[RADIATOR] EAP-TTLS authentication problem

Wed Dec 10 05:17:52 CST 2014

Hi all,

I have been trying to authenticate my users using EAP-TTLS as outer and
 MSCHAP-V2 as inner authentication. My handlers as following in the
configuration file:

<Handler TunnelledByTTLS=1>
<AuthBy FILE>
        Filename %D/users-eap
    # This tells the TTLS client what types of inner EAP requests
    # we will honour
    EAPType MSCHAP-V2
AddToReply
User-Name=%{User-Name},MS-CHAP-Challenge=%{MS-CHAP-Challenge},MS-CHAP2-Response=%{MS-CHAP2-Response}
</AuthBy>
</Handler>

<Handler Realm=employee>
  <AuthBy FILE>
Filename %D/users-eap
EAPType TTLS
EAPTLS_PrivateKeyPassword whatever
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_MaxFragmentSize 1000
EAPTTLS_NoAckRequired
AutoMPPEKeys
  </AuthBy>
 </Handler>

I connect with my device to the SSID (the AP is an Aruba), and I'm asked to
enter a username and a password. I enter a correct username and password,
and then I see the certificate of the authentication server (the demo
certificate from the goodies). After accepting the certificate in the
device, I get the message "Wrong username or password". However, in the log
it can be seen an "Access-Accept" for that User-Name as following:

Tue Dec  9 09:38:13 2014 000000: DEBUG: Access accepted for bengi at employee
Tue Dec  9 09:38:13 2014 000000: DEBUG: Returned TTLS tunnelled Diameter
Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
Attributes:
User-Name = "bengi at employee"
MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
MS-CHAP2-Response =
Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>

Part of the log regarding to these handlers:

Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump:
>
> *** Received from 217.124.187.81 port 49159 ....
> Packet length = 232
> 01 ec 00 e8 3a da 51 af d9 aa 99 02 4b 23 b1 8b
> e7 67 3b 50 01 10 62 65 6e 67 69 40 65 6d 70 6c
> 6f 79 65 65 04 06 c0 a8 58 f1 05 06 00 00 00 00
> 20 13 39 43 2d 31 43 2d 31 32 2d 43 45 2d 34 31
> 2d 43 43 3d 06 00 00 00 13 1f 13 37 30 3a 33 45
> 3a 41 43 3a 30 39 3a 35 41 3a 31 31 1e 13 39 43
> 3a 31 43 3a 31 32 3a 43 45 3a 34 31 3a 43 43 06
> 06 00 00 00 01 0c 06 00 00 04 4c 4f 15 02 01 00
> 13 01 62 65 6e 67 69 40 65 6d 70 6c 6f 79 65 65
> 1a 15 00 00 39 e7 05 0f 45 6d 70 6c 6f 79 65 65
> 42 65 6e 67 69 1a 19 00 00 39 e7 06 13 39 63 3a
> 31 63 3a 31 32 3a 63 65 3a 34 31 3a 63 63 1a 18
> 00 00 39 e7 0a 12 69 6e 73 74 61 6e 74 2d 43 45
> 3a 34 31 3a 43 43 50 12 c5 30 bf 8e 1c ec 68 2d
> af 8c 28 e7 85 09 37 c4
> Code:       Access-Request
> Identifier: 236
> Authentic:  :<218>Q<175><217><170><153><2>K#<177><139><231>g;P
> Attributes:
> User-Name = "bengi at employee"
> NAS-IP-Address = 192.168.88.241
> NAS-Port = 0
> NAS-Identifier = "9C-1C-12-CE-41-CC"
> NAS-Port-Type = Wireless-IEEE-802-11
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = <2><1><0><19><1>bengi at employee
> Aruba-Essid-Name = "EmployeeBengi"
> Aruba-Location-Id = "9c:1c:12:ce:41:cc"
> Aruba-AP-Group = "instant-CE:41:CC"
> Message-Authenticator =
> <197>0<191><142><28><236>h-<175><140>(<231><133><9>7<196>
> Called-Station-Id = "9C-1C-12-CE-41-CC"
> Calling-Station-Id = "70_3E_AC_09_5A_11"
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling request with Handler
> 'Realm=employee', Identifier ''
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Normal Deleting session for
> bengi at employee, 192.168.88.241, 0
> Tue Dec  9 09:38:13 2014 000000: DEBUG: do query to
> 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with EAP: code 2, 1, 19, 1
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Response type 1
> Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Dec  9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TTLS Challenge
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Access challenged for
> bengi at employee: EAP TTLS Challenge
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump:
> *** Sending to 217.124.187.81 port 49159 ....
> Packet length = 46
> 0b ec 00 2e 11 8a 1f 2d d8 bf 43 9e fa a4 65 32
> 52 2e 71 2e 4f 08 01 02 00 06 15 20 50 12 ca 56
> cb 01 02 57 fb 6a 17 3b f4 72 b9 1e 6b 77
> Code:       Access-Challenge
> Identifier: 236
> Authentic:  <17><138><31>-<216><191>C<158><250><164>e2R.q.
> Attributes:
> EAP-Message = <1><2><0><6><21>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump
>
> ....
....
....

> *** Received from 217.124.187.81 port 49159 ....
> Packet length = 372
> 01 f0 01 74 7c 63 ac b2 a9 c6 0a 59 5f ed 09 d2
> 9d 9e d9 fb 01 10 62 65 6e 67 69 40 65 6d 70 6c
> 6f 79 65 65 04 06 c0 a8 58 f1 05 06 00 00 00 00
> 20 13 39 43 2d 31 43 2d 31 32 2d 43 45 2d 34 31
> 2d 43 43 3d 06 00 00 00 13 1f 13 37 30 3a 33 45
> 3a 41 43 3a 30 39 3a 35 41 3a 31 31 1e 13 39 43
> 3a 31 43 3a 31 32 3a 43 45 3a 34 31 3a 43 43 06
> 06 00 00 00 01 0c 06 00 00 04 4c 4f a1 02 05 00
> 9f 15 80 00 00 00 95 17 03 01 00 90 5e e2 2d ca
> b1 e7 e8 3a 40 8d ed bc 83 fe be de 70 e6 1b b2
> 63 f5 50 40 db 2a 61 55 e9 a1 69 12 ed 50 45 7e
> 50 62 aa b4 bc 60 77 c5 8b a5 fb 74 7a 0e 7b 43
> a1 eb 81 6b fb bc 57 0e ff 3c 0b b6 6a a2 36 2d
> 84 c8 84 b6 bb fb 6f 35 20 44 64 29 96 6a 54 6f
> 72 78 1e 3f 3c 26 57 57 4b d7 b2 7b 06 31 61 5d
> b1 ce 95 14 7d 72 06 03 f0 45 76 31 ac 3f 20 14
> 2d ed 3f aa a0 8e 86 33 09 c6 93 47 14 32 68 5a
> 92 8b d3 ea 34 97 45 1c 66 d8 df a5 1a 15 00 00
> 39 e7 05 0f 45 6d 70 6c 6f 79 65 65 42 65 6e 67
> 69 1a 19 00 00 39 e7 06 13 39 63 3a 31 63 3a 31
> 32 3a 63 65 3a 34 31 3a 63 63 1a 18 00 00 39 e7
> 0a 12 69 6e 73 74 61 6e 74 2d 43 45 3a 34 31 3a
> 43 43 50 12 97 6b fe f0 32 58 33 d6 75 12 7c c0
> 51 ae 74 18
> Code:       Access-Request
> Identifier: 240
> Authentic:  |c<172><178><169><198><10>Y_<237><9><210><157><158><217><251>
> Attributes:
> User-Name = "bengi at employee"
> NAS-IP-Address = 192.168.88.241
> NAS-Port = 0
> NAS-Identifier = "9C-1C-12-CE-41-CC"
> NAS-Port-Type = Wireless-IEEE-802-11
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> <2><5><0><159><21><128><0><0><0><149><23><3><1><0><144>^<226>-<202><177><231><232>:@<141><237><188><131><254><190><222>p<230><27><178>c<245>P@<219>*aU<233><161>i<18><237>PE~Pb<170><180><188>`w<197><139><165><251>tz<14>{C<161><235><129>k<251><188>W<14><255><<11><182>j<162>6-<132><200><132><182><187><251>o5
> Dd)<150>jTorx<30>?<&WWK<215><178>{<6>1a]<177><206><149><20>}r<6><3><240>Ev1<172>?
> <20>-<237>?<170><160><142><134>3<9><198><147>G<20>2hZ<146><139><211><234>4<151>E<28>f<216><223><165>
> Aruba-Essid-Name = "EmployeeBengi"
> Aruba-Location-Id = "9c:1c:12:ce:41:cc"
> Aruba-AP-Group = "instant-CE:41:CC"
> Message-Authenticator = <151>k<254><240>2X3<214>u<18>|<192>Q<174>t<24>
> Called-Station-Id = "9C-1C-12-CE-41-CC"
> Calling-Station-Id = "70_3E_AC_09_5A_11"
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling request with Handler
> 'Realm=employee', Identifier ''
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Normal Deleting session for
> bengi at employee, 192.168.88.241, 0
> Tue Dec  9 09:38:13 2014 000000: DEBUG: do query to
> 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with EAP: code 2, 5, 159,
> 21
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Response type 21
> Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP TTLS data, 3, 5, 4
> Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP TTLS inner authentication
> request for bengi at employee
> Tue Dec  9 09:38:13 2014 000000: DEBUG: TTLS Tunnelled Diameter Packet
> dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
> Attributes:
> User-Name = "bengi at employee"
> MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
> MS-CHAP2-Response =
> Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1', Identifier ''
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Normal Deleting session for
> bengi at employee, 192.168.88.241,
> Tue Dec  9 09:38:13 2014 000000: DEBUG: do query to
> 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Reading users file
> /usr/local/etc/radiator/bengi/databases/users-eap
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Radius::AuthFILE looks for match
> with bengi at employee [bengi at employee]
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Radius::AuthFILE ACCEPT: :
> bengi at employee [bengi at employee]
> Tue Dec  9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Access accepted for bengi at employee
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Returned TTLS tunnelled Diameter
> Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
> Attributes:
> User-Name = "bengi at employee"
> MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
> MS-CHAP2-Response =
> Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
> Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP result: 3, EAP TTLS inner
> authentication redispatched to a Handler
> Tue Dec  9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TTLS inner authentication redispatched to a Handler
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Access challenged for
> bengi at employee: EAP TTLS inner authentication redispatched to a Handler
> Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump:
> *** Sending to 217.124.187.81 port 49159 ....
> Packet length = 199
> 0b f0 00 c7 e4 a4 2d 1f b5 f7 05 82 01 7f ef 4c
> 08 77 26 52 4f a1 01 06 00 9f 15 80 00 00 00 95
> 17 03 01 00 90 3b 61 06 45 54 11 24 e2 ed 1a 59
> a4 b2 19 a5 75 1b 1a 3e 3f 51 02 62 9a 2a 12 40
> da 51 ee 1a 62 51 39 42 20 cd 31 78 07 48 48 11
> ea 23 a5 9c 41 98 9c 27 1c 9e 2e 7f b5 19 00 72
> 99 83 2f 94 f4 1d 3d c6 7c cf 71 e1 85 e0 a8 1d
> b4 97 b2 95 6b fe 8c 4f d0 74 36 e1 23 d8 24 d2
> 99 af 97 3b 30 80 b6 44 22 75 21 1b 0d a8 7f 54
> a2 c5 99 60 3b 17 8e 97 64 a2 e2 60 5d 6d 09 44
> ce b4 81 3e 61 e4 8e 25 c1 4e 9b 46 0d 84 04 a7
> de a2 ef 9d 5d 50 12 86 04 b8 4e 35 6c ec 7a e7
> 7a fb 5e ec 8d 63 f8
> Code:       Access-Challenge
> Identifier: 240
> Authentic:  <228><164>-<31><181><247><5><130><1><127><239>L<8>w&R
> Attributes:
> EAP-Message =
> <1><6><0><159><21><128><0><0><0><149><23><3><1><0><144>;a<6>ET<17>$<226><237><26>Y<164><178><25><165>u<27><26>>?Q<2>b<154>*<18>@<218>Q<238><26>bQ9B
> <205>1x<7>HH<17><234>#<165><156>A<152><156>'<28><158>.<127><181><25><0>r<153><131>/<148><244><29>=<198>|<207>q<225><133><224><168><29><180><151><178><149>k<254><140>O<208>t6<225>#<216>$<210><153><175><151>;0<128><182>D"u!<27><13><168><127>T<162><197><153>`;<23><142><151>d<162><226>`]m<9>D<206><180><129>>a<228><142>%<193>N<155>F<13><132><4><167><222><162><239><157>]
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>

I was wondering if someone can suggest a solution for this case.

Best regards,
Bengi Saglam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20141210/0a230c37/attachment-0001.html 