On 08/19/2011 02:06 PM, Richard Dunne wrote:
Hello Richard,
> I have added the RewriteUsername s/^([^@]+).*/$1/ which does remove the
> linux.com realm. But still, even with this and the correct password, I get a
> failure.
You need to change the config to support EAP-TTLS with PAP. When you
need to use a non-plaintext password store, such as /etc/shadow in Linux,
you cannot use EAP-MSCHAP-V2, because EAP-MSCHAP-V2 also uses
non-plaintext passwords. In other words, the two ends of the authentication
process cannot use differently hashed passwords.
<Handler TunnelledByTTLS=1, Realm=linux.com>
    <AuthBy PAM>
        Service passwd
        UsernameMatchesWithoutRealm
        AddToReply Extreme-Netlogin-Vlan = cccc
    </AuthBy>
</Handler>
The tunnelling protocol is now TTLS and there's no need for EAPType anymore.
Fortunately Linux clients seem to support TTLS/PAP so this should be
possible. Both inner and outer identities should have @linux.com for
this configuration to work.
Note that TTLS/PAP is not the only protocol that supports plain text
tunnelled passwords, but it's widely available with Linux clients.
Thanks!
Heikki
> Fri Aug 19 11:35:56 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, Realm=linux.com'
>
> Fri Aug 19 11:35:56 2011: DEBUG: Rewrote user name to root
>
> Fri Aug 19 11:35:56 2011: DEBUG: Deleting session for [email protected],
> 172.30.3.251,
>
> Fri Aug 19 11:35:56 2011: DEBUG: Handling with PAM service passwd
>
> Fri Aug 19 11:35:56 2011: DEBUG: PAM is asking for 1: 'Password'
>
> Fri Aug 19 11:35:59 2011: DEBUG: AuthBy PAM result: REJECT, Authentication
> failure:
>
> Fri Aug 19 11:35:59 2011: INFO: Access rejected for root: Authentication
> failure:
>
> Fri Aug 19 11:35:59 2011: DEBUG: Returned PEAP tunnelled packet dump:
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Richard Dunne
> Sent: 19 August 2011 11:05
> To: 'Heikki Vatiainen'
> Cc: [email protected]
> Subject: [RADIATOR] changing from auth by file to auth by pam
>
> Hello all
>
> I'm having a problem moving from Auth by FILE to PAM
>
> The handler is <Handler TunnelledByPEAP=1, Realm=linux.com>
>
> <AuthBy FILE>
>
> Filename %D/users
>
> #Service passwd
>
> UsernameMatchesWithoutRealm
>
> AddToReply Extreme-Netlogin-Vlan = cccc
>
> EAPType MSCHAP-V2
>
> </AuthBy>
>
> </Handler>
>
> Works perfectly and gives the following, rewriting the username to pat, which
> is perfect
>
> Fri Aug 19 11:13:31 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, Realm=linux.com'
>
> Fri Aug 19 11:13:31 2011: DEBUG: Deleting session for [email protected],
> 172.30.3.251,
>
> Fri Aug 19 11:13:31 2011: DEBUG: Handling with Radius::AuthFILE:
>
> Fri Aug 19 11:13:31 2011: DEBUG: Handling with EAP: code 2, 233, 68, 26
>
> Fri Aug 19 11:13:31 2011: DEBUG: Response type 26
>
> Fri Aug 19 11:13:31 2011: DEBUG: Reading users file ./users
>
> Fri Aug 19 11:13:31 2011: DEBUG: Radius::AuthFILE looks for match with pat
> [[email protected]]
>
> Fri Aug 19 11:13:31 2011: DEBUG: Radius::AuthFILE REJECT: No such user: pat
> [[email protected]]
>
> Fri Aug 19 11:13:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
> such user pat
>
> Fri Aug 19 11:13:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2
> failed: no such user pat
>
> Fri Aug 19 11:13:31 2011: INFO: Access rejected for [email protected]: EAP
> MSCHAP V2 failed: no such user pat
>
> Fri Aug 19 11:13:31 2011: DEBUG: Returned PEAP tunnelled packet dump:
>
> When I change it to auth by PAM
>
> Handler becomes
>
> The handler is <Handler TunnelledByPEAP=1, Realm=linux.com>
>
> <AuthBy PAM>
>
> Service passwd
>
> UsernameMatchesWithoutRealm
>
> AddToReply Extreme-Netlogin-Vlan = cccccccccccccc
>
> EAPType MSCHAP-V2
>
> </AuthBy>
>
> </Handler>
>
> I get an error which is using the full username [email protected]. I need the
> @linux.com removed
>
> Fri Aug 19 11:25:21 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, Realm=linux.com'
>
> Fri Aug 19 11:25:21 2011: DEBUG: Deleting session for [email protected],
> 172.30.3.251,
>
> Fri Aug 19 11:25:21 2011: DEBUG: Handling with PAM service login
>
> Fri Aug 19 11:25:21 2011: DEBUG: PAM is asking for 1: 'Password'
>
> Fri Aug 19 11:25:23 2011: DEBUG: AuthBy PAM result: REJECT, User not known
> to the underlying authentication module:
>
> Fri Aug 19 11:25:23 2011: INFO: Access rejected for [email protected]: User not
> known to the underlying authentication module:
>
> Fri Aug 19 11:25:23 2011: DEBUG: Returned PEAP tunnelled packet dump:
>
> I'm using the UsernameMatchesWithoutRealm and some regexp rewrite, but the
> damn @linux won't go away.
>
> Any ideas?
>
> Regards Richard
>
> This message has been scanned for content and viruses by the DIT Information
> Services E-Mail Scanning Service, and is believed to be clean.
> http://www.dit.ie
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.