Hi,

> On 29 Sep 2017, at 20.04, <[email protected]> <[email protected]> wrote:
>
> Additional info:
> Old servers: Windows 2008R2 – Radiator 4.14
> New servers: Windows 2016 – Radiator 4.19
>
>
> In our old configuration we have something like this:
>
> <Handler Identifier=LUMCusers>
>     Identifier LUMCusers_AD
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group eduroam-wireless
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
>         </AuthBy>
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group lumc-wireless-1
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
>         </AuthBy>
>     </AuthBy>
> </Handler>
>
> ...
>
> In the logfiles I see something like this:
>
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for [email protected], 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
> Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for [email protected], 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA looks for match with testuser [[email protected]]
> Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [[email protected]]
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.044654
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.000006
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> ...
>
> The weird thing is that the whole AuthBy GROUP -> multiple AuthBy sections actually works for a different kind of request I process.
> ...
>
Radiator 4.18 introduced more checks within the EAP state machine, along with a new optional configuration option, EAP_MSCHAPv2_UseMultipleAuthBys, which should solve your problem.

http://www.open.com.au/radiator/ref/EAP_MSCHAPv2_UseMultipleAuthBys.html#EAP_MSCHAPv2_UseMultipleAuthBys

BR
--
Tuure Vartiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
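As an added illustration (not Radiator code and not part of the original thread), a small Python model of the failure mode visible in the quoted log: with AuthByPolicy ContinueWhileReject, the first rejecting AuthBy tears down the EAP-MSCHAPv2 conversation state, so the second AuthBy receives the same response and reports "Response type 26 in unexpected state". The `use_multiple_authbys` flag models the assumed effect of EAP_MSCHAPv2_UseMultipleAuthBys (letting the state survive a reject so later AuthBys can evaluate the same response); the group memberships, user names and VLAN tags are constructed sample data.

```python
from dataclasses import dataclass, field

MSCHAPV2 = 26  # EAP type of the MSCHAPv2 responses seen in the log ("Response type 26")

@dataclass
class EapContext:
    """Per-conversation EAP state carried between RADIUS round trips (simplified model)."""
    state: str = "CHALLENGED"          # the client is answering our MSCHAPv2 challenge
    events: list = field(default_factory=list)

@dataclass
class GroupBackend:
    """Models one '<AuthBy LSA> ... Group X' clause; `members` is constructed sample data."""
    group: str
    vlan: str
    members: dict                      # group name -> set of usernames

    def handle(self, user, eap_type, ctx, use_multiple_authbys):
        if ctx.state != "CHALLENGED":
            # Same situation as the INFO line in the log: this AuthBy receives a
            # response for a conversation an earlier AuthBy already failed.
            ctx.events.append(f"{self.group}: EAP Response type {eap_type} in unexpected state")
            return "REJECT", None
        if user not in self.members.get(self.group, set()):
            ctx.events.append(f"{self.group}: REJECT, {user} is not a member")
            if not use_multiple_authbys:
                ctx.state = "FAILED"   # a rejecting AuthBy consumes the EAP state
            return "REJECT", None
        ctx.state = "SUCCESS"
        ctx.events.append(f"{self.group}: ACCEPT")
        return "ACCEPT", {"Tunnel-Private-Group-ID": f"1:{self.vlan}"}

def authby_group(user, backends, use_multiple_authbys=False):
    """AuthBy GROUP with ContinueWhileReject: try AuthBys in order until one does not reject."""
    ctx = EapContext()
    for backend in backends:
        result, reply = backend.handle(user, MSCHAPV2, ctx, use_multiple_authbys)
        if result != "REJECT":
            return result, reply, ctx.events
    return "REJECT", None, ctx.events

# Constructed directory: testuser is placed in the second group only.
MEMBERS = {"eduroam-wireless": {"alice"}, "lumc-wireless-1": {"alice", "testuser"}}
BACKENDS = [GroupBackend("eduroam-wireless", "420", MEMBERS),
            GroupBackend("lumc-wireless-1", "281", MEMBERS)]

if __name__ == "__main__":
    print(authby_group("testuser", BACKENDS))                             # REJECT, "unexpected state"
    print(authby_group("testuser", BACKENDS, use_multiple_authbys=True))  # ACCEPT, VLAN 281
```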
