[RADIATOR] Issues with EAP/PEAP authentication

Hirayama, Pat phirayam at fredhutch.org
Mon Mar 1 23:16:56 UTC 2021


Greetings,

So, I've now had to roll back my Ubuntu 20.04.1 LTS + Radiator 4.25-1 to CentOS 6.11 + Radiator 4.12.1.  I am having a weird authentication issue with wifi clients.  Roughly half of them seem to fail to log in -- but the other half have no problems whatsoever.

I did some testing with Trace 4, and I suspect that it is due to the protocol differences between OpenSSL on CentOS 6 and Ubuntu 20 that Heikki and others pointed out when I posted last month about my LDAP issues -- mostly because of the "unsupported protocol" that appears in the logfile, and the fact that the same basic handler configuration works fine on the older OS/Radiator.  But it isn't clear to me which specific protocol is being used that is unsupported.

Hoping the hive mind can offer some suggestions or solutions for me to try before I schedule some more on-prem testing.  Or, are there additional configs or details that you need?

Thanks!

                           -p


Handler definitions from .conf file (slightly anonymized):
<Handler TunnelledByPEAP=1>
        RejectHasReason

        AuthLog wifi-authlog

        <AuthBy NTLM>
                include /etc/radiator/eap.txt
                NtlmAuthProg  /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
                Domain DOMAIN
                DefaultDomain DOMAIN
                EAPType MSCHAP-V2,PEAP,TTLS
                EAPTLS_PEAPVersion 0
                EAPTLS_CertificateType PEM
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_SecurityLevel 1
                EAPTLS_Ciphers DEFAULT@SECLEVEL=1
                EAPTLS_Protocols TLSv1.1, TLSv1.2
                EAPAnonymous %0
                SSLeayTrace 4
        </AuthBy>
</Handler>

#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role
<Handler>
        AuthByPolicy    ContinueUntilAccept

        AuthLog wifi-authlog
        RejectHasReason
        <AuthBy FILE>
                Filename %D/users.anonymous
                EAPType PEAP,TTLS
                EAPTLS_PEAPVersion 0
                include /etc/radiator/eap.txt
                EAPTLS_CertificateType PEM
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_SecurityLevel 1
                EAPTLS_Ciphers DEFAULT@SECLEVEL=1
                EAPTLS_Protocols TLSv1.1, TLSv1.2
                EAPAnonymous %0
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
</Handler>


/etc/radiator/eap.txt
EAPTLS_CertificateFile /etc/ssl/certs/scrappy.pem
EAPTLS_PrivateKeyFile /etc/ssl/private/scrappy.key
EAPTLS_CAFile /etc/ssl/certs/ssl4free.pem
EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW@SECLEVEL=1:!DH



radiator log entries from failed authentication (slightly anonymized):

Feb 24 11:40:02 scrappy /opt/radiator/radiator/radiusd[5690]: Server started: Radiator 4.25 on scrappy.ipa.domain.tld
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Received from 140.107.50.190 port 32770 ....#012Code:       Access-Request#012Identifier: 64#012Authentic:  ^<158>)<175><246><20>`~<175>]<3><203><187><203><223><241>#012Attributes:#012#011User-Name = "host/ADM-1593562.domain.tld"#012#011Chargeable-User-Identity = <0>#012#011Location-Capable = CIVIC_LOCATION#012#011Calling-Station-Id = "dc-53-60-92-4a-69"#012#011Called-Station-Id = "a0-93-51-a9-e3-20:Marconi Test"#012#011NAS-Port = 13#012#011cisco-avpair = "audit-session-id=8c6b32be000000296036abc3"#012#011Acct-Session-Id = "6036abc3/dc:53:60:92:4a:69/45"#012#011NAS-IP-Address = 140.107.50.190#012#011NAS-Identifier = "j4-test-wlc"#012#011Airespace-WLAN-Id = 2#012#011Service-Type = Framed-User#012#011Framed-MTU = 1300#012#011NAS-Port-Type = Wireless-IEEE-802-11#012#011Tunnel-Type = 0:VLAN#012#011Tunnel-Medium-Type = 0:802#012#011Tunnel-Private-Group-ID = 44#012#011EAP-Message = <2><2><0><31><1>host/ADM-1593562.domain.tld#012#011Message-Authenticator = <0>v2<13><234>X8<10><182><162>p<8><179><5><201>d
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Handling request with Handler '', Identifier ''
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: SessINTERNAL: Deleting session for host/ADM-1593562.domain.tld, 140.107.50.190, 13
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with Radius::AuthFILE: 
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with EAP: code 2, 2, 31, 1
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Response type 1
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Initialised SSL library: Net::SSLeay 1.88, OpenSSL 1.1.1f  31 Mar 2020
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Radius::AuthFILE  setting TLS protocols to: TLSv1.1 TLSv1.2
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Radius::AuthFILE  setting EAPTLS_Ciphers to: DEFAULT@SECLEVEL=1
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: EAP result: 3, EAP PEAP Challenge
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Access challenged for host/ADM-1593562.domain.tld: EAP PEAP Challenge
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Sending to 140.107.50.190 port 32770 ....#012Code:       Access-Challenge#012Identifier: 64#012Authentic:  B$<16><176>5<242>+<30><159><170><196>j<145>N<241>(#012Attributes:#012#011EAP-Message = <1><3><0><6><25> #012#011Message-Authenticator = <181><30><198>(FC<2><196>3<153><200><197>N<165><14><157>
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Received from 140.107.50.190 port 32770 ....#012Code:       Access-Request#012Identifier: 65#012Authentic:  <13><240>+G<251>+<19>C<24><19>y~<5>/N<141>#012Attributes:#012#011User-Name = "host/ADM-1593562.domain.tld"#012#011Chargeable-User-Identity = <0>#012#011Location-Capable = CIVIC_LOCATION#012#011Calling-Station-Id = "dc-53-60-92-4a-69"#012#011Called-Station-Id = "a0-93-51-a9-e3-20:Marconi Test"#012#011NAS-Port = 13#012#011cisco-avpair = "audit-session-id=8c6b32be000000296036abc3"#012#011Acct-Session-Id = "6036abc3/dc:53:60:92:4a:69/45"#012#011NAS-IP-Address = 140.107.50.190#012#011NAS-Identifier = "j4-test-wlc"#012#011Airespace-WLAN-Id = 2#012#011Service-Type = Framed-User#012#011Framed-MTU = 1300#012#011NAS-Port-Type = Wireless-IEEE-802-11#012#011Tunnel-Type = 0:VLAN#012#011Tunnel-Medium-Type = 0:802#012#011Tunnel-Private-Group-ID = 44#012#011EAP-Message = <2><3><0>q<25><128><0><0><0>g<22><3><1><0>b<1><0><0>^<3><1>`6<171><195><138><219>A<2>t<143><17><140><225><173><223>a,<140>G<173>u<167>=<244><169><180><207><131>sx<209><175><0><0><28><192><20><192><19><0>9<0>3<0>5<0>/<192><10><192><9><0>8<0>2<0><10><0><19><0><5><0><4><1><0><0><25><0><10><0><6><0><4><0><23><0><24><0><11><0><2><1><0><0><23><0><0><255><1><0><1><0>#012#011Message-Authenticator = l<6><167>p<131><213><214>:N<211><161><132>M<224><210><207>
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Handling request with Handler '', Identifier ''
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: SessINTERNAL: Deleting session for host/ADM-1593562.domain.tld, 140.107.50.190, 13
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with Radius::AuthFILE: 
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with EAP: code 2, 3, 113, 25
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Response type 25
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: EAP TLS SSL_accept result: -1, 1, 20
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: EAP TLS error: -1, 1, 20,  5690: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: EAP Failure, elapsed time 0.067517
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: EAP result: 1, EAP PEAP TLS error: unsupported protocol
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: AuthBy FILE result: REJECT, EAP PEAP TLS error: unsupported protocol
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Access rejected for host/ADM-1593562.domain.tld: EAP PEAP TLS error: unsupported protocol
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Wed Feb 24 11:40:51 2021: wifi: FAIL: host/ADM-1593562.domain.tld: host/ADM-1593562.domain.tld: 140.107.50.190: j4-test-wlc: Access-Request: dc-53-60-92-4a-69: a0-93-51-a9-e3-20:Marconi Test
Feb 24 11:40:51 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Sending to 140.107.50.190 port 32770 ....#012Code:       Access-Reject#012Identifier: 65#012Authentic:  <30>*Y<210><193><137>Rt-U<223>u<228><185>(<138>#012Attributes:#012#011EAP-Message = <4><3><0><4>#012#011Message-Authenticator = ?<175>RQ<4><156><21><2><253><209><226><156><151><9>:a#012#011Reply-Message = "EAP PEAP TLS error: unsupported protocol"
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Received from 140.107.50.190 port 32770 ....#012Code:       Access-Request#012Identifier: 66#012Authentic:  <176><193>)gX<^J<8><233><198><181><176>w<238><204>#012Attributes:#012#011User-Name = "DOMAIN\username"#012#011Chargeable-User-Identity = <0>#012#011Location-Capable = CIVIC_LOCATION#012#011Calling-Station-Id = "dc-53-60-92-4a-69"#012#011Called-Station-Id = "a0-93-51-a9-e3-20:Marconi Test"#012#011NAS-Port = 13#012#011cisco-avpair = "audit-session-id=8c6b32be000000296036abc3"#012#011Acct-Session-Id = "6036abc3/dc:53:60:92:4a:69/45"#012#011NAS-IP-Address = 140.107.50.190#012#011NAS-Identifier = "j4-test-wlc"#012#011Airespace-WLAN-Id = 2#012#011Service-Type = Framed-User#012#011Framed-MTU = 1300#012#011NAS-Port-Type = Wireless-IEEE-802-11#012#011Tunnel-Type = 0:VLAN#012#011Tunnel-Medium-Type = 0:802#012#011Tunnel-Private-Group-ID = 44#012#011EAP-Message = <2><5><0><19><1>DOMAIN\username#012#011Message-Authenticator = @<207><24>_<6><128>^<156>y3<217>U<132><200>"<133>
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Handling request with Handler '', Identifier ''
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: SessINTERNAL: Deleting session for DOMAIN\username, 140.107.50.190, 13
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with Radius::AuthFILE: 
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with EAP: code 2, 5, 19, 1
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Response type 1
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: EAP result: 3, EAP PEAP Challenge
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Access challenged for DOMAIN\username: EAP PEAP Challenge
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Sending to 140.107.50.190 port 32770 ....#012Code:       Access-Challenge#012Identifier: 66#012Authentic:  <235>B7<255>{<128>N<228><197><189><145><0>]h7C#012Attributes:#012#011EAP-Message = <1><6><0><6><25> #012#011Message-Authenticator = X<207><246>Q<193><5><141>1<151>@pU<252><240>54
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Received from 140.107.50.190 port 32770 ....#012Code:       Access-Request#012Identifier: 67#012Authentic:  <5>]0<162><21><219><203><201><200><6><209><206>W<134>C #012Attributes:#012#011User-Name = "DOMAIN\username"#012#011Chargeable-User-Identity = <0>#012#011Location-Capable = CIVIC_LOCATION#012#011Calling-Station-Id = "dc-53-60-92-4a-69"#012#011Called-Station-Id = "a0-93-51-a9-e3-20:Marconi Test"#012#011NAS-Port = 13#012#011cisco-avpair = "audit-session-id=8c6b32be000000296036abc3"#012#011Acct-Session-Id = "6036abc3/dc:53:60:92:4a:69/45"#012#011NAS-IP-Address = 140.107.50.190#012#011NAS-Identifier = "j4-test-wlc"#012#011Airespace-WLAN-Id = 2#012#011Service-Type = Framed-User#012#011Framed-MTU = 1300#012#011NAS-Port-Type = Wireless-IEEE-802-11#012#011Tunnel-Type = 0:VLAN#012#011Tunnel-Medium-Type = 0:802#012#011Tunnel-Private-Group-ID = 44#012#011EAP-Message = <2><6><0>q<25><128><0><0><0>g<22><3><1><0>b<1><0><0>^<3><1>`6<171><200><12>w^<223><247><190><142><16><231><176>=qcPd<219><217><166><149><18>,<9><25><6>x<31><193>R<0><0><28><192><20><192><19><0>9<0>3<0>5<0>/<192><10><192><9><0>8<0>2<0><10><0><19><0><5><0><4><1><0><0><25><0><10><0><6><0><4><0><23><0><24><0><11><0><2><1><0><0><23><0><0><255><1><0><1><0>#012#011Message-Authenticator = <201><163><219><251>g<186>;<248><228><170><4><146>K<211>W<150>
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Handling request with Handler '', Identifier ''
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: SessINTERNAL: Deleting session for DOMAIN\username, 140.107.50.190, 13
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with Radius::AuthFILE: 
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Handling with EAP: code 2, 6, 113, 25
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Response type 25
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: EAP TLS SSL_accept result: -1, 1, 20
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: EAP TLS error: -1, 1, 20,  5690: 1 - error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: EAP Failure, elapsed time 0.012610
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: EAP result: 1, EAP PEAP TLS error: unsupported protocol
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: AuthBy FILE result: REJECT, EAP PEAP TLS error: unsupported protocol
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Access rejected for DOMAIN\username: EAP PEAP TLS error: unsupported protocol
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Wed Feb 24 11:40:56 2021: wifi: FAIL: DOMAIN\username: DOMAIN\username: 140.107.50.190: j4-test-wlc: Access-Request: dc-53-60-92-4a-69: a0-93-51-a9-e3-20:Marconi Test
Feb 24 11:40:56 scrappy /opt/radiator/radiator/radiusd[5690]: Packet dump:#012*** Sending to 140.107.50.190 port 32770 ....#012Code:       Access-Reject#012Identifier: 67#012Authentic:  <149><211><248><1><139>Q<18><211>r%%<198>.<7> <188>(#012Attributes:#012#011EAP-Message = <4><6><0><4>#012#011Message-Authenticator = )f<2><157><1><208><225><199><252><230>4<148>o#F<127>#012#011Reply-Message = "EAP PEAP TLS error: unsupported protocol"


--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | phirayam at fredhutch.org | Fred Hutch | Cures Start Here
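Editor's note: the "unsupported protocol" in the trace above can be read straight out of the EAP-Message bytes that Radiator dumped. The Python below is an added example written for this page, not Radiator's code and not part of the original post. It turns Radiator's dump notation (printable bytes literal, everything else as <decimal>) back into bytes, walks EAP -> EAP-PEAP -> TLS record -> ClientHello, and reports which TLS versions the supplicant offers against an EAPTLS_Protocols list. The embedded sample is the ClientHello from the Identifier 65 Access-Request in the log. The version-name table uses the Radiator keywords TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3; treating EAPTLS_Protocols as "exactly the listed versions are enabled" is an assumption that mirrors the observed behaviour, not a copy of Radiator's logic. A literal '<' inside attribute data would make the dump notation ambiguous; the sample contains none.

```python
"""Decode a PEAP ClientHello from a Radiator packet dump and explain a TLS
'unsupported protocol' reject.  Added example, not Radiator code."""
import re
import struct

# Radiator prints printable ASCII literally and every other byte as <decimal>.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)

# Names follow Radiator's EAPTLS_Protocols keywords (assumption, see lead-in).
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B


def radiator_dump_to_bytes(text: str) -> bytes:
    """Convert Radiator's <n>-escaped dump notation to raw bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def parse_peap_client_hello(eap: bytes) -> dict:
    """EAP-Response/PEAP -> TLS handshake record -> ClientHello fields."""
    code, _ident, _length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != 2 or eap_type != 25:          # 2 = Response, 25 = PEAP
        raise ValueError("not an EAP-Response/PEAP")
    flags = eap[5]
    pos = 6
    if flags & 0x80:                          # L bit: 4-byte TLS message length
        pos += 4
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", eap[pos:pos + 5])
    if rec_type != 22:                        # 22 = handshake
        raise ValueError("not a TLS handshake record")
    hs = eap[pos + 5:pos + 5 + rec_len]
    if hs[0] != 1:                            # 1 = ClientHello
        raise ValueError("not a ClientHello")
    p = 4                                     # handshake type + 3-byte length
    client_version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                               # version, then 32-byte random
    p += 1 + hs[p]                            # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                            # compression methods
    extensions = {}
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            et, el = struct.unpack("!HH", hs[p:p + 4])
            extensions[et] = hs[p + 4:p + 4 + el]
            p += 4 + el
    # Without a supported_versions extension, client_version is the highest
    # version the client is willing to speak.
    offered = [client_version]
    sv = extensions.get(SUPPORTED_VERSIONS_EXT)
    if sv:
        offered = [struct.unpack("!H", sv[i:i + 2])[0] for i in range(1, 1 + sv[0], 2)]
    return {"record_version": rec_ver, "client_version": client_version,
            "offered": offered, "cipher_suites": suites,
            "extensions": sorted(extensions)}


def server_accepts(offered, eaptls_protocols: str) -> bool:
    """Assumed model of EAPTLS_Protocols: only the listed versions are enabled."""
    enabled = {name.strip() for name in eaptls_protocols.split(",")}
    return any(TLS_VERSIONS.get(v) in enabled for v in offered)


def explain(dump: str, eaptls_protocols: str) -> str:
    info = parse_peap_client_hello(radiator_dump_to_bytes(dump))
    offered = ", ".join(TLS_VERSIONS.get(v, hex(v)) for v in info["offered"])
    verdict = ("accepted" if server_accepts(info["offered"], eaptls_protocols)
               else "rejected (unsupported protocol)")
    return (f"client offers {offered}; {len(info['cipher_suites'])} suites; "
            f"extensions {[hex(e) for e in info['extensions']]}; "
            f"EAPTLS_Protocols '{eaptls_protocols}' -> {verdict}")


# EAP-Message from the Identifier 65 Access-Request in the posted log.
SAMPLE = ('<2><3><0>q<25><128><0><0><0>g'
          '<22><3><1><0>b'
          '<1><0><0>^<3><1>'
          '`6<171><195><138><219>A<2>t<143><17><140><225><173><223>a,<140>G<173>'
          'u<167>=<244><169><180><207><131>sx<209><175>'
          '<0>'
          '<0><28><192><20><192><19><0>9<0>3<0>5<0>/<192><10><192><9><0>8<0>2'
          '<0><10><0><19><0><5><0><4>'
          '<1><0>'
          '<0><25><0><10><0><6><0><4><0><23><0><24><0><11><0><2><1><0>'
          '<0><23><0><0><255><1><0><1><0>')

if __name__ == "__main__":
    print(explain(SAMPLE, "TLSv1.1, TLSv1.2"))
    print(explain(SAMPLE, "TLSv1, TLSv1.1, TLSv1.2"))
```

Run as-is, the first line reports a client_version of 0x0301 (TLS 1.0) with no supported_versions extension, which the configured EAPTLS_Protocols TLSv1.1, TLSv1.2 cannot satisfy; that is exactly the condition under which OpenSSL 1.1.1 raises SSL_R_UNSUPPORTED_PROTOCOL from tls_early_post_process_client_hello, as seen in the log. Adding TLSv1 to EAPTLS_Protocols makes the same Hello acceptable, but it is a downgrade: the same Hello also lists RC4 suites (0x0005, 0x0004), so where possible the supplicant is the thing to fix (on Windows the PEAP TLS version is controlled by the TlsVersion value under the RasMan PPP EAP registry keys; check Microsoft's current documentation for the exact key and value for your build). Ubuntu 20.04's openssl.cnf also sets a system-wide MinProtocol and SECLEVEL, so if an explicit EAPTLS_Protocols or EAPTLS_Ciphers setting does not appear in the "setting TLS protocols to" trace line, check that file too.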






