[RADIATOR] EAP-PEAP Windows XP Wired Ethernet

Heikki Vatiainen hvn at open.com.au
Tue Dec 20 06:20:15 CST 2011


On 12/20/2011 06:06 AM, Indrajaya Pitra Perdana wrote:

> I upgraded the IOS in my Catalyst; the results look a little bit
> different. It seems that the certificate is doing okay, but somehow it keeps
> asking for an anonymous user? Is there a configuration that I missed? Here are
> the log file and the config, thanks

Looks like PEAP authentication is now working much better. You should
change your configuration a little and it should work after that.

Add new Handler before the other Handlers:

<Handler Request-Type=Accounting-Request>
  # Move the second AuthBy from Handler TunnelledByPEAP=1 here
  # You can also remove the second AuthBy from the last Handler
</Handler>

Now it fails because of this:
Tue Dec 20 10:54:17 2011: DEBUG: EAP result: 1, Not authenticated by
this AuthBy
Tue Dec 20 10:54:17 2011: DEBUG: AuthBy SQL result: REJECT, Not
authenticated by this AuthBy

The AuthBy is the second AuthBy in Handler TunnelledByPEAP=1

About anonymous: 'anonymous' is a name that does not matter here. You
should look for PEAP tunnelled requests, 'DEBUG: PEAP Tunnelled request
Packet dump:', which show the inner authentication and the real
identity. For example:

Tue Dec 20 10:54:16 2011: DEBUG: Radius::AuthSQL looks for match with
indrajaya [anonymous]

Here 'indrajaya' is the real identity and 'anonymous' in this case is
the default value of User-Name attribute Radiator adds into tunnelled
request.

Once you change Handler TunnelledByPEAP=1 I am quite sure your
configuration will work. Can you tell us how old the IOS version you
were using was?

Thanks!
Heikki

> 
> 
> /Regards,
> Indrajaya Pitra Perdana/
> 
> On 12/17/2011 2:01 PM, vietrha at indo.net.id wrote:
>>
>> I'm using Microsoft Windows XP Professional SP 2
>>
>> Quoting Heikki Vatiainen <hvn at open.com.au>:
>>
>>> On 12/16/2011 04:13 AM, Indrajaya Pitra Perdana wrote:
>>>
>>>> Thanks, I gave it a try; I already enabled TLS trace in my Win XP, and I
>>>> don't see that there's a certificate exchange :-)
>>> What client are you using? I noticed the log shows it sends EAP TLS
>>> (type 13) responses while also logging about detecting PEAP authentication.
>>>
>>>> [1448] 11:49:36:218: PeapReadConnectionData
>>>> [1448] 11:49:36:218: PeapReadUserData
>>>> [1448] 11:49:36:218: RasEapGetInfo
>>>> [2884] 11:49:52:515: EapPeapBegin
>>>> [2884] 11:49:52:515: PeapReadConnectionData
>>>> [2884] 11:49:52:515: PeapReadUserData
>>>> [2884] 11:49:52:515:
>>>> [2884] 11:49:52:515: EapTlsBegin(test)
>>>> [2884] 11:49:52:515: State change to Initial
>>>> [2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
>>>> [2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
>>>> [2884] 11:49:52:515: MaxTLSMessageLength is now 16384
>>>> [2884] 11:49:52:515: EapPeapBegin done
>>>> [2884] 11:49:52:515: EapPeapMakeMessage
>>>> [2884] 11:49:52:515: EapPeapCMakeMessage
>>>> [2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
>>>> [2884] 11:49:52:515: EapTlsCMakeMessage
>>>> [2884] 11:49:52:515: EapTlsReset
>>>> [2884] 11:49:52:515: State change to Initial
>>>> [2884] 11:49:52:515: GetCredentials
>>>> [2884] 11:49:52:515: Flag is Client and Store is Current User
>>>> [2884] 11:49:52:515: GetCachedCredentials
>>>> [2884] 11:49:52:515: FreeCachedCredentials
>>>> [2884] 11:49:52:515: No Cert Store.  Guest Access requested
>>>> [2884] 11:49:52:515: No Cert Name.  Guest access requested
>>>> [2884] 11:49:52:515: Will validate server cert
>>>> [2884] 11:49:52:515: MakeReplyMessage
>>>> [2884] 11:49:52:515: SecurityContextFunction
>>>> [2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
>>>> [2884] 11:49:52:515: State change to SentHello
>>>> [2884] 11:49:52:515: BuildPacket
>>>> [2884] 11:49:52:515: << Sending Response (Code: 2) packet: Id: 2,
>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>> [2884] 11:49:52:515: EapPeapCMakeMessage done
>>>> [2884] 11:49:52:515: EapPeapMakeMessage done
>>>> [1352] 11:50:22:531: EapPeapEnd
>>>> [1352] 11:50:22:531: EapTlsEnd
>>>> [1352] 11:50:22:531: EapTlsEnd(test)
>>>> [1352] 11:50:22:531: EapPeapEnd done
>>>> [1352] 11:50:22:562: EapPeapBegin
>>>> [1352] 11:50:22:562: PeapReadConnectionData
>>>> [1352] 11:50:22:562: PeapReadUserData
>>>> [1352] 11:50:22:562:
>>>> [1352] 11:50:22:562: EapTlsBegin(test)
>>>> [1352] 11:50:22:562: State change to Initial
>>>> [1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
>>>> [1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
>>>> [1352] 11:50:22:562: MaxTLSMessageLength is now 16384
>>>> [1352] 11:50:22:562: EapPeapBegin done
>>>> [1352] 11:50:22:562: EapPeapMakeMessage
>>>> [1352] 11:50:22:562: EapPeapCMakeMessage
>>>> [1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
>>>> [1352] 11:50:22:562: EapTlsCMakeMessage
>>>> [1352] 11:50:22:562: EapTlsReset
>>>> [1352] 11:50:22:562: State change to Initial
>>>> [1352] 11:50:22:562: GetCredentials
>>>> [1352] 11:50:22:562: Flag is Client and Store is Current User
>>>> [1352] 11:50:22:562: GetCachedCredentials
>>>> [1352] 11:50:22:562: FreeCachedCredentials
>>>> [1352] 11:50:22:562: No Cert Store.  Guest Access requested
>>>> [1352] 11:50:22:562: No Cert Name.  Guest access requested
>>>> [1352] 11:50:22:562: Will validate server cert
>>>> [1352] 11:50:22:562: MakeReplyMessage
>>>> [1352] 11:50:22:562: SecurityContextFunction
>>>> [1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
>>>> [1352] 11:50:22:562: State change to SentHello
>>>> [1352] 11:50:22:562: BuildPacket
>>>> [1352] 11:50:22:562: << Sending Response (Code: 2) packet: Id: 37,
>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>> [1352] 11:50:22:562: EapPeapCMakeMessage done
>>>> [1352] 11:50:22:562: EapPeapMakeMessage done
>>>> [1448] 11:50:52:578: EapPeapEnd
>>>> [1448] 11:50:52:578: EapTlsEnd
>>>> [1448] 11:50:52:578: EapTlsEnd(test)
>>>> [1448] 11:50:52:578: EapPeapEnd done
>>>> [1448] 11:51:52:593: PeapReadConnectionData
>>>> [1448] 11:51:52:593: PeapReadUserData
>>>> [1448] 11:51:52:593: RasEapGetInfo
>>>> [1352] 12:02:42:625: PeapReadConnectionData
>>>> [1352] 12:02:42:640: PeapReadUserData
>>>> [1352] 12:02:42:640: RasEapGetInfo
>>>> [1352] 12:02:42:640: PeapReDoUserData
>>>> [1352] 12:02:42:640: EapTlsInvokeIdentityUI
>>>> [1352] 12:02:42:640: GetCertInfo
>>>> [1352] 12:03:42:640: PeapReadConnectionData
>>>> [1352] 12:03:42:640: PeapReadUserData
>>>> [1352] 12:03:42:640: RasEapGetInfo
>>>> [1352] 12:03:42:671: EapPeapBegin
>>>> [1352] 12:03:42:671: PeapReadConnectionData
>>>> [1352] 12:03:42:671: PeapReadUserData
>>>> [1352] 12:03:42:671:
>>>> [1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
>>>> [1352] 12:03:42:671: State change to Initial
>>>> [1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
>>>> [1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
>>>> [1352] 12:03:42:671: MaxTLSMessageLength is now 16384
>>>> [1352] 12:03:42:671: EapPeapBegin done
>>>> [1352] 12:03:42:671: EapPeapMakeMessage
>>>> [1352] 12:03:42:671: EapPeapCMakeMessage
>>>> [1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
>>>> [1352] 12:03:42:671: EapTlsCMakeMessage
>>>> [1352] 12:03:42:671: EapTlsReset
>>>> [1352] 12:03:42:671: State change to Initial
>>>> [1352] 12:03:42:671: GetCredentials
>>>> [1352] 12:03:42:671: Flag is Client and Store is Current User
>>>> [1352] 12:03:42:671: GetCachedCredentials
>>>> [1352] 12:03:42:671: FreeCachedCredentials
>>>> [1352] 12:03:42:671: No Cert Store.  Guest Access requested
>>>> [1352] 12:03:42:671: No Cert Name.  Guest access requested
>>>> [1352] 12:03:42:671: Will validate server cert
>>>> [1352] 12:03:42:671: MakeReplyMessage
>>>> [1352] 12:03:42:671: SecurityContextFunction
>>>> [1352] 12:03:42:671: InitializeSecurityContext returned 0x90312
>>>> [1352] 12:03:42:671: State change to SentHello
>>>> [1352] 12:03:42:671: BuildPacket
>>>> [1352] 12:03:42:671: << Sending Response (Code: 2) packet: Id: 3,
>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>> [1352] 12:03:42:671: EapPeapCMakeMessage done
>>>> [1352] 12:03:42:671: EapPeapMakeMessage done
>>>> [2004] 12:04:12:687: EapPeapEnd
>>>> [2004] 12:04:12:687: EapTlsEnd
>>>> [2004] 12:04:12:687: EapTlsEnd(ghost\indrajaya)
>>>> [2004] 12:04:12:687: EapPeapEnd done
>>>> [2004] 12:04:42:734: EapPeapBegin
>>>> [2004] 12:04:42:734: PeapReadConnectionData
>>>> [2004] 12:04:42:734: PeapReadUserData
>>>>
>>>> /Regards,
>>>> Indrajaya Pitra Perdana/
>>>>
>>>> On 12/15/2011 6:04 PM, Heikki Vatiainen wrote:
>>>>> On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
>>>>>
>>>>>> The problem still persists even though I created my own certificate using the
>>>>>> steps in the mkcertificate.sh goodies; my Windows didn't respond to the EAP
>>>>>> challenge sent by Radiator. Do you have any clue on this? Or perhaps the
>>>>>> problem is within my 2950 Catalyst? Thanks :-)
>>>>> You could try enabling debug for EAP authentication on the switch to see
>>>>> how it reacts to EAP messages.
>>>>>
>>>>> Meanwhile you could also try running wireshark on Windows to see if the
>>>>> challenge with the certificate is sent by the switch to the XP box.
>>>>>
>>>>> One thing you could try first is to use an even lower value for
>>>>> EAPTLS_MaxFragmentSize.
>>>>>
>>>>> The messages before the certificate are much smaller, and so this challenge
>>>>> would be the first that can reach the maximum size.
>>>>>
>>>>> Thanks!
>>>>>
>>>


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
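Heikki's advice above is to ignore the outer 'anonymous' name and read the PEAP tunnelled request to find the real identity and the AuthBy that rejected it. The following is an added example, not code from the thread or from Radiator, that applies exactly that reading to Radiator DEBUG output: it groups lines by the 'PEAP Tunnelled request Packet dump:' marker, pulls the inner and outer identity from the 'looks for match with <inner> [<outer>]' line, and records each 'AuthBy ... result:' verdict. The log sample is constructed to follow the line shapes quoted in the thread (the ACCEPT line and the second request are my additions, not from the original log), and the function names parse_radiator_log and rejected_inner_identities are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of Radiator DEBUG output. The REJECT request mirrors the
# line shapes quoted in the thread; the ACCEPT request is constructed for contrast.
SAMPLE_LOG = """\
Tue Dec 20 10:54:16 2011: DEBUG: PEAP Tunnelled request Packet dump:
Tue Dec 20 10:54:16 2011: DEBUG: Radius::AuthSQL looks for match with indrajaya [anonymous]
Tue Dec 20 10:54:17 2011: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Tue Dec 20 10:54:17 2011: DEBUG: AuthBy SQL result: REJECT, Not authenticated by this AuthBy
Tue Dec 20 10:55:01 2011: DEBUG: PEAP Tunnelled request Packet dump:
Tue Dec 20 10:55:01 2011: DEBUG: Radius::AuthSQL looks for match with alice [anonymous]
Tue Dec 20 10:55:01 2011: DEBUG: AuthBy SQL result: ACCEPT
"""

# Start of one tunnelled (inner) request, as Heikki points out in the thread.
TUNNEL_START = re.compile(r"DEBUG: PEAP Tunnelled request Packet dump:")
# "<inner identity> [<outer identity>]": the outer name is what PEAP sent in
# the clear (here 'anonymous'); the inner name is the one actually authenticated.
MATCH_LINE = re.compile(r"looks for match with (\S+) \[([^\]]*)\]")
# Verdict lines from each AuthBy clause; the reason after the comma is optional.
AUTHBY_RESULT = re.compile(
    r"DEBUG: AuthBy (\S+) result: (ACCEPT|REJECT|IGNORE|CHALLENGE)(?:, (.*))?"
)


@dataclass
class TunnelledRequest:
    timestamp: str
    inner_identity: Optional[str] = None
    outer_identity: Optional[str] = None
    # (AuthBy name, result, reason) in the order the AuthBys ran
    verdicts: List[Tuple[str, str, str]] = field(default_factory=list)

    def final_result(self) -> Optional[str]:
        # The last AuthBy to give a verdict decides the tunnelled request.
        return self.verdicts[-1][1] if self.verdicts else None


def parse_radiator_log(text: str) -> List[TunnelledRequest]:
    """Group DEBUG lines into tunnelled requests and extract identities and verdicts."""
    requests: List[TunnelledRequest] = []
    current: Optional[TunnelledRequest] = None
    for line in text.splitlines():
        timestamp = line.split(": DEBUG:", 1)[0]
        if TUNNEL_START.search(line):
            current = TunnelledRequest(timestamp=timestamp)
            requests.append(current)
            continue
        if current is None:
            continue  # lines before the first tunnelled request (outer EAP handshake)
        m = MATCH_LINE.search(line)
        if m:
            current.inner_identity, current.outer_identity = m.group(1), m.group(2)
            continue
        m = AUTHBY_RESULT.search(line)
        if m:
            current.verdicts.append((m.group(1), m.group(2), m.group(3) or ""))
    return requests


def rejected_inner_identities(requests: List[TunnelledRequest]) -> List[str]:
    """Real (inner) identities whose tunnelled request ended in REJECT."""
    return sorted({
        r.inner_identity
        for r in requests
        if r.inner_identity and r.final_result() == "REJECT"
    })


if __name__ == "__main__":
    parsed = parse_radiator_log(SAMPLE_LOG)
    for req in parsed:
        print(f"{req.timestamp}: inner={req.inner_identity!r} "
              f"outer={req.outer_identity!r} result={req.final_result()}")
        for authby, result, reason in req.verdicts:
            print(f"    AuthBy {authby}: {result} {reason}".rstrip())
    print("rejected inner identities:", rejected_inner_identities(parsed))
```

Run it against a real Radiator trace level 4 log instead of SAMPLE_LOG and the summary shows, per tunnelled request, which AuthBy produced the REJECT that the outer 'anonymous' name was hiding; the 'EAP result: 1' line is deliberately not matched, since it is the EAP-level echo of the same AuthBy verdict.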

