[RADIATOR] eap + apple products - failed auth - CORRECTION

Amândio Antunes Gomes Silva amandio at scom.uminho.pt
Thu Mar 22 13:08:36 CDT 2012


Hello,

the tips you gave didn't work. I've activated the log of the eapolclient on the MacOS side and observed the following (filtered):

2012/03/22 17:47:02.960034 4-way handshake notification scheduled
2012/03/22 17:47:07.613699 4-way handshake notification unscheduled
2012/03/22 17:50:18.496100 4-way handshake notification scheduled
2012/03/22 17:50:25.761091 4-way handshake complete

The lines that corresponds to the TTLS/MSCHAPV2 are the ones that occur by the time 17:47:??, and the authentication fails. The other two lines corresponds to an Successful PEAP (MSCHAPV2) authentication.

I googled around to search for "4-way handshake notification unscheduled", and found the source code of EAPOLSocket.c (http://www.opensource.apple.com/source/eap8021x/eap8021x-137/eapolclient.tproj/EAPOLSocket.c). 

As far as I can understand, someone is breaking the 4-way..., which makes the authentication fail.

Hope this can help you to help me...

Best regards,

Amândio

-----Mensagem original-----
De: Heikki Vatiainen [mailto:hvn at open.com.au]
Enviada: qua 21-03-2012 23:38
Para: Amândio Antunes Gomes Silva
Cc: radiator at open.com.au
Assunto: Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
 
On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:

Hello,

> I've been busy, that's why I didn't respond so promptly.
> 
> Just a thing that might be crucial to this problem: the RADIUS to which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Internet Authentication Service").

Ok, I think I have found something. It seems to be a Mac thing, not a
IAS or NPS problem.

Try adding the following in your AuthBy RADIUS that proxies to IAS:

StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key

Looks like Mac does not like it if these attributes are passed to it via
TTLS inner authentication. The MPPE attributes are clearly not needed,
since Radiator will calculate the correct attributes for the final
Access-Accept.

Try stripping those three attributes from the reply received from the MS
server. Please tell us how it goes.

Thanks!
Heikki


> Thx,
> 
> Amândio
> 
> -----Mensagem original-----
> De: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Enviada: sexta-feira, 16 de Março de 2012 12:54
> Para: Amândio Antunes Gomes Silva
> Cc: radiator at open.com.au
> Assunto: Re: [RADIATOR] eap + apple products - failed auth
> 
> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
> 
>> In fact, the Message-Authenticator attribute was in the last packet
> 
> Ok thanks. Returning back to the list with this. There is information
> about debugging EAP on Macs below, so this might be useful for later
> reference too.
> 
> I did testing with Lion (10.7). The test setup was to terminate TTLS on
> one Radiator and proxy the inner MS-CHAP-V2 to anther Radiator for
> authentication.
> 
> First setup returned no extra attributes from the authenticating Radiator:
> 
> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
> dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:
> <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
> Attributes:
>         MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
> 
> 
> Next try returned a number of different attributes, just like your setup
> does:
> 
> Attributes:
>         MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
>         Framed-IP-Address = 255.255.255.255
>         Class = "funcionarios"
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 0:247
>         Tunnel-Type = 0:VLAN
>         MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
>         MS-MPPE-Send-Key =
> <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
>         MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
>         MS-CHAP-Domain = "<231>UMINHO"
>         MS-MPPE-Encryption-Policy = Encryption-Required
>         MS-MPPE-Encryption-Types = 14
> 
> 
> In both cases 10.7 had no problems with authentication.
> 
> You could try turning debugging on with Mac. Here are some notes Google
> found for 10.6. I did not test these since I did not have 10.6.
> 
> http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X
> 
> 
> For 10.7 I turned eapolclient debugging on like this:
> 
> Note: defaults command overwrites
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient
> 
> sudo defaults write
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
> -int 255
> 
> Then watch /var/log/system.log
> 
> You should see: "eapolclient[nnnn]: opened log file
> '/var/log/eapolclient.en1.log' where nnnn is eapolclient's process id
> and en1 is the interface name.
> 
> The log file will show how EAPOL works. It will not show details about
> e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
> and sent and what their contents are.
> 
> Thanks!
> Heikki
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120322/36a06cde/attachment.html 


More information about the radiator mailing list