[RADIATOR] Protected EAP authentication failed

Heikki Vatiainen hvn at open.com.au
Fri Jul 15 02:41:05 CDT 2011


On 07/14/2011 01:33 PM, Fabio Ciampi wrote:

Hello Fabio,

> I have a problem with EAP-PEAP authentication. This is my configuration
> file:

Your configuration looks correct.

You need to check the client settings because there is no usable
identity (username) received with the inner EAP-MSCHAP-V2 request.

The PEAP problem is related to this line:

EAP-Message =
<2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r<183><212><233>G<167><0><0><0><0><0><0><0><0><136


This is the inner EAP-MSCHAP-V2 Challenge from the client. Was the line
perhaps cut when pasting it to email?

The length of the message should be 67 bytes (<0>C is 0x0043 in hex, 67
in decimal). Your attribute looks too short, so I am wondering if it was
cut when pasted to email.

The identity Radiator uses can be seen in the last bytes of the
EAP-Message attribute. Here is an example of complete EAP-Message with
the identity (hvn) showing at the end:

EAP-Message =
<2><6><0>:<26><2><6><0>91P).<13>=<228><16><3>]<249><210>c7<3><244><252><0><0><0><0><0><0><0><0><192>e<229><155><22><134>K<143><160><22><206><26><31>zg<135>1<15><138>nX<30>9S<0>hvn

Note that in the PEAP case the inner authentication protocol is EAP.
For this reason Radiator uses the identity information carried by the
EAP method (EAP-MSCHAP-V2) instead of the User-Name. TTLS uses
MS-CHAP (not EAP-MSCHAP-V2) so it uses the User-Name.

Compare these two snippets from the log; the first is TTLS, the second PEAP.
Note how the identity that is used to check the users file is empty in
the PEAP case.

Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE looks for match with
fabio at test.it [fabio at test.it]

Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE looks for match with
[fabio at test.it]


Thanks!
Heikki


> <AuthLog FILE>
> 
>     Identifier test-log
>     Filename %L/%Y%m%d-test-auth.log
>     LogSuccess 1
>     LogFailure 1
>     include  %L/auth-log-file-format.cfg
> 
> </AuthLog>
> 
> 
> <Handler TunnelledByTTLS=1, request_src = test-src>
> 
>     RewriteUsername s/(.*)\\(.*)/$2/
> 
> <AuthBy FILE>
> 
>             EAPType PAP, MSCHAP-V2, CHAP, MSCHAP
>             Filename %L/test_account
> 
> </AuthBy>
> 
>         StripFromReply Tunnel-Type, Tunnel-Medium-Type,
> Tunnel-Private-Group-ID
>         AuthLog test-log
> 
> </Handler>
> 
> 
> <Handler TunnelledByPEAP=1, request_src = test-src>
> 
>         RewriteUsername s/(.*)\\(.*)/$2/
> 
> <AuthBy FILE>
> 
>            Filename %L/test_account
>            EAPType MSCHAP-V2
> 
> </AuthBy>
> 
>         StripFromReply Tunnel-Type, Tunnel-Medium-Type,
> Tunnel-Private-Group-ID
>         AuthLog test-log
> 
> </Handler>
> 
> 
> <Handler Realm = test.it, ssid=test-network>
> 
>     RewriteUsername s/(.*)\\(.*)/$2/
> 
> <AuthBy FILE>
> 
>         Filename %L/outer_account
> 
>         EAPType TTLS, PEAP
>         EAPAnonymous %0
> 
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
> 
>         PreHandlerHook sub { ${$_[0]} -> add_attr('request_src',
> 'test-src');}
> 
> </AuthBy>
> 
>     AcctLogFileName %L/%Y%m%d-test.log
>     include  %L/acct-log-file-format-eduroam.cfg
> 
> </Handler>
> 
> 
> outer_account file:
> 
>    anonymous        User-Password = whatever
> 
> 
> test_account file:
> 
>    fabio at test.it      User-Password = "password"
> 
> 
> 
> 
> As you can see in the following log, if I use TTLS authentication it
> works without problems:
> 
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>         User-Name = "fabio at test.it"
>         MS-CHAP-Challenge = <<193><5><16><191><193><154><254>
>         MS-CHAP-Response =
> <148><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><246><222>a^<254>*<180><1
> 
> 
> Thu Jul 14 11:06:41 2011: DEBUG: EAP TTLS inner authentication request
> for fabio at test.it
> Thu Jul 14 11:06:41 2011: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1, request_src = test-src'
> Thu Jul 14 11:06:41 2011: DEBUG: Rewrote user name to fabio at test.it
> Thu Jul 14 11:06:41 2011: DEBUG:  Deleting session for fabio at test.it,
> 146.48.80.245,
> Thu Jul 14 11:06:41 2011: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 14 11:06:41 2011: DEBUG: Reading users file
> /$1$dga30/radiator-4_3_1/maria/test_account
> Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE looks for match with
> fabio at test.it [fabio at test.it]
> Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE ACCEPT: :
> fabio at test.it [fabio at test.it]
> Thu Jul 14 11:06:42 2011: DEBUG: AuthBy FILE result: ACCEPT,
> Thu Jul 14 11:06:42 2011: DEBUG: Access accepted for fabio at test.it
> Thu Jul 14 11:06:42 2011: DEBUG: Returned TTLS tunnelled Diameter Packet
> dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic: <2><240><128><29><174><178>Z<185>TB<251>5<200><134><137>J
> Attributes:
> 
> Thu Jul 14 11:06:42 2011: DEBUG: EAP result: 0, EAP TTLS inner
> authentication redespatched to a Handler
> Thu Jul 14 11:06:42 2011: DEBUG: AuthBy FILE result: ACCEPT, EAP TTLS
> inner authentication redespatched to a Handler
> Thu Jul 14 11:06:42 2011: DEBUG: Access accepted for vino at test.it
> Thu Jul 14 11:06:42 2011: DEBUG: Packet dump:
> *** Sending to 146.48.107.5 port 32786 ....
> Code:       Access-Accept
> Identifier: 112
> Authentic: <155>P<192><23>"<25><238>kq<150><177>A&w<132><217>
> Attributes:
>         MS-MPPE-Send-Key =
> <14><165>2<230>8>Tc<194><248><250><134><133>r<9><28><23>dMl;<187><249>|<148><194><163><249><8><178>)<156>
> 
>         MS-MPPE-Recv-Key =
> )<200><204><3><11><216><30><190><10><31><226><180><191>_<172><131>0<194>NB<197><243><244><216><251><227><
> 
>         EAP-Message = <3><10><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> 
> 
> 
> Instead if I use PEAP I get in my log file:
> 
> Code:       Access-Request
> Identifier: 203
> Authentic: <12><171><138><16><243>'<220><221>K<134><250>|<28>x*<17>
> Attributes:
>         Acct-Multi-Session-Id =
> "00-03-52-9A-C6-C9-00-15-00-49-6D-75-4E-1E-B7-A4-00-03-63-31"
>         Acct-Session-Id = "21a85895-00000221"
>         NAS-Port = 464
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
>         NAS-IP-Address = 146.48.80.245
>         Framed-MTU = 1496
>         User-Name = "vino2 at test.it"
>         Calling-Station-Id = "00-15-00-49-6D-75"
>         Called-Station-Id = "00-03-52-9A-C6-C9"
>         Service-Type = Framed-User
>         EAP-Message = <2><1><0><144><25><1><23><3><1><0> 
> 2<26><167>`5<183><2><198><184><136><202><194><129>{[<209><244><144><25><15
> <196><172>AkDp}<146>FJ'<184><154>k<155>f<218><169>ox<232>J<201><226><194>UJ<167>rG%<169>q<243><3>:/k<243><223>v<220><221><172>0<145>
> 
>         Colubris-AVPAIR = "ssid=test-network"
>         Colubris-AVPAIR = "group=test-group"
>         Colubris-AVPAIR = "vsc-unique-id=10"
>         Colubris-AVPAIR = "phytype=IEEE802dot11g"
>         Colubris-Attr-250 = "<0><0><0><1>"
>         Colubris-Attr-249 = "<146>0k<10>"
>         Message-Authenticator =
> y=<129>|<212><200><235><165>i<163><166><185><244><173>r2
>         ssid = test-network
>         group = test-group
>         vsc-unique-id = 10
>         phytype = IEEE802dot11g
> 
> Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler 'Realm =
> test.it, ssid=test-network'
> Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to vino2 at test.it
> Thu Jul 14 11:32:17 2011: DEBUG:  Deleting session for vino2 at test.it,
> 146.48.80.245, 464
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with EAP: code 2, 1, 144, 25
> Thu Jul 14 11:32:17 2011: DEBUG: Response type 25
> Thu Jul 14 11:32:17 2011: DEBUG: EAP PEAP inner authentication request
> for fabio at test.it
> Thu Jul 14 11:32:17 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic: <127><4>U<174>$<135><186><18><204>a)<15>A<232>vy
> Attributes:
>         EAP-Message =
> <2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r<183><212><233>G<167><0><0><0><0><0><0><0><0><136
> 
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "fabio at test.it"
>         NAS-IP-Address = 146.48.80.245
>         NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
>         NAS-Port = 464
>         Calling-Station-Id = "00-15-00-49-6D-75"
> 
> Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, request_src = test-src'
> Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to fabio at test.it
> Thu Jul 14 11:32:17 2011: DEBUG:  Deleting session for fabio at test.it,
> 146.48.80.245, 464
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with EAP: code 2, 1, 72, 26
> Thu Jul 14 11:32:17 2011: DEBUG: Response type 26
> Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE looks for match with 
> [fabio at test.it]
> Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE REJECT: No such user: 
> [fabio at test.it]
> Thu Jul 14 11:32:17 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
> such user
> Thu Jul 14 11:32:17 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP
> V2 failed: no such user
> Thu Jul 14 11:32:17 2011: INFO: Access rejected for fabio at test.it: EAP
> MSCHAP V2 failed: no such user
> Thu Jul 14 11:32:17 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic: <127><4>U<174>$<135><186><18><204>a)<15>A<232>vy
> Attributes:
>         EAP-Message = <4><1><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
> 
> Thu Jul 14 11:32:17 2011: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Thu Jul 14 11:32:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP
> inner authentication redespatched to a Handler
> Thu Jul 14 11:32:17 2011: DEBUG: Access challenged for vino2 at test.it:
> EAP PEAP inner authentication redespatched to a Handler
> Thu Jul 14 11:32:17 2011: DEBUG: Packet dump:
> *** Sending to 146.48.107.5 port 32786 ....
> 
> 
> 
> I really don't understand why in the peap case the authentication fails.
> 
> 
> Kind regards
> Fabio
> 
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
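The reply above locates the inner identity in the trailing Name field of the EAP-MSCHAP-V2 Response and suspects the pasted attribute was truncated. The following is an added example, not Radiator code and not from either poster, that builds a constructed EAP-MSCHAP-V2 Response, decodes it, checks the two length fields the way the reply does by hand, and reports whether a usable identity is present. The `from_radiator_dump` helper assumes Radiator's debug notation renders non-printable bytes as `<decimal>` and everything else as a literal character; that rendering rule is an assumption, as are all sample values.

```python
"""
Added example (not Radiator's code): decode an EAP-MSCHAPv2 Response as carried
inside a PEAP tunnel and extract the peer identity from the trailing Name field.

Layout (RFC 3748 EAP header followed by the MS-CHAPv2 Response, draft-kamath):
  Code(1)=2 Id(1) Length(2) Type(1)=26 |
  OpCode(1)=2 MS-CHAPv2-ID(1) MS-Length(2) Value-Size(1)=49 Response(49) Name(...)
"""
import re
import struct

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_RESPONSE = 2
VALUE_SIZE = 49  # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags

# Assumption about Radiator's debug rendering: bytes outside printable ASCII
# appear as <decimal>, printable bytes appear literally.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def from_radiator_dump(text):
    """Turn a pasted EAP-Message log value back into bytes (see assumption above)."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def build_response(eap_id, name, peer_challenge, nt_response):
    """Build a complete EAP-Message holding an EAP-MSCHAPv2 Response (constructed data)."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("peer_challenge must be 16 bytes, nt_response 24 bytes")
    value = peer_challenge + bytes(8) + nt_response + b"\x00"  # flags byte = 0
    body = struct.pack("!BBHB", MSCHAPV2_RESPONSE, eap_id, 0, VALUE_SIZE) + value + name
    body = body[:2] + struct.pack("!H", len(body)) + body[4:]  # fill MS-Length
    pkt = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 0, EAP_TYPE_MSCHAPV2) + body
    return pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]  # fill EAP Length


def parse_response(msg):
    """Decode an EAP-MSCHAPv2 Response; raise ValueError on truncation or bad framing."""
    if len(msg) < 5:
        raise ValueError("EAP header truncated")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", msg[:5])
    if eap_len != len(msg):
        raise ValueError(f"EAP Length says {eap_len} bytes, got {len(msg)} (cut when pasting?)")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"not an EAP-MSCHAPv2 Response (code {code}, type {eap_type})")
    body = msg[5:]
    if len(body) < 5 + VALUE_SIZE:
        raise ValueError("MS-CHAPv2 Response truncated")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", body[:5])
    if opcode != MSCHAPV2_RESPONSE or ms_len != len(body) or value_size != VALUE_SIZE:
        raise ValueError("malformed MS-CHAPv2 Response header")
    value = body[5:5 + VALUE_SIZE]
    name = body[5 + VALUE_SIZE:]  # everything after the fixed-size Response is the Name
    return {
        "eap_id": eap_id,
        "mschapv2_id": ms_id,
        "peer_challenge": value[:16],
        "nt_response": value[24:48],
        "flags": value[48],
        "identity": name.decode("utf-8", "replace"),
    }


def diagnose(msg):
    """One-line verdict for a captured EAP-Message, as wanted when reading a debug log."""
    try:
        ident = parse_response(msg)["identity"]
    except ValueError as exc:
        return f"malformed: {exc}"
    if not ident:
        return "no usable identity: Name field is empty (client sends no inner username)"
    return f"identity {ident!r}"


if __name__ == "__main__":
    # Constructed samples: one with an identity, one with the empty Name seen in the thread.
    good = build_response(6, b"hvn", bytes(range(16)), bytes(24))
    empty = build_response(1, b"", bytes(16), bytes(24))
    for label, pkt in (("good", good), ("empty", empty), ("cut", good[:-5])):
        print(f"{label:5s} {len(pkt):2d} bytes: {diagnose(pkt)}")
```

Paste a complete EAP-Message value from the debug log into `from_radiator_dump` and hand the result to `diagnose`: a mismatch between the EAP Length field and the byte count reproduces the "cut when pasted" check from the reply, and an empty Name field is the symptom behind the "looks for match with [fabio at test.it]" line.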

