[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

Christian Kratzer ck-lists at cksoft.de
Tue Jun 9 04:44:28 CDT 2015


Hi,

we are having an issue with authenticating TTLS when the supplicant uses
plain MSCHAPv2 instead of EAP-MSCHAPv2

1. Testing with eapol_test and the following config in eapol_test:
-------------------------------------------------------------

     eap=TTLS
     phase2="auth=MSCHAPV2"

produces the following request when the request is reinjected into the inner handler:

     Code:       Access-Request
     Identifier: UNDEF
     Authentic:  <238>g<236>Z<18>2<187>dmM$<242><223><30><209>4
     Attributes:
         User-Name = "xxxxxxxx"
         MS-CHAP-Challenge = <25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>
         MS-CHAP2-Response = ^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0><214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>

This fails to provide a challenge.

     Tue Jun  9 09:32:25 2015 986798: DEBUG: Radius::AuthSQL looks for match with XXXXX [XXXXX]
     Tue Jun  9 09:32:25 2015 987631: DEBUG: Radius::AuthSQL ACCEPT: : XXXXX [XXXXX]

And subsequently fails.

2. Testing with eapol_test and the following config in eapol_test:
-------------------------------------------------------------

     eap=TTLS
     phase2="autheap=MSCHAPV2"

produces the following request when the request is reinjected into the inner handler:

     Code:       Access-Request
     Identifier: UNDEF
     Authentic:  <137>'H<220><247><247><152>z<186><145><230><133>i<216>?<227>
     Attributes:
         EAP-Message = <2><1><0>B<26><2><1><0>=1<3>A2<127><165><224>7<193><148><163>s<223><251><182><146><231><0><0><0><0><0><0><0><0>C<194><27>vv1<20><29>]h$/<149><17><159><202>I<6><128><204><246>"<186><189><0>radperf
         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
         User-Name = "anonymous"

Here we get a challenge:

     Tue Jun  9 10:57:58 2015 642003: DEBUG: Radius::AuthSQL ACCEPT: : xxxxxx [anonymous]
     Tue Jun  9 10:57:58 2015 642696: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success

Any tips on where to start searching?  We will try next to see if we can successfully authenticate TTLS/PAP in order to rule out any challenge issues.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
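
The two inner encapsulations shown in the post, decoded side by side, as an added example (this is not Radiator code and not part of the original message). It reconstructs raw bytes from Radiator's debug notation, assuming that notation prints printable ASCII verbatim and every other byte as <decimal>, then parses the MS-CHAP2-Response attribute (RFC 2548, 50 bytes) and the EAP-MSCHAPv2 Response packet (EAP Type 26, OpCode 2) into the same MSCHAPv2 fields. The attribute values are copied from the debug output above; the function and dictionary names are the example's own. One thing the parse makes visible: with plain MSCHAPv2 inside TTLS the 16-byte MS-CHAP-Challenge arrives in the same inner request (RFC 5281 section 11.2.3 has the TTLS client derive it from the TLS keying material), whereas with EAP-MSCHAPv2 the server issued the challenge in an earlier EAP round, so the reinjected request alone does not carry it.

```python
"""Decode the two inner-TTLS MSCHAPv2 encodings from the Radiator debug output.

Added example, not Radiator code. Assumption: Radiator's debug printer emits
printable ASCII verbatim and every other byte as <decimal>.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def decode_radiator_bytes(text: str) -> bytes:
    """Turn Radiator's <decimal>/printable notation back into raw bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


@dataclass
class MSCHAPv2Response:
    ident: int              # MS-CHAP Ident, or EAP MS-CHAPv2-ID
    peer_challenge: bytes   # 16 bytes chosen by the peer
    nt_response: bytes      # 24-byte NT-Response (DES over ChallengeHash)
    flags: int              # must be 0 for MSCHAPv2
    name: Optional[bytes]   # only the EAP encapsulation carries a Name


def parse_ms_chap2_response(value: bytes) -> MSCHAPv2Response:
    """RFC 2548 2.3.2: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(value)}")
    return MSCHAPv2Response(value[0], value[2:18], value[26:50], value[1], None)


def parse_eap_mschapv2_response(pkt: bytes) -> MSCHAPv2Response:
    """RFC 3748 header + EAP-MSCHAPv2 Response: Type 26, OpCode 2, Value-Size 49."""
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != 2 or eap_type != 26 or length != len(pkt):
        raise ValueError("not a well-formed EAP-MSCHAPv2 Response")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    # MS-Length covers everything from OpCode onward, i.e. EAP length minus 5.
    if opcode != 2 or value_size != 49 or ms_len != len(pkt) - 5:
        raise ValueError("not an MSCHAPv2 Response op-code, or bad sizes")
    value = pkt[10:59]          # Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1)
    return MSCHAPv2Response(ms_id, value[0:16], value[24:48], value[48], pkt[59:])


def inner_mschapv2(attrs: Dict[str, bytes]) -> Tuple[Optional[bytes], MSCHAPv2Response]:
    """Return (authenticator_challenge, response) for either inner encoding.

    Plain MSCHAPv2 inside TTLS carries the authenticator challenge in the same
    request as MS-CHAP-Challenge; with EAP-MSCHAPv2 the server sent it in an
    earlier EAP Challenge round, so only the response is available here.
    """
    if "EAP-Message" in attrs:
        return None, parse_eap_mschapv2_response(attrs["EAP-Message"])
    if "MS-CHAP-Challenge" in attrs and "MS-CHAP2-Response" in attrs:
        chal = attrs["MS-CHAP-Challenge"]
        if len(chal) != 16:
            raise ValueError("MS-CHAP-Challenge must be 16 bytes for MSCHAPv2")
        return chal, parse_ms_chap2_response(attrs["MS-CHAP2-Response"])
    raise ValueError("no recognised MSCHAPv2 encapsulation in inner request")


# Attribute values copied from the debug output in the post (case 1 and case 2).
PLAIN_REQUEST = {
    "User-Name": b"xxxxxxxx",
    "MS-CHAP-Challenge": decode_radiator_bytes(
        "<25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>"),
    "MS-CHAP2-Response": decode_radiator_bytes(
        "^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0>"
        "<214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>"),
}
EAP_REQUEST = {
    "User-Name": b"anonymous",
    "EAP-Message": decode_radiator_bytes(
        '<2><1><0>B<26><2><1><0>=1<3>A2<127><165><224>7<193><148><163>s<223><251><182><146><231>'
        '<0><0><0><0><0><0><0><0>C<194><27>vv1<20><29>]h$/<149><17><159><202>I<6><128><204><246>"'
        '<186><189><0>radperf'),
}

if __name__ == "__main__":
    for label, req in (("plain MSCHAPv2", PLAIN_REQUEST), ("EAP-MSCHAPv2", EAP_REQUEST)):
        chal, resp = inner_mschapv2(req)
        print(f"{label}: ident={resp.ident} flags={resp.flags} name={resp.name}")
        print(f"  authenticator challenge: {chal.hex() if chal else '(sent in earlier EAP round)'}")
        print(f"  peer challenge:          {resp.peer_challenge.hex()}")
        print(f"  NT-Response:             {resp.nt_response.hex()}")
```

Run it as-is to see the two requests decoded; the same peer-challenge and NT-Response fields come out of both, only the wrapping (and the presence of the authenticator challenge) differs, which is why an inner handler that keys on EAP-Message sees nothing usable in case 1.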


More information about the radiator mailing list