(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP
Hugh Irvine
hugh at open.com.au
Sun Apr 15 20:56:31 CDT 2007
Hello Rogier -
Thanks for the additional information and your patience.
It turns out the problem you are seeing is due to the use of MSCHAP-V2
in the "inner" processing, which delays the availability of the
"inner" identity until after the processing of the tunnelled request.
Here is the relevant portion of the debug at
http://www.iverdahl.net/pub/radiator-trace/sc2-peap.txt:
.....
Fri Apr 6 18:49:42 2007: DEBUG: EAP PEAP inner authentication
request for anonymous at iverdahl.net
Fri Apr 6 18:49:42 2007: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: |2<193><223><247>Yn<171>_<13>TR<17><217>J<20>
Attributes:
EAP-Message = <2><10><0><26><1>test at visitor.iverdahl.net
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous at iverdahl.net"
NAS-IP-Address = 10.0.0.20
NAS-Port = 548
Calling-Station-Id = "000b.6c52.1a49"
Fri Apr 6 18:49:42 2007: DEBUG: Handling request with Handler
'TunnelledByPEAP=1, Realm=iverdahl.net'
Fri Apr 6 18:49:42 2007: DEBUG: Rewrote user name to anonymous
Fri Apr 6 18:49:42 2007: DEBUG: Deleting session for
anonymous at iverdahl.net, 10.0.0.20, 548
Fri Apr 6 18:49:42 2007: DEBUG: Handling with Radius::AuthLDAP2:
Iverdahl-LDAP
Fri Apr 6 18:49:42 2007: DEBUG: Handling with EAP: code 2, 10, 26
Fri Apr 6 18:49:42 2007: DEBUG: Response type 1
Fri Apr 6 18:49:42 2007: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Fri Apr 6 18:49:42 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
MSCHAP-V2 Challenge
Fri Apr 6 18:49:42 2007: DEBUG: Access challenged for anonymous: EAP
MSCHAP-V2 Challenge
Fri Apr 6 18:49:42 2007: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: |2<193><223><247>Yn<171>_<13>TR<17><217>J<20>
Attributes:
.....
As you can see, the EAP-Message in the tunnelled request contains the
"inner" username that you have configured, but the MSCHAP-V2
processing occurs later.
One (very ugly) way to try to get around this might be to use this
for your "inner" Handler:
<Handler TunnelledByPEAP=1, EAP-Message=/visitor.iverdahl.net/>
.....
</Handler>
Please let me know how you get on.
regards
Hugh
On 16 Apr 2007, at 00:09, Rogier Krieger wrote:
> On 4/14/07, Hugh Irvine <hugh at open.com.au> wrote:
>> Could you also tell me what outer username you used in all cases as
>> well as what client supplicant you used?
>
> In all cases, the supplicant is the PalmOS 802.1x supplicant from
> their ESU (Enterprise Security Update). That one is more (easily)
> configurable than its WinXP counterpart, in that I can set an outer
> and inner identity. If you would like screen shots of the supplicant
> setup, let me know.
>
> For the various scenarios (sc1 to sc4), I used the following outer and
> inner identities.
>
> #  Outer identity        Inner identity
> 1  iverdahl.net          iverdahl.net
> 2  iverdahl.net          visitor.iverdahl.net
> 3  visitor.iverdahl.net  iverdahl.net
> 4  visitor.iverdahl.net  visitor.iverdahl.net
>
>
> I expect Radiator to always handle the inner EAP authentication with a
> handler based on the realm of the inner identity. For TTLS it does,
> for PEAP it seems to select its handler based upon the outer identity
> realm. As I mentioned in my original message, I get the following
> results for my four scenarios:
>
> #  Expected              TTLS result  PEAP result
> 1  iverdahl.net          OK           OK
> 2  visitor.iverdahl.net  OK           FAIL (iverdahl.net)
> 3  iverdahl.net          OK           FAIL (visitor.iverdahl.net)
> 4  visitor.iverdahl.net  OK           OK
>
> Note: 'Expected' corresponds with the 'Inner identity' in the table
> above. It is only repeated for clarity. Results mentioning 'FAIL'
> indicate Radiator handled the inner EAP authentication with the realm
> mentioned in parentheses instead of the 'expected' realm.
>
> Does the above clarify things? I am getting a suspicion that WinXP's
> PEAP would not have this issue, as it does not (to my knowledge) allow
> setting a different outer identity and my PalmOS supplicant does allow
> such tweaking.
>
> If there is more information that I can provide, please let me know.
>
> Cheers,
>
> Rogier
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
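The point of Hugh's reply is that in the tunnelled PEAP request the outer User-Name still carries the anonymous identity, while the "inner" identity is only visible inside the EAP-Message attribute (an EAP-Response/Identity: Code 2, Identifier 10, Length, Type 1, identity string), and once the exchange has moved on to MSCHAP-V2 the EAP packet carries no identity at all. The following Python, added here as an illustration and not code from Radiator or from either poster, decodes that EAP packet and shows the handler-selection logic the EAP-Message=/.../ workaround approximates: prefer the realm of the identity inside the EAP-Message, fall back to the outer User-Name realm when the EAP packet is not an Identity response. All sample bytes are constructed to resemble the trace (the archive's "test at visitor.iverdahl.net" stands for test@visitor.iverdahl.net); the exact Length in the trace is not reproduced.

```python
"""Decode the EAP packet inside a RADIUS EAP-Message attribute and choose a
handler realm from the tunnelled identity (constructed example)."""
import struct
from typing import Optional

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26   # EAP-MSCHAP-V2 type number


def parse_eap(packet: bytes) -> dict:
    """Parse the 4-byte EAP header (Code, Identifier, Length) plus Type and
    Type-Data. Raises ValueError on a truncated packet or a Length field
    that does not match the bytes present, so a malformed tunnelled
    request is rejected rather than silently mis-parsed."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} != {len(packet)} bytes received")
    eap = {"code": code, "identifier": identifier, "length": length,
           "type": None, "data": b""}
    if length > 4:  # Success/Failure carry no Type; Request/Response do
        eap["type"] = packet[4]
        eap["data"] = packet[5:]
    return eap


def inner_identity(packet: bytes) -> Optional[str]:
    """Return the identity string from an EAP-Response/Identity, else None
    (an MSCHAP-V2 response, for instance, carries no identity)."""
    eap = parse_eap(packet)
    if eap["code"] == EAP_CODE_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY:
        return eap["data"].decode("utf-8", errors="replace")
    return None


def realm_of(nai: str) -> Optional[str]:
    """NAI realm is the part after the last '@'; None if there is none."""
    if "@" not in nai:
        return None
    return nai.rsplit("@", 1)[1].lower()


def select_handler_realm(outer_user_name: str, eap_message: bytes) -> str:
    """Prefer the realm of the identity inside the tunnelled EAP-Message;
    fall back to the outer User-Name realm when the EAP packet carries no
    identity. 'DEFAULT' stands in for a realm-less default handler."""
    identity = inner_identity(eap_message)
    if identity is not None and realm_of(identity):
        return realm_of(identity)
    return realm_of(outer_user_name) or "DEFAULT"


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Encode an EAP-Response/Identity with a correct Length field."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                       5 + len(data), EAP_TYPE_IDENTITY) + data


# Constructed samples modelled on the trace: outer User-Name is the
# anonymous identity, the EAP-Message identifies the visitor realm.
OUTER_USER_NAME = "anonymous@iverdahl.net"
SAMPLE_IDENTITY_RESPONSE = build_eap_identity_response(10, "test@visitor.iverdahl.net")
# Constructed EAP-Response of Type 26 (MSCHAP-V2) with opaque Type-Data:
# no identity is present, so only the outer User-Name is available.
SAMPLE_MSCHAPV2_RESPONSE = (struct.pack("!BBHB", EAP_CODE_RESPONSE, 11, 9,
                                        EAP_TYPE_MSCHAPV2) + b"\x02\x0b\x00\x09")

if __name__ == "__main__":
    for label, pkt in (("Identity", SAMPLE_IDENTITY_RESPONSE),
                       ("MSCHAP-V2", SAMPLE_MSCHAPV2_RESPONSE)):
        print(label, "->", inner_identity(pkt),
              "handler realm:", select_handler_realm(OUTER_USER_NAME, pkt))
```

The fallback branch is exactly the case in the trace: by the time the MSCHAP-V2 challenge/response packets arrive, the identity is no longer inside the EAP-Message, so anything that keys handler selection on the inner identity has to capture it from the first Identity response and carry it across the rest of the tunnelled conversation.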