(RADIATOR) PEAPV1-GTC implementation

SecureW2 (List) list at securew2.com
Thu Jun 5 02:47:41 CDT 2008


Hi,

I am having trouble getting my new SecureW2 PEAPV1-GTC implementation
working with Radiator and I was hoping you could shed some light on it.

It is failing in the ACCESS-ACCEPT sent by the inner GTC module:

------------------ GTC Response Tunneled in PEAP sent by SecureW2 ----------

*** Received from 82.75.154.105 port 27803 ....

Packet length = 180
01 e7 00 b4 b0 cc 03 df 3e f8 72 e0 38 29 d8 f8
6c d0 5b 65 01 0a 74 6f 6d 40 74 74 6c 73 0c 06
00 00 05 78 1e 10 30 30 30 66 2e 38 66 31 64 2e
37 36 32 30 1f 10 30 30 31 61 2e 37 33 39 31 2e
37 36 31 30 50 12 54 12 ef 07 bd 38 fa 73 4c f3
ca 68 2d 32 11 27 4f 39 02 08 00 37 19 81 00 00
00 2d 17 03 01 00 28 ce be 0d 48 f0 05 18 1f 71
dc fc 61 71 04 c7 0e a4 c3 b9 58 99 7e 47 76 24
c5 1b 02 50 ea ab c7 9f 8d 21 74 76 90 b3 dc 3d
06 00 00 00 13 05 06 00 00 01 5c 06 06 00 00 00
02 04 06 c0 a8 02 02 20 0d 72 69 78 6f 6d 61 70
31 31 30 30
Code:       Access-Request
Identifier: 231
Authentic:  <176><204><3><223>><248>r<224>8)<216><248>l<208>[e
Attributes:
        User-Name = "tom@ttls"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f1d.7620"
        Calling-Station-Id = "001a.7391.7610"
        Message-Authenticator = T<18><239><7><189>8<250>sL<243><202>h-2<17>'
        EAP-Message =
<2><8><0>7<25><129><0><0><0>-<23><3><1><0>(<206><190><13>H<240><5><24><31>q<
220><252>aq<4><199><14><164><195><185>X<153>~Gv$<197><27><2>P<234><171><199>
<159><141>!tv<144><179><220>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 348
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.2
        NAS-Identifier = "rixomap1100"

Wed Jun  4 21:51:08 2008: DEBUG: Handling request with Handler 'Realm=ttls'
Wed Jun  4 21:51:08 2008: DEBUG: Rewrote user name to tom
Wed Jun  4 21:51:08 2008: DEBUG:  Deleting session for tom@ttls, 192.168.2.2, 348
Wed Jun  4 21:51:08 2008: DEBUG: Handling with Radius::AuthFILE:
Wed Jun  4 21:51:08 2008: DEBUG: Handling with EAP: code 2, 8, 55
Wed Jun  4 21:51:08 2008: DEBUG: Response type 25
Wed Jun  4 21:51:08 2008: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Jun  4 21:51:08 2008: DEBUG: PEAP Tunnelled request Packet dump:

------------- Tunneled GTC Response sent internally by Radiator to GTC -----

Code:       Access-Request
Identifier: UNDEF
Authentic:  ]<137>"<0><254>8<181>r<214>}_<178><246>I<16>|
Attributes:
        EAP-Message = <2><1><0><14><6>zolavin38
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.2.2
        NAS-Identifier = "rixomap1100"
        NAS-Port = 348
        Calling-Station-Id = "001a.7391.7610"

Wed Jun  4 21:51:08 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Wed Jun  4 21:51:08 2008: DEBUG:  Deleting session for anonymous, 192.168.2.2, 348
Wed Jun  4 21:51:08 2008: DEBUG: Handling with Radius::AuthOTP:
Wed Jun  4 21:51:08 2008: DEBUG: Handling with EAP: code 2, 1, 14
Wed Jun  4 21:51:08 2008: DEBUG: Response type 6
Wed Jun  4 21:51:08 2008: DEBUG: EAP result: 0,
Wed Jun  4 21:51:08 2008: DEBUG: AuthBy OTP result: ACCEPT,
Wed Jun  4 21:51:08 2008: DEBUG: Access accepted for anonymous
Wed Jun  4 21:51:08 2008: DEBUG: Returned PEAP tunnelled packet dump:

------------------ GTC ACCESS-ACCEPT ----------

Code:       Access-Accept
Identifier: UNDEF
Authentic:  ]<137>"<0><254>8<181>r<214>}_<178><246>I<16>|
Attributes:
        EAP-Message = <3><1><0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Jun  4 21:51:08 2008: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
Wed Jun  4 21:51:08 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
Wed Jun  4 21:51:08 2008: DEBUG: Access challenged for tom: EAP PEAP inner authentication redespatched to a Handler
Wed Jun  4 21:51:08 2008: DEBUG: Packet dump:
*** Sending to 82.75.154.105 port 27803 ....

Packet length = 112
0b e7 00 70 89 b4 5b 6d f7 16 a3 4b 29 09 cc 66
ba 35 cd e1 4f 4a 01 09 00 48 19 01 17 03 01 00
18 7a 9a ba 58 45 b0 99 16 48 47 eb 6d 9d 32 f5
39 cd da 7c 8c 40 2f e0 bc 17 03 01 00 20 75 2e
41 15 7b 26 82 ef 13 43 a7 3c b8 a5 22 69 f0 2a
20 f3 53 f3 8a 67 7d 52 24 b5 eb 23 e0 01 50 12
56 0c 63 9d 7e 82 83 a3 d5 5e 8a 32 3d 82 21 89
Code:       Access-Challenge
Identifier: 231
Authentic:  <176><204><3><223>><248>r<224>8)<216><248>l<208>[e
Attributes:
        EAP-Message =
<1><9><0>H<25><1><23><3><1><0><24>z<154><186>XE<176><153><22>HG<235>m<157>2<
245>9<205><218>|<140>@/<224><188><23><3><1><0>
u.A<21>{&<130><239><19>C<167><<184><165>"i<240>*
<243>S<243><138>g}R$<181><235>#<224><1>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

When decrypted in SecureW2 there are two application_data messages, one 24
bytes long and the other 32 bytes (the message authenticator), but both
containing nothing that looks like an access-accept :(

The packet that should contain an access accept is:

[4348] 23:20:08:326: TLSParseServerPacket::application data (11) 
[4348] 23:20:08:326: 0B000901 00038021 00010002 00000000 |.......!........|

Which in hex is:

1,9,0,b,21,80,3,0,2,0

The last 4 are the access accept, but the EAP header is all wrong.

Is there maybe a way to enable more SSL logging?

Tom
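To see what the 11 bytes of tunnelled application data in the post actually carry, here is an added decoder (example code, not part of the original message and not Radiator or SecureW2 code). It assumes that the 32-bit words in the SecureW2 dump ("0B000901 00038021 00010002 00000000") are printed little-endian, which yields the byte sequence 01 09 00 0b 21 80 03 00 02 00 01 listed in the post. Read as an EAP packet, that is an EAP-Request (id 9, length 11) of type 33 (the PEAP "Extensions" method) carrying one mandatory Result TLV (type 3, length 2) whose value 1 means Success; the parser below handles the EAP header, the Extensions TLV list, and the plain EAP-Success/Failure case, and raises on truncated input rather than guessing.

```python
"""Decode a PEAP inner Extensions Request carrying a Result TLV.

Added example, not code from the original post, Radiator or SecureW2.
Assumption: the SecureW2 dump prints 32-bit words little-endian, so
"0B000901 00038021 00010002 00000000" (11 bytes of application data)
is the byte string 01 09 00 0b 21 80 03 00 02 00 01.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_EXTENSIONS = 33   # PEAP Extensions method, 0x21
TLV_TYPE_RESULT = 3        # Result TLV inside an Extensions packet
RESULT_VALUES = {1: "Success", 2: "Failure"}


def words_to_bytes(dump: str, length: int) -> bytes:
    """Convert a dump of little-endian 32-bit hex words into raw bytes,
    truncated to the application-data length the tracer reported."""
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in dump.split())
    return raw[:length]


def parse_eap(data: bytes) -> dict:
    """Parse the 4-byte EAP header (Code, Identifier, Length) and, for
    Request/Response, the Type byte and its type-data."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError(f"EAP length {length} inconsistent with {len(data)} bytes")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
           "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        pkt["type"] = data[4]
        pkt["type_data"] = data[5:length]
    return pkt


def parse_extensions_tlvs(type_data: bytes) -> list:
    """Walk the TLVs of an Extensions packet. Each TLV is a 16-bit field
    (bit 15 = Mandatory, low 14 bits = Type), a 16-bit Length, then Value."""
    tlvs = []
    pos = 0
    while pos < len(type_data):
        if len(type_data) - pos < 4:
            raise ValueError("TLV header truncated")
        tl, ln = struct.unpack("!HH", type_data[pos:pos + 4])
        value = type_data[pos + 4:pos + 4 + ln]
        if len(value) != ln:
            raise ValueError("TLV value truncated")
        tlv = {"mandatory": bool(tl & 0x8000), "type": tl & 0x3FFF,
               "length": ln, "value": value}
        if tlv["type"] == TLV_TYPE_RESULT and ln == 2:
            status = struct.unpack("!H", value)[0]
            tlv["result"] = RESULT_VALUES.get(status, f"Unknown({status})")
        tlvs.append(tlv)
        pos += 4 + ln
    return tlvs


def describe_inner_packet(data: bytes) -> str:
    """One-line summary of a tunnelled EAP packet, Result TLVs included."""
    pkt = parse_eap(data)
    if pkt["code"] in (3, 4):
        return f"EAP-{pkt['code_name']} id={pkt['id']}"
    if pkt.get("type") != EAP_TYPE_EXTENSIONS:
        return f"EAP-{pkt['code_name']} id={pkt['id']} type={pkt['type']}"
    tlvs = parse_extensions_tlvs(pkt["type_data"])
    results = [t["result"] for t in tlvs if "result" in t]
    return (f"EAP-{pkt['code_name']} id={pkt['id']} Extensions "
            f"Result TLV: {', '.join(results) or 'none'}")


# Words as shown in the SecureW2 trace above; 11 is the reported data length.
SECUREW2_DUMP = "0B000901 00038021 00010002 00000000"
INNER = words_to_bytes(SECUREW2_DUMP, 11)

if __name__ == "__main__":
    print(INNER.hex(" "))
    print(describe_inner_packet(INNER))
```

Running it prints the reconstructed bytes and "EAP-Request id=9 Extensions Result TLV: Success". The same `describe_inner_packet` can be pointed at the 4-byte `<3><1><0><4>` from the inner Access-Accept, which it reports as a bare EAP-Success, so the two forms of success indication seen in this trace can be told apart in a debugging script.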

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.