[RADIATOR] [Radiator] EAP TTLS with EAP Inner Method

Heikki Vatiainen hvn at open.com.au
Tue Apr 12 13:48:09 CDT 2011


On 04/11/2011 03:55 PM, Aman Arneja wrote:

> As you might have gathered from my previous mails, i am writing an EAP
> TTLS Method. We are facing problems with using EAP Inner Methods. Non
> Eap Inner methods are working fine. I am attaching 2 log files :
>  
> 1.) radiatornoproxy : Config File = eap_ttls.cfg.
> Topology :
> Client - Wireless supplicant configured to authenticate using our TTLS +
> EAP MsChapv2
> Radiator - AuthByLsa
>  
> 2.) eapttlsradiator : Config File = eap_ttls_proxy.txt
> Topology :
> Client - Wireless supplicant configured to authenticate using our TTLS +
> EAP MsChapv2
> Radiator - AuthByRadius, with authentication terminating on Microsoft NPS
>  
> In Both Cases Radiator is rejecting the AVP sent by client after server
> sends access challenge.

From the log it looks like Radiator sends access challenge inside the
tunnel as you say:

EAP-Message =
<1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n<214><201><243>f<208><248><184><20><219>RadiatorServer1

This seems to be a well formed EAP-MSCHAP-V2 challenge according to
http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02

But when the response comes, Radiator does not even get to process it as
an AVP but the underlying TLS processing indicates there is a "wrong
version number" as seen below. In other words, it looks like after the
client receives Radiator's tunnelled EAP-MSCHAP-V2 challenge, the
tunnelling TLS thinks the received TLS record is faulty.

A quick check shows that "wrong version number" could mean a mismatch
between expected and received SSL 3.0 and TLS 1.x version. However, for
me it looks like the version is always <3><1> which is TLS 1.0.

So it looks like SSL/TLS library Radiator uses sees something it does
not like.

> Can some1 pls help us with this? Let me know if any more information is
> required. Seems to be an issue with the reading of the EAP Message from
> the AVP.

I would say it is a TLS problem. Though I am not sure what exactly.

Best regards,
Heikki


> Snippet of the issue is as follows:
> Mon Apr 11 04:34:01 2011: DEBUG: Handling request with Handler '',
> Identifier ''
> 
> Mon Apr 11 04:34:01 2011: DEBUG:  Deleting session for
> DVM-AMARNE-DC\anonymous, 192.168.10.3, 0
> 
> Mon Apr 11 04:34:01 2011: DEBUG: Handling with Radius::AuthFILE:
> 
> Mon Apr 11 04:34:01 2011: DEBUG: Handling with EAP: code 2, 7, 139, 21
> 
> Mon Apr 11 04:34:01 2011: DEBUG: Response type 21
> 
> Mon Apr 11 04:34:01 2011: DEBUG: EAP TTLS data, 3, 7, 6
> 
> Mon Apr 11 04:34:01 2011: DEBUG: EAP result: 1, EAP TTLS read failed: 
> 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
> Mon Apr 11 04:34:01 2011: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
> read failed:  1168: 1 - error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number
> 
> Mon Apr 11 04:34:01 2011: INFO: Access rejected for
> DVM-AMARNE-DC\anonymous: EAP TTLS read failed:  1168: 1 -
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
> Mon Apr 11 04:34:01 2011: DEBUG: Packet dump:
> 
> *** Sending to 192.168.10.3 port 65529 ....
> 
> Code:       Access-Reject
> 
> Identifier: 6
> 
> Authentic: 
> <179>~<25><150><242><188><191><189>_<127><180><130>O<26><21><209>
> 
> Attributes:
> 
> EAP-Message = <4><7><0><4>
> 
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Reply-Message = "Request Denied"
> 
> Thanx
> 
>  
> 
> Aman Arneja
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
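As an added example (not code from the original post or from Radiator itself), the following Python decodes the tunnelled EAP-Message quoted in the reply above from Radiator's dump notation and parses it as an EAP-MSCHAPv2 Challenge, checking the length fields the way draft-kamath-pppext-eap-mschapv2 defines them. The dump-notation rules (printable ASCII shown literally, every other byte as `<decimal>`) are an assumption inferred from the log.

```python
import re
import struct

# Tunnelled EAP-Message copied from the Radiator debug log quoted above.
# Assumed notation: printable ASCII literal, other bytes as <decimal>.
RADIATOR_DUMP = ("<1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n"
                 "<214><201><243>f<208><248><184><20><219>RadiatorServer1")

EAP_REQUEST = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_CHALLENGE = 1


def dump_to_bytes(dump):
    """Turn Radiator's <dec>/literal dump notation back into raw bytes."""
    out = bytearray()
    for token in re.findall(r"<\d+>|.", dump, flags=re.S):
        out.append(int(token[1:-1]) if token.startswith("<") else ord(token))
    return bytes(out)


def parse_eap_mschapv2_challenge(pkt):
    """Parse an EAP-Request/EAP-MSCHAPv2 Challenge, validating every length.

    Raises ValueError on inconsistencies; an inner-method implementation
    should reject such a packet rather than act on a partial challenge."""
    if len(pkt) < 10:
        raise ValueError("EAP-MSCHAPv2 packet too short")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length %d != packet size %d" % (length, len(pkt)))
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-Request of type EAP-MSCHAPv2")
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", pkt[5:10])
    if opcode != MSCHAPV2_CHALLENGE:
        raise ValueError("MS-CHAPv2 OpCode %d is not Challenge" % opcode)
    # MS-Length covers everything from the OpCode to the end of the packet.
    if ms_length != length - 5:
        raise ValueError("MS-Length %d != EAP length - 5" % ms_length)
    if value_size != 16 or len(pkt) < 26:
        raise ValueError("Challenge Value-Size must be 16")
    return {"code": code, "identifier": ident, "length": length,
            "opcode": opcode, "mschapv2_id": ms_id, "ms_length": ms_length,
            "challenge": pkt[10:26].hex(), "name": pkt[26:].decode("ascii")}


def parse_radiator_challenge():
    """Decode and parse the challenge from the quoted log."""
    return parse_eap_mschapv2_challenge(dump_to_bytes(RADIATOR_DUMP))
```

The parsed result shows EAP id 7, length 41, MS-Length 36, a 16-byte challenge and the server name "RadiatorServer1", which is why the reply above calls the challenge well formed.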
