Hi, we have a problem concerning authentication with PEAP/MSCHAP-V2. We want to use different handlers per realm the user authenticates with. This is the configuration which does not work:
-------------------------------------------------------------------------------------
<AuthBy NTLM>
    Identifier ntlm-wifi2vlan
    Domain KIT
    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
    UsernameMatchesWithoutRealm
    EAPType MSCHAP-V2
</AuthBy>

<AuthBy LDAP2>
    Identifier ldap-ad-kit-eap
    Include %D/server/KIT-DC-01
    BaseDN dc=kit,dc=edu
    Timeout 5
    ServerChecksPassword
    UsernameAttr sAMAccountName
    PasswordAttr
    EAPType PEAP
    EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
    EAPTLS_CertificateFile %D/certificates/server.pem
    EAPTLS_CertificateType PEM
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_PrivateKeyFile %D/certificates/server.key
    EAPTLS_PEAPVersion 0
    EAPTLS_PEAPBrokenV1Label
    AutoMPPEKeys
</AuthBy>

# this does work
# <Handler TunnelledByPEAP=1>
# this does not work
<Handler TunnelledByPEAP=1, Realm=colubris-test>
    Identifier SCC-WLAN-colubris-test
    AuthBy ntlm-wifi2vlan
</Handler>

<Handler NAS-Identifier=colubris-wifi2vlan>
    AuthBy ldap-ad-kit-eap
</Handler>
-------------------------------------------------------------------------------------

In the comments you see that the problem is the check of the realm. I test this with eapol_test:

/usr/bin/eapol_test \
    -N 32:s:colubris-wifi2vlan -c conf.colubris -a xxx.xx.xx.xx -p 1812 -s "xxxxxxxxxxxxxxx"

conf.colubris:

network={
    ssid="wifi2vlantest"
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="scc-netadmin-0001@colubris-test"
    password="xxxxxxxxxxxxxxxxx"
    ca_cert="/etc/ssl/certs/deutsche-telekom-root-ca-2.pem"
    phase2="auth=MSCHAPV2"
    anonymous_identity="qwerty@colubris-test"
}

I added some debug logging in the radiator source. Then I could see that the realm is empty. So if I check for "Realm=" instead of the real realm it works, too. If you need the radiator log file (debug level) just tell. Only two eapol_test attempts (one with the non-working and one with the working configuration) produce an 82K file.

BTW: The same setup with EAP-TTLS/PAP is no problem.
With TTLS I see that the checked realm is the one of the inner identity, which seems reasonable to me. I'm also wondering where User-Name anonymous in the log comes from, as I don't use "anonymous" as anonymous identity here.

Can you help here? I need this because later I have to expand ntlm_auth with --require-membership-of= with a variable group name (though I had to patch radiator for this to work - there will be another email for this :) ).

Thanks in advance
Klara

--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Klara Mall
Netze und Telekommunikation (NET)

Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen

Telefon: +49 721 608-28630
Telefon: +49 721 608-48946
E-Mail: klara.m...@kit.edu
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und nationales Forschungszentrum in der Helmholtz-Gemeinschaft
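To make the symptom in this post concrete, the following is an added example (not part of the post and not Radiator's own code): a small Python model of how a Handler's check items such as TunnelledByPEAP=1, Realm=colubris-test are matched against the attributes of a request. It assumes three things that the post does not confirm: that check items are comma-separated "Attr=value" pairs, that Realm, when not present as an attribute, is whatever follows the last "@" in User-Name (empty when there is none), and that the first matching Handler in configuration order wins. With those assumptions, it reproduces what the post observed: an inner PEAP request whose realm arrives empty matches "Realm=" but not "Realm=colubris-test", while an inner TTLS identity that still carries its realm matches the full check.

```python
"""Model of Handler check-item matching (constructed example, not Radiator's code)."""
from typing import Dict, List, Optional, Tuple

Request = Dict[str, str]


def parse_check_items(clause: str) -> List[Tuple[str, str]]:
    """Split 'TunnelledByPEAP=1, Realm=colubris-test' into (attr, value) pairs.

    Assumed grammar: comma-separated Attr=value items; a bare 'Realm=' yields
    ('Realm', ''), i.e. an explicit check for an empty realm.
    """
    items = []
    for part in clause.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        items.append((attr.strip(), value.strip()))
    return items


def realm_of(user_name: str) -> str:
    """Assumed realm derivation: text after the last '@', '' when absent."""
    _, sep, realm = user_name.rpartition("@")
    return realm if sep else ""


def handler_matches(clause: str, request: Request) -> bool:
    """True when every check item equals the corresponding request attribute."""
    for attr, expected in parse_check_items(clause):
        actual = request.get(attr)
        if actual is None and attr == "Realm":
            # Realm is not a wire attribute; derive it from User-Name (assumption).
            actual = realm_of(request.get("User-Name", ""))
        if (actual or "") != expected:
            return False
    return True


def select_handler(handlers: List[Tuple[str, str]], request: Request) -> Optional[str]:
    """First matching Handler wins (assumed ordering); None means no Handler matched,
    which a RADIUS server should treat as a reject rather than a silent fall-through."""
    for clause, identifier in handlers:
        if handler_matches(clause, request):
            return identifier
    return None


# Constructed requests modelled on the post's eapol_test run.
# The inner PEAP request arrives with the realm already stripped (as observed).
INNER_PEAP_REQUEST: Request = {
    "TunnelledByPEAP": "1",
    "User-Name": "scc-netadmin-0001",
    "NAS-Identifier": "colubris-wifi2vlan",
}
# With TTLS the inner identity still carries its realm (as the post reports).
INNER_TTLS_REQUEST: Request = {
    "TunnelledByTTLS": "1",
    "User-Name": "scc-netadmin-0001@colubris-test",
    "NAS-Identifier": "colubris-wifi2vlan",
}

# Handlers in the order they appear in the post's configuration.
HANDLERS_REALM_CHECK = [
    ("TunnelledByPEAP=1, Realm=colubris-test", "SCC-WLAN-colubris-test"),
    ("NAS-Identifier=colubris-wifi2vlan", "outer-peap-handler"),
]
HANDLERS_EMPTY_REALM = [
    ("TunnelledByPEAP=1, Realm=", "SCC-WLAN-colubris-test"),
    ("NAS-Identifier=colubris-wifi2vlan", "outer-peap-handler"),
]


if __name__ == "__main__":
    print("Realm=colubris-test:", select_handler(HANDLERS_REALM_CHECK, INNER_PEAP_REQUEST))
    print("Realm= (empty):     ", select_handler(HANDLERS_EMPTY_REALM, INNER_PEAP_REQUEST))
    print("TTLS inner realm:   ", realm_of(INNER_TTLS_REQUEST["User-Name"]))
```

The important defensive detail the model makes visible is the fall-through: when the realm check fails on the inner request, the next Handler in order still matches on NAS-Identifier, so the request is not rejected but handed to a different AuthBy than intended. Ordering the more specific tunnelled Handlers first, and checking which Handler actually served the inner request in the debug log, is the check to make after any change to realm-based selection.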