(RADIATOR) Latest patch set breaks TTLS authentication

Ernst Oudhof e.oudhof at mailfrom.nl
Wed May 30 04:07:59 CDT 2007


Hi,

The latest patch set seems to break TTLS authentication even in a very
simple configuration.

For example:


<Handler TunnelledByTTLS=1>
        <AuthBy FILE>
                Filename %D/users
        </AuthBy>
</Handler>
<Handler EAP-Message=/.+/>
        <AuthBy FILE>
                Filename %D/users
                EAPType TTLS,PEAP
                EAPTLS_CAFile %D/root.pem
                EAPTLS_CertificateFile %D/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/cert-srv.pem
                EAPTLS_MaxFragmentSize 1024
                AutoMPPEKeys
                EAPAnonymous %0
        </AuthBy>
</Handler>

Relevant debug logs:

*** Received from 127.0.0.1 port 34014 ....
Code:       Access-Request
Identifier: 4
Authentic:  <253>aLF<215>e<172><218><244><241><208>*ur<172>r
Attributes:
        User-Name = "ernst at mailfrom.nl"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = <2><4><0><128><21><0><23><3><1><0>
<31><11>B7<212>X<26><233><237>\<<133><220>f<206><211><169>F^<164><197><137><138><30><174>{<158>c<30>zo<251><23><3><1><0>Pc<235><223>4d<233><145><170>D<11>$R<156><181><146><226><249><169><174><250>
TW<200><191>t<196><134><217>]8<169><187>L<1>q%<136><245><238><223><207><19><197>P<244>PPcZW`<218>e]=<13><175>&<169><224>'<242><26><252>yF<148>r<172>T<227><0>W`<181><201>?<192>o
        Message-Authenticator =
`<151><184><205>?<240><128><2>W<223>R<21><152><1><253><25>

Wed May 30 10:15:16 2007: DEBUG: Handling request with Handler
'EAP-Message=/.+/'
Wed May 30 10:15:16 2007: DEBUG:  Deleting session for ernst at mailfrom.nl,
127.0.0.1,
Wed May 30 10:15:16 2007: DEBUG: Handling with Radius::AuthFILE:
Wed May 30 10:15:16 2007: DEBUG: Handling with EAP: code 2, 4, 128
Wed May 30 10:15:16 2007: DEBUG: Response type 21
Wed May 30 10:15:16 2007: DEBUG: EAP TTLS data, 3, 4, 3
Wed May 30 10:15:16 2007: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       UNDEF
Identifier: UNDEF
Authentic:  UNDEF
Attributes:
        User-Name = "ernst at mailfrom.nl"
        User-Password = xxxxxxx

Wed May 30 10:15:16 2007: DEBUG: EAP TTLS inner authentication request for
ernst at mailfrom.nl
Wed May 30 10:15:16 2007: DEBUG: Handling request with Handler
'TunnelledByTTLS=1'
Wed May 30 10:15:16 2007: DEBUG:  Deleting session for ernst at mailfrom.nl,
127.0.0.1,
Wed May 30 10:15:16 2007: DEBUG: Handling with Radius::AuthFILE:
Wed May 30 10:15:16 2007: DEBUG: Reading users file /etc/radiator/users
Wed May 30 10:15:16 2007: DEBUG: Radius::AuthFILE looks for match with
ernst at mailfrom.nl [ernst at mailfrom.nl]
Wed May 30 10:15:16 2007: DEBUG: Radius::AuthFILE ACCEPT: :
ernst at mailfrom.nl [ernst at mailfrom.nl]
Wed May 30 10:15:16 2007: DEBUG: AuthBy FILE result: ACCEPT,
Wed May 30 10:15:16 2007: DEBUG: Access accepted for ernst at mailfrom.nl
Wed May 30 10:15:16 2007: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  A<252><232>n>x<154>s<12><145><252><191><190>B<134>+
Attributes:

Wed May 30 10:15:16 2007: ERR: Could not handle an EAP request: Can't call
method "delete_attr" on an undefined value at
/usr/local/share/perl/5.8.8/Radius/EAP_21.pm line 427.

Wed May 30 10:15:16 2007: DEBUG: AuthBy FILE result: REJECT, Could not
handle an EAP request
Wed May 30 10:15:16 2007: INFO: Access rejected for ernst at mailfrom.nl:
Could not handle an EAP request
Wed May 30 10:15:16 2007: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 34014 ....
Code:       Access-Reject
Identifier: 4
Authentic:  <253>aLF<215>e<172><218><244><241><208>*ur<172>r
Attributes:
        Reply-Message = "Request Denied"

The problem seems to be in the following piece of code in EAP_21.pm; in a
different configuration it gives similar errors on line 425:

        # Also copy the reply attrs from the inner request for use later
        # when the handshake finishes, but don't reveal any MS-CHAP2-Success.
        # Override any attrs that were previously set (eg in the case where
        # TNC follows authentication, allowing TNC to override tunnels etc)
        foreach (@{$tp->{rp}->{Attributes}})
        {
            $context->{last_reply_attrs}->change_attr($_->[0], $_->[1]);
        }
        $context->{last_reply_attrs}->delete_attr('MS-CHAP2-Success');
regards,

Ernst
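The following is an added illustration, not code from the post above and not Radiator's own code. It models the quoted attribute-copy block with a minimal constructed stand-in for the reply-attribute container (`AttrList`, with `change_attr` and `delete_attr` methods assumed to behave as their names suggest) to show why the same defect surfaces on two different lines: when the inner Access-Accept carries no attributes (as in the posted log, where the tunnelled reply's `Attributes:` list is empty) the `foreach` body never executes and the first method call on the undefined `$context->{last_reply_attrs}` is `delete_attr`; when the inner reply does carry attributes, `change_attr` inside the loop fails first. The mapping of those two calls to "line 425" and "line 427" is an assumption drawn from the quoted snippet and the two error locations mentioned in the message.

```perl
#!/usr/bin/perl
# Hypothetical illustration, not Radiator code: models how the attribute-copy
# block quoted from EAP_21.pm fails when $context->{last_reply_attrs} is undef.
use strict;
use warnings;

# Minimal constructed stand-in for a reply-attribute container.
package AttrList;
sub new { my $class = shift; return bless { attrs => [] }, $class; }
sub change_attr {
    my ($self, $name, $value) = @_;
    # Replace an existing attribute of the same name, otherwise append it.
    for my $pair (@{ $self->{attrs} }) {
        if ($pair->[0] eq $name) { $pair->[1] = $value; return; }
    }
    push @{ $self->{attrs} }, [ $name, $value ];
}
sub delete_attr {
    my ($self, $name) = @_;
    @{ $self->{attrs} } = grep { $_->[0] ne $name } @{ $self->{attrs} };
}
sub names { my $self = shift; return map { $_->[0] } @{ $self->{attrs} }; }

package main;

# Mirrors the quoted loop: copy the inner reply's attrs into the context,
# then make sure MS-CHAP2-Success is not revealed.
sub copy_reply_attrs {
    my ($context, $inner_reply_attrs) = @_;
    foreach (@$inner_reply_attrs) {
        $context->{last_reply_attrs}->change_attr($_->[0], $_->[1]);   # assumed "line 425"
    }
    $context->{last_reply_attrs}->delete_attr('MS-CHAP2-Success');     # assumed "line 427"
}

# Runs copy_reply_attrs and returns the die message, or '' when it succeeds,
# so the two failure points can be compared side by side.
sub try_copy {
    my ($context, $attrs) = @_;
    eval { copy_reply_attrs($context, $attrs); 1 } or return $@;
    return '';
}

# Case 1: inner Access-Accept carried no attributes (as in the posted log).
# The loop body never runs, so the first call on undef is delete_attr.
my $ctx_empty = {};                           # last_reply_attrs never initialised
print "empty reply:   ", try_copy($ctx_empty, []);

# Case 2: inner reply carries attributes (a different configuration).
# change_attr inside the loop is reached first and fails there instead.
my $ctx_attrs = {};
print "reply w/attrs: ", try_copy($ctx_attrs, [ [ 'Reply-Message', 'ok' ] ]);

# Case 3: the context was initialised with a container, so both calls succeed
# and MS-CHAP2-Success is stripped while the copied attribute is kept.
my $ctx_ok = { last_reply_attrs => AttrList->new };
$ctx_ok->{last_reply_attrs}->change_attr('MS-CHAP2-Success', 'S=constructed');
print "initialised:   ", (try_copy($ctx_ok, [ [ 'Reply-Message', 'ok' ] ]) || "no error\n");
print "remaining:     ", join(',', $ctx_ok->{last_reply_attrs}->names), "\n";
```

Cases 1 and 2 both die with `Can't call method "..." on an undefined value`, differing only in the method name and line, which matches the pattern of getting the error on line 427 in the configuration shown and on line 425 in another; case 3 shows the intended outcome once the container exists.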

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.