[RADIATOR] Protected EAP authentication failed
Fabio Ciampi
fabio.ciampi at isti.cnr.it
Fri Jul 15 08:42:05 CDT 2011
Hello Heikki,
> Your configuration looks correct.
> You need to check the client settings because there is no usable
> identity (username) received with the inner EAP-MSCHAP-V2 request.
>
> The PEAP problem is related to this line:
>
> EAP-Message =
> <2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r<183><212><233>G<167><0><0><0><0><0><0><0><0><136
>
>
> This is the inner EAP-MSCHAP-V2 Challenge from the client. Was the line
> perhaps cut when pasting it to email?
>
You're right. I'm sorry but the last part of the line got lost during
the copy and paste.
Anyway it seems to be a client problem.
If I use a laptop with Ubuntu 10.04 I get:
Code: Access-Request
Identifier: 36
Authentic: 7<1><13><127>oJ<212><219><237><176>{<165>Z<249>p<214>
Attributes:
Acct-Multi-Session-Id =
"00-03-52-9A-C6-C9-00-15-00-49-6D-75-4E-1F-FC-7D-00-0E-65-37"
Acct-Session-Id = "21a85895-00000253"
NAS-Port = 513
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
NAS-IP-Address = 146.48.80.245
Framed-MTU = 1496
User-Name = "vino4 at test.it"
Calling-Station-Id = "00-15-00-49-6D-75"
Called-Station-Id = "00-03-52-9A-C6-C9"
Service-Type = Framed-User
EAP-Message = <2><1><0><144><25><1><23><3><1><0> -M
<159><206><208>[<239>T<226><233>I<31>
<141>$C<232><247><220>2BsS<142>=<185><182><250><169><200><163><165><23><3><1><0>`B<252><184>&<141>
RO<255><146><152><213>o<176><175><134><229>p<157>2<222><180>}<242><16>V<247><250>4y<241>ib<186><164>v
<210><206><237><205>w[<209>'<161><243><240>J<251>P<150><11>><151>_<193>o<204>q<244><244>a<233><134><198><25>.stX
<193><209><254><19><178>v1<127><21><7><215>Nt'<151>JJ<141><143><174><246><1><237><242><167><253><144>
Colubris-AVPAIR = "ssid=test-network"
Colubris-AVPAIR = "group=test-group"
Colubris-AVPAIR = "vsc-unique-id=10"
Colubris-AVPAIR = "phytype=IEEE802dot11g"
Colubris-Attr-250 = "<0><0><0><1>"
Colubris-Attr-249 = "<146>0k<10>"
Message-Authenticator =
<185>R(<223>5<219><165>H<207><210>!T><170>.<160>
ssid = test-network
group = test-group
vsc-unique-id = 10
phytype = IEEE802dot11g
Fri Jul 15 10:38:19 2011: DEBUG: Handling request with Handler 'Realm =
test.it, ssid=test-network'
Fri Jul 15 10:38:19 2011: DEBUG: Rewrote user name to vino4 at test.it
Fri Jul 15 10:38:19 2011: DEBUG: Deleting session for vino4 at test.it,
146.48.80.245, 513
Fri Jul 15 10:38:19 2011: DEBUG: Handling with Radius::AuthFILE:
Fri Jul 15 10:38:19 2011: DEBUG: Handling with EAP: code 2, 1, 144, 25
Fri Jul 15 10:38:19 2011: DEBUG: Response type 25
Fri Jul 15 10:38:19 2011: DEBUG: EAP PEAP inner authentication request
for fabio at test.it
Fri Jul 15 10:38:19 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <148>j)n"5<177><29>V<18><22>><207>i<166><215>
Attributes:
EAP-Message =
<2><1><0>H<26><2><1><0>C1am<164><202><160><158>\<181><153>3HCYCZ<158><0><0><0><0>
<0><0><0><0><149><180>s<244>L<128><148>Mx<1><155><149><5><229><210>M0<205><166><195><137><219><245>,<0>fabio at test.it
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "fabio at test.it"
NAS-IP-Address = 146.48.80.245
NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
NAS-Port = 513
Calling-Station-Id = "00-15-00-49-6D-75"
Fri Jul 15 10:38:19 2011: DEBUG: Handling request with Handler
'TunnelledByPEAP=1, request_src = test-src'
Fri Jul 15 10:38:19 2011: DEBUG: Rewrote user name to fabio at test.it
Fri Jul 15 10:38:19 2011: DEBUG: Deleting session for fabio at test.it,
146.48.80.245, 513
Fri Jul 15 10:38:19 2011: DEBUG: Handling with Radius::AuthFILE:
Fri Jul 15 10:38:19 2011: DEBUG: Handling with EAP: code 2, 1, 72, 26
Fri Jul 15 10:38:19 2011: DEBUG: Response type 26
Fri Jul 15 10:38:19 2011: DEBUG: Radius::AuthFILE looks for match with
[fabio at test.it]
Fri Jul 15 10:38:19 2011: DEBUG: Radius::AuthFILE REJECT: No such user:
[fabio at test.it]
Fri Jul 15 10:38:19 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
such user
Fri Jul 15 10:38:19 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP
V2 failed: no such user
Fri Jul 15 10:38:19 2011: INFO: Access rejected for fabio at test.it: EAP
MSCHAP V2 failed: no such user
Fri Jul 15 10:38:19 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Instead, with an identical Radiator configuration, using Windows Vista I
obtain:
*** Received from 146.48.107.5 port 32786 ....
Code: Access-Request
Identifier: 211
Authentic: h<155><186>bz}<172>BE<179><207><191><145><2>6<181>
Attributes:
Acct-Multi-Session-Id =
"00-03-52-9A-C6-C9-00-24-D6-87-D9-6E-4E-20-02-25-00-04-65-4E"
Acct-Session-Id = "5bc8ed11-00000255"
NAS-Port = 515
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
NAS-IP-Address = 146.48.80.245
Framed-MTU = 1496
User-Name = "fabio at test.it"
Calling-Station-Id = "00-24-D6-87-D9-6E"
Called-Station-Id = "00-03-52-9A-C6-C9"
Service-Type = Framed-User
EAP-Message =
<2><27><0>k<25><0><23><3><1><0>`E<174><27><14><129><188><200><217><192>s<164>5<5>
<185>k<1>O<169><174>"`<150><147><10>d<185>`<242>MJ<180><128>a<218><142><240><160><189><168>5<21><231>
<168>x4<216><17><179><146>k<166>l<212><217><171><12><219>b<237><250><160><161>-<131><144><238>e<215><200>m<191>
<14><174><21><170><172><211>?<142><198><194>G<26><168>^<159>@B<245><143><173>vlj0<4>
Colubris-AVPAIR = "ssid=test-network"
Colubris-AVPAIR = "group=test-group"
Colubris-AVPAIR = "vsc-unique-id=10"
Colubris-AVPAIR = "phytype=IEEE802dot11g"
Colubris-Attr-250 = ""
Colubris-Attr-249 = ""
Message-Authenticator =
<11><231>{<128><183><144><214><205><135><153><141><176><25><172><14><159>
ssid = test-network
group = test-group
vsc-unique-id = 10
phytype = IEEE802dot11g
Fri Jul 15 11:02:24 2011: DEBUG: Handling request with Handler 'Realm =
test.it, ssid=test-network'
Fri Jul 15 11:02:24 2011: DEBUG: Rewrote user name to fabio at test.it
Fri Jul 15 11:02:24 2011: DEBUG: Deleting session for fabio at test.it,
146.48.80.245, 515
Fri Jul 15 11:02:25 2011: DEBUG: Handling with Radius::AuthFILE:
Fri Jul 15 11:02:25 2011: DEBUG: Handling with EAP: code 2, 27, 107, 25
Fri Jul 15 11:02:25 2011: DEBUG: Response type 25
Fri Jul 15 11:02:25 2011: DEBUG: EAP PEAP inner authentication request
for fabio at test.it
Fri Jul 15 11:02:25 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: 8M<149>w<220><251><16><214><248>.<12><5><166>F<247><154>
Attributes:
EAP-Message =
<2><27><0>D<26><2><27><0>C1\<212>P%<7>K<150><6>[<186><154><212><15><157><240><164>
<0><0><0><0><0><0><0><0><233><220>/<137><140><136>1h<184>8<242><137><193><2><209><216>M;5Y<223><174><163><22><0>fabio at test.it
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "fabio at test.it"
NAS-IP-Address = 146.48.80.245
NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
NAS-Port = 515
Calling-Station-Id = "00-24-D6-87-D9-6E"
Fri Jul 15 11:02:25 2011: DEBUG: Handling request with Handler
'TunnelledByPEAP=1, request_src = test-src'
Fri Jul 15 11:02:25 2011: DEBUG: Rewrote user name to fabio at test.it
Fri Jul 15 11:02:25 2011: DEBUG: Deleting session for fabio at test.it,
146.48.80.245, 515
Fri Jul 15 11:02:25 2011: DEBUG: Handling with Radius::AuthFILE:
Fri Jul 15 11:02:25 2011: DEBUG: Handling with EAP: code 2, 27, 68, 26
Fri Jul 15 11:02:25 2011: DEBUG: Response type 26
Fri Jul 15 11:02:25 2011: DEBUG: Radius::AuthFILE looks for match with
fabio at test.it [fabio at test.it]
Fri Jul 15 11:02:25 2011: DEBUG: Radius::AuthFILE ACCEPT: :
fabio at test.it [fabio at test.it]
Fri Jul 15 11:02:25 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
Success
Fri Jul 15 11:02:25 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP
MSCHAP V2 Challenge: Success
Fri Jul 15 11:02:25 2011: DEBUG: Access challenged for fabio at test.it:
EAP MSCHAP V2 Challenge: Success
Fri Jul 15 11:02:25 2011: DEBUG: Returned PEAP tunnelled packet dump:
I have a quite old Radiator version (v-4.3.1). Do you think that an
update can be useful for this problem or, in your opinion, is this
related to an Ubuntu 10.04 misbehaviour?
Thank you
Regards
Fabio
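
Added example (not part of the original message and not Radiator code): a Python decoder for the `<n>` notation used in the EAP-Message dumps above, which parses an inner EAP-MSCHAP-V2 Response and reports when fewer bytes were captured than the EAP length field announces, the situation raised in the quoted reply. The function names are hypothetical, the sample packet is constructed with dummy challenge and response bytes, and the layout assumed is a 5-byte EAP header, a 5-byte MS-CHAPv2 header, a 49-byte value, then the name.

```python
import re
import struct

def from_radiator_dump(text):
    """Decode Radiator debug notation: <n> is byte n, other characters are literal."""
    text = text.replace("\r", "").replace("\n", "")   # mail clients wrap long lines
    text = re.sub(r"<\d{0,3}$", "", text)             # drop an escape cut in half
    out = bytearray()
    for m in re.finditer(r"<(\d{1,3})>|(.)", text):
        if m.group(1) and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
        else:
            out += m.group(0).encode("latin-1", "replace")
    return bytes(out)

def to_radiator_dump(data):
    """Inverse of the above, used only to build the constructed sample."""
    return "".join(chr(b) if 32 <= b < 127 else f"<{b}>" for b in data)

def parse_mschapv2_response(pkt):
    """Parse an EAP-MSCHAPv2 Response (EAP type 26, OpCode 2) and flag short captures."""
    if len(pkt) < 10:
        return {"truncated": True, "name": None}
    code, ident, eap_len, eap_type = struct.unpack("!BBHB", pkt[:5])
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    info = {"code": code, "id": ident, "eap_length": eap_len, "type": eap_type,
            "opcode": opcode, "ms_length": ms_len, "captured": len(pkt),
            "truncated": len(pkt) < eap_len, "name": None}
    if (code, eap_type, opcode, value_size) != (2, 26, 2, 49):
        return info
    if not info["truncated"]:
        # Value = peer challenge (16) + reserved (8) + NT-Response (24) + flags (1)
        info["peer_challenge"] = pkt[10:26]
        info["nt_response"] = pkt[34:58]
        info["name"] = pkt[59:eap_len].decode("latin-1")
    return info

def build_sample(name=b"user@example.test", ident=1):
    """Constructed packet: dummy challenge and response bytes, not real credentials."""
    value = bytes(range(1, 17)) + bytes(8) + bytes(range(100, 124)) + b"\x00"
    body = struct.pack("!BBHB", 2, ident, 5 + len(value) + len(name), 49) + value + name
    return struct.pack("!BBHB", 2, ident, 5 + len(body), 26) + body

FULL = to_radiator_dump(build_sample())
CUT = to_radiator_dump(build_sample()[:34]) + "<13"   # line lost its tail, as in a bad paste

if __name__ == "__main__":
    for label, dump in (("full", FULL), ("cut", CUT)):
        r = parse_mschapv2_response(from_radiator_dump(dump))
        print(label, r["eap_length"], r["captured"], r["truncated"], r["name"])
```

Dumps taken from a list archive need the address obfuscation (" at " in place of "@") undone before the length comparison means anything.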