On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:
> Hello,
> I've been busy, that's why I didn't respond so promptly.
>
> Just a thing that might be crucial to this problem: the RADIUS to which we do
> proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Internet
> Authentication Service").

Ok, I think I have found something. It seems to be a Mac thing, not an IAS
or NPS problem.

Try adding the following in your AuthBy RADIUS that proxies to IAS:

StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key

Looks like Mac does not like it if these attributes are passed to it via
TTLS inner authentication. The MPPE attributes are clearly not needed,
since Radiator will calculate the correct attributes for the final
Access-Accept.

Try stripping those three attributes from the reply received from the MS
server. Please tell us how it goes.

Thanks!
Heikki

> Thx,
>
> Amândio
>
> -----Original Message-----
> From: Heikki Vatiainen [mailto:h...@open.com.au]
> Sent: Friday, 16 March 2012 12:54
> To: Amândio Antunes Gomes Silva
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] eap + apple products - failed auth
>
> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
>
>> In fact, the Message-Authenticator attribute was in the last packet
>
> Ok thanks. Returning back to the list with this. There is information
> about debugging EAP on Macs below, so this might be useful for later
> reference too.
>
> I did testing with Lion (10.7). The test setup was to terminate TTLS on
> one Radiator and proxy the inner MS-CHAP-V2 to another Radiator for
> authentication.
>
> First setup returned no extra attributes from the authenticating Radiator:
>
> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
> dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic:
> <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
> Attributes:
> MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
>
>
> Next try returned a number of different attributes, just like your setup
> does:
>
> Attributes:
> MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
> Framed-IP-Address = 255.255.255.255
> Class = "funcionarios"
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 0:247
> Tunnel-Type = 0:VLAN
> MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
> MS-MPPE-Send-Key =
> <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
> MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
> MS-CHAP-Domain = "<231>UMINHO"
> MS-MPPE-Encryption-Policy = Encryption-Required
> MS-MPPE-Encryption-Types = 14
>
>
> In both cases 10.7 had no problems with authentication.
>
> You could try turning debugging on with Mac. Here are some notes Google
> found for 10.6. I did not test these since I did not have 10.6.
>
> http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X
>
>
> For 10.7 I turned eapolclient debugging on like this:
>
> Note: defaults command overwrites
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient
>
> sudo defaults write
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
> -int 255
>
> Then watch /var/log/system.log
>
> You should see: "eapolclient[nnnn]: opened log file
> '/var/log/eapolclient.en1.log'" where nnnn is eapolclient's process id
> and en1 is the interface name.
>
> The log file will show how EAPOL works. It will not show details about
> e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
> and sent and what their contents are.
>
> Thanks!
> Heikki
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.

--
Heikki Vatiainen <h...@open.com.au>

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
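As an added illustration of where the StripFromReply fix from the message above goes (example configuration, not text from the list or from Radiator's own documentation, laid out after the pattern of Radiator's sample eap_ttls.cfg): the outer Handler terminates EAP-TTLS on this Radiator, and the TunnelledByTTLS Handler proxies the inner MS-CHAP-V2 to IAS. The IAS address 192.0.2.10, the shared secret, the certificate paths and the users file are placeholders.

```apacheconf
# Outer Handler: terminates EAP-TTLS. Radiator derives the MS-MPPE-Send-Key
# and MS-MPPE-Recv-Key for the final Access-Accept from the TLS session here,
# so the copies returned by IAS inside the tunnel are not needed.
<Handler>
	<AuthBy FILE>
		# Placeholder users file for the outer (anonymous) identity
		Filename %D/users
		EAPType TTLS
		# Placeholder certificate paths: replace with your own
		EAPTLS_CAFile %D/certificates/cacert.pem
		EAPTLS_CertificateFile %D/certificates/server-cert.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
		EAPTLS_PrivateKeyPassword CHANGEME
	</AuthBy>
</Handler>

# Inner Handler: only requests unpacked from the TTLS tunnel match here.
# The inner MS-CHAP-V2 is proxied to Microsoft IAS for authentication.
<Handler TunnelledByTTLS=1>
	<AuthBy RADIUS>
		# Placeholder IAS address and shared secret
		Host 192.0.2.10
		Secret CHANGEME
		AuthPort 1812
		AcctPort 1813
		# The fix discussed above: drop the attributes the Mac TTLS client
		# rejects when they arrive via the inner authentication. The MPPE
		# keys are recalculated by the outer Handler anyway.
		StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key
	</AuthBy>
</Handler>
```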