[RADIATOR] does OpenSSL 0.9.8n need patched for use with EAP-FAST?

Heikki Vatiainen hvn at open.com.au
Fri Apr 1 10:01:33 CDT 2011


On 03/31/2011 03:51 PM, Jim Veneskey wrote:

> I have gone back to openssl 1.0.0d and installed newer versions of the
> modules.

Ok, I also did some testing. Please see below for more.

> Attached is a full log of my test session, including the radius.cfg and
> users file I am using.
> My radius.cfg is basically the example one found in goodies/.

Same here.

> I am testing the setup using a Windows client running Funk Odyssey and I
> have verified that
> the credentials I am using on the client match what is in the users file.
> 
> Funk will prompt me to acquire new EAP-FAST credentials, however, when
> I instruct it to do so - it just
> keeps popping back up.

I tested with eapol_test from the wpa_supplicant package. Here's the
configuration I used:

network={
        ssid="eapol"
        proto=WPA2
        pairwise=CCMP
        key_mgmt=WPA-EAP
        eap=FAST
        anonymous_identity="hvn"
        identity="hvn"
        password="password"
        ca_cert="cacert.pem"
        phase1="fast_provisioning=2"
        pac_file="wpasupplicant.eap-fast-pac"
        phase2="autheap=MSCHAPV2"
        #dh_file="dh2048.pem"
}

Command was: ./eapol_test -p1645 -s mysecret -c eapol-eap-fast.conf

If run twice, it will succeed. The first run fetches the pac file and
then subsequent logins will succeed.

> It appears to be failing here:  (for full trace - see attachment)

Same here if I run it when there is no pac_file and fast_provisioning is
set to 1. The MSCHAP calculated challenge response does not match what
was expected.

>> Thu Mar 31 08:29:51 2011: DEBUG: Radius::AuthFILE ACCEPT: : anonymous
>> [anonymous]

It got the user and its password from users file.

>> Thu Mar 31 08:29:51 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2
>> Authentication failure

Challenge was not what was expected.

> At this point, I am not sure if I now have Radiator configured properly,
> and the issue is with my client.

The Radiator configuration should be good. I think this is related to
what happens or does not happen during pac provisioning. I'll try with
a different client, iPod, later to see how it behaves.

> Radiator is not displaying any errors about modules any more - so I'm
> guessing it may be configured properly?

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
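
The two-run procedure from the message above (first run fetches the PAC, later runs log in with it), written out as an added shell example that is not part of the original post or of Radiator. The variable names and verdict strings are illustrative, and it assumes eapol_test exits 0 only when authentication succeeds.

```shell
#!/bin/sh
# Added example: two-pass EAP-FAST check around the eapol_test command
# quoted in the message. Defaults mirror the values shown there.
EAPOL_TEST=${EAPOL_TEST:-./eapol_test}
RADIUS_PORT=${RADIUS_PORT:-1645}
RADIUS_SECRET=${RADIUS_SECRET:-mysecret}
CONF=${CONF:-eapol-eap-fast.conf}
PAC=${PAC:-wpasupplicant.eap-fast-pac}   # must match pac_file= in $CONF

# Run eapol_test once and keep its full output in the log file given as $1.
run_pass() {
    "$EAPOL_TEST" -p"$RADIUS_PORT" -s "$RADIUS_SECRET" -c "$CONF" >"$1" 2>&1
}

# Usage: eap_fast_check [log_dir]
# Prints one verdict word; returns 0 only for a successful PAC-based login.
eap_fast_check() {
    log_dir=${1:-.}
    if [ ! -s "$PAC" ]; then
        # Pass 1: no PAC yet. Its exit status is not judged, because the
        # message only promises success from the second run onwards.
        run_pass "$log_dir/pass1.log" || :
        if [ ! -s "$PAC" ]; then
            # Provisioning itself did not complete: look at pass1.log and
            # the server trace before suspecting the user's credentials.
            echo "provisioning-failed"
            return 2
        fi
    fi
    # Pass 2: a PAC is on disk, so this login is the one that must succeed.
    if run_pass "$log_dir/pass2.log"; then
        echo "ok"
        return 0
    fi
    echo "auth-failed-with-pac"
    return 1
}
```

Deleting the PAC file before calling eap_fast_check forces a fresh provisioning pass, which separates a provisioning problem from an ordinary login failure.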