[RADIATOR] Protected EAP authentication failed

Fabio Ciampi fabio.ciampi at isti.cnr.it
Mon Jul 18 09:20:42 CDT 2011


  Hello Heikki,

> I was wondering why it does still not get the identity, and took a
> better look at the code. The identity with EAP protocols is actually
> taken from EAP message that has type Identity (1).
>
> For example the first EAP tunnelled request has this when testing with
> eapol_test:
>
>          EAP-Message =<2><5><0><4><1>hvn
>
> 0x2 = Code (Response)
> 0x5 = Identifier
> 0x0004 = Length
> 0x1 = Type (Identity)
> hvn = Type-Data
>
> So you should check the logs to see if the client sends or gets prompted
> and then sends its identity with a message like above.
>

I did a test with eapol_test using the following configuration file:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=root
    network={
             ssid="test-network"
             scan_ssid=1
             key_mgmt=WPA-EAP
             eap=PEAP
             identity="fabio at test.it"
             anonymous_identity="vino11 at test.it"
             password="ciambella"
             #ca_cert="/etc/cert/ca.pem"
             phase2="auth=MSCHAPV2"
    }


Again it works if I use TTLS, but it doesn't work with PEAP
authentication. Here is what I got in the Radiator debug file:


Code:       Access-Request
Identifier: 6
Authentic:  zE<164>}<11><221>j<187><169><128><178>w<165><11>Y<240>
Attributes:
     User-Name = "vino11 at test.it"
     NAS-IP-Address = 127.0.0.1
     Calling-Station-Id = "02-00-00-00-00-01"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-IEEE-802-11
     Connect-Info = "CONNECT 11Mbps 802.11b"
     EAP-Message = <2><6><0>`<25><1><23><3><1><0> 
n<162>l-<20><173><193>E"FE<249>T<238><169><<234><128>
=<26>N<141>[<176><128><8><218><208>so-<11><23><3><1><0>0[<22>E<170>9<191><1><241>?<214><228><206>=<141><184>
<9>J<227>y<4><186><169>$?]Y<238><137><230>B<183><149>Bw<135>J&<186><24>;<136><144><136><254><132><240><137><130>
     Message-Authenticator = 
KR><183><154><167>B<17><189>B%<159><10><15><154><188>

Mon Jul 18 15:54:07 2011: DEBUG: Handling request with Handler 'Realm = test.it'
Mon Jul 18 15:54:07 2011: DEBUG: Rewrote user name to vino11 at test.it
Mon Jul 18 15:54:07 2011: DEBUG:  Deleting session for vino11 at test.it, 127.0.0.1,
Mon Jul 18 15:54:07 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Jul 18 15:54:07 2011: DEBUG: Handling with EAP: code 2, 6, 96, 25
Mon Jul 18 15:54:07 2011: DEBUG: Response type 25
Mon Jul 18 15:54:07 2011: DEBUG: EAP PEAP inner authentication request for vino11 at test.it
Mon Jul 18 15:54:07 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic: <152><234><7><176><217>P<26><186><29><7>rO<210>J<173><255>
Attributes:
* EAP-Message = <2><0><0><18><1>fabio at test.it*
     Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
     User-Name = "vino11 at test.it"
     NAS-IP-Address = 127.0.0.1
     Calling-Station-Id = "02-00-00-00-00-01"

Mon Jul 18 15:54:07 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, request_src = test-src'
Mon Jul 18 15:54:07 2011: DEBUG: Rewrote user name to vino11 at test.it
Mon Jul 18 15:54:07 2011: DEBUG:  Deleting session for vino11 at test.it, 127.0.0.1,
Mon Jul 18 15:54:07 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Jul 18 15:54:07 2011: DEBUG: Handling with EAP: code 2, 0, 18, 1
Mon Jul 18 15:54:07 2011: DEBUG: Response type 1
Mon Jul 18 15:54:07 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Mon Jul 18 15:54:07 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
Mon Jul 18 15:54:07 2011: DEBUG: Access challenged for vino11 at test.it: EAP MSCHAP-V2 Challenge
Mon Jul 18 15:54:07 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic: <152><234><7><176><217>P<26><186><29><7>rO<210>J<173><255>
Attributes:
     EAP-Message = 
<1><1><0>)<26><1><1><0>$<16>.<128><11>#<254>5',<248>H<223>B<216><15><5><174>mx3.isti.cnr.it
     Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Jul 18 15:54:07 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
Mon Jul 18 15:54:07 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
Mon Jul 18 15:54:07 2011: DEBUG: Access challenged for vino11 at test.it: EAP PEAP inner authentication redespatched to a Handler
Mon Jul 18 15:54:07 2011: DEBUG: Packet dump:
*** Sending to 146.48.87.201 port 38987 ....
Code:       Access-Challenge
Identifier: 6
Authentic: <158>5<254>^0<232>0`<172>^<247><186>\^<178><24>
Attributes:
     EAP-Message = 
<1><1><0>K<25><1><23><3><1><0>@)<228><206><208>3<197>6<247><222><197><181><161>L$B~fZ<242><250><3><182>P<236>
<250>,<249>TzS<12>oC<133>m<174><129>B<30><152><251><8><243>Q<168><234>^<140>2QM<222>X<183>d<6>k<12><198>=<198>N<170>6
     Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Jul 18 15:54:07 2011: DEBUG: Packet dump:
*** Received from 146.48.87.201 port 38987 ....
Code:       Access-Request
Identifier: 7
Authentic: <131>8<236>SX$e<25>Jl<175>7<7><143><134><223>
Attributes:
     User-Name = "vino11 at test.it"
     NAS-IP-Address = 127.0.0.1
     Calling-Station-Id = "02-00-00-00-00-01"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-IEEE-802-11
     Connect-Info = "CONNECT 11Mbps 802.11b"
     EAP-Message = <2><1><0><144><25><1><23><3><1><0> 
iT8<10>[<146>BIa<181><235><155><135>p<222><25>f<243>Y\HJ%<11><149>
<12><<216><140><213><244><209><23><3><1><0>`4{O<202>%<30><12>`d<187><191><128><175>HV<247><156>C<185><31><140><162><250>r<230>
Y#X<155><144>F<10>!<218>#L<208>k<195>^Q|<233>u5K<184><228>MW-<235><129><172><193>M<31><148><143><182><189><219><246><228><21>Lc
<252><9><30><165><228>rGB<235><150>x!<218>4<167>N!N<140><159><142>n<137><171>R<212><159>u7
     Message-Authenticator = Da_}<14><219><178>kP<179><130><3>mjV<215>

Mon Jul 18 15:54:07 2011: DEBUG: Handling request with Handler 'Realm = test.it'
Mon Jul 18 15:54:07 2011: DEBUG: Rewrote user name to vino11 at test.it
Mon Jul 18 15:54:07 2011: DEBUG:  Deleting session for vino11 at test.it, 127.0.0.1,
Mon Jul 18 15:54:07 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Jul 18 15:54:07 2011: DEBUG: Handling with EAP: code 2, 1, 144, 25
Mon Jul 18 15:54:08 2011: DEBUG: Response type 25
Mon Jul 18 15:54:08 2011: DEBUG: EAP PEAP inner authentication request for fabio at test.it
Mon Jul 18 15:54:08 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic: <19><152>'<205><201><134><159>![8<233><198><218><140><216>?
Attributes:
     EAP-Message = 
<2><1><0>H<26><2><1><0>C1<240><149>DOE<22>k<240><205>*<15><253><0><148>E<224><0><0><0><0><0><0><0><0>d@<136>
<25>,M<187><151><1><222><168><29>E<21>J<193>P<29><145><249><18><212><243><11><0>fabio at test.it
     Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
     User-Name = "fabio at test.it"
     NAS-IP-Address = 127.0.0.1
     Calling-Station-Id = "02-00-00-00-00-01"

Mon Jul 18 15:54:08 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, request_src = test-src'
Mon Jul 18 15:54:08 2011: DEBUG: Rewrote user name to fabio at test.it
Mon Jul 18 15:54:08 2011: DEBUG:  Deleting session for fabio at test.it, 127.0.0.1,
Mon Jul 18 15:54:08 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Jul 18 15:54:08 2011: DEBUG: Handling with EAP: code 2, 1, 72, 26
Mon Jul 18 15:54:08 2011: DEBUG: Response type 26
Mon Jul 18 15:54:08 2011: DEBUG: Radius::AuthFILE looks for match with [fabio at test.it]
Mon Jul 18 15:54:08 2011: DEBUG: Radius::AuthFILE REJECT: No such user: [fabio at test.it]
Mon Jul 18 15:54:08 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user
Mon Jul 18 15:54:08 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user
Mon Jul 18 15:54:08 2011: INFO: Access rejected for fabio at test.it: EAP MSCHAP V2 failed: no such user
Mon Jul 18 15:54:08 2011: DEBUG: Returned PEAP tunnelled packet dump:


As you see, within the EAP-Message the value of the Identity type is 1.
I attach the log file of eapol_test that I got on the client side.


Kind regards
Fabio
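
Added example, not code from the original post, from Heikki's reply, or from Radiator: a small Python decoder for the EAP-Message payloads quoted in this thread, following the layout Heikki describes (Code, Identifier, Length, Type, Type-Data). It decodes the Identity response (type 1), reads the PEAP (type 25) flags and the TLS record header that follows them, and pulls the Name out of an EAP-MSCHAPv2 (type 26) Response, which is the identity the inner Handler looks up. The sample packets are constructed here to reproduce the header values the log reports ("code 2, 0, 18, 1" and "code 2, 1, 72, 26"); the list archive renders "@" as " at ", so the samples use fabio@test.it. The challenge/response bytes and the TLS record contents are dummy values, and the packet layouts follow RFC 3748 for EAP and the EAP-MSCHAPv2 draft for type 26.

```python
"""Decode the EAP-Message payloads seen in the Radiator debug log above.

Added example (not Radiator code).  Layouts: RFC 3748 (EAP header and
Identity), the PEAP flags octet, draft-kamath-pppext-eap-mschapv2 (type 26).
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapPacket:
    code: int                  # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    length: int
    eap_type: Optional[int]    # None for Success/Failure, which carry no Type
    details: dict = field(default_factory=dict)


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet; raise ValueError if Length disagrees with the buffer."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"Length {length} does not fit {len(raw)} received octets")
    body = raw[4:length]
    if code in (3, 4):
        return EapPacket(code, ident, length, None)
    if not body:
        raise ValueError("Request/Response needs a Type octet")
    pkt = EapPacket(code, ident, length, body[0])
    type_data = body[1:]
    if pkt.eap_type == 1:            # Identity: Type-Data is the bare NAI
        pkt.details["identity"] = type_data.decode("utf-8", "replace")
    elif pkt.eap_type == 25:
        pkt.details.update(parse_peap(type_data))
    elif pkt.eap_type == 26:
        pkt.details.update(parse_mschapv2(type_data))
    return pkt


def parse_peap(data: bytes) -> dict:
    """PEAP: flags octet, optional 4-octet TLS Message Length, then TLS records."""
    flags = data[0]
    d = {"peap_version": flags & 0x07, "start": bool(flags & 0x20),
         "more_fragments": bool(flags & 0x40)}
    off = 1
    if flags & 0x80:                 # L bit set: total TLS message length present
        d["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
        off = 5
    tls = data[off:]
    if len(tls) >= 5:                # TLS record header: type, version, length
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        d["tls_record"] = {"content_type": ctype,   # 0x17 = application data
                           "version": (major, minor), "length": rec_len}
    # The inner EAP conversation sits inside these records; without the TLS
    # session keys nothing past the record header can be read here.
    return d


def parse_mschapv2(data: bytes) -> dict:
    """EAP-MSCHAPv2: OpCode, MS-CHAPv2-ID, MS-Length, then opcode-specific body."""
    opcode, ms_id, ms_len = struct.unpack("!BBH", data[:4])
    if ms_len > len(data):
        raise ValueError(f"MS-Length {ms_len} exceeds {len(data)} available octets")
    d = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "mschapv2_id": ms_id}
    if opcode in (1, 2):             # Challenge/Response: Value-Size, Value, Name
        value_size = data[4]
        value = data[5:5 + value_size]
        d["name"] = data[5 + value_size:ms_len].decode("utf-8", "replace")
        if opcode == 1:
            d["challenge"] = value   # 16-octet authenticator challenge
        else:                        # 49 octets: PeerChallenge, Reserved, NTResponse, Flags
            d["peer_challenge"] = value[:16]
            d["nt_response"] = value[24:48]
    return d


def extract_identity(pkt: EapPacket) -> Optional[str]:
    """Name the inner handler keys its user lookup on, if this packet carries one."""
    if pkt.eap_type == 1:
        return pkt.details["identity"]
    if pkt.eap_type == 26 and pkt.details.get("opcode") == "Response":
        return pkt.details["name"]
    return None


# --- constructed samples (dummy challenge/response/TLS bytes) ---------------
def build_identity_response(ident: int, identity: str) -> bytes:
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def build_mschapv2_response(ident: int, ms_id: int, peer_challenge: bytes,
                            nt_response: bytes, name: str) -> bytes:
    value = peer_challenge + bytes(8) + nt_response + b"\x00"   # 16+8+24+1 = 49
    ms_body = bytes([len(value)]) + value + name.encode()
    body = bytes([26]) + struct.pack("!BBH", 2, ms_id, 4 + len(ms_body)) + ms_body
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def build_peap_response(ident: int, tls_record: bytes, version: int = 1) -> bytes:
    body = bytes([25, version & 0x07]) + tls_record
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


INNER_IDENTITY = build_identity_response(0, "fabio@test.it")          # code 2, 0, 18, 1
INNER_MSCHAP = build_mschapv2_response(1, 1, bytes(range(16)), bytes(range(24)),
                                       "fabio@test.it")                # code 2, 1, 72, 26
OUTER_PEAP = build_peap_response(6, b"\x17\x03\x01\x00\x20" + bytes(32))

if __name__ == "__main__":
    for raw in (OUTER_PEAP, INNER_IDENTITY, INNER_MSCHAP):
        pkt = parse_eap(raw)
        print(pkt.code, pkt.identifier, pkt.length, pkt.eap_type,
              EAP_TYPES.get(pkt.eap_type), extract_identity(pkt))
```

Run it and the three lines printed correspond to the outer PEAP request (identity unreadable, only the TLS record header is visible), the tunnelled Identity response, and the tunnelled MS-CHAPv2 Response whose Name field carries the inner user name the AuthBy FILE lookup is keyed on.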


-------------- next part --------------
A non-text attachment was scrubbed...
Name: eapol_test_client.log
Type: text/x-log
Size: 37564 bytes
Desc: not available
Url : http://www.open.com.au/pipermail/radiator/attachments/20110718/8dbd000c/attachment-0001.bin 