Hello,

The problem here was that the LEAP identity being sent by the client was [EMAIL PROTECTED], and although you had a RewriteUsername to rewrite the Radius user name it had no effect on the LEAP identity.
We have now posted a patch so that RewriteUsername also affects the LEAP identity. That should fix your problem. The new version of EAP_17.pm has also been attached. Please let us know how you get on.

Cheers.

On Mon, 10 Nov 2003 01:17 pm, [EMAIL PROTECTED] wrote:
> Hi everyone,
>
> I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2) and LEAP.
> But I have a problem with LEAP (everything looks OK with PEAP) and
> can't see what is incorrect.
>
>
> (Prerequisite (summary))
> 1. Radiator server version is 3.7.1 with the newest(?) patches applied
>    (downloaded on 21 Oct.)
> 2. Clients are using Funk Odyssey Client 2.22 and Windows XP Home-Edition
> 3. Username includes "@domain-suffix"
>    (When "@domain-suffix" is excluded from Username, the test passes)
> 4. User-Authentication is using DBFile.
> 5. The config file is as below.
> -------------------------------------------------------------------
> #Foreground
> #LogStdout
> LogDir /var/log
> #DbDir /etc/raddb
> AuthPort 1812
> AcctPort 1813
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> # Use a lower trace level in production systems:
> Trace 4
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client aaa.bbb.ccc.ddd>
>         Secret test
>         DupInterval 0
>         RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         #<AuthBy FILE>
>         <AuthBy DBFILE>
>                 Filename /etc/raddb/users
>                 RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
>                 # This tells the PEAP client what types of inner EAP requests
>                 # we will honour
>                 EAPType PEAP,MSCHAP-V2
>         </AuthBy>
> </Handler>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
> <Handler>
>         #<AuthBy FILE>
>         <AuthBy DBFILE>
>                 # The username of the outer authentication
>                 # must be in this file to get anywhere. In this example,
>                 # it requires an entry for 'anonymous' which is the standard username
>                 # in the outer requests, and it also requires an entry for the
>                 # actual user name who is trying to connect (ie the 'Login name' entered
>                 # in the Funk Odyssey 'Edit Profile Properties' page
>                 Filename /etc/raddb/users
>                 RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the default
>                 # (most preferred) type given first
>                 EAPType PEAP,MSCHAP-V2,LEAP
>
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA certificates
>                 # Radiator will first look in EAPTLS_CAFile then in
>                 # EAPTLS_CAPath, so there usually is no need to set both
>                 EAPTLS_CAFile /home/test/ca/ca2.pem
>
>                 # EAPTLS_CAPath is the name of a directory containing CA
>                 # certificates in PEM format. The files each contain one
>                 # CA certificate. The files are looked up by the CA
>                 # subject name hash value
>                 EAPTLS_CAPath /home/test/ca
>
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # the servers certificate. EAPTLS_CertificateType
>                 # specifies the type of the file. Can be PEM or ASN1
>                 # defaults to ASN1
>                 EAPTLS_CertificateFile /home/test/ca/cert2.pem
>                 EAPTLS_CertificateType PEM
>
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the servers private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 EAPTLS_PrivateKeyFile /home/test/ca/key2.pem
>                 EAPTLS_PrivateKeyPassword test1234
>
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
>                 # EAPTLS_RandomFile %D/certificates/random
>
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # enough to fit in a single Radius request (ie less than 4096)
>                 # and still leave enough space for other attributes
>                 # Aironet APs seem to need a smaller MaxFragmentSize
>                 # (eg 1024) than the default of 2048. Others need even smaller sizes.
>                 EAPTLS_MaxFragmentSize 1024
>
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
>                 # EAPTLS_DHFile %D/certificates/cert/dh
>
>
>                 # If EAPTLS_CRLCheck is set and the client presents a certificate
>                 # then Radiator will look for a certificate revocation list (CRL)
>                 # for the certificate issuer
>                 # when authenticating each client. If a CRL file is not found, or
>                 # if the CRL says the certificate has been revoked, the authentication will
>                 # fail with an error:
>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                 # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #   the hash of the issuer subject name
>                 #   and a suffix that depends on the serial number.
>                 #   eg ab1331b2.r0, ab1331b2.r1 etc.
>                 # You can find out the hash of the issuer name in a CRL with
>                 #   openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 # certificates directory typically /usr/local/openssl/certs/
>                 # CRLs are expected to be in PEM format.
>                 # A CRL file can be generated with openssl like this:
>                 #   openssl ca -gencrl -revoke cert-clt.pem
>                 #   openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>                 # Some clients, depending on their configuration, may require you to specify
>                 # MPPE send and receive keys. This _will_ be required if you select
>                 # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>                 # client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
>
>                 # You can enable some warning messages from the Net::SSLeay
>                 # module by setting SSLeayTrace to an integer from 1 to 4
>                 # 1=ciphers, 2=trace, 3=dump data
>                 SSLeayTrace 4
>
>                 # You can configure the User-Name that will be used for the inner
>                 # authentication. Defaults to 'anonymous'. This can be useful
>                 # when proxying the inner authentication. If there is a realm, it can
>                 # be used to choose a local Realm to handle the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous [EMAIL PROTECTED]
>
>                 # You can enable or disable support for TTLS Session Resumption and
>                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>                 # Default is enabled
>                 #EAPTLS_SessionResumption 0
>
>                 # You can limit how long after the initial session that a session can be resumed
>                 # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>                 # (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>
>                 # You can control which version of the draft PEAP protocol to honour
>                 # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>                 # such as Funk Odyssey Client 2.22 or later.
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
> -------------------------------------------------------------------
>
>
> (Results)
> Details below.
> -------------------------------------------------------------------
> Sat Nov 8 15:27:19 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
> Sat Nov 8 15:27:19 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Sat Nov 8 15:27:19 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
> Sat Nov 8 15:27:20 2003: DEBUG: Creating authentication port 0.0.0.0:1812
> Sat Nov 8 15:27:20 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> Sat Nov 8 15:27:20 2003: NOTICE: Server started: Radiator 3.7.1 on test1.test.com
> Sat Nov 8 15:29:32 2003: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 1457 ....
> Code:       Access-Request
> Identifier: 158
> Authentic:  -<130>b9<143>i<175>M<223><16><179>r<2>l<223><30>
> Attributes:
>         User-Name = "[EMAIL PROTECTED]"
>         cisco-avpair = "ssid=TEST-SPOT"
>         NAS-IP-Address = aaa.bbb.ccc.ddd
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b41"
>         NAS-Identifier = "Test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><20><0><27><1>[EMAIL PROTECTED]
>         Message-Authenticator = <248>6<152>4<171><26><244><210>c3%1z<151>S<152>
>
> Sat Nov 8 15:29:32 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov 8 15:29:32 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov 8 15:29:32 2003: DEBUG: Handling request with Handler ''
> Sat Nov 8 15:29:32 2003: DEBUG: Deleting session for [EMAIL PROTECTED], aaa.bbb.ccc.ddd, 37
> Sat Nov 8 15:29:32 2003: DEBUG: Handling with Radius::AuthDBFILE:
> Sat Nov 8 15:29:32 2003: DEBUG: Handling with EAP: code 2, 20, 27
> Sat Nov 8 15:29:32 2003: DEBUG: Response type 1
> Sat Nov 8 15:29:33 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Nov 8 15:29:33 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> Sat Nov 8 15:29:33 2003: DEBUG: Packet dump:
> *** Sending to aaa.bbb.ccc.ddd port 1457 ....
> Code:       Access-Challenge
> Identifier: 158
> Authentic:  -<130>b9<143>i<175>M<223><16><179>r<2>l<223><30>
> Attributes:
>         EAP-Message = <1><21><0><6><25>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Nov 8 15:29:33 2003: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 1458 ....
> Code:       Access-Request
> Identifier: 159
> Authentic:  r<216><178><194><202>|<15><129>bdj<165><236>G<139><173>
> Attributes:
>         User-Name = "[EMAIL PROTECTED]"
>         cisco-avpair = "ssid=TEST-SPOT"
>         NAS-IP-Address = aaa.bbb.ccc.ddd
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b41"
>         NAS-Identifier = "Test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><21><0><6><3><17>
>         Message-Authenticator = <221><216><210><166><187><199>Y<229>%<185>)<247><255><199><246><158>
>
> Sat Nov 8 15:29:33 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov 8 15:29:33 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov 8 15:29:33 2003: DEBUG: Handling request with Handler ''
> Sat Nov 8 15:29:33 2003: DEBUG: Deleting session for [EMAIL PROTECTED], aaa.bbb.ccc.ddd, 37
> Sat Nov 8 15:29:33 2003: DEBUG: Handling with Radius::AuthDBFILE:
> Sat Nov 8 15:29:33 2003: DEBUG: Handling with EAP: code 2, 21, 6
> Sat Nov 8 15:29:33 2003: DEBUG: Response type 3
> Sat Nov 8 15:29:33 2003: INFO: EAP Nak desires type 17
> Sat Nov 8 15:29:33 2003: DEBUG: EAP result: 3, EAP LEAP Challenge
> Sat Nov 8 15:29:33 2003: DEBUG: Access challenged for nagataki: EAP LEAP Challenge
> Sat Nov 8 15:29:33 2003: DEBUG: Packet dump:
> *** Sending to aaa.bbb.ccc.ddd port 1458 ....
> Code:       Access-Challenge
> Identifier: 159
> Authentic:  r<216><178><194><202>|<15><129>bdj<165><236>G<139><173>
> Attributes:
>         EAP-Message = <1><22><0>&<17><1><0><8><202>|<190><158><214><153>"<182>na [EMAIL PROTECTED]
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Nov 8 15:29:45 2003: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 1459 ....
> Code:       Access-Request
> Identifier: 160
> Authentic:  <6>(<20>/<242>]<189>/<180><153><157><156>5<192><131><11>
> Attributes:
>         User-Name = "[EMAIL PROTECTED]"
>         cisco-avpair = "ssid=TEST-SPOT"
>         NAS-IP-Address = aaa.bbb.ccc.ddd
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b41"
>         NAS-Identifier = "Test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><22><0>6<17><1><0><24><169><153><196>f<169>%up<188>s<193><199><129>v<162><136><186><174><127><217><152>O<197><181>[EMAIL PROTECTED]m
>         Message-Authenticator = y<4><235>[EMAIL PROTECTED]<178><189>E<128>%<135>#<244><157>
>
> Sat Nov 8 15:29:45 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov 8 15:29:45 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov 8 15:29:45 2003: DEBUG: Handling request with Handler ''
> Sat Nov 8 15:29:45 2003: DEBUG: Deleting session for [EMAIL PROTECTED], aaa.bbb.ccc.ddd, 37
> Sat Nov 8 15:29:45 2003: DEBUG: Handling with Radius::AuthDBFILE:
> Sat Nov 8 15:29:45 2003: DEBUG: Handling with EAP: code 2, 22, 54
> Sat Nov 8 15:29:45 2003: DEBUG: Response type 17
> Sat Nov 8 15:29:45 2003: DEBUG: Radius::AuthDBFILE looks for match with nagatak [EMAIL PROTECTED]
> Sat Nov 8 15:29:45 2003: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user [EMAIL PROTECTED]
> Sat Nov 8 15:29:45 2003: INFO: Access rejected for nagataki: EAP MSCHAP V2 failed: no such user [EMAIL PROTECTED]
> Sat Nov 8 15:29:45 2003: DEBUG: Packet dump:
> *** Sending to aaa.bbb.ccc.ddd port 1459 ....
> Code:       Access-Reject
> Identifier: 160
> Authentic:  <6>(<20>/<242>]<189>/<180><153><157><156>5<192><131><11>
> Attributes:
>         EAP-Message = <4><22><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
> -------------------------------------------------------------------
>
> What causes the problems?
>
> So I need your help to resolve the problems.
> Please give me any ideas.
>
> Thank you in advance.
>
> Best Regards.
>
> Masa
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
# EAP_17.pm
#
# Module for handling Authentication via EAP type 17 (Cisco LEAP)
# based on LEAP protocol description at
# http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 2003 Open System Consultants
# $Id: EAP_17.pm,v 1.3 2003/07/19 00:54:09 mikem Exp mikem $
#
package Radius::EAP_17;
use Radius::MSCHAP;
use Radius::Context;
use Radius::Util;   # for random_string()
use Digest::MD5;
use strict;

$Radius::EAP::EAP_17::proto_version = 1;

#####################################################################
# request
# Called by EAP.pm when a request is received for this protocol type
sub request
{
    my ($classname, $self, $context, $p, $type, $typedata) = @_;

    # This should be a request containing the 8 octet AP challenge.
    # Generate an accept containing the AP response and session key
    my ($protocol, $unused, $count) = unpack('C C C', $typedata);
    return ($main::REJECT, 'EAP LEAP unsupported version')
	unless $protocol == $Radius::EAP::EAP_17::proto_version;

    my ($apc, $name) = unpack("x x x a$count a*", $typedata);

    # Look the user up by the same (rewritten) identity that response()
    # used, otherwise a RewriteUsername that strips the realm would
    # succeed there and fail here. leap_identity is saved by response().
    my $identity = defined $context->{leap_identity}
	? $context->{leap_identity} : $context->{identity};
    my ($user, $result, $reason) = $self->get_user($identity, $p);
    if (!$user || $result != $main::ACCEPT)
    {
	$self->eap_failure($p->{rp}, $context);
	return ($main::REJECT, "EAP LEAP failed: no such user $identity");
    }

    my $apr = &Radius::MSCHAP::ChallengeResponse($apc, $context->{leap_session_key});
    my $message = pack('C C C C a24 a*',
		       $Radius::EAP::EAP_TYPE_LEAP,
		       $Radius::EAP::EAP_17::proto_version,
		       0,    # Unused
		       24,   # response bytecount
		       $apr, # 24 octets
		       $name);
    $self->eap_reply($p->{rp}, $context, $Radius::EAP::EAP_CODE_RESPONSE, $message);

    # session key
    my $md5digest = Digest::MD5::md5
	($context->{leap_session_key}
	 . $apc
	 . $apr
	 . $context->{leap_peer_challenge}
	 . $context->{leap_peer_response});
    my $sk = $p->encode_mppe_key($md5digest, $p->{Client}->{Secret});
    $p->{rp}->add_attr('cisco-avpair', "leap:session-key=$sk");

    return ($main::ACCEPT, 'EAP LEAP Accept');
}

#####################################################################
# Called by EAP.pm when an EAP Response/Identity is received
# $self is ref to the current AuthBy
sub response_identity
{
    my ($classname, $self, $context, $p) = @_;

    # Send 8 octet Peer Challenge, should get Response with the Peer response
    # in it next.
    $context->{leap_peer_challenge} = &Radius::Util::random_string(8);
    my $message = pack('C C C a8 a*',
		       $Radius::EAP::EAP_17::proto_version,
		       0, # Unused
		       8, # challenge bytecount
		       $context->{leap_peer_challenge}, # 8 octets
		       $context->{identity});
    $self->eap_request($p->{rp}, $context, $Radius::EAP::EAP_TYPE_LEAP, $message);
    return ($main::CHALLENGE, 'EAP LEAP Challenge');
}

#####################################################################
# Called by EAP.pm when an EAP Response (other than Identity)
# is received
sub response
{
    my ($classname, $self, $context, $p, $type, $typedata) = @_;

    # This should be the Peer response to the Peer Challenge sent before.
    # The context holds the previous Peer challenge
    my ($protocol, $unused, $count) = unpack('C C C', $typedata);
    return ($main::REJECT, 'EAP LEAP unsupported version')
	unless $protocol == $Radius::EAP::EAP_17::proto_version;

    my ($peer_response, $name) = unpack("x x x a$count a*", $typedata);

    # Apply the same realm stripping and RewriteUsername rules to the
    # EAP identity that are applied to the Radius User-Name
    my $identity = $context->{identity};
    $identity =~ s/@[EMAIL PROTECTED]// if $self->{UsernameMatchesWithoutRealm};
    if (defined $self->{RewriteUsername})
    {
	my $rule;
	foreach $rule (@{$self->{RewriteUsername}})
	{
	    # We use an eval so an error in the pattern wont kill us.
	    eval("\$identity =~ $rule");
	    &main::log($main::LOG_ERR, "Error while rewriting identity $identity: $@")
		if $@;
	    &main::log($main::LOG_DEBUG, "Rewrote identity to $identity");
	}
    }
    $context->{leap_identity} = $identity; # Reused by request() for the AP challenge

    my ($user, $result, $reason) = $self->get_user($identity, $p);
    if (!$user || $result != $main::ACCEPT)
    {
	$self->eap_failure($p->{rp}, $context);
	return ($main::REJECT, "EAP LEAP failed: no such user $identity");
    }

    # Got a user record for this user. Need the plaintext password now
    my $password = $self->get_plaintext_password($user);
    my $usersessionkey; # Returned by check_mschap
    my $check_result = $self->check_mschap
	($p, $context->{identity}, $password,
	 $context->{leap_peer_challenge}, $peer_response, \$usersessionkey);
    if ($check_result)
    {
	# Peer response is correct, issue accept.
	# Should get a request with the AP challenge next
	$context->{leap_peer_response} = $peer_response; # Need this later for MPPE keys
	$context->{leap_session_key} = $usersessionkey;  # Need this later for MPPE keys
	$self->eap_success($p->{rp}, $context);
	return ($main::ACCEPT);
    }
    else
    {
	# Peer response is incorrect, issue Reject/EAP Failure
	$self->eap_failure($p->{rp}, $context);
	return ($main::REJECT, 'Bad LEAP Password');
    }
}
1;
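To see why a RewriteUsername on the Radius User-Name left the LEAP name untouched, here is an added example (not Radiator's code) that decodes Radiator's packet-dump notation for EAP-Message and pulls the identity out of the LEAP type-data; the dumps are constructed to mirror the log above (same ids and challenge octets) and the identity nagataki@example.com is invented.

```python
"""Added example (not Radiator code): decode Radiator's packet-dump notation for
EAP-Message and pull the identity out of the LEAP type-data.  Trace 4 dumps print
printable ASCII as-is and every other octet as <decimal>.  The dumps below are
constructed to mirror the thread's log; the identity nagataki@example.com is invented."""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_LEAP = 1, 3, 17

IDENTITY_DUMP = "<2><20><0><25><1>nagataki@example.com"   # EAP Response/Identity
NAK_DUMP = "<2><21><0><6><3><17>"                         # client Naks PEAP, wants type 17
CHALLENGE_DUMP = ('<1><22><0>$<17><1><0><8>'              # '$' is the length octet (36)
                  '<202>|<190><158><214><153>"<182>'      # 8-octet peer challenge
                  'nagataki@example.com')                # name the server echoes back

_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)

def undump(text):
    """Turn Radiator's '<n>' / literal-character notation back into raw bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

def parse_eap(raw):
    """Parse one EAP packet (RFC 3748 header) and decode Identity, Nak and LEAP bodies.
    LEAP type-data is version(1) unused(1) count(1) payload(count) name(rest), the
    layout EAP_17.pm unpacks with 'C C C' and "x x x a$count a*"."""
    if len(raw) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length > len(raw):
        raise ValueError("EAP length %d exceeds %d octets present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                    # Success/Failure carry no type octet
        return pkt
    pkt["type"] = raw[4]
    body = raw[5:length]
    if pkt["type"] == EAP_TYPE_IDENTITY:
        pkt["identity"] = body.decode("ascii", "replace")
    elif pkt["type"] == EAP_TYPE_NAK:
        pkt["desired"] = list(body)       # EAP types the peer would accept instead
    elif pkt["type"] == EAP_TYPE_LEAP:
        version, _unused, count = struct.unpack("!BBB", body[:3])
        pkt.update(version=version, count=count, payload=body[3:3 + count],
                   name=body[3 + count:].decode("ascii", "replace"))
    return pkt

def identity_mismatch(radius_user_name, eap_dump):
    """Compare the RADIUS User-Name (possibly rewritten by RewriteUsername) with the
    name carried inside the EAP payload, which RewriteUsername does not touch."""
    pkt = parse_eap(undump(eap_dump))
    name = pkt.get("name", pkt.get("identity"))
    return name, name != radius_user_name
```

The same parser handles the client's LEAP Response (count 24, the peer response) and shows the full identity with realm that the unpatched module passed to get_user while the User-Name had already been rewritten to nagataki.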
