[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

Heikki Vatiainen hvn at open.com.au
Tue Jun 9 05:00:08 CDT 2015


On 9.6.2015 12.44, Christian Kratzer wrote:

> we are having an issue with authenticating TTLS when the supplicant uses
> plain MSCHAPv2 instead of EAP-MSCHAPv2
>
> 1. Testing with eapol_test and the following config in eapol_test:
> -------------------------------------------------------------
>
>       eap=TTLS
>       phase2="auth=MSCHAPV2"
>
> produces the following request when the request is reinjected into the inner handler:
>
>       Code:       Access-Request
>       Identifier: UNDEF
>       Authentic:  <238>g<236>Z<18>2<187>dmM$<242><223><30><209>4
>       Attributes:
>   	    User-Name = "xxxxxxxx"
>   	    MS-CHAP-Challenge = <25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>
>   	    MS-CHAP2-Response = ^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0><214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>
>
> This fails to provide a challenge.
>
>       Tue Jun  9 09:32:25 2015 986798: DEBUG: Radius::AuthSQL looks for match with XXXXX [XXXXX]
>       Tue Jun  9 09:32:25 2015 987631: DEBUG: Radius::AuthSQL ACCEPT: : XXXXX [XXXXX]
>
> And subsequently fails.

It should now return accept or reject, not a challenge. If it accepts, 
it will tunnel MS-CHAP2-Success back to the client with the accept. The 
client then compares the received value with what it expects. The value 
it expects depends on the response the server calculates. The username 
and password are included in the calculated response. The server cannot 
just say "yes" without knowing the password; that's the v2 part. Also, 
the username must be the same the client uses when it calculates its 
expected value. You should not rewrite it for plain MSCHAPv2.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
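The MS-CHAP2-Success computation Heikki describes, as an added example that is not part of the original post and not Radiator's code. It implements GenerateAuthenticatorResponse from RFC 2759 section 8.7 (MD4 is written out because OpenSSL 3 builds often disable it in hashlib), parses the 50-octet MS-CHAP2-Response attribute layout from RFC 2548, and shows a client-side check accepting the "S=..." value only when the server used the real password and the unrewritten User-Name. The password, user name, challenges and the 24-byte NT-Response are constructed sample data; verifying the NT-Response itself (the DES-based ChallengeResponse, which a server does before anything else) is left out.

```python
"""MS-CHAPv2 MS-CHAP2-Success computation (RFC 2759 sec. 8.7, RFC 2548 sec. 2.3.3/2.3.4).
Added illustration, not Radiator's code. Shows why an inner handler that sees plain
MSCHAPv2 must know the password and must use the User-Name the supplicant used.
All sample values (password, challenges, NT-Response bytes) are constructed."""
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: X[i], shifts 3 7 11 19
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: X[0,4,8,12,1,5,...], shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: X[0,8,4,12,...], shifts 3 9 11 15
            a = _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password):
    """RFC 2759 8.3: MD4 over the UTF-16LE password (the NT hash)."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 8.2. The user name must be exactly what the peer presented
    (domain prefix excluded); any rewrite and the two sides disagree."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]

def generate_authenticator_response(password, nt_response, peer_challenge,
                                    authenticator_challenge, username):
    """RFC 2759 8.7: the 'S=<40 hex>' string the server tunnels back in MS-CHAP2-Success."""
    magic1 = b"Magic server to client signing constant"
    magic2 = b"Pad to make it do more than one iteration"
    password_hash_hash = md4(nt_password_hash(password))  # needs the password: the "v2 part"
    digest = hashlib.sha1(password_hash_hash + nt_response + magic1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    return "S=" + hashlib.sha1(digest + challenge + magic2).digest().hex().upper()

def parse_mschap2_response(value):
    """Split the 50-octet MS-CHAP2-Response value (RFC 2548 2.3.3):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets, got %d" % len(value))
    if value[1] != 0:
        raise ValueError("Flags must be zero")
    return {"ident": value[0], "peer_challenge": value[2:18], "nt_response": value[26:50]}

def build_mschap2_success(ident, authenticator_response):
    """MS-CHAP2-Success value (RFC 2548 2.3.4): Ident(1) followed by 'S=' + 40 hex chars."""
    return bytes([ident]) + authenticator_response.encode()

def client_checks_success(success_value, ident, password, nt_response,
                          peer_challenge, authenticator_challenge, username):
    """What the supplicant does with the tunneled MS-CHAP2-Success: recompute and compare."""
    expected = generate_authenticator_response(password, nt_response, peer_challenge,
                                               authenticator_challenge, username)
    return success_value == build_mschap2_success(ident, expected)

def demo():
    """Constructed exchange: the server computes S=... three ways; the client accepts one."""
    password, username = "s3cret", "alice@example.org"   # constructed sample values
    authenticator_challenge = bytes(range(16))             # MS-CHAP-Challenge, constructed
    # NT-Response is normally the DES-based ChallengeResponse (RFC 2759 8.5), which the
    # server verifies first; DES is omitted here, so opaque sample bytes stand in for it.
    nt_response = bytes(range(32, 56))
    attr = bytes([0x5E, 0x00]) + bytes(range(16, 32)) + bytes(8) + nt_response
    resp = parse_mschap2_response(attr)
    args = (resp["nt_response"], resp["peer_challenge"], authenticator_challenge)

    def verdict(server_password, server_username):
        s = generate_authenticator_response(server_password, *args, server_username)
        return client_checks_success(build_mschap2_success(resp["ident"], s),
                                     resp["ident"], password, *args, username)

    return {
        "knows_password": verdict(password, username),
        "guessed_password": verdict("wrong", username),        # "just say yes" fails
        "rewritten_username": verdict(password, "alice"),      # realm stripped: fails
    }
```

Running demo() returns True only for the case where the server knew the password and used the client's own User-Name; an AuthSQL ACCEPT that was not backed by the password, or a Handler that stripped the realm before the inner authentication, produces an S= value the supplicant rejects even though the RADIUS reply was an Access-Accept.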