RE: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Hi, I would appreciate any insight into the 802.1x authentication using TTLS with MSCHAPv2. Such auth scheme is constantly failing in my wireless setup with FreeRadius. I tried 3 versions v1.0.5, v1.1.2 and v1.1.3 with not much luck. The following authentication schemes worked fine: 1. TTLS w/ MSCHAP from my wireless client to freeradius v1.0.5, v1.1.2, v1.1.3 2. PEAP w/ MSCHAPv2 with same wireless client to same freeradius versions. 3. TTLS w/ MSCHAPv2 from the same wireless setup to an SBR v5.3 The freeradius debug does indicate successful auth and both MPPE keys sent to the client. modcall[authenticate]: module "mschap" returns ok for request 17 modcall: leaving group MS-CHAP (returns ok) for request 17 TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 17 modcall: leaving group authenticate (returns ok) for request 17 Sending Access-Accept of id 21 to 172.16.10.254 port 32777 MS-MPPE-Recv-Key = 0x6a72b3417ed819d9e4d3e5fa8867d1d8211c41941fe2035d33f24b906b3b4406 MS-MPPE-Send-Key = 0x29098f385530c131460af68bc229719d9b5b1dea1e70a783f89acac8ea17aa17 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "Moussa" Finished request 17 However, the client debug shows wpa msg 1 was dropped as follows: 22:53:12.156 ++ EAPOL message received 22:53:12.156 Message dequeued 22:53:12.156 [DTL] Received EAPOL packet 00000000: 01 03 00 5F FE 00 89 00 20 00 00 00 00 00 00 00 ..._.... ....... 00000010: 01 1F 74 D9 48 45 D8 28 4E 3C E4 B3 0B D4 59 3D ..t.HE.(N<....Y= 00000020: 04 C0 20 9B 00 3A 81 5D EE 4D 90 F1 96 63 98 7B .. ..:.].M...c.{ 00000030: E5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060: 00 00 00 ... 22:53:12.156 [NRM] Processing EAPOL-Key message 22:53:12.156 [DTL] Received replay counter is 0000000000000001 22:53:12.156 [DTL] EAPOL-Key message version = 1 22:53:12.156 [NRM] Processing EAPOL-Key 4-way handshake message 1 22:53:12.156 [NRM] Setting master session key(s) 22:53:12.156 [ERR] Cannot set master key: authentication not complete or method does not support session keys 22:53:12.156 [ERR] EAPOL-Key pairwise key message 1 discarded: no PMK If I made a freeradius configuration mistake, TTLS with mschap wouldn't work. Any help is very much appreciated. Mak
"Mak Moussa" <mmoussa@mmoussa.com> wrote:
I would appreciate any insight into the 802.1x authentication using TTLS with MSCHAPv2. Such auth scheme is constantly failing in my wireless setup with FreeRadius. I tried 3 versions v1.0.5, v1.1.2 and v1.1.3 with not much luck.
OK...
The following authentication schemes worked fine: 1. TTLS w/ MSCHAP from my wireless client to freeradius v1.0.5, v1.1.2, v1.1.3 2. PEAP w/ MSCHAPv2 with same wireless client to same freeradius versions. 3. TTLS w/ MSCHAPv2 from the same wireless setup to an SBR v5.3
OK.
If I made a freeradius configuration mistake, TTLS with mschap wouldn't work.
Hmm... it may be that the MSCHAPv2 support in the TTLS code needs work. I haven't looked at it recently, but I do recall some work-arounds.. Which client are you using? It looks like Windows, but Windows doesn't support TTLS natively, so you're obviously doing something special. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Dear Alan, Thank you for the quick reply. Indeed, on WinXP I was using the Funk Odyssey client as it offered a good debug log. However, I tested using different supplicants like IntelPROSet on WinXP and the OSX 10.4 built-in supplicant with consistent results. I even tried a LinkSys WAP54G Fat AP firmware v3.04, as well as the Aruba switch with its thin AP with no difference in the results. I would certainly appreciate any tips on the possible workarounds you mentioned. Thx Mak -----Original Message----- From: freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org [mailto:freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 05, 2006 8:05 AM To: FreeRadius users mailing list Subject: Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ? "Mak Moussa" <mmoussa@mmoussa.com> wrote:
I would appreciate any insight into the 802.1x authentication using TTLS with MSCHAPv2. Such auth scheme is constantly failing in my wireless setup with FreeRadius. I tried 3 versions v1.0.5, v1.1.2 and v1.1.3 with not much luck.
OK...
The following authentication schemes worked fine: 1. TTLS w/ MSCHAP from my wireless client to freeradius v1.0.5, v1.1.2, v1.1.3 2. PEAP w/ MSCHAPv2 with same wireless client to same freeradius versions. 3. TTLS w/ MSCHAPv2 from the same wireless setup to an SBR v5.3
OK.
If I made a freeradius configuration mistake, TTLS with mschap wouldn't work.
Hmm... it may be that the MSCHAPv2 support in the TTLS code needs work. I haven't looked at it recently, but I do recall some work-arounds.. Which client are you using? It looks like Windows, but Windows doesn't support TTLS natively, so you're obviously doing something special. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I have a server running GNU-Radius 1.3, and was preparing to migrate it to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being developed. My doubt is, should I go ahead and install 1.1.3, or wait and go straight for 2.0? The GNU-Radius machine is not giving me troubles for now, and there are no heavy time constraints to make the switch. Should I wait or go now for 1.1.3, updating later to 2.0? Thank you, Roberto -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
Roberto Greiner <mrgreiner@gmail.com> wrote:
I have a server running GNU-Radius 1.3, and was preparing to migrate it to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being developed. My doubt is, should I go ahead and install 1.1.3, or wait and go straight for 2.0? The GNU-Radius machine is not giving me troubles for now, and there are no heavy time constraints to make the switch. Should I wait or go now for 1.1.3, updating later to 2.0?
I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----Original Message----- I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too. I think question he was trying to get across, is 2.0 going to be significantly different from 1.1.3 from a config standpoint.
King, Michael wrote:
-----Original Message----- I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too.
I think question he was trying to get across, is 2.0 going to be significantly different from 1.1.3 from a config standpoint.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Actually it's both: to know if the new version was expect to be ready soon and if the general structure would be too different, but since it's still months before 2.0 is ready, I will go for 1.1.3. :-) Thank you for the feedback, Roberto -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
Alan DeKok wrote:
Roberto Greiner <mrgreiner@gmail.com> wrote:
I have a server running GNU-Radius 1.3, and was preparing to migrate it to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being developed. My doubt is, should I go ahead and install 1.1.3, or wait and go straight for 2.0? The GNU-Radius machine is not giving me troubles for now, and there are no heavy time constraints to make the switch. Should I wait or go now for 1.1.3, updating later to 2.0?
I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too.
Alan DeKok.
Ok. Thx Roberto -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
"Mak Moussa" <mmoussa@mmoussa.com> wrote:
Thank you for the quick reply. Indeed, on WinXP I was using the Funk Odyssey client as it offered a good debug log.
Ok...
However, I tested using different supplicants like IntelPROSet on WinXP and the OSX 10.4 built-in supplicant with consistent results.
i.e. it doesn't work, either? It looks like it may be an issue with FreeRADIUS. See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c, function process_reply(). Poke that code, and see if it helps... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Wanted to confirm that ttls w/mschapv2 didn't work in any of the test scenarios outlined earlier. Thanks.. I will look closely into that function in ttls.c Would you still say that it is the ttls.c code, even though ttls w/mschap worked fine? I am looking for a differentiator in the code between mschap and mschapv2, as the client didn't seem to accept the mppe keys iin the case of mschapv2 and claimed it had no PMK. Thx Mak -----Original Message----- From: freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org [mailto:freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 05, 2006 3:06 PM To: FreeRadius users mailing list Subject: Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ? "Mak Moussa" <mmoussa@mmoussa.com> wrote:
Thank you for the quick reply. Indeed, on WinXP I was using the Funk Odyssey client as it offered a good debug log.
Ok...
However, I tested using different supplicants like IntelPROSet on WinXP and the OSX 10.4 built-in supplicant with consistent results.
i.e. it doesn't work, either? It looks like it may be an issue with FreeRADIUS. See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c, function process_reply(). Poke that code, and see if it helps... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Mak Moussa" <mmoussa@mmoussa.com> wrote:
Would you still say that it is the ttls.c code, even though ttls w/mschap worked fine?
Yes.
I am looking for a differentiator in the code between mschap and mschapv2,
Like the code I pointed you to? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, Thank you for the pointers to the source code. My colleague Colus Tang was quick to dive into the code and had to patch 2 files: ttls.c and rlm_eap_ttls.c to change the behavior from eap_mschap to eap_mschapv2. He tested the patch successfully using v1.1.3 on Linux and both TTLS-mschap and TTLS-mschav2 authentications worked fine. I tested the patch using v1.1.2 on Freebsd 5.3 and got the same successful authentications. Please review the attached patch for any additional improvements as needed. I am attaching two console outputs of 'radiusd -X' before and after the patch to show the behavior differences. Many thanks for the help. Mak -----Original Message----- From: freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org [mailto:freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, October 06, 2006 6:18 AM To: FreeRadius users mailing list Subject: Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ? "Mak Moussa" <mmoussa@mmoussa.com> wrote:
Would you still say that it is the ttls.c code, even though ttls w/mschap worked fine?
Yes.
I am looking for a differentiator in the code between mschap and mschapv2,
Like the code I pointed you to? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, urgh. please never attached things using outlook/outlook express. the rest of the world doesnt tak winmail.dat files. I've fentun'd the result and reattached for you. alan
"Mak Moussa" <mmoussa@mmoussa.com> wrote:
He tested the patch successfully using v1.1.3 on Linux and both TTLS-mschap and TTLS-mschav2 authentications worked fine. I tested the patch using v1.1.2 on Freebsd 5.3 and got the same successful authentications.
Great.
Please review the attached patch for any additional improvements as needed.
Hmm...
Content-Disposition: attachment; filename="winmail.dat"
Could you attach the files in a *standard* format (i.e. non-Outlook), or put them on a web page? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks to Alan Buxey for reattaching the files in a tgz file. Resending again. Mak -----Original Message----- From: freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org [mailto:freeradius-users-bounces+mmoussa=mmoussa.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 12, 2006 5:44 AM To: FreeRadius users mailing list Subject: Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ? "Mak Moussa" <mmoussa@mmoussa.com> wrote:
He tested the patch successfully using v1.1.3 on Linux and both TTLS-mschap and TTLS-mschav2 authentications worked fine. I tested the patch using v1.1.2 on Freebsd 5.3 and got the same successful authentications.
Great.
Please review the attached patch for any additional improvements as needed.
Hmm...
Content-Disposition: attachment; filename="winmail.dat"
Could you attach the files in a *standard* format (i.e. non-Outlook), or put them on a web page? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am having problems rewriting the IP Netmask attribure. I am using mysql for my user authorization. the IP address seems to get set right, but the Netmask does not. I have specified it specifically and even changed the default, but could not get this to work. Its a PPP framed connection. What should I look at ? Thank you for suggestions. Apu ------------------------------ Apu Islam ( E Pluribus Unum)
Apu islam wrote:
I am having problems rewriting the IP Netmask attribure. I am using mysql for my user authorization. the IP address seems to get set right, but the Netmask does not. I have specified it specifically and even changed the default, but could not get this to work. Its a PPP framed connection. What should I look at ? Thank you for suggestions.
Apu
Hi Apu, Run the server in debugging mode (radiusd -X) and watch the access-accept packet go from freeradius to your NAS. If the subnet mask is correct there, there's a config. problem/bug with your NAS. If it's not correct there, then there's something you've missed in your freeradius config. Is there any chance the subnet mask is specified on your NAS and it's overriding what you send it? Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Apu islam -
James Wakefield -
King, Michael -
Mak Moussa -
Roberto Greiner