Not sure if this is normal behavior or not, as I am a bit new to
Radiator; however, it seems odd to me. Maybe someone can explain it or
point out what I might be doing wrong?
I am configuring a Radiator server (tried with both 4.15 & 4.16) to provide
authentication for wireless, and most things have gone well. However I
have come across something that doesn't seem quite right. If I only have
handlers for the inner authentication that have a regex to match realms,
Radiator doesn't seem to parse the request packet properly.
If I include "generic" inner authentication handlers (which don't get
used), then the handlers with the regex work just fine.
Here is my working configuration:
Foreground
LogStdout
DbDir /etc/radiator
LogDir .
DictionaryFile %D/dictionary
Trace 4
AuthPort 1812
AcctPort 1813
include %D/clients.cfg
DisabledRuntimeChecks CVE-2014-0160
<AuthBy NTLM>
Identifier NTLM_MSCHAP_NoRealm
UsernameMatchesWithoutRealm
EAPType MSCHAP-V2
</AuthBy>
<AuthBy FILE>
Identifier FILE_OuterRequests
Filename %D/dot1x_anon
EAPType TTLS PEAP
EAPAnonymous %0
EAPTLS_CAFile %D/certificates/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_PEAPVersion 0
EAPTTLS_NoAckRequired
AutoMPPEKeys
EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4
</AuthBy>
<Handler TunnelledByTTLS=1, Realm=/iit\.edu$/i>
Identifier TTLS_INNER_IITdEDU
AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByPEAP=1, Realm=/iit\.edu$/i>
Identifier PEAP_INNER_IITdEDU
AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByTTLS=1>
Identifier TTLS_INNER_GENERIC
AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByPEAP=1>
Identifier PEAP_INNER_GENERIC
AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler Realm=/^$/>
Identifier NO_REALM
AccountingHandled
StripFromReply Reply-Message
AddToReply Reply-Message="Misconfigured client: empty realm!"
</Handler>
<Handler Realm=/iit\.edu$/i>
Identifier EAP_OUTER_IITdEDU
AuthBy FILE_OuterRequests
</Handler>
This works as expected for "[email protected]" with the outer authentication
being handled by the "EAP_OUTER_IITdEDU" and the inner authentication
using "[TTLS|PEAP]_INNER_IITdEDU" correctly depending on client
configuration.
However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
and associated statements (i.e. no other changes to client config or
anywhere else) and restart Radiator, "[email protected]" no longer matches
the regex and the inner request is then caught by "NO_REALM". Here is
the debug from a request where things stop working as expected (I think
the key is that in the packet dump, the username is in the "EAP-Message"
field and not the "User-Name" field):
Tue Feb 9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/iit\.edu$/i', Identifier 'EAP_OUTER_IITdEDU'
Tue Feb 9 23:21:42 2016: DEBUG: Deleting session for
[email protected], 192.168.50.70, 14337
Tue Feb 9 23:21:42 2016: DEBUG: Handling with Radius::AuthFILE:
FILE_OuterRequests
Tue Feb 9 23:21:42 2016: DEBUG: Handling with EAP: code 2, 5, 63, 21
Tue Feb 9 23:21:42 2016: DEBUG: Response type 21
Tue Feb 9 23:21:42 2016: DEBUG: EAP TTLS data, 3, 5, 4
Tue Feb 9 23:21:42 2016: DEBUG: EAP TTLS inner authentication request for
Tue Feb 9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
EAP-Message = <2><0><0><18><1>[email protected]
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = ""
Tue Feb 9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/^$/', Identifier 'NO_REALM'
Tue Feb 9 23:21:42 2016: DEBUG: Deleting session for , 192.168.50.70,
Tue Feb 9 23:21:42 2016: INFO: Access rejected for : No AuthBy found
Tue Feb 9 23:21:42 2016: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
Reply-Message = "Misconfigured client: empty realm!"
Tue Feb 9 23:21:42 2016: DEBUG: EAP Failure, elapsed time 0.135382
Tue Feb 9 23:21:42 2016: DEBUG: EAP result: 1, EAP TTLS inner
authentication redispatched to a Handler
Tue Feb 9 23:21:42 2016: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
inner authentication redispatched to a Handler
Tue Feb 9 23:21:42 2016: INFO: Access rejected for [email protected]:
EAP TTLS inner authentication redispatched to a Handler
Tue Feb 9 23:21:42 2016: DEBUG: Packet dump:
*** Sending to 192.168.50.70 port 38670 ....
Code: Access-Reject
Identifier: 48
Authentic: <199><166><198><217>p55<139>9?<235>9<167><127><2><147>
Attributes:
EAP-Message = <4><5><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Any help or insight would be appreciated.
--
David Rose
Sr. Network Engineer
Office of Technology Services
Illinois Institute of Technology
(O) 312.567.3249
(F) 312.567.5968
[email protected]
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
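Added example, not code from the original post or from Radiator itself: it decodes an EAP-Message attribute shaped like the one in the tunnelled packet dump above (code 2, id 0, type 1 = Identity) and models a realm regex applied to User-Name so the reader can see why an inner request whose User-Name is "" lands in the Realm=/^$/ handler while the same identity carried inside EAP-Message would have matched /iit\.edu$/i. Assumptions of mine, not stated on this page: handlers are tried in configuration order with the first match winning, the Realm check is evaluated against the User-Name attribute only, and the identity "user@iit.edu" is a constructed stand-in for the poster's redacted username.

```python
"""Decode a RADIUS EAP-Message (EAP Identity response) and model handler
selection by realm regex.  Added illustration; assumptions are marked."""
import re
import struct

# EAP header layout (RFC 3748): Code(1) Identifier(1) Length(2, big-endian),
# followed for Request/Response by Type(1) and type-specific data.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Constructed sample mirroring the dump's <2><0><0><18><1>... shape:
# Response, id 0, length computed, type Identity, identity is a stand-in.
SAMPLE_IDENTITY = b"user@iit.edu"                      # constructed
SAMPLE_EAP_MESSAGE = struct.pack("!BBH", 2, 0, 5 + len(SAMPLE_IDENTITY)) \
    + bytes([EAP_TYPE_IDENTITY]) + SAMPLE_IDENTITY


def parse_eap_message(raw: bytes) -> dict:
    """Decode one EAP packet; raise ValueError rather than trust a bad length."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes on the wire")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                                  # Request / Response
        if len(raw) < 5:
            raise ValueError("EAP Request/Response without Type byte")
        out["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            out["identity"] = raw[5:].decode("utf-8", errors="replace")
    return out


def realm_of(user_name: str) -> str:
    """Realm = text after the last '@'; empty string when there is none."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else ""


# Model of the poster's handler list with the two *_INNER_GENERIC handlers
# commented out.  "check" items are pseudo-attributes that must equal the
# request's value; "realm" is the Realm regex from the Handler line.
HANDLERS = [
    {"identifier": "TTLS_INNER_IITdEDU", "check": {"TunnelledByTTLS": 1},
     "realm": re.compile(r"iit\.edu$", re.IGNORECASE)},
    {"identifier": "PEAP_INNER_IITdEDU", "check": {"TunnelledByPEAP": 1},
     "realm": re.compile(r"iit\.edu$", re.IGNORECASE)},
    {"identifier": "NO_REALM", "check": {}, "realm": re.compile(r"^$")},
    {"identifier": "EAP_OUTER_IITdEDU", "check": {},
     "realm": re.compile(r"iit\.edu$", re.IGNORECASE)},
]


def select_handler(handlers, attrs):
    """ASSUMPTION: first handler in order whose checks and Realm regex all
    match wins; Realm is tested against User-Name only."""
    realm = realm_of(attrs.get("User-Name", ""))
    for h in handlers:
        if any(attrs.get(k) != v for k, v in h["check"].items()):
            continue
        if h["realm"].search(realm):
            return h["identifier"]
    return None


def explain_inner_request(attrs: dict) -> dict:
    """Show the gap: what User-Name selects vs. what the EAP identity would."""
    selected = select_handler(HANDLERS, attrs)
    identity = parse_eap_message(attrs["EAP-Message"]).get("identity", "")
    as_if = dict(attrs, **{"User-Name": identity})
    return {
        "user_name": attrs.get("User-Name", ""),
        "identity_in_eap_message": identity,
        "selected": selected,
        "if_identity_were_user_name": select_handler(HANDLERS, as_if),
    }


if __name__ == "__main__":
    # Inner TTLS request as in the dump: User-Name empty, identity in EAP.
    inner = {"TunnelledByTTLS": 1, "User-Name": "",
             "EAP-Message": SAMPLE_EAP_MESSAGE}
    for k, v in explain_inner_request(inner).items():
        print(f"{k:28} {v}")
```

Running it reproduces the dump's outcome in the model: the empty User-Name yields an empty realm, so the first handler whose regex accepts "" is NO_REALM, while the identity decoded from EAP-Message would have selected TTLS_INNER_IITdEDU. The length check in `parse_eap_message` is the one detail worth keeping in any real decoder: a Length field that disagrees with the bytes actually received should be rejected, not used to slice.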