[RADIATOR] Protected EAP authentication failed
Fabio Ciampi
fabio.ciampi at isti.cnr.it
Thu Jul 14 05:33:11 CDT 2011
Hello,
I have a problem with EAP-PEAP authentication. This is my configuration
file:
<AuthLog FILE>
Identifier test-log
Filename %L/%Y%m%d-test-auth.log
LogSuccess 1
LogFailure 1
include %L/auth-log-file-format.cfg
</AuthLog>
<Handler TunnelledByTTLS=1, request_src = test-src>
RewriteUsername s/(.*)\\(.*)/$2/
<AuthBy FILE>
EAPType PAP, MSCHAP-V2, CHAP, MSCHAP
Filename %L/test_account
</AuthBy>
StripFromReply Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-ID
AuthLog test-log
</Handler>
<Handler TunnelledByPEAP=1, request_src = test-src>
RewriteUsername s/(.*)\\(.*)/$2/
<AuthBy FILE>
Filename %L/test_account
EAPType MSCHAP-V2
</AuthBy>
StripFromReply Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-ID
AuthLog test-log
</Handler>
<Handler Realm = test.it, ssid=test-network>
RewriteUsername s/(.*)\\(.*)/$2/
<AuthBy FILE>
Filename %L/outer_account
EAPType TTLS, PEAP
EAPAnonymous %0
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
PreHandlerHook sub { ${$_[0]} -> add_attr('request_src', 'test-src');}
</AuthBy>
AcctLogFileName %L/%Y%m%d-test.log
include %L/acct-log-file-format-eduroam.cfg
</Handler>
outer_account file:
anonymous User-Password = whatever
test_account file:
fabio at test.it User-Password = "password"
As you can see in the following log, if I use TTLS authentication it
works without problems:
Code: UNDEF
Identifier: UNDEF
Authentic: UNDEF
Attributes:
User-Name = "fabio at test.it"
MS-CHAP-Challenge = <<193><5><16><191><193><154><254>
MS-CHAP-Response =
<148><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><246><222>a^<254>*<180><1
Thu Jul 14 11:06:41 2011: DEBUG: EAP TTLS inner authentication request
for fabio at test.it
Thu Jul 14 11:06:41 2011: DEBUG: Handling request with Handler
'TunnelledByTTLS=1, request_src = test-src'
Thu Jul 14 11:06:41 2011: DEBUG: Rewrote user name to fabio at test.it
Thu Jul 14 11:06:41 2011: DEBUG: Deleting session for fabio at test.it,
146.48.80.245,
Thu Jul 14 11:06:41 2011: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 14 11:06:41 2011: DEBUG: Reading users file
/$1$dga30/radiator-4_3_1/maria/test_account
Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE looks for match with
fabio at test.it [fabio at test.it]
Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE ACCEPT: :
fabio at test.it [fabio at test.it]
Thu Jul 14 11:06:42 2011: DEBUG: AuthBy FILE result: ACCEPT,
Thu Jul 14 11:06:42 2011: DEBUG: Access accepted for fabio at test.it
Thu Jul 14 11:06:42 2011: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: <2><240><128><29><174><178>Z<185>TB<251>5<200><134><137>J
Attributes:
Thu Jul 14 11:06:42 2011: DEBUG: EAP result: 0, EAP TTLS inner
authentication redespatched to a Handler
Thu Jul 14 11:06:42 2011: DEBUG: AuthBy FILE result: ACCEPT, EAP TTLS
inner authentication redespatched to a Handler
Thu Jul 14 11:06:42 2011: DEBUG: Access accepted for vino at test.it
Thu Jul 14 11:06:42 2011: DEBUG: Packet dump:
*** Sending to 146.48.107.5 port 32786 ....
Code: Access-Accept
Identifier: 112
Authentic: <155>P<192><23>"<25><238>kq<150><177>A&w<132><217>
Attributes:
MS-MPPE-Send-Key =
<14><165>2<230>8>Tc<194><248><250><134><133>r<9><28><23>dMl;<187><249>|<148><194><163><249><8><178>)<156>
MS-MPPE-Recv-Key =
)<200><204><3><11><216><30><190><10><31><226><180><191>_<172><131>0<194>NB<197><243><244><216><251><227><
EAP-Message = <3><10><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Instead, if I use PEAP, I get this in my log file:
Code: Access-Request
Identifier: 203
Authentic: <12><171><138><16><243>'<220><221>K<134><250>|<28>x*<17>
Attributes:
Acct-Multi-Session-Id =
"00-03-52-9A-C6-C9-00-15-00-49-6D-75-4E-1E-B7-A4-00-03-63-31"
Acct-Session-Id = "21a85895-00000221"
NAS-Port = 464
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
NAS-IP-Address = 146.48.80.245
Framed-MTU = 1496
User-Name = "vino2 at test.it"
Calling-Station-Id = "00-15-00-49-6D-75"
Called-Station-Id = "00-03-52-9A-C6-C9"
Service-Type = Framed-User
EAP-Message = <2><1><0><144><25><1><23><3><1><0>
2<26><167>`5<183><2><198><184><136><202><194><129>{[<209><244><144><25><15
<196><172>AkDp}<146>FJ'<184><154>k<155>f<218><169>ox<232>J<201><226><194>UJ<167>rG%<169>q<243><3>:/k<243><223>v<220><221><172>0<145>
Colubris-AVPAIR = "ssid=test-network"
Colubris-AVPAIR = "group=test-group"
Colubris-AVPAIR = "vsc-unique-id=10"
Colubris-AVPAIR = "phytype=IEEE802dot11g"
Colubris-Attr-250 = "<0><0><0><1>"
Colubris-Attr-249 = "<146>0k<10>"
Message-Authenticator =
y=<129>|<212><200><235><165>i<163><166><185><244><173>r2
ssid = test-network
group = test-group
vsc-unique-id = 10
phytype = IEEE802dot11g
Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler 'Realm =
test.it, ssid=test-network'
Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to vino2 at test.it
Thu Jul 14 11:32:17 2011: DEBUG: Deleting session for vino2 at test.it,
146.48.80.245, 464
Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 14 11:32:17 2011: DEBUG: Handling with EAP: code 2, 1, 144, 25
Thu Jul 14 11:32:17 2011: DEBUG: Response type 25
Thu Jul 14 11:32:17 2011: DEBUG: EAP PEAP inner authentication request
for fabio at test.it
Thu Jul 14 11:32:17 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <127><4>U<174>$<135><186><18><204>a)<15>A<232>vy
Attributes:
EAP-Message =
<2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r<183><212><233>G<167><0><0><0><0><0><0><0><0><136
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "fabio at test.it"
NAS-IP-Address = 146.48.80.245
NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
NAS-Port = 464
Calling-Station-Id = "00-15-00-49-6D-75"
Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler
'TunnelledByPEAP=1, request_src = test-src'
Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to fabio at test.it
Thu Jul 14 11:32:17 2011: DEBUG: Deleting session for fabio at test.it,
146.48.80.245, 464
Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 14 11:32:17 2011: DEBUG: Handling with EAP: code 2, 1, 72, 26
Thu Jul 14 11:32:17 2011: DEBUG: Response type 26
Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE looks for match with
[fabio at test.it]
Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE REJECT: No such user:
[fabio at test.it]
Thu Jul 14 11:32:17 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
such user
Thu Jul 14 11:32:17 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP
V2 failed: no such user
Thu Jul 14 11:32:17 2011: INFO: Access rejected for fabio at test.it: EAP
MSCHAP V2 failed: no such user
Thu Jul 14 11:32:17 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <127><4>U<174>$<135><186><18><204>a)<15>A<232>vy
Attributes:
EAP-Message = <4><1><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Thu Jul 14 11:32:17 2011: DEBUG: EAP result: 3, EAP PEAP inner
authentication redespatched to a Handler
Thu Jul 14 11:32:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP
inner authentication redespatched to a Handler
Thu Jul 14 11:32:17 2011: DEBUG: Access challenged for vino2 at test.it:
EAP PEAP inner authentication redespatched to a Handler
Thu Jul 14 11:32:17 2011: DEBUG: Packet dump:
*** Sending to 146.48.107.5 port 32786 ....
I really don't understand why the authentication fails in the PEAP case.
Kind regards
Fabio
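The two traces above differ at one visible point: in the TTLS case AuthFILE logs "looks for match with fabio at test.it [fabio at test.it]", while in the PEAP case it logs "looks for match with [fabio at test.it]", that is, the name it actually searched the users file for is empty, and the REJECT "No such user" follows from that. The script below is an added example, not code from this post or from Radiator itself; it parses Radiator DEBUG lines in the format shown in the post (the line format is assumed from the traces, the sample lines are constructed, unwrapped and with the list archive's "at" obfuscation undone) and reports, per Handler, which user name AuthBy FILE searched for and whether a REJECT came from an empty lookup name rather than a password mismatch.

```python
import re

# Constructed sample log, not taken verbatim from the post: the handler,
# lookup and result lines Radiator writes at DEBUG level, reproduced
# unwrapped and with "fabio at test.it" restored to "fabio@test.it".
SAMPLE_LOG = """\
Thu Jul 14 11:06:41 2011: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, request_src = test-src'
Thu Jul 14 11:06:41 2011: DEBUG: Rewrote user name to fabio@test.it
Thu Jul 14 11:06:41 2011: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE looks for match with fabio@test.it [fabio@test.it]
Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE ACCEPT: : fabio@test.it [fabio@test.it]
Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, request_src = test-src'
Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to fabio@test.it
Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE looks for match with [fabio@test.it]
Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE REJECT: No such user: [fabio@test.it]
"""

HANDLER_RE = re.compile(r"Handling request with Handler '(?P<handler>[^']*)'")
# "looks for match with <name searched for> [<name as received>]"; the
# searched-for name may be absent, which is exactly the case worth flagging.
LOOKUP_RE = re.compile(
    r"Radius::AuthFILE looks for match with (?P<lookup>.*?)\s*\[(?P<orig>[^\]]*)\]"
)
RESULT_RE = re.compile(r"Radius::AuthFILE (?P<result>ACCEPT|REJECT)\b")


def parse_authfile_lookups(log_text):
    """Return one record per AuthBy FILE lookup: the Handler that ran it,
    the name AuthFILE actually searched for, the bracketed name as received,
    and the ACCEPT/REJECT that followed (None if the trace is cut short)."""
    records = []
    handler = None   # most recent "Handling request with Handler" line
    pending = None   # lookup record still waiting for its ACCEPT/REJECT
    for line in log_text.splitlines():
        m = HANDLER_RE.search(line)
        if m:
            handler = m.group("handler")
            continue
        m = LOOKUP_RE.search(line)
        if m:
            pending = {
                "handler": handler,
                "lookup_name": m.group("lookup"),
                "original_name": m.group("orig"),
                "result": None,
            }
            records.append(pending)
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            pending["result"] = m.group("result")
            pending = None
    return records


def handlers_with_empty_lookup(records):
    """Handlers whose AuthBy FILE searched the users file for an empty user
    name. A REJECT 'No such user' from such a lookup is a user-name handling
    problem in that Handler, not a wrong password in the users file."""
    return [r["handler"] for r in records if r["lookup_name"] == ""]


if __name__ == "__main__":
    records = parse_authfile_lookups(SAMPLE_LOG)
    for r in records:
        print(f"{r['handler']!r}: searched {r['lookup_name']!r}, "
              f"received {r['original_name']!r} -> {r['result']}")
    print("empty lookup name in:", handlers_with_empty_lookup(records))
```

Run against the two traces, the TTLS record shows the searched-for name filled in and an ACCEPT, while the PEAP record shows an empty searched-for name and a REJECT, which narrows the problem to how the inner user name reaches AuthBy FILE in the TunnelledByPEAP Handler rather than to the contents of test_account.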