I'm trying to debug a problem with PEAP/MSCHAPv2 authentication against LDAP as part of spinning up eduroam. I've included the relevant Handlers from the configuration below, and the inner authentication part of the (sanitized) log from an attempt to authenticate. Despite the password being correct, the authentication fails.
This configuration works for MSCHAPv2 without PEAP (i.e. using the TunneledByPEAP Handler as the actual handler instead of the PEAP outer handler) if I have the RewriteUsername uncommented. I've tried to stick to the eduroam recipes for Radiator as much as possible, but I'm having trouble getting the MSCHAP auth to use the "username@realm" syntax while having LDAP search on just the username portion to find the user. Any ideas? TIA...

-- 
%%  Christopher A. Bongaarts   %%  [email protected]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab        %%
%%  University of Minnesota    %%  +1 (612) 625-1809          %%

----radiator config excerpt----
<Handler Client-Identifier=WIRELESS, TunnelledByPEAP=1, Realm=/^(.*\.)?umn\.edu$/i>
        # umn.edu - that's us! authenticate locally.
        # MUST PRECEDE outer tunnel handler in the conf file!
        Identifier WIRELESS-IN
        <AuthBy GROUP>
                # Strip the realm from all requests
                # so LDAP will match against the bare username
                #RewriteUsername s/^([^@]+).*/$1/
                # let eap handling fall thru to next levels
                NoEAP
                <AuthBy LDAP2>
                        Host ldapserver-1.tc.umn.edu
                        include %D/ldap-common.cfg
                        AuthAttrDef umnValidUntil, ValidTo, check
                        AuthAttrDef umnValidAfter, ValidFrom, check
                </AuthBy>
                <AuthBy LDAP2>
                        Host ldapserver-2.tc.umn.edu
                        include %D/ldap-common.cfg
                        AuthAttrDef umnValidUntil, ValidTo, check
                        AuthAttrDef umnValidAfter, ValidFrom, check
                </AuthBy>
        </AuthBy>
        AuthLog myauthlog
</Handler>

<Handler Client-Identifier=WIRELESS, Realm=/^(.*\.)?umn\.edu$/i>
        # umn inbound, outer tunnel handler
        Identifier WIRELESS-IN-TUNNEL
        <AuthBy FILE>
                # file containing word "anonymous" less quotes on its own line
                Filename %D/dot1x_anon
                EAPType PEAP
                EAPAnonymous %0
                EAPTLS_CAFile %D/eaptls-cas.crt
                EAPTLS_CertificateChainFile %D/eaptls.crt
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/eaptls.key
                EAPTLS_PEAPBrokenV1Label 1
                EAPTLS_MaxFragmentSize 1024
                AutoMPPEKeys
        </AuthBy>
        AuthLog myauthlog
        AcctLogFileName %L/%Y/wireless_tunnel_detail.%y%m%d
</Handler>

-----file: dot1x_anon-----
anonymous

-----file: ldap-common.cfg-----
AuthDN cn=Radius Manager, ou=Application Services, o=University of Minnesota, c=US
AuthPassword (insert pw here)
BaseDN o=University of Minnesota, c=US
UsernameAttr uid
EncryptedPasswordAttr umnNTPasswordHash
Version 3
# include all attributes needed for authz later
AuthAttrDef umnXythosStatus, X-Xythos-Status, request
AuthAttrDef umnADMemberOf, X-AD-Member, request
# EAP Type settings
EAPType MSCHAP-V2
UsernameMatchesWithoutRealm
# don't bother looking up DEFAULT user if auth fails
NoDefault
# persist connections as long as possible
HoldServerConnection

-----log message for attempted auth----
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Received from 192.168.XX.XX port 20000 ....
Code:       Access-Request
Identifier: 134
Authentic:  <163><211>\<191><27><216><0><162><189><200>4d/Co<219>
Attributes:
        NAS-Port-Id = "AP419/2"
        Calling-Station-Id = "60-67-20-XX-XX-XX"
        Called-Station-Id = "00-0B-0E-XX-XX-XX:Eduroam"
        Service-Type = Framed-User
        User-Name = "[email protected]"
        NAS-Port = 46701
        EAP-Message = <2><8><0>k<25><0><23><3><1><0>`{<163>y<177><239><241><15><179>y<239><30>G<207><230><149><141><144><246>"<208><239><255><175><12><169><154>#U<242>^r<249>)(%<252><214>V<150><174><196><168><191><170>_<20>,<177>,z<215><229>{<153>?<187>B. <191><208><167><142>l<N<221><173>i-><247><133>&<189><12>$<<14><173><211>)n<201><204><21>O#<233>m<201><166><154><0>5<130>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 192.168.XX.XX
        NAS-Identifier = "Trapeze"
        Message-Authenticator = r<18><165>lI<170><144><173>.<205><239><231><209><11>7<232>
Thu Nov 1 16:25:22 2012: DEBUG: Handling request with Handler 'Client-Identifier=WIRELESS, Realm=/^(.*\.)?umn\.edu$/i'
Thu Nov 1 16:25:22 2012: DEBUG: Deleting session for [email protected], 192.168.241.21, 46701
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with EAP: code 2, 8, 107, 25
Thu Nov 1 16:25:22 2012: DEBUG: Response type 25
Thu Nov 1 16:25:22 2012: DEBUG: EAP PEAP inner authentication request for [email protected]
Thu Nov 1 16:25:22 2012: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  ;<231>$D<236> <242><186>D<182><254>=K<219><128>r
Attributes:
        EAP-Message = <2><8><0>B<26><2><8><0>A1<175><9><147><134>NvH<140><191><253>]<194>D<7><229><235><0><0><0><0><0><0><0><0><201><192><223>+<192>$<185>4<20><175><155>H<135>Q<158>O<246><170>~w5Jk<28><0>[email protected]
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "[email protected]"
        NAS-IP-Address = 192.168.241.21
        NAS-Identifier = "Trapeze"
        NAS-Port = 46701
        Calling-Station-Id = "60-67-20-XX-XX-XX"
Thu Nov 1 16:25:22 2012: DEBUG: Handling request with Handler 'Client-Identifier=WIRELESS, TunnelledByPEAP=1, Realm=/^(.*\.)?umn\.edu$/i'
Thu Nov 1 16:25:22 2012: DEBUG: Deleting session for [email protected], 192.168.241.21, 46701
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthGROUP:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthLDAP2:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with EAP: code 2, 8, 66, 26
Thu Nov 1 16:25:22 2012: DEBUG: Response type 26
Thu Nov 1 16:25:22 2012: INFO: Connecting to ldapserver-1.tc.umn.edu:389
Thu Nov 1 16:25:22 2012: INFO: Attempting to bind to LDAP server lde-a.tc.umn.edu:389
Thu Nov 1 16:25:22 2012: DEBUG: LDAP got result for cn=Christopher A Bongaarts-2,ou=People,o=University of Minnesota,c=US
Thu Nov 1 16:25:22 2012: DEBUG: LDAP got umnNTPasswordHash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thu Nov 1 16:25:22 2012: DEBUG: LDAP got umnXythosStatus: A
Thu Nov 1 16:25:22 2012: DEBUG: Radius::AuthLDAP2 looks for match with cab [[email protected]]
Thu Nov 1 16:25:22 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : cab [[email protected]]
Thu Nov 1 16:25:22 2012: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thu Nov 1 16:25:22 2012: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 Authentication failure
Thu Nov 1 16:25:22 2012: INFO: Access rejected for [email protected]: EAP MSCHAP-V2 Authentication failure
Thu Nov 1 16:25:22 2012: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  ;<231>$D<236> <242><186>D<182><254>=K<219><128>r
Attributes:
        EAP-Message = <4><8><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"
Thu Nov 1 16:25:22 2012: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
Thu Nov 1 16:25:22 2012: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
Thu Nov 1 16:25:22 2012: DEBUG: Access challenged for [email protected]: EAP PEAP inner authentication redespatched to a Handler
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Sending to 192.168.XX.XX port 20000 ....
Code:       Access-Challenge
Identifier: 134
Authentic:  <163><211>\<191><27><216><0><162><189><200>4d/Co<219>
Attributes:
        EAP-Message = <1><9><0>+<25><0><23><3><1><0> :<153><245><156><209><27>\v<166>_<212><252>B<182><225>J<221><20><178>}K<148><247>t<183>3WDE<11>F<218>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Received from 192.168.XX.XX port 20000 ....
Code:       Access-Request
Identifier: 135
Authentic:  <231>tVW<234><201>F<219>4[<175><149><163><10><228><6>
Attributes:
        NAS-Port-Id = "AP419/2"
        Calling-Station-Id = "60-67-20-XX-XX-XX"
        Called-Station-Id = "00-0B-0E-XX-XX-XX:Eduroam"
        Service-Type = Framed-User
        User-Name = "[email protected]"
        NAS-Port = 46701
        EAP-Message = <2><9><0>+<25><0><23><3><1><0> <177>7<189>:/<2>c:<244><137><177><190><241><21><140>,<216><188><127>1W><217><127>bN<181><149><215><20><23>u
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 192.168.XX.XX
        NAS-Identifier = "Trapeze"
        Message-Authenticator = A?<170><182><216>e<212>s_y<151>i|9<19>~
Thu Nov 1 16:25:22 2012: DEBUG: Handling request with Handler 'Client-Identifier=WIRELESS, Realm=/^(.*\.)?umn\.edu$/i'
Thu Nov 1 16:25:22 2012: DEBUG: Deleting session for [email protected], 192.168.241.21, 46701
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with EAP: code 2, 9, 43, 25
Thu Nov 1 16:25:22 2012: DEBUG: Response type 25
Thu Nov 1 16:25:22 2012: DEBUG: EAP result: 1, PEAP Authentication Failure
Thu Nov 1 16:25:22 2012: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
Thu Nov 1 16:25:22 2012: INFO: Access rejected for [email protected]: PEAP Authentication Failure
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Sending to 192.168.XX.XX port 20000 ....
Code:       Access-Reject
Identifier: 135
Authentic:  <231>tVW<234><201>F<219>4[<175><149><163><10><228><6>
Attributes:
        EAP-Message = <4><9><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"
-----end of log-----

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
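An added Python example (not part of the original post and not Radiator's own code) showing why the exact User-Name string matters to an MSCHAPv2 check even after LDAP has found the user: RFC 2759 feeds UserName into ChallengeHash, which the NT-Response is computed over, so the server must verify with the same form of the name the supplicant used, whatever key the directory lookup needs. It reproduces the Realm selector and the commented-out RewriteUsername from the config above; the 16-byte challenges and the sample identities are constructed values.

```python
import hashlib
import re

# Selector and rewrite taken from the posted Radiator config
REALM_RE = re.compile(r'^(.*\.)?umn\.edu$', re.IGNORECASE)  # Realm=/^(.*\.)?umn\.edu$/i
REWRITE_RE = re.compile(r'^([^@]+).*')                      # RewriteUsername s/^([^@]+).*/$1/

# Constructed sample challenges (16 bytes each, as in RFC 2759)
PEER_CHALLENGE = bytes(range(0x10))
AUTH_CHALLENGE = bytes(range(0x10, 0x20))


def split_identity(user_name):
    """Split a RADIUS User-Name into (user, realm); realm is '' when absent."""
    user, _, realm = user_name.partition('@')
    return user, realm


def handler_matches(user_name):
    """Would the Realm=/^(.*\\.)?umn\\.edu$/i Handler select this request?"""
    _, realm = split_identity(user_name)
    return REALM_RE.match(realm) is not None


def rewrite_username(user_name):
    """Effect of the (commented-out) RewriteUsername: keep only the bare user part."""
    return REWRITE_RE.sub(r'\1', user_name)


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    The NT-Response is computed over this 8-byte value, so it depends on the
    exact UserName string, realm included or not."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode('ascii')).digest()
    return digest[:8]


def names_disagree(user_name):
    """True when verifying with the rewritten (bare) name would use a different
    challenge hash than the one the supplicant derived from the full user_name."""
    bare = rewrite_username(user_name)
    return (bare != user_name and
            challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, bare)
            != challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, user_name))


if __name__ == '__main__':
    # Constructed sample identities; 'cab' and the umn.edu realm come from the post
    for name in ('cab@umn.edu', 'cab@tc.umn.edu', 'cab', 'cab@example.org'):
        print(name, 'handler:', handler_matches(name),
              'lookup key:', rewrite_username(name),
              'hash differs after rewrite:', names_disagree(name))
```

The lookup key (bare uid) and the name used in the challenge hash are two separate decisions; the example makes that split explicit.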
