(RADIATOR) PEAP and Filter-ID

Berndt Sevcik berndt.sevcik at tgm.ac.at
Thu Jan 20 03:00:35 CST 2005


Thanks for the information. We are using TTLS for our Apple clients.
The Windows clients are using PEAP. The problem is that a PEAP option
is available on the Mac but it is not working.

When I look at the debug, I get an Access-Accept message:
*** Sending to 10.3.4.5 port 1347 ....
Code:       Access-Accept
Identifier: 209
Authentic:  ?{<0><0>F"<0><0><25>x<0><0><187><21><0><0>
Attributes:
         Filter-Id = "Enterasys:version=1:policy=ITS"
         EAP-Message = <3><9><0><4>
         Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
         MS-MPPE-Send-Key = "<167>93JbD<11>
<22><13><170><243>d<161><7><7>8)<233><240>J<227><223><179>)Q6<20>ENd<253 
 ><206><136><191><163>b<189>Q<155>4><155>$<10><161><15><234>z1"
         MS-MPPE-Recv-Key =
"<135><228><213><238>[<24><220>3BT<2><7>N<199><248>fNV<0><243>=<160>r<22 
2>'<25><242>buD<18><133><189><154>F<143><174><203><253><211><15><154><18 
1>3<10><229><198>}<208>:"

But the communication is not working. It looks like the Apple
client is not accepting the key. The configuration works with the
Windows supplicant and PEAP without problems. We are using Mac OS X
version 10.3.7.

That's the output from the debug:

Does anyone have an idea about it? Is anyone using Mac OS and PEAP? Does anyone
have tips for the config?

Thanks
Berndt

Here is the latest version of my config:
<AuthBy FILE>
     Identifier OUTERAuthentication
     Filename %D/users
     EAPType PEAP,TTLS
     EAPTLS_CAFile %D/certificates/cacert.pem
     EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
     EAPTLS_CertificateType PEM
     EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
     EAPTLS_PrivateKeyPassword whatever
     EAPTLS_MaxFragmentSize 1000
     AutoMPPEKeys
</AuthBy>

<Handler TunnelledByPEAP=1>
     <AuthBy LDAP2>
         RewriteUsername s/(.*)\\(.*)/$2/
         Identifier      LDAPPEAPAuthentication
         RcryptKey       2lisNjsRp8sfWLa
         Host            10.2.4.22
         AuthDN          cn=admin,dc=tgm,dc=ac,dc=at
         AuthPassword    sUpp.rT
         BaseDN          dc=tgm,dc=ac,dc=at
         UsernameAttr    uid
         PasswordAttr    rcryptPassword
         AuthAttrDef     radiusAuthType,GENERIC,check
         ReplyAttr       radiusReplyItem
         # Debug 255
         EAPType MSCHAP-V2
     </AuthBy>
</Handler>

<Handler>
     RewriteUsername s/(.*)\\(.*)/$2/
     AuthBy OUTERAuthentication
     # PostProcessingHook file:"/root/Radiator-3.11/goodies/ttls-berndt.pl"
     # AddToReply Filter-Id = Enterasys:version=1:policy=ITS
</Handler>

On 20.01.2005 at 02:16, Mike McCauley wrote:

> Hello Berndt,
>
> the problem here is that (at present) reply attributes are not copied from the
> inner to the outer request in the case of TTLS-MSCHAPv2.
> This is because the MSCHAPv2 usually requires any inner reply attributes, and
> they should not be propagated to the outer request. All other types of inner
> request will result in inner reply attributes being copied to the outer
> reply.
>
> Are you able to use anything other than MSCHAPv2 inside your TTLS?
>
> Cheers.
>
>
> On Thursday 20 January 2005 00:44, Berndt Sevcik wrote:
>> A small addendum to my last mail:
>>
>> I tried it with two different authentication mechanisms:
>>   PEAP - is working
>>   TTLS - is not working
>>
>> Sorry for the error.
>>
>> Does anyone have an idea for TTLS?
>>
>> Regards
>> Berndt
>>
>> On Wed, 19.01.2005 at 8:48, Hugh Irvine wrote:
>>> Hello Berndt -
>>>
>>> Have you installed all the latest patches?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>> On 19 Jan 2005, at 18:15, Berndt Sevcik wrote:
>>>> I am already using the latest version of Radiator (3.11).
>>>>
>>>> Berndt
>>>>
>>>> On 19.01.2005 at 00:51, Hugh Irvine wrote:
>>>>> Hello Berndt -
>>>>>
>>>>> There is only one Access-Accept returned to the access point.
>>>>>
>>>>> The first Access-Accept is dealt with inside Radiator and causes an
>>>>> Access-Challenge to be sent to the NAS to complete the MS-CHAP
>>>>> authentication.
>>>>>
>>>>> Can you please tell me what version of Radiator you are using? The
>>>>> latest version is Radiator 3.11 plus patches.
>>>>>
>>>>> Please try the latest version and let me know how you get on.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>> On 19 Jan 2005, at 05:16, Berndt Sevcik wrote:
>>>>>> I configured 802.1x authentication with PEAP. Why do I get two
>>>>>> Access-Accept messages?
>>>>>>
>>>>>> I also added with AddToReply an attribute to the answer message
>>>>>> (Filter-Id = "Enterasys:version=1:policy=ITS") which is included in the
>>>>>> first Access-Accept message. Which message is investigated by the access
>>>>>> point? When the last one is interpreted by the access point, how can I
>>>>>> assign the Filter-ID attribute also to this one?
>>>>>>
>>>>>> I also attached my config at the end.
>>>>>>
>>>>>> Thanks
>>>>>> Berndt
>>>>>>
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG:  Deleting session for berndt.sevcik, 10.3.4.5,
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>> Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
>>>>>> Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server 10.2.4.22:389)
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword: {rcrypt}xxxx
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match with berndt.sevcik
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
>>>>>> Code:       Access-Accept
>>>>>> Identifier: UNDEF
>>>>>> Authentic:
>>>>>> <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
>>>>>> Attributes:
>>>>>>         MS-CHAP2-Success =
>>>>>> "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
>>>>>>         MS-MPPE-Send-Key =
>>>>>> "<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<13 
>>>>>> 6><
>>>>>> 166>q<253>hS}<155>B<234><243><147><210><147>&<128>"
>>>>>>         MS-MPPE-Recv-Key =
>>>>>> "<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><1 
>>>>>> 97>
>>>>>> <222><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
>>>>>>         Filter-Id = "Enterasys:version=1:policy=ITS"
>>>>>>
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner authentication challenged
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik: EAP TTLS Inner authentication challenged
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>>>>> *** Sending to 10.3.4.5 port 1046 ....
>>>>>> Code:       Access-Challenge
>>>>>> Identifier: 112
>>>>>> Authentic:  p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
>>>>>> Attributes:
>>>>>>         EAP-Message =
>>>>>>         Message-Authenticator =
>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>>>>> *** Received from 10.3.4.5 port 1046 ....
>>>>>> Code:       Access-Request
>>>>>> Identifier: 113
>>>>>> Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
>>>>>> Attributes:
>>>>>>         Message-Authenticator = &{<137>o<187>Dl  
>>>>>> <197><235>o7<25>G<8>#
>>>>>>         User-Name = "berndt.sevcik"
>>>>>>         State = ""
>>>>>>         NAS-IP-Address = 10.3.4.5
>>>>>>         NAS-Port = 2
>>>>>>         NAS-Port-Type = Wireless-IEEE-802-11
>>>>>>         Calling-Station-Id = "00-0d-93-89-cc-6f"
>>>>>>         Framed-MTU = 1000
>>>>>>         EAP-Message = <2><7><0><6><21><0>
>>>>>>
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG:  Deleting session for berndt.sevcik, 10.3.4.5, 2
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>>>>> *** Sending to 10.3.4.5 port 1046 ....
>>>>>> Code:       Access-Accept
>>>>>> Identifier: 113
>>>>>> Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
>>>>>> Attributes:
>>>>>>         MS-MPPE-Send-Key =
>>>>>> "<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<20 
>>>>>> 0><
>>>>>> 220>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><21 
>>>>>> 0>I
>>>>>> s<169><150><175>Kp#<201><236><151>W"
>>>>>>         MS-MPPE-Recv-Key =
>>>>>> "<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<15 
>>>>>> 1>Q
>>>>>> H<237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-
>>>>>> <190><7><222><19><31>k<<223>&<199>"
>>>>>>         EAP-Message = <3><7><0><4>
>>>>>>         Message-Authenticator =
>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>
>>>>>> My config:
>>>>>>
>>>>>> # Foreground
>>>>>> LogStdout
>>>>>> LogDir          /var/log/radiator
>>>>>> LogFile         %L/radiator.log
>>>>>>
>>>>>> DbDir           /etc/radiator
>>>>>> PidFile         /var/run/radiusd.pid
>>>>>> Trace           4
>>>>>>
>>>>>> AuthPort 1645
>>>>>> AcctPort 1646
>>>>>>
>>>>>> <Client 10.3.4.5>
>>>>>>         Secret  secret
>>>>>>         Identifier IntegerVLANTag
>>>>>> </Client>
>>>>>>
>>>>>> <Handler Client-Identifier = IntegerVLANTag>
>>>>>>     <AuthBy LDAP2>
>>>>>>         EAPType PEAP,TTLS
>>>>>>         EAPTLS_CAFile %D/certificates/cacert.pem
>>>>>>         EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
>>>>>>         EAPTLS_CertificateType PEM
>>>>>>         EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
>>>>>>         EAPTLS_PrivateKeyPassword whatever
>>>>>>         EAPTLS_MaxFragmentSize 1000
>>>>>>         AutoMPPEKeys
>>>>>>         #RewriteUsername s/(.*)\\(.*)/$2/
>>>>>>         RcryptKey   whatever
>>>>>>         Host                10.2.4.22
>>>>>>         AuthDN              cn=admin,dc=tgm,dc=ac,dc=at
>>>>>>         AuthPassword        whatever
>>>>>>         BaseDN              dc=tgm,dc=ac,dc=at
>>>>>>         UsernameAttr        uid
>>>>>>         PasswordAttr        rcryptPassword
>>>>>>         AuthAttrDef         radiusAuthType,GENERIC,check
>>>>>>         #ReplyAttr       radiusReplyItem
>>>>>>         Debug 255
>>>>>>         AddToReply Filter-Id = Enterasys:version=1:policy=ITS
>>>>>>     </AuthBy>
>>>>>>     # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>>>>>> </Handler>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive
>>>>> (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>>
>>>>> --
>>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>>> server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical,  
>>>>> extensible,
>>>>> flexible with hardware, software, platform and database  
>>>>> independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like  
>>>>> systems.
>>>>
>>>>  -----------------------------------------
>>>>  TGM - Die Schule der Technik
>>>>  IT-Service
>>>>  A-1200 Wien, Wexstr. 19-23
>>>>  Tel. +43(1)33126/316 Fax: +43(1)33126/154
>>>>  E-Mail: berndt.sevcik at tgm.ac.at
>>>>  -----------------------------------------
>>>>
>>>
>>
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia    
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>
>

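A small check for the symptom discussed in this thread, added here and not part of the original mails or of Radiator itself: it parses a trace 4 packet dump (a constructed excerpt with placeholder key material is embedded) and reports reply attributes that appear in the inner, tunnelled Access-Accept but never reach the outer Access-Accept sent to the NAS, which is exactly why the Filter-Id policy was not applied.

```python
import re

# Constructed excerpt modelled on the trace 4 output in this thread (key material
# replaced by a placeholder): inner Accept has Filter-Id, the outer one does not.
SAMPLE_TRACE = """\
Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Attributes:
        Filter-Id = "Enterasys:version=1:policy=ITS"

Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Accept
Attributes:
        MS-MPPE-Send-Key = "<placeholder>"
        EAP-Message = <3><7><0><4>
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_packets(trace):
    """Packets as dicts; scope is 'inner' (tunnelled EAP), 'outer' (sent to NAS) or 'request'."""
    packets, scope, current = [], None, None
    for line in trace.splitlines():
        if 'tunnelled' in line:
            scope = 'inner'
        elif line.startswith('*** Sending to'):
            scope = 'outer'
        elif line.startswith('*** Received from'):
            scope = 'request'
        code = re.match(r'^Code:\s+(\S+)', line)
        attr = ATTR_RE.match(line)
        if code:
            current = {'scope': scope, 'code': code.group(1), 'attrs': {}}
            packets.append(current)
        elif attr and current is not None:
            # long values wrapped onto later lines are cut off; the name is what matters here
            current['attrs'][attr.group(1)] = attr.group(2).strip().strip('"')
        elif not line.strip():
            current = None  # a blank line ends the packet dump
    return packets

def not_propagated(packets, attr='Filter-Id'):
    """Values of attr in an inner Access-Accept that no outer Access-Accept carried to the NAS."""
    inner = {p['attrs'][attr] for p in packets if p['scope'] == 'inner'
             and p['code'] == 'Access-Accept' and attr in p['attrs']}
    outer = {p['attrs'].get(attr) for p in packets
             if p['scope'] == 'outer' and p['code'] == 'Access-Accept'}
    return sorted(inner - outer)
```

Run against a real trace, an empty list means every inner reply attribute reached the access point; a non-empty list names the policy attributes the NAS never saw.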

