iPad PEAP MSCHAPv2

Alan DeKok aland at deployingradius.com
Fri Jan 15 17:45:49 CET 2016


On Jan 15, 2016, at 11:37 AM, Óscar Remírez de Ganuza Satrústegui <oscarrdg at unav.es> wrote:
> I have continued investigating this issue, reproducing the problem with
> eapol_test.
> Disabling tlsv1_2 did not affect the result, and I was still having
> problems.

  That's bad.

> So I have installed the new freeradius version on the old server, in order
> to be able to compare the results, and I have found that the new
> freeradius works ok on the old server!

  That's good.  We've put a lot of effort into working around OpenSSL problems. :(

> Comparing the debug logs, line by line, I see that the first difference is
> in the EAP-Message of Access-Request #6, much bigger in case #2:
> 
> In Case #1:
> (6) Received Access-Request Id 6 from 159.237.8.31:44007 to
> 159.237.12.8:1812 length 142
> (6)   User-Name = "anonino at unav.es"
> (6)   NAS-IP-Address = 127.0.0.1
> (6)   Calling-Station-Id = "02-00-00-00-00-01"
> (6)   Framed-MTU = 1400
> (6)   NAS-Port-Type = Wireless-802.11
> (6)   Connect-Info = "CONNECT 11Mbps 802.11b"
> (6)   EAP-Message = 0x020600061900

  That's an EAP-TLS ACK.

> In Case #2:
> (6) Received Access-Request Id 6 from 159.237.8.31:32965 to
> 159.237.18.104:1812 length 280
> (6)   User-Name = "anonino at unav.es"
> (6)   NAS-IP-Address = 127.0.0.1
> (6)   Calling-Station-Id = "02-00-00-00-00-01"
> (6)   Framed-MTU = 1400
> (6)   NAS-Port-Type = Wireless-802.11
> (6)   Connect-Info = "CONNECT 11Mbps 802.11b"
> (6)   EAP-Message =
> 0x02060090198000000086160301004610000042410483144b3e8df35650f6435c0906f39d3d33301f98f391c1bc73127ff72afe7ef82d6aa40707f062c2eaab73383292ca022f1469df43863eda1d869a64b3607c5014030100010116030100303b6e2063d8d994c891195fb9e8c3103b1344b7b90b063b

  And that's EAP-TLS data.  It *should* work....

> I have seen that there are also some problems with versions OpenSSL 1.0.1f
> and 1.0.1g:
> http://lists.freeradius.org/pipermail/freeradius-users/2015-December/081251.html

  Yes.

> Is it correct if I conclude that this version (OpenSSL 1.0.1e) is also not
> working properly?

  I'd be happy to blame OpenSSL. 

> Is there a way to make freeradius use a different version of openssl on the
> same server?

  Yes.  But it's not trivial.  That's because the compiler can find the second version, but has a MUCH harder time ignoring the first version.  Unless we can make it ignore the first version... it can compile against some combination of the versions, which is bad.

  Virtual machines are cheap.  I'd suggest trying a new virtual machine, which you can put only one version of OpenSSL on.

  Alan DeKok.
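The two EAP-Message values quoted in the exchange above can be taken apart with the decoder below. It is an added example for this thread, not FreeRADIUS or eapol_test code: it splits the EAP header, the EAP-TLS/PEAP flags byte (RFC 5216 layout, with the PEAP version in the low bits) and the TLS records carried in the fragment. Run against the quoted values it reports case #1 as a PEAP v0 Response with no flags and no data, which is the ACK, and case #2 as a fragment with the L flag and a TLS length of 134 carrying ClientKeyExchange, ChangeCipherSpec and the encrypted Finished. It also flags that the case #2 hex as quoted (119 bytes) is shorter than its own EAP Length field (144), so the last record is cut off in the quoted output.

```python
"""Decode EAP-Message hex as printed in FreeRADIUS debug output (added example,
not FreeRADIUS code): EAP header, RFC 5216 flags byte, TLS records inside."""
from dataclasses import dataclass, field
from typing import List, Optional

# The two EAP-Message values quoted in the thread (Access-Request #6, case #1 and case #2).
CASE1_HEX = "0x020600061900"
CASE2_HEX = ("0x0206009019800000" "0086160301004610" "000042410483144b"
             "3e8df35650f6435c" "0906f39d3d33301f" "98f391c1bc73127f"
             "f72afe7ef82d6aa4" "0707f062c2eaab73" "383292ca022f1469"
             "df43863eda1d869a" "64b3607c50140301" "0001011603010030"
             "3b6e2063d8d994c8" "91195fb9e8c3103b" "1344b7b90b063b")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_METHODS = {13, 21, 25}      # type-data starts with the L/M/S flags byte
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                 13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
                 20: "Finished"}


@dataclass
class TlsRecord:
    content: str    # record content type
    version: str    # record-layer version
    length: int     # body length from the record header
    captured: int   # body bytes actually present in the dump
    detail: str     # handshake message name when readable


@dataclass
class EapSummary:
    code: str
    identifier: int
    declared_length: int    # EAP Length field
    captured_length: int    # bytes present in the dump
    method: str
    flags: str = ""
    tls_total_length: Optional[int] = None   # set only when the L flag is present
    is_ack: bool = False
    records: List[TlsRecord] = field(default_factory=list)

    @property
    def truncated(self) -> bool:
        return self.captured_length < self.declared_length


def parse_tls_records(data: bytes) -> List[TlsRecord]:
    """Walk TLS records.  After ChangeCipherSpec the Handshake body (Finished)
    is encrypted, so its first byte is no longer a handshake message type."""
    records, encrypted, pos = [], False, 0
    while pos + 5 <= len(data):
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + rlen]          # shorter than rlen if the dump is cut
        version = f"TLS 1.{minor - 1}" if (major, minor) >= (3, 1) else f"SSL {major}.{minor}"
        detail = ""
        if ctype == 22 and body:
            detail = "encrypted" if encrypted else TLS_HANDSHAKE.get(body[0], f"type {body[0]}")
        records.append(TlsRecord(TLS_CONTENT.get(ctype, f"type {ctype}"), version,
                                 rlen, len(body), detail))
        encrypted = encrypted or ctype == 20
        pos += 5 + rlen
    return records


def decode_eap_message(hex_str: str) -> EapSummary:
    raw = bytes.fromhex(hex_str[2:] if hex_str.lower().startswith("0x") else hex_str)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code = raw[0]
    s = EapSummary(EAP_CODES.get(code, f"code {code}"), raw[1],
                   int.from_bytes(raw[2:4], "big"), len(raw), method="(none)")
    if code not in (1, 2) or len(raw) < 6:
        return s                      # Success/Failure carry no type; nothing else to read
    eap_type, flags = raw[4], raw[5]
    s.method = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type not in TLS_METHODS:
        return s
    if eap_type != 13:
        s.method += f" v{flags & 0x07}"   # PEAP/TTLS carry their version in the low bits
    s.flags = "".join(n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit) or "-"
    pos = 6
    if flags & 0x80 and len(raw) >= 10:
        s.tls_total_length = int.from_bytes(raw[6:10], "big")   # 4-byte TLS Message Length
        pos = 10
    payload = raw[pos:]
    s.is_ack = code == 2 and not payload and not flags & 0xE0   # RFC 5216 ACK: no flags, no data
    s.records = parse_tls_records(payload)
    return s


if __name__ == "__main__":
    for label, hx in (("case #1", CASE1_HEX), ("case #2", CASE2_HEX)):
        s = decode_eap_message(hx)
        print(f"{label}: {s.code} id={s.identifier} {s.method} flags={s.flags} "
              f"len={s.declared_length} captured={s.captured_length}"
              f"{' (truncated)' if s.truncated else ''} tls_len={s.tls_total_length} ack={s.is_ack}")
        for r in s.records:
            print(f"    {r.content} {r.version} len={r.length} captured={r.captured} {r.detail}")
```

Running the script prints both summaries. The truncated flag is worth checking before drawing conclusions from a pasted hex dump: here the Finished record is only partly present, so nothing can be said about its contents, only that the client reached the ClientKeyExchange / ChangeCipherSpec / Finished flight on a TLS 1.0 record layer.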

More information about the Freeradius-Users mailing list