(RADIATOR) MSCHAPv2-over-PEAP with Radiator to RSA SECURID

Andreas Dietrich Andreas.Dietrich at controlware.de
Mon Nov 6 03:23:12 CST 2006 

Hello Hugh,

Thanks for the fast response.
My outer Handler is already authenticating against a file. In the PEAP part of the scenario it is
anonymous for outer handler and the mschapv2 user:password combination as inner handler.

So I try to precise my question: 
Is it possible to find out, why this final challenge between radiator and client is failing ?
And how do I take the attribute replied in the inner authentication procedure <ByRadius> and 
throw it into the final challenge for the outer handler ? This is because Trapeze seems to need the VLAN-Name tag
in outer PEAP procdeure.

A little hind for what I have done also to get it running to the point where I stuck now:
Because of the steelbelted Radius is not able to play with ms-chap, it gets problems when the 
following ms-chap tags are send inside the <AuthByRadius>. So I did:
StripFromRequest ConvertedFromEAPMSCHAPV2, MS-CHAP2-Response, MS- CHAP-Challenge

Could it be possible, that this breaks the communication between radiator and client in the final challenge ?
I tried to reintegrate them in the ReplyHook without success.



__________________________________________________

Mit freundlichen Grüßen / Regards

Andreas Dietrich

Controlware GmbH
Competence Center Communication Solutions
Waldstrasse 92, 63128 Dietzenbach

Büro: +49 (0)6074 858 545 
Mobil: +49 (0)172 6164633
Andreas.Dietrich at controlware.de
www.controlware.de

State-of-the-art Technology for Worldwide Telecommunications
__________________________________________________



>>> Hugh Irvine <hugh at open.com.au> 03.11.2006 22:52 >>>

Hello Andreas -

Thanks for your mail.

As far as I can see, Radiator is correctly authenticating with the  
RSA server, but when Radiator sends the final Challenge to the client  
nothing comes back. There should be a final exchange with the client  
to complete the authentication.

The answers to your other questions have to do with the above -  
Radiator only adds the reply attributes to the final access accept  
which is why you are not seeing any reply attributes. And because  
Radiator has a great number of vendor specific attributes in the  
dictionary, we have adopted the practice of prefixing all vendor  
specifics with the a tag indicating the vendor concerned.

I suggest you start with a simple AuthBy FILE in your outer Handler  
to verify that a simple client authentication works correctly, then  
move on to more complicated scenarios.

hope that helps

regards

Hugh


On 3 Nov 2006, at 21:40, Andreas Dietrich wrote:

> Hi everybody,
>
> at first some information about which kind of configuration I speak:
>
> 1st as supplicant: 802.1x standard xp sp2 client,
> 2nd as authenticator: trapeze mx200 wireless switch,
> 3rd as eap proxy: radiator,
> 4th as radius autenticaition server: RSA authentication manager 6.1  
> with steelbelted radius
>
> Authenticate the win xp client on the RSA with mschapv2 over peap.
> Because of the hash problem of RSA (it cannot deal with a hashed  
> password) I try the following:
>
> 802.1x credentials are Username: "user:PinTokencode" with empty  
> password.
> Radiator splits the username into two different credentials, which  
> are proxied to the RSA.
> After Accept from the RSA Radiator should inform Trapeze as the  
> Authenticator, that auth process was a success
>
>
> ###################  radius.cfg  
> #########################################
> Foreground
> LogStdout
> LogDir		c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
> BindAddress 10.0.0.20
> Trace 		4
> <Client DEFAULT>
> 	Secret	mysecretwithtrapeze
> 	DupInterval 0
> </Client>
> <Handler ConvertedFromEAPMSCHAPV2=1>
> 	PreAuthHook file:"c:/Program Files/Radiator/userauth.pl"
> 	<AuthBy RADIUS>
> 		Retries 0
> 		LocalAddress 10.0.0.20
> 		Host 10.0.0.21
> 		Secret sharedsecretwithmyrsa
> 		AuthPort 1645
> 		AcctPort 1646
> 		StripFromRequest ConvertedFromEAPMSCHAPV2, MS-CHAP2-Response, MS- 
> CHAP-Challenge
> 	ReplyHook sub { 	my $p = ${$_[0]};\
> 				my $rp = ${$_[1]};\	
> 				my $op = ${$_[2]};\	
> 				my $sp = ${$_[3]};\	
> 				my $attrib = $p->get_attr('TRPZ-VLAN-Name');\
> 				$attrib="$attrib";\
> 				$rp->add_attr('TRPZ-VLAN-Name',$attrib);}
> 	</AuthBy>
> </Handler>
> <Handler TunnelledByPEAP=1>
> 	<AuthBy FILE>
> 		EAPType MSCHAP-V2
> 		EAP_PEAP_MSCHAP_Convert 1
> 	</AuthBy>
> </Handler>
> <Handler>
> 	<AuthBy FILE>
> 		Filename %D/users
> 		EAPType PEAP
>                                 EAPTLS_CAFile C:/Radiator/ 
> Radiator-3.15/certificates/demoCA/cacert.pem
>                                EAPTLS_CertificateFile C:/Radiator/ 
> Radiator-3.15/certificates/cert-srv.pem
>                                EAPTLS_CertificateType PEM
>                                EAPTLS_PrivateKeyFile C:/Radiator/ 
> Radiator-3.15/certificates/cert-srv.pem
>                                EAPTLS_PrivateKeyPassword whatever
>                                EAPTLS_MaxFragmentSize 1024
>                                AutoMPPEKeys
>                                SSLeayTrace 1
>                                EAPTLS_SessionResumptionLimit 10
>                                EAPTLS_PEAPVersion 1
> 	</AuthBy>
>
> </Handler>
> ###################  end ofradius.cfg  
> #########################################
>
> ###################  userauth.pl  
> #########################################
> sub
> {
>     my $p = ${$_[0]};
>     my $user = $p->get_attr('User-Name');
>    $user =~ /(.*)\:(.*)/;
>     my $user =$1;
>     my $pass =$2;
>         $user = "$user";
>         $pass = "$pass";
>         $p->change_attr('User-Name', $user);
>         $p->change_attr('User-Password', $pass);
>         $p->{DecodedPassword} = $pass;
> }
> ###################  end of userauth.pl  
> #########################################
>
>
>
> First sequences about PEAP communication are in the attached txt  
> file...
> ################### OUTPUT - LOGFILEl  
> #########################################
>
> *** Sending to 10.0.0.21 port 1645 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:   
> >X<189><169><127><246><226><238><131><161><21><145>_Y><167>
> Attributes:
> 	User-Name = "adietrich"
> 	User-Password =  
> <159>0<199><199>F:l<193><134><218><19><226><241><139><153>D
>
> Fri Nov  3 11:08:45 2006: DEBUG: AuthBy RADIUS result: IGNORE,
> Fri Nov  3 11:08:45 2006: DEBUG: EAP result: 2, EAP-MSCHAPV2  
> converted to Radius MSCHAPV2 and redespatched to a Handler
> Fri Nov  3 11:08:45 2006: DEBUG: AuthBy FILE result: IGNORE, EAP- 
> MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a Handler
> Fri Nov  3 11:08:45 2006: DEBUG: EAP result: 2, EAP PEAP inner  
> authentication redespatched to a Handler
> Fri Nov  3 11:08:45 2006: DEBUG: AuthBy FILE result: IGNORE, EAP  
> PEAP inner authentication redespatched to a Handler
> Fri Nov  3 11:08:46 2006: DEBUG: Packet dump:
>
>
> *** Received from 10.0.0.21 port 1645 ....
> Code:       Access-Accept
> Identifier: 1
> Authentic:  #<180><162>y9v<165><169>j<29><10>"f<159><14>.
> Attributes:
> 	Class =  
> "SBR2CL<136><181><238><163><133><130><217><218><131><128><17><128> 
> (<1><128><3><129><152><206><128><2><128><11><129><176><217><141><150>< 
> 171><209><228><233><177><218><128><18><128><14><129><136><181><238><16 
> 3><133><130><217><218><131><128><128><128><129><216>"
> 	TRPZ-VLAN-Name = "default"
>
> Fri Nov  3 11:08:46 2006: DEBUG: Received reply in AuthRADIUS for  
> req 1 from 10.0.0.21:1645
> Fri Nov  3 11:08:46 2006: DEBUG: Access accepted for adietrich: 
> 1234600905
> Fri Nov  3 11:08:47 2006: DEBUG: Converted EAP-MSCHAPV2 response  
> Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:   
> >X<189><169><127><246><226><238><131><161><21><145>_Y><167>
> Attributes:
> 	Class =  
> "SBR2CL<136><181><238><163><133><130><217><218><131><128><17><128> 
> (<1><128><3><129><152><206><128><2><128><11><129><176><217><141><150>< 
> 171><209><228><233><177><218><128><18><128><14><129><136><181><238><16 
> 3><133><130><217><218><131><128><128><128><129><216>"
> 	TRPZ-VLAN-Name = "default"
> 	TRPZ-VLAN-Name = ""
>
> Fri Nov  3 11:08:47 2006: DEBUG: Access challenged for anonymous:  
> Converted MSCHAPV2 authentication success
> Fri Nov  3 11:08:47 2006: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:   
> vh<210>l<201><154><175><138><26>5w<159><230><174><136><221>
> Attributes:
>
> Fri Nov  3 11:08:47 2006: DEBUG: Access challenged for adietrich: 
> 1234600905: EAP PEAP Inner authentication challenged
> Fri Nov  3 11:08:47 2006: DEBUG: Packet dump:
> *** Sending to 10.0.0.170 port 20007 ....
> Code:       Access-Challenge
> Identifier: 9
> Authentic:  S<17><172>8,O<148><17>s%ivtT<11>w
> Attributes:
> 	EAP-Message = <1><8><0><6><25><0>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> ################### end of OUTPUT - LOGFILEl  
> #########################################
>
>
>
>
>
> Questions:
> Why is  TRPZ-VLAN-Name not inside the final Access challenge to  
> 10.0.0.170 ?
> And why isn't it an access accept instead of access challenge, send  
> to the trapeze ?
>
> How do I send the Trapeze attribute VLAN-NAME in the OUTER  
> AUTHENTICATION ?
>
> Why does Radiator uses the attribute Name TRPZ-VLAN-NAME instead of  
> default naming VLAN-NAME ?
>
> Any suggestion for solving the main problem ? Bypassing the problem  
> of mschap on client side without additional software on the client  
> or changing the authentification server from RSA to vaso or kobil ?
>
>
>
>
>
>
>
> __________________________________________________
>
> Mit freundlichen Grüßen / Regards
>
> Andreas Dietrich
>
> Controlware GmbH
> Competence Center Communication Solutions
> Waldstrasse 92, 63128 Dietzenbach
>
> Büro: +49 (0)6074 858 545
> Mobil: +49 (0)172 6164633
> Andreas.Dietrich at controlware.de 
> www.controlware.de 
>
> State-of-the-art Technology for Worldwide Telecommunications
> __________________________________________________
>
>
> <output.txt>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)? 
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/ 
Announcements on radiator-announce at open.com.au 
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list