(RADIATOR) EAP MD5-Challenge faild
Mike McCauley
mikem at open.com.au
Fri Mar 7 17:05:28 CST 2003
Hello Hagen,
thanks for your note.
There are 2 issues here:
1. MD5-Challenge is incompatible with AuthBy SYSTEM. To authenticate an
MD5-Challenge request requires the server to have access to the plaintext
password, and that is not possible with any of the Unix password encryption
schemes. BTW, the State variable is not required for EAP MD5-Challenge
authentication. Its presence or absence is not relevant.
2. We have had other reports that there is a separate problem with the
MD5-Challenge as implemented by the Smartswitch 2200. I will use the data you
have sent to investigate that further. It would be helpfule if you would send
me privately the correct password for the test at test.de user shown in your log
below.
Cheers.
On Sat, 8 Mar 2003 12:13 am, owner-radiator at open.com.au wrote:
> From mikem at server1.open.com.au Fri Mar 7 07:13:49 2003
> Received: from schreiadler.hs-harz.de (schreiadler.hs-harz.de
> [194.95.16.227]) by server1.open.com.au (8.11.6/8.11.0) with ESMTP id
> h27DDm821588 for <radiator at open.com.au>; Fri, 7 Mar 2003 07:13:49 -0600
> Received: from LAPOPP1 ([194.95.16.196]) by schreiadler.hs-harz.de
> (Netscape Messaging Server 3.6) with SMTP id AAA1A4464
> for <radiator at open.com.au>; Fri, 7 Mar 2003 14:13:31 +0100
> From: "Hagen Oppermann" <hoppermann at hs-harz.de>
> To: <radiator at open.com.au>
> Subject: EAP MD5-Challenge faild
> Date: Fri, 7 Mar 2003 14:13:31 +0100
> Message-ID: <IOEELEPNIONEDKAPHHIOEEJGCAAA.hoppermann at hs-harz.de>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
>
> Hi,
> I`m a newbie pertaining radiator and eap (md5-challenge).
>
> We are trying to authenticate(802.1x) users on a Smartswitch 2200 and
> radiator radiusdeamon.
> I'm afraid the problem is the state attribute.
> The server sends an Access-Challenge without a State attribute
> but receives an empty state attribute with the next Access-Request.
>
> ############################################################
> ################### Radius-Log #############################
> ############################################################
>
> Fri Mar 7 13:54:50 2003: DEBUG: Packet dump:
> *** Received from 192.168.14.2 port 10246 ....
>
> Packet length = 89
> 01 0b 00 59 fb 41 00 00 53 42 00 00 41 0f 00 00
> 59 50 00 00 50 12 ba ed c7 01 4d 1d 1a 74 e9 7e
> 55 73 dc b0 7d 66 01 0e 74 65 73 74 40 74 65 73
> 74 2e 64 65 04 06 c0 a8 0e 02 05 06 00 00 00 08
> 4f 13 02 01 00 11 01 74 65 73 74 40 74 65 73 74
> 2e 64 65 0c 06 00 00 03 e8
> Code: Access-Request
> Identifier: 11
> Authentic: <251>A<0><0>SB<0><0>A<15><0><0>YP<0><0>
> Attributes:
> Message-Authenticator =
> <186><237><199><1>M<29><26>t<233>~Us<220><176>}f
> User-Name = "test at test.de"
> NAS-IP-Address = 192.168.14.2
> NAS-Port = 8
> EAP-Message = <2><1><0><17><1>test at test.de
> Framed-MTU = 1000
>
> Fri Mar 7 13:54:50 2003: DEBUG: Handling request with Handler
> 'Realm=test.de'
> Fri Mar 7 13:54:50 2003: DEBUG: Deleting session for test at test.de,
> 192.168.14.2, 8
> Fri Mar 7 13:54:50 2003: DEBUG: Handling with Radius::AuthSYSTEM:
> Fri Mar 7 13:54:50 2003: DEBUG: Handling with EAP: code 2, 1, 17
> Fri Mar 7 13:54:50 2003: DEBUG: Response type 1
> Fri Mar 7 13:54:50 2003: DEBUG: Access challenged for test at test.de: EAP
> MD5-Challenge
> Fri Mar 7 13:54:50 2003: DEBUG: Packet dump:
> *** Sending to 192.168.14.2 port 10246 ....
>
> Packet length = 68
> 0b 0b 00 44 f8 61 04 87 26 01 46 2d a0 66 49 75
> e9 23 34 55 4f 1e 01 02 00 1c 04 10 b0 73 84 f5
> 19 c6 44 64 43 e0 82 13 84 99 8e 30 72 61 64 69
> 75 73 50 12 31 68 cd 85 28 73 a0 e6 1a 03 c2 4b
> 89 09 ea bc
> Code: Access-Challenge
> Identifier: 11
> Authentic: <251>A<0><0>SB<0><0>A<15><0><0>YP<0><0>
> Attributes:
> EAP-Message =
> <1><2><0><28><4><16><176>s<132><245><25><198>DdC<224><130><19><132><153><14
>2
>
> >0radius
>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Mar 7 13:54:50 2003: DEBUG: Packet dump:
> *** Received from 192.168.14.2 port 10246 ....
>
> Packet length = 108
> 01 0c 00 6c 0f 26 00 00 e3 79 00 00 16 2a 00 00
> 06 05 00 00 50 12 bd ef 22 42 62 50 ae 3e ff 8e
> e5 39 08 df 00 68 01 0e 74 65 73 74 40 74 65 73
> 74 2e 64 65 18 02 04 06 c0 a8 0e 02 05 06 00 00
> 00 08 0c 06 00 00 03 e8 4f 24 02 02 00 22 04 10
> 7a 17 d6 1c 03 52 57 42 6d a7 0e 26 24 5d b1 3e
> 74 65 73 74 40 74 65 73 74 2e 64 65
> Code: Access-Request
> Identifier: 12
> Authentic: <15>&<0><0><227>y<0><0><22>*<0><0><6><5><0><0>
> Attributes:
> Message-Authenticator =
> <189><239>"BbP<174>><255><142><229>9<8><223><0>h
> User-Name = "test at test.de"
> State = ""
> NAS-IP-Address = 192.168.14.2
> NAS-Port = 8
> Framed-MTU = 1000
> EAP-Message =
> <2><2><0>"<4><16>z<23><214><28><3>RWBm<167><14>&$]<177>>test at test.de
>
> Fri Mar 7 13:54:51 2003: DEBUG: Handling request with Handler
> 'Realm=test.de'
> Fri Mar 7 13:54:51 2003: DEBUG: Deleting session for test at test.de,
> 192.168.14.2, 8
> Fri Mar 7 13:54:51 2003: DEBUG: Handling with Radius::AuthSYSTEM:
> Fri Mar 7 13:54:51 2003: DEBUG: Handling with EAP: code 2, 2, 34
> Fri Mar 7 13:54:51 2003: DEBUG: Response type 4
> Fri Mar 7 13:54:51 2003: DEBUG: getpwnam got test at test.de,
> $1$e70DdlyY$D94fe5cwqH2wFAmp.RO7d1, 502, 502, , , , /home/test at test.de,
> /bin/bash,
> Fri Mar 7 13:54:51 2003: DEBUG: Radius::AuthSYSTEM looks for match with
> test at test.de
> Fri Mar 7 13:54:51 2003: DEBUG: Radius::AuthSYSTEM ACCEPT:
> Fri Mar 7 13:54:51 2003: INFO: Access rejected for test at test.de: EAP
> MD5-Challenge failed
> Fri Mar 7 13:54:51 2003: DEBUG: Packet dump:
> *** Sending to 192.168.14.2 port 10246 ....
>
> Packet length = 60
> 03 0c 00 3c 98 fc c1 c7 4e 7c 77 2a e0 a5 43 13
> bf e5 3d 49 4f 06 04 02 00 04 50 12 6c 39 1b a8
> 71 90 25 c0 91 d9 77 e0 dd d0 9b 74 12 10 52 65
> 71 75 65 73 74 20 44 65 6e 69 65 64
> Code: Access-Reject
> Identifier: 12
> Authentic: <15>&<0><0><227>y<0><0><22>*<0><0><6><5><0><0>
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> ############################################################
> ###################### radius.cfg ##########################
> ############################################################
>
> #Foreground
> #LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client 192.168.14.2>
> Secret wichtig
> </Client>
>
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Realm test.de>
> <AuthBy SYSTEM>
> EAPType MD5
> </AuthBy>
> </Realm>
>
> <Realm DEFAULT>
> <AuthBy FILE>
> Filename %D/users
> </AuthBy>
> # Log accounting to a detail file
> AcctLogFileName %L/detail
> </Realm>
> #########################################################
>
> Hope anyone finds the time and can help me with a short notice.
>
>
> Mit freundlichen Grüßen / Best regards
> Hagen Oppermann
>
> Hochschule Harz
> University of Applied Studies and Research
> Hochschulrechenzentrum
> Friedrichstraße 57-59
> 38855 Wernigerode
> Deutschland / Germany
>
> Tel : +49 3943 659 908
> Fax : +49 3943 659 950
> E-mail: hoppermann at hs-harz.de
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list