[RADIATOR] [Radiator] EAP TTLS with EAP Inner Method

Aman Arneja arneja.aman at gmail.com
Wed Apr 13 04:04:24 CDT 2011


This turned out to be an issue with the MsChapV2 AVP and the trailer bits.
This is now resolved.

Thanx

Aman Arneja

On Wed, Apr 13, 2011 at 12:18 AM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 04/11/2011 03:55 PM, Aman Arneja wrote:
>
> > As you might have gathered from my previous mails, I am writing an EAP
> > TTLS Method. We are facing problems with using EAP Inner Methods. Non
> > Eap Inner methods are working fine. I am attaching 2 log files:
> >
> > 1.) radiatornoproxy : Config File = eap_ttls.cfg.
> > Topology :
> > Client - Wireless supplicant configured to authenticate using our TTLS +
> > EAP MsChapv2
> > Radiator - AuthByLsa
> >
> > 2.) eapttlsradiator : Config File = eap_ttls_proxy.txt
> > Topology :
> > Client - Wireless supplicant configured to authenticate using our TTLS +
> > EAP MsChapv2
> > Radiator - AuthByRadius, with authentication terminating on Microsoft NPS
> >
> > In both cases Radiator is rejecting the AVP sent by the client after the
> > server sends an access challenge.
>
> From the log it looks like Radiator sends access challenge inside the
> tunnel as you say:
>
> EAP-Message =
>
> <1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n<214><201><243>f<208><248><184><20><219>RadiatorServer1
>
> This seems to be a well formed EAP-MSCHAP-V2 challenge according to
> http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02
>
> But when the response comes, Radiator does not even get to process it as
> an AVP but the underlying TLS processing indicates there is a "wrong
> version number" as seen below. In other words, it looks like after the
> client receives Radiator's tunnelled EAP-MSCHAP-V2 challenge, the
> tunnelling TLS thinks the received TLS record is faulty.
>
> A quick check shows that "wrong version number" could mean a mismatch
> between expected and received SSL 3.0 and TLS 1.x version. However, for
> me it looks like the version is always <3><1> which is TLS 1.0.
>
> So it looks like the SSL/TLS library Radiator uses sees something it does
> not like.
>
> > Can someone please help us with this? Let me know if any more information is
> > required. Seems to be an issue with the reading of the EAP Message from
> > the AVP.
>
> I would say it is a TLS problem. Though I am not sure what exactly.
>
> Best regards,
> Heikki
>
>
> > Snippet of the issue is as follows:
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling request with Handler '',
> > Identifier ''
> >
> > Mon Apr 11 04:34:01 2011: DEBUG:  Deleting session for
> > DVM-AMARNE-DC\anonymous, 192.168.10.3, 0
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling with Radius::AuthFILE:
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling with EAP: code 2, 7, 139, 21
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Response type 21
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: EAP TTLS data, 3, 7, 6
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: EAP result: 1, EAP TTLS read failed:
> > 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> > number
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
> > read failed:  1168: 1 - error:1408F10B:SSL
> > routines:SSL3_GET_RECORD:wrong version number
> >
> > Mon Apr 11 04:34:01 2011: INFO: Access rejected for
> > DVM-AMARNE-DC\anonymous: EAP TTLS read failed:  1168: 1 -
> > error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Packet dump:
> >
> > *** Sending to 192.168.10.3 port 65529 ....
> >
> > Code:       Access-Reject
> >
> > Identifier: 6
> >
> > Authentic:
> > <179>~<25><150><242><188><191><189>_<127><180><130>O<26><21><209>
> >
> > Attributes:
> >
> > EAP-Message = <4><7><0><4>
> >
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Reply-Message = "Request Denied"
> >
> > Thanx
> >
> > Aman Arneja
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
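The following is an added example, not code from this thread or from Radiator: it decodes the tunnelled EAP-MSCHAP-V2 challenge quoted in Heikki's reply (byte values taken from that log line) and shows the RFC 5281 AVP framing a TTLS implementation wraps it in, including the 4-byte alignment padding that is assumed here to be the "trailer bits" Aman mentions. A receiver that forgets to skip that padding misreads the next AVP header, which is the kind of framing slip that breaks the inner exchange.

```python
import struct

# Bytes copied from the EAP-Message in the log above (Radiator's tunnelled
# EAP-MSCHAP-V2 challenge, the <n> tokens decoded into raw bytes).
CHALLENGE_EAP = (
    b"\x01\x07\x00\x29"           # EAP Request, id 7, length 41 (0x29 = ')')
    b"\x1a"                       # type 26 = EAP-MSCHAP-V2
    b"\x01\x07\x00\x24"           # OpCode 1 Challenge, MS-id 7, MS-Length 36 ('$')
    b"\x10"                       # Value-Size 16
    b"\x23\xce\x63\x81\xea\xe1\x6e\xd6\xc9\xf3\x66\xd0\xf8\xb8\x14\xdb"
    b"RadiatorServer1"            # authenticator name
)

AVP_EAP_MESSAGE = 79  # RADIUS EAP-Message attribute code, reused as TTLS AVP code

def parse_mschapv2_challenge(eap):
    """Parse an EAP-MSCHAP-V2 Challenge (draft-kamath) and check every length."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code != 1 or length != len(eap) or eap[4] != 26:
        raise ValueError("not an EAP-MSCHAP-V2 request")
    opcode, ms_id, ms_len, vsize = struct.unpack("!BBHB", eap[5:10])
    if opcode != 1 or ms_len != length - 5:      # MS-Length excludes EAP hdr+type
        raise ValueError("bad MS-CHAPv2 header")
    challenge = eap[10:10 + vsize]
    name = eap[10 + vsize:]
    return {"id": ident, "challenge": challenge, "name": name.decode()}

def encode_ttls_avp(code, data, mandatory=True):
    """RFC 5281 AVP: code(4) flags(1) length(3) data, then pad to 4 bytes."""
    length = 8 + len(data)               # header + data; padding is NOT counted
    flags = 0x40 if mandatory else 0x00  # M bit; V bit clear (no Vendor-ID)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    pad = (-length) % 4
    return header + data + b"\x00" * pad

def decode_ttls_avps(buf):
    """Walk a tunnel payload, skipping each AVP's trailing padding."""
    avps, off = [], 0
    while off < len(buf):
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        start = off + (12 if flags & 0x80 else 8)   # 4 more bytes if Vendor-ID
        avps.append((code, buf[start:off + length]))
        off += length + (-length) % 4   # the trailer: advance past padding
    return avps
```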