On 04/11/2011 03:55 PM, Aman Arneja wrote:
> As you might have gathered from my previous mails, I am writing an EAP
> TTLS Method. We are facing problems with using EAP Inner Methods. Non-EAP
> Inner methods are working fine. I am attaching 2 log files:
>
> 1.) radiatornoproxy : Config File = eap_ttls.cfg.
> Topology :
> Client - Wireless supplicant configured to authenticate using our TTLS +
> EAP MsChapv2
> Radiator - AuthByLsa
>
> 2.) eapttlsradiator : Config File = eap_ttls_proxy.txt
> Topology :
> Client - Wireless supplicant configured to authenticate using our TTLS +
> EAP MsChapv2
> Radiator - AuthByRadius, with authentication terminating on Microsoft NPS
>
> In both cases Radiator is rejecting the AVP sent by client after server
> sends access challenge.
From the log it looks like Radiator sends access challenge inside the tunnel as you say:

EAP-Message = <1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n<214><201><243>f<208><248><184><20><219>RadiatorServer1

This seems to be a well formed EAP-MSCHAP-V2 challenge according to
http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02

But when the response comes, Radiator does not even get to process it as an AVP but the underlying TLS processing indicates there is a "wrong version number" as seen below. In other words, it looks like after the client receives Radiator's tunnelled EAP-MSCHAP-V2 challenge, the tunnelling TLS thinks the received TLS record is faulty.

A quick check shows that "wrong version number" could mean a mismatch between expected and received SSL 3.0 and TLS 1.x version. However, for me it looks like the version is always <3><1> which is TLS 1.0. So it looks like the SSL/TLS library Radiator uses sees something it does not like.

> Can someone please help us with this? Let me know if any more information is
> required. Seems to be an issue with the reading of the EAP Message from
> the AVP.

I would say it is a TLS problem. Though I am not sure what exactly.
Best regards,
Heikki

> Snippet of issue is as follows:
>
> Mon Apr 11 04:34:01 2011: DEBUG: Handling request with Handler '', Identifier ''
> Mon Apr 11 04:34:01 2011: DEBUG: Deleting session for DVM-AMARNE-DC\anonymous, 192.168.10.3, 0
> Mon Apr 11 04:34:01 2011: DEBUG: Handling with Radius::AuthFILE:
> Mon Apr 11 04:34:01 2011: DEBUG: Handling with EAP: code 2, 7, 139, 21
> Mon Apr 11 04:34:01 2011: DEBUG: Response type 21
> Mon Apr 11 04:34:01 2011: DEBUG: EAP TTLS data, 3, 7, 6
> Mon Apr 11 04:34:01 2011: DEBUG: EAP result: 1, EAP TTLS read failed: 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Mon Apr 11 04:34:01 2011: DEBUG: AuthBy FILE result: REJECT, EAP TTLS read failed: 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Mon Apr 11 04:34:01 2011: INFO: Access rejected for DVM-AMARNE-DC\anonymous: EAP TTLS read failed: 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Mon Apr 11 04:34:01 2011: DEBUG: Packet dump:
> *** Sending to 192.168.10.3 port 65529 ....
> Code: Access-Reject
> Identifier: 6
> Authentic: <179>~<25><150><242><188><191><189>_<127><180><130>O<26><21><209>
> Attributes:
> EAP-Message = <4><7><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Thanx
>
> Aman Arneja
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
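Added illustration (not code from the thread or from Radiator): the script below decodes Radiator's packet-dump notation for the tunnelled EAP-Message quoted in Heikki's reply and checks it field by field against the EAP-MSCHAPv2 Challenge layout from draft-kamath-pppext-eap-mschapv2, which is the "well formed" check made above. Function and class names are my own; the input bytes are the ones from the log.

```python
import re
import struct
from dataclasses import dataclass

EAP_REQUEST, EAP_TYPE_MSCHAPV2, MSCHAPV2_CHALLENGE = 1, 26, 1

def radiator_unescape(text: str) -> bytes:
    """Decode Radiator packet-dump notation: <decimal> for non-printables, else literal."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d+)>|(.)", text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

@dataclass
class Challenge:
    eap_id: int
    mschap_id: int
    challenge: bytes
    name: str

def parse_eap_mschapv2_challenge(pkt: bytes) -> Challenge:
    """Validate an EAP-Request/EAP-MSCHAPv2 Challenge against the draft layout."""
    if len(pkt) < 10:
        raise ValueError("shorter than the EAP + MS-CHAPv2 headers")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"not EAP-Request/MSCHAPv2 (code={code}, type={eap_type})")
    if eap_len != len(pkt):
        raise ValueError(f"EAP Length {eap_len} != actual {len(pkt)}")
    opcode, mschap_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    if opcode != MSCHAPV2_CHALLENGE:
        raise ValueError(f"unexpected OpCode {opcode}")
    if ms_len != eap_len - 5:  # MS-Length counts from OpCode to the end of the packet
        raise ValueError(f"MS-Length {ms_len} does not match EAP Length {eap_len}")
    if value_size != 16:      # the server challenge is always 16 octets
        raise ValueError(f"Value-Size {value_size} != 16")
    challenge, name = pkt[10:26], pkt[26:].decode("ascii")
    return Challenge(eap_id, mschap_id, challenge, name)

# EAP-Message from the Access-Challenge quoted in the reply above
LOG_EAP_MESSAGE = ("<1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n"
                   "<214><201><243>f<208><248><184><20><219>RadiatorServer1")

def decode_log_challenge() -> Challenge:
    """Decode and validate the logged challenge; raises ValueError if malformed."""
    return parse_eap_mschapv2_challenge(radiator_unescape(LOG_EAP_MESSAGE))
```

For the logged message every length agrees (EAP Length 41, MS-Length 36, Value-Size 16, name "RadiatorServer1"), so the challenge itself is not the cause of the later TLS "wrong version number" error.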