Hi,

We are having an issue with authenticating TTLS when the supplicant uses
plain MSCHAPv2 instead of EAP-MSCHAPv2.

1. Testing with eapoltest and following config in eapol_test:
-------------------------------------------------------------

     eap=TTLS
     phase2="auth=MSCHAPV2"

produces the following request when the request is reinjected into the inner
handler:

     Code:       Access-Request
     Identifier: UNDEF
     Authentic:  <238>g<236>Z<18>2<187>dmM$<242><223><30><209>4
     Attributes:
            User-Name = "xxxxxxxx"
            MS-CHAP-Challenge = <25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>
            MS-CHAP2-Response = ^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0><214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>

This fails to provide a challenge.

     Tue Jun  9 09:32:25 2015 986798: DEBUG: Radius::AuthSQL looks for match with XXXXX [XXXXX]
     Tue Jun  9 09:32:25 2015 987631: DEBUG: Radius::AuthSQL ACCEPT: : XXXXX [XXXXX]

And subsequently fails.

2. Testing with eapoltest and following config in eapol_test:
-------------------------------------------------------------

     eap=TTLS
     phase2="autheap=MSCHAPV2"

produces the following request when the request is reinjected into the inner
handler:

     Code:       Access-Request
     Identifier: UNDEF
     Authentic:  <137>'H<220><247><247><152>z<186><145><230><133>i<216>?<227>
     Attributes:
            EAP-Message = <2><1><0>B<26><2><1><0>=1<3>A2<127><165><224>7<193><148><163>s<223><251><182><146><231><0><0><0><0><0><0><0><0>C<194><27>vv1<20><29>]h$/<149><17><159><202>I<6><128><204><246>"<186><189><0>radperf
            Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
            User-Name = "anonymous"

Here we get a challenge:

     Tue Jun  9 10:57:58 2015 642003: DEBUG: Radius::AuthSQL ACCEPT: : xxxxxx [anonymous]
     Tue Jun  9 10:57:58 2015 642696: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success

Any tips where to start searching?  We will try next to see if we can
successfully authenticate TTLS/PAP in order to rule out any challenge issues.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
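
To compare the two inner requests field by field, the dumps above can be decoded back into bytes and split along the MS-CHAP2-Response layout (RFC 2548) and the EAP-MSCHAPv2 Response layout. This is an added example, not part of the original message or of Radiator; the function names are hypothetical, and it assumes `<NNN>` in the dump is a decimal byte and that the space at the line wrap of MS-CHAP2-Response belongs to the value (which yields the 50 bytes RFC 2548 specifies).

```python
import re
import struct

# Dump values copied from the two requests above; <NNN> is a decimal byte.
# Assumption: the space at the line wrap in MS-CHAP2-Response is a value byte.
PLAIN = ('^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0>'
         '<214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1>'
         '<225>|N<248>')
EAP = ('<2><1><0>B<26><2><1><0>=1<3>A2<127><165><224>7<193><148><163>s<223>'
       '<251><182><146><231><0><0><0><0><0><0><0><0>C<194><27>vv1<20><29>]h$/'
       '<149><17><159><202>I<6><128><204><246>"<186><189><0>radperf')


def unescape(dump):
    """Convert a debug dump with <NNN> escapes back to raw bytes."""
    tokens = re.findall(r"<(\d{1,3})>|(.)", dump, flags=re.S)
    return bytes(int(num) if num else ord(ch) for num, ch in tokens)


def split_value(value):
    """Peer-Challenge(16) | Reserved(8) | NT-Response(24), shared by both forms."""
    return {"peer_challenge": value[:16], "reserved": value[16:24],
            "nt_response": value[24:48]}


def parse_mschap2_response(attr):
    """MS-CHAP2-Response attribute (RFC 2548): Ident, Flags, then 48 bytes."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    return dict(split_value(attr[2:]), ident=attr[0], flags=attr[1])


def parse_eap_mschapv2_response(msg):
    """EAP-Response, type 26 (MSCHAPv2), OpCode 2 (Response)."""
    if len(msg) < 59:
        raise ValueError("too short for an EAP-MSCHAPv2 Response")
    code, eap_id, length, eap_type, opcode, ms_id, ms_len, vsize = \
        struct.unpack("!BBHBBBHB", msg[:10])
    if (code, eap_type, opcode, vsize) != (2, 26, 2, 49):
        raise ValueError("not an EAP-MSCHAPv2 Response")
    if length != len(msg) or ms_len != length - 5:
        raise ValueError("inconsistent length fields")
    return dict(split_value(msg[10:58]), ident=ms_id, flags=msg[58],
                name=msg[59:].decode("latin-1"))


if __name__ == "__main__":
    for label, rec in (("auth=MSCHAPV2", parse_mschap2_response(unescape(PLAIN))),
                       ("autheap=MSCHAPV2", parse_eap_mschapv2_response(unescape(EAP)))):
        print(label, {k: v.hex() if isinstance(v, bytes) else v for k, v in rec.items()})
```
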
