Hi Tuure,

This explains why that worked on 4.14 and not on the servers where 4.19 is installed! Thanks. I should be able to fix this now at least.

I saw the disclaimer saying that EAP_MSCHAPv2_UseMultipleAuthBys should be avoided and that EAP_PEAP_MSCHAP_Convert should be tried instead. In what situation would EAP_PEAP_MSCHAP_Convert normally be the recommended option?

Since we share our infrastructure, we use a proxy RADIUS server (also Radiator) in order to forward the requests to the customer network for request handling. Would the best practice generally be to do the conversion at the proxy or on the validating RADIUS server?

Kind regards,
Stephan Schwarz

-----Original Message-----
From: radiator [mailto:[email protected]] On Behalf Of Tuure Vartiainen
Sent: Monday, October 2, 2017 12:27 PM
To: radiator <[email protected]>
Subject: Re: [RADIATOR] Cannot process multiple AuthBy sections during authentication request

Hi,

> On 29 Sep 2017, at 20.04, <[email protected]> <[email protected]> wrote:
>
> Additional info:
> Old servers: Windows 2008R2 – Radiator 4.14
> New servers: Windows 2016 – Radiator 4.19
>
> In our old configuration we have something like this:
>
> <Handler Identifier=LUMCusers>
>     Identifier LUMCusers_AD
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group eduroam-wireless
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
>         </AuthBy>
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group lumc-wireless-1
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
>         </AuthBy>
>     </AuthBy>
> </Handler>
>
> ...
>
> In the logfiles I see something like this:
>
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for [email protected], 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
> Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for [email protected], 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA looks for match with testuser [[email protected]]
> Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [[email protected]]
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.044654
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.000006
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> ...
>
> The weird thing is that the whole AuthBy GROUP -> multiple AuthBy sections actually works for a different kind of request I process.
> ...

Radiator 4.18 introduced more checks within the EAP state machine, along with a new optional configuration option, EAP_MSCHAPv2_UseMultipleAuthBys, which should solve your problem.

http://www.open.com.au/radiator/ref/EAP_MSCHAPv2_UseMultipleAuthBys.html#EAP_MSCHAPv2_UseMultipleAuthBys

BR
--
Tuure Vartiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
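The INFO line "EAP Response type 26 in unexpected state" in the log above hints at a NAS failover, but what the log actually shows is the second AuthBy LSA inside the AuthBy GROUP handling the same EAP-MSCHAP-V2 response after the first AuthBy LSA has rejected it, which is the situation the 4.18 state-machine checks catch. When the same message shows up across many servers it helps to know which occurrences come from a multiple-AuthBy configuration and which might be real failovers. The script below is an added example, not code from the thread or from Radiator: it reads Radiator Trace 4 (DEBUG) log lines, scopes them per request, and classifies each unexpected-state line by whether an AuthBy REJECT preceded it inside the same request. The log lines embedded in it are a subset of the thread's log with the e-mail line wrapping undone, plus a second request that is constructed to exercise the other branch; the heuristic itself is mine and is not something Radiator does.

```python
"""Classify Radiator 'EAP Response type 26 in unexpected state' messages.

Heuristic (an assumption of this example, not Radiator behaviour): if an
'Auth...: result: REJECT' line precedes the unexpected-state line inside the
same request, the EAP response was handed to a second AuthBy of an AuthBy
GROUP after the first one had consumed it. Otherwise the message is left as a
possible real NAS failover.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Radiator log line shape: '<day> <mon> <dd> <hh:mm:ss> <yyyy>: <LEVEL>: <message>'
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Start of a request scope (an AuthBy HANDLER redirect logs this line again;
# the GROUP runs after the redirect, so a fresh scope there is what we want).
HANDLER_RE = re.compile(
    r"Handling request with Handler '(?P<match>[^']*)', Identifier '(?P<ident>[^']*)'"
)
# Each AuthBy that takes the request, in order (AuthGROUP, AuthLSA, ...).
AUTHBY_RE = re.compile(r"Handling with Radius::(?P<authby>Auth[A-Z0-9_]+):")
# A REJECT decided inside the request, e.g. 'Radius::AuthGROUP: result: REJECT, ...'.
REJECT_RE = re.compile(r"Radius::(?P<authby>Auth[A-Z0-9_]+): result: REJECT, (?P<reason>.*)")
UNEXPECTED = "EAP Response type 26 in unexpected state"


@dataclass
class Request:
    ts: str
    identifier: str
    authbys: List[str] = field(default_factory=list)
    rejects: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Finding:
    ts: str
    identifier: str
    cause: str                 # 'multiple-authby' or 'possible-failover'
    authbys: List[str]
    prior_reject: Optional[str]


def classify(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines and return one Finding per unexpected-state message."""
    findings: List[Finding] = []
    req: Optional[Request] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and packet dumps do not carry the shape we need
        ts, msg = m.group("ts"), m.group("msg")
        h = HANDLER_RE.search(msg)
        if h:
            req = Request(ts=ts, identifier=h.group("ident"))
            continue
        if req is None:
            continue
        a, r = AUTHBY_RE.search(msg), REJECT_RE.search(msg)
        if a:
            req.authbys.append(a.group("authby"))
        elif r:
            req.rejects.append((r.group("authby"), r.group("reason")))
        elif UNEXPECTED in msg:
            cause = "multiple-authby" if req.rejects else "possible-failover"
            findings.append(Finding(ts, req.identifier, cause, list(req.authbys),
                                    req.rejects[-1][1] if req.rejects else None))
    return findings


# Constructed sample: the first request is transcribed from the thread's log
# (wrapping undone, session lines dropped); the second is made up for contrast.
SAMPLE_LOG = r"""
Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:50:03 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Fri Sep 29 18:50:03 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:50:03 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:50:03 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
"""

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.identifier}: {f.cause}; AuthBys={f.authbys}; prior REJECT={f.prior_reject!r}")
```

Run it against a real Radiator log by replacing SAMPLE_LOG with the file contents; the first request in the sample is reported as multiple-authby with AuthGROUP, AuthLSA, AuthLSA as the AuthBys that touched it, the second as possible-failover. The scope reset on every "Handling request with Handler" line is deliberate: the AuthBy HANDLER redirect in the thread produces two such lines for one packet, and only the lines after the second one matter for the GROUP.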
