[RADIATOR] eap + apple products - failed auth

Heikki Vatiainen hvn at open.com.au
Fri Mar 16 07:53:43 CDT 2012 

On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:

> In fact, the Message-Authenticator attribute was in the last packet

Ok thanks. Returning back to the list with this. There is information
about debugging EAP on Macs below, so this might be useful for later
reference too.

I did testing with Lion (10.7). The test setup was to terminate TTLS on
one Radiator and proxy the inner MS-CHAP-V2 to anther Radiator for
authentication.

First setup returned no extra attributes from the authenticating Radiator:

Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:
<250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
Attributes:
        MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"


Next try returned a number of different attributes, just like your setup
does:

Attributes:
        MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
        Framed-IP-Address = 255.255.255.255
        Class = "funcionarios"
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 0:247
        Tunnel-Type = 0:VLAN
        MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
        MS-MPPE-Send-Key =
<137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
        MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
        MS-CHAP-Domain = "<231>UMINHO"
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 14


In both cases 10.7 had no problems with authentication.

You could try turning debugging on with Mac. Here are some notes Google
found for 10.6. I did not test these since I did not have 10.6.

http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X


For 10.7 I turned eapolclient debugging on like this:

Note: defaults command overwrites
/Library/Preferences/SystemConfiguration/com.apple.eapolclient

sudo defaults write
/Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
-int 255

Then watch /var/log/system.log

You should see: "eapolclient[nnnn]: opened log file
'/var/log/eapolclient.en1.log' where nnnn is eapolclient's process id
and en1 is the interface name.

The log file will show how EAPOL works. It will not show details about
e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
and sent and what their contents are.

Thanks!
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list