Not sure if this is normal behavior or not as I am a bit new to Radiator, however it seems odd to me. Maybe someone can explain it or point out what I might be doing wrong?
Configuring a Radiator server (tried with both 4.15 & 4.16) to provide authentication for wireless, and most things have gone well. However I have come across something that doesn't seem quite right. If I only have handlers for the inner authentication that have a regex to match realms, Radiator doesn't seem to parse the request packet properly. If I include "generic" inner authentication handlers (which don't get used), then the handlers with the regex work just fine.

Here is my working configuration:

Foreground
LogStdout
DbDir /etc/radiator
LogDir .
DictionaryFile %D/dictionary
Trace 4
AuthPort 1812
AcctPort 1813
include %D/clients.cfg
DisabledRuntimeChecks CVE-2014-0160

<AuthBy NTLM>
    Identifier NTLM_MSCHAP_NoRealm
    UsernameMatchesWithoutRealm
    EAPType MSCHAP-V2
</AuthBy>

<AuthBy FILE>
    Identifier FILE_OuterRequests
    Filename %D/dot1x_anon
    EAPType TTLS PEAP
    EAPAnonymous %0
    EAPTLS_CAFile %D/certificates/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_PEAPVersion 0
    EAPTTLS_NoAckRequired
    AutoMPPEKeys
    EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4
</AuthBy>

<Handler TunnelledByTTLS=1, Realm=/iit\.edu$/i>
    Identifier TTLS_INNER_IITdEDU
    AuthBy NTLM_MSCHAP_NoRealm
</Handler>

<Handler TunnelledByPEAP=1, Realm=/iit\.edu$/i>
    Identifier PEAP_INNER_IITdEDU
    AuthBy NTLM_MSCHAP_NoRealm
</Handler>

<Handler TunnelledByTTLS=1>
    Identifier TTLS_INNER_GENERIC
    AuthBy NTLM_MSCHAP_NoRealm
</Handler>

<Handler TunnelledByPEAP=1>
    Identifier PEAP_INNER_GENERIC
    AuthBy NTLM_MSCHAP_NoRealm
</Handler>

<Handler Realm=/^$/>
    Identifier NO_REALM
    AccountingHandled
    StripFromReply Reply-Message
    AddToReply Reply-Message="Misconfigured client: empty realm!"
</Handler>

<Handler Realm=/iit\.edu$/i>
    Identifier EAP_OUTER_IITdEDU
    AuthBy FILE_OuterRequests
</Handler>

This works as expected for "tu...@iit.edu" with the outer authentication being handled by the "EAP_OUTER_IITdEDU" and the inner authentication using "[TTLS|PEAP]_INNER_IITdEDU" correctly depending on client configuration.

However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers and associated statements (i.e. no other changes to client config or anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches the regex and the inner request is then caught by "NO_REALM".

Here is the debug from a request where things stop working as expected (I think the key is that in the packet dump, the username is in the "EAP-Message" field and not the "User-Name" field):

Tue Feb 9 23:21:42 2016: DEBUG: Handling request with Handler 'Realm=/iit\.edu$/i', Identifier 'EAP_OUTER_IITdEDU'
Tue Feb 9 23:21:42 2016: DEBUG: Deleting session for anonym...@iit.edu, 192.168.50.70, 14337
Tue Feb 9 23:21:42 2016: DEBUG: Handling with Radius::AuthFILE: FILE_OuterRequests
Tue Feb 9 23:21:42 2016: DEBUG: Handling with EAP: code 2, 5, 63, 21
Tue Feb 9 23:21:42 2016: DEBUG: Response type 21
Tue Feb 9 23:21:42 2016: DEBUG: EAP TTLS data, 3, 5, 4
Tue Feb 9 23:21:42 2016: DEBUG: EAP TTLS inner authentication request for
Tue Feb 9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
        EAP-Message = <2><0><0><18><1>tu...@iit.edu
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = ""
Tue Feb 9 23:21:42 2016: DEBUG: Handling request with Handler 'Realm=/^$/', Identifier 'NO_REALM'
Tue Feb 9 23:21:42 2016: DEBUG: Deleting session for , 192.168.50.70,
Tue Feb 9 23:21:42 2016: INFO: Access rejected for : No AuthBy found
Tue Feb 9 23:21:42 2016: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
        Reply-Message = "Misconfigured client: empty realm!"
Tue Feb 9 23:21:42 2016: DEBUG: EAP Failure, elapsed time 0.135382
Tue Feb 9 23:21:42 2016: DEBUG: EAP result: 1, EAP TTLS inner authentication redispatched to a Handler
Tue Feb 9 23:21:42 2016: DEBUG: AuthBy FILE result: REJECT, EAP TTLS inner authentication redispatched to a Handler
Tue Feb 9 23:21:42 2016: INFO: Access rejected for anonym...@iit.edu: EAP TTLS inner authentication redispatched to a Handler
Tue Feb 9 23:21:42 2016: DEBUG: Packet dump:
*** Sending to 192.168.50.70 port 38670 ....
Code:       Access-Reject
Identifier: 48
Authentic:  <199><166><198><217>p55<139>9?<235>9<167><127><2><147>
Attributes:
        EAP-Message = <4><5><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

Any help or insight would be appreciated.

--
David Rose
Sr. Network Engineer
Office of Technology Services
Illinois Institute of Technology
(O) 312.567.3249
(F) 312.567.5968
ro...@iit.edu

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
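A constructed model of the dispatch the log shows, added here as an illustration and not Radiator's own code: it decodes the inner EAP-Message from the packet dump as an EAP Response/Identity (RFC 3748) and applies first-match Realm checks against User-Name, which is why an empty User-Name lands in the NO_REALM handler even though the identity inside EAP-Message carries the realm. Handler names and check parameters are taken from the configuration in the post; the identity testuser@iit.edu and the simplified matching rules are assumptions.

```python
import re
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

def radiator_dump_to_bytes(dump):
    """Turn Radiator's <n> notation for non-printable bytes back into raw bytes."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(2))
                 for m in re.finditer(r"<(\d+)>|(.)", dump, re.S))

def parse_eap_identity(msg):
    """Decode an EAP Response/Identity: code, id, length, type, identity."""
    if len(msg) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length field %d != %d bytes" % (length, len(msg)))
    if code != EAP_CODE_RESPONSE or msg[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    return msg[5:].decode("ascii")

def realm_of(user_name):
    # Realm is whatever follows the last '@'; no '@' means an empty realm.
    return user_name.rpartition("@")[2] if "@" in user_name else ""

def select_handler(request, handlers):
    """First handler whose every check passes wins (config order, like Radiator)."""
    for name, checks in handlers:
        if all(re.search(pat, realm_of(request.get("User-Name", ""))) if attr == "Realm"
               else str(request.get(attr)) == pat
               for attr, pat in checks.items()):
            return name
    return None

# Handlers as configured in the post, in config order (generic ones commented out).
HANDLERS = [
    ("TTLS_INNER_IITdEDU", {"TunnelledByTTLS": "1", "Realm": r"(?i)iit\.edu$"}),
    ("NO_REALM",           {"Realm": r"^$"}),
    ("EAP_OUTER_IITdEDU",  {"Realm": r"(?i)iit\.edu$"}),
]

# Constructed inner request in Radiator dump notation (length 21 = 5 header bytes + 16).
INNER_DUMP = "<2><0><0><21><1>testuser@iit.edu"

def demo():
    identity = parse_eap_identity(radiator_dump_to_bytes(INNER_DUMP))
    as_logged = {"TunnelledByTTLS": "1", "User-Name": ""}        # what the log shows
    with_name = {"TunnelledByTTLS": "1", "User-Name": identity}  # identity copied to User-Name
    return identity, select_handler(as_logged, HANDLERS), select_handler(with_name, HANDLERS)
```

Note that the empty-realm handler rejecting the request is the fail-closed outcome; a permissive catch-all in that position would instead authenticate requests whose realm could not be established.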