Thanks for the feedback, I have it working now with the EAP_MSCHAPv2_UseMultipleAuthBys workaround until I have implemented the convert method.
I have one more question while I'm at it. After using this UseMultipleAuthBys method, I get different results than what I had on my old server. See the result below:

Wed Oct 4 13:22:22 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Wed Oct 4 13:22:22 2017: DEBUG: Deleting session for [email protected], 172.16.71.249, 0
Wed Oct 4 13:22:22 2017: DEBUG: Handling with Radius::AuthHANDLER:
Wed Oct 4 13:22:22 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory'
Wed Oct 4 13:22:22 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS|Handler_From_QManage)$', Identifier 'Auth_ActiveDirectory'
Wed Oct 4 13:22:22 2017: DEBUG: Deleting session for [email protected], 172.16.71.249, 0
Wed Oct 4 13:22:22 2017: DEBUG: Handling with Radius::AuthGROUP:
Wed Oct 4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:22 2017: DEBUG: Response type 26
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, eduroam-wireless, useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.073829
Wed Oct 4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:22 2017: DEBUG: Response type 26
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-1, useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct 4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:22 2017: DEBUG: Response type 26
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-2, useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct 4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:22 2017: DEBUG: Response type 26
Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [[email protected]]
Wed Oct 4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-3, useraccount
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [[email protected]]
Wed Oct 4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct 4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct 4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:23 2017: DEBUG: Response type 26
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [[email protected]]
Wed Oct 4 13:22:23 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-4, useraccount
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount [[email protected]]
Wed Oct 4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
Wed Oct 4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000005
Wed Oct 4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Oct 4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:23 2017: DEBUG: Response type 26
Wed Oct 4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct 4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:23 2017: DEBUG: Response type 26
Wed Oct 4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct 4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA:
Wed Oct 4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct 4 13:22:23 2017: DEBUG: Response type 26
Wed Oct 4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000003
Wed Oct 4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: DEBUG: AuthBy HANDLER result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct 4 13:22:23 2017: INFO: Access rejected for [email protected]: EAP MSCHAP-V2 mschaptype Response in state FAILED

While processing the multiple AuthBys when a user provided a wrong password, I was used to seeing this behavior: let's say the user account was part of AD group 2. Processing will proceed with the first couple of groups and then give this result each time:

DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [[email protected]]

Once it arrived at the proper group for that user account, while the user had provided the wrong password, it would say:

WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.

After that it would continue processing the other groups again (don't see why it would do this, but whatever :D) unless it was the last group check. In case there were still groups left to check, it would process those and then exit with the message below again:

DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [[email protected]]

In my resulting logfile, the reason provided for why a user account was denied access was "LSA User is not a member of any Group" instead of "The user name or password is incorrect". However, I don't understand what exactly is going on now on my new setup.
Would it actually be possible to just stop processing entirely after it encountered one "WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect." message? That way, in my resulting logfile, I would at least always see useful messages as to why an authentication has been rejected (compared to having to look at the debug output).

Kind regards,
Stephan Schwarz

-----Original Message-----
From: radiator [mailto:[email protected]] On Behalf Of Tuure Vartiainen
Sent: Monday, October 2, 2017 3:57 PM
To: radiator <[email protected]>
Subject: Re: [RADIATOR] Cannot process multiple AuthBy sections during authentication request

Hi Stephan,

> On 2 Oct 2017, at 13.48, <[email protected]> <[email protected]> wrote:
>
> I saw the disclaimer saying EAP_MSCHAPv2_UseMultipleAuthBys should be
> avoided, but instead try to use EAP_PEAP_MSCHAP_Convert.
> What would normally be the recommended situation to use the
> EAP_PEAP_MSCHAP_Convert at?
>

When you are proxying requests to a RADIUS server which does not support EAP-MSCHAPv2 but can still handle ordinary RADIUS-MSCHAPV2.

http://www.open.com.au/radiator/ref/EAP_PEAP_MSCHAP_Convert.html#EAP_PEAP_MSCHAP_Convert

Currently, EAP_MSCHAPv2_UseMultipleAuthBys is a kind of a workaround, but should not be needed in the future.

>
> Since we share our infrastructure, we use a proxy RADIUS server (also
> radiator) in order to forward the requests to the customer network for
> request handling. Would the best practice generally be to use the convert
> part at the proxy or on the validating RADIUS server?
>

To do the conversion at the proxying RADIUS server.

BR
--
Tuure Vartiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
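The log-reason problem discussed in the thread (the final "Access rejected" line carries the generic AuthBy GROUP text, while the wrong-password WARNING that names the real cause appears only once, mid-sequence) can be handled on the log-analysis side. The following is an added example, not Radiator's code and not part of the mailing-list thread: it walks one request's debug lines in order and reports the LogonUserNetworkMSCHAP WARNING as the root cause when it occurred, falling back to "not a member of any configured group" when no AuthBy LSA ever matched. The sample lines, timestamps, group names and user are constructed to mirror the output quoted above.

```python
import re

# Constructed samples modelled on the Radiator debug output quoted in the thread
# (placeholder timestamps, group names and user; not the list's real log).
WRONG_PASSWORD_LOG = [
    "Wed Oct 4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\\\DC, wireless-1, useraccount",
    "Wed Oct 4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [user@example.org]",
    "Wed Oct 4 13:22:23 2017: DEBUG: Checking LSA Group membership for \\\\DC, wireless-2, useraccount",
    "Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount [user@example.org]",
    "Wed Oct 4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.",
    "Wed Oct 4 13:22:23 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP-V2 Authentication failure",
    "Wed Oct 4 13:22:23 2017: INFO: Access rejected for user@example.org: EAP MSCHAP-V2 mschaptype Response in state FAILED",
]
UNKNOWN_USER_LOG = [
    "Wed Oct 4 13:30:00 2017: DEBUG: Checking LSA Group membership for \\\\DC, wireless-1, useraccount",
    "Wed Oct 4 13:30:00 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [guest@example.org]",
    "Wed Oct 4 13:30:00 2017: DEBUG: Checking LSA Group membership for \\\\DC, wireless-2, useraccount",
    "Wed Oct 4 13:30:00 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [guest@example.org]",
    "Wed Oct 4 13:30:00 2017: INFO: Access rejected for guest@example.org: EAP MSCHAP V2 failed: no such user useraccount",
]

GROUP_CHECK = re.compile(r"Checking LSA Group membership for [^,]+, ([^,]+),")
LSA_ACCEPT = re.compile(r"Radius::AuthLSA ACCEPT")
BAD_PASSWORD = re.compile(r"WARNING: Could not LogonUserNetworkMSCHAP")
FINAL_REJECT = re.compile(r"INFO: Access rejected for (\S+): (.*)$")


def classify_reject(lines):
    """Walk one request's lines in order; return a dict with the root cause, or None if no final reject."""
    groups, member_of, bad_password, current = [], None, False, None
    for line in lines:
        m = GROUP_CHECK.search(line)
        if m:
            current = m.group(1)          # group the next AuthBy LSA is about to test
            groups.append(current)
            continue
        if LSA_ACCEPT.search(line):
            member_of = current           # membership matched; the password check comes next
        elif BAD_PASSWORD.search(line):
            bad_password = True           # the only line that names the real cause
        m = FINAL_REJECT.search(line)
        if m:
            user, logged = m.group(1), m.group(2)
            if bad_password:
                cause = f"wrong password (member of {member_of})"
            elif member_of is None:
                cause = "not a member of any configured group"
            else:
                cause = logged            # nothing better known; keep Radiator's text
            return {"user": user, "logged_reason": logged, "root_cause": cause, "groups_checked": groups}
    return None
```

Run against a full debug log, split the file into per-request chunks first (e.g. on the "Handling request with Handler" line), then apply classify_reject to each chunk.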
