(RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9

Terry Simons galimore at mac.com
Fri Jul 16 11:45:06 CDT 2004


Hi Scott, Mike, Hugh.  ;-)

I'd like to suggest that perhaps it is less than favorable to turn off 
server certificate validation in a production environment because it 
basically allows Man in The Middle attacks to be carried out on users 
in a fashion that a user wouldn't even realize what was going on.

A better solution than purchasing a certificate might be to run your 
own CA and create your own certificates.  In fact, this is a much 
better and more secure solution than even using somebody like Verisign.

If you were running a Verisign CA signed server certificate for 802.1X 
authentication, I could also request a Verisign server certificate, and 
hand it to your user to pull off a Man in the Middle attack.  Because 
your client is going to verify Verisign (because that's what your 
certificate was signed against), they will also allow my server 
certificate (which was also signed by Verisign).  This is a bad idea in 
general, and should probably be avoided.

If you use a private CA to sign your server and client certificates, 
the attacker is not going to be able to produce certificates signed by 
that CA, so they will have a much harder time pulling off a Man in the 
Middle attack.

Anyway, I'm not trying to tell you what to do, but there are 
implications to consider when dealing with 802.1X and ensuring the 
security of your users, and unfortunately the brunt of the work falls 
on the administrator, especially when dealing with certificates.  :-)

Cheers,

- Terry

On Jul 16, 2004, at 4:59 AM, Scott Xiao - ANTlabs wrote:

> Thanks Hugh, yes, it's one option; the other one I think is, I need to let
> the customer purchase an official certificate for the Radius server from,
> maybe, Verisign, for the convenience of wlan users because it will not be
> very secure without "validate server certificate" comparatively anyway.
> Thanks,Hugh and Mike!
> Scott
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, July 16, 2004 4:07 PM
> To: scottxiao at antlabs.com
> Cc: radiator at open.com.au; Mike McCauley
> Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not 
> permitted:
> problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco 
> arionet1100
> AP and Radiator 3.9
>
>
>
> Hello Scott -
>
> If the authentication succeeds without "validate server certificate" on
> XP then that is what you should tell your users to do.
>
> regards
>
> Hugh
>
>
> On 16 Jul 2004, at 16:29, Scott Xiao - ANTlabs wrote:
>
>> Hi,
>> In the config file, I changed back my EAPtype as before and now
>> authentication succeeded. So what Mike suggested, to comment out REALM
>> DEFAULT, is the key point to resolve the problem (Desired EAP type 25 not
>> permitted), thanks!!
>> My other question as I asked before is, now I disabled "validate server
>> certificate" on the client, how can I let the authentication pass without
>> requiring the XP client to install any specific certificate? Thanks.
>> Cheers
>> Scott
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
>> Behalf Of Scott Xiao - ANTlabs
>> Sent: Friday, July 16, 2004 11:06 AM
>> To: radiator at open.com.au
>> Cc: Hugh Irvine; Mike McCauley
>> Subject: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted:
>> problem
>> with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100
>> AP and
>> Radiator 3.9
>>
>>
>> Hi, thanks to Mike and Hugh for the advice! ...but I still got the same
>> problem....
>> I have modified the configuration file according to your advice:
>> 1. comment out the <Realm DEFAULT>
>> 2. change EAPType to PEAP round the other way with MSCHAP-V2
>> Below is the updated config file. But when I try to authenticate after
>> restarting the service, it still gives me the error "Access rejected for
>> idatesta: Desired EAP type 25 not permitted". See the log below after the
>> config file in the email please. What is the problem? For inner
>> authentication, do I have to use defuser instead of mySQL?
>> Thanks for the reminder of the maillist; actually I believe I have been
>> in the mail list for 2 days, I received a lot of email from other
>> subscribers regarding their questions.
>> Please advise, thanks!
>> Rgds
>> Scott
>>
>> config file mysql-peap.cfg  (running with /usr/bin/perl
>> /usr/bin/radiusd -config_file /etc/radiator/mysql-peap.cfg)
>> ........
>>
>> <Handler TunnelledByPEAP=1>
>>
>>         RewriteUsername s/(.*)\\(.*)/$2/
>>
>> #<Realm DEFAULT>
>>
>>     AuthByPolicy ContinueWhileAccept
>>    <AuthBy SQL>
>>         DBSource        dbi:mysql:idausrdb
>>         DBUsername
>>         DBAuth
>>         AcctColumnDef   USERNAME,User-Name
>>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>         AcctColumnDef   NASPORT,NAS-Port,integer
>> #       EAPType MSCHAP-V2
>>         EAPType PEAP
>>     </AuthBy>
>>
>> #</Realm>
>>
>> </Handler>
>>
>> <Handler>
>>
>>    <AuthBy SQL>
>>         DBSource        dbi:mysql:idausrdb
>>         DBUsername
>>         DBAuth
>>         AcctColumnDef   USERNAME,User-Name
>>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>         AcctColumnDef   NASPORT,NAS-Port,integer
>>
>>    #    EAPType PEAP
>>         EAPType MSCHAP-V2
>>
>>        </AuthBy>
>> </Handler>
>>
>>
>> The log file:
>> [root at FC radius]# tail -50 logfile | more
>> Fri Jul 16 00:51:27 2004: DEBUG: Response type 3
>> Fri Jul 16 00:51:27 2004: INFO: EAP Nak desires type 25
>> Fri Jul 16 00:51:27 2004: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
>> Fri Jul 16 00:51:27 2004: INFO: Access rejected for idatesta: Desired EAP type 25 not permitted
>> Fri Jul 16 00:51:27 2004: DEBUG: Packet dump:
>> *** Sending to 192.168.123.9 port 1647 ....
>> Code:       Access-Reject
>> Identifier: 18
>> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>> Attributes:
>>         Reply-Message = "Request Denied"
>>         Proxy-State = 181
>>
>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>> *** Received from 192.168.123.9 port 1647 ....
>> Code:       Access-Request
>> Identifier: 19
>> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>> Attributes:
>>         User-Name = "idatesta"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "000f.34db.6690"
>>         Calling-Station-Id = "000c.f108.37bf"
>>         Message-Authenticator =
>> Do<15><183>1<131>Q<23>e<19><168><162><254>Ns<245>
>>         EAP-Message = <2><1><0><13><1>idatesta
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Port = 419
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 10.0.0.1
>>         NAS-Identifier = "ps-ap"
>>         Proxy-State = 182
>>
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling request with Handler ''
>> Fri Jul 16 00:51:39 2004: DEBUG:  Deleting session for idatesta,
>> 10.0.0.1,
>> 419
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL:
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with EAP: code 2, 1, 13
>> Fri Jul 16 00:51:39 2004: DEBUG: Response type 1
>> Fri Jul 16 00:51:39 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
>> Fri Jul 16 00:51:39 2004: DEBUG: Access challenged for idatesta: EAP
>> MSCHAP-V2 Challenge
>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>> -----Original Message-----
>> From: Mike McCauley [mailto:mikem at open.com.au]
>> Sent: Friday, July 16, 2004 6:42 AM
>> To: Scott Xiao - ANTlabs
>> Cc: Hugh Irvine
>> Subject: Re: (Radiator)Desired EAP type 25 not permitted: problem with
>> my
>> 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and
>> Radiator
>> 3.9
>>
>>
>> Hello Scott,
>>
>> Your email was identified as spam by my spamassassin, mostly due to
>> html content. It's lucky I got to see it. Please don't use HTML.
>>
>> BTW, it would be better if you address any future technical questions
>> you
>> might have to the Radiator mailing list. That way others can learn
>> from the question and answer, and possibly contribute in areas
>> where I am not expert. Also, we have other staff on the mailing list
>> who can respond when I am not available.
>>
>> You can join the Radiator mailing list by sending email with the
>> single word subscribe in the body (not in the subject line) to
>> radiator-request at open.com.au
>> There is an archive at http://www.open.com.au/archives/radiator/
>>
>> If you require a guaranteed response to your questions, you should
>> consider
>> a support contract, see http://www.open.com.au/support.html
>>
>> The problem you report is due to the fact that you have your EAP types
>> around
>> the wrong way, in that the Handler which handles the inner request is
>> type
>> PEAP, and the Realm is type MSCHAP-V2. They should be round the other
>> way.
>> Also you have a Realm DEFAULT which will get all requests, including
>> the
>> inner. You should use <Handler> instead of <Realm DEFAULT>. Mixing
>> Realms
>> and
>> Handlers is generally a bad idea.
>>
>> Cheers.
>>
>>
>>
>>
>> On Thu, 15 Jul 2004 09:52 pm, you wrote:
>>> Spam detection software, running on the system "server1.open.com.au",
>>> has
>>> identified this incoming email as possible spam.  The original 
>>> message
>>> has been attached to this so you can view it (if it isn't spam) or
>>> block
>>> similar future email.  If you have any questions, see
>>> postmaster at open.com.au for details.
>>>
>>> Content preview:  Hi,Mike, Can you advise?Thanks! Scott
>>>
>>> Content analysis details:   (5.3 points, 5.0 required)
>>>
>>>  pts rule name              description
>>> ---- ---------------------- --------------------------------------------------
>>>  0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
>>>  0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
>>>  0.2 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>>>  0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>  0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text
>>>  1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
>>>                             [203.125.41.199 listed in dnsbl.sorbs.net]
>>>  0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
>>>                             [203.125.41.199 listed in dnsbl.sorbs.net]
>>>  0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
>>>                             [203.125.41.199 listed in dnsbl.njabl.org]
>>>  1.1 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
>>>                             [<http://dsbl.org/listing?ip=203.125.41.199>]
>>>  1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>>                             [203.125.41.199 listed in dnsbl.njabl.org]
>>>
>>> The original message was not completely plain text, and may be unsafe
>>> to
>>> open with some email clients; in particular, it may contain a virus,
>>> or confirm that your address can receive spam.  If you wish to view
>>> it, it may be safer to save it to a file and open it with an editor.
>>
>> --
>> Mike McCauley                               mikem at open.com.au
>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, 
>> WWW
>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> http://www.open.com.au
>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, 
>> TLS,
>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>

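The layout Mike prescribes (PEAP in the outer Handler, MSCHAP-V2 in the TunnelledByPEAP Handler, a plain <Handler> in place of <Realm DEFAULT>) combined with Terry's private-CA server certificate, written here as an added example rather than the config Scott posted. The certificate paths and database credentials are placeholders, and the EAPTLS_* parameter names are assumed to follow Radiator's standard PEAP configuration.

```apacheconf
# Corrected PEAP / MSCHAP-V2 layout for mysql-peap.cfg (added example).
# Radiator tries Handlers in order, so the tunnelled handler must come
# first; the catch-all <Handler> at the end replaces <Realm DEFAULT>.

# Inner request: the MSCHAP-V2 exchange carried inside the PEAP tunnel.
<Handler TunnelledByPEAP=1>
    # Strip a DOMAIN\ prefix so the lookup key matches the SQL user table
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy SQL>
        DBSource   dbi:mysql:idausrdb
        DBUsername DB_USER_PLACEHOLDER
        DBAuth     DB_PASSWORD_PLACEHOLDER
        # MSCHAP-V2 can only be verified against a plaintext or NT-hashed
        # password, so the PASSWORD column must hold one of those.
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer request from the access point: terminate the PEAP TLS tunnel here.
# Accounting AcctColumnDef lines from the posted file belong in this clause.
<Handler>
    <AuthBy SQL>
        DBSource   dbi:mysql:idausrdb
        DBUsername DB_USER_PLACEHOLDER
        DBAuth     DB_PASSWORD_PLACEHOLDER
        EAPType PEAP
        # Server certificate issued by your own private CA (Terry's point):
        # a client that validates only against this CA rejects any server
        # certificate from a public CA, however legitimately it was bought.
        EAPTLS_CAFile             /etc/radiator/certificates/private-ca.pem
        EAPTLS_CertificateFile    /etc/radiator/certificates/radius-server.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     /etc/radiator/certificates/radius-server.key
        EAPTLS_PrivateKeyPassword KEY_PASSWORD_PLACEHOLDER
    </AuthBy>
</Handler>
```

The XP client then needs only the private-ca.pem root installed and "validate server certificate" re-enabled with that CA selected, which is what the thread was trying to avoid but is the setting that actually defeats the rogue-server case Terry describes.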

