(RADIATOR) PEAPV0 in Radiator

Mike McCauley mikem at open.com.au
Tue Jun 10 19:16:44 CDT 2008


Hi Tom,

I don't think you sent the whole config file to us?
I see from the log that there is an AuthBy OTP involved, but that's not shown 
in the config file excerpt you sent.

In any case, Radiator sets the MPPE keys when the EAPEXTENSIONS_RESULT_SUCCESS 
is received. Are you sure you sent that in the tunnel?

Cheers.


On Wednesday 11 June 2008 09:42, SecureW2 (List) wrote:
> Hi,
>
> I tried to use PEAPv0 in Radiator with our new SecureW2 PEAPv0 method and
> at the end I do receive an access-accept from Radiator but I did not get
> the required extension 33 request packet or the MPPE keys:
>
> ----------------------------------------------------------------------
> *** Received from 82.75.154.105 port 22468 ....
>
> Packet length = 180
> 01 86 00 b4 95 67 44 7d be e1 d7 28 f2 d3 9b 88
> 3a 5d 5f d6 01 0a 74 6f 6d 40 74 74 6c 73 0c 06
> 00 00 05 78 1e 10 30 30 30 66 2e 38 66 31 64 2e
> 37 36 32 30 1f 10 30 30 31 36 2e 36 66 37 65 2e
> 34 32 33 32 50 12 ad 5e 3a c3 37 cc 35 b0 90 7e
> f6 29 22 ad a2 9d 4f 39 02 08 00 37 19 80 00 00
> 00 2d 17 03 01 00 28 dc 65 d6 f9 05 0c 0e 7c 8e
> 40 a8 1b 6a 66 ef 74 83 cf f6 dd c8 8f 24 0d 81
> 4b 39 94 71 32 f6 67 bc bb a3 c9 dd 24 21 b6 3d
> 06 00 00 00 13 05 06 00 00 01 8d 06 06 00 00 00
> 02 04 06 c0 a8 02 02 20 0d 72 69 78 6f 6d 61 70
> 31 31 30 30
> Code:       Access-Request
> Identifier: 134
> Authentic:  <149>gD}<190><225><215>(<242><211><155><136>:]_<214>
> Attributes:
>         User-Name = "tom at ttls"
>         Framed-MTU = 1400
>         Called-Station-Id = "000f.8f1d.7620"
>         Calling-Station-Id = "0016.6f7e.4232"
>         Message-Authenticator =
> <173>^:<195>7<204>5<176><144>~<246>)"<173><162><157>
>         EAP-Message =
> <2><8><0>7<25><128><0><0><0>-<23><3><1><0>(<220>e<214><249><5><12><14>|<142>
> @<168><27>jf<239>t<131><207><246><221><200><143>$<13><129>K9<148>q2<246>g<188><187><163><201><221>$!<182>
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Port = 397
>         Service-Type = Framed-User
>         NAS-IP-Address = 192.168.2.2
>         NAS-Identifier = "rixomap1100"
>
> Tue Jun 10 17:15:15 2008: DEBUG: Handling request with Handler 'Realm=ttls'
> Tue Jun 10 17:15:15 2008: DEBUG: Rewrote user name to tom
> Tue Jun 10 17:15:15 2008: DEBUG:  Deleting session for tom at ttls,
> 192.168.2.2, 397
> Tue Jun 10 17:15:15 2008: DEBUG: Handling with Radius::AuthFILE:
> Tue Jun 10 17:15:15 2008: DEBUG: Handling with EAP: code 2, 8, 55, 25
> Tue Jun 10 17:15:15 2008: DEBUG: Response type 25
> Tue Jun 10 17:15:15 2008: DEBUG: EAP PEAP inner authentication request for
> anonymous
> Tue Jun 10 17:15:15 2008: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <226><27><157><224>R<211>%rZ<165>/f<222><11>E<128>
> Attributes:
>         EAP-Message =
> <2><8><0><14><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "anonymous"
>         NAS-IP-Address = 192.168.2.2
>         NAS-Identifier = "rixomap1100"
>         NAS-Port = 397
>         Calling-Station-Id = "0016.6f7e.4232"
>
> Tue Jun 10 17:15:15 2008: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Tue Jun 10 17:15:15 2008: DEBUG:  Deleting session for anonymous,
> 192.168.2.2, 397
> Tue Jun 10 17:15:15 2008: DEBUG: Handling with Radius::AuthOTP:
> Tue Jun 10 17:15:15 2008: DEBUG: Handling with EAP: code 2, 8, 14, 0
> Tue Jun 10 17:15:15 2008: DEBUG: Response type 0
> Tue Jun 10 17:15:15 2008: DEBUG: EAP result: 0,
> Tue Jun 10 17:15:15 2008: DEBUG: AuthBy OTP result: ACCEPT,
> Tue Jun 10 17:15:15 2008: DEBUG: Access accepted for anonymous
> Tue Jun 10 17:15:15 2008: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <226><27><157><224>R<211>%rZ<165>/f<222><11>E<128>
> Attributes:
>
> Tue Jun 10 17:15:15 2008: DEBUG: EAP result: 0, EAP PEAP inner
> authentication redespatched to a Handler
> Tue Jun 10 17:15:15 2008: DEBUG: AuthBy FILE result: ACCEPT, EAP PEAP inner
> authentication redespatched to a Handler
> Tue Jun 10 17:15:15 2008: DEBUG: Access accepted for tom
> Tue Jun 10 17:15:15 2008: DEBUG: Packet dump:
> *** Sending to 82.75.154.105 port 22468 ....
>
> Packet length = 20
> 02 86 00 14 eb f5 3a e6 79 85 2d 8a 70 bb 31 26
> 69 d6 bc 17
> Code:       Access-Accept
> Identifier: 134
> Authentic:  <235><245>:<230>y<133>-<138>p<187>1&i<214><188><23>
> Attributes:
> ----------------------------------------------------------------------
>
> As you can see Radiator simply sends the ACCESS-ACCEPT without the MPPE
> keys.
>
> This is my config:
>
> ----------------------------------------------------------------------
> <Realm ttls>
>
>         RewriteUsername         s/^(.*?)\@.*$/$1/
>
>         <AuthBy FILE>
>                 Filename %D/users
>
>                 EAPType PEAP, TTLS, MSCHAP-V2
>
>                 #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CAFile /etc/ssl/chain.pem
>
>                 #EAPTLS_CertificateFile /etc/ssl/certs/svn.securew2.com.pem
>                 #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateFile /etc/ssl/certs/tls.securew2.com.pem
>                 EAPTLS_CertificateType PEM
>
>                 #EAPTLS_PrivateKeyFile /etc/ssl/private/svn.securew2.com.key
>                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyFile /etc/ssl/private/tls.securew2.com.key
>                 EAPTLS_PrivateKeyPassword xxx
>
>                 EAPTLS_MaxFragmentSize 1000
>
>                 #EAPTLS_PEAPBrokenV1Label 1
>
>                 EAPTLS_PEAPVersion 0
>
>                 AutoMPPEKeys
>
>                 EAPTLS_SessionResumption 1
>
>                 EAPTLS_SessionResumptionLimit 300
>
>         </AuthBy>
>
>         AcctLogFileName %D/detail
> </Realm>
> ----------------------------------------------------------------------
>
> Tom
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX etc on Unix, Windows, MacOS, NetWare etc.
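The two sides of the problem in this thread, as an added example that is not Radiator code and not from either post: a decoder for the outer RADIUS Access-Accept that reports whether the MS-MPPE-Send-Key and MS-MPPE-Recv-Key VSAs are present, and an encoder/checker for the PEAPv0 EAP-Extensions (type 33) Result TLV exchange that has to complete inside the tunnel before the server has a success to key. The Access-Accept bytes are the 20-byte dump quoted above; attribute and TLV numbers follow RFC 2865, RFC 2548 and the PEAPv0 draft, and the EAP identifier and any key bytes are constructed values.

```python
# Added example, not Radiator's or the poster's code.  Two checks for the
# symptom in the thread: does the outer Access-Accept carry the MS-MPPE key
# VSAs a WPA NAS needs, and what the PEAPv0 EAP-Extensions (type 33) Result
# TLV that must be exchanged inside the tunnel first looks like on the wire.
import struct

VENDOR_SPECIFIC, MICROSOFT = 26, 311             # RFC 2865 VSA, RFC 2548 vendor id
MPPE_SEND_KEY, MPPE_RECV_KEY = 16, 17            # RFC 2548 vendor types
EAP_REQUEST, EAP_RESPONSE, EAP_EXTENSIONS = 1, 2, 33
RESULT_TLV, RESULT_SUCCESS = 3, 1                # PEAPv0 Result TLV type, Success status

# The 20-byte Access-Accept quoted in the post: header and Authenticator, no attributes.
ACCESS_ACCEPT = bytes.fromhex("02860014ebf53ae679852d8a70bb312669d6bc17")

def radius_attrs(pkt):
    """Return [(type, value)]; a VSA's value is expanded to (vendor, vendor_type, data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length %d != %d bytes" % (length, len(pkt)))
    pos, out = 20, []                            # attributes follow the 16-byte Authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        val = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(val) < 6:
                raise ValueError("truncated VSA at offset %d" % pos)
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            val = (vendor, vtype, val[6:4 + vlen])
        out.append((atype, val))
        pos += alen
    return out

def mppe_keys_present(pkt):
    """True only if both MS-MPPE-Send-Key and MS-MPPE-Recv-Key are in the packet."""
    found = {v[1] for t, v in radius_attrs(pkt) if t == VENDOR_SPECIFIC and v[0] == MICROSOFT}
    return {MPPE_SEND_KEY, MPPE_RECV_KEY} <= found

def result_tlv_packet(code, ident, status=RESULT_SUCCESS):
    """EAP packet of type 33 carrying one mandatory (M bit set) Result TLV."""
    tlv = struct.pack("!HHH", 0x8000 | RESULT_TLV, 2, status)
    return struct.pack("!BBHB", code, ident, 5 + len(tlv), EAP_EXTENSIONS) + tlv

def peer_acknowledged_success(eap):
    """True if eap is an EAP-Response/Extensions whose Result TLV reports Success."""
    if len(eap) < 11 or eap[0] != EAP_RESPONSE or eap[4] != EAP_EXTENSIONS:
        return False
    tlv_type, tlv_len, status = struct.unpack("!HHH", eap[5:11])
    return (tlv_type & 0x3fff) == RESULT_TLV and tlv_len == 2 and status == RESULT_SUCCESS
```

Run against the quoted Accept, `mppe_keys_present` is false, which is exactly what the NAS saw; the server's Extensions Request is `result_tlv_packet(EAP_REQUEST, id)` and the peer's echo is what `peer_acknowledged_success` checks.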
