MS-CHAP-V2 with no retry

James J J Hooper jjj.hooper at bristol.ac.uk
Sun Apr 10 16:41:20 CEST 2011


On 10/04/2011 12:57, James J J Hooper wrote:
> On 10/04/2011 12:39, James J J Hooper wrote:
>> On 10/04/2011 12:16, James J J Hooper wrote:
>>> On 10/04/2011 07:03, Alan DeKok wrote:
>>>> James J J Hooper wrote:
>>>>> I may have misunderstood the code, but I think the EAP MS-CHAP-v2
>>>>> Failure packet should be an EAP *request* (currently it's EAP
>>>>> failure)??
>>>>
>>>> Yes, thanks.
>>>
>>>
>>> Also, args to pairmove2 are wrong way around, as attached.
>>>
>>
>>
>> After that last change (p4.txt.gz), I think it's now doing the right thing:
>>
>> * wpa_supplicant output matches Phil's (against W2k8 NPS), with the
>> exception that M=... is always present.
>>
>> * With allow_retry = no, XP pops up the usual 'enter credentials...'
>> bubble, and box.
>>
>> * With allow_retry = yes, XP pops a "click to process credentials" bubble,
>> then a "type your password again" box:
>> http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png
>
>
> ...Although, when you correct the password in the 'allow_retry = yes'
> popup, I don't think FR has got the bit to handle that yet:
>
> Found Auth-Type = eduroamalieneap-bris-sha-ca
> # Executing group from file
> /usr/local/etc/raddb/sites-enabled/eduroamalien-inner
> +- entering group eduroamalieneap-bris-sha-ca {...}
> [eduroamalieneap-bris-sha-ca] Request found, released from the list
> [eduroamalieneap-bris-sha-ca] EAP/mschapv2
> [eduroamalieneap-bris-sha-ca] processing type mschapv2
> rlm_eap_mschapv2: Unexpected response received << ***
> [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
> [eduroamalieneap-bris-sha-ca] Failed in EAP select
> ++[eduroamalieneap-bris-sha-ca] returns invalid
> Failed to authenticate the user.
> Login incorrect: [jh1761-s at bris.ac.uk] (from client JamesJJ port 256 cli
> 00-1a-4d-35-b0-5a via TLS tunnel)
> } # server eduroamalien-inner
> [peap] Got tunneled reply code 3
> EAP-Message = 0x040c0004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
> EAP-Message = 0x040c0004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE


I think it needs two things now:

1)
Something like:
@@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg, 
EAP_HANDLER *handler)
                  *      a challenge.
                  */
         case PW_EAP_MSCHAPV2_RESPONSE:
-               if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
-                       radlog(L_ERR, "rlm_eap_mschapv2: Unexpected 
response received");
+               if ((data->code != PW_EAP_MSCHAPV2_CHALLENGE) && 
(data->code != PW_EAP_MSCHAPV2_FAILURE)) {
+                       radlog(L_ERR, "rlm_eap_mschapv2: Unexpected 
response received: %d", data->code);
                         return 0;
                 }
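Review bot: accepting a client Response while `data->code` is `PW_EAP_MSCHAPV2_FAILURE` is only correct if the code that follows this check validates the NT-Response against the challenge that went out in the failure message (the C= value), not the original challenge; this hunk widens the state check but nothing in it updates the challenge the response will be compared with. Suggest also gating the new `PW_EAP_MSCHAPV2_FAILURE` branch on a retry actually having been offered (`inst->retry_msg`) and bounding the number of retries, so a failure that did not invite a retry still terminates the exchange instead of keeping the handler alive. Including `data->code` in the error log, as the `+` line does, is a useful improvement for diagnosing state mismatches.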

... because the response to our MSCHAPV2_FAILURE seems to be a 
MSCHAPV2_FAILURE



2)
if (inst->retry_msg) {
        /* size must be the space left after the offset, not sizeof(buffer) */
        snprintf(buffer + 9, sizeof(buffer) - 9, " C=");
        for (i = 0; i < 16; i++) {
                /* 16 random bytes, hex-encoded into the C= field */
                snprintf(buffer + 12 + i * 2, sizeof(buffer) - 12 - i * 2,
                         "%02x", fr_rand() & 0xff);
        }
}

This C=<random> needs to be saved and eventually make its way into 
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);

has the correct challenge, and can then process the client's "retry" correctly?
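As an added illustration of the mechanism asked about above (not code from the thread or from FreeRADIUS), the following C program generates the retry challenge, hex-encodes it into the "E=691 R=1 C=..." failure message, and keeps the raw bytes in a per-session struct so that a later check of the client's retry uses the same challenge the client was told to answer. `retry_state_t` is an assumed stand-in for the handler's opaque per-session data, `example_rand()` is a fixed-seed placeholder for `fr_rand()`, and `challenge_matches()` is a constructed check that decodes the message back and compares it with the stored bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSCHAPV2_CHALLENGE_LEN 16

/* MS-CHAPv2 opcodes for the state we last sent (names as used in the thread) */
enum { PW_EAP_MSCHAPV2_CHALLENGE = 1, PW_EAP_MSCHAPV2_FAILURE = 4 };

/* Per-session state; an assumed stand-in for the handler's opaque data. */
typedef struct {
	int     code;                              /* last opcode we sent to the client */
	uint8_t challenge[MSCHAPV2_CHALLENGE_LEN]; /* challenge the next Response must answer */
} retry_state_t;

/* Placeholder for fr_rand(): fixed-seed xorshift32 so the example runs offline. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t example_rand(void)
{
	uint32_t x = rng_state;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	rng_state = x;
	return x;
}

/*
 * Build the failure message "E=691 R=1 C=<32 hex chars>" and keep the raw
 * challenge bytes in st->challenge, so the retry Response can later be
 * checked against the challenge the client was actually given.
 * Returns the message length, or -1 if msg is too small.
 */
int build_retry_message(retry_state_t *st, char *msg, size_t msglen)
{
	size_t pos, i;
	int n;

	n = snprintf(msg, msglen, "E=691 R=1 C=");
	if (n < 0 || (size_t)n >= msglen) return -1;
	pos = (size_t)n;

	for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
		st->challenge[i] = (uint8_t)(example_rand() & 0xff);
		/* size argument is the space remaining after the offset */
		n = snprintf(msg + pos, msglen - pos, "%02x", st->challenge[i]);
		if (n < 0 || (size_t)n >= msglen - pos) return -1;
		pos += (size_t)n;
	}
	st->code = PW_EAP_MSCHAPV2_FAILURE; /* now waiting for the retry Response */
	return (int)pos;
}

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Decode the C= field of a failure message (what the peer does). 0 on success. */
int parse_challenge_from_message(const char *msg, uint8_t out[MSCHAPV2_CHALLENGE_LEN])
{
	const char *p = strstr(msg, "C=");
	size_t i;

	if (!p) return -1;
	p += 2;
	for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
		int hi = hexval((unsigned char)p[2 * i]);
		if (hi < 0) return -1;             /* short or non-hex field */
		int lo = hexval((unsigned char)p[2 * i + 1]);
		if (lo < 0) return -1;
		out[i] = (uint8_t)((hi << 4) | lo);
	}
	return 0;
}

/* 1 if the C= field in msg decodes to the challenge stored in st, else 0. */
int challenge_matches(const retry_state_t *st, const char *msg)
{
	uint8_t parsed[MSCHAPV2_CHALLENGE_LEN];

	if (parse_challenge_from_message(msg, parsed) != 0) return 0;
	return memcmp(parsed, st->challenge, MSCHAPV2_CHALLENGE_LEN) == 0;
}

int main(void)
{
	retry_state_t st = {0};
	char msg[128];
	int len = build_retry_message(&st, msg, sizeof(msg));

	if (len < 0) return 1;
	printf("retry message: %s\n", msg);
	printf("stored challenge matches message: %s\n",
	       challenge_matches(&st, msg) ? "yes" : "no");
	return 0;
}
```

The point of keeping the raw bytes rather than the hex text is that the later `memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN)` wants the 16 binary bytes, and that the MS-CHAP module must verify the retry against this new challenge, not the one from the original Challenge packet.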

(help, I haven't managed to work out the mechanism from the current 
challenge generation bits yet!)

-James