[RADIATOR] EAP PEAP Authentication Failing

Johnson, Neil M neil-johnson at uiowa.edu
Tue Jun 25 10:45:59 CDT 2013


Last Thursday our Server support group uninstalled Symantec Anti-Virus, and installed Microsoft's System Center Endpoint Protection (SCEP) on one of our RADIUS servers.

Since then it has been failing to authenticate wireless users although it is processing accounting requests just fine.  Our server support team has done this successfully to our other RADIUS servers without issue.

Below is a snippet from the RADIATOR log. Looking at the logs from the wpa_supplicant that I use to test authentication, it appears there is an issue with the SSL handshake.

Thu Jun 20 17:52:57 2013 832787: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50692 ....
Code:       Access-Request
Identifier: 1
Authentic:  ~<9><158><24><11><174><221><245>+<179>R<134><21><229><215><179>
Attributes:
User-Name = "wlantest02 at uiowa.edu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Connect-Info = "CONNECT 11Mbps 802.11b"
Called-Station-Id = "eduroam"
EAP-Message = <2><0><0><25><1>wlantest02 at uiowa.edu
Message-Authenticator = <231>I<187>]<133>rE<31><6><166>5<180>r{<217><178>
OSC-Client-Identifier = "fromUIOWA"

Thu Jun 20 17:52:57 2013 834206: DEBUG: Handling request with Handler 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, Realm=/(uiowa\.edu$)/i ', Identifier ''
Thu Jun 20 17:52:57 2013 835136: DEBUG: PreProcessing Hook: called.
Thu Jun 20 17:52:57 2013 836104: DEBUG:  Deleting session for wlantest02 at uiowa.edu, 127.0.0.1,
Thu Jun 20 17:52:57 2013 836992: DEBUG: Handling with Radius::AuthLSA:
Thu Jun 20 17:52:57 2013 838004: DEBUG: Handling with EAP: code 2, 0, 25, 1
Thu Jun 20 17:52:57 2013 838878: DEBUG: Response type 1
Thu Jun 20 17:52:57 2013 840004: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 840856: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 841753: DEBUG: Access challenged for wlantest02 at uiowa.edu: EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 842660: DEBUG: PostProcessing Hook: called.
Thu Jun 20 17:52:57 2013 843929: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50692 ....
Code:       Access-Challenge
Identifier: 1
Authentic:  Yz*<168>7f<226><24>%!?<169>@s<149><247>
Attributes:
EAP-Message = <1><1><0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jun 20 17:52:57 2013 850606: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50692 ....
Code:       Access-Request
Identifier: 2
Authentic:  <227>A_<3><236><229>z<228><196><30>"<217>H/<195><206>
Attributes:
User-Name = "wlantest02 at uiowa.edu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Connect-Info = "CONNECT 11Mbps 802.11b"
Called-Station-Id = "eduroam"
EAP-Message = <2><1><0>z<25><128><0><0><0>p<22><3><1><0>k<1><0><0>g<3><1>Q<195><135><201><175><15><242><214>,'<127><21><231>1<1>@_<28>o<8>t<228><19><166>&<137><227><186><6><205>p<151><0><0>:<0>9<0>8<0><136><0><135><0>5<0><132><0><22><0><19><0><10><0>3<0>2<0><154><0><153><0>E<0>D<0>/<0><150><0>A<0><5><0><4><0><21><0><18><0><9><0><20><0><17><0><8><0><6><0><3><0><255><1><0><0><4><0>#<0><0>
Message-Authenticator = <201>T<4><5><249>KF<203><173>J<22>Q<235><200><12>,
OSC-Client-Identifier = "fromUIOWA"

Thu Jun 20 17:52:57 2013 851899: DEBUG: Handling request with Handler 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, Realm=/(uiowa\.edu$)/i ', Identifier ''
Thu Jun 20 17:52:57 2013 852780: DEBUG: PreProcessing Hook: called.
Thu Jun 20 17:52:57 2013 853720: DEBUG:  Deleting session for wlantest02 at uiowa.edu, 127.0.0.1,
Thu Jun 20 17:52:57 2013 854632: DEBUG: Handling with Radius::AuthLSA:
Thu Jun 20 17:52:57 2013 855579: DEBUG: Handling with EAP: code 2, 1, 122, 25
Thu Jun 20 17:52:57 2013 856417: DEBUG: Response type 25
Thu Jun 20 17:52:57 2013 857581: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jun 20 17:52:57 2013 858578: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 859798: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 860677: DEBUG: Access challenged for wlantest02 at uiowa.edu: EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 861545: DEBUG: PostProcessing Hook: called.
Thu Jun 20 17:52:57 2013 864311: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50692 ....
Code:       Access-Challenge
Identifier: 2
Authentic:  ?:<145><7><145><133>WP<180><141><182><161><232>O+<219>
Attributes:
EAP-Message = <1><2><5><130><25><192><0><0><15>!<22><3><1><0>J<2><0><0>F<3><1>Q<195><135><201><160><202><168><163><249><22><145><232>T<129><7><131>c<147><6><138>!b<240><186><246>9<213><138><179><161><217><197> <245><231><18>G<22>1t<133><222>%<251>0[<160><24>E<251>A<214><9>!<169><195><163><180>O<135><203><145><249><150>a<0>5<0><22><3><1><14><196><11><0><14><192><0><14><189><0><5><179>0<130><5><175>0<130><4><151><160><3><2><1><2><2><17><0><192>1<252><202><166><225>N<140>vY<9>c<243><202>f<195>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0Q1<11>0<9><6><3>U<4><6><19><2>US1<18>0<16><6><3>U<4><10><19><9>Internet21<17>0<15><6><3>U<4><11><19><8>InCommon1<27>0<25><6><3>U<4><3><19><18>InCommon Server CA0<30><23><13>110603000000Z<23><13>
EAP-Message = 140602235959Z0<130><1><26>1<11>0<9><6><3>U<4><6><19><2>US1<14>0<12><6><3>U<4><17><19><5>522421<11>0<9><6><3>U<4><8><19><2>IA1<18>0<16><6><3>U<4><7><19><9>Iowa City1<25>0<23><6><3>U<4><9><19><16>416-3 North Hall1<31>0<29><6><3>U<4><9><19><22>The University of Iowa1301<6><3>U<4><9><19>*ITS Telecommunication and Network Services1<27>0<25><6><3>U<4><10><19><18>University of Iowa1<19>0<17><6><3>U<4><11><19><10>ITS-TNS-NS1<20>0<18><6><3>U<4><11><19><11>
EAP-Message = PlatinumSSL1!0<31><6><3>U<4><3><19><24>net-auth-1.its.uiowa.edu0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><157>43z1<181>"<145><197>$<25><25><187>J<11><220><193><164><232>SD;<217><177>p<157>`#<201><223><219><179>6<150><216><26>B<13><217><188>B0<184>.<246><168><2><9><243>[d<138>4<21><155><222><1><235>=<232><138>R&<176><19>}<145><216><156><255>C<20><216>b<154><29>@<224>`<17>2z<220>\<165><168><4<2>$o<232><27><206><235><226>C<213>NmI at Q<138><233><218><22><234><241><23>9IQ<152>gM<132>81i<142><228><220><228><16><246><14>!<200>[q<160><239><130><178><254><8>T<177>tD<25><226>g<26><226>B<16><193><158>^}<217><211>5oA<8>7<132><161><15><153><14><232><28>]<133><179><130>n<194><129><16>
EAP-Message = u<186>-<203><175><187>U?<244>-M<156><229>kK<186><209><197><162><169><247><178><220><31>7<191><162>7<131><142>f<203><161>t<132><203>S<202><176><133><186>m"JV<159>Y{l)<235><178><200><11>w<176><185>k<249>*B<10><239><193><183>|<255><24>'<236><166><151><20><246><191><146><128>~<240><198><252>=<2><3><1><0><1><163><130><1><181>0<130><1><177>0<31><6><3>U<29>#<4><24>0<22><128><20>HOZ<250>/J<154>^<224>P<243>k{U<165><222><245><190>4]0<29><6><3>U<29><14><4><22><4><20>\<16><243><136><230><129>q<30><128><0>*<210>M<211><245><127>=Q<10><222>0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><160>0<12><6><3>U<29><19><1><1><255><4><2>0<0>0<29><6><3>U<29>%<4><22>0<20><6><8>+<6><1><5><5><7><3><1><6><8>+<6><1><5><5><7><3><2>0]<6><3>U<29> <4>V0T0R<6><12>+<6><1><4><1><174>#<1><4><3><1><1>0B0@<6><8>
EAP-Message = +<6><1><5><5><7><2><1><22>4https://www.incommon.org/cert/repository/cps_ssl.pdf0=<6><3>U<29><31><4>60402<160>0<160>.<134>,http://crl.incommon.org/InCommonServerCA.crl0o<6><8>+<6><1><5><5><7><1><1><4>c0a09<6><8>+<6><1><5><5><7>0<2><134>-http://cert.incommon.org/InCommonServerCA.crt0$<6><8>+<6><1><5><5><7>0<1><134><24>http://ocsp.incommon.org0#<6><3>U<29><17><4><28>0<26><130><24>ne
EAP-Message = t-auth-1.its.uiowa.edu0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><130><1><1><0><149><241> d<246>"<25><130><26>M<0><136><140><3>%<174><163><167>6<207><20><167><13><175><176><226>%(<178><182><140>Xp<173>\J<141><240><162>2i<175><242>8<152><133><139>Oy;<244><225><<145><2><189><255><182><229><215><223>Q<24><18><139>l<225>#<167><162><225><237><177><202>1<166><199>X:,|<184><137>=<236>R<237><195>-L<139><180><200><184>7<139><201>(<149><239><240><195><189>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

--- Then that's the last I hear until the client tries again…

Here is a snippet from wpa_supplicant log:

CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Using PEAP version 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 112 bytes pending from ssl_out
SSL: 112 bytes left to be sent out (of total 112 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp

The client goes on to send a response back to the server but never receives anything back.

I don't think there is an issue with RADIATOR, but I'm looking for information to feed back to our Server Support Team on the cause.
(They did try backing out their changes, but it didn't fix things).

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-johnson at uiowa.edu
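An added example for reading the dumps above; it is not part of Neil's post and not Radiator's own code. Radiator prints every non-printable byte of an attribute as <N> in decimal, so the EAP-Message values can be turned back into bytes and the EAP-TLS/PEAP fragment flags (RFC 5216 section 3.1, reused by PEAP) read off them. Doing that shows the ClientHello request is 122 bytes carrying a 112-byte TLS record (the "112 bytes pending" in the wpa_supplicant log), the Access-Challenge after it is the first fragment (L and M flags set) of a 3873-byte ServerHello/Certificate flight, and the only valid next packet from the client is a 6-byte PEAP ACK with identifier 2. The "EAP TLS SSL_accept result: -1, 2" line is OpenSSL's SSL_ERROR_WANT_READ, the normal state while the server waits for that ACK, so the thing to establish is whether an Access-Request carrying it ever appears in the Radiator trace. Assumptions: the sample lines are copied from the dump with the archive's " at " restored to "@" and the trailing space (the 0x20 Start flag, printed as a literal space) restored to the PEAP Start request; CHALLENGE_HEAD is only the first ten bytes of the cut-off challenge line; SERVER_FLIGHT is constructed filler of the declared length, since the real fragment bytes are not on the page in full; the function names are mine.

```python
"""Decode Radiator packet-dump EAP-Message values and check EAP-TLS/PEAP fragment state (RFC 5216 s3.1 flags)."""
import re
import struct

# Radiator prints printable bytes literally and every other byte as <N> (decimal).
# A literal '<' is printed as-is, so only well-formed <digits> tokens are converted.
_TOKEN = re.compile(r"<(\d{1,3})>")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
FLAG_LENGTH, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20

def decode_dump(line: str) -> bytes:
    """Bytes of one dumped 'EAP-Message = ...' line. A packet split over several
    EAP-Message attributes is the concatenation of the decoded lines, in order."""
    value = line.split(" = ", 1)[-1]
    out, pos = bytearray(), 0
    for m in _TOKEN.finditer(value):
        if int(m.group(1)) > 255:      # not a byte token; keep it as text
            continue
        out += value[pos:m.start()].encode("latin-1") + bytes([int(m.group(1))])
        pos = m.end()
    return bytes(out + value[pos:].encode("latin-1"))

def parse_eap(data: bytes, truncated: bool = False) -> dict:
    """EAP header plus, for TLS-based methods, the fragment flags; truncated=True skips the length check."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not truncated and length != len(data):
        raise ValueError(f"EAP length field says {length}, {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(data) < 5:
        return info
    eap_type, body = data[4], data[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        info["identity"] = body.decode("latin-1")
    elif eap_type in (13, 21, 25) and body:
        flags = body[0]
        off = 5 if flags & FLAG_LENGTH else 1          # 4-byte total length follows the flags when L is set
        payload = body[off:]
        info.update(flags=flags, version=flags & 0x07, start=bool(flags & FLAG_START),
                    more_fragments=bool(flags & FLAG_MORE), tls_bytes_in_fragment=len(payload),
                    tls_total_length=struct.unpack("!I", body[1:5])[0] if off == 5 else None,
                    ack=(flags & 0xE0) == 0 and not payload)  # empty and flagless = fragment ACK
        if len(payload) >= 6 and payload[0] == 22:            # leading TLS handshake record
            info["first_record"] = {"version": (payload[1], payload[2]),
                                    "length": struct.unpack("!H", payload[3:5])[0],
                                    "handshake_type": payload[5]}
    return info

def ack_for(request: bytes) -> bytes:
    """The empty 6-byte EAP-Response a peer owes after a fragment with More set."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    if code != 1 or request[4] not in (13, 21, 25):
        raise ValueError("not a TLS-based EAP-Request")
    return struct.pack("!BBHBB", 2, ident, 6, request[4], 0)

def fragment_tls(tls_blob: bytes, first_id: int, max_payload: int, eap_type: int = 25):
    """Server side: the first fragment carries L and the total length, all but the last carry M."""
    reqs, off, ident = [], 0, first_id
    while off < len(tls_blob):
        chunk = tls_blob[off:off + max_payload]
        off += len(chunk)
        flags = (FLAG_LENGTH if not reqs else 0) | (FLAG_MORE if off < len(tls_blob) else 0)
        hdr = bytes([eap_type, flags]) + (struct.pack("!I", len(tls_blob)) if flags & FLAG_LENGTH else b"")
        reqs.append(struct.pack("!BBH", 1, ident, 4 + len(hdr) + len(chunk)) + hdr + chunk)
        ident = (ident + 1) & 0xFF
    return reqs

def reassemble(requests):
    """Peer side: collect the fragments and the ACKs owed; return (TLS bytes, ACK packets)."""
    acks, buf, total = [], bytearray(), None
    for req in requests:
        info = parse_eap(req)
        total = total if info["tls_total_length"] is None else info["tls_total_length"]
        buf += req[10 if info["flags"] & FLAG_LENGTH else 6:]
        if info["more_fragments"]: acks.append(ack_for(req))
    if total is not None and len(buf) != total:
        raise ValueError(f"reassembled {len(buf)} bytes but the header promised {total}")
    return bytes(buf), acks

# Sample input copied from the dump in the post: "@" restored where the archive printed " at ",
# and the trailing space (0x20 = Start flag) restored on the PEAP Start request.
IDENTITY_RESPONSE = "EAP-Message = <2><0><0><25><1>wlantest02@uiowa.edu"
PEAP_START = "EAP-Message = <1><1><0><6><25>" + " "
CLIENT_HELLO = ("EAP-Message = <2><1><0>z<25><128><0><0><0>p<22><3><1><0>k<1><0><0>g<3><1>Q<195>"
                "<135><201><175><15><242><214>,'<127><21><231>1<1>@_<28>o<8>t<228><19><166>&<137><227><186>"
                "<6><205>p<151><0><0>:<0>9<0>8<0><136><0><135><0>5<0><132><0><22><0><19><0><10><0>3<0>2"
                "<0><154><0><153><0>E<0>D<0>/<0><150><0>A<0><5><0><4><0><21><0><18><0><9><0><20><0><17>"
                "<0><8><0><6><0><3><0><255><1><0><0><4><0>#<0><0>")
CHALLENGE_HEAD = "EAP-Message = <1><2><5><130><25><192><0><0><15>!"   # first ten bytes of the cut-off line
# Constructed filler standing in for the ServerHello/Certificate flight, sized to the 3873 bytes CHALLENGE_HEAD declares.
SERVER_FLIGHT = bytes(range(256)) * 15 + bytes(range(33))

if __name__ == "__main__":
    for line in (IDENTITY_RESPONSE, PEAP_START, CLIENT_HELLO, CHALLENGE_HEAD):
        print(parse_eap(decode_dump(line), truncated=line == CHALLENGE_HEAD))
    print("client must send:", ack_for(decode_dump(CHALLENGE_HEAD)).hex(),
          "| reassembled", len(reassemble(fragment_tls(SERVER_FLIGHT, 2, 1400))[0]), "bytes")
```

Run it directly to print the decoded packets and the ACK the client owes (02 02 00 06 19 00); fragment_tls and reassemble replay the server/peer side of the exchange on the constructed flight so the flag and ACK logic is exercised end to end.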
