[RADIATOR] eap + apple products - failed auth - CORRECTION

Heikki Vatiainen hvn at open.com.au
Thu Mar 22 17:14:36 CDT 2012


On 03/22/2012 08:08 PM, Amândio Antunes Gomes Silva wrote:

> the tips you gave didn't work. I've activated the log of the eapolclient
> on the MacOS side and observed the following (filtered):

Yes, I it looks like filtering attributes from inner authentication was
sometimes successful, but not always.

The eapol log is not that helpfulp because the problem seems to be with
TTLS (upper layer).

However, I think I have found a consistent way to have it fail or
succeed. Looks like the key to success is to make sure MS-CHAP2-Success
gets tunneled to the client as the first attribute.

You could try stripping all other attributes and/or making sure
MS-CHAP2-Success is the first attribute in the "Returned TTLS tunnelled
Diameter Packet dump" list.

Can you try this and tell how it works for you?

Thanks!
Heikki


> 2012/03/22 17:47:02.960034 4-way handshake notification scheduled
> 2012/03/22 17:47:07.613699 4-way handshake notification unscheduled
> 2012/03/22 17:50:18.496100 4-way handshake notification scheduled
> 2012/03/22 17:50:25.761091 4-way handshake complete
> 
> The lines that corresponds to the TTLS/MSCHAPV2 are the ones that occur
> by the time 17:47:??, and the authentication fails. The other two lines
> corresponds to an Successful PEAP (MSCHAPV2) authentication.
> 
> I googled around to search for "4-way handshake notification
> unscheduled", and found the source code of EAPOLSocket.c
> (http://www.opensource.apple.com/source/eap8021x/eap8021x-137/eapolclient.tproj/EAPOLSocket.c).
> 
> As far as I can understand, someone is breaking the 4-way..., which
> makes the authentication fail.
> 
> Hope this can help you to help me...
> 
> Best regards,
> 
> Amândio
> 
> -----Mensagem original-----
> De: Heikki Vatiainen [mailto:hvn at open.com.au]
> Enviada: qua 21-03-2012 23:38
> Para: Amândio Antunes Gomes Silva
> Cc: radiator at open.com.au
> Assunto: Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
> 
> On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:
> 
> Hello,
> 
>> I've been busy, that's why I didn't respond so promptly.
>>
>> Just a thing that might be crucial to this problem: the RADIUS to
> which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows
> Server 2003 "Internet Authentication Service").
> 
> Ok, I think I have found something. It seems to be a Mac thing, not a
> IAS or NPS problem.
> 
> Try adding the following in your AuthBy RADIUS that proxies to IAS:
> 
> StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key
> 
> Looks like Mac does not like it if these attributes are passed to it via
> TTLS inner authentication. The MPPE attributes are clearly not needed,
> since Radiator will calculate the correct attributes for the final
> Access-Accept.
> 
> Try stripping those three attributes from the reply received from the MS
> server. Please tell us how it goes.
> 
> Thanks!
> Heikki
> 
> 
>> Thx,
>>
>> Amândio
>>
>> -----Mensagem original-----
>> De: Heikki Vatiainen [mailto:hvn at open.com.au]
>> Enviada: sexta-feira, 16 de Março de 2012 12:54
>> Para: Amândio Antunes Gomes Silva
>> Cc: radiator at open.com.au
>> Assunto: Re: [RADIATOR] eap + apple products - failed auth
>>
>> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
>>
>>> In fact, the Message-Authenticator attribute was in the last packet
>>
>> Ok thanks. Returning back to the list with this. There is information
>> about debugging EAP on Macs below, so this might be useful for later
>> reference too.
>>
>> I did testing with Lion (10.7). The test setup was to terminate TTLS on
>> one Radiator and proxy the inner MS-CHAP-V2 to anther Radiator for
>> authentication.
>>
>> First setup returned no extra attributes from the authenticating Radiator:
>>
>> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
>> dump:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:
>> <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
>> Attributes:
>>         MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
>>
>>
>> Next try returned a number of different attributes, just like your setup
>> does:
>>
>> Attributes:
>>         MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
>>         Framed-IP-Address = 255.255.255.255
>>         Class = "funcionarios"
>>         Tunnel-Medium-Type = 0:802
>>         Tunnel-Private-Group-ID = 0:247
>>         Tunnel-Type = 0:VLAN
>>         MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
>>         MS-MPPE-Send-Key =
>> <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
>>         MS-CHAP2-Success =
> "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
>>         MS-CHAP-Domain = "<231>UMINHO"
>>         MS-MPPE-Encryption-Policy = Encryption-Required
>>         MS-MPPE-Encryption-Types = 14
>>
>>
>> In both cases 10.7 had no problems with authentication.
>>
>> You could try turning debugging on with Mac. Here are some notes Google
>> found for 10.6. I did not test these since I did not have 10.6.
>>
>>
> http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X
>>
>>
>> For 10.7 I turned eapolclient debugging on like this:
>>
>> Note: defaults command overwrites
>> /Library/Preferences/SystemConfiguration/com.apple.eapolclient
>>
>> sudo defaults write
>> /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
>> -int 255
>>
>> Then watch /var/log/system.log
>>
>> You should see: "eapolclient[nnnn]: opened log file
>> '/var/log/eapolclient.en1.log' where nnnn is eapolclient's process id
>> and en1 is the interface name.
>>
>> The log file will show how EAPOL works. It will not show details about
>> e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
>> and sent and what their contents are.
>>
>> Thanks!
>> Heikki
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list