Last Thursday our Server support group uninstalled Symantec Anti-Virus, and installed Microsoft's System Center Endpoint Protection (SCEP) on one of our RADIUS servers.
Since then it has been failing to authenticate wireless users, although it is processing accounting requests just fine. Our server support team has done this successfully to our other RADIUS servers without issue. Below is a snippet from the RADIATOR log. Looking at the logs from the WPA_Supplicant that I use to test authentication, it appears there is an issue with the SSL handshake.

Thu Jun 20 17:52:57 2013 832787: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50692 ....
Code:       Access-Request
Identifier: 1
Authentic:  ~<9><158><24><11><174><221><245>+<179>R<134><21><229><215><179>
Attributes:
	User-Name = "wlantes...@uiowa.edu"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-IEEE-802-11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	Called-Station-Id = "eduroam"
	EAP-Message = <2><0><0><25><1>wlantes...@uiowa.edu
	Message-Authenticator = <231>I<187>]<133>rE<31><6><166>5<180>r{<217><178>
	OSC-Client-Identifier = "fromUIOWA"

Thu Jun 20 17:52:57 2013 834206: DEBUG: Handling request with Handler 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, Realm=/(uiowa\.edu$)/i ', Identifier ''
Thu Jun 20 17:52:57 2013 835136: DEBUG: PreProcessing Hook: called.
Thu Jun 20 17:52:57 2013 836104: DEBUG: Deleting session for wlantes...@uiowa.edu, 127.0.0.1,
Thu Jun 20 17:52:57 2013 836992: DEBUG: Handling with Radius::AuthLSA:
Thu Jun 20 17:52:57 2013 838004: DEBUG: Handling with EAP: code 2, 0, 25, 1
Thu Jun 20 17:52:57 2013 838878: DEBUG: Response type 1
Thu Jun 20 17:52:57 2013 840004: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 840856: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 841753: DEBUG: Access challenged for wlantes...@uiowa.edu: EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 842660: DEBUG: PostProcessing Hook: called.
Thu Jun 20 17:52:57 2013 843929: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50692 ....
Code:       Access-Challenge
Identifier: 1
Authentic:  Yz*<168>7f<226><24>%!?<169>@s<149><247>
Attributes:
	EAP-Message = <1><1><0><6><25>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jun 20 17:52:57 2013 850606: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50692 ....
Code:       Access-Request
Identifier: 2
Authentic:  <227>A_<3><236><229>z<228><196><30>"<217>H/<195><206>
Attributes:
	User-Name = "wlantes...@uiowa.edu"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-IEEE-802-11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	Called-Station-Id = "eduroam"
	EAP-Message = <2><1><0>z<25><128><0><0><0>p<22><3><1><0>k<1><0><0>g<3><1>Q<195><135><201><175><15><242><214>,'<127><21><231>1<1>@_<28>o<8>t<228><19><166>&<137><227><186><6><205>p<151><0><0>:<0>9<0>8<0><136><0><135><0>5<0><132><0><22><0><19><0><10><0>3<0>2<0><154><0><153><0>E<0>D<0>/<0><150><0>A<0><5><0><4><0><21><0><18><0><9><0><20><0><17><0><8><0><6><0><3><0><255><1><0><0><4><0>#<0><0>
	Message-Authenticator = <201>T<4><5><249>KF<203><173>J<22>Q<235><200><12>,
	OSC-Client-Identifier = "fromUIOWA"

Thu Jun 20 17:52:57 2013 851899: DEBUG: Handling request with Handler 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, Realm=/(uiowa\.edu$)/i ', Identifier ''
Thu Jun 20 17:52:57 2013 852780: DEBUG: PreProcessing Hook: called.
Thu Jun 20 17:52:57 2013 853720: DEBUG: Deleting session for wlantes...@uiowa.edu, 127.0.0.1,
Thu Jun 20 17:52:57 2013 854632: DEBUG: Handling with Radius::AuthLSA:
Thu Jun 20 17:52:57 2013 855579: DEBUG: Handling with EAP: code 2, 1, 122, 25
Thu Jun 20 17:52:57 2013 856417: DEBUG: Response type 25
Thu Jun 20 17:52:57 2013 857581: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jun 20 17:52:57 2013 858578: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 859798: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 860677: DEBUG: Access challenged for wlantes...@uiowa.edu: EAP PEAP Challenge
Thu Jun 20 17:52:57 2013 861545: DEBUG: PostProcessing Hook: called.
Thu Jun 20 17:52:57 2013 864311: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50692 ....
Code:       Access-Challenge
Identifier: 2
Authentic:  ?:<145><7><145><133>WP<180><141><182><161><232>O+<219>
Attributes:
	EAP-Message = <1><2><5><130><25><192><0><0><15>!<22><3><1><0>J<2><0><0>F<3><1>Q<195><135><201><160><202><168><163><249><22><145><232>T<129><7><131>c<147><6><138>!b<240><186><246>9<213><138><179><161><217><197> <245><231><18>G<22>1t<133><222>%<251>0[<160><24>E<251>A<214><9>!<169><195><163><180>O<135><203><145><249><150>a<0>5<0><22><3><1><14><196><11><0><14><192><0><14><189><0><5><179>0<130><5><175>0<130><4><151><160><3><2><1><2><2><17><0><192>1<252><202><166><225>N<140>vY<9>c<243><202>f<195>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0Q1<11>0<9><6><3>U<4><6><19><2>US1<18>0<16><6><3>U<4><10><19><9>Internet21<17>0<15><6><3>U<4><11><19><8>InCommon1<27>0<25><6><3>U<4><3><19><18>InCommon Server CA0<30><23><13>110603000000Z<23><13>
	EAP-Message = 140602235959Z0<130><1><26>1<11>0<9><6><3>U<4><6><19><2>US1<14>0<12><6><3>U<4><17><19><5>522421<11>0<9><6><3>U<4><8><19><2>IA1<18>0<16><6><3>U<4><7><19><9>Iowa City1<25>0<23><6><3>U<4><9><19><16>416-3 North Hall1<31>0<29><6><3>U<4><9><19><22>The University of Iowa1301<6><3>U<4><9><19>*ITS Telecommunication and Network 
Services1<27>0<25><6><3>U<4><10><19><18>University of Iowa1<19>0<17><6><3>U<4><11><19><10>ITS-TNS-NS1<20>0<18><6><3>U<4><11><19><11> EAP-Message = PlatinumSSL1!0<31><6><3>U<4><3><19><24>net-auth-1.its.uiowa.edu0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><157>43z1<181>"<145><197>$<25><25><187>J<11><220><193><164><232>SD;<217><177>p<157>`#<201><223><219><179>6<150><216><26>B<13><217><188>B0<184>.<246><168><2><9><243>[d<138>4<21><155><222><1><235>=<232><138>R&<176><19>}<145><216><156><255>C<20><216>b<154><29>@<224>`<17>2z<220>\<165><168><4<2>$o<232><27><206><235><226>C<213>NmI@Q<138><233><218><22><234><241><23>9IQ<152>gM<132>81i<142><228><220><228><16><246><14>!<200>[q<160><239><130><178><254><8>T<177>tD<25><226>g<26><226>B<16><193><158>^}<217><211>5oA<8>7<132><161><15><153><14><232><28>]<133><179><130>n<194><129><16> EAP-Message = u<186>-<203><175><187>U?<244>-M<156><229>kK<186><209><197><162><169><247><178><220><31>7<191><162>7<131><142>f<203><161>t<132><203>S<202><176><133><186>m"JV<159>Y{l)<235><178><200><11>w<176><185>k<249>*B<10><239><193><183>|<255><24>'<236><166><151><20><246><191><146><128>~<240><198><252>=<2><3><1><0><1><163><130><1><181>0<130><1><177>0<31><6><3>U<29>#<4><24>0<22><128><20>HOZ<250>/J<154>^<224>P<243>k{U<165><222><245><190>4]0<29><6><3>U<29><14><4><22><4><20>\<16><243><136><230><129>q<30><128><0>*<210>M<211><245><127>=Q<10><222>0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><160>0<12><6><3>U<29><19><1><1><255><4><2>0<0>0<29><6><3>U<29>%<4><22>0<20><6><8>+<6><1><5><5><7><3><1><6><8>+<6><1><5><5><7><3><2>0]<6><3>U<29> <4>V0T0R<6><12>+<6><1><4><1><174>#<1><4><3><1><1>0B0@<6><8> EAP-Message = 
+<6><1><5><5><7><2><1><22>4https://www.incommon.org/cert/repository/cps_ssl.pdf0=<6><3>U<29><31><4>60402<160>0<160>.<134>,http://crl.incommon.org/InCommonServerCA.crl0o<6><8>+<6><1><5><5><7><1><1><4>c0a09<6><8>+<6><1><5><5><7>0<2><134>-http://cert.incommon.org/InCommonServerCA.crt0$<6><8>+<6><1><5><5><7>0<1><134><24>http://ocsp.incommon.org0#<6><3>U<29><17><4><28>0<26><130><24>ne
	EAP-Message = t-auth-1.its.uiowa.edu0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><130><1><1><0><149><241> d<246>"<25><130><26>M<0><136><140><3>%<174><163><167>6<207><20><167><13><175><176><226>%(<178><182><140>Xp<173>\J<141><240><162>2i<175><242>8<152><133><139>Oy;<244><225><<145><2><189><255><182><229><215><223>Q<24><18><139>l<225>#<167><162><225><237><177><202>1<166><199>X:,|<184><137>=<236>R<237><195>-L<139><180><200><184>7<139><201>(<149><239><240><195><189>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

---

Then that's the last I hear until the client tries again… Here is a snippet from the wpa_supplicant log:

CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Using PEAP version 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 112 bytes pending from ssl_out
SSL: 112 bytes left to be sent out (of total 112 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp

The client goes on to send a response back to the server but never receives anything back.
I don't think there is an issue with RADIATOR, but I'm looking for information to feed back to our Server Support Team on the cause. (They did try backing out their changes, but it didn't fix things.)

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu
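Added example, not from Neil's post or from Radiator: this decodes the EAP-Message headers of the two packets in the dump above (the client's ClientHello and the server's first Access-Challenge fragment), assuming Radiator's dump notation of `<n>` for non-printable octets and literal characters for printable ones. It shows the client's 112-byte ClientHello (matching "112 bytes pending" in the wpa_supplicant log) and that the server's reply carries the M flag with a 3873-byte TLS flight, so the server is mid-fragmentation and is waiting for an empty EAP-TLS ACK before it can send the rest of its certificate chain.

```python
import re
import struct

# Constructed samples: the leading bytes of the two EAP-Message attributes in the
# Radiator dump above, truncated after the first TLS record header.
CLIENT_HELLO = "<2><1><0>z<25><128><0><0><0>p<22><3><1><0>k<1>"
SERVER_FLIGHT = "<1><2><5><130><25><192><0><0><15>!<22><3><1><0>J<2>"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}


def decode_radiator_bytes(text):
    """Assumed Radiator dump notation: <n> is a non-printable octet in decimal,
    any other character is the literal printable octet."""
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", text, re.S):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def parse_eap_tls(raw):
    """Decode the EAP header, the EAP-TLS/PEAP flags byte (RFC 5216 layout:
    L=0x80 length included, M=0x40 more fragments, S=0x20 start) and, if a TLS
    handshake record follows, its protocol version and handshake message type."""
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", raw[:6])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": eap_type, "length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40), "start": bool(flags & 0x20),
            "tls_total_length": None, "tls_record": None}
    off = 6
    if info["length_included"]:
        info["tls_total_length"] = struct.unpack("!I", raw[off:off + 4])[0]
        off += 4
    if len(raw) >= off + 6 and raw[off] == 0x16:  # 0x16 = TLS handshake record
        version = struct.unpack("!H", raw[off + 1:off + 3])[0]
        info["tls_record"] = (TLS_VERSIONS.get(version, hex(version)),
                              HANDSHAKES.get(raw[off + 5], raw[off + 5]))
    return info


def next_expected(info):
    """What the peer must send next for the EAP-TLS exchange to progress."""
    if info["more_fragments"]:
        return "empty EAP-TLS ACK (flags 0x00), then the sender's next fragment"
    return "the peer's own TLS flight"


if __name__ == "__main__":
    for label, dump in (("client", CLIENT_HELLO), ("server", SERVER_FLIGHT)):
        info = parse_eap_tls(decode_radiator_bytes(dump))
        print(label, info, "->", next_expected(info))
```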
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator