iPad PEAP MSCHAPv2

Óscar Remírez de Ganuza Satrústegui oscarrdg at unav.es
Thu Feb 25 13:16:43 CET 2016


Good morning,

Just a few lines to update on this case:
We finally found where the problem was: the winbind daemon.

On our new server, both freeradius (3.0.10) and openssl (OpenSSL 1.0.1e)
were working ok. But the winbind daemon (4.1.12) used to authenticate
mschapv2 with the windows domain [1] had some bug.

It works ok for some time, and suddenly it gets "bugged".
It continues running, ntlm_auth still works ok, but when used through
freeradius, for some reason, it fails to continue the conversation after
sending the tunnelled MSCHAPv2 response.

And if it gets restarted, it begins working again!

It happens like twice a week.

We have not continued investigating where the problem lies inside the
winbind daemon. Instead, we are using some script to check and restart the
daemon whenever this bug happens.

In the future, we will also store NT-Password in LDAP, so that freeradius
can take it from LDAP (as it already does with userPassword for PAP), and
use it to authenticate MSCHAPv2 instead of using winbind/ntlm_auth. [2]
That way we will not depend on samba software anymore.

I guess maybe it will also be faster.

Thank you very much to everybody who helped with this issue. It really helped us
to find where the problem was.

Regards,


[1] Config from:
http://deployingradius.com/documents/configuration/active_directory.html
[2] As seen on:
http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057124.html



*Oscar Remírez de Ganuza Satrústegui*
IT Services
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.edu/web/it/

On Fri, Jan 15, 2016 at 5:45 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jan 15, 2016, at 11:37 AM, Óscar Remírez de Ganuza Satrústegui <oscarrdg at unav.es> wrote:
> > I have continued investigating this issue, reproducing the problem with
> > eapol_test.
> > Disabling tlsv1_2 did not affect the result, and I was still having
> > problems.
>
>   That's bad.
>
> > So I have installed the new freeradius version on the old server, in order
> > to be able to compare the results, and I have found that the new
> > freeradius works ok on the old server!
>
>   That's good.  We've put a lot of effort into working around OpenSSL
> problems. :(
>
> > Comparing the debug logs, line by line, I see that the first difference is
> > in the EAP-Message of Access-Request #6, much bigger in case #2:
> >
> > In Case #1:
> > (6) Received Access-Request Id 6 from 159.237.8.31:44007 to
> > 159.237.12.8:1812 length 142
> > (6)   User-Name = "anonino at unav.es"
> > (6)   NAS-IP-Address = 127.0.0.1
> > (6)   Calling-Station-Id = "02-00-00-00-00-01"
> > (6)   Framed-MTU = 1400
> > (6)   NAS-Port-Type = Wireless-802.11
> > (6)   Connect-Info = "CONNECT 11Mbps 802.11b"
> > (6)   EAP-Message = 0x020600061900
>
>   That's an EAP-TLS ACK.
>
> > In Case #2:
> > (6) Received Access-Request Id 6 from 159.237.8.31:32965 to
> > 159.237.18.104:1812 length 280
> > (6)   User-Name = "anonino at unav.es"
> > (6)   NAS-IP-Address = 127.0.0.1
> > (6)   Calling-Station-Id = "02-00-00-00-00-01"
> > (6)   Framed-MTU = 1400
> > (6)   NAS-Port-Type = Wireless-802.11
> > (6)   Connect-Info = "CONNECT 11Mbps 802.11b"
> > (6)   EAP-Message = 0x02060090198000000086160301004610000042410483144b3e8df35650f6435c0906f39d3d33301f98f391c1bc73127ff72afe7ef82d6aa40707f062c2eaab73383292ca022f1469df43863eda1d869a64b3607c5014030100010116030100303b6e2063d8d994c891195fb9e8c3103b1344b7b90b063b
>
>   And that's EAP-TLS data.  It *should* work....
>
> > I have seen that there are also some problems with versions OpenSSL 1.0.1f
> > and 1.0.1g:
> > http://lists.freeradius.org/pipermail/freeradius-users/2015-December/081251.html
>
>   Yes.
>
> > Is it correct if I conclude that this version (OpenSSL 1.0.1e) is also not
> > working properly??
>
>   I'd be happy to blame OpenSSL.
>
> > Is there a way to make freeradius use a different version of openssl on the
> > same server?
>
>   Yes.  But it's not trivial.  That's because the compiler can find the
> second version, but has a MUCH harder time ignoring the first version.
> Unless we can make it ignore the first version... it can compile against
> some combination of the versions, which is bad.
>
>   Virtual machines are cheap.  I'd suggest trying a new virtual machine,
> which you can put only one version of OpenSSL on.
>
>   Alan DeKok.

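As an added illustration (not part of the thread or of FreeRADIUS itself), here is a small decoder for the two EAP-Message values quoted above: it shows why the 6-byte packet is the PEAP ACK Alan refers to, and that the 0x90-byte one carries the client's ClientKeyExchange, ChangeCipherSpec and encrypted Finished records, with the attribute cut short in the debug output exactly as it appears in the mail. The hex constants are copied from the quoted log; the dictionary names are my own.

```python
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}   # TLS-based methods carry a flags byte
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
              14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

# Sample input copied from the debug lines quoted in the thread; case #2 is cut short
# exactly as the mail shows it, which the parser has to tolerate.
CASE1_ACK = "0x020600061900"
CASE2_DATA = "0x02060090198000000086160301004610000042410483144b3e8df35650f6435c0906f39d3d33301f98f391c1bc73127ff72afe7ef82d6aa40707f062c2eaab73383292ca022f1469df43863eda1d869a64b3607c5014030100010116030100303b6e2063d8d994c891195fb9e8c3103b1344b7b90b063b"

def parse_eap_message(hex_value):
    """Decode one EAP-Message attribute value as FreeRADIUS prints it (0x... hex)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 5:
        raise ValueError("too short for an EAP packet with a Type field")
    code, ident, length, eap_type = raw[0], raw[1], int.from_bytes(raw[2:4], "big"), raw[4]
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": EAP_TYPES.get(eap_type, eap_type), "truncated": len(raw) < length,
            "records": []}
    if eap_type not in EAP_TYPES or len(raw) < 6:
        return info
    flags = raw[5]                        # L = length included, M = more fragments, S = start
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:                      # a 4-byte total TLS length follows the flags
        info["tls_total_length"] = int.from_bytes(raw[6:10], "big")
        pos = 10
    payload = raw[pos:]
    # A 6-byte packet with no flags and no payload is the EAP-TLS/PEAP ACK.
    info["kind"] = "ACK" if length == 6 and flags == 0 and not payload else "TLS data"
    encrypted = False                     # everything after ChangeCipherSpec is ciphertext
    while len(payload) >= 5:              # stops cleanly when the attribute was truncated
        rtype, rlen = payload[0], int.from_bytes(payload[3:5], "big")
        body = payload[5:5 + rlen]
        rec = {"record": TLS_RECORDS.get(rtype, rtype), "version": (payload[1], payload[2]),
               "length": rlen, "present": len(body), "complete": len(body) == rlen}
        if rtype == 22 and body:
            rec["handshake"] = "encrypted" if encrypted else HANDSHAKES.get(body[0], body[0])
        if rtype == 20:
            encrypted = True
        info["records"].append(rec)
        payload = payload[5 + rlen:]
    return info

if __name__ == "__main__":
    for label, value in (("case #1", CASE1_ACK), ("case #2", CASE2_DATA)):
        print(label, parse_eap_message(value))
```

The same function works on any EAP-Message line from a FreeRADIUS debug log, so a full ACK/data exchange can be tabulated when comparing two runs as the thread does.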
