On 08/02/2011 01:39 PM, Roel Hoek wrote:

Hello Roel,

> I changed the config as proposed. The <AuthBy LDAP2> is handled with success,
> but the second handler, <AuthBy FILE> fails again.
> (AuthFILE REJECT: No such user: [email protected] [[email protected]])
> EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and
> no handler can be found.

Can you do the following:

o EAPAnonymous %0
o Change the PEAP inner Handler to this:

<Handler Realm=/^(|utwente.test2)$/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>

The change is to allow both an empty realm and utwente.test2. Since the first
EAP request establishes the identity, the first inner request will be empty.
After that, when the identity is known, the realm can be looked up from the
identity.

If you do not want to allow an empty realm, you can add an inner Handler that
allows an empty realm and has a (possibly dummy) AuthBy that is willing to do
EAP. That will match the identity exchange and your current handler can then
take care of the actual authentication.

Please let us know if this works.

Thanks!

> Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
> Identifier 'PEAP-inner-utwente-test2'
> Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
> Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
> Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
> Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
> Tue Aug 2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
> Tue Aug 2 11:41:05 2011: INFO: Attempting to bind to LDAP server
> oid.utwente.nl:389
> Tue Aug 2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
> Tue Aug 2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
> Tue Aug 2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with
> d3126217 [[email protected]]
> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217
> [[email protected]]
> Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
> Success
> Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP
> V2 Challenge: Success
> Tue Aug 2 11:41:05 2011: DEBUG: Access challenged for [email protected]:
> EAP MSCHAP V2 Challenge: Success
> Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Challenge
> .
> .
> .
>
> Code: Access-Request
> Identifier: UNDEF
> Authentic: N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
> Attributes:
> EAP-Message = <2><2><0><6><26><3>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
>
> Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
> Identifier 'PEAP-inner-utwente-test2'
> Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
> Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 0,
> Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE:
> add-vlan-attributes
> Tue Aug 2 11:41:05 2011: DEBUG: Reading users file
> /etc/radiator//users-wlan-peap_v3
> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with
> [email protected] [[email protected]]
> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user:
> [email protected] [[email protected]]
> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT [[email protected]]
> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT
> [[email protected]]
> Tue Aug 2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Aug 2 11:41:05 2011: DEBUG: Access accepted for [email protected]
> Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Accept
>
>
> -----------------------------------------------------------------------------------------------------------------
> # WLAN (utwente.test2) inner authentication (PEAP)
> #
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>         AuthByPolicy ContinueWhileAccept
>         AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>         <AuthBy LDAP2>
>                 Identifier productieoid-peap
>                 EAPType MSCHAP-V2
>                 # Rest of the config
>                 Version 2
>                 Host <.>
>                 BindAddress <.>
>                 FailureBackoffTime 10
>                 AuthDN <.>
>                 AuthPassword <.>
>                 BaseDN <.>
>                 RcryptKey <.>
>                 RewriteUsername s/^([^@]+).*/$1/
>                 RewriteUsername s/^\s*//
>                 RewriteUsername s/\s*$//
>                 UsernameAttr <.>
>                 PasswordAttr <.>
>                 AuthAttrDef orclisenabled, OIDactive, request
>         </AuthBy>
>
>         <AuthBy FILE>
>                 Identifier add-vlan-attributes
>                 Filename %D/users-wlan-peap_v3
>                 NoCheckPassword
>                 NoEAP
>         </AuthBy>
>         AuthLog authlogging-wlan-peap
>         Identifier PEAP-inner-utwente-test2
>         Description WLAN
>         AuthLog authlogging-tent
>
> </Handler>
> -----------------------------------------------------------------------------------------------------------------
> users-wlan-peap_v3:
>
> DEFAULT
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:125
>
> d3126217
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:131,
>         Login-LAT-Group = "qnet"
>
> .
> .
> .
>
>
> On 2011-08-01 22:42, Heikki Vatiainen wrote:
>> On 08/01/2011 02:44 PM, Roel Hoek wrote:
>
>> Hello Roel,
>
>>> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
>>> Now, indeed, the user-name/identity is found in the users-file, and is
>>> found in the LDAP-server, but now failed on EAP MSCHAP V2 (no
>>> such user???)
>
>> Hmm, I was able to recreate this with two simple AuthBy FILEs too.
>> However, I did not dig deeper to see why it fails.
>
>>> This has, I think, something to do with mschapv2 needing the whole
>>> username including the realm for the challenge and response. This works
>>> with 'NoEAP', but not with EAPType MSCHAP-V2.
>
>> Can you restructure your configuration a little? The restructure would
>> put two AuthBys into the PEAP inner Handler. The first does EAP and is
>> the LDAP check while the second gets the attributes from the file after
>> a successful LDAP check.
>
>> Something like this should do it:
>
>> # WLAN (utwente.test2) inner authentication (PEAP)
>> #
>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>         AuthByPolicy ContinueWhileAccept
>>         <AuthBy LDAP2>
>>                 Identifier productieoid-peap
>>                 EAPType MSCHAP-V2
>>                 # Rest of the config
>>         </AuthBy>
>>         <AuthBy FILE>
>>                 Identifier add-vlan-attributes
>>                 Filename %D/users-wlan-peap
>>                 NoCheckPassword
>>                 NoEAP
>>         </AuthBy>
>
>>         # Rest of the Handler
>> </Handler>
>
>> The file users-wlan-peap would be the same as currently but without the
>> Auth-Type check items:
>
>> d3126217
>>         Tunnel-Type = 1:VLAN,
>>         Tunnel-Medium-Type = 1:Ether_802,
>>         Tunnel-Private-Group-ID = 1:131,
>>         Login-LAT-Group = "qnet"
>
>> # Rest of users-wlan-peap
>
>> This should still collect the user specific VLAN attributes but
>> otherwise do the authentication the same for all users.
>
>> Please let us know how this works.
>
>> Thanks!
>> Heikki
>
>
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
>>> Attributes:
>>> EAP-Message =
>>> <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
>>> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>[email protected]
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> NAS-IP-Address = 172.31.178.10
>>> NAS-Identifier = "wlc-1"
>>> NAS-Port = 13
>>> Calling-Station-Id = "00271026a434"
>>> User-Name = "[email protected]"
>>>
>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling request with Handler
>>> 'Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
>>> Identifier 'PEAP-inner-utwente-test2'
>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>> Mon Aug 1 12:15:31 2011: DEBUG: Reading users file
>>> /etc/radiator//users-wlan-peap
>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with
>>> d3126217 [[email protected]]
>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2:
>>> productieoid-peap
>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>> Mon Aug 1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
>>> Mon Aug 1 12:15:31 2011: INFO: Attempting to bind to LDAP server
>>> oid.utwente.nl:389
>>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217,
>>> ou=Employees, cn=Users, o=university of twente,c=nl
>>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
>>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with
>>> d3126217 [[email protected]]
>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217
>>> [[email protected]]
>>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
>>> Success
>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2
>>> Challenge: Success: d3126217 [[email protected]]
>>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
>>> such user d3126217
>>> Mon Aug 1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2
>>> failed: no such user d3126217
>>> Mon Aug 1 12:15:31 2011: INFO: Access rejected for [email protected]:
>>> EAP MSCHAP V2 failed: no such user d3126217
>>> Mon Aug 1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code: Access-Reject
>>>
>>>
>>> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>>>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
>>>
>>>>> Thanks for your comment. Although it did not work.
>>>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can
>>>>> be found.
>>>
>>>> Unfortunately that's true. Taking another look at the configuration, the
>>>> reason for this is the NoEAP option. Since EAP is not run for the inner
>>>> authentication, the EAP identity will not be available.
>>>
>>>> Going back to your original configuration, would replacing "NoEAP" with
>>>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
>>>
>>>> Thanks!
>>>> Heikki
>>>
>>>
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler
>>>>> 'Realm=/utwente.test|utwente.test2/,
>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>>>> Code: Access-Request
>>>>> Identifier: UNDEF
>>>>> Authentic:
>>>>> <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>>>> Attributes:
>>>>> EAP-Message = <2><0><0><27><1>[email protected]
>>>>> Message-Authenticator =
>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>> NAS-IP-Address = 172.31.178.10
>>>>> NAS-Identifier = "wlc-1"
>>>>> NAS-Port = 13
>>>>> Calling-Station-Id = "00271026a434"
>>>>> User-Name = ""
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner
>>>>> authentication
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler
>>>>> for PEAP inner authentication
>>>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for
>>>>> [email protected]: No Handler for PEAP inner authentication
>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>>>> *** Sending to 172.31.178.10 port 32770 ....
>>>>> Code: Access-Reject
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>>         AuthByPolicy ContinueWhileReject
>>>>>         AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>>>         <AuthBy FILE>
>>>>>                 RewriteUsername s/^([^@]+).*/$1/
>>>>>                 RewriteUsername s/^\s*//
>>>>>                 RewriteUsername s/\s*$//
>>>>>                 Filename %D/users-wlan-peap
>>>>>                 NoEAP
>>>>>         </AuthBy>
>>>>>         AuthLog authlogging-wlan-peap
>>>>>         Identifier PEAP-inner-utwente-test2
>>>>>         Description WLAN
>>>>>         AuthLog authlogging-tent
>>>>> </Handler>
>>>>>
>>>>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>>>         <AuthBy FILE>
>>>>>                 EAPType TTLS,PEAP
>>>>>                 EAPTLS_CAFile
>>>>>                 EAPTLS_CertificateFile
>>>>>                 EAPTLS_CertificateType PEM
>>>>>                 EAPTLS_PrivateKeyFile
>>>>>                 EAPTLS_PrivateKeyPassword
>>>>>                 EAPTLS_MaxFragmentSize 1024
>>>>>                 EAPTLS_SessionResumption 0
>>>>>                 AutoMPPEKeys
>>>>>                 EAPTLS_PEAPBrokenV1Label
>>>>>                 EAPTTLS_NoAckRequired
>>>>>                 # %U (and %u (with realm)) are the Inner-auth username for PEAP
>>>>>                 #EAPAnonymous %u
>>>>>                 EAPAnonymous %0
>>>>>         </AuthBy>
>>>>>         AuthLog authlogging-wlan
>>>>>         Identifier WLAN-OUTER-TEST
>>>>>         Description WLAN
>>>>>         AuthLog authlogging-tent
>>>>> </Handler>
>>>>>
>>>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>>>
>>>>>> Hello Roel,
>>>>>
>>>>>>> We experience a problem with a handler for authenticating wireless-lan
>>>>>>> users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>>>>> the outer and inner identity are not equal (normal situation).
>>>>>>> It looks like the userfile is searched by the outer-identity, although
>>>>>>> the inner-identity is used for authentication via LDAP.
>>>>>
>>>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>>>
>>>>>> Your inner Handler has an AuthBy FILE clause with NoEAP. Radiator will then
>>>>>> use the User-Name attribute instead of the EAP Identity to do the authentication.
>>>>>
>>>>>> With EAPAnonymous you can set the inner request User-Name the same as
>>>>>> the EAP Identity.
>>>>>
>>>>>> Please let us know if this works for you.
>>>>>
>>>>>> Thanks!
>>>>>> Heikki
>>>>>
>>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> [email protected]
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>
>

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
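The following Python model is an added illustration of the Handler-selection point in Heikki's reply above; it is not Radiator code and not part of the thread. It assumes the Radiator conventions that a request's realm is the text after "@" in User-Name (empty when there is none), that Realm=/.../ is matched as a regex while any other value is an exact match, and that AuthBy FILE falls back to the DEFAULT entry, and it uses a constructed copy of the users-wlan-peap_v3 file from the thread.

```python
import re

# Constructed copy of the users-wlan-peap_v3 format from the thread: a username
# line, then indented reply attributes (trailing commas), DEFAULT as fallback.
USERS_FILE = """\
DEFAULT
\tTunnel-Type = 1:VLAN,
\tTunnel-Medium-Type = 1:Ether_802,
\tTunnel-Private-Group-ID = 1:125

d3126217
\tTunnel-Type = 1:VLAN,
\tTunnel-Medium-Type = 1:Ether_802,
\tTunnel-Private-Group-ID = 1:131,
\tLogin-LAT-Group = "qnet"
"""

def parse_users(text):
    """Parse the users file into {name: {attr: value}} (reply items only)."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line = new username
            current = users.setdefault(line.strip(), {})
        else:
            attr, value = line.strip().rstrip(",").split("=", 1)
            current[attr.strip()] = value.strip().strip('"')
    return users

def realm_of(user_name):
    """Assumed Radiator rule: realm is the text after the last '@', else ''."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else ""

def handler_matches(realm_spec, user_name):
    """Handler Realm=/regex/ is a regex match; any other value is exact text."""
    realm = realm_of(user_name)
    if len(realm_spec) > 1 and realm_spec[0] == realm_spec[-1] == "/":
        return re.search(realm_spec[1:-1], realm) is not None
    return realm == realm_spec

def inner_exchange(realm_spec, identity):
    """The two inner PEAP requests the thread describes: the identity exchange
    arrives with an empty User-Name, the MSCHAP-V2 round carries the identity.
    Returns whether the Handler would be selected for each of the two."""
    return [handler_matches(realm_spec, u) for u in ("", identity)]

def lookup_attrs(users, user_name):
    """AuthBy FILE behaviour seen in the log: exact user, then DEFAULT."""
    entry = users.get(user_name, users.get("DEFAULT"))
    return dict(entry) if entry is not None else None
```

With the original `Realm=utwente.test2` the identity-exchange request gets no Handler, while `Realm=/^(|utwente.test2)$/` matches both requests; the lookup shows why a user whose name is not found still receives the DEFAULT VLAN.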
