Hi,

> On 29 Sep 2017, at 20.04, <s.schw...@lumc.nl> <s.schw...@lumc.nl> wrote:
>  
> Additional info: 
>                 Old servers: Windows 2008R2 – Radiator 4.14
>                 New servers: Windows 2016 – Radiator 4.19
>  
>  
> In our old configuration we have something like this:
>  
> <Handler Identifier=LUMCusers>
>     Identifier LUMCusers_AD
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group eduroam-wireless
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
>         </AuthBy>
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group lumc-wireless-1
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
>         </AuthBy>
>     </AuthBy>
> </Handler>
>  
> ...
>  
> In the logfiles I see something like this:
>  
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Fri Sep 29 18:44:47 2017: DEBUG:  Deleting session for testu...@lumc.nl, 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
> Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG:  Deleting session for testu...@lumc.nl, 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA looks for match with testuser [testu...@lumc.nl]
> Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [testu...@lumc.nl]
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.044654
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.000006
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> ...
>  
> The weird thing is that the whole AuthBy GROUP -> multiple AuthBy sections 
> actually works for a different kind of request I process.
> ...
>  

Radiator 4.18 introduced more checks within the EAP state machine, along with a new
optional configuration option, EAP_MSCHAPv2_UseMultipleAuthBys,
which should solve your problem.

http://www.open.com.au/radiator/ref/EAP_MSCHAPv2_UseMultipleAuthBys.html#EAP_MSCHAPv2_UseMultipleAuthBys


BR
-- 
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
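The option from the reply applied to the poster's Handler, as an added example that is not part of the original thread and is not taken from Radiator's own documentation. It assumes the parameter belongs inside each AuthBy that terminates EAP-MSCHAP-V2 (the two AuthBy LSA clauses here); that placement is an assumption, so confirm it against the reference page linked above for your release. Everything else is the poster's configuration as quoted.

```conf
# Added example (not from the thread): the poster's Handler with
# EAP_MSCHAPv2_UseMultipleAuthBys set so that a REJECT from the first
# AuthBy LSA no longer consumes the EAP-MSCHAP-V2 state, and the second
# AuthBy LSA gets to evaluate the same MSCHAP-V2 response.
<Handler Identifier=LUMCusers>
    Identifier LUMCusers_AD
    <AuthBy GROUP>
        # Keep trying the next AuthBy while the current one rejects.
        AuthByPolicy ContinueWhileReject

        <AuthBy LSA>
            EAPType MSCHAP-V2
            # ASSUMPTION: option placed per EAP-terminating AuthBy.
            EAP_MSCHAPv2_UseMultipleAuthBys
            DefaultDomain lumcnet
            UsernameMatchesWithoutRealm
            Group eduroam-wireless
            AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
        </AuthBy>

        <AuthBy LSA>
            EAPType MSCHAP-V2
            # ASSUMPTION: option placed per EAP-terminating AuthBy.
            EAP_MSCHAPv2_UseMultipleAuthBys
            DefaultDomain lumcnet
            UsernameMatchesWithoutRealm
            Group lumc-wireless-1
            AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
        </AuthBy>
    </AuthBy>
</Handler>
```

To check the change, repeat the test login for a user who is only in lumc-wireless-1 and read the debug log: the first AuthBy LSA should still log "User is not a member of any Group", but the second one should now log a group-membership check for lumc-wireless-1 instead of "EAP Response type 26 in unexpected state". Note that ContinueWhileReject walks the AuthBys in order, so a user who is in both groups lands in VLAN 420; put the more restrictive or higher-priority group first if that is not the intended outcome.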
