Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread Hugh Irvine

Hello Roberto -

Welcome to the wonderful world of EAP.

Note that EAP is essentially a stateful encrypted TCP tunnel, over RADIUS, over 
UDP, hence the large number of packets back and forth for a single 
authentication.

I wonder what substance they were abusing?

regards

Hugh


> On 12 Apr 2016, at 23:58, a.l.m.bu...@lboro.ac.uk wrote:
> 
> Hi,
>>   Are all the challenges independent of each other? I can't find anything in
>>   the debug log that ties the incoming packets together.
> 
> all separate UDP packets - but with a known state - the RADIUS
> server recognises the conversation (up to 256 from each NAS usually)
> 
> with latest patchset for 4.16 you can see more details to help track
> a conversation in debug
> 
> alan
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.



Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread A . L . M . Buxey
Hi,

>Is there a paper somewhere which discusses EAP PEAP Challenges? I'm
>debugging a new controller's access to radiator and finding that a working
>auth requires 11 udp packets each way and I don't understand why. What
>info is being passed?

documented in the RFC and on resources such as packetlife

identity request/response
set up of EAP - transfer of the server cert (and intermediates)
(that bit can be a couple more packets)
negotiation for PEAP
PEAP tunnel creation
MSCHAPv2 challenge-response
accept

it's a lot of stuff going on. over UDP, with possible
interesting RADIUS interactions.

if you want something with less chat, EAP-TLS or EAP-PWD ...or even EAP-FAST
are the way to go.

alan
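
Added example (not part of the original posts and not Radiator code): a Python trace that ties the datagrams of one EAP exchange together, pairing each reply with its request by RADIUS Identifier, linking the next Access-Request to the previous Access-Challenge by the echoed State attribute, and decoding the RFC 3748 EAP header of each. The packets, the `conv-A` State value and the `example` identity are constructed and a single NAS is assumed; reading the four numbers in the "Handling with EAP" debug line quoted in this thread as code, identifier, length, type is an assumption.

```python
import struct

ATTR_STATE, ATTR_EAP_MESSAGE = 24, 79          # RFC 2865 State, RFC 3579 EAP-Message

def parse_radius(pkt):
    """Return (code, identifier, state, eap) for one RADIUS datagram."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    state, eap, pos = None, b"", 20            # skip header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == ATTR_STATE:
            state = pkt[pos + 2:pos + alen]
        elif atype == ATTR_EAP_MESSAGE:        # long EAP packets span several attributes
            eap += pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, state, eap

def parse_eap(eap):
    """Return (code, identifier, length, type); type is None for Success/Failure."""
    code, ident, length = struct.unpack("!BBH", eap[:4])   # struct.error if truncated
    return code, ident, length, (eap[4] if code in (1, 2) and len(eap) > 4 else None)

def trace(packets):
    """Chain one NAS's datagrams into conversations via Identifier and State."""
    by_state, pending, convs = {}, {}, []
    for pkt in packets:
        code, ident, state, eap = parse_radius(pkt)
        if code == 1:                          # Access-Request; State echoes last challenge
            conv = by_state.get(state)
            if conv is None:                   # no known State: a new conversation
                convs.append(conv := [])
            pending[ident] = conv
        else:                                  # reply, matched on the RADIUS Identifier
            conv = pending.pop(ident, None)
            if conv is None:
                continue
            if state is not None:
                by_state[state] = conv
        conv.append((code, ident, parse_eap(eap) if eap else None))
    return convs

AUTH, STATE = "00" * 16, "1808" + b"conv-A".hex()          # constructed values
SAMPLE = [bytes.fromhex(h) for h in (          # constructed start of a PEAP exchange
    "010a0022" + AUTH + "4f0e0202000c01" + b"example".hex(),   # Request: EAP Identity
    "0b0a0024" + AUTH + "4f08010300061920" + STATE,            # Challenge: PEAP start
    "010b0024" + AUTH + "4f08020300061900" + STATE)]           # Request echoing State
```

`trace(SAMPLE)` returns one conversation of three entries, each a tuple of RADIUS code, RADIUS Identifier and the decoded EAP header.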


Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread Ullfig, Roberto Alfredo
Also, what does this mean?

Mon Apr 11 10:32:06 2016: DEBUG: Handling with EAP: code 2, 2, 12, 1
Mon Apr 11 10:32:06 2016: DEBUG: Response type 1
Mon Apr 11 10:32:06 2016: DEBUG: EAP result: 3, EAP PEAP Challenge

---
Roberto Ullfig - rull...@uic.edu
ACCC Research Programmer


Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread Ullfig, Roberto Alfredo
Are all the challenges independent of each other? I can't find anything in the 
debug log that ties the incoming packets together.

---
Roberto Ullfig - rull...@uic.edu
ACCC Research Programmer


[RADIATOR] EAP PEAP Challenges

2016-04-12 Thread Ullfig, Roberto Alfredo
Is there a paper somewhere which discusses EAP PEAP Challenges? I'm debugging a 
new controller's access to radiator and finding that a working auth requires 11 
udp packets each way and I don't understand why. What info is being passed?

---
Roberto Ullfig - rull...@uic.edu
ACCC Research Programmer
