Small ammendment on the e-mail, I mentioned the Length of the AVP but I meant the AVP code, and it seems FreeRadius handles this correctly The AVP code should be 3 bytes and the AVP Flags is 1 byte.
So the 00 00 00 bytes at the end is ok Regards, Tom. > -----Original Message----- > From: Tom Rixom > Sent: Monday, March 08, 2004 9:23 AM > To: [EMAIL PROTECTED] > Subject: RE: EAP-TTLS-EAP-* > > > Hi Alan, > > I got EAP-TLS-EAP-MSCHAPV2 working but I had to tweak > SecureW2 a bit for FreeRadius. > > I had a closer look and this is what I came up with (With > help of the -Xxx ;)): > > this is the log file of FreeRadius: > > Mon Mar 8 08:51:30 2004 : Debug: modcall: group authenticate > returns handled for request 15 > TTLS: Got tunneled reply RADIUS code 11 > MS-CHAP2-Success = > 0x00533d424633414335433345333436364644434242374234394137443033 > 37443741334338333441413836 > MS-MPPE-Recv-Key = 0x759a726e4985b73a7bd99c9b1e56d215 > MS-MPPE-Send-Key = 0x19c1e335bed2de6b215dbbeec4d175ec > MS-MPPE-Encryption-Policy = 0x00000001 > MS-MPPE-Encryption-Types = 0x00000006 > EAP-Message = > 0x010200331a0301002e533d42463341433543334533343636464443424237 > 423439413744303337443741334338333441413836 > Message-Authenticator = 0x00000000000000000000000000000000 > State = 0x5bef466393edf2ac59626d5581d57a6c > Mon Mar 8 08:51:30 2004 : Debug: TTLS::process_reply > Mon Mar 8 08:51:30 2004 : Debug: TTLS: Got tunneled > Access-Challenge > TTLS tunnel data out 0000: 00 00 00 4f 40 00 00 3b 01 02 00 > 33 1a 03 01 00 > TTLS tunnel data out 0010: 2e 53 3d 42 46 33 41 43 35 43 33 > 45 33 34 36 36 > TTLS tunnel data out 0020: 46 44 43 42 42 37 42 34 39 41 37 > 44 30 33 37 44 > TTLS tunnel data out 0030: 37 41 33 43 38 33 34 41 41 38 36 > 00 00 00 > Mon Mar 8 08:51:30 2004 : Debug: TTLS: handled Access-Challenge > Mon Mar 8 08:51:30 2004 : Debug: TTLS::process_reply returning: 11 > Mon Mar 8 08:51:30 2004 : Debug: RLM_MODULE_REJECT: 0 > Mon Mar 8 08:51:30 2004 : Debug: RLM_MODULE_HANDLED: 3 > Mon Mar 8 08:51:30 2004 : Debug: RLM_MODULE_UPDATED: 8 > Mon Mar 8 08:51:30 2004 : Debug: eapttls_process: returning 11 > Mon Mar 8 08:51:30 2004 : Debug: > rlm_eap_ttls::eapttls_authenticate: eapttls_process returned 11 > Mon Mar 8 08:51:30 2004 : Debug: modsingle[authenticate]: > returned from eap (rlm_eap) for request 15 > Mon Mar 8 08:51:30 2004 : Debug: modcall[authenticate]: > module "eap" returns handled for request 15 > Mon Mar 8 08:51:30 2004 : Debug: modcall: group authenticate > returns handled for request 15 > Sending Access-Challenge of id 183 to 192.168.0.104:32778 > EAP-Message = > 0x010a00b41580000000aa1703010018d9ebc6a739379802c18e5769d95be6 > 399c152413ad8ce9171703010088982d2a091ef7d383e715114af75ec1cecc > 6aa03a45a5dbfc28c2e157e908d3fdd5b887c0b6f5daf618ac3b9b23fad8b3 > acf4c6e4cf06911bace0aab5cd3dd75327b73cb0abd286aa97cf54c04174f9 > 326ffb6268c3dcbf0ec4c3b1c86899a42ff58f104ba34138ef0e727c6859a7 > 59cb02e1a944f7e2892c5b454143a742975e6a35e6f2eabb0182 > Message-Authenticator = 0x00000000000000000000000000000000 > State = 0x8ed06f90e771f7fd1aa6806076a375b2 > Mon Mar 8 08:51:30 2004 : Debug: Finished request 15 > Mon Mar 8 08:51:30 2004 : Debug: Going to the next request > Mon Mar 8 08:51:30 2004 : Debug: Waking up in 5 seconds... > > As you can see everything looks okay, the EAP-Message is > added to an AVP: > > EAP-Message = > 0x010200331a0301002e533d42463341433543334533343636464443424237 > 423439413744303337443741334338333441413836 > > is set to: > > TTLS tunnel data out 0000: 00 00 00 4f 40 00 00 3b 01 02 00 > 33 1a 03 01 00 > TTLS tunnel data out 0010: 2e 53 3d 42 46 33 41 43 35 43 33 > 45 33 34 36 36 > TTLS tunnel data out 0020: 46 44 43 42 42 37 42 34 39 41 37 > 44 30 33 37 44 > TTLS tunnel data out 0030: 37 41 33 43 38 33 34 41 41 38 36 00 00 00 > > *** What are the last 00 00 00 on the end??? That doesn't > seem right. If it were for example > an empty packet it should be 00 00 00 00 as the length is 4 > bytes in Diameter AVPs (Or am I wrong?) *** > > The stuff I can't see in the log is: > > Add AVP to a TLS application data blob and encrypt. > > the encrypted blob however is shown: > 8d9ebc6a739379802c18e5769d95be6399c152413ad8ce9171703010088982 > d2a091ef7d383e715114af75ec1cecc6aa03a45a5dbfc28c2e157e908d3fdd > 5b887c0b6f5daf618ac3b9b23fad8b3acf4c6e4cf06911bace0aab5cd3dd75 > 327b73cb0abd286aa97cf54c04174f9326ffb6268c3dcbf0ec4c3b1c86899a > 42ff58f104ba34138ef0e727c6859a759cb02e1a944f7e2892c5b454143a74 > 2975e6a35e6f2eabb0182 > > And this is the EAP-Message: > > EAP-Message: > 0x010a00b41580000000aa1703010018d9ebc6a739379802c18e5769d95be6 > 399c152413ad8ce9171703010088982d2a091ef7d383e715114af75ec1cecc > 6aa03a45a5dbfc28c2e157e908d3fdd5b887c0b6f5daf618ac3b9b23fad8b3 > acf4c6e4cf06911bace0aab5cd3dd75327b73cb0abd286aa97cf54c04174f9 > 326ffb6268c3dcbf0ec4c3b1c86899a42ff58f104ba34138ef0e727c6859a7 > 59cb02e1a944f7e2892c5b454143a742975e6a35e6f2eabb0182 > > What I receive on the other end is the following: > > The EAP-Message :) > 0x010a00b41580000000aa1703010018d9ebc6a739379802c18e5769d95be6 > 399c152413ad8ce9171703010088982d2a091ef7d383e715114af75ec1cecc > 6aa03a45a5dbfc28c2e157e908d3fdd5b887c0b6f5daf618ac3b9b23fad8b3 > acf4c6e4cf06911bace0aab5cd3dd75327b73cb0abd286aa97cf54c04174f9 > 326ffb6268c3dcbf0ec4c3b1c86899a42ff58f104ba34138ef0e727c6859a7 > 59cb02e1a944f7e2892c5b454143a742975e6a35e6f2eabb0182 > > ------ This is logging from SecureW2 ---------- > 8:51:30:871::TLSDecBlock::pbEncBlock(136): > 982D2A091EF7D383E715114AF75EC1CECC6AA03A45A5DBFC28C2E157E908D3 > FDD5B887C0B6F5DAF618AC3B9B23FAD8B3ACF4C6E4CF06911BACE0AAB5CD3D > D75327B73CB0ABD286AA97CF54C04174F9326FFB6268C3DCBF0EC4C3B1C868 > 99A42FF58F104BA34138EF0E727C6859A759CB02E1A944F7E2892C5B454143 > A742975E6A35E6F2EABB0182 > > 8:51:30:871::TLSDecBlock::pbDecBlock(136): > 0000004F400000340101002C1A0101002710CA9F5BCBDDA23929D85DBEC284 > 14E859746F6D2E7269786F6D40746573742E636F6D0000004F4000003B0102 > 00331A0301002E533D42463341433543334533343636464443424237423439 > 4137443033374437413343383334414138360000005BE6A6D35924F1B695ED > 7D04A33B3472FB2D820A0101 > > 8:51:30:871::TLSDecBlock::padding: 1 > > *** As you can see the decryption when ok and the padding and > MAC is correct so this is the exact data > received from Freeradius *** > > 8:51:30:881::TLSParseServerPacket::application data (114): > 0000004F400000340101002C1A0101002710CA9F5BCBDDA23929D85DBEC284 > 14E859746F6D2E7269786F6D40746573742E636F6D0000004F4000003B0102 > 00331A0301002E533D42463341433543334533343636464443424237423439 > 413744303337443741334338333441413836000000 > > *** This is a weird EAP-Message which is luckily ignored as > SecureW2 only uses the last read EAP-Message > but I checked and it is the previous EAP-Message sendt by > FreeRadius which was a response to my > EAP-Identity... *** > 8:51:30:881::TLSParseApplicationDataRecord::Eap-Message(44): > 0101002C1A0101002710CA9F5BCBDDA23929D85DBEC28414E859746F6D2E72 > 69786F6D40746573742E636F6D > > *** This is the EAP-Message from EAP-MSCHAPV2 we want *** > 8:51:30:881::TLSParseApplicationDataRecord::Eap-Message(51): > 010200331A0301002E533D4246334143354333453334363646444342423742 > 3439413744303337443741334338333441413836 > > The last message, as this is a screwy Length is ignored... > but let me check the TLS protocol to see > if the 00 00 00 bytes at the end mean anything. > > Regards, > > Tom Rixom. > > > -----Original Message----- > > From: Alan DeKok [mailto:[EMAIL PROTECTED] > > Sent: Sunday, March 07, 2004 1:16 AM > > To: [EMAIL PROTECTED] > > Subject: Re: EAP-TTLS-EAP-* > > > > > > "Tom Rixom" <[EMAIL PROTECTED]> wrote: > > > Thanks! Did you change the RLM_MODULE_HANDLED to PW_CHALLENGE in > > > rlm_eap_ttls.c? > > > > A little more than that, but pretty much. > > > > > Are you familiar with the TLS protocol? > > > > Unfortunately, yes. > > > > > Because as that did the trick for EAP-MD5, EAP-MSCHAPV2 > still screws > > > up as FreeRadius sends me two EAP-messages in the TLS > > application data > > > followed by a corrupt message. > > > > I don't think I've tried EAP-MSCHAPV2 with TTLS. > > > > Try running the server with '-Xxx'. It will print out what data > > comes into, and out of, the TLS tunnel. > > > > > I will debug freeradius a bit more and tell you what I find out. > > > > Thanks. > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
