(RADIATOR) PEAPV0 in Radiator

SecureW2 (List) list at securew2.com
Tue Jun 10 18:42:32 CDT 2008


Hi,

I tried to use PEAPv0 in Radiator with our new SecureW2 PEAPv0 method. At
the end I do receive an Access-Accept from Radiator, but I did not get the
required extension 33 request packet or the MPPE keys:

----------------------------------------------------------------------
*** Received from 82.75.154.105 port 22468 ....

Packet length = 180
01 86 00 b4 95 67 44 7d be e1 d7 28 f2 d3 9b 88
3a 5d 5f d6 01 0a 74 6f 6d 40 74 74 6c 73 0c 06
00 00 05 78 1e 10 30 30 30 66 2e 38 66 31 64 2e
37 36 32 30 1f 10 30 30 31 36 2e 36 66 37 65 2e
34 32 33 32 50 12 ad 5e 3a c3 37 cc 35 b0 90 7e
f6 29 22 ad a2 9d 4f 39 02 08 00 37 19 80 00 00
00 2d 17 03 01 00 28 dc 65 d6 f9 05 0c 0e 7c 8e
40 a8 1b 6a 66 ef 74 83 cf f6 dd c8 8f 24 0d 81
4b 39 94 71 32 f6 67 bc bb a3 c9 dd 24 21 b6 3d
06 00 00 00 13 05 06 00 00 01 8d 06 06 00 00 00
02 04 06 c0 a8 02 02 20 0d 72 69 78 6f 6d 61 70
31 31 30 30
Code:       Access-Request
Identifier: 134
Authentic:  <149>gD}<190><225><215>(<242><211><155><136>:]_<214>
Attributes:
        User-Name = "tom@ttls"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f1d.7620"
        Calling-Station-Id = "0016.6f7e.4232"
        Message-Authenticator =
<173>^:<195>7<204>5<176><144>~<246>)"<173><162><157>
        EAP-Message =
<2><8><0>7<25><128><0><0><0>-<23><3><1><0>(<220>e<214><249><5><12><14>|<142>@<168><27>jf<239>t<131><207><246><221><200><143>$<13><129>K9<148>q2<246>g<188><187><163><201><221>$!<182>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 397
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.2
        NAS-Identifier = "rixomap1100"

Tue Jun 10 17:15:15 2008: DEBUG: Handling request with Handler 'Realm=ttls'
Tue Jun 10 17:15:15 2008: DEBUG: Rewrote user name to tom
Tue Jun 10 17:15:15 2008: DEBUG:  Deleting session for tom@ttls, 192.168.2.2, 397
Tue Jun 10 17:15:15 2008: DEBUG: Handling with Radius::AuthFILE:
Tue Jun 10 17:15:15 2008: DEBUG: Handling with EAP: code 2, 8, 55, 25
Tue Jun 10 17:15:15 2008: DEBUG: Response type 25
Tue Jun 10 17:15:15 2008: DEBUG: EAP PEAP inner authentication request for anonymous
Tue Jun 10 17:15:15 2008: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <226><27><157><224>R<211>%rZ<165>/f<222><11>E<128>
Attributes:
        EAP-Message =
<2><8><0><14><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.2.2
        NAS-Identifier = "rixomap1100"
        NAS-Port = 397
        Calling-Station-Id = "0016.6f7e.4232"

Tue Jun 10 17:15:15 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Tue Jun 10 17:15:15 2008: DEBUG:  Deleting session for anonymous, 192.168.2.2, 397
Tue Jun 10 17:15:15 2008: DEBUG: Handling with Radius::AuthOTP:
Tue Jun 10 17:15:15 2008: DEBUG: Handling with EAP: code 2, 8, 14, 0
Tue Jun 10 17:15:15 2008: DEBUG: Response type 0
Tue Jun 10 17:15:15 2008: DEBUG: EAP result: 0,
Tue Jun 10 17:15:15 2008: DEBUG: AuthBy OTP result: ACCEPT,
Tue Jun 10 17:15:15 2008: DEBUG: Access accepted for anonymous
Tue Jun 10 17:15:15 2008: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <226><27><157><224>R<211>%rZ<165>/f<222><11>E<128>
Attributes:

Tue Jun 10 17:15:15 2008: DEBUG: EAP result: 0, EAP PEAP inner authentication redespatched to a Handler
Tue Jun 10 17:15:15 2008: DEBUG: AuthBy FILE result: ACCEPT, EAP PEAP inner authentication redespatched to a Handler
Tue Jun 10 17:15:15 2008: DEBUG: Access accepted for tom
Tue Jun 10 17:15:15 2008: DEBUG: Packet dump:
*** Sending to 82.75.154.105 port 22468 ....

Packet length = 20
02 86 00 14 eb f5 3a e6 79 85 2d 8a 70 bb 31 26
69 d6 bc 17
Code:       Access-Accept
Identifier: 134
Authentic:  <235><245>:<230>y<133>-<138>p<187>1&i<214><188><23>
Attributes:
----------------------------------------------------------------------

As you can see, Radiator simply sends the Access-Accept without the MPPE
keys.

This is my config:

----------------------------------------------------------------------
<Realm ttls>

        RewriteUsername         s/^(.*?)\@.*$/$1/

        <AuthBy FILE>
                Filename %D/users

                EAPType PEAP, TTLS, MSCHAP-V2

                #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                EAPTLS_CAFile /etc/ssl/chain.pem

                #EAPTLS_CertificateFile /etc/ssl/certs/svn.securew2.com.pem
                #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateFile /etc/ssl/certs/tls.securew2.com.pem
                EAPTLS_CertificateType PEM

                #EAPTLS_PrivateKeyFile /etc/ssl/private/svn.securew2.com.key
                #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyFile /etc/ssl/private/tls.securew2.com.key
                EAPTLS_PrivateKeyPassword xxx

                EAPTLS_MaxFragmentSize 1000

                #EAPTLS_PEAPBrokenV1Label 1

                EAPTLS_PEAPVersion 0

                AutoMPPEKeys

                EAPTLS_SessionResumption 1

                EAPTLS_SessionResumptionLimit 300

        </AuthBy>

        AcctLogFileName %D/detail
</Realm>
----------------------------------------------------------------------

Tom

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
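A reader-added check, not part of Tom's post and not Radiator code: the Python below decodes the two hex dumps quoted in the post (embedded here as byte strings copied from them), lists the RADIUS attributes, decodes the EAP/PEAP header of the request (type 25, flags byte with version bits and the TLS length-included bit), and reports what the final Access-Accept lacks for an EAP conversation: an EAP-Message carrying EAP Success, the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and the MS-MPPE-Send-Key / MS-MPPE-Recv-Key vendor attributes (vendor 311, types 16 and 17, RFC 2548) that deliver the keying material. A second, synthetic Access-Accept is built to show the same check passing. The attribute and EAP type name tables are assumptions limited to what the dumps use, and the key bytes in the synthetic packet are placeholders: real MPPE keys are salt-encrypted with the shared secret and the request authenticator as RFC 2548 specifies, which this code does not do.

```python
"""Decode RADIUS packet dumps and check an Access-Accept for what an EAP/PEAP
supplicant needs.  Added example, not Radiator code."""
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              12: "Framed-MTU", 26: "Vendor-Specific", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type",
              79: "EAP-Message", 80: "Message-Authenticator"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "EAP-MSCHAPv2",
             33: "MS-Authentication-TLV (PEAPv0 result exchange)"}
MICROSOFT = 311                                    # RFC 2548 vendor id
MS_MPPE = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

# Constructed input: the two hex dumps from the post, copied verbatim.
ACCESS_REQUEST = bytes.fromhex(
    "01 86 00 b4 95 67 44 7d be e1 d7 28 f2 d3 9b 88 3a 5d 5f d6 01 0a 74 6f 6d 40 74 74 6c 73 0c 06"
    "00 00 05 78 1e 10 30 30 30 66 2e 38 66 31 64 2e 37 36 32 30 1f 10 30 30 31 36 2e 36 66 37 65 2e"
    "34 32 33 32 50 12 ad 5e 3a c3 37 cc 35 b0 90 7e f6 29 22 ad a2 9d 4f 39 02 08 00 37 19 80 00 00"
    "00 2d 17 03 01 00 28 dc 65 d6 f9 05 0c 0e 7c 8e 40 a8 1b 6a 66 ef 74 83 cf f6 dd c8 8f 24 0d 81"
    "4b 39 94 71 32 f6 67 bc bb a3 c9 dd 24 21 b6 3d 06 00 00 00 13 05 06 00 00 01 8d 06 06 00 00 00"
    "02 04 06 c0 a8 02 02 20 0d 72 69 78 6f 6d 61 70 31 31 30 30")
ACCESS_ACCEPT = bytes.fromhex(
    "02 86 00 14 eb f5 3a e6 79 85 2d 8a 70 bb 31 26 69 d6 bc 17")


def parse_radius(data):
    """Split a raw RADIUS packet into header fields and a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d at offset %d has bad length %d" % (atype, pos, alen))
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "name": RADIUS_CODES.get(code, str(code)), "id": ident,
            "authenticator": bytes(data[4:20]), "attrs": attrs}


def summarize(pkt):
    """Attribute list with names resolved, for printing."""
    return [(ATTR_NAMES.get(t, str(t)), v) for t, v in pkt["attrs"]]


def vendor_attrs(attrs):
    """Expand Vendor-Specific (26) attributes into (vendor_id, vendor_type, value) triples."""
    out = []
    for atype, value in attrs:
        if atype != 26 or len(value) < 4:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break                                  # malformed sub-attribute; stop, don't loop
            out.append((vendor, vtype, value[pos + 2:pos + vlen]))
            pos += vlen
    return out


def build_vsa(vendor, vtype, value):
    """Encode one RFC 2865 Vendor-Specific attribute (only used for the synthetic accept)."""
    body = struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value
    return bytes([26, len(body) + 2]) + body


def parse_eap(attrs):
    """Reassemble EAP-Message fragments and decode the EAP header (RFC 3748);
    for PEAP (type 25) also the flags byte: bit 7 TLS length included, bit 6 more
    fragments, low three bits the PEAP version."""
    eap = b"".join(v for t, v in attrs if t == 79)
    if len(eap) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": code, "id": ident, "length": length, "length_ok": length == len(eap),
            "type": eap[4] if len(eap) > 4 else None}
    info["type_name"] = EAP_TYPES.get(info["type"], "unassigned/unknown")
    if info["type"] == 25 and len(eap) > 5:
        flags = eap[5]
        info["peap_version"] = flags & 0x07
        info["tls_length_included"] = bool(flags & 0x80)
        info["more_fragments"] = bool(flags & 0x40)
    return info


def check_eap_accept(pkt):
    """What an Access-Accept that ends an EAP conversation should carry but does not."""
    present = {t for t, _ in pkt["attrs"]}
    missing = []
    if 79 not in present:
        missing.append("EAP-Message (EAP Success)")
    if 80 not in present:
        missing.append("Message-Authenticator (RFC 3579 requires it with EAP-Message)")
    found = {MS_MPPE[vt] for vendor, vt, _ in vendor_attrs(pkt["attrs"])
             if vendor == MICROSOFT and vt in MS_MPPE}
    missing += sorted(set(MS_MPPE.values()) - found)
    return missing


def synthetic_accept(ident, authenticator):
    """Constructed Access-Accept shaped as a supplicant expects.  Key and HMAC bytes are
    placeholders, not the RFC 2548 salt-encryption or the RFC 3579 Message-Authenticator."""
    eap_success = bytes([79, 6, 3, ident & 0xFF, 0, 4])          # EAP code 3 Success, length 4
    msg_auth = bytes([80, 18]) + bytes(16)
    keys = (build_vsa(MICROSOFT, 16, b"\x80\x01" + bytes(32)) +
            build_vsa(MICROSOFT, 17, b"\x80\x02" + bytes(32)))
    body = eap_success + msg_auth + keys
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + authenticator + body


if __name__ == "__main__":
    for raw in (ACCESS_REQUEST, ACCESS_ACCEPT):
        pkt = parse_radius(raw)
        print(pkt["name"], "id", pkt["id"])
        for name, value in summarize(pkt):
            print("   ", name, "=", value)
        if pkt["code"] == 2:
            print("    missing:", check_eap_accept(pkt))
    print("EAP header of request:", parse_eap(parse_radius(ACCESS_REQUEST)["attrs"]))
```

Running it shows the request's User-Name as tom@ttls (the archive's " at " rendering is an artifact), an outer EAP Response of type 25 with flags 0x80 (PEAP version 0, TLS length included), and an Access-Accept that carries no attributes at all, so every item the check looks for is reported missing; the synthetic accept passes the same check.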