[RADIATOR] eap-ttls/ms-chap-v2

Michael Shoemaker shoemake at america.net
Tue Jan 18 16:00:43 CST 2011


Yes, I used the -t as I am working with a db compiled as such and can't 
change that at this time.

This is what is in the access request to the dbfile.


         User-Name = "tonytestgordonlab"
         MS-CHAP-Challenge = f<223>)<22><158>R\<27><3><5>ia<226><213>*n
         MS-CHAP2-Response = 
<193><0><0><0><0><27><0><0><0>P<24><7><0><1><0><0><0><0><0><0><0><0><0><0><0><0><229>[<149><185><148><25>I,D<250>KS<153><183><28>\ 
-<209><18> <186><1><183>

Fri Jan 14 12:44:56 2011: DEBUG: EAP TTLS inner authentication request 
for tonytestgordonlab
Fri Jan 14 12:44:56 2011: DEBUG: Handling request with Handler 
'TunnelledByTTLS=1'
Fri Jan 14 12:44:56 2011: DEBUG: Rewrote user name to tonytestgordonlab
Fri Jan 14 12:44:56 2011: DEBUG:  Deleting session for 
tonytestgordonlab, 192.168.0.1,
Fri Jan 14 12:44:56 2011: DEBUG: Handling with Radius::AuthDBFILE:
Fri Jan 14 12:44:56 2011: DEBUG: Radius::AuthDBFILE looks for match with 
tonytestgordonlab [tonytestgordonlab]
Fri Jan 14 12:44:57 2011: DEBUG: Radius::AuthDBFILE REJECT: Bad 
Password: tonytestgordonlab [tonytestgordonlab]
Fri Jan 14 12:44:57 2011: DEBUG: AuthBy DBFILE result: REJECT, Bad Password
Fri Jan 14 12:44:57 2011: INFO: Access rejected for tonytestgordonlab: 
Bad Password
Fri Jan 14 12:44:57 2011: DEBUG: Returned TTLS tunnelled Diameter Packet 
dump:


That is what I have. I am quite sure I must be overlooking something 
fairly trivial.

Thoughts?


On 01/18/2011 04:19 PM, Heikki Vatiainen wrote:
> On 01/18/2011 05:19 PM, Michael Shoemaker wrote:
>
>> We are trying to get authentication with an alvarion wireless unit that
>> is sending mschapv2 encrypted passwords through an eap-ttls tunnel.
>>
>> I can get the eap-ttls tunnel built and can see the attempts to request
>> the mschapv2 but am not sure where our hangup is.
> I have a couple of suggestions below. If they do not work, reply with
> your configuration file (no secrets) and log file that shows the failing
> requests.
>
>> What needs to be done to be able to get local authentication on the
>> radiator server using AuthBy DBFILE (DB_File)
>>
>> The db was built using a plaintext file then converted using the
>> builddbm script.
> Did you use -t option with builddbm? If you did not, then you should
> remove "DBType DB_FILE" from the config. By default builddbm creates an
> AnyDBM_File which is also the default value for DBType.
>
>> <Handler TunnelledByTTLS=1>
>>
>> <AuthBy DBFILE>
>>                   Filename /etc/raddb.proxy/dbm/users.db
>>                   DBType DB_File
> Check if this is really the correct value.
>
>> </AuthBy>
>> this gets me to the point of doing the ttls tunnel, then it passes the
>> mschap stuff to the authby dbfile... but I am not sure how to decrypt
>> the pw to check vs the db file.
> If the DBType check will not help, then the problems with password check
> should be visible in the log.
>
> Thanks!
> Heikki Vatiainen
>

