Not sure if this is normal behavior or not as I am a bit new to
Radiator, however it seems odd to me. Maybe someone can explain it or
point out what I might be doing wrong?

Configuring a Radiator server (tried with both 4.15 & 4.16) to provide
authentication for wireless, and most things have gone well. However I
have come across something that doesn't seem quite right. If I only have
handlers for the inner authentication that have a regex to match realms,
Radiator doesn't seem to parse the request packet properly.

If I include "generic" inner authentication handlers (which don't get
used), then the handlers with the regex work just fine.

Here is my working configuration:

Foreground
LogStdout
DbDir           /etc/radiator
LogDir          .
DictionaryFile  %D/dictionary
Trace           4
AuthPort 1812
AcctPort 1813
include %D/clients.cfg
DisabledRuntimeChecks CVE-2014-0160
<AuthBy NTLM>
        Identifier NTLM_MSCHAP_NoRealm
        UsernameMatchesWithoutRealm
        EAPType MSCHAP-V2
</AuthBy>
<AuthBy FILE>
        Identifier FILE_OuterRequests
        Filename %D/dot1x_anon
        EAPType TTLS PEAP
        EAPAnonymous %0
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
        EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4
</AuthBy>
<Handler TunnelledByTTLS=1, Realm=/iit\.edu$/i>
        Identifier TTLS_INNER_IITdEDU
                AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByPEAP=1, Realm=/iit\.edu$/i>
        Identifier PEAP_INNER_IITdEDU
                AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByTTLS=1>
        Identifier TTLS_INNER_GENERIC
                AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByPEAP=1>
        Identifier PEAP_INNER_GENERIC
                AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler Realm=/^$/>
        Identifier NO_REALM
        AccountingHandled
        StripFromReply Reply-Message
        AddToReply Reply-Message="Misconfigured client: empty realm!"
</Handler>
<Handler Realm=/iit\.edu$/i>
        Identifier EAP_OUTER_IITdEDU
        AuthBy FILE_OuterRequests
</Handler>

This works as expected for "tu...@iit.edu" with the outer authentication
being handled by the "EAP_OUTER_IITdEDU" and the inner authentication
using "[TTLS|PEAP]_INNER_IITdEDU" correctly depending on client
configuration.

However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
and associated statements (i.e. no other changes to client config or
anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
the regex and the inner request is then caught by "NO_REALM". Here is
the debug from a request where things stop working as expected (I think
the key is that in the packet dump, the username is in the "EAP-Message"
field and not the "User-Name" field):

Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/iit\.edu$/i', Identifier 'EAP_OUTER_IITdEDU'
Tue Feb  9 23:21:42 2016: DEBUG:  Deleting session for
anonym...@iit.edu, 192.168.50.70, 14337
Tue Feb  9 23:21:42 2016: DEBUG: Handling with Radius::AuthFILE:
FILE_OuterRequests
Tue Feb  9 23:21:42 2016: DEBUG: Handling with EAP: code 2, 5, 63, 21
Tue Feb  9 23:21:42 2016: DEBUG: Response type 21
Tue Feb  9 23:21:42 2016: DEBUG: EAP TTLS data, 3, 5, 4
Tue Feb  9 23:21:42 2016: DEBUG: EAP TTLS inner authentication request for
Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
        EAP-Message = <2><0><0><18><1>tu...@iit.edu
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = ""

Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/^$/', Identifier 'NO_REALM'
Tue Feb  9 23:21:42 2016: DEBUG:  Deleting session for , 192.168.50.70,
Tue Feb  9 23:21:42 2016: INFO: Access rejected for : No AuthBy found
Tue Feb  9 23:21:42 2016: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
        Reply-Message = "Misconfigured client: empty realm!"

Tue Feb  9 23:21:42 2016: DEBUG: EAP Failure, elapsed time 0.135382
Tue Feb  9 23:21:42 2016: DEBUG: EAP result: 1, EAP TTLS inner
authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
inner authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: INFO: Access rejected for anonym...@iit.edu:
EAP TTLS inner authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: DEBUG: Packet dump:
*** Sending to 192.168.50.70 port 38670 ....
Code:       Access-Reject
Identifier: 48
Authentic:  <199><166><198><217>p55<139>9?<235>9<167><127><2><147>
Attributes:
        EAP-Message = <4><5><0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

Any help or insight would be appreciated.

-- 
David Rose
Sr. Network Engineer
Office of Technology Services
Illinois Institute of Technology
(O) 312.567.3249
(F) 312.567.5968
ro...@iit.edu 


_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
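An added illustration (not from the original post and not Radiator's own code) of why the trace above ends in NO_REALM: it decodes the EAP-Response/Identity carried in the tunnelled EAP-Message and runs the three Realm checks from the posted configuration in configuration order, once against the empty User-Name and once against the decoded identity. The user part of the elided address, and the plain-Python model of Handler matching, are assumptions.

```python
import re
import struct

# Constructed sample: the tunnelled Diameter attributes from the debug trace,
# with the elided user part of the address replaced by a made-up "tuser".
EAP_MESSAGE = b"\x02\x00\x00\x12\x01" + b"tuser@iit.edu"  # 5 + 13 = 18 bytes
USER_NAME = ""                                            # User-Name = ""

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity(msg: bytes):
    """Identity from an EAP-Response/Identity (RFC 3748 layout:
    Code(1) Identifier(1) Length(2) Type(1) Type-Data), else None."""
    if len(msg) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", msg[:4])
    if code != EAP_CODE_RESPONSE or msg[4] != EAP_TYPE_IDENTITY:
        return None
    if length != len(msg):        # malformed length: refuse rather than guess
        return None
    return msg[5:length].decode("utf-8", errors="replace")


def realm_of(user_name: str) -> str:
    """Realm is the part after '@'; no '@' at all gives an empty realm."""
    return user_name.partition("@")[2]


# Realm checks from the posted configuration with the GENERIC Handlers removed,
# in configuration order (Radiator tries Handlers in the order they appear).
# The boolean models the TunnelledByTTLS=1 requirement; a Handler without it
# still matches tunnelled requests, which is how NO_REALM caught the request.
HANDLERS = [
    ("TTLS_INNER_IITdEDU", True, re.compile(r"iit\.edu$", re.I)),
    ("NO_REALM", False, re.compile(r"^$")),
    ("EAP_OUTER_IITdEDU", False, re.compile(r"iit\.edu$", re.I)),
]


def select_handler(user_name: str, tunnelled: bool):
    for identifier, needs_tunnel, realm_re in HANDLERS:
        if needs_tunnel and not tunnelled:
            continue
        if realm_re.search(realm_of(user_name)):
            return identifier
    return None


def compare():
    """(handler chosen from User-Name, handler chosen from the EAP identity)."""
    return (select_handler(USER_NAME, tunnelled=True),
            select_handler(eap_identity(EAP_MESSAGE) or "", tunnelled=True))
```

With the empty User-Name the realm regex cannot match and the request falls through to NO_REALM; the same request matched against the identity decoded from EAP-Message selects TTLS_INNER_IITdEDU.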
