[RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

Hugo Veiga hveiga at ubi.pt
Tue Jan 26 10:05:56 CST 2016


Sorry for the waste of your time, and thanks for your point (I was
trying all possible things that I could remember, and this went to the list
by mistake).

I also tried another certificate, but it does the same thing: it gets stuck and
never reaches the inner handler.

Here is a trace from 4.16 with the SQL clause just like in 4.9 (except for the
AuthBy SQL "Accounting", which is in 4.9 because it is a production
environment and which I am not using right now for 4.16).

Best regards,
Hugo Veiga


The config file for 4.16:

....

<AuthBy SQL>
        Identifier PEAP_CONVIDADO_INNER
        DBSource dbi:mysql:radius-temp
        DBUsername db_user
        DBAuth db_passwd_1234
        Timeout 10
        SQLRetries 4
        FailureBackoffTime 10
        EAPType MSCHAP-V2
        AuthSelect SELECT password FROM convidado WHERE
username=SUBSTRING('%u',1,LOCATE('@','%u')) AND datai<"%Y-%m-%d %H:%M:%S"
AND dataf>"%Y-%m-%d %H:%M:%S"
</AuthBy>

<AuthBy SQL>
        Identifier PEAP_CONVIDADO
        DBSource dbi:mysql:radius-temp
        DBUsername db_user
        DBAuth db_passwd_1234
        Timeout 10
        SQLRetries 4
        FailureBackoffTime 10
        EAPType PEAP
        EAPAnonymous %u
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        EAPTLS_CAFile /etc/radiator/hvcert.pem
        EAPTLS_CertificateFile /etc/radiator/hvcert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/hvkey.pem
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
</AuthBy>



<Handler TunnelledByPEAP=1>
        AuthBy PEAP_CONVIDADO_INNER
</Handler>



<Handler Realm=/^convidado$/i>
        AuthByPolicy ContinueAlways
#        AuthBy SQLAccounting - not used for this test
        AuthBy PEAP_CONVIDADO
</Handler>

------------

Dump:

Tue Jan 26 15:54:52 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 ....

Packet length = 163
01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2
a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96
a4 80 c8
Code:       Access-Request
Identifier: 180
Authentic:  <139><3>(<143><10><139>N<158><F<172><194><163><168><135>O
Attributes:
        NAS-Port-Id = "AP2/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-D9-94:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745@convidado
        User-Name = "1745@convidado"
        NAS-Port = 56405
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator = <227><188>V<191><16><236><151><245><248>"<198>~<150><164><128><200>

Tue Jan 26 15:54:52 2016: DEBUG: Handling request with Handler 'Realm=/^convidado$/i', Identifier ''
Tue Jan 26 15:54:52 2016: DEBUG:  Deleting session for 1745@convidado, 10.240.1.1, 56405
Tue Jan 26 15:54:52 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO
Tue Jan 26 15:54:52 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO
Tue Jan 26 15:54:52 2016: DEBUG: Handling with EAP: code 2, 1, 19, 1
Tue Jan 26 15:54:52 2016: DEBUG: Response type 1
Tue Jan 26 15:54:52 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jan 26 15:54:52 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP Challenge
Tue Jan 26 15:54:52 2016: DEBUG: Access challenged for 1745@convidado: EAP PEAP Challenge
Tue Jan 26 15:54:52 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 ....

Packet length = 46
0b b4 00 2e fa a6 ac 2d f7 6f 14 aa 11 5c 6e 0e
a4 24 88 8e 4f 08 01 02 00 06 19 20 50 12 2d 47
b9 13 e4 7d 75 21 1b 7e 14 4b 39 67 16 5e
Code:       Access-Challenge
Identifier: 180
Authentic:  <250><166><172>-<247>o<20><170><17>\n<14><164>$<136><142>
Attributes:
        EAP-Message = <1><2><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 ....

Packet length = 163
01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2
a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96
a4 80 c8
Code:       Access-Request
Identifier: 180
Authentic:  <139><3>(<143><10><139>N<158><F<172><194><163><168><135>O
Attributes:
        NAS-Port-Id = "AP2/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-D9-94:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745@convidado
        User-Name = "1745@convidado"
        NAS-Port = 56405
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator = <227><188>V<191><16><236><151><245><248>"<198>~<150><164><128><200>

Tue Jan 26 15:54:57 2016: INFO: Duplicate request id 180 received from 10.240.1.1(20004): retransmit reply
Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 ....

Packet length = 46
0b b4 00 2e fa a6 ac 2d f7 6f 14 aa 11 5c 6e 0e
a4 24 88 8e 4f 08 01 02 00 06 19 20 50 12 2d 47
b9 13 e4 7d 75 21 1b 7e 14 4b 39 67 16 5e
Code:       Access-Challenge
Identifier: 180
Authentic:  <250><166><172>-<247>o<20><170><17>\n<14><164>$<136><142>
Attributes:
        EAP-Message = <1><2><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:55:02 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 ....

Packet length = 163
01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2
a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96
a4 80 c8
Code:       Access-Request
Identifier: 180
Authentic:  <139><3>(<143><10><139>N<158><F<172><194><163><168><135>O
Attributes:
        NAS-Port-Id = "AP2/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-D9-94:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745@convidado
        User-Name = "1745@convidado"
        NAS-Port = 56405
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator = <227><188>V<191><16><236><151><245><248>"<198>~<150><164><128><200>

Tue Jan 26 15:55:02 2016: INFO: Duplicate request id 180 received from 10.240.1.1(20004): retransmit reply
Tue Jan 26 15:55:02 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 ....

Packet length = 46
0b b4 00 2e fa a6 ac 2d f7 6f 14 aa 11 5c 6e 0e
a4 24 88 8e 4f 08 01 02 00 06 19 20 50 12 2d 47
b9 13 e4 7d 75 21 1b 7e 14 4b 39 67 16 5e
Code:       Access-Challenge
Identifier: 180
Authentic:  <250><166><172>-<247>o<20><170><17>\n<14><164>$<136><142>
Attributes:
        EAP-Message = <1><2><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:55:03 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 ....

Packet length = 163
01 db 00 a3 5f 0c 36 7b 4a 93 dc 83 0b a6 ee 6d
27 9a bf d9 57 07 41 50 33 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 44 2d 30
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 5d 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 1c 9f 10 d5 be 75 e8 ed a5 94 76 0b 96
26 9e 63
Code:       Access-Request
Identifier: 219
Authentic:  _<12>6{J<147><220><131><11><166><238>m'<154><191><217>
Attributes:
        NAS-Port-Id = "AP3/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-DD-04:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745@convidado
        User-Name = "1745@convidado"
        NAS-Port = 56413
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator = <28><159><16><213><190>u<232><237><165><148>v<11><150>&<158>c

Tue Jan 26 15:55:03 2016: DEBUG: Handling request with Handler 'Realm=/^convidado$/i', Identifier ''
Tue Jan 26 15:55:03 2016: DEBUG:  Deleting session for 1745@convidado, 10.240.1.1, 56413
Tue Jan 26 15:55:03 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO
Tue Jan 26 15:55:03 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO
Tue Jan 26 15:55:03 2016: DEBUG: Handling with EAP: code 2, 1, 19, 1
Tue Jan 26 15:55:03 2016: DEBUG: Response type 1
Tue Jan 26 15:55:03 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jan 26 15:55:03 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP Challenge
Tue Jan 26 15:55:03 2016: DEBUG: Access challenged for 1745@convidado: EAP PEAP Challenge
Tue Jan 26 15:55:03 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 ....

Packet length = 46
0b db 00 2e 44 9f 61 13 8c 83 6a de 65 83 5b 52
82 87 89 90 4f 08 01 02 00 06 19 20 50 12 00 c3
c2 6d ca 00 3a 25 ce 23 4e 2e b6 48 41 c2
Code:       Access-Challenge
Identifier: 219
Authentic:  D<159>a<19><140><131>j<222>e<131>[R<130><135><137><144>
Attributes:
        EAP-Message = <1><2><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:55:08 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 ....

Packet length = 163
01 db 00 a3 5f 0c 36 7b 4a 93 dc 83 0b a6 ee 6d
27 9a bf d9 57 07 41 50 33 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 44 2d 30
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 5d 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 1c 9f 10 d5 be 75 e8 ed a5 94 76 0b 96
26 9e 63
Code:       Access-Request
Identifier: 219
Authentic:  _<12>6{J<147><220><131><11><166><238>m'<154><191><217>
Attributes:
        NAS-Port-Id = "AP3/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-DD-04:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745@convidado
        User-Name = "1745@convidado"
        NAS-Port = 56413
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator = <28><159><16><213><190>u<232><237><165><148>v<11><150>&<158>c

Tue Jan 26 15:55:08 2016: INFO: Duplicate request id 219 received from 10.240.1.1(20004): retransmit reply
Tue Jan 26 15:55:08 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 ....

Packet length = 46
0b db 00 2e 44 9f 61 13 8c 83 6a de 65 83 5b 52
82 87 89 90 4f 08 01 02 00 06 19 20 50 12 00 c3
c2 6d ca 00 3a 25 ce 23 4e 2e b6 48 41 c2
Code:       Access-Challenge
Identifier: 219
Authentic:  D<159>a<19><140><131>j<222>e<131>[R<130><135><137><144>
Attributes:
        EAP-Message = <1><2><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:55:13 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 ....

Packet length = 163
01 db 00 a3 5f 0c 36 7b 4a 93 dc 83 0b a6 ee 6d
27 9a bf d9 57 07 41 50 33 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 44 2d 30
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 5d 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 1c 9f 10 d5 be 75 e8 ed a5 94 76 0b 96
26 9e 63
Code:       Access-Request
Identifier: 219
Authentic:  _<12>6{J<147><220><131><11><166><238>m'<154><191><217>
Attributes:
        NAS-Port-Id = "AP3/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-DD-04:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745@convidado
        User-Name = "1745@convidado"
        NAS-Port = 56413
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator = <28><159><16><213><190>u<232><237><165><148>v<11><150>&<158>c

Tue Jan 26 15:55:13 2016: INFO: Duplicate request id 219 received from 10.240.1.1(20004): retransmit reply
Tue Jan 26 15:55:13 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 ....

Packet length = 46
0b db 00 2e 44 9f 61 13 8c 83 6a de 65 83 5b 52
82 87 89 90 4f 08 01 02 00 06 19 20 50 12 00 c3
c2 6d ca 00 3a 25 ce 23 4e 2e b6 48 41 c2
Code:       Access-Challenge
Identifier: 219
Authentic:  D<159>a<19><140><131>j<222>e<131>[R<130><135><137><144>
Attributes:
        EAP-Message = <1><2><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
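Decoding the two packets in the trace above shows exactly where the exchange stops. The NAS forwards the supplicant's EAP-Response/Identity for 1745@convidado, and Radiator answers with EAP-Request type 25 (PEAP) whose flags byte is 0x20: only the Start bit set, version 0, matching EAPTLS_PEAPVersion 0 in the config. Five seconds later the NAS sends the byte-for-byte identical Access-Request (same identifier 180, same Request Authenticator), so Radiator is right to log it as a duplicate and resend the cached challenge; the same pattern repeats from AP3/1 with identifier 219. No PEAP response ever arrives, so the outer TLS handshake never starts and the TunnelledByPEAP handler cannot be reached. The trace alone does not tell whether the challenge failed to reach the supplicant or the supplicant ignored it. Two details worth knowing when reading these dumps: the attribute listing of a reply shows Message-Authenticator as sixteen zero bytes, while the hex of the same packet carries the real value (`50 12 2d 47 ...`), and a reply's Message-Authenticator is keyed over the request's authenticator, not its own. The decoder below is an added example, not code from the original post or from Radiator; the hex is copied from the trace, and the shared secret used in round_trip() is invented because the real NAS secret is not on the page, so verify_message_authenticator() on the captured packets is expected to return False with it.

```python
"""Decode the RADIUS/EAP packets from the trace above and check their authenticators.
Added example, not Radiator code. The hex is copied from the trace (Access-Request id 180 and
its Access-Challenge); the secret in round_trip() is made up, the real NAS secret is not on the page."""
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

REQUEST = bytes.fromhex(  # Access-Request, id 180, as received from the NAS
    "01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2 a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d"
    "38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b 30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39"
    "34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f 15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69"
    "64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69 64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13"
    "04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79 73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96"
    "a4 80 c8")
CHALLENGE = bytes.fromhex(  # Access-Challenge, id 180: EAP-Request/PEAP with only the Start flag set
    "0b b4 00 2e fa a6 ac 2d f7 6f 14 aa 11 5c 6e 0e a4 24 88 8e 4f 08 01 02 00 06 19 20 50 12 2d 47"
    "b9 13 e4 7d 75 21 1b 7e 14 4b 39 67 16 5e")

def parse_radius(raw):
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = raw[pos], raw[pos + 1]
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": ident, "authenticator": raw[4:20], "attrs": attrs}

def eap_message(pkt):
    # EAP-Message may be split over several attributes (see EAPTLS_MaxFragmentSize); reassemble first.
    return b"".join(v for t, v in pkt["attrs"] if t == EAP_MESSAGE)

def parse_eap(eap):
    """Decode one EAP packet; for TLS-based methods also decode the flags byte (L, M, S, version)."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match payload")
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):
        etype = eap[4]
        out["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            out["identity"] = eap[5:].decode("utf-8", "replace")
        elif etype in (13, 21, 25):
            out["flags"] = "".join(n for n, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if eap[5] & bit)
            out["version"] = eap[5] & 0x07
    return out

def summarize(raw):
    """One line saying what the packet means at the EAP level."""
    pkt = parse_radius(raw)
    eap = parse_eap(eap_message(pkt))
    desc = f"{RADIUS_CODES.get(pkt['code'], pkt['code'])} id={pkt['identifier']} EAP {eap['code']}/{eap.get('type')}"
    if "identity" in eap:
        desc += f" {eap['identity']!r}"
    if "flags" in eap:
        desc += f" flags={eap['flags'] or '-'} version={eap['version']}"
    return desc

def message_authenticator(raw, secret, request_authenticator=None):
    """RFC 3579 3.2: HMAC-MD5 over the packet with the MA zeroed; replies use the request's authenticator."""
    pkt, buf, pos = parse_radius(raw), bytearray(raw), 20
    buf[4:20] = request_authenticator or raw[4:20]
    for atype, val in pkt["attrs"]:
        if atype == MESSAGE_AUTHENTICATOR:
            buf[pos + 2:pos + 18] = bytes(16)
        pos += 2 + len(val)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def verify_message_authenticator(raw, secret, request_authenticator=None):
    """False when absent: RFC 3579 3.1 says an EAP-Message packet without it must be discarded."""
    present = [v for t, v in parse_radius(raw)["attrs"] if t == MESSAGE_AUTHENTICATOR]
    return bool(present) and hmac.compare_digest(present[0], message_authenticator(raw, secret, request_authenticator))

def response_authenticator(reply, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()

def build_challenge(identifier, request_authenticator, eap_payload, secret):
    """Build an Access-Challenge the way a server must: fill the MA first, then the Response Authenticator."""
    attrs = bytes([EAP_MESSAGE, 2 + len(eap_payload)]) + eap_payload + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    raw = struct.pack("!BBH", 11, identifier, 20 + len(attrs)) + request_authenticator + attrs
    raw = raw[:-16] + message_authenticator(raw, secret, request_authenticator)  # MA is the last attribute
    return raw[:4] + response_authenticator(raw, request_authenticator, secret) + raw[20:]

def round_trip(secret=b"constructed-secret"):
    """Rebuild the trace's challenge under a known (made-up) secret; both checks pass, a tampered copy fails."""
    req = parse_radius(REQUEST)
    reply = build_challenge(req["identifier"], req["authenticator"], eap_message(parse_radius(CHALLENGE)), secret)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])
    return {
        "same_eap_as_trace": summarize(reply) == summarize(CHALLENGE),
        "ma_ok": verify_message_authenticator(reply, secret, req["authenticator"]),
        "resp_auth_ok": reply[4:20] == response_authenticator(reply, req["authenticator"], secret),
        "tampered_ma_ok": verify_message_authenticator(tampered, secret, req["authenticator"]),
    }
```

summarize(REQUEST) gives "Access-Request id=180 EAP Response/Identity '1745@convidado'" and summarize(CHALLENGE) gives "Access-Challenge id=180 EAP Request/PEAP flags=S version=0". With the NAS's real shared secret, verify_message_authenticator(REQUEST, secret) and the Response Authenticator check on CHALLENGE (using REQUEST's authenticator) confirm the capture is intact. The Response Authenticator check is the one a NAS performs before it will act on an Access-Challenge; a NAS that fails it drops the reply silently and retransmits, which a trace like this one cannot distinguish from a supplicant that simply does not answer the PEAP Start, so it is worth ruling out on the test server.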
