(RADIATOR) MSCHAPv2-over-PEAP with Radiator to RSA SECURID
Andreas Dietrich
Andreas.Dietrich at controlware.de
Fri Nov 3 04:40:56 CST 2006
Hi everybody,
First, some information about the kind of configuration I am talking about:
1st as supplicant: 802.1X standard XP SP2 client,
2nd as authenticator: Trapeze MX200 wireless switch,
3rd as EAP proxy: Radiator,
4th as RADIUS authentication server: RSA Authentication Manager 6.1 with Steel-Belted Radius
The goal is to authenticate the Win XP client on the RSA with MSCHAPv2 over PEAP.
Because of the hash problem of RSA (it cannot deal with a hashed password) I am trying the following:
The 802.1X credentials are Username: "user:PinTokencode" with an empty password.
Radiator splits the username into two different credentials, which are proxied to the RSA.
After an Accept from the RSA, Radiator should inform the Trapeze (as the authenticator) that the auth process was a success.
################### radius.cfg #########################################
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
BindAddress 10.0.0.20
Trace 4
<Client DEFAULT>
Secret mysecretwithtrapeze
DupInterval 0
</Client>
<Handler ConvertedFromEAPMSCHAPV2=1>
PreAuthHook file:"c:/Program Files/Radiator/userauth.pl"
<AuthBy RADIUS>
Retries 0
LocalAddress 10.0.0.20
Host 10.0.0.21
Secret sharedsecretwithmyrsa
AuthPort 1645
AcctPort 1646
StripFromRequest ConvertedFromEAPMSCHAPV2, MS-CHAP2-Response, MS-CHAP-Challenge
ReplyHook sub { my $p = ${$_[0]};\
my $rp = ${$_[1]};\
my $op = ${$_[2]};\
my $sp = ${$_[3]};\
my $attrib = $p->get_attr('TRPZ-VLAN-Name');\
$attrib="$attrib";\
$rp->add_attr('TRPZ-VLAN-Name',$attrib);}
</AuthBy>
</Handler>
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
EAPType MSCHAP-V2
EAP_PEAP_MSCHAP_Convert 1
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename %D/users
EAPType PEAP
EAPTLS_CAFile C:/Radiator/Radiator-3.15/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile C:/Radiator/Radiator-3.15/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile C:/Radiator/Radiator-3.15/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 1
EAPTLS_SessionResumptionLimit 10
EAPTLS_PEAPVersion 1
</AuthBy>
</Handler>
################### end of radius.cfg #########################################
################### userauth.pl #########################################
sub
{
    my $p = ${$_[0]};
    my $name = $p->get_attr('User-Name');

    # User-Name arrives as "user:PinTokencode"; split it into the two
    # credentials that are proxied to the RSA server. If there is no
    # separator, leave the request untouched.
    return unless defined $name && $name =~ /(.*)\:(.*)/;
    my $user = $1;
    my $pass = $2;

    $p->change_attr('User-Name', $user);
    $p->change_attr('User-Password', $pass);
    $p->{DecodedPassword} = $pass;
}
################### end of userauth.pl #########################################
The first sequences of the PEAP communication are in the attached txt file...
################### OUTPUT - LOGFILE #########################################
*** Sending to 10.0.0.21 port 1645 ....
Code: Access-Request
Identifier: 1
Authentic: >X<189><169><127><246><226><238><131><161><21><145>_Y><167>
Attributes:
User-Name = "adietrich"
User-Password = <159>0<199><199>F:l<193><134><218><19><226><241><139><153>D
Fri Nov 3 11:08:45 2006: DEBUG: AuthBy RADIUS result: IGNORE,
Fri Nov 3 11:08:45 2006: DEBUG: EAP result: 2, EAP-MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a Handler
Fri Nov 3 11:08:45 2006: DEBUG: AuthBy FILE result: IGNORE, EAP-MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a Handler
Fri Nov 3 11:08:45 2006: DEBUG: EAP result: 2, EAP PEAP inner authentication redespatched to a Handler
Fri Nov 3 11:08:45 2006: DEBUG: AuthBy FILE result: IGNORE, EAP PEAP inner authentication redespatched to a Handler
Fri Nov 3 11:08:46 2006: DEBUG: Packet dump:
*** Received from 10.0.0.21 port 1645 ....
Code: Access-Accept
Identifier: 1
Authentic: #<180><162>y9v<165><169>j<29><10>"f<159><14>.
Attributes:
Class = "SBR2CL<136><181><238><163><133><130><217><218><131><128><17><128>(<1><128><3><129><152><206><128><2><128><11><129><176><217><141><150><171><209><228><233><177><218><128><18><128><14><129><136><181><238><163><133><130><217><218><131><128><128><128><129><216>"
TRPZ-VLAN-Name = "default"
Fri Nov 3 11:08:46 2006: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.0.21:1645
Fri Nov 3 11:08:46 2006: DEBUG: Access accepted for adietrich:1234600905
Fri Nov 3 11:08:47 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: >X<189><169><127><246><226><238><131><161><21><145>_Y><167>
Attributes:
Class = "SBR2CL<136><181><238><163><133><130><217><218><131><128><17><128>(<1><128><3><129><152><206><128><2><128><11><129><176><217><141><150><171><209><228><233><177><218><128><18><128><14><129><136><181><238><163><133><130><217><218><131><128><128><128><129><216>"
TRPZ-VLAN-Name = "default"
TRPZ-VLAN-Name = ""
Fri Nov 3 11:08:47 2006: DEBUG: Access challenged for anonymous: Converted MSCHAPV2 authentication success
Fri Nov 3 11:08:47 2006: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: vh<210>l<201><154><175><138><26>5w<159><230><174><136><221>
Attributes:
Fri Nov 3 11:08:47 2006: DEBUG: Access challenged for adietrich:1234600905: EAP PEAP Inner authentication challenged
Fri Nov 3 11:08:47 2006: DEBUG: Packet dump:
*** Sending to 10.0.0.170 port 20007 ....
Code: Access-Challenge
Identifier: 9
Authentic: S<17><172>8,O<148><17>s%ivtT<11>w
Attributes:
EAP-Message = <1><8><0><6><25><0>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
################### end of OUTPUT - LOGFILE #########################################
Questions:
Why is TRPZ-VLAN-Name not inside the final Access-Challenge to 10.0.0.170?
And why is it an Access-Challenge instead of an Access-Accept that is sent to the Trapeze?
How do I send the Trapeze attribute VLAN-NAME in the OUTER AUTHENTICATION?
Why does Radiator use the attribute name TRPZ-VLAN-NAME instead of the default naming VLAN-NAME?
Any suggestion for solving the main problem? Bypassing the problem of MSCHAP on the client side without additional software on the client or changing the authentication server from RSA to vaso or kobil?
__________________________________________________
Kind regards / Regards
Andreas Dietrich
Controlware GmbH
Competence Center Communication Solutions
Waldstrasse 92, 63128 Dietzenbach
Office: +49 (0)6074 858 545
Mobile: +49 (0)172 6164633
Andreas.Dietrich at controlware.de
www.controlware.de
State-of-the-art Technology for Worldwide Telecommunications
__________________________________________________
Attachment: output.txt <http://www.open.com.au/pipermail/radiator/attachments/20061103/f05b3641/attachment.txt>
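An added example, not code from the original post and not Radiator's own code: a stricter version of the PreAuthHook idea in the post. It keeps the posted calling convention (the request packet is `${$_[0]}`, and `get_attr`, `change_attr` and the `DecodedPassword` field are used exactly as in userauth.pl above), but splits on the last colon so a realm or domain prefix in the user part survives, refuses to rewrite anything when the User-Name has no separator or the PIN+tokencode part does not look like one, and never writes the PIN+tokencode to the log. The numeric-or-alphanumeric check on the PIN+tokencode and the use of `&main::log` with `$main::LOG_WARNING` / `$main::LOG_DEBUG` are assumptions about the local PIN policy and the Radiator logging API, not something the post confirms. One caveat the hook cannot address: the outer handler in the log above authenticates `adietrich:1234600905`, so the PIN+tokencode is also carried in the unprotected outer EAP Identity, not only inside the PEAP tunnel; the tokencode is one-time, but the PIN is not.

```perl
# userauth.pl (added example; assumed Radiator hook calling convention)
sub
{
    my $p = ${$_[0]};          # assumption: request packet, as in the posted hook

    my $name = $p->get_attr('User-Name');
    return unless defined $name;

    # Split on the LAST colon so "corp\user:1234567890" keeps its prefix.
    # The PIN+tokencode part itself never contains a colon.
    my ($user, $pass) = $name =~ /^(.+):([^:]+)$/;

    unless (defined $user && defined $pass) {
        # No separator: leave the request alone. The proxied request then
        # carries an empty password and the RSA server rejects it.
        &main::log($main::LOG_WARNING,
                   "userauth.pl: no ':' separator in User-Name, not rewriting");
        return;
    }

    # Assumption: PIN+tokencode is alphanumeric, 4..24 characters (alphanumeric
    # PIN plus 6..8 digit tokencode). Anything else is not forwarded, so a
    # mistyped identity does not become a failed-PIN attempt on the RSA side.
    unless ($pass =~ /^[A-Za-z0-9]{4,24}$/) {
        &main::log($main::LOG_WARNING,
                   "userauth.pl: PIN/tokencode part for $user is malformed, not rewriting");
        return;
    }

    $p->change_attr('User-Name', $user);
    $p->change_attr('User-Password', $pass);
    $p->{DecodedPassword} = $pass;

    # Log the user only; $pass is a PIN plus a one-time code and must not
    # appear in the trace output even at Trace 4.
    &main::log($main::LOG_DEBUG,
               "userauth.pl: rewrote User-Name to '$user' and moved PIN+tokencode to User-Password");
    return;
}
```

Drop it in as `PreAuthHook file:"c:/Program Files/Radiator/userauth.pl"` in place of the posted file; the rest of the `<Handler ConvertedFromEAPMSCHAPV2=1>` block (the `StripFromRequest` of the MS-CHAP attributes, the `AuthBy RADIUS` to the RSA server) stays as it is.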