[RADIATOR] EAP-TTLS authentication problem
Sami Keski-Kasari
samikk at open.com.au
Wed Dec 10 07:03:03 CST 2014
Hello,
Do you have User-Password check attribute defined for bengi at employee in
%D/users-eap?
Access-Accept should include MS-CHAP2-Success attribute that contains
server response to the client. If there is not password check attribute
defined, Radiator can't calculate the response.
You can also remove AddToReply parameters as they are not needed in
response.
Best Regards,
Sami
On 12/10/2014 01:17 PM, Bengi Sağlam wrote:
> Hi all,
>
> I have been trying to authenticate my users using EAP-TTLS as outer and
> MSCHAP-V2 as inner authentication. My handlers as following in the
> configuration file:
>
>
> <Handler TunnelledByTTLS=1>
> <AuthBy FILE>
> Filename %D/users-eap
> # This tells the TTLS client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> AddToReply
> User-Name=%{User-Name},MS-CHAP-Challenge=%{MS-CHAP-Challenge},MS-CHAP2-Response=%{MS-CHAP2-Response}
> </AuthBy>
> </Handler>
>
> <Handler Realm=employee>
> <AuthBy FILE>
> Filename %D/users-eap
> EAPType TTLS
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_MaxFragmentSize 1000
> EAPTTLS_NoAckRequired
> AutoMPPEKeys
> </AuthBy>
> </Handler>
>
>
> I connect with my device to the SSID (the AP is an Aruba), and I'm asked
> to enter a username and a password. I enter a correct username and
> password, and then I see the certificate of the authentication server
> (the demo certificate from the goodies). After accepting the certificate
> in the device, I get the message "Wrong username or password". However,
> in the log it can be seen an "Access-Accept" for that User-Name as
> following:
>
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Access accepted for bengi at employee
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Returned TTLS tunnelled Diameter
> Packet dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
> Attributes:
> User-Name = "bengi at employee"
> MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
> MS-CHAP2-Response =
> Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
>
>
> Part of the log regarding to these handlers:
>
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Packet dump:
>
> *** Received from 217.124.187.81 port 49159 ....
> Packet length = 232
> 01 ec 00 e8 3a da 51 af d9 aa 99 02 4b 23 b1 8b
> e7 67 3b 50 01 10 62 65 6e 67 69 40 65 6d 70 6c
> 6f 79 65 65 04 06 c0 a8 58 f1 05 06 00 00 00 00
> 20 13 39 43 2d 31 43 2d 31 32 2d 43 45 2d 34 31
> 2d 43 43 3d 06 00 00 00 13 1f 13 37 30 3a 33 45
> 3a 41 43 3a 30 39 3a 35 41 3a 31 31 1e 13 39 43
> 3a 31 43 3a 31 32 3a 43 45 3a 34 31 3a 43 43 06
> 06 00 00 00 01 0c 06 00 00 04 4c 4f 15 02 01 00
> 13 01 62 65 6e 67 69 40 65 6d 70 6c 6f 79 65 65
> 1a 15 00 00 39 e7 05 0f 45 6d 70 6c 6f 79 65 65
> 42 65 6e 67 69 1a 19 00 00 39 e7 06 13 39 63 3a
> 31 63 3a 31 32 3a 63 65 3a 34 31 3a 63 63 1a 18
> 00 00 39 e7 0a 12 69 6e 73 74 61 6e 74 2d 43 45
> 3a 34 31 3a 43 43 50 12 c5 30 bf 8e 1c ec 68 2d
> af 8c 28 e7 85 09 37 c4
> Code: Access-Request
> Identifier: 236
> Authentic: :<218>Q<175><217><170><153><2>K#<177><139><231>g;P
> Attributes:
> User-Name = "bengi at employee"
> NAS-IP-Address = 192.168.88.241
> NAS-Port = 0
> NAS-Identifier = "9C-1C-12-CE-41-CC"
> NAS-Port-Type = Wireless-IEEE-802-11
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = <2><1><0><19><1>bengi at employee
> Aruba-Essid-Name = "EmployeeBengi"
> Aruba-Location-Id = "9c:1c:12:ce:41:cc"
> Aruba-AP-Group = "instant-CE:41:CC"
> Message-Authenticator =
> <197>0<191><142><28><236>h-<175><140>(<231><133><9>7<196>
> Called-Station-Id = "9C-1C-12-CE-41-CC"
> Calling-Station-Id = "70_3E_AC_09_5A_11"
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling request with
> Handler 'Realm=employee', Identifier ''
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Normal Deleting session
> for bengi at employee, 192.168.88.241, 0
> Tue Dec 9 09:38:13 2014 000000: DEBUG: do query to
> 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling with
> Radius::AuthFILE:
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling with EAP: code
> 2, 1, 19, 1
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Response type 1
> Tue Dec 9 09:38:13 2014 000000: DEBUG: EAP result: 3, EAP TTLS
> Challenge
> Tue Dec 9 09:38:13 2014 000000: DEBUG: AuthBy FILE result:
> CHALLENGE, EAP TTLS Challenge
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Access challenged for
> bengi at employee: EAP TTLS Challenge
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Packet dump:
> *** Sending to 217.124.187.81 port 49159 ....
> Packet length = 46
> 0b ec 00 2e 11 8a 1f 2d d8 bf 43 9e fa a4 65 32
> 52 2e 71 2e 4f 08 01 02 00 06 15 20 50 12 ca 56
> cb 01 02 57 fb 6a 17 3b f4 72 b9 1e 6b 77
> Code: Access-Challenge
> Identifier: 236
> Authentic: <17><138><31>-<216><191>C<158><250><164>e2R.q.
> Attributes:
> EAP-Message = <1><2><0><6><21>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Packet dump
>
> ....
> ....
> ....
>
> *** Received from 217.124.187.81 port 49159 ....
> Packet length = 372
> 01 f0 01 74 7c 63 ac b2 a9 c6 0a 59 5f ed 09 d2
> 9d 9e d9 fb 01 10 62 65 6e 67 69 40 65 6d 70 6c
> 6f 79 65 65 04 06 c0 a8 58 f1 05 06 00 00 00 00
> 20 13 39 43 2d 31 43 2d 31 32 2d 43 45 2d 34 31
> 2d 43 43 3d 06 00 00 00 13 1f 13 37 30 3a 33 45
> 3a 41 43 3a 30 39 3a 35 41 3a 31 31 1e 13 39 43
> 3a 31 43 3a 31 32 3a 43 45 3a 34 31 3a 43 43 06
> 06 00 00 00 01 0c 06 00 00 04 4c 4f a1 02 05 00
> 9f 15 80 00 00 00 95 17 03 01 00 90 5e e2 2d ca
> b1 e7 e8 3a 40 8d ed bc 83 fe be de 70 e6 1b b2
> 63 f5 50 40 db 2a 61 55 e9 a1 69 12 ed 50 45 7e
> 50 62 aa b4 bc 60 77 c5 8b a5 fb 74 7a 0e 7b 43
> a1 eb 81 6b fb bc 57 0e ff 3c 0b b6 6a a2 36 2d
> 84 c8 84 b6 bb fb 6f 35 20 44 64 29 96 6a 54 6f
> 72 78 1e 3f 3c 26 57 57 4b d7 b2 7b 06 31 61 5d
> b1 ce 95 14 7d 72 06 03 f0 45 76 31 ac 3f 20 14
> 2d ed 3f aa a0 8e 86 33 09 c6 93 47 14 32 68 5a
> 92 8b d3 ea 34 97 45 1c 66 d8 df a5 1a 15 00 00
> 39 e7 05 0f 45 6d 70 6c 6f 79 65 65 42 65 6e 67
> 69 1a 19 00 00 39 e7 06 13 39 63 3a 31 63 3a 31
> 32 3a 63 65 3a 34 31 3a 63 63 1a 18 00 00 39 e7
> 0a 12 69 6e 73 74 61 6e 74 2d 43 45 3a 34 31 3a
> 43 43 50 12 97 6b fe f0 32 58 33 d6 75 12 7c c0
> 51 ae 74 18
> Code: Access-Request
> Identifier: 240
> Authentic:
> |c<172><178><169><198><10>Y_<237><9><210><157><158><217><251>
> Attributes:
> User-Name = "bengi at employee"
> NAS-IP-Address = 192.168.88.241
> NAS-Port = 0
> NAS-Identifier = "9C-1C-12-CE-41-CC"
> NAS-Port-Type = Wireless-IEEE-802-11
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> <2><5><0><159><21><128><0><0><0><149><23><3><1><0><144>^<226>-<202><177><231><232>:@<141><237><188><131><254><190><222>p<230><27><178>c<245>P@<219>*aU<233><161>i<18><237>PE~Pb<170><180><188>`w<197><139><165><251>tz<14>{C<161><235><129>k<251><188>W<14><255><<11><182>j<162>6-<132><200><132><182><187><251>o5
> Dd)<150>jTorx<30>?<&WWK<215><178>{<6>1a]<177><206><149><20>}r<6><3><240>Ev1<172>?
> <20>-<237>?<170><160><142><134>3<9><198><147>G<20>2hZ<146><139><211><234>4<151>E<28>f<216><223><165>
> Aruba-Essid-Name = "EmployeeBengi"
> Aruba-Location-Id = "9c:1c:12:ce:41:cc"
> Aruba-AP-Group = "instant-CE:41:CC"
> Message-Authenticator =
> <151>k<254><240>2X3<214>u<18>|<192>Q<174>t<24>
> Called-Station-Id = "9C-1C-12-CE-41-CC"
> Calling-Station-Id = "70_3E_AC_09_5A_11"
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling request with
> Handler 'Realm=employee', Identifier ''
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Normal Deleting session
> for bengi at employee, 192.168.88.241, 0
> Tue Dec 9 09:38:13 2014 000000: DEBUG: do query to
> 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling with
> Radius::AuthFILE:
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling with EAP: code
> 2, 5, 159, 21
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Response type 21
> Tue Dec 9 09:38:13 2014 000000: DEBUG: EAP TTLS data, 3, 5, 4
> Tue Dec 9 09:38:13 2014 000000: DEBUG: EAP TTLS inner
> authentication request for bengi at employee
> Tue Dec 9 09:38:13 2014 000000: DEBUG: TTLS Tunnelled Diameter
> Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
> Attributes:
> User-Name = "bengi at employee"
> MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
> MS-CHAP2-Response =
> Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling request with
> Handler 'TunnelledByTTLS=1', Identifier ''
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Normal Deleting session
> for bengi at employee, 192.168.88.241,
> Tue Dec 9 09:38:13 2014 000000: DEBUG: do query to
> 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Handling with
> Radius::AuthFILE:
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Reading users file
> /usr/local/etc/radiator/bengi/databases/users-eap
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Radius::AuthFILE looks
> for match with bengi at employee [bengi at employee]
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Radius::AuthFILE ACCEPT:
> : bengi at employee [bengi at employee]
> Tue Dec 9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Access accepted for
> bengi at employee
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Returned TTLS tunnelled
> Diameter Packet dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
> Attributes:
> User-Name = "bengi at employee"
> MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
> MS-CHAP2-Response =
> Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
> Tue Dec 9 09:38:13 2014 000000: DEBUG: EAP result: 3, EAP TTLS
> inner authentication redispatched to a Handler
> Tue Dec 9 09:38:13 2014 000000: DEBUG: AuthBy FILE result:
> CHALLENGE, EAP TTLS inner authentication redispatched to a Handler
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Access challenged for
> bengi at employee: EAP TTLS inner authentication redispatched to a
> Handler
> Tue Dec 9 09:38:13 2014 000000: DEBUG: Packet dump:
> *** Sending to 217.124.187.81 port 49159 ....
> Packet length = 199
> 0b f0 00 c7 e4 a4 2d 1f b5 f7 05 82 01 7f ef 4c
> 08 77 26 52 4f a1 01 06 00 9f 15 80 00 00 00 95
> 17 03 01 00 90 3b 61 06 45 54 11 24 e2 ed 1a 59
> a4 b2 19 a5 75 1b 1a 3e 3f 51 02 62 9a 2a 12 40
> da 51 ee 1a 62 51 39 42 20 cd 31 78 07 48 48 11
> ea 23 a5 9c 41 98 9c 27 1c 9e 2e 7f b5 19 00 72
> 99 83 2f 94 f4 1d 3d c6 7c cf 71 e1 85 e0 a8 1d
> b4 97 b2 95 6b fe 8c 4f d0 74 36 e1 23 d8 24 d2
> 99 af 97 3b 30 80 b6 44 22 75 21 1b 0d a8 7f 54
> a2 c5 99 60 3b 17 8e 97 64 a2 e2 60 5d 6d 09 44
> ce b4 81 3e 61 e4 8e 25 c1 4e 9b 46 0d 84 04 a7
> de a2 ef 9d 5d 50 12 86 04 b8 4e 35 6c ec 7a e7
> 7a fb 5e ec 8d 63 f8
> Code: Access-Challenge
> Identifier: 240
> Authentic: <228><164>-<31><181><247><5><130><1><127><239>L<8>w&R
> Attributes:
> EAP-Message =
> <1><6><0><159><21><128><0><0><0><149><23><3><1><0><144>;a<6>ET<17>$<226><237><26>Y<164><178><25><165>u<27><26>>?Q<2>b<154>*<18>@<218>Q<238><26>bQ9B
> <205>1x<7>HH<17><234>#<165><156>A<152><156>'<28><158>.<127><181><25><0>r<153><131>/<148><244><29>=<198>|<207>q<225><133><224><168><29><180><151><178><149>k<254><140>O<208>t6<225>#<216>$<210><153><175><151>;0<128><182>D"u!<27><13><168><127>T<162><197><153>`;<23><142><151>d<162><226>`]m<9>D<206><180><129>>a<228><142>%<193>N<155>F<13><132><4><167><222><162><239><157>]
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
>
> I was wondering if someone can suggest a solution for this case.
>
> Best regards,
> Bengi Saglam
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
Sami Keski-Kasari <samikk at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list