(RADIATOR) Latest patch set breaks TTLS authentication
Mike McCauley
mikem at open.com.au
Wed May 30 17:27:30 CDT 2007
Hello Ernst,
thanks for reporting this problem. We have now fixed the patch set. We
apologise for any inconvenience.
Cheers.
On Wednesday 30 May 2007 19:07, Ernst Oudhof wrote:
> Hi,
>
> The latest patch set seems to break TTLS authentication even in a very
> simple configuration.
>
> For example:
>
>
> <Handler TunnelledByTTLS=1>
>     <AuthBy FILE>
>         Filename %D/users
>     </AuthBy>
> </Handler>
>
> <Handler EAP-Message=/.+/>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType TTLS,PEAP
>         EAPTLS_CAFile %D/root.pem
>         EAPTLS_CertificateFile %D/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/cert-srv.pem
>         EAPTLS_MaxFragmentSize 1024
>         AutoMPPEKeys
>         EAPAnonymous %0
>     </AuthBy>
> </Handler>
>
>
> Relevant Debug logs
>
>
> *** Received from 127.0.0.1 port 34014 ....
> Code: Access-Request
> Identifier: 4
> Authentic: <253>aLF<215>e<172><218><244><241><208>*ur<172>r
> Attributes:
> User-Name = "ernst at mailfrom.nl"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "CONNECT 11Mbps 802.11b"
>
> Wed May 30 10:15:16 2007: DEBUG: Handling request with Handler
> 'EAP-Message=/.+/'
> Wed May 30 10:15:16 2007: DEBUG: Deleting session for ernst at mailfrom.nl,
> 127.0.0.1,
> Wed May 30 10:15:16 2007: DEBUG: Handling with Radius::AuthFILE:
> Wed May 30 10:15:16 2007: DEBUG: Handling with EAP: code 2, 4, 128
> Wed May 30 10:15:16 2007: DEBUG: Response type 21
> Wed May 30 10:15:16 2007: DEBUG: EAP TTLS data, 3, 4, 3
> Wed May 30 10:15:16 2007: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "ernst at mailfrom.nl"
> User-Password = xxxxxxx
>
> Wed May 30 10:15:16 2007: DEBUG: EAP TTLS inner authentication request for
> ernst at mailfrom.nl
> Wed May 30 10:15:16 2007: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1'
> Wed May 30 10:15:16 2007: DEBUG: Deleting session for ernst at mailfrom.nl,
> 127.0.0.1,
> Wed May 30 10:15:16 2007: DEBUG: Handling with Radius::AuthFILE:
> Wed May 30 10:15:16 2007: DEBUG: Reading users file /etc/radiator/users
> Wed May 30 10:15:16 2007: DEBUG: Radius::AuthFILE looks for match with
> ernst at mailfrom.nl [ernst at mailfrom.nl]
> Wed May 30 10:15:16 2007: DEBUG: Radius::AuthFILE ACCEPT: :
> ernst at mailfrom.nl [ernst at mailfrom.nl]
> Wed May 30 10:15:16 2007: DEBUG: AuthBy FILE result: ACCEPT,
> Wed May 30 10:15:16 2007: DEBUG: Access accepted for ernst at mailfrom.nl
> Wed May 30 10:15:16 2007: DEBUG: Returned TTLS tunnelled Diameter Packet
> dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: A<252><232>n>x<154>s<12><145><252><191><190>B<134>+
> Attributes:
>
> Wed May 30 10:15:16 2007: ERR: Could not handle an EAP request: Can't call
> method "delete_attr" on an undefined value at
> /usr/local/share/perl/5.8.8/Radius/EAP_21.pm line 427.
>
> Wed May 30 10:15:16 2007: DEBUG: AuthBy FILE result: REJECT, Could not
> handle an EAP request
> Wed May 30 10:15:16 2007: INFO: Access rejected for ernst at mailfrom.nl:
> Could not handle an EAP request
> Wed May 30 10:15:16 2007: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 34014 ....
> Code: Access-Reject
> Identifier: 4
> Authentic: <253>aLF<215>e<172><218><244><241><208>*ur<172>r
> Attributes:
> Reply-Message = "Request Denied"
>
>
>
> The problem seems to be in the following piece of code in EAP_21.pm; in a
> different configuration it gives similar errors on line 425.
>
> # Also copy the reply attrs from the inner request for use later when the
> # handshake finishes, but don't reveal any MS-CHAP2-Success.
> # Override any attrs that were previously set (eg in the case where
> # TNC follows authentication, allowing TNC to override tunnels etc)
> foreach (@{$tp->{rp}->{Attributes}})
> {
>     $context->{last_reply_attrs}->change_attr($_->[0], $_->[1]);
> }
> $context->{last_reply_attrs}->delete_attr('MS-CHAP2-Success');
>
>
>
> regards,
>
> Ernst
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
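The undefined-value failure shown in the log above, as an added example that is not Radiator's code: a small constructed attribute-list class stands in for Radius::AttrVal (only the two method names quoted from EAP_21.pm are reused), and the guarded copy loop creates the container before calling into it, so an inner Access-Accept with or without reply attributes no longer dies.

```perl
#!/usr/bin/perl
# Added example, not Radiator's own code. Reproduces the "Can't call method
# delete_attr on an undefined value" failure and shows a defensive guard.
use strict;
use warnings;

package AttrList;   # constructed stand-in for the real attribute container
sub new { my $class = shift; return bless { attrs => [] }, $class; }
# Replace an attribute of the same name if present, otherwise append it
sub change_attr {
    my ($self, $name, $value) = @_;
    for my $pair (@{ $self->{attrs} }) {
        if ($pair->[0] eq $name) { $pair->[1] = $value; return; }
    }
    push @{ $self->{attrs} }, [ $name, $value ];
}
# Drop every attribute with the given name
sub delete_attr {
    my ($self, $name) = @_;
    $self->{attrs} = [ grep { $_->[0] ne $name } @{ $self->{attrs} } ];
}
sub names { my $self = shift; return map { $_->[0] } @{ $self->{attrs} }; }

package main;

# Copy the inner reply's attributes into the TTLS context, as the quoted
# EAP_21.pm loop does, but create the container first if the context has none.
sub copy_inner_reply_attrs {
    my ($context, $inner_reply) = @_;
    $context->{last_reply_attrs} ||= AttrList->new();   # the guard
    foreach (@{ $inner_reply->{Attributes} }) {
        $context->{last_reply_attrs}->change_attr($_->[0], $_->[1]);
    }
    # Never leak the inner MS-CHAP2-Success to the outer reply
    $context->{last_reply_attrs}->delete_attr('MS-CHAP2-Success');
}

# Constructed inner Access-Accept: one harmless attribute plus MS-CHAP2-Success
my $inner_reply = { Attributes => [ ['Session-Timeout', 3600],
                                    ['MS-CHAP2-Success', 'S=placeholder'] ] };

# Unguarded: a fresh context has no last_reply_attrs, so the call dies
my $bare = {};
eval { $bare->{last_reply_attrs}->delete_attr('MS-CHAP2-Success') };
print "unguarded: $@";

# Guarded: same fresh context, now copies safely and strips MS-CHAP2-Success
my $ctx = {};
copy_inner_reply_attrs($ctx, $inner_reply);
print "guarded: ", join(',', $ctx->{last_reply_attrs}->names), "\n";
```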