[RADIATOR] eap + apple products - failed auth - CORRECTION

Amândio Antunes Gomes Silva amandio at scom.uminho.pt
Fri Mar 23 12:28:33 CDT 2012


Hi Heikki et al.!

Finally I got it working!

Rearranging the attributes in the reply packet solved the problem. As I was already using a ReplyHook to add some attributes, I changed it to ensure that the MS-CHAP2-Success attribute comes first. I did that by storing all attributes in temp vars, removing all those attributes from the reply packet and inserting them again, starting with the specific attribute MS-CHAP2-Success. The lines I coded in the reply hook are as follows:


BEGIN OF THE ReplyHook code
sub {
  # Radiator ReplyHook arguments: the reply received from the proxied
  # server, the reply being built for the client, and the original request.
  my $p = ${$_[0]};
  my $rp = ${$_[1]};
  my $r = ${$_[2]};
  if ($p->code eq "Access-Accept") {
    use Net::LDAP;
    use Net::LDAP::Util qw(escape_filter_value);
    my $ldapserver = "*****************";
    my $authdn = "***************************";
    my $base = "********************";
    my $ldappw = "***************";
    # scheme => 'ldaps' already gives a TLS connection, so no start_tls()
    # is needed. new() returns undef when the server is unreachable, and a
    # method call on undef would kill the hook, so check it first.
    my $ldap = Net::LDAP->new($ldapserver, scheme => 'ldaps', timeout => 5);
    if (!$ldap) {
      &main::log($main::LOG_ERR, "LDAP connect to $ldapserver failed: $@");
      return;
    }
    my $mesg = $ldap->bind($authdn, password=>$ldappw);
    if ($mesg->code) {
      &main::log($main::LOG_ERR, "LDAP bind failed: ".$mesg->error);
      $ldap->unbind();
      return;
    }
    my $username = $r->get_attr('User-Name');
    $username =~  s/^([^@]+).*/$1/gi;   # strip any @realm
#   &main::log($main::LOG_DEBUG, "AMANDIO User-Name: ".$username);
    # The user name comes from the client, so escape LDAP filter
    # metacharacters before putting it into the search filter.
    my $ldapresult = $ldap->search(
                          base => $base,
                          filter => "(sAMAccountName=".escape_filter_value($username).")",
                          attrs => [ 'um-SCOMattribute1',
                                     'um-SCOMattribute2',
                                     'um-SCOMattribute3',
                                     'um-SCOMattribute4',
                                     'extensionAttribute2'
                                   ]
                          );
    my $max = $ldapresult->count;
    # Keep copies of what the proxied server returned so the attributes
    # can be re-added below in a controlled order.
    my $mschapdomain = $rp->get_attr('MS-CHAP-Domain');
    my $mschapresult = $rp->get_attr('MS-CHAP2-Success');
    my $msmpperecvkey = $rp->get_attr('MS-MPPE-Recv-Key');
    my $msmppesendkey = $rp->get_attr('MS-MPPE-Send-Key');
    my $msmppeencpol = $rp->get_attr('MS-MPPE-Encryption-Policy');
    my $msmppeenctypes = $rp->get_attr('MS-MPPE-Encryption-Types');
    my $framedipaddress = $rp->get_attr('Framed-IP-Address');
    if ($max > 0) { # Always true here: it runs after an Access-Accept, so the user exists
      my $entry = $ldapresult->entry(0);
      # Remove everything, then re-add with MS-CHAP2-Success first: the
      # Apple client only accepts the TTLS inner reply in that order.
      $rp->delete_attr('MS-CHAP2-Success');
      $rp->delete_attr('MS-CHAP-Domain');
      $rp->delete_attr('MS-MPPE-Recv-Key');
      $rp->delete_attr('MS-MPPE-Send-Key');
      $rp->delete_attr('MS-MPPE-Encryption-Policy');
      $rp->delete_attr('MS-MPPE-Encryption-Types');
      $rp->delete_attr('Framed-IP-Address');
      $rp->delete_attr('Tunnel-Medium-Type');
      $rp->delete_attr('Tunnel-Private-Group-ID');
      $rp->delete_attr('Tunnel-Type');
      $rp->delete_attr('Class');
      $p->delete_attr('Class');
      $rp->add_attr('MS-CHAP2-Success',$mschapresult);
      $rp->add_attr('MS-CHAP-Domain',$mschapdomain);
      $rp->add_attr('MS-MPPE-Recv-Key',$msmpperecvkey);
      $rp->add_attr('MS-MPPE-Send-Key',$msmppesendkey);
      $rp->add_attr('MS-MPPE-Encryption-Policy',$msmppeencpol);
      $rp->add_attr('MS-MPPE-Encryption-Types',$msmppeenctypes);
      $rp->add_attr('Framed-IP-Address',$framedipaddress);
      # VLAN assignment and Class come from the directory entry.
      $rp->add_attr('Tunnel-Type', $entry->get_value('um-SCOMattribute1'));
      #$p->change_attr('Tunnel-Private-Group-ID', $entry->get_value('um-SCOMattribute2')) if (defined($p->get_attr('Tunnel-Private-Group-ID')));
      $rp->add_attr('Tunnel-Private-Group-ID', $entry->get_value('um-SCOMattribute2'));
      $p->change_attr('Class', $entry->get_value('um-SCOMattribute3')) if (defined($p->get_attr('Class')));
      $rp->add_attr('Class', $entry->get_value('um-SCOMattribute3')) if (!defined($p->get_attr('Class')));
      $rp->add_attr('Tunnel-Medium-Type', $entry->get_value('um-SCOMattribute4'));
      $rp->add_attr('Reply-Message', $entry->get_value('extensionAttribute2'));
    }
    $ldap->unbind();
    &main::log($main::LOG_DEBUG, "R->User-Name: ".$r->get_attr('User-Name'));
    &main::log($main::LOG_DEBUG, "RP->Class: ".$rp->get_attr('Class'));
    &main::log($main::LOG_DEBUG, "RP->Tunnel-Private-Group-ID: ".$rp->get_attr('Tunnel-Private-Group-ID'));
    &main::log($main::LOG_DEBUG, "RP->Tunnel-Medium-Type: ".$rp->get_attr('Tunnel-Medium-Type'));
    &main::log($main::LOG_DEBUG, "RP->Tunnel-Type: ".$rp->get_attr('Tunnel-Type'));
    &main::log($main::LOG_DEBUG, "RP->MS-CHAP2-Success: ".$rp->get_attr('MS-CHAP2-Success'));
    &main::log($main::LOG_DEBUG, "var MS-CHAP2-Success: ".$mschapresult);
  }
  return;
}
END OF ReplyHook code

I know some of these attributes can be removed from the packet, as you said before, but I wanted to see how it behaves - BTW, improvements to this ReplyHook are welcome.

I may say that it was a 'little bit' tricky to get around this.

Thank you very much, Heikki!

Best regards,

Amândio
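A more general form of the same reordering, added here as an example and not part of Amândio's hook or of Radiator's own code: it moves MS-CHAP2-Success to the front of the reply being built without naming every other attribute, and drops the MPPE key attributes Heikki identified as unnecessary in the inner reply. It assumes the ReplyHook argument order from the Radiator reference manual and that the reply object keeps its attributes in $rp->{Attributes} as an array of [name, value] pairs.

```perl
# Added example, not Amândio's hook and not Radiator's own code.
# ReplyHook for the AuthBy RADIUS that proxies the inner MS-CHAP-V2:
# rebuilds the reply so MS-CHAP2-Success is the first tunnelled attribute.
# ASSUMPTIONS: argument order as in the Radiator reference manual (reply
# received from the remote server, reply being built for the client,
# original request) and that the reply keeps its attributes in
# $rp->{Attributes} as an array of [name, value] pairs.
sub {
  my $p  = ${$_[0]};   # Access-Accept/Reject received from IAS
  my $rp = ${$_[1]};   # reply being built for the TTLS client
  my $r  = ${$_[2]};   # original request (unused here)

  return unless $p->code eq 'Access-Accept';

  # Heikki's StripFromReply suggestion, applied in code: Radiator derives
  # the outer MPPE keys itself, so the inner copies are not needed.
  my %strip = map { $_ => 1 } qw(MS-MPPE-Send-Key MS-MPPE-Recv-Key);

  # Snapshot the current attribute list (ASSUMPTION: [name, value] pairs).
  my @attrs = @{ $rp->{Attributes} || [] };
  my (@first, @rest);
  for my $pair (@attrs) {
    my $name = $pair->[0];
    next if $strip{$name};
    if ($name eq 'MS-CHAP2-Success') { push @first, $pair; }
    else                             { push @rest,  $pair; }
  }

  # No MS-CHAP2-Success means the inner method was not MS-CHAP-V2 (e.g. PAP);
  # there is nothing to reorder, so leave the reply as the server returned it.
  return unless @first;

  # Remove every attribute, then re-add in the chosen order: the
  # MS-CHAP2-Success value(s) first, the rest in their original order.
  $rp->delete_attr($_->[0]) for @attrs;
  $rp->add_attr(@$_) for (@first, @rest);

  &main::log($main::LOG_DEBUG, 'Inner reply attribute order: '
             . join(', ', map { $_->[0] } @{ $rp->{Attributes} }));
  return;
}
```

The order check can be confirmed in the "Returned TTLS tunnelled Diameter Packet dump" that Radiator logs at debug level.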

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Thursday, 22 March 2012 22:15
To: Amândio Antunes Gomes Silva
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] eap + apple products - failed auth - CORRECTION

On 03/22/2012 08:08 PM, Amândio Antunes Gomes Silva wrote:

> the tips you gave didn't work. I've activated the log of the eapolclient
> on the MacOS side and observed the following (filtered):

Yes, it looks like filtering attributes from inner authentication was
sometimes successful, but not always.

The eapol log is not that helpful because the problem seems to be with
TTLS (upper layer).

However, I think I have found a consistent way to have it fail or
succeed. Looks like the key to success is to make sure MS-CHAP2-Success
gets tunneled to the client as the first attribute.

You could try stripping all other attributes and/or making sure
MS-CHAP2-Success is the first attribute in the "Returned TTLS tunnelled
Diameter Packet dump" list.

Can you try this and tell how it works for you?

Thanks!
Heikki


> 2012/03/22 17:47:02.960034 4-way handshake notification scheduled
> 2012/03/22 17:47:07.613699 4-way handshake notification unscheduled
> 2012/03/22 17:50:18.496100 4-way handshake notification scheduled
> 2012/03/22 17:50:25.761091 4-way handshake complete
> 
> The lines that correspond to the TTLS/MSCHAPV2 are the ones that occur
> by the time 17:47:??, and the authentication fails. The other two lines
> correspond to a successful PEAP (MSCHAPV2) authentication.
> 
> I googled around to search for "4-way handshake notification
> unscheduled", and found the source code of EAPOLSocket.c
> (http://www.opensource.apple.com/source/eap8021x/eap8021x-137/eapolclient.tproj/EAPOLSocket.c).
> 
> As far as I can understand, someone is breaking the 4-way..., which
> makes the authentication fail.
> 
> Hope this can help you to help me...
> 
> Best regards,
> 
> Amândio
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au]
> Sent: Wed 21-03-2012 23:38
> To: Amândio Antunes Gomes Silva
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
> 
> On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:
> 
> Hello,
> 
>> I've been busy, that's why I didn't respond so promptly.
>>
>> Just a thing that might be crucial to this problem: the RADIUS to
> which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows
> Server 2003 "Internet Authentication Service").
> 
> Ok, I think I have found something. It seems to be a Mac thing, not an
> IAS or NPS problem.
> 
> Try adding the following in your AuthBy RADIUS that proxies to IAS:
> 
> StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key
> 
> Looks like Mac does not like it if these attributes are passed to it via
> TTLS inner authentication. The MPPE attributes are clearly not needed,
> since Radiator will calculate the correct attributes for the final
> Access-Accept.
> 
> Try stripping those three attributes from the reply received from the MS
> server. Please tell us how it goes.
> 
> Thanks!
> Heikki
> 
> 
>> Thx,
>>
>> Amândio
>>
>> -----Original Message-----
>> From: Heikki Vatiainen [mailto:hvn at open.com.au]
>> Sent: Friday, 16 March 2012 12:54
>> To: Amândio Antunes Gomes Silva
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] eap + apple products - failed auth
>>
>> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
>>
>>> In fact, the Message-Authenticator attribute was in the last packet
>>
>> Ok thanks. Returning back to the list with this. There is information
>> about debugging EAP on Macs below, so this might be useful for later
>> reference too.
>>
>> I did testing with Lion (10.7). The test setup was to terminate TTLS on
>> one Radiator and proxy the inner MS-CHAP-V2 to another Radiator for
>> authentication.
>>
>> First setup returned no extra attributes from the authenticating Radiator:
>>
>> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
>> dump:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:
>> <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
>> Attributes:
>>         MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
>>
>>
>> Next try returned a number of different attributes, just like your setup
>> does:
>>
>> Attributes:
>>         MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
>>         Framed-IP-Address = 255.255.255.255
>>         Class = "funcionarios"
>>         Tunnel-Medium-Type = 0:802
>>         Tunnel-Private-Group-ID = 0:247
>>         Tunnel-Type = 0:VLAN
>>         MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
>>         MS-MPPE-Send-Key =
>> <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
>>         MS-CHAP2-Success =
>> "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
>>         MS-CHAP-Domain = "<231>UMINHO"
>>         MS-MPPE-Encryption-Policy = Encryption-Required
>>         MS-MPPE-Encryption-Types = 14
>>
>>
>> In both cases 10.7 had no problems with authentication.
>>
>> You could try turning debugging on with Mac. Here are some notes Google
>> found for 10.6. I did not test these since I did not have 10.6.
>>
>>
>> http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X
>>
>>
>> For 10.7 I turned eapolclient debugging on like this:
>>
>> Note: defaults command overwrites
>> /Library/Preferences/SystemConfiguration/com.apple.eapolclient
>>
>> sudo defaults write
>> /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
>> -int 255
>>
>> Then watch /var/log/system.log
>>
>> You should see: "eapolclient[nnnn]: opened log file
>> '/var/log/eapolclient.en1.log' where nnnn is eapolclient's process id
>> and en1 is the interface name.
>>
>> The log file will show how EAPOL works. It will not show details about
>> e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
>> and sent and what their contents are.
>>
>> Thanks!
>> Heikki
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
