(RADIATOR) Radiator 3.19, TTLS & Validate Server Certificate with Odyssey

Christophe Wolfhugel wolf at oleane.net
Tue Oct 25 10:16:28 CDT 2005


Hello.

I'm trying to have the following setup work with Odyssey having the
"Validate Server Certificate" option enabled, and I'm now wondering whether this is
a client (Odyssey) issue or a server issue.

The current EAP-TTLS setup already works fine without this option. Some
users using the Intel WPA client also work fine (but I can't know for sure
whether they validate the Radius's certificate or not).

Server is Radiator 3.10, OpenSSL 0.9.8.
Client is Odyssey 4.04.0.2112 on W-2000.

The basic issue is here, in EAP_21.pem:

Tue Oct 25 17:04:48 2005: DEBUG: Handling with EAP: code 2, 4, 17
Tue Oct 25 17:04:48 2005: DEBUG: Response type 21
Tue Oct 25 17:04:48 2005: DEBUG: EAP TTLS data, 8576, 4, 2
Tue Oct 25 17:04:48 2005: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
Tue Oct 25 17:04:48 2005: DEBUG: EAP result: 1, EAP TLS Handshake unsuccessful:  20954: 1 - error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Tue Oct 25 17:04:48 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS Handshake unsuccessful:  20954: 1 - error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Tue Oct 25 17:04:48 2005: INFO: Access rejected for anonymous: EAP TLS Handshake unsuccessful:  20954: 1 - error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

My understanding is that somehow the client returns this error (i.e. Odyssey not
being able to decrypt something). Of course Odyssey knows about the Root CA
that generated the server's certificate.

Odyssey's debugging doesn't say much, just this:

17:07:28.181 >>>>>>>> Starting authentication

17:07:28.181 ReceivedEvent
17:07:28.181 [DTL] Supplicant state machine: txRspId, id = 1, prev = 256
17:07:28.181 [NRM] Transmitting EAP-Response
17:07:28.181 SetThreadPriority(1) returned success
17:07:28.181 OdysseySupplicantMgr::DoThread() event loop
17:07:28.211 ++ EAPOL message received
17:07:28.211 Message dequeued
17:07:28.211 SetThreadPriority(0) returned success
17:07:28.211 [DTL] Received EAPOL packet
17:07:28.211 [NRM] Processing EAP-Request/21: code = 1, id = 2, length = 6
17:07:28.211 STATE_Auth() 6
17:07:28.211 [DTL] Supplicant state machine: txRspAuth, id = 2, prev = 1
17:07:28.211 [NRM] Transmitting EAP-Response
17:07:28.221 SetThreadPriority(1) returned success
17:07:28.231 ++ EAPOL message received
17:07:28.231 Message dequeued
17:07:28.231 SetThreadPriority(0) returned success
17:07:28.231 [DTL] Received EAPOL packet
17:07:28.231 [NRM] Processing EAP-Request/21: code = 1, id = 3, length = 1000
17:07:28.231 STATE_Auth() 6
17:07:28.231 [DTL] Supplicant state machine: txRspAuth, id = 3, prev = 2
17:07:28.231 [NRM] Transmitting EAP-Response
17:07:28.231 SetThreadPriority(1) returned success
17:07:28.241 ++ EAPOL message received
17:07:28.241 Message dequeued
17:07:28.241 SetThreadPriority(0) returned success
17:07:28.241 [DTL] Received EAPOL packet
17:07:28.241 [NRM] Processing EAP-Request/21: code = 1, id = 4, length = 908
17:07:28.241 STATE_Auth() 6
17:07:28.241 [DTL] Supplicant state machine: txRspAuth, id = 4, prev = 3
17:07:28.251 [NRM] Transmitting EAP-Response
17:07:28.251 SetThreadPriority(1) returned success
17:07:28.501 OdysseySupplicantMgr::DoThread() event loop
17:07:28.551 Configuring adapters
17:07:28.551 updating adapter {26A146D0-82A0-43C2-8F27-CE7CC94CFEE8}
17:07:28.551 STATE_Auth() 1
17:07:28.551 [DTL] Supplicant state machine: txLogoff
17:07:28.551 [NRM] Transmitting EAPOL-Logoff
17:07:28.551 STATE_Auth() 2
17:07:28.551 STATE_Auth() 2
17:07:28.551 LINK_LinkState() 1
17:07:28.551 ReceivedEvent
17:07:28.551 ++ Indication received: adapter is disconnected
17:07:28.551 SetThreadPriority(1) returned success
17:07:28.551 ++ Clearing message queue

And the excerpt from the radius.cfg:

<Handler Client-Identifier=GNR-AP, TunnelledByTTLS=1>
        <AuthBy FILE>
                Filename        %D/users-wifi-wpa
                NoDefault
        </AuthBy>
</Handler>
<Handler Client-Identifier=GNR-AP>
        AcctLogFileName         %L/detail-wpa
        <AuthBy FILE>
                Filename                %D/users-wifi-wpa
                NoDefault
                EAPType                 TTLS
                EAPTLS_SessionResumption 0
                EAPTLS_MaxFragmentSize  990
                EAPAnonymous            anonymous
                EAPTLS_CertificateType  PEM
                EAPTLS_CAFile           %D/dih-rootca.pem
                EAPTLS_CertificateFile  %D/dih-cert.pem
                EAPTLS_PrivateKeyFile   %D/dih-key.pem
                EAPTLS_PrivateKeyPassword lustucru
                AutoMPPEKeys
                SSLeayTrace             3
                #EAPTLS_PEAPVersion     1
        </AuthBy>
</Handler>

Any idea on how this could be trapped further? (tcpdump available upon
request to have the complete exchange between the AP and the Radius.)

-- 
Christophe Wolfhugel -+- wolf at oleane.net -+- France Telecom Transpac
13 rue de Javel, 75015 Paris, +33 1 5395 1121.
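Editor's added example (not from the original post, and not Radiator or Odyssey code): a small Python helper that decodes the OpenSSL error string Radiator prints on a failed EAP-TLS/TTLS handshake and pulls every such failure out of a Radiator debug log. It assumes the legacy OpenSSL error-code layout (8 bits library, 12 bits function, 12 bits reason) and the OpenSSL convention that a TLS alert received from the peer is reported as reason code 1000 + alert number; the sample log below is the three lines quoted above, re-used as constructed input.

```python
"""Decode Radiator's "EAP TLS Handshake unsuccessful" OpenSSL errors.

Assumptions (not stated in the original post): OpenSSL 0.9.x/1.x packs an
error code as lib(8 bits):func(12 bits):reason(12 bits), and encodes a TLS
alert received from the peer as reason 1000 + <alert number>, so the
reason part of 1409441B (0x41B = 1051) is alert 51, decrypt_error.
"""
import re
from datetime import datetime

# TLS 1.0 alert descriptions (RFC 2246 section 7.2); values are protocol numbers
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}

# error:<8 hex digits>:<library>:<function>:<reason text>
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

# "Tue Oct 25 17:04:48 2005: DEBUG: message"
RADIATOR_LINE_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")


def parse_openssl_error(text):
    """Return the decoded OpenSSL error found in text, or None."""
    m = OPENSSL_ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    result = {
        "code": code,
        "lib": code >> 24,               # 0x14 = ERR_LIB_SSL
        "func": (code >> 12) & 0xFFF,    # 0x094 = SSL3_READ_BYTES here
        "reason": reason,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
    }
    # Received TLS alerts are reported as reason 1000 + alert number
    if 1000 <= reason <= 1255 and "alert" in result["reason_text"]:
        alert = reason - 1000
        result["tls_alert"] = alert
        result["tls_alert_name"] = TLS_ALERTS.get(alert, "unknown")
    return result


def parse_radiator_line(line):
    """Split a Radiator log line into timestamp, level and message."""
    m = RADIATOR_LINE_RE.match(line)
    if m is None:
        return None
    return {
        "timestamp": datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
        "level": m.group(2),
        "message": m.group(3),
    }


def handshake_failures(lines):
    """Return every log line that carries a decodable OpenSSL error."""
    failures = []
    for line in lines:
        entry = parse_radiator_line(line)
        if entry is None:
            continue
        err = parse_openssl_error(entry["message"])
        if err is not None:
            entry["openssl"] = err
            failures.append(entry)
    return failures


# Constructed sample: the three lines quoted in the post above
SAMPLE_RADIATOR_LOG = """\
Tue Oct 25 17:04:48 2005: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
Tue Oct 25 17:04:48 2005: DEBUG: EAP result: 1, EAP TLS Handshake unsuccessful:  20954: 1 - error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Tue Oct 25 17:04:48 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS Handshake unsuccessful:  20954: 1 - error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Tue Oct 25 17:04:48 2005: INFO: Access rejected for anonymous: EAP TLS Handshake unsuccessful:  20954: 1 - error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
"""

if __name__ == "__main__":
    for f in handshake_failures(SAMPLE_RADIATOR_LOG.splitlines()):
        e = f["openssl"]
        print(f"{f['timestamp']} {f['level']}: {e['func_name']} -> "
              f"alert {e.get('tls_alert')} ({e.get('tls_alert_name')})")
```

The decoded alert name is what the RFC calls the condition; RFC 2246 defines decrypt_error as a failed handshake cryptographic operation (a signature that did not verify, a key exchange that could not be decrypted, or a Finished message that did not validate), so the reason text in the log tells you which alert the supplicant sent but not which of those operations failed on its side. Running the script over a full Radiator debug log groups every rejected handshake with its alert, which is a quicker first check than reading the trace by hand.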

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
