[RADIATOR] eap + apple products - failed auth - CORRECTION

Amândio Antunes Gomes Silva amandio at scom.uminho.pt
Mon Mar 19 09:20:09 CDT 2012


Hi Heikki (and list)!

I've been busy; that's why I didn't respond so promptly.

Just a thing that might be crucial to this problem: the RADIUS to which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Internet Authentication Service").

Thx,

Amândio

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Friday, 16 March 2012 12:54
To: Amândio Antunes Gomes Silva
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] eap + apple products - failed auth

On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:

> In fact, the Message-Authenticator attribute was in the last packet

Ok thanks. Returning back to the list with this. There is information
about debugging EAP on Macs below, so this might be useful for later
reference too.

I did testing with Lion (10.7). The test setup was to terminate TTLS on
one Radiator and proxy the inner MS-CHAP-V2 to another Radiator for
authentication.

First setup returned no extra attributes from the authenticating Radiator:

Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:
<250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
Attributes:
        MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"


Next try returned a number of different attributes, just like your setup
does:

Attributes:
        MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
        Framed-IP-Address = 255.255.255.255
        Class = "funcionarios"
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 0:247
        Tunnel-Type = 0:VLAN
        MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
        MS-MPPE-Send-Key =
<137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
        MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
        MS-CHAP-Domain = "<231>UMINHO"
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 14


In both cases 10.7 had no problems with authentication.

You could try turning debugging on with Mac. Here are some notes Google
found for 10.6. I did not test these since I did not have 10.6.

http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X


For 10.7 I turned eapolclient debugging on like this:

Note: defaults command overwrites
/Library/Preferences/SystemConfiguration/com.apple.eapolclient

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 255

Then watch /var/log/system.log

You should see "eapolclient[nnnn]: opened log file
'/var/log/eapolclient.en1.log'", where nnnn is eapolclient's process id
and en1 is the interface name.

The log file will show how EAPOL works. It will not show details about
e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
and sent and what their contents are.

Thanks!
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
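When the inner MS-CHAP-V2 is proxied to another server, the first thing to check is what that server actually sends back in the tunnelled Access-Accept. The following script, added here and not part of the thread or of Radiator, parses a Radiator "Attributes:" debug dump (the second dump quoted above, embedded as a constructed sample, including the value the mail client folded onto its own line), decodes Radiator's <NNN> notation for raw bytes, lists attributes that appear more than once, and splits each MS-CHAP2-Success into its Ident byte and authenticator response so two occurrences can be compared side by side.

```python
import re
from collections import Counter
# Constructed sample: the second "Attributes:" dump from the thread, MS-MPPE-Send-Key folded as in the mail.
SAMPLE_DUMP = """Attributes:
        MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
        Framed-IP-Address = 255.255.255.255
        Class = "funcionarios"
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 0:247
        Tunnel-Type = 0:VLAN
        MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
        MS-MPPE-Send-Key =
<137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
        MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
        MS-CHAP-Domain = "<231>UMINHO"
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 14
"""

ATTR_RE = re.compile(r"^\s+([\w-]+) =\s?(.*)$")  # "<indent>Name = value"
ESC_RE = re.compile(r"<(\d{1,3})>")              # Radiator prints a raw byte as <NNN>
def unescape(value):
    """Turn Radiator's <NNN> notation back into the raw bytes it stands for."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1))), value).encode("latin-1")

def parse_attributes(dump):
    """Parse an 'Attributes:' block into (name, raw bytes) pairs, re-joining folded lines."""
    attrs = []
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.append([m.group(1), m.group(2)])
        elif attrs and line.strip():
            attrs[-1][1] += line  # continuation of a value the mail client wrapped
    result = []
    for name, val in attrs:
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # Radiator quotes string-typed attributes
        result.append((name, unescape(val)))
    return result

def duplicates(attrs):
    """Attribute names that occur more than once in the reply."""
    return sorted(n for n, c in Counter(n for n, _ in attrs).items() if c > 1)

def mschap2_success_fields(attrs):
    """Split each MS-CHAP2-Success into (Ident byte, authenticator response) per RFC 2548."""
    return [(v[0], v[3:].decode("ascii")) for n, v in attrs
            if n == "MS-CHAP2-Success" and v[1:3] == b"S="]
```

Run it against the "Returned TTLS tunnelled Diameter Packet dump" block from a Radiator trace at debug level 4 to see which attributes the proxy target adds and whether any of them are repeated.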

