This turned out to be an issue with the MsChapV2 AVP and the trailer bits. This is now resolved.
Thanx
Aman Arneja

On Wed, Apr 13, 2011 at 12:18 AM, Heikki Vatiainen <h...@open.com.au> wrote:
> On 04/11/2011 03:55 PM, Aman Arneja wrote:
>
> > As you might have gathered from my previous mails, I am writing an EAP
> > TTLS Method. We are facing problems with using EAP Inner Methods. Non
> > EAP Inner methods are working fine. I am attaching 2 log files:
> >
> > 1.) radiatornoproxy : Config File = eap_ttls.cfg.
> > Topology :
> > Client - Wireless supplicant configured to authenticate using our TTLS +
> > EAP MsChapv2
> > Radiator - AuthByLsa
> >
> > 2.) eapttlsradiator : Config File = eap_ttls_proxy.txt
> > Topology :
> > Client - Wireless supplicant configured to authenticate using our TTLS +
> > EAP MsChapv2
> > Radiator - AuthByRadius, with authentication terminating on Microsoft NPS
> >
> > In both cases Radiator is rejecting the AVP sent by client after server
> > sends access challenge.
>
> From the log it looks like Radiator sends access challenge inside the
> tunnel as you say:
>
> > EAP-Message =
> > <1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n<214><201><243>f<208><248><184><20><219>RadiatorServer1
>
> This seems to be a well formed EAP-MSCHAP-V2 challenge according to
> http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02
>
> But when the response comes, Radiator does not even get to process it as
> an AVP but the underlying TLS processing indicates there is a "wrong
> version number" as seen below. In other words, it looks like after the
> client receives Radiator's tunnelled EAP-MSCHAP-V2 challenge, the
> tunnelling TLS thinks the received TLS record is faulty.
>
> A quick check shows that "wrong version number" could mean a mismatch
> between expected and received SSL 3.0 and TLS 1.x version. However, for
> me it looks like the version is always <3><1> which is TLS 1.0.
>
> So it looks like the SSL/TLS library Radiator uses sees something it does
> not like.
>
> > Can some1 pls help us with this? Let me know if any more information is
> > required. Seems to be an issue with the reading of the EAP Message from
> > the AVP.
>
> I would say it is a TLS problem. Though I am not sure what exactly.
>
> Best regards,
> Heikki
>
> > Snippet of issue is as follows:
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling request with Handler '', Identifier ''
> > Mon Apr 11 04:34:01 2011: DEBUG: Deleting session for DVM-AMARNE-DC\anonymous, 192.168.10.3, 0
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling with Radius::AuthFILE:
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling with EAP: code 2, 7, 139, 21
> > Mon Apr 11 04:34:01 2011: DEBUG: Response type 21
> > Mon Apr 11 04:34:01 2011: DEBUG: EAP TTLS data, 3, 7, 6
> > Mon Apr 11 04:34:01 2011: DEBUG: EAP result: 1, EAP TTLS read failed: 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > Mon Apr 11 04:34:01 2011: DEBUG: AuthBy FILE result: REJECT, EAP TTLS read failed: 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > Mon Apr 11 04:34:01 2011: INFO: Access rejected for DVM-AMARNE-DC\anonymous: EAP TTLS read failed: 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > Mon Apr 11 04:34:01 2011: DEBUG: Packet dump:
> > *** Sending to 192.168.10.3 port 65529 ....
> > Code: Access-Reject
> > Identifier: 6
> > Authentic: <179>~<25><150><242><188><191><189>_<127><180><130>O<26><21><209>
> > Attributes:
> > EAP-Message = <4><7><0><4>
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Reply-Message = "Request Denied"
> >
> > Thanx
> >
> > Aman Arneja
> >
> > _______________________________________________
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
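The challenge bytes Heikki quotes and the AVP trailer padding that the resolution above refers to, as an added Python example (not Radiator's code and not Aman's TTLS implementation): it transcribes the logged EAP-MSCHAPv2 challenge into raw bytes, parses it, and wraps it in a TTLS AVP whose trailer is padded to a 4-byte boundary as RFC 5281 requires. The AVP code 79 and the M flag value come from RFC 5281; the byte transcription is constructed from the log in the thread.

```python
import struct

# EAP-MSCHAPv2 Challenge as logged by Radiator in the thread above, transcribed
# from the "<N>"/printable notation into raw bytes (constructed from the log).
LOGGED_CHALLENGE = (
    bytes([1, 7, 0, 0x29])            # EAP: Code=Request, Id=7, Length=41
    + bytes([26])                     # Type 26 = EAP-MSCHAPv2
    + bytes([1, 7, 0, 0x24])          # OpCode=Challenge, MS-CHAPv2-ID=7, MS-Length=36
    + bytes([16])                     # Value-Size
    + bytes([23, 206, ord("c"), 129, 234, 225, ord("n"), 214, 201, 243,
             ord("f"), 208, 248, 184, 20, 219])   # 16-byte challenge
    + b"RadiatorServer1"              # Name
)

EAP_MESSAGE_AVP_CODE = 79   # RFC 5281: EAP-Message is AVP code 79 inside the TTLS tunnel
AVP_FLAG_MANDATORY = 0x40   # 'M' bit in the AVP flags octet

def parse_eap_mschapv2_challenge(pkt: bytes) -> dict:
    """Parse and sanity-check an EAP-Request/EAP-MSCHAPv2 Challenge packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed EAP Request")
    if pkt[4] != 26:
        raise ValueError("not EAP-MSCHAPv2")
    opcode, ms_id, ms_len = struct.unpack("!BBH", pkt[5:9])
    if opcode != 1 or ms_len != length - 5:   # MS-Length excludes the 5-byte EAP header+type
        raise ValueError("bad MS-CHAPv2 header")
    value_size = pkt[9]
    challenge = pkt[10:10 + value_size]
    name = pkt[10 + value_size:].decode("ascii")
    return {"id": ident, "ms_id": ms_id, "challenge": challenge, "name": name}

def ttls_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """Encode a Diameter-style AVP for the TTLS tunnel (RFC 5281 section 10.1).
    AVP Length covers header+data only; the trailer pads to a 4-byte boundary."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    pad = (-length) % 4
    return header + data + b"\x00" * pad

def parse_avps(buf: bytes) -> list:
    """Walk a sequence of AVPs, skipping the padding trailer after each one."""
    avps, off = [], 0
    while off < len(buf):
        (code,) = struct.unpack("!I", buf[off:off + 4])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        avps.append((code, buf[off + 8:off + length]))
        off += length + (-length) % 4   # a receiver that forgets the pad desyncs here
    return avps
```

The 41-byte challenge gives a 49-byte AVP, so three trailer bytes are needed before the next AVP may start; a sender or receiver that omits them leaves the following AVP header misaligned.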