[RADIATOR] EAP-Peap-ntlm stops

Heikki Vatiainen hvn at open.com.au
Wed Dec 7 14:13:23 CST 2011


On 12/06/2011 11:53 PM, Fabio Prina wrote:

> I'm trying to authenticate my office WIFI network
> 
> If in the inner auth I use an AuthBy FILE, all works fine, but if I use NTLM the communication stops just after the last Access-Challenge (with a success). Anyway, if I use a wrong password I receive an Access-Reject.
> 
> Do you have any idea ?

The configuration you had included has this:
PTLS_PEAPVersion 0

Please make sure this is what you really have:
EAPTLS_PEAPVersion 0

If this is correct, then I know at least one case that has caused this
kind of problem. The answer ntlm_auth returns is incorrect and the
client thinks the RADIUS server has failed MSCHAP-V2 server authentication.
The client then immediately stops the authentication process.

See for example these for the bug description:

https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/623342

Thanks!
Heikki


> Cheers
> --
> Fabio
> 
> 
> 
> <AuthBy FILE>
>     Filename %D/users
>     EAPType PEAP
> 
>     EAPTLS_CAFile %D/certificates/startssl/ca-startssl.pem
>     EAPTLS_CertificateFile %D/certificates/startssl/auth2.wtest.it.pem
>     EAPTLS_PrivateKeyFile %D/certificates/startssl/auth2.wtest.it.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_MaxFragmentSize 1024
>     AutoMPPEKeys
>     EAPAnonymous anonymous@wifi.wtest.it
>     PTLS_PEAPVersion 0
> 
>     Identifier          wtestOfficeWIFI_OUT
> </AuthBy>
> 
> 
> <AuthBy NTLM>
>     DefaultDomain   OFFICE
>     EAPType         MSCHAP-V2
>     Identifier      wtestOfficeWIFI_IN
> </AuthBy>
> 
> ############
> <Handler TunnelledByPEAP=1>
>     AuthBy              wtestOfficeWIFI_IN
> </Handler>
> 
> 
> <Handler Client-Identifier=/wtestWIFI/>
>     RewriteUsername     s/OFFICE\\(.*)/$1/
> 
>     AuthBy          wtestOfficeWIFI_OUT
> 
>     AcctLogFileName     %L/wtest_office/acct_wifi.%Y%m
>     <Log FILE>
>         Filename        %L/wtest_office/auth_wifi.%Y%m
>         Trace           3
>     </Log>
> </Handler>
> 
> 
> 
> ########################
> #Tail log
> 
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <137><129>B<180><232>s<192>)<139>/<150>Y<4><161>O<31>
> Attributes:
>         EAP-Message = <2><12><0>K<26><2><12><0>J1<201>"<210><217>>l<15><6><130>)<205><156>e<137>X<131><0><0><0><0><0><0><0><0>*<157>m v<147><29><173>oZ<251>jh<190>)<230>KZ}<175><145><167><174><20><0>OFFICE\Wuser
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 10.10.241.14
>         NAS-Identifier = "wf15.ftmil"
>         NAS-Port = 4325
>         Calling-Station-Id = "000f.6644.f67d"
>         User-Name = "anonymous@wifi.wtest.it"
> 
> Tue Dec  6 17:32:50 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Tue Dec  6 17:32:50 2011: DEBUG: Session_db0 Deleting session for anonymous@wifi.wtest.it, 10.10.241.14, 4325
> Tue Dec  6 17:32:50 2011: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.10.241.14' and NASPORT='4325' and VIPIDENTIFIER='' and USERNAME='anonymous@wifi.wtest.it'':
> Tue Dec  6 17:32:50 2011: DEBUG: Handling with Radius::AuthNTLM: wtestOfficeWIFI_IN
> Tue Dec  6 17:32:50 2011: DEBUG: Handling with EAP: code 2, 12, 75, 26
> Tue Dec  6 17:32:50 2011: DEBUG: Response type 26
> Tue Dec  6 17:32:50 2011: DEBUG: Radius::AuthNTLM looks for match with OFFICE\Wuser [anonymous@wifi.wtest.it]
> Tue Dec  6 17:32:50 2011: DEBUG: Radius::AuthNTLM ACCEPT: : OFFICE\Wuser [anonymous@wifi.wtest.it]
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute LANMAN-Challenge: 298f418cba0abf15
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute NT-Response: 2a9d6d2076931dad6f5afb6a68be29e64b5a7daf91a7ae14
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute NT-Domain:: T0ZGSUNF
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute Username:: QWRtaW5pc3RyYXRvcg==
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: .
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: Authenticated: Yes
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: LANMAN-Session-Key: 7BBE0E4BDAF2DBA3
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: User-Session-Key: 0EF1975AD0D4DA6A2C2586C26B3AA205
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: .
> Tue Dec  6 17:32:50 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Tue Dec  6 17:32:50 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Tue Dec  6 17:32:50 2011: DEBUG: Access challenged for anonymous@wifi.wtest.it: EAP MSCHAP V2 Challenge: Success
> Tue Dec  6 17:32:50 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <137><129>B<180><232>s<192>)<139>/<150>Y<4><161>O<31>
> Attributes:
>         EAP-Message = <1><13><0>=<26><3><12><0>8S=1D80B53D82D30962031491DA6547DAC863B2D602 M=success
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Dec  6 17:32:50 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Dec  6 17:32:50 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Dec  6 17:32:50 2011: DEBUG: Access challenged for Wuser: EAP PEAP inner authentication redispatched to a Handler
> Tue Dec  6 17:32:50 2011: DEBUG: Packet dump:
> *** Sending to 10.10.241.14 port 1645 ....
> Code:       Access-Challenge
> Identifier: 209
> Authentic:  <237><158><241>LFp<169>8<132><245><9><182><136>w<170><15>
> Attributes:
>         EAP-Message = <1><13><0>T<25><0><23><3><1><0>IZ<173><239>C<133>W<169>1lZ<235>^R<200><248>P<28><178><169><195>3<199><196><11><243>9<158><252><163>D<195>/<236>R<252><225>W<6>X+<224>8x_<169><133><197><200><178>:#<137>o<2><19><224><141><136>q<22><217>Lk<154><172><197>Zw:<182><148><203>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

