(RADIATOR) PEAPV1-GTC implementation
Hugh Irvine
hugh at open.com.au
Thu Jun 5 03:27:38 CDT 2008
Hello Tom -
Further to this, please see sections 5.18.41 and 5.18.42 in the
Radiator 4.2 reference manual ("doc/ref.pdf").
regards
Hugh
On 5 Jun 2008, at 18:24, Hugh Irvine wrote:
>
> Hello Tom -
>
> I still need to see a copy of your configuration file.
>
> regards
>
> Hugh
>
>
> On 5 Jun 2008, at 18:12, SecureW2 ((List)) wrote:
>
>> Hugh,
>>
>> Sorry about this, it was quite late yesterday and I somehow
>> convinced myself
>> that my own debug logging was using the ASCII debug log of radiator.
>>
>> The decrypted packet header is correct, but it is the extended
>> response
>> packet that is used in PEAPv0
>> (http://tools.ietf.org/html/draft-kamath-pppext-peapv0-00 section
>> 2.1). I am
>> however using PEAPv1 in this particular authentication.
>>
>> I am not sure if this is correct, but in PEAPv1 I expect a simple
>> ACCESS-ACCEPT packet, not the extended response which I would
>> expect in
>> PEAPv0.
>>
>> Regards,
>>
>> Tom
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: Hugh Irvine [mailto:hugh at open.com.au]
>>> Verzonden: donderdag 5 juni 2008 10:05
>>> Aan: SecureW2 (List)
>>> CC: radiator at open.com.au
>>> Onderwerp: Re: (RADIATOR) PEAPV1-GTC implementation
>>>
>>>
>>> Hello -
>>>
>>> The final packet shown in the debug below is a PEAP access
>>> challenge,
>>> not an access accept.
>>>
>>> I will need to see your configuration file as well as the trace 4
>>> debug.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 5 Jun 2008, at 17:47, SecureW2 ((List)) wrote:
>>>
>>>> Hi,
>>>>
>>>> I am having trouble getting my new SecureW2 PEAPV1-GTC
>>>> implementation
>>>> working with Radiator and I was hoping if you could shed some light
>>>> on it.
>>>>
>>>> It is failing in the ACCESS-ACCEPT send by the inner GTC module:
>>>>
>>>> ------------------ GTC Response Tunneled in PEAP sent by SecureW2
>>>> ----------
>>>>
>>>> *** Received from 82.75.154.105 port 27803 ....
>>>>
>>>> Packet length = 180
>>>> 01 e7 00 b4 b0 cc 03 df 3e f8 72 e0 38 29 d8 f8 6c d0 5b 65 01 0a
>>>> 74 6f 6d
>>>> 40 74 74 6c 73 0c 06 00 00 05 78 1e 10 30 30 30 66 2e 38 66 31
>>>> 64 2e
>>>> 37 36 32 30 1f 10 30 30 31 61 2e 37 33 39 31 2e
>>>> 37 36 31 30 50 12 54 12 ef 07 bd 38 fa 73 4c f3 ca 68 2d 32 11 27
>>>> 4f 39 02
>>>> 08 00 37 19 81 00 00 00 2d 17 03 01 00 28 ce be 0d 48 f0 05 18 1f
>>>> 71 dc fc
>>>> 61 71 04 c7 0e a4 c3 b9 58 99 7e 47 76 24
>>>> c5 1b 02 50 ea ab c7 9f 8d 21 74 76 90 b3 dc 3d
>>>> 06 00 00 00 13 05 06 00 00 01 5c 06 06 00 00 00
>>>> 02 04 06 c0 a8 02 02 20 0d 72 69 78 6f 6d 61 70
>>>> 31 31 30 30
>>>> Code: Access-Request
>>>> Identifier: 231
>>>> Authentic: <176><204><3><223>><248>r<224>8)<216><248>l<208>[e
>>>> Attributes:
>>>> User-Name = "tom at ttls"
>>>> Framed-MTU = 1400
>>>> Called-Station-Id = "000f.8f1d.7620"
>>>> Calling-Station-Id = "001a.7391.7610"
>>>> Message-Authenticator =
>>>> T<18><239><7><189>8<250>sL<243><202>h-2<17>'
>>>> EAP-Message =
>>>> <2><8><0>7<25><129><0><0><0>-<23><3><1><0>
>>>> (<206><190><13>H<240><5><24><31>q<
>>>> 220><252>aq<4><199><14><164><195><185>X<153>~Gv
>>>> $<197><27><2>P<234><171><199>
>>>> <159><141>!tv<144><179><220>
>>>> NAS-Port-Type = Wireless-IEEE-802-11
>>>> NAS-Port = 348
>>>> Service-Type = Framed-User
>>>> NAS-IP-Address = 192.168.2.2
>>>> NAS-Identifier = "rixomap1100"
>>>>
>>>> Wed Jun 4 21:51:08 2008: DEBUG: Handling request with Handler
>>>> 'Realm=ttls'
>>>> Wed Jun 4 21:51:08 2008: DEBUG: Rewrote user name to tom Wed
>>>> Jun 4
>>>> 21:51:08 2008: DEBUG: Deleting session for tom at ttls, 192.168.2.2,
>>>> 348 Wed
>>>> Jun 4 21:51:08 2008: DEBUG: Handling with Radius::AuthFILE:
>>>> Wed Jun 4 21:51:08 2008: DEBUG: Handling with EAP: code 2, 8, 55
>>>> Wed Jun 4
>>>> 21:51:08 2008: DEBUG: Response type 25 Wed Jun 4 21:51:08 2008:
>>>> DEBUG: EAP
>>>> PEAP inner authentication request for anonymous Wed Jun 4 21:51:08
>>>> 2008:
>>>> DEBUG: PEAP Tunnelled request Packet dump:
>>>>
>>>> ------------- Tunneled GTC Response sent internally by Radiator to
>>>> GTC -----
>>>>
>>>> Code: Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: ]<137>"<0><254>8<181>r<214>}_<178><246>I<16>|
>>>> Attributes:
>>>> EAP-Message = <2><1><0><14><6>zolavin38
>>>> Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>> User-Name = "anonymous"
>>>> NAS-IP-Address = 192.168.2.2
>>>> NAS-Identifier = "rixomap1100"
>>>> NAS-Port = 348
>>>> Calling-Station-Id = "001a.7391.7610"
>>>>
>>>> Wed Jun 4 21:51:08 2008: DEBUG: Handling request with Handler
>>>> 'TunnelledByPEAP=1'
>>>> Wed Jun 4 21:51:08 2008: DEBUG: Deleting session for anonymous,
>>>> 192.168.2.2, 348 Wed Jun 4 21:51:08 2008: DEBUG: Handling with
>>>> Radius::AuthOTP:
>>>> Wed Jun 4 21:51:08 2008: DEBUG: Handling with EAP: code 2, 1, 14
>>>> Wed Jun 4
>>>> 21:51:08 2008: DEBUG: Response type 6 Wed Jun 4 21:51:08 2008:
>>>> DEBUG: EAP
>>>> result: 0, Wed Jun 4 21:51:08 2008: DEBUG: AuthBy OTP result:
>>>> ACCEPT, Wed
>>>> Jun 4 21:51:08 2008: DEBUG: Access accepted for anonymous Wed
>>>> Jun 4
>>>> 21:51:08 2008: DEBUG: Returned PEAP tunnelled packet dump:
>>>>
>>>> ------------------ GTC ACCESS-ACCEPT ----------
>>>>
>>>> Code: Access-Accept
>>>> Identifier: UNDEF
>>>> Authentic: ]<137>"<0><254>8<181>r<214>}_<178><246>I<16>|
>>>> Attributes:
>>>> EAP-Message = <3><1><0><4>
>>>> Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Wed Jun 4 21:51:08 2008: DEBUG: EAP result: 3, EAP PEAP inner
>>>> authentication redespatched to a Handler Wed Jun 4 21:51:08 2008:
>>>> DEBUG:
>>>> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
>>>> redespatched to
>>>> a Handler Wed Jun 4 21:51:08 2008: DEBUG: Access challenged for
>>>> tom: EAP
>>>> PEAP inner authentication redespatched to a Handler Wed Jun 4
>>>> 21:51:08
>>>> 2008: DEBUG: Packet dump:
>>>> *** Sending to 82.75.154.105 port 27803 ....
>>>>
>>>> Packet length = 112
>>>> 0b e7 00 70 89 b4 5b 6d f7 16 a3 4b 29 09 cc 66 ba 35 cd e1 4f 4a
>>>> 01 09 00
>>>> 48 19 01 17 03 01 00
>>>> 18 7a 9a ba 58 45 b0 99 16 48 47 eb 6d 9d 32 f5
>>>> 39 cd da 7c 8c 40 2f e0 bc 17 03 01 00 20 75 2e
>>>> 41 15 7b 26 82 ef 13 43 a7 3c b8 a5 22 69 f0 2a 20 f3 53 f3 8a 67
>>>> 7d 52 24
>>>> b5 eb 23 e0 01 50 12
>>>> 56 0c 63 9d 7e 82 83 a3 d5 5e 8a 32 3d 82 21 89
>>>> Code: Access-Challenge
>>>> Identifier: 231
>>>> Authentic: <176><204><3><223>><248>r<224>8)<216><248>l<208>[e
>>>> Attributes:
>>>> EAP-Message =
>>>> <1><9><0>H<25><1><23><3><1><0><24>z<154><186>XE<176><153><22>HG<235
>>>> >m<
>>>> 157>2<
>>>> 245>9<205><218>|<140>@/<224><188><23><3><1><0>
>>>> u.A<21>{&<130><239><19>C<167><<184><165>"i<240>*
>>>> <243>S<243><138>g}R$<181><235>#<224><1>
>>>> Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> When decrypted in SecureW2 there are two application_data messages,
>>>> one 24
>>>> bytes long and the other 32 bytes (the message authenticator)
>>>> but both
>>>> containing nothing that looks like a access-accept :(
>>>>
>>>> The packet that should contain an access accept is:
>>>>
>>>> [4348] 23:20:08:326: TLSParseServerPacket::application data (11)
>>>> [4348] 23:20:08:326: 0B000901 00038021 00010002 00000000
>>>> |.......!........|
>>>>
>>>> Which in hex is:
>>>>
>>>> 1,9,0,b,21,80,3,0,2,0
>>>>
>>>> The last 4 are the access accept, but the EAP header is all wrong.
>>>>
>>>> Is there maybe a way to enable more SSL logging?
>>>>
>>>> Tom
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/
>>> archives/
>>> radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database
>>> independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like
>>> systems.
>>>
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/
> archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list