Re: [RADIATOR] eap + apple products - failed auth
On 03/07/2012 07:19 PM, Amândio Antunes Gomes Silva wrote:
> I followed Heikki's instructions, but with no success. I made some
> further investigation and realized that the Access-Accept received by
> Radiator from the IAS server isn't forwarded to the client.

I rechecked the log you had previously sent to the list, one question about the log: did you cut it short or was the last Access-Challenge (id 204) really missing Message-Authenticator attribute?

Are you using the latest Radiator?

Thanks!
Heikki

> I 'sniffed'
> the Ethernet traffic using tcpdump in the radiator server, and the
> Access-Accept packet isn't sent to the client. I sniffed a PEAP-MSCHAPV2
> (which works) and a TTLS/MSCHAPV2 and compared the packets. In the
> TTLS/MSCHAPV2, the process ends with a Challenge issued by Radiator, and
> sent to the NAS, but it seemed that the NAS doesn't send it back to the
> client. I then investigated further and discovered that the AP tries to
> send packets to the client, but it reports an error (see below). After
> this, I suppose that it's a problem related to the Mac OS Supplicant.
> Any hint on how to solve this?
>
> Best regards,
>
> Amândio
>
> Additional Info:
>
> TCPDUMP (between NAS and radiator radius server):
>
> reading from file MacOS-TTLS-MSCHAPV2-7.pcap, link-type EN10MB (Ethernet)
> 16:47:16.536506 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2b length: 217
> 16:47:16.560307 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2b length: 46
> 16:47:16.570428 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2c length: 356
> 16:47:16.628723 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2c length: 1082
> 16:47:16.710643 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2d length: 198
> 16:47:16.738682 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2d length: 1078
> 16:47:16.895393 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2e length: 198
> 16:47:16.931681 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2e length: 1078
> 16:47:17.027529 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2f length: 198
> 16:47:17.053752 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2f length: 1078
> 16:47:17.208341 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x30 length: 198
> 16:47:17.230283 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x30 length: 659
> 16:47:17.243674 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x31 length: 530
> 16:47:17.309004 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x31 length: 109
> 16:47:17.552920 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x32 length: 351
> 16:47:17.637727 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x32 length: 263
> 16:47:19.932943 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x33 length: 217
> 16:47:19.956708 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x33 length: 46
> 16:47:19.963244 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x34 length: 388
> 16:47:19.991490 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x34 length: 1082
> 16:47:20.022300 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x35 length: 198
> 16:47:20.052285 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x35 length: 1078
> 16:47:20.181138 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x36 length: 198
> 16:47:20.216984 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x36 length: 1078
> 16:47:20.339282 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x37 length: 198
> 16:47:20.360917 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x37 length: 1078
> 16:47:20.372684 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x38 length: 198
> 16:47:20.403901 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x38 length: 659
>
> MacOS syslog (via console):
>
> Mar 7 16:47:16 macbookproscom eapolclient[4092]: en1 START
>
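The question in the reply above turns on the Message-Authenticator attribute: RFC 3579 requires it on every RADIUS packet that carries an EAP-Message, and says a NAS should silently discard an EAP reply that lacks it. The Python below is an added example, not part of the thread and not Radiator code; it classifies a reply the way such a NAS would, and the shared secret, Request Authenticator and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR, ACCESS_CHALLENGE = 79, 80, 11

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute of a RADIUS packet."""
    end = struct.unpack("!H", packet[2:4])[0]
    pos = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
    while pos + 2 <= end:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len

def check_reply(reply, request_auth, secret):
    """Return 'ok', 'missing', 'bad' or 'not-eap' for a reply to one request."""
    attrs = list(attributes(reply))
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        # EAP-Message without Message-Authenticator: the discard case.
        return "missing" if any(t == EAP_MESSAGE for t, _, _ in attrs) else "not-eap"
    offset, received = found[0]
    if len(received) != 16:
        return "bad"
    # HMAC-MD5 is taken over the reply with the Request Authenticator in the
    # header and the Message-Authenticator value zeroed (RFC 3579, 3.2).
    buf = bytearray(reply[:struct.unpack("!H", reply[2:4])[0]])
    buf[4:20] = request_auth
    buf[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, received) else "bad"

def build_challenge(ident, request_auth, secret, eap, signed=True):
    """Construct a sample Access-Challenge (test data, not captured traffic)."""
    attrs = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    if signed:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    if signed:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

SECRET = b"constructed-secret"       # assumed shared secret, not from the thread
REQ_AUTH = bytes(range(16))          # constructed Request Authenticator
EAP = bytes([1, 1, 0, 6, 21, 0])     # constructed EAP-Request, type 21 (TTLS)
```

To run `check_reply` against real traffic, pass it the raw RADIUS payload of the reply together with the 16-byte authenticator of the Access-Request that has the same identifier.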
Re: [RADIATOR] eap + apple products - failed auth
Hi, Heikki!
Hi, list!

I followed Heikki's instructions, but with no success. I made some further investigation and realized that the Access-Accept received by Radiator from the IAS server isn't forwarded to the client. I 'sniffed' the Ethernet traffic using tcpdump in the radiator server, and the Access-Accept packet isn't sent to the client. I sniffed a PEAP-MSCHAPV2 (which works) and a TTLS/MSCHAPV2 and compared the packets. In the TTLS/MSCHAPV2, the process ends with a Challenge issued by Radiator, and sent to the NAS, but it seemed that the NAS doesn't send it back to the client. I then investigated further and discovered that the AP tries to send packets to the client, but it reports an error (see below). After this, I suppose that it's a problem related to the Mac OS Supplicant. Any hint on how to solve this?

Best regards,
Amândio

Additional Info:

TCPDUMP (between NAS and radiator radius server):

reading from file MacOS-TTLS-MSCHAPV2-7.pcap, link-type EN10MB (Ethernet)
16:47:16.536506 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2b length: 217
16:47:16.560307 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2b length: 46
16:47:16.570428 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2c length: 356
16:47:16.628723 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2c length: 1082
16:47:16.710643 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2d length: 198
16:47:16.738682 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2d length: 1078
16:47:16.895393 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2e length: 198
16:47:16.931681 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2e length: 1078
16:47:17.027529 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x2f length: 198
16:47:17.053752 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x2f length: 1078
16:47:17.208341 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x30 length: 198
16:47:17.230283 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x30 length: 659
16:47:17.243674 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x31 length: 530
16:47:17.309004 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x31 length: 109
16:47:17.552920 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x32 length: 351
16:47:17.637727 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x32 length: 263
16:47:19.932943 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x33 length: 217
16:47:19.956708 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x33 length: 46
16:47:19.963244 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x34 length: 388
16:47:19.991490 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x34 length: 1082
16:47:20.022300 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x35 length: 198
16:47:20.052285 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x35 length: 1078
16:47:20.181138 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x36 length: 198
16:47:20.216984 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x36 length: 1078
16:47:20.339282 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x37 length: 198
16:47:20.360917 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x37 length: 1078
16:47:20.372684 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x38 length: 198
16:47:20.403901 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x38 length: 659

MacOS syslog (via console):

Mar 7 16:47:16 macbookproscom eapolclient[4092]: en1 START
Mar 7 16:47:17 macbookproscom eapolclient[4092]: TTLS: authentication failed with status 1

Access Point:

Mar 7 16:47:20 apb-scom-0b-glt 45: Mar 7 16:47:19.444 WET: %DOT11-4-MAXRETRIES: Packet to client f0b4.7916.ce7b reached max retries, removing the client

Note: The IP address of apb-scom-0b-glt is 172.16.45.66.

TIA,
Best regards,
Amândio Antunes Gomes da Silva
---
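The packet comparison described in the message above (each exchange ends on an Access-Challenge, never an Access-Accept or Access-Reject) can be automated over tcpdump's one-line RADIUS summaries. This Python is an added example, not part of the thread; the six sample lines are taken from the capture above, and the 1-second restart gap is an assumed heuristic, since the summary lines do not show the State attribute that really ties an exchange together.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): RADIUS, "
                  r"(Access[ -]\w+) \((\d+)\), id: (0x[0-9a-f]+) length: (\d+)")
OUTCOME = {1: "request unanswered", 2: "accept", 3: "reject",
           11: "stalled on challenge"}

def conversations(lines, max_gap=1.0):
    """Split tcpdump RADIUS summary lines into exchanges and label each one.

    The outcome is named after the last packet seen in the exchange. A new
    exchange starts after an accept/reject, or when an Access-Request arrives
    more than max_gap seconds after the previous packet (assumed heuristic
    for the supplicant starting over).
    """
    result, current, last_time = [], None, None
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a RADIUS summary line
        when = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        code, ident = int(m.group(5)), int(m.group(6), 16)
        gap = (when - last_time).total_seconds() if last_time else 0.0
        finished = current is not None and current["outcome"] in ("accept", "reject")
        if current is None or finished or (code == 1 and gap > max_gap):
            current = {"first_id": ident, "packets": 0}
            result.append(current)
        current.update(last_id=ident, outcome=OUTCOME.get(code, "other"))
        current["packets"] += 1
        last_time = when
    return result

# Six lines copied from the capture in the message above.
SAMPLE = """\
16:47:17.552920 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x32 length: 351
16:47:17.637727 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x32 length: 263
16:47:19.932943 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x33 length: 217
16:47:19.956708 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x33 length: 46
16:47:20.372684 IP 172.16.45.66.datametrics > radius-server.radius: RADIUS, Access Request (1), id: 0x38 length: 198
16:47:20.403901 IP radius-server.radius > 172.16.45.66.datametrics: RADIUS, Access Challenge (11), id: 0x38 length: 659
""".splitlines()
```

On these lines `conversations(SAMPLE)` returns two exchanges, both labelled "stalled on challenge", with the second one starting at id 0x33 after a gap of about 2.3 seconds.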