(RADIATOR) Latest patch set breaks TTLS authentication
Hugh Irvine
hugh at open.com.au
Wed May 30 06:30:28 CDT 2007
Hello Ernst -
Many thanks for your mail and bug report.
Mike is travelling at the moment but he will look at this as soon as
he can.
regards
Hugh
On 30 May 2007, at 19:07, Ernst Oudhof wrote:
> Hi,
>
> The latest patch set seems to break TTLS authentication even in a very
> simple configuration.
>
> by example:
>
>
> <Handler TunnelledByTTLS=1>
> <AuthBy FILE>
> Filename %D/users
> </AuthBy>
> </Handler>
>
>
>
>
> <Handler EAP-Message=/.+/>
> <AuthBy FILE>
> Filename %D/users
> EAPType TTLS,PEAP
> EAPTLS_CAFile %D/root.pem
> EAPTLS_CertificateFile %D/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/cert-srv.pem
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> EAPAnonymous %0
> </AuthBy>
> </Handler>
>
>
> Relevant Debug logs
>
>
> *** Received from 127.0.0.1 port 34014 ....
> Code: Access-Request
> Identifier: 4
> Authentic: <253>aLF<215>e<172><218><244><241><208>*ur<172>r
> Attributes:
> User-Name = "ernst at mailfrom.nl"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = <2><4><0><128><21><0><23><3><1><0>
> <31><11>B7<212>X<26><233><237>
> \<<133><220>f<206><211><169>F^<164><197><137><138><30><174>
> {<158>c<30>zo<251><23><3><1><0>Pc<235><223>4d<233><145><170>D<11>
> $R<156><181><146><226><249><169><174><250>
> TW<200><191>t<196><134><217>]8<169><187>L<1>q%
> <136><245><238><223><207><19><197>P<244>PPcZW`<218>e]
> =<13><175>&<169><224>'<242><26><252>yF<148>r<172>T<227><0>W`<181><201>
> ?<192>o
> Message-Authenticator =
> `<151><184><205>?<240><128><2>W<223>R<21><152><1><253><25>
>
> Wed May 30 10:15:16 2007: DEBUG: Handling request with Handler
> 'EAP-Message=/.+/'
> Wed May 30 10:15:16 2007: DEBUG: Deleting session for
> ernst at mailfrom.nl,
> 127.0.0.1,
> Wed May 30 10:15:16 2007: DEBUG: Handling with Radius::AuthFILE:
> Wed May 30 10:15:16 2007: DEBUG: Handling with EAP: code 2, 4, 128
> Wed May 30 10:15:16 2007: DEBUG: Response type 21
> Wed May 30 10:15:16 2007: DEBUG: EAP TTLS data, 3, 4, 3
> Wed May 30 10:15:16 2007: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "ernst at mailfrom.nl"
> User-Password = xxxxxxx
>
> Wed May 30 10:15:16 2007: DEBUG: EAP TTLS inner authentication
> request for
> ernst at mailfrom.nl
> Wed May 30 10:15:16 2007: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1'
> Wed May 30 10:15:16 2007: DEBUG: Deleting session for
> ernst at mailfrom.nl,
> 127.0.0.1,
> Wed May 30 10:15:16 2007: DEBUG: Handling with Radius::AuthFILE:
> Wed May 30 10:15:16 2007: DEBUG: Reading users file /etc/radiator/
> users
> Wed May 30 10:15:16 2007: DEBUG: Radius::AuthFILE looks for match with
> ernst at mailfrom.nl [ernst at mailfrom.nl]
> Wed May 30 10:15:16 2007: DEBUG: Radius::AuthFILE ACCEPT: :
> ernst at mailfrom.nl [ernst at mailfrom.nl]
> Wed May 30 10:15:16 2007: DEBUG: AuthBy FILE result: ACCEPT,
> Wed May 30 10:15:16 2007: DEBUG: Access accepted for ernst at mailfrom.nl
> Wed May 30 10:15:16 2007: DEBUG: Returned TTLS tunnelled Diameter
> Packet
> dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: A<252><232>n>x<154>s<12><145><252><191><190>B<134>+
> Attributes:
>
> Wed May 30 10:15:16 2007: ERR: Could not handle an EAP request:
> Can't call
> method "delete_attr" on an undefined value at
> /usr/local/share/perl/5.8.8/Radius/EAP_21.pm line 427.
>
> Wed May 30 10:15:16 2007: DEBUG: AuthBy FILE result: REJECT, Could not
> handle an EAP request
> Wed May 30 10:15:16 2007: INFO: Access rejected for ernst at mailfrom.nl:
> Could not handle an EAP request
> Wed May 30 10:15:16 2007: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 34014 ....
> Code: Access-Reject
> Identifier: 4
> Authentic: <253>aLF<215>e<172><218><244><241><208>*ur<172>r
> Attributes:
> Reply-Message = "Request Denied"
>
>
>
> The problem seems in the following piece of code in EAP_21.pm in a
> different configuration it gives similar errors on line 425
>
> # Also copy the reply atrs from the inner request for use
> later
> when the
> # handshake finishes, but dont reveal any MS-CHAP2-Success
> # Override any attrs that were previously sert (eg in the
> case where
> # TNC follows authentication, allowing TNC to override
> tunnels etc
> foreach (@{$tp->{rp}->{Attributes}})
> {
> $context->{last_reply_attrs}->change_attr($_->[0], $_->
> [1]);
> }
> $context->{last_reply_attrs}->delete_attr('MS-CHAP2-Success');
>
>
>
> regards,
>
> Ernst
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list