eapol_test from wpa_supplicat-2.4 fails with MPPE keys mismatch for TTLS:CHAP/MSCHAP/MSCHAPv2
Hello, I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2) against freeradius-2.2.8 and the following cases are failing with " [ttls] Tunneled challenge is incorrect": EAP-TTLS/CHAP EAP-TTLS/MSCHAP EAP-TTLS/MSCHAPv2 Interestingly the same tests with eapol_test from wpa_supplicat-2.4 (that is using TLS-1.0) are fine. I would be surprised if I was the first who tried to run these tests. Does anybody experienced the same issue? For configuration and test results please refer to the attached file. radiusd in debug mode write this: ... [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Tunneled challenge is incorrect [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 6 to 127.0.0.1 port 49816 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 The test configuration files looks like this: # cat EAP-TTLS_CHAP.conf ctrl_interface=wpa_supplicant.ctrl network={ ssid="QA test 802.1x network" key_mgmt=IEEE8021X eap=TTLS phase2="auth=CHAP" identity="testuser" anonymous_identity="anonymous" password="testpwd" ca_cert="/etc/raddb/certs/ca.pem" ca_cert2="/etc/raddb/certs/ca.pem" } The raiusd has the default configuration except: /etc/raddb/modules/mschap /etc/raddb/modules/pap /etc/raddb/eap.conf /etc/raddb/users and test certificates were created and added. For the details please see the attached file. The wpa_supplicant was built with the provided "defconfig" configuration. Regards, Patrik Kis
Hi,
I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2) against freeradius-2.2.8 and the following cases are failing with "
Does 2.2.x support TLS 1.2 anyway? It is really time to move on to 3.0.x these days... Greetings, Stefan Winter
[ttls] Tunneled challenge is incorrect": EAP-TTLS/CHAP EAP-TTLS/MSCHAP EAP-TTLS/MSCHAPv2 Interestingly the same tests with eapol_test from wpa_supplicat-2.4 (that is using TLS-1.0) are fine.
I would be surprised if I was the first who tried to run these tests. Does anybody experienced the same issue? For configuration and test results please refer to the attached file.
radiusd in debug mode write this: ... [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Tunneled challenge is incorrect [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 6 to 127.0.0.1 port 49816 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000
The test configuration files looks like this: # cat EAP-TTLS_CHAP.conf ctrl_interface=wpa_supplicant.ctrl network={ ssid="QA test 802.1x network" key_mgmt=IEEE8021X eap=TTLS phase2="auth=CHAP" identity="testuser" anonymous_identity="anonymous" password="testpwd" ca_cert="/etc/raddb/certs/ca.pem" ca_cert2="/etc/raddb/certs/ca.pem" }
The raiusd has the default configuration except: /etc/raddb/modules/mschap /etc/raddb/modules/pap /etc/raddb/eap.conf /etc/raddb/users and test certificates were created and added. For the details please see the attached file.
The wpa_supplicant was built with the provided "defconfig" configuration.
Regards, Patrik Kis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Sep 9, 2015, at 6:15 AM, Patrik Kis <pkis@redhat.com> wrote:
I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2) against freeradius-2.2.8 and the following cases are failing with " [ttls] Tunneled challenge is incorrect": EAP-TTLS/CHAP EAP-TTLS/MSCHAP EAP-TTLS/MSCHAPv2 Interestingly the same tests with eapol_test from wpa_supplicat-2.4 (that is using TLS-1.0) are fine.
I've pushed a fix to all branches.
I would be surprised if I was the first who tried to run these tests.
You're the first one who noted it. Alan DeKok.
On Wed, 2015-09-09 at 09:26 -0400, Alan DeKok wrote:
On Sep 9, 2015, at 6:15 AM, Patrik Kis <pkis@redhat.com> wrote:
I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2) against freeradius-2.2.8 and the following cases are failing with " [ttls] Tunneled challenge is incorrect": EAP-TTLS/CHAP EAP-TTLS/MSCHAP EAP-TTLS/MSCHAPv2 Interestingly the same tests with eapol_test from wpa_supplicat-2.4 (that is using TLS-1.0) are fine.
I've pushed a fix to all branches.
Thanks! That was fast! I've tested it and it seems all cases are fixed. Thanks again!
I would be surprised if I was the first who tried to run these tests.
You're the first one who noted it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Patrik Kis QE BaseOS team https://home.corp.redhat.com/user/pkis Email: pkis@redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Well found, Patrick! :) Interesting one this though, the public release date for iOS 9 is likely to be around a week from now. OS X El Capitan is likely to be released a compile of weeks after. Both negotiate for TLS-based EAP with TLS 1.2. EAP-TTLS users with FreeRADIUS 2.2.6 or later, or 3.0.7 or later will therefore need to upgrade to as yet unreleased versions of FreeRADIUS... or prohibit TLS 1.2 from being negotiated. This could easily be a pain for Eduroam users. Could we get fixed major versions out sooner rather than later therefore? Cheers, Nick
On Wed, Sep 09, 2015 at 12:22:35PM -0400, Alan DeKok wrote:
On Sep 9, 2015, at 11:45 AM, Nick Lowe <nick.lowe@gmail.com> wrote:
I mean fixed minor releases in the 2.x and 3.x major release branches.
I'll be releasing updates this week.
I got a segfault this afternoon with a particular (invalid) config but can't reproduce with the standard config. Will try and debug in the next day or so unless anyone else can reproduce and gets there before me. ("%{rand}" expansion crashed out during expansion upon incoming packet). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 9 Sep 2015, at 17:35, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Wed, Sep 09, 2015 at 12:22:35PM -0400, Alan DeKok wrote:
On Sep 9, 2015, at 11:45 AM, Nick Lowe <nick.lowe@gmail.com> wrote:
I mean fixed minor releases in the 2.x and 3.x major release branches.
I'll be releasing updates this week.
I got a segfault this afternoon with a particular (invalid) config but can't reproduce with the standard config. Will try and debug in the next day or so unless anyone else can reproduce and gets there before me.
("%{rand}" expansion crashed out during expansion upon incoming packet).
What kind of misconfiguration? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, Sep 09, 2015 at 06:03:43PM +0100, Arran Cudbard-Bell wrote:
("%{rand}" expansion crashed out during expansion upon incoming packet).
What kind of misconfiguration?
Exactly the above - %{rand} and %{randstr} segfault on expansion, %{rand:10} and %{randstr:ccccc} are fine. Config is stripped down to bare minimum - only enough modules enabled to support accounting packets and detail. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 9 Sep 2015, at 18:55, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Sep 09, 2015 at 06:03:43PM +0100, Arran Cudbard-Bell wrote:
("%{rand}" expansion crashed out during expansion upon incoming packet).
What kind of misconfiguration?
Exactly the above - %{rand} and %{randstr} segfault on expansion, %{rand:10} and %{randstr:ccccc} are fine.
In v3.1.x I get /usr/local/freeradius/etc/raddb/sites-enabled/default[39]: Failed parsing expanded string: /usr/local/freeradius/etc/raddb/sites-enabled/default[39]: %{rand} /usr/local/freeradius/etc/raddb/sites-enabled/default[39]: ^ Unknown attribute Which is correct. But yes, crashes with v3.0.x because a NULL fmt pointer gets passed to the xlat function. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 9 Sep 2015, at 19:14, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Sep 2015, at 18:55, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Sep 09, 2015 at 06:03:43PM +0100, Arran Cudbard-Bell wrote:
("%{rand}" expansion crashed out during expansion upon incoming packet).
What kind of misconfiguration?
Exactly the above - %{rand} and %{randstr} segfault on expansion, %{rand:10} and %{randstr:ccccc} are fine.
In v3.1.x I get
/usr/local/freeradius/etc/raddb/sites-enabled/default[39]: Failed parsing expanded string: /usr/local/freeradius/etc/raddb/sites-enabled/default[39]: %{rand} /usr/local/freeradius/etc/raddb/sites-enabled/default[39]: ^ Unknown attribute
Which is correct. But yes, crashes with v3.0.x because a NULL fmt pointer gets passed to the xlat function.
Ah because my v3.1.x config has rlm_expr stripped out, doh! Not sure what the intent behind this virtual attribute code is, it doesn't seem to be used for actual attributes AFAICT, and re-using the xlat tree without a field to distinguish between virtual attributes and functions is a bad idea, as evidenced by this bug. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, Sep 09, 2015 at 03:17:10PM -0400, Alan DeKok wrote:
On Sep 9, 2015, at 1:55 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Exactly the above - %{rand} and %{randstr} segfault on expansion, %{rand:10} and %{randstr:ccccc} are fine.
I've pushed a fix (and test cases!)
And there was me trying to save you both from having to look at it! Thanks. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 9 Sep 2015, at 20:17, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 9, 2015, at 1:55 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Exactly the above - %{rand} and %{randstr} segfault on expansion, %{rand:10} and %{randstr:ccccc} are fine.
I've pushed a fix (and test cases!)
That's not really what internal was intended for? Or if it was can we rename it is_function? :) Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (6)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Nick Lowe -
Patrik Kis -
Stefan Winter