On 08/03/2011 06:22 PM, Roel Hoek wrote:

Hello Roel,

> I changed the Handler Realm match as specified and changed EAPAnonymous to
> %0. Now the right handler handles the request and the
> username/identity is found by AuthBy FILE (after stripping off the realm).
> So it works now!
> I also added an extra Handler to handle PEAP when no identity is known yet.

Good to hear it works. About the extra handler: if someone leaves out the
@realm part and uses just the username for the inner identity, then the
whole authentication is done using the extra Handler. I did not try the
code but I'd say this is what would happen. The default Filename is
%D/users, so you may want to check if the extra Handler does what you
expect with realmless identities.

Thanks!

> Thanks for your help!
>
> <Handler Realm=/^$/,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>     <AuthBy FILE>
>         Identifier PEAP-inner-without-realm
>         EAPType MSCHAP-V2
>         NoCheckPassword
>     </AuthBy>
> </Handler>
>
> <Handler Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>     AuthByPolicy ContinueWhileAccept
>     RewriteUsername s/^([^@]+).*/$1/
>     RewriteUsername s/^\s*//
>     RewriteUsername s/\s*$//
>
>     <AuthBy LDAP2>
>         Identifier PEAP-inner-productieoid-peap
>         EAPType MSCHAP-V2
>         # Rest of the config
>     </AuthBy>
>     <AuthBy FILE>
>         Identifier add-vlan-attributes
>         Filename %D/users-wlan-peap_v3
>         NoCheckPassword
>         NoEAP
>     </AuthBy>
> </Handler>
>
> --------------------------------------------------------------------------------------------------------------
>
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <232><174><210><229>+M<192> <152>L<148><31>.o!T
> Attributes:
> EAP-Message = <2><0><0><27><1>[email protected]
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = ""
>
> Wed Aug 3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=/^$/,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
> Identifier ''
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE:
> PEAP-inner-without-realm
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 0, 27, 1
> Wed Aug 3 17:15:24 2011: DEBUG: Response type 1
> Wed Aug 3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Wed Aug 3 17:15:24 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2
> Challenge
> Wed Aug 3 17:15:24 2011: DEBUG: Access challenged for : EAP MSCHAP-V2
> Challenge
> Wed Aug 3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Challenge
> .
> .
> .
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <150><207><169><232>HP-<233><201><25><185><247>E<129><207>"
> Attributes:
> EAP-Message =
> <2><1><0>Q<26><2><1><0>L1qwo<236><185><7><241>b@p<169><10><221><136>r<186><0><0><0><0><0><0><0><0><248><150>m<239><163><133>L!<219>G'<199><240>Vt<131><21><251><193>S<245><18><224><155><0>[email protected]
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
>
> Wed Aug 3 17:15:24 2011: DEBUG: Handling request with Handler
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
> Identifier 'PEAP-inner-utwente-test2'
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Wed Aug 3 17:15:24 2011: DEBUG: Response type 26
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug 3 17:15:24 2011: INFO: Connecting to oid.utwente.nl:389
> Wed Aug 3 17:15:24 2011: INFO: Attempting to bind to LDAP server <.>
> Wed Aug 3 17:15:24 2011: DEBUG: LDAP got result for uid=d3126217, <.>
> Wed Aug 3 17:15:24 2011: DEBUG: LDAP got chappassword: <.>
> Wed Aug 3 17:15:24 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Wed Aug 3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 looks for match with
> d3126217 [[email protected]]
> Wed Aug 3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217
> [[email protected]]
> Wed Aug 3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
> Success
> Wed Aug 3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP
> V2 Challenge: Success
> Wed Aug 3 17:15:24 2011: DEBUG: Access challenged for d3126217: EAP MSCHAP
> V2 Challenge: Success
> Wed Aug 3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Challenge
> .
> .
> .
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
> Attributes:
> EAP-Message = <2><2><0><6><26><3>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
>
> Wed Aug 3 17:15:24 2011: DEBUG: Handling request with Handler
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
> Identifier 'PEAP-inner-utwente-test2'
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Wed Aug 3 17:15:24 2011: DEBUG: Response type 26
> Wed Aug 3 17:15:24 2011: DEBUG: EAP result: 0,
> Wed Aug 3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Wed Aug 3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE:
> add-vlan-attributes
> Wed Aug 3 17:15:24 2011: DEBUG: Reading users file
> /etc/radiator//users-wlan-peap_v3
> Wed Aug 3 17:15:24 2011: DEBUG: Radius::AuthFILE looks for match with
> d3126217 [[email protected]]
> Wed Aug 3 17:15:24 2011: DEBUG: Radius::AuthFILE ACCEPT: : d3126217
> [[email protected]]
> Wed Aug 3 17:15:24 2011: DEBUG: AuthBy FILE result: ACCEPT,
> Wed Aug 3 17:15:24 2011: DEBUG: Access accepted for d3126217
> Wed Aug 3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
> Attributes:
> EAP-Message = <3><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Tunnel-Type = 1:VLAN
> Tunnel-Medium-Type = 1:Ether_802
> Tunnel-Private-Group-ID = 1:131
> Login-LAT-Group = "qnet"
>
>
> Regards,
>
> Roel Hoek
> ICT Service Centre
> University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
> Telephone +31 53 489 4598, Fax +31 53 489 2383
> [email protected]; http://www.utwente.nl/icts
>
>
> On 2011-08-02 21:55, Heikki Vatiainen wrote:
>> On 08/02/2011 01:39 PM, Roel Hoek wrote:
>
>> Hello Roel,
>
>>> I changed the config as proposed. The <AuthBy LDAP2> is handled with
>>> success, but the second handler, <AuthBy FILE>, fails again.
>>> (AuthFILE REJECT: No such user: [email protected]
>>> [[email protected]])
>>> EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and
>>> no handler can be found.
>
>> Can you do the following:
>> o EAPAnonymous %0
>> o Change the PEAP inner Handler to this:
>
>> <Handler Realm=/^(|utwente.test2)$/,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>
>> The change is to allow both the empty realm and utwente.test2.
>
>> Since the first EAP request establishes the identity, the first inner
>> request will be empty. After that, when the identity is known, the realm
>> can be looked up from the identity.
>
>> If you do not want to allow the empty realm, you can add an inner Handler
>> that allows the empty realm and has a (possibly dummy) AuthBy that is
>> willing to do EAP. That will match the identity exchange and your
>> current handler can then take care of the actual authentication.
>
>> Please let us know if this works.
>
>> Thanks!
>
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler
>>> 'Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
>>> Identifier 'PEAP-inner-utwente-test2'
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2:
>>> productieoid-peap
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>> Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
>>> Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>>> Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>>> Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>>> Tue Aug 2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
>>> Tue Aug 2 11:41:05 2011: INFO: Attempting to bind to LDAP server
>>> oid.utwente.nl:389
>>> Tue Aug 2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
>>> Tue Aug 2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
>>> Tue Aug 2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
>>> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with
>>> d3126217 [[email protected]]
>>> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217
>>> [[email protected]]
>>> Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
>>> Success
>>> Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP
>>> V2 Challenge: Success
>>> Tue Aug 2 11:41:05 2011: DEBUG: Access challenged for
>>> [email protected]: EAP MSCHAP V2 Challenge: Success
>>> Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code: Access-Challenge
>>> .
>>> .
>>> .
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
>>> Attributes:
>>> EAP-Message = <2><2><0><6><26><3>
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> NAS-IP-Address = 172.31.178.10
>>> NAS-Identifier = "wlc-1"
>>> NAS-Port = 13
>>> Calling-Station-Id = "00271026a434"
>>> User-Name = "[email protected]"
>>>
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler
>>> 'Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
>>> Identifier 'PEAP-inner-utwente-test2'
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2:
>>> productieoid-peap
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
>>> Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
>>> Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 0,
>>> Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>> Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE:
>>> add-vlan-attributes
>>> Tue Aug 2 11:41:05 2011: DEBUG: Reading users file
>>> /etc/radiator//users-wlan-peap_v3
>>> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with
>>> [email protected] [[email protected]]
>>> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user:
>>> [email protected] [[email protected]]
>>> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with
>>> DEFAULT [[email protected]]
>>> Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT
>>> [[email protected]]
>>> Tue Aug 2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
>>> Tue Aug 2 11:41:05 2011: DEBUG: Access accepted for [email protected]
>>> Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code: Access-Accept
>>>
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>> # WLAN (utwente.test2) inner authentication (PEAP)
>>> #
>>> <Handler Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>     AuthByPolicy ContinueWhileAccept
>>>     AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>     <AuthBy LDAP2>
>>>         Identifier productieoid-peap
>>>         EAPType MSCHAP-V2
>>>         # Rest of the config
>>>         Version 2
>>>         Host <.>
>>>         BindAddress <.>
>>>         FailureBackoffTime 10
>>>         AuthDN <.>
>>>         AuthPassword <.>
>>>         BaseDN <.>
>>>         RcryptKey <.>
>>>         RewriteUsername s/^([^@]+).*/$1/
>>>         RewriteUsername s/^\s*//
>>>         RewriteUsername s/\s*$//
>>>         UsernameAttr <.>
>>>         PasswordAttr <.>
>>>         AuthAttrDef orclisenabled, OIDactive, request
>>>     </AuthBy>
>>>
>>>     <AuthBy FILE>
>>>         Identifier add-vlan-attributes
>>>         Filename %D/users-wlan-peap_v3
>>>         NoCheckPassword
>>>         NoEAP
>>>     </AuthBy>
>>>     AuthLog authlogging-wlan-peap
>>>     Identifier PEAP-inner-utwente-test2
>>>     Description WLAN
>>>     AuthLog authlogging-tent
>>>
>>> </Handler>
>>> -----------------------------------------------------------------------------------------------------------------
>>> users-wlan-peap_v3:
>>>
>>> DEFAULT
>>>     Tunnel-Type = 1:VLAN,
>>>     Tunnel-Medium-Type = 1:Ether_802,
>>>     Tunnel-Private-Group-ID = 1:125
>>>
>>> d3126217
>>>     Tunnel-Type = 1:VLAN,
>>>     Tunnel-Medium-Type = 1:Ether_802,
>>>     Tunnel-Private-Group-ID = 1:131,
>>>     Login-LAT-Group = "qnet"
>>>
>>> .
>>> .
>>> .
>>>
>>>
>>> On 2011-08-01 22:42, Heikki Vatiainen wrote:
>>>> On 08/01/2011 02:44 PM, Roel Hoek wrote:
>>>
>>>> Hello Roel,
>>>
>>>>> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2.
>>>>> Now, indeed, the user-name/identity is found in the users-file, and is
>>>>> found in the LDAP-server, but now it failed on EAP MSCHAP V2 (no
>>>>> such user???)
>>>
>>>> Hmm, I was able to recreate this with two simple AuthBy FILEs too.
>>>> However, I did not dig deeper to see why it fails.
>>>
>>>>> This has, I think, something to do with mschapv2 needing the whole
>>>>> username including the realm for challenge and response. This works
>>>>> with 'NoEAP', but not with EAPType MSCHAP-V2.
>>>
>>>> Can you restructure your configuration a little. The restructure would
>>>> put two AuthBys into the PEAP inner Handler. The first does EAP and is
>>>> the LDAP check, while the second gets the attributes from the file after
>>>> a successful LDAP check.
>>>
>>>> Something like this should do it:
>>>
>>>> # WLAN (utwente.test2) inner authentication (PEAP)
>>>> #
>>>> <Handler Realm=utwente.test2,
>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>     AuthByPolicy ContinueWhileAccept
>>>>     <AuthBy LDAP2>
>>>>         Identifier productieoid-peap
>>>>         EAPType MSCHAP-V2
>>>>         # Rest of the config
>>>>     </AuthBy>
>>>>     <AuthBy FILE>
>>>>         Identifier add-vlan-attributes
>>>>         Filename %D/users-wlan-peap
>>>>         NoCheckPassword
>>>>         NoEAP
>>>>     </AuthBy>
>>>
>>>>     # Rest of the Handler
>>>> </Handler>
>>>
>>>> The file users-wlan-peap would be the same as currently but without the
>>>> Auth-Type check items:
>>>
>>>> d3126217
>>>>     Tunnel-Type = 1:VLAN,
>>>>     Tunnel-Medium-Type = 1:Ether_802,
>>>>     Tunnel-Private-Group-ID = 1:131,
>>>>     Login-LAT-Group = "qnet"
>>>
>>>> # Rest of users-wlan-peap
>>>
>>>> This should still collect the user-specific VLAN attributes but
>>>> otherwise do the authentication the same for all users.
>>>
>>>> Please let us know how this works.
>>>
>>>> Thanks!
>>>> Heikki
>>>
>>>
>>>>> Code: Access-Request
>>>>> Identifier: UNDEF
>>>>> Authentic: <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
>>>>> Attributes:
>>>>> EAP-Message =
>>>>> <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
>>>>> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>[email protected]
>>>>> Message-Authenticator =
>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>> NAS-IP-Address = 172.31.178.10
>>>>> NAS-Identifier = "wlc-1"
>>>>> NAS-Port = 13
>>>>> Calling-Station-Id = "00271026a434"
>>>>> User-Name = "[email protected]"
>>>>>
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling request with Handler
>>>>> 'Realm=utwente.test2,
>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1',
>>>>> Identifier 'PEAP-inner-utwente-test2'
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Reading users file
>>>>> /etc/radiator//users-wlan-peap
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with
>>>>> d3126217 [[email protected]]
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2:
>>>>> productieoid-peap
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug 1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
>>>>> Mon Aug 1 12:15:31 2011: INFO: Attempting to bind to LDAP server
>>>>> oid.utwente.nl:389
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217,
>>>>> ou=Employees, cn=Users, o=university of twente,c=nl
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla
>>>>> bla
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with
>>>>> d3126217 [[email protected]]
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217
>>>>> [[email protected]]
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
>>>>> Success
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP
>>>>> V2 Challenge: Success: d3126217 [[email protected]]
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
>>>>> such user d3126217
>>>>> Mon Aug 1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP
>>>>> V2 failed: no such user d3126217
>>>>> Mon Aug 1 12:15:31 2011: INFO: Access rejected for
>>>>> [email protected]: EAP MSCHAP V2 failed: no such user d3126217
>>>>> Mon Aug 1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>>>> Code: Access-Reject
>>>>>
>>>>>
>>>>> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>>>>>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
>>>>>
>>>>>>> Thanks for your comment. Although it did not work.
>>>>>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can
>>>>>>> be found.
>>>>>
>>>>>> Unfortunately that's true. Taking another look at the configuration, the
>>>>>> reason for this is the NoEAP option. Since EAP is not run for the inner
>>>>>> authentication, the EAP identity will not be available.
>>>>>
>>>>>> Going back to your original configuration, would replacing "NoEAP" with
>>>>>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
>>>>>
>>>>>> Thanks!
>>>>>> Heikki
>>>>>
>>>>>
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler
>>>>>>> 'Realm=/utwente.test|utwente.test2/,
>>>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request
>>>>>>> for
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>>>>>> Code: Access-Request
>>>>>>> Identifier: UNDEF
>>>>>>> Authentic:
>>>>>>> <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>>>>>> Attributes:
>>>>>>> EAP-Message = <2><0><0><27><1>[email protected]
>>>>>>> Message-Authenticator =
>>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>> NAS-IP-Address = 172.31.178.10
>>>>>>> NAS-Identifier = "wlc-1"
>>>>>>> NAS-Port = 13
>>>>>>> Calling-Station-Id = "00271026a434"
>>>>>>> User-Name = ""
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP
>>>>>>> inner authentication
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler
>>>>>>> for PEAP inner authentication
>>>>>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for
>>>>>>> [email protected]: No Handler for PEAP inner authentication
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>>>>>> *** Sending to 172.31.178.10 port 32770 ....
>>>>>>> Code: Access-Reject
>>>>>>>
>>>>>>> -------------------------------------------------------------------
>>>>>>> <Handler Realm=utwente.test2,
>>>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>>>>     AuthByPolicy ContinueWhileReject
>>>>>>>     AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>>>>>     <AuthBy FILE>
>>>>>>>         RewriteUsername s/^([^@]+).*/$1/
>>>>>>>         RewriteUsername s/^\s*//
>>>>>>>         RewriteUsername s/\s*$//
>>>>>>>         Filename %D/users-wlan-peap
>>>>>>>         NoEAP
>>>>>>>     </AuthBy>
>>>>>>>     AuthLog authlogging-wlan-peap
>>>>>>>     Identifier PEAP-inner-utwente-test2
>>>>>>>     Description WLAN
>>>>>>>     AuthLog authlogging-tent
>>>>>>> </Handler>
>>>>>>>
>>>>>>> <Handler Realm=/utwente.test|utwente.test2/,
>>>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>>>>>     <AuthBy FILE>
>>>>>>>         EAPType TTLS,PEAP
>>>>>>>         EAPTLS_CAFile
>>>>>>>         EAPTLS_CertificateFile
>>>>>>>         EAPTLS_CertificateType PEM
>>>>>>>         EAPTLS_PrivateKeyFile
>>>>>>>         EAPTLS_PrivateKeyPassword
>>>>>>>         EAPTLS_MaxFragmentSize 1024
>>>>>>>         EAPTLS_SessionResumption 0
>>>>>>>         AutoMPPEKeys
>>>>>>>         EAPTLS_PEAPBrokenV1Label
>>>>>>>         EAPTTLS_NoAckRequired
>>>>>>>         # %U (and %u (with realm)) are the inner-auth username for PEAP
>>>>>>>         #EAPAnonymous %u
>>>>>>>         EAPAnonymous %0
>>>>>>>     </AuthBy>
>>>>>>>     AuthLog authlogging-wlan
>>>>>>>     Identifier WLAN-OUTER-TEST
>>>>>>>     Description WLAN
>>>>>>>     AuthLog authlogging-tent
>>>>>>> </Handler>
>>>>>>>
>>>>>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>>>>>
>>>>>>>> Hello Roel,
>>>>>>>
>>>>>>>>> We experience a problem with a handler for authenticating
>>>>>>>>> wireless-lan users. AuthBy-File for PEAP-mschapV2 cannot match a
>>>>>>>>> user if
>>>>>>>>> the outer and inner identity are not equal (normal situation).
>>>>>>>>> It looks like the userfile is searched by the outer-identity,
>>>>>>>>> although the inner-identity is used for authentication via LDAP.
>>>>>>>
>>>>>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>>>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>>>>>
>>>>>>>> Your inner Handler has an AuthBy FILE clause with NoEAP. Radiator will
>>>>>>>> then use the User-Name attribute instead of the EAP Identity to do the
>>>>>>>> authentication.
>>>>>>>
>>>>>>>> With EAPAnonymous you can set the inner request User-Name to the same
>>>>>>>> as the EAP Identity.
>>>>>>>
>>>>>>>> Please let us know if this works for you.
>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Heikki

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER
etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
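The identity handling this thread converges on (an inner User-Name that carries a realm, a Realm=/^$/ Handler for the empty identity exchange, RewriteUsername rules that strip the realm before the AuthBy FILE lookup, and a DEFAULT entry that otherwise catches everything) can be checked offline. The Python script below is an added example written for this page; it is not Radiator code and not from either of the thread's authors. It models first-match Handler selection on the realm of the inner User-Name, Perl-style RewriteUsername rules, and a users file with reply items, then runs the Aug 2 and Aug 3 configurations against the same inputs. Everything in it is constructed: the user names, realms and Handler identifiers follow the thread, the identity d3126217@utwente.test2 is a sample chosen to match the log's "Rewrote user name to d3126217" (the addresses in the archived log are obfuscated), and the rules it encodes (first matching Handler wins, the realm is the text after the last '@', DEFAULT is the fallback entry) are assumptions about Radiator's behaviour, not verified against its source.

```python
"""Model of the Radiator inner-Handler behaviour discussed in this thread.

Added example, not Radiator code. It simulates first-match Handler selection
on the Realm of the inner User-Name, RewriteUsername rules in Perl s/// form,
and an AuthBy FILE users file with DEFAULT fallback. All data is constructed.
"""
import re

# Constructed copy of users-wlan-peap_v3 as posted in the thread.
USERS_FILE = """\
DEFAULT
\tTunnel-Type = 1:VLAN,
\tTunnel-Medium-Type = 1:Ether_802,
\tTunnel-Private-Group-ID = 1:125

d3126217
\tTunnel-Type = 1:VLAN,
\tTunnel-Medium-Type = 1:Ether_802,
\tTunnel-Private-Group-ID = 1:131,
\tLogin-LAT-Group = "qnet"
"""

# The three RewriteUsername lines from the thread, in Radiator's Perl syntax.
STRIP_REALM = [r"s/^([^@]+).*/$1/", r"s/^\s*//", r"s/\s*$//"]

# Handler tables: (Identifier, Realm spec, rewrites applied before the FILE
# lookup). A spec written /.../ is a regex, anything else a literal realm.
# Aug 2: rewrites lived inside AuthBy LDAP2 only, so AuthBy FILE saw the full
# identity. Aug 3: Handler-level rewrites plus an extra empty-realm Handler.
HANDLERS_AUG02 = [("PEAP-inner-utwente-test2", "utwente.test2", [])]
HANDLERS_AUG03 = [
    ("PEAP-inner-without-realm", "/^$/", []),
    ("PEAP-inner-utwente-test2", "utwente.test2", STRIP_REALM),
]

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^",]*)"?\s*,?\s*$')
REWRITE_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([gi]*)")


def parse_users_file(text):
    """Return {name: {attr: value}}. A non-indented line starts an entry;
    indented lines carry one reply item each, trailing comma optional."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":
            current = entries.setdefault(line.split()[0], {})
            continue
        m = ATTR_RE.match(line)
        if m is None or current is None:
            raise ValueError("bad users-file line: %r" % line)
        current[m.group(1)] = m.group(2)
    return entries


def compile_rewrite(rule):
    """Map 's/pattern/replacement/flags' to (regex, python repl, count)."""
    m = REWRITE_RE.fullmatch(rule)
    if m is None:
        raise ValueError("unsupported RewriteUsername rule: %r" % rule)
    pattern, repl, flags = m.groups()
    repl = re.sub(r"\$(\d+)", r"\\\1", repl)  # Perl $1 -> Python \1
    regex = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    return regex, repl, 0 if "g" in flags else 1


def rewrite_username(name, rules):
    """Apply the rules in order; Radiator logs one 'Rewrote user name' each."""
    for regex, repl, count in map(compile_rewrite, rules):
        name = regex.sub(repl, name, count=count)
    return name


def realm_of(identity):
    """Assumed: the realm is the text after the last '@', '' if there is none."""
    return identity.rpartition("@")[2] if "@" in identity else ""


def realm_matches(spec, realm):
    if len(spec) >= 2 and spec[0] == spec[-1] == "/":
        return re.search(spec[1:-1], realm) is not None
    return spec == realm


def select_handler(identity, handlers):
    """First Handler whose Realm matches, or None (the 'No Handler' reject)."""
    realm = realm_of(identity)
    for ident, spec, rules in handlers:
        if realm_matches(spec, realm):
            return ident, rules
    return None, []


def authorize(identity, handlers=HANDLERS_AUG03, users_text=USERS_FILE):
    """Pick the Handler, rewrite the name, do the AuthBy FILE lookup and
    report which users entry (per-user or DEFAULT) supplied the VLAN."""
    handler, rules = select_handler(identity, handlers)
    result = {"handler": handler, "user": None, "entry": None, "vlan": None}
    if handler is None:
        return result
    users = parse_users_file(users_text)
    name = rewrite_username(identity, rules)
    entry = name if name in users else ("DEFAULT" if "DEFAULT" in users else None)
    result.update(user=name, entry=entry)
    if entry is not None:
        result["vlan"] = users[entry].get("Tunnel-Private-Group-ID", "").split(":")[-1] or None
    return result


if __name__ == "__main__":
    # Constructed identity; the thread's log rewrites it to d3126217.
    for label, table in (("Aug 2", HANDLERS_AUG02), ("Aug 3", HANDLERS_AUG03)):
        for identity in ("d3126217@utwente.test2", "", "d3126217"):
            print(label, repr(identity), authorize(identity, table))
```

What the run makes visible is the part the Aug 2 log only hints at: because the attribute file has a DEFAULT entry, a failed per-user match does not reject, it silently hands out the fallback VLAN 125 instead of 131, so the realm mismatch looked like a successful authentication. Heikki's caveat about the extra Handler also shows up in the same run: an inner identity with no @realm at all is routed to PEAP-inner-without-realm, so, as he says, the whole authentication for such a user is done by that Handler and not by the utwente.test2 one.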
