On 02/07/2013 11:59 PM, Johnson, Neil M wrote:
> My goal was to select an inner handler based on the Client Identifier (now
> passed in as OSC-Client-Identifier), Called-Station-Id, and the
> User-Name's Realm.
The problem is this: the tunnelled inner request in the log is the first EAP
message in this EAP authentication session, carrying the EAP Identity method.
Since the identity is not known yet, but it will be once the request has been
processed, EAPAnonymous or anything else cannot set the correct User-Name for
the tunnelled request. Once this request has been processed, then e.g.
EAPAnonymous %0 works.

Below is one construct that I thought about once: the purpose of the first
Handler is to do the actual authentication. However, the first message
carrying the Identity will not match the Handler's check list, so the request
will hit the second Handler. This will establish the identity and return
Challenge. The subsequent requests from the client will then match the first
Handler. If something would actually try to authenticate using the second
Handler, this would always fail.

    <Handler TunnelledByPEAP=1, Realm=example.com>
            Identifier inner-main-handler
            <AuthBy FILE>
                    Identifier inner-main-authby
                    Filename %D/users
                    UsernameMatchesWithoutRealm
                    NoDefault
                    EAPType MSCHAP-V2
            </AuthBy>
    </Handler>

    <Handler TunnelledByPEAP=1>
            Identifier inner-identity-bootstrap-handler
            <AuthBy FILE>
                    Identifier inner-identity-bootstrap-authby
                    Filename /dev/null
                    NoDefault
                    EAPType MSCHAP-V2
            </AuthBy>
    </Handler>

Thanks,
Heikki

> From my config:
> # Handle PEAP requests for "uiowa.edu" realm
> <Handler OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, TunnelledByPEAP=1, Realm=/(uiowa\.edu$)/i >
>         AuthByPolicy ContinueUntilAcceptOrChallenge
>         AuthBy authUIOWA
>         AuthBy authUIOWA_Quarantine
>         AuthBy authEduroam_test_users
>
>         AuthLog authlogger
> </Handler>
>
> I tried adding the PreHandlerHook code to copy the "OSC-Client-Identifier"
> attribute to the inner tunnel as you suggested, but I also needed to copy
> the "Called-Station-Id" attribute as well.
> Now I've run into an issue that the first inner request had the
> "User-Name" attribute set to "", which makes it fail the Realm check. It
> appears in subsequent inner tunnel requests.
>
> Trace output below:
>
> Thu Feb 7 15:28:32 2013 320803: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 59428 ....
> Code:       Access-Request
> Identifier: 113
> Authentic:  s<221><191>8<160>PG<137>2<8><7>V<128>[W<18>
> Attributes:
>         User-Name = "wlantes...@uiowa.edu"
>         NAS-IP-Address = 127.0.0.1
>         Calling-Station-Id = "02-00-00-00-00-01"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         Called-Station-Id = "eduroam"
>         EAP-Message = <2><6><0>`<25><0><23><3><1><0>Wg^<133>e<128><163><185>t<171><238>V#1&<219><221><185>q_M<225><238>'<23>O_]<208>-<222><251><23><3><1><0>0<168>oY<246>-<187><148>w;<243>4-%<141>i<201><245><22><221>Y;<133><148><183>.<176><21><240>g<242><203><180><164>5<243><190><157>2<176><180><188><138><133>F<131>.PN
>         Message-Authenticator = <222><133><236><252><249><150><9>y<6><223>'\<183><2>i<228>
>         OSC-Client-Identifier = "fromUIOWA"
>
> Thu Feb 7 15:28:32 2013 322779: DEBUG: Handling request with Handler 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, Realm=/(uiowa\.edu$)/i ', Identifier ''
> Thu Feb 7 15:28:32 2013 323727: DEBUG: PreProcessing Hook: called.
> Thu Feb 7 15:28:32 2013 324738: DEBUG: Deleting session for wlantes...@uiowa.edu, 127.0.0.1,
> Thu Feb 7 15:28:32 2013 325580: DEBUG: Handling with Radius::AuthLSA:
> Thu Feb 7 15:28:32 2013 326562: DEBUG: Handling with EAP: code 2, 6, 96, 25
> Thu Feb 7 15:28:32 2013 327395: DEBUG: Response type 25
> Thu Feb 7 15:28:32 2013 329030: DEBUG: EAP PEAP inner authentication request for
> Thu Feb 7 15:28:32 2013 330409: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  O<227>x%<<238><130><166><133><203><143>5<195>-<135><166>
> Attributes:
>         EAP-Message = <2><6><0><21><1>wlantes...@uiowa.edu
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 127.0.0.1
>         Calling-Station-Id = "02-00-00-00-00-01"
>         User-Name = ""                        <-- Null User Name
>         OSC-Client-Identifier = "fromUIOWA"
>
> Thu Feb 7 15:28:32 2013 332695: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Thu Feb 7 15:28:32 2013 333811: DEBUG: Deleting session for , 127.0.0.1,
> Thu Feb 7 15:28:32 2013 335132: DEBUG: Handling with Radius::AuthLSA: authUIOWA
> Thu Feb 7 15:28:32 2013 336242: DEBUG: Handling with EAP: code 2, 6, 21, 1
> Thu Feb 7 15:28:32 2013 337089: DEBUG: Response type 1
> Thu Feb 7 15:28:32 2013 344248: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Thu Feb 7 15:28:32 2013 345188: DEBUG: AuthBy LSA result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Thu Feb 7 15:28:32 2013 346450: DEBUG: Access challenged for : EAP MSCHAP-V2 Challenge

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
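The condition Heikki describes (the first inner request of a PEAP session carrying the EAP Identity response with User-Name = "", so a Realm check cannot match and the request falls through to the next Handler) is easy to miss in a long trace. The following Python is an added diagnostic written for this thread; it is not Radiator code and comes from neither poster. It scans a Radiator debug trace for tunnelled inner request dumps, pairs each with the "Handling request with Handler" line that follows it, and reports those whose User-Name is empty. The embedded trace is constructed, condensed from the one quoted above, with the made-up user sample-user@uiowa.edu in place of the elided address and a constructed second inner dump standing in for the follow-up request that carries the identity.

```python
"""Find tunnelled (PEAP/TTLS) inner requests with an empty User-Name in a
Radiator debug trace and report which Handler each one was dispatched to.

Added diagnostic for this thread, not part of Radiator. It relies only on the
trace text: a "... Tunnelled request Packet dump:" line, the attribute lines
of that dump, then the "Handling request with Handler ..." line that follows.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DUMP_RE = re.compile(r"DEBUG: (PEAP|TTLS) Tunnelled request Packet dump:")
HANDLER_RE = re.compile(
    r"DEBUG: Handling request with Handler '([^']*)', Identifier '([^']*)'")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")


@dataclass
class InnerRequest:
    tunnel: str                          # "PEAP" or "TTLS"
    attrs: Dict[str, str] = field(default_factory=dict)
    handler: Optional[str] = None        # Handler check list Radiator chose
    identifier: Optional[str] = None     # that Handler's Identifier


def parse_inner_requests(trace: str) -> List[InnerRequest]:
    """Pair every tunnelled packet dump with the Handler line after it.
    Outer (non-tunnelled) packet dumps are skipped."""
    requests: List[InnerRequest] = []
    current: Optional[InnerRequest] = None
    in_attrs = False
    for line in trace.splitlines():
        m = DUMP_RE.search(line)
        if m:
            current = InnerRequest(tunnel=m.group(1))
            requests.append(current)
            in_attrs = False
            continue
        if current is None or current.handler is not None:
            continue                     # no inner dump open: ignore the line
        if line.strip() == "Attributes:":
            in_attrs = True
            continue
        m = HANDLER_RE.search(line)
        if m:
            current.handler, current.identifier = m.group(1), m.group(2)
            continue
        if in_attrs:
            m = ATTR_RE.match(line)
            if not m:
                in_attrs = False         # blank line or log text ends the dump
                continue
            name, value = m.group(1), m.group(2).strip()
            # Radiator quotes string attributes; User-Name = "" is the empty identity
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current.attrs[name] = value
    return requests


def empty_identity_requests(requests: List[InnerRequest]) -> List[InnerRequest]:
    """Inner requests with no usable User-Name: the EAP Identity response that
    opens the inner session, before the identity is known."""
    return [r for r in requests if not r.attrs.get("User-Name")]


def report(trace: str) -> List[str]:
    """One line per empty-identity inner request, naming the Handler it hit."""
    return [f"{r.tunnel} inner request with empty User-Name "
            f"(EAP-Message {r.attrs.get('EAP-Message', '?')}) dispatched to "
            f"Handler '{r.handler}', Identifier '{r.identifier}'"
            for r in empty_identity_requests(parse_inner_requests(trace))]


# Constructed sample, condensed from the thread's trace. The outer dump shows
# it is ignored; the second inner dump is constructed to show the follow-up
# request once the identity is present. The user name is made up.
SAMPLE_TRACE = r"""
Thu Feb 7 15:28:32 2013 320803: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 59428 ....
Code:       Access-Request
Attributes:
        User-Name = "sample-user@uiowa.edu"
        Called-Station-Id = "eduroam"
        OSC-Client-Identifier = "fromUIOWA"

Thu Feb 7 15:28:32 2013 330409: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Attributes:
        EAP-Message = <2><6><0><26><1>sample-user@uiowa.edu
        NAS-IP-Address = 127.0.0.1
        User-Name = ""
        OSC-Client-Identifier = "fromUIOWA"

Thu Feb 7 15:28:32 2013 332695: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Thu Feb 7 15:28:32 2013 346450: DEBUG: Access challenged for : EAP MSCHAP-V2 Challenge
Thu Feb 7 15:28:33 2013 100000: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Attributes:
        EAP-Message = <2><7><0><6><26>
        User-Name = "sample-user@uiowa.edu"
        OSC-Client-Identifier = "fromUIOWA"
        Called-Station-Id = "eduroam"

Thu Feb 7 15:28:33 2013 100500: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=/(uiowa\.edu$)/i', Identifier 'inner-main-handler'
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

Run against a real trace (Trace 4 output) by passing the file contents to report(); a hit whose Handler is the catch-all TunnelledByPEAP=1 is the expected fall-through for the Identity response, while a hit on a Handler that is supposed to authenticate means the Realm check is being applied to a request that has no identity yet.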
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator