Proxying EAP-TTLS requests via 2.1.0 to 1.1.7

Peter Eriksson peter at ifm.liu.se
Fri Sep 26 15:06:00 CEST 2008


>> FreeRadius 2.1.0 directly to the Access Point (with a response received
>> via Proxying to the same 1.1.7 server):
> ...
>> Sending Access-Accept of id 6 to 192.168.160.158 port 1036
>>         Vendor-Specific = 0x0000013711348565439b6986f71bfa7425319eac8dd791f24936bc66a8cdd928a91c9c4343958ef0402124dd4f552726302e356b878e6474
>>         Vendor-Specific = 0x0000013710348b855687f3a4ef1194289232229fe0be952c98689fb606c1e9d6ceae6a388baee98eeb292be2d41ae58efa7f67737dec758c
>>         EAP-Message = 0x03060004
>>         Message-Authenticator = 0x00000000000000000000000000000000
>>         User-Name = "testson"
>> Finished request 6.
>>
>> (I assume that 'Vendor-Specific' stuff is the MS-MPPE-Recv-Key stuff
>> that the 1.1.7 talks about).
> 
>   Yes.  But it's *not* being printed as MS-MPPE-Recv-Key, which means
> you've broken the dictionaries somehow.

Hmm.. Strange. Since I haven't touched the dictionaries at all.

I've been investigating this issue a bit more and it gets really strange.

The Access Points in question are D-Link DWL-8200AP and D-Link DWL-3200AP
(most of the tests being done with the 8200AP).

I simplified the setup a bit (added a local user "test" with
Cleartext-Password "test" to both the RADIUS servers and stopped trying
to proxy requests) and tested some more (including packet
logs). Here's the tcpdump output from the last packet of the RADIUS
negotiation between the AP and the RADIUS servers:

'users' file part relevant to this from both servers:

test            Cleartext-Password := "test"
        Reply-Message = "Welcome, Test user"



------------------ FreeRADIUS 1.1.7 (works!) ---------------------------

'radiusd -X' output:

Sending Access-Accept of id 6 to 192.168.160.158 port 1036
        Reply-Message = "Welcome, Test user"
        MS-MPPE-Recv-Key = 0x9eecf7bdc47ee54fda52c99bc019fcf5bcf0f752e8b2d876a86c2cba7e979241
        MS-MPPE-Send-Key = 0x402f46f3c3532e96c10a4842d351ed4650e9a490d2d69ff81c4aff290cf6d29d
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "test"

'tcpdump -vvv' output:

14:50:38.860866 IP (tos 0x0, ttl 255, id 34273, offset 0, flags [DF], proto UDP (17), length 214) radius-2.mgmt.1812 > ap13434.mgmt.1036: [udp sum ok] RADIUS, length: 186
        Access Accept (2), id: 0x06, Authenticator: f2ad4202d4ae49131e3e8609d74b0f3e
          Reply Attribute (18), length: 20, Value: Welcome, Test user
            0x0000:  5765 6c63 6f6d 652c 2054 6573 7420 7573
            0x0010:  6572
          Vendor Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 17, Length: 50, Value: ../..I.gL.b.. ....Q..Z....[./"c..c..8....ZE./(36.
            0x0000:  0000 0137 1134 86fb 2f99 0849 a867 4cbf
            0x0010:  62fc 0820 fd9c 09b6 512e bd5a 06d6 1e13
            0x0020:  5bc3 2f22 7f63 be98 63d0 e838 01ed 05b8
            0x0030:  5a45 f62f 2833 36b2
          Vendor Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 16, Length: 50, Value: ...ct.i...s........)....~qY..2....@....6..C..ukw
            0x0000:  0000 0137 1034 8a9e 9763 7411 69d5 ed9b
            0x0010:  7315 7f0e a816 f916 ee2e 290a b8eb 1f7e
            0x0020:  7159 949b 327f e99d d8a9 40e5 d6e3 0436
            0x0030:  ad04 43bc b075 6b77
          EAP Message Attribute (79), length: 6, Value: ..
            0x0000:  0306 0004
          Message Authentication Attribute (80), length: 18, Value: ?.5..2../..E.l..
            0x0000:  3fea 35dc ea32 cdce 2fbb 1b45 a06c f391
          Username Attribute (1), length: 6, Value: test
            0x0000:  7465 7374



---------------- FreeRADIUS 2.1.1 (does not work) ----------------------

'radiusd -X' output:

Sending Access-Accept of id 5 to 192.168.160.158 port 1038
        MS-MPPE-Recv-Key = 0x2ddccad014a85d9efb3cfaf3a9a1e384ec4db611ba1330cce565ada55a295b2c
        MS-MPPE-Send-Key = 0x7fe1889799b75faae8e9dca9378586fc3e576020d04744f46a79a39e9997d977
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "test"


'tcpdump -vvv' output:

14:55:53.580876 IP (tos 0x0, ttl 255, id 55088, offset 0, flags [DF], proto UDP (17), length 196) radius-1.mgmt.1812 > ap13434.mgmt.1038: [udp sum ok] RADIUS, length: 168
        Access Accept (2), id: 0x05, Authenticator: 0c7b40f4cc86a27f63c0e3c71e73aae0
          Vendor Specific Attribute (26), length: 59, Value: Vendor: Microsoft (311)
            Vendor Attribute: 17, Length: 51, Value: ..5.{._....U....(..#w?9...I.T..jn.N...........i...
            0x0000:  0000 0137 1135 0093 35f4 7be2 5fdc d7cd
            0x0010:  da55 fa18 dcb5 28da ca23 773f 39a6 9ad1
            0x0020:  49c4 54f6 9c6a 6e98 4eb7 1a1f 0a01 a304
            0x0030:  2e7f da00 d869 0cc0 f2
          Vendor Specific Attribute (26), length: 59, Value: Vendor: Microsoft (311)
            Vendor Attribute: 16, Length: 51, Value: ..."D...1.RX...dt..F..x4..&}...<F...I..j..L..%O!..'
            0x0000:  0000 0137 1035 009d be22 4487 0b90 31ab
            0x0010:  5258 cc13 aa64 748a 1946 ccc7 7834 e2f3
            0x0020:  267d a309 e43c 46b3 a1f0 49e0 c06a a0bb
            0x0030:  4cde 0c25 4f21 e0c4 27
          EAP Message Attribute (79), length: 6, Value: ..
            0x0000:  0305 0004
          Message Authentication Attribute (80), length: 18, Value: .Y..........#~k.
            0x0000:  1b59 e3fd 01bd 9dfe e8f8 b1b9 237e 6b86
          Username Attribute (1), length: 6, Value: test
            0x0000:  7465 7374


Dunno if it's relevant, but I notice the 51 vs 50 'Length' value
difference in the 'Vendor Attribute'. An off-by-one error
somewhere?

- Peter
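
Added example (not part of the original post): a Python check of the
MS-MPPE key attribute layout from RFC 2548 (a two-octet Salt whose leftmost
bit is set, followed by an encrypted String padded to a multiple of 16
octets), run on the two Vendor Attribute 17 hex dumps from the captures
above. The names check_mppe_vsa, VSA_117 and VSA_211 are assumptions made
for this illustration.

```python
import struct

MICROSOFT = 311
KEY_TYPES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

# Attribute 26 values (from the Vendor-Id onward) for Vendor Attribute 17,
# copied from the two 'tcpdump -vvv' hex dumps in the post above.
VSA_117 = bytes.fromhex(
    "0000 0137 1134 86fb 2f99 0849 a867 4cbf 62fc 0820 fd9c 09b6 512e bd5a"
    "06d6 1e13 5bc3 2f22 7f63 be98 63d0 e838 01ed 05b8 5a45 f62f 2833 36b2")
VSA_211 = bytes.fromhex(
    "0000 0137 1135 0093 35f4 7be2 5fdc d7cd da55 fa18 dcb5 28da ca23 773f"
    "39a6 9ad1 49c4 54f6 9c6a 6e98 4eb7 1a1f 0a01 a304 2e7f da00 d869 0cc0 f2")


def check_mppe_vsa(value: bytes) -> dict:
    """Check one Vendor-Specific value against the RFC 2548 key layout."""
    if len(value) < 8:
        raise ValueError("too short for Vendor-Id, type, length and Salt")
    vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
    if vendor_id != MICROSOFT or vtype not in KEY_TYPES:
        raise ValueError("not an MS-MPPE key attribute")
    if vlen != len(value) - 4:
        raise ValueError("Vendor-Length disagrees with the attribute size")
    salt, enc = value[6:8], value[8:]
    problems = []
    if not salt[0] & 0x80:           # RFC 2548: Salt's leftmost bit MUST be 1
        problems.append("salt-msb-clear")
    if len(enc) % 16:                # String is padded to a multiple of 16
        problems.append("string-not-multiple-of-16")
    return {
        "name": KEY_TYPES[vtype],
        "tcpdump_length": vlen - 2,  # what tcpdump prints as 'Length:'
        "salt": salt.hex(),
        "string_len": len(enc),
        "problems": problems,
    }


if __name__ == "__main__":
    for label, vsa in (("1.1.7", VSA_117), ("2.1.1", VSA_211)):
        print(label, check_mppe_vsa(vsa))
```

The 1.1.7 value passes both checks (Salt 86fb, 48-octet String); the 2.1.1
value fails both (Salt 0093, 49-octet String), which lines up with the
51 vs 50 'Length' difference noted in the post.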




