[RADIATOR] EAP-TTLS authentication problem

Amândio Antunes Gomes Silva amandio at scom.uminho.pt
Thu Dec 11 03:32:11 CST 2014


Hi Bengi.

Maybe you have to remove the realm from the User-Name by rewriting it (if, of course, in your users file the realm isn't registered as part of the username).

Best regards,

Regards,

Amândio Antunes Gomes da Silva

-----------------------------------------------------------------------------------------------------------------------------------
Serviços de Comunicações da Universidade do Minho
Campus de Gualtar, 4710-057 Braga - Portugal
Tel.: +351 253 60 40 20, Fax: +351 253 60 40 21
email: amandio at scom.uminho.pt | http://www.scom.uminho.pt
-----------------------------------------------------------------------------------------------------------------------------------
This email is confidential. If you are not the intended recipient,
you must not disclose or use the information contained in it.
If you have received this mail in error, please tell us immediately
by return email and delete the document.
--
This email is confidential. If you are not its intended recipient,
you must neither disclose nor use its contents.
If you have received this message in error, please inform us
immediately by replying to and deleting this email.

Amândio

 

From: Bengi Sağlam [mailto:bengi at socialandbeyond.com]
Sent: Wednesday, 10 December 2014 11:18
To: radiator at open.com.au
Subject: [RADIATOR] EAP-TTLS authentication problem

 

Hi all,

I have been trying to authenticate my users using EAP-TTLS as the outer and MSCHAP-V2 as the inner authentication. My handlers are as follows in the configuration file:



<Handler TunnelledByTTLS=1>
    <AuthBy FILE>
        Filename %D/users-eap
        # This tells the TTLS client what types of inner EAP requests
        # we will honour
        EAPType MSCHAP-V2
        AddToReply User-Name=%{User-Name},MS-CHAP-Challenge=%{MS-CHAP-Challenge},MS-CHAP2-Response=%{MS-CHAP2-Response}
    </AuthBy>
</Handler>

<Handler Realm=employee>
    <AuthBy FILE>
        Filename %D/users-eap
        EAPType TTLS
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_MaxFragmentSize 1000
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
    </AuthBy>
</Handler>



I connect with my device to the SSID (the AP is an Aruba), and I'm asked to enter a username and a password. I enter a correct username and password, and then I see the certificate of the authentication server (the demo certificate from the goodies). After accepting the certificate on the device, I get the message "Wrong username or password". However, in the log an "Access-Accept" can be seen for that User-Name, as follows:

Tue Dec  9 09:38:13 2014 000000: DEBUG: Access accepted for bengi at employee
Tue Dec  9 09:38:13 2014 000000: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
Attributes:
User-Name = "bengi at employee"
MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
MS-CHAP2-Response = Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>

 

 

Part of the log regarding these handlers:

 

Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump:

*** Received from 217.124.187.81 port 49159 ....
Packet length = 232
Code:       Access-Request
Identifier: 236
Authentic:  :<218>Q<175><217><170><153><2>K#<177><139><231>g;P
Attributes:
User-Name = "bengi at employee"
NAS-IP-Address = 192.168.88.241
NAS-Port = 0
NAS-Identifier = "9C-1C-12-CE-41-CC"
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = <2><1><0><19><1>bengi at employee
Aruba-Essid-Name = "EmployeeBengi"
Aruba-Location-Id = "9c:1c:12:ce:41:cc"
Aruba-AP-Group = "instant-CE:41:CC"
Message-Authenticator = <197>0<191><142><28><236>h-<175><140>(<231><133><9>7<196>
Called-Station-Id = "9C-1C-12-CE-41-CC"
Calling-Station-Id = "70_3E_AC_09_5A_11"
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling request with Handler 'Realm=employee', Identifier ''
Tue Dec  9 09:38:13 2014 000000: DEBUG: Normal Deleting session for bengi at employee, 192.168.88.241, 0
Tue Dec  9 09:38:13 2014 000000: DEBUG: do query to 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'': 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with Radius::AuthFILE: 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with EAP: code 2, 1, 19, 1
Tue Dec  9 09:38:13 2014 000000: DEBUG: Response type 1
Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP result: 3, EAP TTLS Challenge
Tue Dec  9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
Tue Dec  9 09:38:13 2014 000000: DEBUG: Access challenged for bengi at employee: EAP TTLS Challenge
Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump:
*** Sending to 217.124.187.81 port 49159 ....
Packet length = 46
0b ec 00 2e 11 8a 1f 2d d8 bf 43 9e fa a4 65 32
52 2e 71 2e 4f 08 01 02 00 06 15 20 50 12 ca 56
cb 01 02 57 fb 6a 17 3b f4 72 b9 1e 6b 77
Code:       Access-Challenge
Identifier: 236
Authentic:  <17><138><31>-<216><191>C<158><250><164>e2R.q.
Attributes:
EAP-Message = <1><2><0><6><21> 
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump
....
....
....

*** Received from 217.124.187.81 port 49159 ....
Packet length = 372
Code:       Access-Request
Identifier: 240
Authentic:  |c<172><178><169><198><10>Y_<237><9><210><157><158><217><251>
Attributes:
User-Name = "bengi at employee"
NAS-IP-Address = 192.168.88.241
NAS-Port = 0
NAS-Identifier = "9C-1C-12-CE-41-CC"
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = <2><5><0><159><21><128><0><0><0><149><23><3><1><0><144>^<226>-<202><177><231><232>:@<141><237><188><131><254><190><222>p<230><27><178>c<245>P@<219>*aU<233><161>i<18><237>PE~Pb<170><180><188>`w<197><139><165><251>tz<14>{C<161><235><129>k<251><188>W<14><255><<11><182>j<162>6-<132><200><132><182><187><251>o5 Dd)<150>jTorx<30>?<&WWK<215><178>{<6>1a]<177><206><149><20>}r<6><3><240>Ev1<172>? <20>-<237>?<170><160><142><134>3<9><198><147>G<20>2hZ<146><139><211><234>4<151>E<28>f<216><223><165>
Aruba-Essid-Name = "EmployeeBengi"
Aruba-Location-Id = "9c:1c:12:ce:41:cc"
Aruba-AP-Group = "instant-CE:41:CC"
Message-Authenticator = <151>k<254><240>2X3<214>u<18>|<192>Q<174>t<24>
Called-Station-Id = "9C-1C-12-CE-41-CC"
Calling-Station-Id = "70_3E_AC_09_5A_11"
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling request with Handler 'Realm=employee', Identifier ''
Tue Dec  9 09:38:13 2014 000000: DEBUG: Normal Deleting session for bengi at employee, 192.168.88.241, 0
Tue Dec  9 09:38:13 2014 000000: DEBUG: do query to 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'': 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with Radius::AuthFILE: 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with EAP: code 2, 5, 159, 21
Tue Dec  9 09:38:13 2014 000000: DEBUG: Response type 21
Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP TTLS data, 3, 5, 4
Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP TTLS inner authentication request for bengi at employee
Tue Dec  9 09:38:13 2014 000000: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
Attributes:
User-Name = "bengi at employee"
MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
MS-CHAP2-Response = Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling request with Handler 'TunnelledByTTLS=1', Identifier ''
Tue Dec  9 09:38:13 2014 000000: DEBUG: Normal Deleting session for bengi at employee, 192.168.88.241, 
Tue Dec  9 09:38:13 2014 000000: DEBUG: do query to 'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'': 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Handling with Radius::AuthFILE: 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Reading users file /usr/local/etc/radiator/bengi/databases/users-eap
Tue Dec  9 09:38:13 2014 000000: DEBUG: Radius::AuthFILE looks for match with bengi at employee [bengi at employee]
Tue Dec  9 09:38:13 2014 000000: DEBUG: Radius::AuthFILE ACCEPT: : bengi at employee [bengi at employee]
Tue Dec  9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: ACCEPT, 
Tue Dec  9 09:38:13 2014 000000: DEBUG: Access accepted for bengi at employee
Tue Dec  9 09:38:13 2014 000000: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  y<178><201>"<128><133><Z<142><212><150>k<176><238>1<174>
Attributes:
User-Name = "bengi at employee"
MS-CHAP-Challenge = <198><213>TZ0L<206>Z<223>.jK%<236><234><24>
MS-CHAP2-Response = Q<0><15><127>><249>4+<212><16>k<141>vl<212><162><140><178><0><0><0><0><0><0><0><0><247><141><232>gt<8><214><187>4<151>e<174>{<182><191><236>R<228><141>3<188><154>z<159>
Tue Dec  9 09:38:13 2014 000000: DEBUG: EAP result: 3, EAP TTLS inner authentication redispatched to a Handler
Tue Dec  9 09:38:13 2014 000000: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS inner authentication redispatched to a Handler
Tue Dec  9 09:38:13 2014 000000: DEBUG: Access challenged for bengi at employee: EAP TTLS inner authentication redispatched to a Handler
Tue Dec  9 09:38:13 2014 000000: DEBUG: Packet dump:
*** Sending to 217.124.187.81 port 49159 ....
Packet length = 199
Code:       Access-Challenge
Identifier: 240
Authentic:  <228><164>-<31><181><247><5><130><1><127><239>L<8>w&R
Attributes:
EAP-Message = <1><6><0><159><21><128><0><0><0><149><23><3><1><0><144>;a<6>ET<17>$<226><237><26>Y<164><178><25><165>u<27><26>>?Q<2>b<154>*<18>@<218>Q<238><26>bQ9B <205>1x<7>HH<17><234>#<165><156>A<152><156>'<28><158>.<127><181><25><0>r<153><131>/<148><244><29>=<198>|<207>q<225><133><224><168><29><180><151><178><149>k<254><140>O<208>t6<225>#<216>$<210><153><175><151>;0<128><182>D"u!<27><13><168><127>T<162><197><153>`;<23><142><151>d<162><226>`]m<9>D<206><180><129>>a<228><142>%<193>N<155>F<13><132><4><167><222><162><239><157>]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

I was wondering if someone can suggest a solution for this case.

Best regards,
Bengi Saglam
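To make the packet dumps in the log above readable, here is an added decoder (my own example, not Radiator code and not from either message) that parses the 46-byte Access-Challenge from the log into its RADIUS header, its attributes and the EAP-TTLS header inside EAP-Message. It shows that the logged "EAP-Message = <1><2><0><6><21> " is an EAP Request, id 2, length 6, type 21 (TTLS), and that its trailing space is the flags byte 0x20, the TTLS Start bit.

```python
import struct

# RADIUS codes and the attribute types that appear in the log above (RFC 2865, RFC 3579).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 79: "EAP-Message", 80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 21: "TTLS", 26: "MSCHAP-V2"}

# The 46-byte Access-Challenge exactly as Radiator dumped it in the log above.
ACCESS_CHALLENGE_HEX = """
0b ec 00 2e 11 8a 1f 2d d8 bf 43 9e fa a4 65 32
52 2e 71 2e 4f 08 01 02 00 06 15 20 50 12 ca 56
cb 01 02 57 fb 6a 17 3b f4 72 b9 1e 6b 77
"""

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # RFC 2865: malformed attribute, discard the packet
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((ATTR_NAMES.get(atype, atype), packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "identifier": ident,
            "authenticator": packet[4:20], "attributes": attrs}

def parse_eap(msg: bytes) -> dict:
    """Decode the EAP header inside EAP-Message, plus the EAP-TTLS flags byte (RFC 5281) if present."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    out = {"code": EAP_CODES.get(code, code), "identifier": ident, "length": length}
    if code in (1, 2) and length >= 5:                 # only Request/Response carry a Type byte
        out["type"] = EAP_TYPES.get(msg[4], msg[4])
        if msg[4] == 21 and length >= 6:               # TTLS flags byte: L M S R R V V V
            flags = msg[5]
            out["ttls_flags"] = {"length_included": bool(flags & 0x80), "more": bool(flags & 0x40),
                                 "start": bool(flags & 0x20), "version": flags & 0x07}
    return out

def decode_challenge(hexdump: str = ACCESS_CHALLENGE_HEX) -> dict:
    """Parse the logged packet and reassemble its EAP-Message attribute(s) into one EAP packet."""
    radius = parse_radius(bytes.fromhex("".join(hexdump.split())))
    eap = b"".join(v for t, v in radius["attributes"] if t == "EAP-Message")  # RFC 3579 section 3.1
    radius["eap"] = parse_eap(eap) if eap else None
    return radius
```

The same parse_radius/parse_eap pair reads the other Access-Request and Access-Challenge dumps in the log; only the hex input changes.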
