[RADIATOR] EAP-SIM Authentication

2011-08-21 Thread M P

Hello all,

In an EAP-SIM based authentication, when Radiator receives an
Access-Request, which attributes do the mobile number and the IMSI belong to?

Regards,

Marvin
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment

2011-08-21 Thread Martin Burton
Hi Elias,

I notice that you don't explicitly specify the interface id as a string
on your user profile. It might be worth enclosing the interface id
within quotes within your user profile (i.e. Framed-Interface-Id =
"10:1:1:1") as that might provoke your NAS to do the right thing.  Your
mileage might vary, but I've come across a few NASs that have
ill-defined or buggy dictionary logic and don't treat strings as
strings.  In one case I seem to recall having to use escapes to ensure
that the quotes appeared in the reply (e.g. Some-Attr = "\"string\"").

HTH.

Cheers,

Martin

On 21/08/2011 17:19, Elias wrote:
> Thanks Martin. Our NAS is always assigning this value as
> 3130:3a31:3a31:3a31 (using the Hex representation as you pointed out)
> instead of 10:1:1:1. Will check with our NAS vendor then. Thanks!
> 
> 
> On 08/21/2011 11:45 PM, Martin Burton wrote:
>> On 21/08/2011 15:21, Elias wrote:
>>> AVP: l=10  t=Framed-Interface-Id(96): 31303a313a313a31
>> That's just the raw hex representation of the ASCII string
>>
>> 31 = 1
>> 30 = 0
>> 3a = :
>>
>> so, 10:1:1:1 as expected.

-- 
Martin Burton
Senior Systems Administrator
Special Projects Team
Wellcome Trust Sanger Institute
http://www.sanger.ac.uk

Re: [RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment

2011-08-21 Thread Elias
Thanks Martin. Our NAS is always assigning this value as
3130:3a31:3a31:3a31 (using the Hex representation as you pointed out)
instead of 10:1:1:1. Will check with our NAS vendor then. Thanks!

On 08/21/2011 11:45 PM, Martin Burton wrote:
> On 21/08/2011 15:21, Elias wrote:
>> AVP: l=10  t=Framed-Interface-Id(96): 31303a313a313a31
>
> That's just the raw hex representation of the ASCII string
>
> 31 = 1
> 30 = 0
> 3a = :
>
> so, 10:1:1:1 as expected.

Re: [RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment

2011-08-21 Thread Martin Burton


On 21/08/2011 15:21, Elias wrote:
> AVP: l=10  t=Framed-Interface-Id(96): 31303a313a313a31

That's just the raw hex representation of the ASCII string

31 = 1
30 = 0
3a = :

so, 10:1:1:1 as expected.


-- 
Martin Burton
Senior Systems Administrator
Special Projects Team
Wellcome Trust Sanger Institute
http://www.sanger.ac.uk

[RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment

2011-08-21 Thread Elias

Hi,

We're trying to use the attribute Framed-Interface-Id but the allocation 
always fails. The output from RADIATOR shows the correct Id being 
assigned, but a packet trace shows otherwise. How can we properly assign 
this attribute?


[root@radtest radiator]# ./radpwtst -user dual_stack06@v6test -password ds06 -s 10.56.254.100 -noacct -trace

Sun Aug 21 11:46:04 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Sun Aug 21 11:46:04 2011: DEBUG: Packet dump:
..
Sun Aug 21 11:46:04 2011: DEBUG: Packet dump:
*** Received from 10.56.254.100 port 1645 
Code:   Access-Accept
Identifier: 154
Authentic:  w<131><210><189>7<255><217>\<158><148>Y<173><246><28><177><142>
Attributes:
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Unisphere-Virtual-Router = "HOME"
*Framed-Interface-Id = "10:1:1:1"*
Framed-IPv6-Prefix = 1000::/64


### Packet capture ###
Frame 3: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 
00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 10.56.254.100 (10.56.254.100), Dst: 
10.56.254.100 (10.56.254.100)

User Datagram Protocol, Src Port: 45988 (45988), Dst Port: sightline (1645)
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x85 (133)
Length: 119
Authenticator: 7d76375e8e182997f9c7c5ae3ba7ce83
[The response to this request is in frame 4]
Attribute Value Pairs
AVP: l=21  t=User-Name(1): dual_stack06@v6test
AVP: l=6  t=Service-Type(6): Framed(2)
AVP: l=6  t=NAS-IP-Address(4): 203.63.154.1
AVP: l=14  t=NAS-Identifier(32): 203.63.154.1
AVP: l=6  t=NAS-Port(5): 1234
AVP: l=11  t=Called-Station-Id(30): 123456789
AVP: l=11  t=Calling-Station-Id(31): 987654321
AVP: l=6  t=NAS-Port-Type(61): Async(0)
AVP: l=18  t=User-Password(2): Encrypted

No.  Time      Source          Destination     Protocol  Info
  4  6.139346  10.56.254.100   10.56.254.100   RADIUS    Access-Accept(2) (id=133, l=74)


Frame 4: 116 bytes on wire (928 bits), 116 bytes captured (928 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 
00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 10.56.254.100 (10.56.254.100), Dst: 
10.56.254.100 (10.56.254.100)

User Datagram Protocol, Src Port: sightline (1645), Dst Port: 45988 (45988)
Radius Protocol
Code: Access-Accept (2)
Packet identifier: 0x85 (133)
Length: 74
Authenticator: 1435dfa93534eecd1cf14b7ada051737
[This is a response to a request in frame 3]
[Time from request: 0.008358000 seconds]
Attribute Value Pairs
AVP: l=6  t=Framed-IP-Address(8): Assigned
AVP: l=6  t=Framed-IP-Netmask(9): 255.255.255.255
AVP: l=12  t=Vendor-Specific(26) v=ERX(4874)
* AVP: l=10  t=Framed-Interface-Id(96): 31303a313a313a31*
AVP: l=20  t=Framed-IPv6-Prefix(97): 1000::/64



### Setup information ###

[root@radtest radiator]# radiusd -v
This is Radiator 4.8 on radtest

[root@radtest radiator]# grep Framed-Interface-Id dictionary
ATTRIBUTE   Framed-Interface-Id 96  string


### User profile ###
dual_stack06@v6test   User-Password = "ds06"
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Unisphere-Virtual-Router = HOME,
        Framed-Interface-Id = 10:1:1:1,
        Framed-IPv6-Prefix = 1000::/64,
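The capture in this thread shows what happens when Framed-Interface-Id (RADIUS attribute 96) is declared as type `string` in the dictionary: Radiator puts the ASCII characters of `10:1:1:1` on the wire, and the NAS, which reads the value as the eight raw octets RFC 3162 specifies, displays them as `3130:3a31:3a31:3a31`. The two encodings happen to be the same length here (eight characters, eight octets), so the NAS accepts the attribute instead of rejecting it. The following is an added example, not code from the thread or from Radiator: it builds the attribute both ways, decodes it the way a NAS does, and shows the length check a NAS (or your own packet parser) applies. The `CAPTURED_AVP` constant is reconstructed from the `l=10 t=Framed-Interface-Id(96): 31303a313a313a31` line above; the string `1:1:1:1` used to show the length failure is a constructed input. On the Radiator side the fix is a dictionary entry whose type emits eight raw octets rather than text (FreeRADIUS and current Radiator dictionaries name this type `ifid`; confirm the type name against the dictionary shipped with your release).

```python
"""
Framed-Interface-Id (RADIUS attribute 96, RFC 3162) encoded two ways:
as a dictionary type 'string' does (ASCII characters) and as RFC 3162
specifies (eight raw octets holding the 64-bit interface identifier).
"""
import struct
from typing import Tuple

FRAMED_INTERFACE_ID = 96  # attribute type number, RFC 3162 section 2.2

# Reconstructed from the capture in the thread: t=96, l=10, value 31303a313a313a31.
CAPTURED_AVP = bytes.fromhex("600a31303a313a313a31")


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP layout: Type (1 octet), Length (1 octet, header included), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("AVP value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avp(data: bytes) -> Tuple[int, bytes, bytes]:
    """Split off one AVP; returns (type, value, remaining bytes). Refuses bad lengths."""
    if len(data) < 2:
        raise ValueError("truncated AVP header")
    attr_type, length = struct.unpack("!BB", data[:2])
    if length < 2 or length > len(data):
        raise ValueError(f"bad AVP length {length}")
    return attr_type, data[2:length], data[length:]


def ifid_to_bytes(text: str) -> bytes:
    """'10:1:1:1' -> 00 10 00 01 00 01 00 01 (four 16-bit groups, network byte order)."""
    groups = text.split(":")
    if len(groups) != 4:
        raise ValueError("an interface id has exactly four 16-bit groups")
    words = [int(g, 16) for g in groups]
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("group out of range")
    return struct.pack("!4H", *words)


def bytes_to_ifid(raw: bytes) -> str:
    """Render eight octets the way a NAS prints an interface id."""
    if len(raw) != 8:
        raise ValueError(f"Framed-Interface-Id must be 8 octets, got {len(raw)}")
    return ":".join(f"{w:04x}" for w in struct.unpack("!4H", raw))


def encode_as_string(text: str) -> bytes:
    """What a dictionary entry of type 'string' puts on the wire: the ASCII bytes."""
    return encode_avp(FRAMED_INTERFACE_ID, text.encode("ascii"))


def encode_as_ifid(text: str) -> bytes:
    """What RFC 3162 asks for: the 64-bit identifier itself."""
    return encode_avp(FRAMED_INTERFACE_ID, ifid_to_bytes(text))


def nas_view(avp: bytes) -> str:
    """Decode as a NAS does: type 96 must carry exactly 8 octets, no text parsing."""
    attr_type, value, rest = decode_avp(avp)
    if attr_type != FRAMED_INTERFACE_ID:
        raise ValueError(f"not Framed-Interface-Id: type {attr_type}")
    if rest:
        raise ValueError("trailing bytes after AVP")
    return bytes_to_ifid(value)


if __name__ == "__main__":
    print("captured  :", nas_view(CAPTURED_AVP))                 # 3130:3a31:3a31:3a31
    print("as string :", nas_view(encode_as_string("10:1:1:1")))  # 3130:3a31:3a31:3a31
    print("as ifid   :", nas_view(encode_as_ifid("10:1:1:1")))    # 0010:0001:0001:0001
```

Run it and the first two lines match the NAS's `3130:3a31:3a31:3a31`; only the third carries the identifier the profile intended. Note what `nas_view` does with a seven-character string such as `1:1:1:1`: the `string` encoding yields a 7-octet value and a strict decoder rejects it, so a profile that "works" for one address and fails for another is a sign that the dictionary type, not the NAS, is wrong.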

Re: [RADIATOR] Question about IP Pool.

2011-08-21 Thread Heikki Vatiainen
On 08/20/2011 09:07 PM, Faisal Imtiaz wrote:

Hello Faisal,

> I am currently using Radiator configured with mysql for authenticating 
> DSL Subscribers. So far we have been allocating fixed IP addresses & 
> framed routes as needed for the subscribers.
> 
> We have a bunch of subscribers who need to be on dynamic IPs.   There is 
> a RADPOOL table, that I can add  addresses to either manually or via 
> AddressPool...
> 
> What I am having trouble with is on what do I need to 'define' for the 
> user so that Radiator will get an IP address from the RADPOOL Table ?
> and what code if any I need to put in radius.cfg for this to happen.

Please see goodies/addressallocator.cfg in Radiator distribution package
for an example.

The idea is to run the normal authentication first followed by AuthBy
DYNADDRESS. The AuthByPolicy should be set so that DYNADDRESS is only
used if the normal authentication first succeeds.

You should probably keep your existing Handler and AuthBy as they are
and add a new Handler to match the dynaddress users. This new Handler
would have two AuthBys where the first does normal authentication
followed by the second AuthBy that does address allocation from AddressPool.

You can also have more AuthBys if needed, but the above is a simple
extension of your current setup shown below.

Best regards,
Heikki

> Many Thanks in advance.
> ===
> here is what my AuthBy looks like
> 
> <AuthBy SQL>
>  # MySQL DB, DB radius, host localhost
>  DBSource dbi:mysql:xxx
>  DBUsername x
>  DBAuth xxx
> 
>  # Define Table and Columns for Authentication
>  AuthSelect select PASSWORD, SERVICETYPE, 
> FRAMEDPROTOCOL, TRAFFICSHAPE, ACL, PORTLIMIT, TIMELEFT, IPPOOL, FRAMEDI$
>  from SUBSCRIBERS where USERNAME = %0
>  AuthColumnDef 0, Password, check
>  AuthColumnDef 1, GENERIC, check
>  AuthColumnDef 2, GENERIC, reply
>  AuthColumnDef 3, GENERIC, reply
>  AuthColumnDef 4, GENERIC, reply
>  AuthColumnDef 5, GENERIC, reply
>  AuthColumnDef 6, GENERIC, reply
>  AuthColumnDef 7, GENERIC, reply
>  AuthColumnDef 8, GENERIC, reply
>  AuthColumnDef 9, GENERIC, reply
>  AuthColumnDef 10, GENERIC, reply
>  AuthColumnDef 11, GENERIC, reply
>  AuthColumnDef 12, GENERIC, reply
> 
>  # Define Table and Columns for Accounting
>  AccountingTable ACCOUNTING
>  AcctColumnDef   USERNAME,User-Name
>  AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,\
>  '%Y/%m/%e %H:%M:%S'
>  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>  AcctColumnDef   NASIPADDRESS,NAS-IP-Address
>  AcctColumnDef   NASPORT,NAS-Port,integer
>  AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> </AuthBy>
> 
> =


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
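The Handler layout Heikki describes (normal authentication first, then AuthBy DYNADDRESS, with an AuthByPolicy that stops at the first reject), written out as an added example. This is not Faisal's or Heikki's config and not the goodies file itself; it follows the structure of goodies/addressallocator.cfg. The database name and credentials, the realm used to pick out the dynamic subscribers, the pool name and the address range are placeholders, and the idea of putting `PoolHint=dsl-dynamic` in the existing IPPOOL GENERIC reply column is an assumption about how to reuse the table shown above.

```apacheconf
# Added example, modelled on the layout of goodies/addressallocator.cfg.
# Database, credentials, realm, pool name and range are placeholders.

# The allocator owns the RADPOOL table and hands out addresses from the
# pools declared inside it: one <AddressPool> per PoolHint value.
<AddressAllocator SQL>
	Identifier dslAllocator
	DBSource	dbi:mysql:radius
	DBUsername	radius
	DBAuth		secret
	<AddressPool dsl-dynamic>
		Subnetmask 255.255.255.255
		Range 10.20.0.10 10.20.0.250
	</AddressPool>
</AddressAllocator>

# Fixed-address subscribers keep the existing Handler. Dynamic ones are
# routed here; matching on a realm is an assumption, any request attribute
# that already distinguishes them will do.
<Handler Realm=dyn.example.net>
	# Run the AuthBys in order and stop at the first that does not ACCEPT,
	# so no address is ever allocated for a failed password check.
	AuthByPolicy ContinueWhileAccept

	<AuthBy SQL>
		DBSource	dbi:mysql:radius
		DBUsername	radius
		DBAuth		secret
		# Assumption: for these rows the IPPOOL column holds "PoolHint=dsl-dynamic",
		# which the GENERIC reply column turns into a PoolHint reply attribute.
		AuthSelect select PASSWORD, SERVICETYPE, FRAMEDPROTOCOL, IPPOOL \
			from SUBSCRIBERS where USERNAME = %0
		AuthColumnDef 0, Password, check
		AuthColumnDef 1, GENERIC, check
		AuthColumnDef 2, GENERIC, reply
		AuthColumnDef 3, GENERIC, reply
		# Accounting must also land in this Handler so DYNADDRESS sees the Stop
		AccountingTable ACCOUNTING
		AcctColumnDef USERNAME,User-Name
		AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
		AcctColumnDef ACCTSESSIONID,Acct-Session-Id
		AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
	</AuthBy>

	<AuthBy DYNADDRESS>
		Allocator dslAllocator
		# Which pool to draw from: the PoolHint the SQL lookup just added
		PoolHint %{Reply:PoolHint}
		# Copy the lease into the attributes the BRAS understands
		MapAttribute yiaddr, Framed-IP-Address
		MapAttribute subnetmask, Framed-IP-Netmask
		# The hint is internal routing state; never send it to the NAS
		StripFromReply PoolHint
	</AuthBy>
</Handler>
```

Two things to check after deploying something like this. First, the Accounting-Stop from the BRAS has to reach the same Handler, because that is what releases the lease back into RADPOOL; if accounting goes elsewhere, addresses are never freed and the pool drains until dynamic subscribers are rejected. Second, watch that `ContinueWhileAccept` really gates the allocator: a user with a wrong password must be rejected by the SQL AuthBy before DYNADDRESS runs, otherwise a password-guessing client can burn through the pool.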


Re: [RADIATOR] changing from auth by file to auth by pam

2011-08-21 Thread Heikki Vatiainen
On 08/19/2011 02:06 PM, Richard Dunne wrote:

Hello Richard,

> I have added the RewriteUsername s/^([^@]+).*/$1/ which does remove the
> linux.com realm. But still even with this and the correct password I get a
> failure.

You need to change the config to support EAP-TTLS with PAP. When you
need to use a non-plaintext password store, such as /etc/shadow in Linux,
you cannot use EAP-MSCHAP-V2 because EAP-MSCHAP-V2 also uses
non-plaintext passwords. In other words, both ends of the authentication
process cannot use differently hashed passwords.



<Handler TunnelledByTTLS=1, Realm=linux.com>
	<AuthBy PAM>
		Service passwd
		UsernameMatchesWithoutRealm
		AddToReply Extreme-Netlogin-Vlan = 
	</AuthBy>
</Handler>

The tunnelling protocol is now TTLS and there's no need for EAPType anymore.

Fortunately Linux clients seem to support TTLS/PAP so this should be
possible. Both inner and outer identities should have @linux.com for
this configuration to work.

Note that TTLS/PAP is not the only protocol that supports plain text
tunnelled passwords, but it's widely available with Linux clients.

Thanks!
Heikki

> Fri Aug 19 11:35:56 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=linux.com'
> Fri Aug 19 11:35:56 2011: DEBUG: Rewrote user name to root
> Fri Aug 19 11:35:56 2011: DEBUG:  Deleting session for r...@linux.com, 172.30.3.251, 
> Fri Aug 19 11:35:56 2011: DEBUG: Handling with PAM service passwd
> Fri Aug 19 11:35:56 2011: DEBUG: PAM is asking for 1: 'Password'
> Fri Aug 19 11:35:59 2011: DEBUG: AuthBy PAM result: REJECT, Authentication failure: 
> Fri Aug 19 11:35:59 2011: INFO: Access rejected for root: Authentication failure: 
> Fri Aug 19 11:35:59 2011: DEBUG: Returned PEAP tunnelled packet dump:
> 
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
> Behalf Of Richard Dunne
> Sent: 19 August 2011 11:05
> To: 'Heikki Vatiainen'
> Cc: radiator@open.com.au
> Subject: [RADIATOR] changing from auth by file to auth by pam
> 
> 
> Hello all,
> 
> I'm having a problem moving from Auth by FILE to PAM.
> 
> The handler is
> 
> <Handler TunnelledByPEAP=1, Realm=linux.com>
> 	<AuthBy FILE>
> 		Filename %D/users
> 		#Service passwd
> 		UsernameMatchesWithoutRealm
> 		AddToReply Extreme-Netlogin-Vlan = 
> 		EAPType MSCHAP-V2
> 	</AuthBy>
> </Handler>
> 
> This works perfectly and gives the following; it rewrites the username to pat, which
> is perfect:
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=linux.com'
> Fri Aug 19 11:13:31 2011: DEBUG:  Deleting session for p...@linux.com, 172.30.3.251, 
> Fri Aug 19 11:13:31 2011: DEBUG: Handling with Radius::AuthFILE: 
> Fri Aug 19 11:13:31 2011: DEBUG: Handling with EAP: code 2, 233, 68, 26
> Fri Aug 19 11:13:31 2011: DEBUG: Response type 26
> Fri Aug 19 11:13:31 2011: DEBUG: Reading users file ./users
> Fri Aug 19 11:13:31 2011: DEBUG: Radius::AuthFILE looks for match with pat [p...@linux.com]
> Fri Aug 19 11:13:31 2011: DEBUG: Radius::AuthFILE REJECT: No such user: pat [p...@linux.com]
> Fri Aug 19 11:13:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user pat
> Fri Aug 19 11:13:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user pat
> Fri Aug 19 11:13:31 2011: INFO: Access rejected for p...@linux.com: EAP MSCHAP V2 failed: no such user pat
> Fri Aug 19 11:13:31 2011: DEBUG: Returned PEAP tunnelled packet dump:
> 
> When I change it to auth by PAM the handler becomes
> 
> <Handler TunnelledByPEAP=1, Realm=linux.com>
> 	<AuthBy PAM>
> 		Service passwd
> 		UsernameMatchesWithoutRealm
> 		AddToReply Extreme-Netlogin-Vlan = cc
> 		EAPType MSCHAP-V2
> 	</AuthBy>
> </Handler>
> 
> I get an error which is using the full username p...@linux.com. I need the
> @linux.com removed.
> 
> Fri Aug 19 11:25:21 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=linux.com'
> Fri Aug 19 11:25:21 2011: DEBUG:  Deleting session for p...@linux.com, 172.30.3.251, 
> Fri Aug 19 11:25:21 2011: DEBUG: Handling with PAM service login
> Fri Aug 19 11:25:21 2011: DEBUG: PAM is asking for 1: 'Password'
> Fri Aug 19 11:25:23 2011: DEBUG: AuthBy PAM result: REJECT, User not known to the underlying authentication module: 
> Fri Aug 19 11:25:23 2011: INFO: Access rejected for p...@linux.com: User not known to the underlying authentication module: 
> Fri Aug 19 11:25:23 2011: DEBUG: Returned PEAP tunnelled packet dump:
> 
> I'm using the UsernameMatchesWithoutRealm and some regexp rewrite, but the
> damn @linux won't go away.
> 
> Any ideas?
> 
> Regards, Richard
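Heikki's advice above (TTLS instead of PEAP, PAP inside the tunnel, PAM against /etc/shadow, realm stripped before PAM sees the name) assembled into a complete pair of Handlers, as an added example rather than either poster's actual config. Certificate and key file names, the key password, the anonymous outer identity and the VLAN value are placeholders (assumptions); AuthBy PAM needs the Authen::PAM Perl module installed.

```apacheconf
# Added example, not Heikki's or Richard's config. Paths, key password,
# outer identity and VLAN value are placeholders.

# Outer Handler: the switch sends EAP over RADIUS for realm linux.com.
# This AuthBy terminates the TLS tunnel; whatever the client sends inside
# it re-enters Radiator as a new request tagged TunnelledByTTLS=1.
<Handler Realm=linux.com>
	<AuthBy FILE>
		Filename %D/users
		EAPType TTLS
		EAPTLS_CAFile %D/certificates/ca.pem
		EAPTLS_CertificateFile %D/certificates/radius.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/radius.key
		EAPTLS_PrivateKeyPassword changeme
		EAPTLS_MaxFragmentSize 1024
		# Outer identity clients should send; only its realm is needed for routing
		EAPAnonymous anonymous@linux.com
		# Return MS-MPPE keys so the switch or AP can key the session
		AutoMPPEKeys
	</AuthBy>
</Handler>

# Inner Handler: the tunnelled request is PAP, i.e. the password arrives
# in clear inside the TLS tunnel, which is what PAM needs to check it
# against /etc/shadow. Strip the realm first; PAM wants the bare account.
<Handler TunnelledByTTLS=1, Realm=linux.com>
	RewriteUsername s/^([^@]+).*/$1/
	<AuthBy PAM>
		# PAM service name (/etc/pam.d/passwd, as used in the thread)
		Service passwd
		AddToReply Extreme-Netlogin-Vlan = staff
	</AuthBy>
</Handler>
```

Two consequences of this design worth stating plainly. The inner password is plaintext to Radiator and to PAM, and the only thing protecting it on the air is the outer TLS session, so the supplicants must be configured to validate the server certificate against the CA and the expected server name; a client that skips that check will happily build its tunnel to a rogue access point and hand it the Unix password. And because pam_unix reads /etc/shadow, the radiusd process needs that privilege (in practice, root or the shadow group), which argues for a dedicated PAM service with only the modules you intend rather than reusing a general-purpose one.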