(RADIATOR) Problems in PEAP ms-chap-v2 authentication
Hugh Irvine
hugh at open.com.au
Sun Jun 27 03:05:59 CDT 2004
Hello Paulo -
Thanks for sending the configuration file and debug.
The debug trace shows that the inner request is being handled by a
different Handler than the one you show below, and the AuthBy in that
other Handler does not have the EAPType defined.
regards
Hugh
On 26 Jun 2004, at 00:13, Paulo Valverde Costa wrote:
> Hi
>
> I am testing different eap methods, and I have successfully tested:
> eap-tls
>
> But, I have problems testing peap (ms-chap-v2).
>
> (see log file below).
>
> Any ideas how to resolve this?
>
>
>
> My radiator configuration is:
>
> -----------------------------------------------------------------------------------
>
> <Handler Realm=/ci.uminho.pt$/>
>     Description Autentica Alunos - CIUM
>     RejectHasReason
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy LDAP2>
>         AutoMPPEKeys
>         AuthDN cn=ambrosio,ou=funcionarios,dc=ci,dc=uminho,dc=pt
>         AuthPassword xxxxxx
>         BaseDN ou=alunos, dc=ci,dc=uminho,dc=pt
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         Description Autenticador por LDAP
>         EAPTLS_CAFile /etc/radiator/certs/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_MaxFragmentSize 1024
>         EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPType PEAP,MSCHAP-V2, TTLS
>         Host xxx.yyy.zzz.www
>         AuthAttrDef Title, Class, reply
>         AddToReply Tunnel-Type = VLAN, Tunnel-Medium-Type = Ether_802
>         AuthAttrDef Company, Tunnel-Private-Group-ID, reply
>         Port 389
>     </AuthBy>
> </Handler>
>
>
>
> -------------------------------------------------------------------------------------
>
>
>
> Fri Jun 25 14:40:03 2004: DEBUG: Packet dump:
> *** Received from 172.16.45.65 port 21807 ....
>
> Packet length = 158
> Code: Access-Request
> Identifier: 152
> Authentic: <183>Q1<142><C<158>!<180><182><173>C<156>\(<12>
> Attributes:
> User-Name = "user1 at teste.uminho.pt"
> Framed-MTU = 1400
> Called-Station-Id = "000e.d7cd.e5e0"
> Calling-Station-Id = "000b.beae.f458"
> Service-Type = Authenticate-Only
> Message-Authenticator = e<232>X<181><203><182><250><214><26><144>.<31>g<174>B<193>
> EAP-Message = <2><139><0><29><25><0><23><3><1><0><18><235><203>w<183><181><182><209><201>y<175>/<233><230><149>^<204><164><174>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 1239
> NAS-IP-Address = 172.16.45.65
> NAS-Identifier = "ap"
>
> Fri Jun 25 14:40:03 2004: DEBUG: Handling request with Handler 'Realm=/uminho.pt$/'
> Fri Jun 25 14:40:03 2004: DEBUG: Deleting session for user1 at teste.uminho.pt, 172.16.45.65, 1239
> Fri Jun 25 14:40:03 2004: DEBUG: Handling with Radius::AuthLDAP2: ldapauth
> Fri Jun 25 14:40:03 2004: DEBUG: Handling with EAP: code 2, 139, 29
> Fri Jun 25 14:40:03 2004: DEBUG: Response type 25
> Fri Jun 25 14:40:03 2004: DEBUG: EAP PEAP inner authentication request for anonymous
> Fri Jun 25 14:40:03 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: *<235><188><183><171><129><159> <5>h<182><191>wk<215><158>
> Attributes:
> EAP-Message = <2><139><0><2><3><26>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 172.16.45.65
> NAS-Identifier = "ap"
> NAS-Port = 1239
> Calling-Station-Id = "000b.beae.f458"
>
> Fri Jun 25 14:40:03 2004: DEBUG: Handling request with Handler 'Realm=""'
> Fri Jun 25 14:40:03 2004: DEBUG: Deleting session for , 172.16.45.65, 1239
> Fri Jun 25 14:40:03 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Jun 25 14:40:03 2004: DEBUG: Handling with EAP: code 2, 139, 2
> Fri Jun 25 14:40:03 2004: DEBUG: Response type 3
> Fri Jun 25 14:40:03 2004: INFO: EAP Nak desires type 26
> Fri Jun 25 14:40:03 2004: DEBUG: EAP result: 1, Desired EAP type 26 not permitted
> Fri Jun 25 14:40:03 2004: INFO: Access rejected for anonymous: Desired EAP type 26 not permitted
> Fri Jun 25 14:40:03 2004: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Fri Jun 25 14:40:03 2004: DEBUG: Access challenged for user1 at teste.uminho.pt: EAP PEAP inner authentication redespatched to a Handler
>
>
> best regards,
> paulo
>
>
> ----------------------------------------------------------------------------
> Paulo J. Valverde V. Costa
> Serviço de Comunicações - Campus de Gualtar - Universidade do Minho
> 4710-057 Braga, PORTUGAL
> Tel.: + 351 253 604023; Fax: + 351 253 604021
> e-mail: pcosta at ccom.uminho.pt
> http://www.ccom.uminho.pt
>
> ----------------------------------------------------------------------------
> "For it is far better to know something about everything
> than to know all about one thing. This universality is the best."
> Blaise Pascal (1623-1662); French scientist and philosopher.
> ----------------------------------------------------------------------------
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
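For readers hitting the same trace, here is an added illustration (not the poster's configuration and not from the Radiator distribution) of the two-Handler layout Hugh's diagnosis implies: the outer Handler only needs PEAP, and the Handler that catches the redespatched inner request must itself declare MSCHAP-V2. It assumes a Radiator version that supports the TunnelledByPEAP Handler check and a hypothetical users file %D/users; on versions without that check, a Handler matching the inner identity's realm serves the same purpose.

```apacheconf
# Outer Handler: terminates the PEAP TLS tunnel for the realm.
# Only the parts relevant to the EAP negotiation are shown; the
# LDAP and certificate settings stay as in the poster's config.
<Handler Realm=/ci.uminho.pt$/>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy LDAP2>
        # EAPTLS_* and LDAP settings as in the original Handler
        EAPType PEAP
    </AuthBy>
</Handler>

# Inner Handler: receives the request Radiator redespatches from
# inside the tunnel. In the trace this fell through to the catch-all
# Handler 'Realm=""', whose AuthBy FILE had no EAPType, so the
# client's Nak asking for type 26 was refused ("Desired EAP type 26
# not permitted"). Declaring MSCHAP-V2 here is what the inner leg needs.
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        # hypothetical users file; MSCHAP-V2 needs a plaintext
        # (or NT-hashed) password available to this inner AuthBy
        Filename %D/users
        EAPType MSCHAP-V2
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With this split, a trace 4 debug of the inner request should show it "Handling request with Handler 'TunnelledByPEAP=1'" followed by "Response type 26" rather than the Nak and reject seen above.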