[RADIATOR] eap + apple products - failed auth - CORRECTION

Heikki Vatiainen hvn at open.com.au
Wed Mar 21 18:38:36 CDT 2012


On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:

Hello,

> I've been busy, that's why I didn't respond so promptly.
> 
> Just a thing that might be crucial to this problem: the RADIUS to which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Internet Authentication Service").

Ok, I think I have found something. It seems to be a Mac thing, not a
IAS or NPS problem.

Try adding the following in your AuthBy RADIUS that proxies to IAS:

StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key

Looks like Mac does not like it if these attributes are passed to it via
TTLS inner authentication. The MPPE attributes are clearly not needed,
since Radiator will calculate the correct attributes for the final
Access-Accept.

Try stripping those three attributes from the reply received from the MS
server. Please tell us how it goes.

Thanks!
Heikki


> Thx,
> 
> Amândio
> 
> -----Mensagem original-----
> De: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Enviada: sexta-feira, 16 de Março de 2012 12:54
> Para: Amândio Antunes Gomes Silva
> Cc: radiator at open.com.au
> Assunto: Re: [RADIATOR] eap + apple products - failed auth
> 
> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
> 
>> In fact, the Message-Authenticator attribute was in the last packet
> 
> Ok thanks. Returning back to the list with this. There is information
> about debugging EAP on Macs below, so this might be useful for later
> reference too.
> 
> I did testing with Lion (10.7). The test setup was to terminate TTLS on
> one Radiator and proxy the inner MS-CHAP-V2 to anther Radiator for
> authentication.
> 
> First setup returned no extra attributes from the authenticating Radiator:
> 
> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
> dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:
> <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
> Attributes:
>         MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
> 
> 
> Next try returned a number of different attributes, just like your setup
> does:
> 
> Attributes:
>         MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
>         Framed-IP-Address = 255.255.255.255
>         Class = "funcionarios"
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 0:247
>         Tunnel-Type = 0:VLAN
>         MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
>         MS-MPPE-Send-Key =
> <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
>         MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
>         MS-CHAP-Domain = "<231>UMINHO"
>         MS-MPPE-Encryption-Policy = Encryption-Required
>         MS-MPPE-Encryption-Types = 14
> 
> 
> In both cases 10.7 had no problems with authentication.
> 
> You could try turning debugging on with Mac. Here are some notes Google
> found for 10.6. I did not test these since I did not have 10.6.
> 
> http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X
> 
> 
> For 10.7 I turned eapolclient debugging on like this:
> 
> Note: defaults command overwrites
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient
> 
> sudo defaults write
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
> -int 255
> 
> Then watch /var/log/system.log
> 
> You should see: "eapolclient[nnnn]: opened log file
> '/var/log/eapolclient.en1.log' where nnnn is eapolclient's process id
> and en1 is the interface name.
> 
> The log file will show how EAPOL works. It will not show details about
> e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
> and sent and what their contents are.
> 
> Thanks!
> Heikki
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list