Hi,

> On 5 Oct 2017, at 5.11, s.schw...@lumc.nl wrote:
> 
> I have one more question while I'm at it.
> 
> After using this UseMultipleAuthBys method, I get different results from 
> what I had on my old server.
> See the result below:
> 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 
> 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Wed Oct  4 13:22:22 2017: DEBUG:  Deleting session for useracco...@lumc.nl, 
> 172.16.71.249, 0
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthHANDLER: 
> Wed Oct  4 13:22:22 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 
> 'Auth_ActiveDirectory'
> Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 
> 'Identifier=^(Handler_PEAP|Handler_TTLS|Handler_From_QManage)$', Identifier 
> 'Auth_ActiveDirectory'
> Wed Oct  4 13:22:22 2017: DEBUG:  Deleting session for useracco...@lumc.nl, 
> 172.16.71.249, 0
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthGROUP: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with 
> useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for 
> \\DomainController, eduroam-wireless, useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is 
> not a member of any Group: useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.073829
> Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such 
> user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with 
> useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for 
> \\DomainController, lumc-wireless-1, useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is 
> not a member of any Group: useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such 
> user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with 
> useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for 
> \\DomainController, lumc-wireless-2, useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is 
> not a member of any Group: useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such 
> user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with 
> useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for 
> \\DomainController, lumc-wireless-3, useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is 
> not a member of any Group: useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such 
> user useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA looks for match with 
> useraccount [useracco...@lumc.nl]
> Wed Oct  4 13:22:23 2017: DEBUG: Checking LSA Group membership for 
> \\DomainController, lumc-wireless-4, useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount 
> [useracco...@lumc.nl]

Here "useraccount" is part of the lumc-wireless-4 group.

> Wed Oct  4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 
> 3221225581, 0, The user name or password is incorrect.
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000005
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication 
> failure
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP-V2 Authentication failure

So the password is verified, and the verification fails with "REJECT, EAP MSCHAP-V2 
Authentication failure".

As the configured AuthByPolicy is ContinueWhileReject, the rest of the AuthBys in the 
AuthBy GROUP are evaluated, but as EAP-MSCHAPv2 has already failed, the rest of the 
AuthBy LSAs return "REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED".

> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype 
> Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype 
> Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000003
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype 
> Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP 
> MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 
> mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: AuthBy HANDLER result: REJECT, EAP MSCHAP-V2 
> mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: INFO: Access rejected for useracco...@lumc.nl: EAP 
> MSCHAP-V2 mschaptype Response in state FAILED
> 
> 
> While processing the multiple AuthBys and a user provided a wrong password, 
> I was used to seeing this behavior:
> Let's say the user account was part of AD group 2.
> Processing will proceed with the first couple of groups and then give this 
> result each time:
> DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: 
> useraccount [useracco...@lumc.nl]
> Once it arrived at the proper group for that user account, while the user had 
> provided the wrong password, it would say:
> WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name 
> or password is incorrect.
> After that it would continue processing the other groups again (don't see why 
> it would do this, but whatever :D) unless it was the last group check.

That's because the AuthByPolicy for the AuthBy GROUP has been configured to 
ContinueWhileReject.

> In case there were still groups left to check, it would process those and then 
> exit with the message below again:
> DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: 
> useraccount [useracco...@lumc.nl]
> 
> In my resulting logfile, the reason provided for why a user account was denied 
> access was "LSA User is not a member of any Group" instead of "The user 
> name or password is incorrect".
> 
> However I don't understand what exactly is going on now on my new setup.

Hopefully my explanation above sheds some light on the reason.

> Would it actually be possible to just stop processing entirely after it 
> encountered one "WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 
> 0, The user name or password is incorrect." message? Since that way, in my 
> resulting logfile, I would at least always see useful messages as to why an 
> authentication has been rejected (compared to having to look at the debug 
> output).
> 

The reject reason you will now see in your AuthLog is 

"EAP MSCHAP-V2 mschaptype Response in state FAILED".

If evaluating AuthBys stopped after the EAP-MSCHAPv2 password verification 
failure, the reject reason would be 

"EAP MSCHAP-V2 Authentication failure".


I tried to create an example config where group-based attributes would have been 
assigned with AuthBy FILE, which is currently the de facto method for doing that, 
but it doesn't work with EAP-MSCHAPv2, so I created a feature request for handling 
group-based attributes (such as VLAN ID assignment) in a case like this.


BR
-- 
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
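The evaluation order explained in the reply above, as a small model added here for illustration (this is not Radiator's code): the reason strings are the ones quoted in the log, the ordering of AuthBy LSA entries follows the log, and the evaluation rules, the "StopAtPasswordFailure" policy, the directory contents and the group names after lumc-wireless-4 are assumptions made for the example.

```python
# Illustrative model (written for this page, not Radiator's code) of an AuthBy GROUP
# with AuthByPolicy ContinueWhileReject wrapping a chain of AuthBy LSA entries.
# The reason strings are the ones quoted in the log above; the evaluation rules
# below are an assumption drawn from the explanation in the thread.

CONTINUE_WHILE_REJECT = "ContinueWhileReject"      # the policy used in the thread
STOP_AT_PASSWORD_FAIL = "StopAtPasswordFailure"    # hypothetical, for comparison only

# Constructed directory: user -> (password, groups the user belongs to)
DIRECTORY = {"useraccount": ("correct-pw", {"lumc-wireless-4"})}

def auth_by_lsa(group, user, password, eap, sticky_failure):
    """One AuthBy LSA: group membership check first, then the EAP-MSCHAPv2 password
    check. `eap` is the per-request EAP session state shared by every AuthBy."""
    if sticky_failure and eap["status"] == "FAILED":
        # New behaviour: the EAP session already failed earlier in this request
        return "REJECT", "EAP MSCHAP-V2 mschaptype Response in state FAILED"
    entry = DIRECTORY.get(user)
    if entry is None or group not in entry[1]:
        # Logged as "User is not a member of any Group" / "no such user"
        return "REJECT", "EAP MSCHAP V2 failed: no such user " + user
    if password != entry[0]:
        eap["status"] = "FAILED"
        return "REJECT", "EAP MSCHAP-V2 Authentication failure"
    eap["status"] = "SUCCESS"
    return "ACCEPT", ""

def auth_by_group(groups, user, password, policy=CONTINUE_WHILE_REJECT,
                  sticky_failure=True):
    """Evaluate the chain; the last AuthBy's reason is what ends up in the AuthLog."""
    eap = {"status": "OPEN"}
    result, reason = "REJECT", "no AuthBys configured"
    for group in groups:
        result, reason = auth_by_lsa(group, user, password, eap, sticky_failure)
        if result == "ACCEPT":
            break                  # ContinueWhileReject stops at the first ACCEPT
        if policy == STOP_AT_PASSWORD_FAIL and eap["status"] == "FAILED":
            break                  # the variant asked about: stop at the password failure
    return result, reason

# Group order from the log; the three names after lumc-wireless-4 are constructed
GROUPS = ["eduroam-wireless", "lumc-wireless-1", "lumc-wireless-2", "lumc-wireless-3",
          "lumc-wireless-4", "lumc-wireless-5", "lumc-wireless-6", "lumc-wireless-7"]

if __name__ == "__main__":
    for label, kwargs in [("new server, wrong password", {}),
                          ("old server, wrong password", {"sticky_failure": False}),
                          ("stop at password failure", {"policy": STOP_AT_PASSWORD_FAIL})]:
        print(label, "->", auth_by_group(GROUPS, "useraccount", "wrong-pw", **kwargs))
```

With `sticky_failure=False` the model reproduces the old server's log reason ("no such user"), because the later AuthBy LSAs retry the group check instead of seeing the failed EAP state.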

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator