [[email protected]]
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [[email protected]]
>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: d3126217 [[email protected]]
>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user d3126217
>> Mon Aug 1 12:15:31 2011: INFO: Access rejected for [email protected]: EAP MSCHAP V2 failed: no such user d3126217
>> Mon Aug 1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: Access-Reject
>>
>>
>> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
>>
>>>> Thanks for your comment. Although it did not work.
>>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be
>>>> found.
>>
>>> Unfortunately that's true. Taking another look at the configuration, the
>>> reason for this is the NoEAP option. Since EAP is not run for the inner
>>> authentication, the EAP identity will not be available.
>>
>>> Going back to your original configuration, would replacing "NoEAP" with
>>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
>>
>>> Thanks!
>>> Heikki
>>
>>
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>>> Code: Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>>> Attributes:
>>>>         EAP-Message = <2><0><0><27><1>[email protected]
>>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>         NAS-IP-Address = 172.31.178.10
>>>>         NAS-Identifier = "wlc-1"
>>>>         NAS-Port = 13
>>>>         Calling-Station-Id = "00271026a434"
>>>>         User-Name = ""
>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
>>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
>>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for [email protected]: No Handler for PEAP inner authentication
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>>> *** Sending to 172.31.178.10 port 32770 ....
>>>> Code: Access-Reject
>>>>
>>>> -------------------------------------------------------------------
>>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>         AuthByPolicy ContinueWhileReject
>>>>         AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>>         <AuthBy FILE>
>>>>                 RewriteUsername s/^([^@]+).*/$1/
>>>>                 RewriteUsername s/^\s*//
>>>>                 RewriteUsername s/\s*$//
>>>>                 Filename %D/users-wlan-peap
>>>>                 NoEAP
>>>>         </AuthBy>
>>>>         AuthLog authlogging-wlan-peap
>>>>         Identifier PEAP-inner-utwente-test2
>>>>         Description WLAN
>>>>         AuthLog authlogging-tent
>>>> </Handler>
>>>>
>>>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>>         <AuthBy FILE>
>>>>                 EAPType TTLS,PEAP
>>>>                 EAPTLS_CAFile
>>>>                 EAPTLS_CertificateFile
>>>>                 EAPTLS_CertificateType PEM
>>>>                 EAPTLS_PrivateKeyFile
>>>>                 EAPTLS_PrivateKeyPassword
>>>>                 EAPTLS_MaxFragmentSize 1024
>>>>                 EAPTLS_SessionResumption 0
>>>>                 AutoMPPEKeys
>>>>                 EAPTLS_PEAPBrokenV1Label
>>>>                 EAPTTLS_NoAckRequired
>>>>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>>>>                 #EAPAnonymous %u
>>>>                 EAPAnonymous %0
>>>>         </AuthBy>
>>>>         AuthLog authlogging-wlan
>>>>         Identifier WLAN-OUTER-TEST
>>>>         Description WLAN
>>>>         AuthLog authlogging-tent
>>>> </Handler>
>>>>
>>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>>
>>>>> Hello Roel,
>>>>
>>>>>> We experience a problem with a handler for authenticating wireless-lan
>>>>>> users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>>>> the outer and inner identity are not equal (normal situation).
>>>>>> It looks like the userfile is searched by the outer-identity, although
>>>>>> the inner-identity is used for authentication via LDAP.
>>>>
>>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>>
>>>>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>>>>> use User-Name attribute instead of EAP Identity to do the authentication.
>>>>
>>>>> With EAPAnonymous you can set the inner request User-Name the same as
>>>>> the EAP Identity is.
>>>>
>>>>> Please let us know if this works for you.
>>>>
>>>>> Thanks!
>>>>> Heikki

-- 
Kind regards,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
[email protected]; http://www.utwente.nl/icts

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
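Added example (Python, written for this page; it is not code from the thread or from Radiator): a small model of the users-file lookup that the Aug 2 log above records. In that log the <AuthBy LDAP2> clause matches d3126217, because its three RewriteUsername rules strip the realm before the lookup, while the <AuthBy FILE> clause that runs next "looks for match with" the unrewritten realm-qualified name, misses it, falls through to DEFAULT and returns Access-Accept with the DEFAULT entry's VLAN 125 rather than the 131 in the user's own entry. The model applies the same three rules to a constructed identity, parses a constructed copy of the users-wlan-peap_v3 excerpt, looks up the exact name and then DEFAULT in the order the AuthFILE log lines show, and reports which entry matched. Assumptions: the identity d3126217@utwente.test2 is constructed from the user id and the Handler realm in the thread (the real realm-qualified name is redacted on the page); the parser is simplified and ignores check items on the name line, which this file does not use.

```python
import re

# Constructed users file in Radiator AuthBy FILE syntax, modelled on the
# users-wlan-peap_v3 excerpt quoted in the thread: an unindented user name
# (or DEFAULT) line followed by indented, comma-separated reply items.
USERS_FILE = """\
DEFAULT
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
"""

# The three RewriteUsername rules from the <AuthBy LDAP2> clause, translated
# from Perl s/// into (pattern, replacement) pairs for re.sub.
REWRITE_RULES = [
    (r"^([^@]+).*", r"\1"),  # s/^([^@]+).*/$1/ : keep the part before "@"
    (r"^\s*", ""),           # s/^\s*//         : strip leading blanks
    (r"\s*$", ""),           # s/\s*$//         : strip trailing blanks
]


def parse_users_file(text):
    """Return {name: [reply items]} for a users-file body.

    Simplified model: check items that may follow the name on the same line
    are ignored, since the file in the thread has none.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":            # unindented: start of a new entry
            current = raw.split()[0]
            entries[current] = []
        elif current is not None:          # indented: reply item of that entry
            entries[current].append(raw.strip().rstrip(","))
    return entries


def rewrite_username(name, rules):
    """Apply the RewriteUsername rules in order, one substitution each."""
    for pattern, repl in rules:
        name = re.sub(pattern, repl, name, count=1)
    return name


def lookup(entries, name):
    """Exact name first, then DEFAULT, as the AuthFILE log lines show.

    Returns (matched entry name, reply items); (None, []) if neither exists.
    """
    for candidate in (name, "DEFAULT"):
        if candidate in entries:
            return candidate, entries[candidate]
    return None, []


def vlan_for(identity, realm_stripped):
    """Resolve the VLAN the file would hand out for an inner identity.

    realm_stripped=True models the name as the LDAP2 clause saw it (after its
    RewriteUsername rules); False models the unrewritten name that the AuthBy
    FILE clause looked up in the log.
    Returns (name looked up, entry matched, Tunnel-Private-Group-ID value).
    """
    entries = parse_users_file(USERS_FILE)
    name = rewrite_username(identity, REWRITE_RULES) if realm_stripped else identity
    matched, items = lookup(entries, name)
    vlan = None
    for item in items:
        key, _, value = item.partition("=")
        if key.strip() == "Tunnel-Private-Group-ID":
            vlan = value.strip().split(":", 1)[1]   # "1:131" -> "131"
    return name, matched, vlan


if __name__ == "__main__":
    # Constructed inner identity: the realm-qualified name is redacted in the
    # quoted log, so the user id and the Handler realm are combined here.
    identity = "d3126217@utwente.test2"
    for stripped in (False, True):
        name, matched, vlan = vlan_for(identity, stripped)
        print(f"lookup {name!r:26} -> entry {matched!r:12} VLAN {vlan}")
```

The point to take from the Aug 2 log, and what the returned entry name makes visible: with NoCheckPassword, a DEFAULT entry and AuthByPolicy ContinueWhileAccept, a users-file miss is not a rejection but a silent assignment to the default VLAN. Logging which entry an Access-Accept was built from is how an operator notices that a user who should have landed in VLAN 131 was put in 125.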
