On 07/14/2011 01:33 PM, Fabio Ciampi wrote:
> I have a problem with EAP-PEAP authentication. This is my configuration
> file:

Hello Fabio,

Your configuration looks correct. You need to check the client settings
because there is no usable identity (username) received with the inner
EAP-MSCHAP-V2 request.

The PEAP problem is related to this line:

EAP-Message = <2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r<183><212><233>G<167><0><0><0><0><0><0><0><0><136

This is the inner EAP-MSCHAP-V2 Challenge from the client. Was the line
perhaps cut when pasting it to email? The length of the message should be
67 bytes (<0>C is 0x0043 in hex, which is 67 in dec). Your attribute looks
too short, so I am wondering if it was cut when pasted to email.

The identity Radiator uses can be seen in the last bytes of the EAP-Message
attribute. Here is an example of a complete EAP-Message with the identity
(hvn) showing at the end:

EAP-Message = <2><6><0>:<26><2><6><0>91P).<13>=<228><16><3>]<249><210>c7<3><244><252><0><0><0><0><0><0><0><0><192>e<229><155><22><134>K<143><160><22><206><26><31>zg<135>1<15><138>nX<30>9S<0>hvn

Note that in the PEAP case the inner authentication protocol is EAP. For
this reason Radiator uses the identity information carried by the EAP
method (EAP-MSCHAP-V2) instead of the User-Name password. TTLS uses
MS-CHAP (not EAP-MSCHAP-V2), so it uses the User-Name.

Compare these two snippets from the log; the first is TTLS, the second is
PEAP. Note how the identity that is used to check the users file is empty
in the PEAP case.

Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE looks for match with [email protected] [[email protected]]
Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE looks for match with [[email protected]]

Thanks!
Heikki

> <AuthLog FILE>
>     Identifier test-log
>     Filename %L/%Y%m%d-test-auth.log
>     LogSuccess 1
>     LogFailure 1
>     include %L/auth-log-file-format.cfg
> </AuthLog>
>
> <Handler TunnelledByTTLS=1, request_src = test-src>
>     RewriteUsername s/(.*)\\(.*)/$2/
>     <AuthBy FILE>
>         EAPType PAP, MSCHAP-V2, CHAP, MSCHAP
>         Filename %L/test_account
>     </AuthBy>
>     StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID
>     AuthLog test-log
> </Handler>
>
> <Handler TunnelledByPEAP=1, request_src = test-src>
>     RewriteUsername s/(.*)\\(.*)/$2/
>     <AuthBy FILE>
>         Filename %L/test_account
>         EAPType MSCHAP-V2
>     </AuthBy>
>     StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID
>     AuthLog test-log
> </Handler>
>
> <Handler Realm = test.it, ssid=test-network>
>     RewriteUsername s/(.*)\\(.*)/$2/
>     <AuthBy FILE>
>         Filename %L/outer_account
>         EAPType TTLS, PEAP
>         EAPAnonymous %0
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         PreHandlerHook sub { ${$_[0]} -> add_attr('request_src', 'test-src');}
>     </AuthBy>
>     AcctLogFileName %L/%Y%m%d-test.log
>     include %L/acct-log-file-format-eduroam.cfg
> </Handler>
>
> outer_account file:
>
> anonymous    User-Password = whatever
>
> test_account file:
>
> [email protected]    User-Password = "password"
>
> As you can see in the following log, if I use TTLS authentication it
> works without problems:
>
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>     User-Name = "[email protected]"
>     MS-CHAP-Challenge = <<193><5><16><191><193><154><254>
>     MS-CHAP-Response = <148><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><246><222>a^<254>*<180><1
>
> Thu Jul 14 11:06:41 2011: DEBUG: EAP TTLS inner authentication request for [email protected]
> Thu Jul 14 11:06:41 2011: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, request_src = test-src'
> Thu Jul 14 11:06:41 2011: DEBUG: Rewrote user name to [email protected]
> Thu Jul 14 11:06:41 2011: DEBUG: Deleting session for [email protected], 146.48.80.245,
> Thu Jul 14 11:06:41 2011: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 14 11:06:41 2011: DEBUG: Reading users file /$1$dga30/radiator-4_3_1/maria/test_account
> Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE looks for match with [email protected] [[email protected]]
> Thu Jul 14 11:06:41 2011: DEBUG: Radius::AuthFILE ACCEPT: : [email protected] [[email protected]]
> Thu Jul 14 11:06:42 2011: DEBUG: AuthBy FILE result: ACCEPT,
> Thu Jul 14 11:06:42 2011: DEBUG: Access accepted for [email protected]
> Thu Jul 14 11:06:42 2011: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <2><240><128><29><174><178>Z<185>TB<251>5<200><134><137>J
> Attributes:
>
> Thu Jul 14 11:06:42 2011: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
> Thu Jul 14 11:06:42 2011: DEBUG: AuthBy FILE result: ACCEPT, EAP TTLS inner authentication redespatched to a Handler
> Thu Jul 14 11:06:42 2011: DEBUG: Access accepted for [email protected]
> Thu Jul 14 11:06:42 2011: DEBUG: Packet dump:
> *** Sending to 146.48.107.5 port 32786 ....
> Code:       Access-Accept
> Identifier: 112
> Authentic:  <155>P<192><23>"<25><238>kq<150><177>A&w<132><217>
> Attributes:
>     MS-MPPE-Send-Key = <14><165>2<230>8>Tc<194><248><250><134><133>r<9><28><23>dMl;<187><249>|<148><194><163><249><8><178>)<156>
>     MS-MPPE-Recv-Key = )<200><204><3><11><216><30><190><10><31><226><180><191>_<172><131>0<194>NB<197><243><244><216><251><227><
>     EAP-Message = <3><10><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Instead, if I use PEAP, I get this in my log file:
>
> Code:       Access-Request
> Identifier: 203
> Authentic:  <12><171><138><16><243>'<220><221>K<134><250>|<28>x*<17>
> Attributes:
>     Acct-Multi-Session-Id = "00-03-52-9A-C6-C9-00-15-00-49-6D-75-4E-1E-B7-A4-00-03-63-31"
>     Acct-Session-Id = "21a85895-00000221"
>     NAS-Port = 464
>     NAS-Port-Type = Wireless-IEEE-802-11
>     NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
>     NAS-IP-Address = 146.48.80.245
>     Framed-MTU = 1496
>     User-Name = "[email protected]"
>     Calling-Station-Id = "00-15-00-49-6D-75"
>     Called-Station-Id = "00-03-52-9A-C6-C9"
>     Service-Type = Framed-User
>     EAP-Message = <2><1><0><144><25><1><23><3><1><0> 2<26><167>`5<183><2><198><184><136><202><194><129>{[<209><244><144><25><15 <196><172>AkDp}<146>FJ'<184><154>k<155>f<218><169>ox<232>J<201><226><194>UJ<167>rG%<169>q<243><3>:/k<243><223>v<220><221><172>0<145>
>     Colubris-AVPAIR = "ssid=test-network"
>     Colubris-AVPAIR = "group=test-group"
>     Colubris-AVPAIR = "vsc-unique-id=10"
>     Colubris-AVPAIR = "phytype=IEEE802dot11g"
>     Colubris-Attr-250 = "<0><0><0><1>"
>     Colubris-Attr-249 = "<146>0k<10>"
>     Message-Authenticator = y=<129>|<212><200><235><165>i<163><166><185><244><173>r2
>     ssid = test-network
>     group = test-group
>     vsc-unique-id = 10
>     phytype = IEEE802dot11g
>
> Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler 'Realm = test.it, ssid=test-network'
> Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to [email protected]
> Thu Jul 14 11:32:17 2011: DEBUG: Deleting session for [email protected], 146.48.80.245, 464
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with EAP: code 2, 1, 144, 25
> Thu Jul 14 11:32:17 2011: DEBUG: Response type 25
> Thu Jul 14 11:32:17 2011: DEBUG: EAP PEAP inner authentication request for [email protected]
> Thu Jul 14 11:32:17 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <127><4>U<174>$<135><186><18><204>a)<15>A<232>vy
> Attributes:
>     EAP-Message = <2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r<183><212><233>G<167><0><0><0><0><0><0><0><0><136
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     User-Name = "[email protected]"
>     NAS-IP-Address = 146.48.80.245
>     NAS-Identifier = "CNSRV2-ISTI-CNR-IT"
>     NAS-Port = 464
>     Calling-Station-Id = "00-15-00-49-6D-75"
>
> Thu Jul 14 11:32:17 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, request_src = test-src'
> Thu Jul 14 11:32:17 2011: DEBUG: Rewrote user name to [email protected]
> Thu Jul 14 11:32:17 2011: DEBUG: Deleting session for [email protected], 146.48.80.245, 464
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 14 11:32:17 2011: DEBUG: Handling with EAP: code 2, 1, 72, 26
> Thu Jul 14 11:32:17 2011: DEBUG: Response type 26
> Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE looks for match with [[email protected]]
> Thu Jul 14 11:32:17 2011: DEBUG: Radius::AuthFILE REJECT: No such user: [[email protected]]
> Thu Jul 14 11:32:17 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user
> Thu Jul 14 11:32:17 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user
> Thu Jul 14 11:32:17 2011: INFO: Access rejected for [email protected]: EAP MSCHAP V2 failed: no such user
> Thu Jul 14 11:32:17 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <127><4>U<174>$<135><186><18><204>a)<15>A<232>vy
> Attributes:
>     EAP-Message = <4><1><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
>
> Thu Jul 14 11:32:17 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Thu Jul 14 11:32:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
> Thu Jul 14 11:32:17 2011: DEBUG: Access challenged for [email protected]: EAP PEAP inner authentication redespatched to a Handler
> Thu Jul 14 11:32:17 2011: DEBUG: Packet dump:
> *** Sending to 146.48.107.5 port 32786 ....
>
> I really don't understand why in the PEAP case the authentication fails.
>
> Kind regards
> Fabio
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
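The check Heikki does by hand above (read the EAP length byte, read the MS-Length, see whether the attribute is complete and whether an identity follows the 49-byte response) can be automated. The following is an added example, not Radiator's own code (Radiator is Perl; this is Python). It assumes the dump rule visible in the thread's logs: a non-printable byte is printed as <N> with N in decimal and a printable ASCII byte is printed literally. It rebuilds the bytes from an "EAP-Message = ..." value, reads the EAP header and the EAP-MSCHAPv2 Response header, checks the declared lengths against the bytes actually present, and reports the trailing Name, which is the identity Radiator looks up. The builder and the constructed "hvn" sample (with placeholder challenge and NT-Response bytes) are mine; the second sample is the inner EAP-Message line quoted from the log above.

```python
import re
import struct

EAP_RESPONSE = 2            # EAP Code: Response
EAP_TYPE_MSCHAPV2 = 26      # EAP Type: EAP-MSCHAPv2
MSCHAPV2_RESPONSE = 2       # EAP-MSCHAPv2 OpCode: Response
MSCHAPV2_VALUE_SIZE = 49    # 16 Peer-Challenge + 8 Reserved + 24 NT-Response + 1 Flags

_TOKEN = re.compile(r"<(\d{1,3})>")


def decode_radiator_dump(text):
    """Turn Radiator's dump notation back into bytes (assumed rule: <N> is a
    decimal byte value, anything else is a literal printable byte).
    Returns (data, truncated); truncated is True when the text ends in an
    unterminated '<N', which is what a line cut off while pasting looks like."""
    text = text.strip()
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "<":
            m = _TOKEN.match(text, i)
            if m and int(m.group(1)) <= 255:
                out.append(int(m.group(1)))
                i = m.end()
                continue
            if re.fullmatch(r"<\d{0,3}", text[i:]):
                return bytes(out), True
        out.append(ord(text[i]))   # literal printable byte ('>' included)
        i += 1
    return bytes(out), False


def encode_radiator_dump(data):
    """Inverse of decode_radiator_dump; used here only to build sample lines."""
    return "".join(chr(b) if 32 <= b < 127 and b != 0x3C else f"<{b}>" for b in data)


def parse_eap_mschapv2_response(data, truncated=False):
    """Read the EAP and EAP-MSCHAPv2 Response headers, compare the declared
    lengths with the bytes present, and extract the trailing Name (identity)."""
    problems = []
    result = {"bytes_present": len(data), "identity": None, "problems": problems}
    if len(data) < 5:
        problems.append("too short for an EAP header")
        return result
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", data[:5])
    result.update(code=code, eap_id=eap_id, eap_len=eap_len, eap_type=eap_type)
    if code != EAP_RESPONSE:
        problems.append(f"EAP code {code}, expected Response ({EAP_RESPONSE})")
    if eap_type != EAP_TYPE_MSCHAPV2:
        problems.append(f"EAP type {eap_type}, expected EAP-MSCHAPv2 ({EAP_TYPE_MSCHAPV2})")
        return result
    if len(data) < 10:
        problems.append("cut off inside the EAP-MSCHAPv2 header")
        return result
    op, ms_id, ms_len, value_size = struct.unpack("!BBHB", data[5:10])
    result.update(op=op, ms_len=ms_len, value_size=value_size)
    if op != MSCHAPV2_RESPONSE:
        problems.append(f"OpCode {op}, expected Response ({MSCHAPV2_RESPONSE})")
    if value_size != MSCHAPV2_VALUE_SIZE:
        problems.append(f"Value-Size {value_size}, expected {MSCHAPV2_VALUE_SIZE}")
    if eap_len != 5 + ms_len:
        problems.append(f"EAP length {eap_len} does not equal 5 + MS-Length {ms_len}")
    # MS-Length covers OpCode, ID, MS-Length, Value-Size, Response and Name.
    name_len = ms_len - 5 - value_size
    result["name_len"] = name_len
    if name_len < 0:
        problems.append("MS-Length too small to hold the Response field")
        return result
    if len(data) < eap_len:
        note = " (dump ends in the middle of a <N> token)" if truncated else ""
        problems.append(f"only {len(data)} of {eap_len} declared bytes present{note}")
        return result
    if len(data) > eap_len:
        problems.append(f"{len(data) - eap_len} trailing bytes after the declared length")
    name = data[10 + value_size:10 + value_size + name_len]
    result["identity"] = name.decode("ascii", "replace")
    if not name:
        problems.append("empty identity: there is no user name to look up")
    return result


def build_mschapv2_response(eap_id, name, peer_challenge, nt_response, flags=0):
    """Constructed-sample builder: assemble an EAP-Response/EAP-MSCHAPv2 Response."""
    assert len(peer_challenge) == 16 and len(nt_response) == 24
    body = (bytes([MSCHAPV2_VALUE_SIZE]) + peer_challenge + bytes(8)
            + nt_response + bytes([flags]) + name)
    ms_part = struct.pack("!BBH", MSCHAPV2_RESPONSE, eap_id, 4 + len(body)) + body
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(ms_part), EAP_TYPE_MSCHAPV2) + ms_part


def inspect_dump(text):
    """Decode one 'EAP-Message = ...' value and return the parsed report."""
    data, truncated = decode_radiator_dump(text)
    return parse_eap_mschapv2_response(data, truncated)


# Constructed sample: complete Response carrying identity "hvn"; the challenge and
# NT-Response bytes are placeholders, not real MS-CHAPv2 values.
SAMPLE_COMPLETE = encode_radiator_dump(
    build_mschapv2_response(6, b"hvn", bytes(range(16)), bytes(range(100, 124))))

# The inner EAP-MSCHAPv2 Response exactly as it appears in the thread's log.
SAMPLE_FROM_THREAD = ("<2><1><0>H<26><2><1><0>C1<159><221>P<23><249><176>E<0>~<206>r"
                      "<183><212><233>G<167><0><0><0><0><0><0><0><0><136")

if __name__ == "__main__":
    for label, dump in (("constructed", SAMPLE_COMPLETE), ("from thread", SAMPLE_FROM_THREAD)):
        print(label, inspect_dump(dump))
```

Run against the line from the thread, the report shows EAP length 72 and MS-Length 67 as Heikki reads them, but only 34 bytes present with the dump ending mid-token, which is the "cut when pasted" case he suspects. Run against a complete message it prints the identity found after the 49-byte response (here "hvn"), and a message whose Name field is empty is flagged as having nothing to look up, which matches the empty identity in the PEAP log snippet.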
