Re: [RADIATOR] Microsoft AV (Was Re: EAP PEAP Authentication Failing)

2013-07-29 Thread Johnson, Neil M

It's kind of hard to get a trace 4 log as the server is processing a lot of
accounting requests at the same time.

I did do additional packet captures and on the RADIUS server I see
requests going in and responses going out, but capturing packets on the
client side shows only 1 initial response getting back to the client.

I suspect a network/Firewall issue now and am pursuing that, but why it is
only affecting one RADIUS server, I don't know.

-Neil


Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 7/29/13 6:37 AM, "Sami Keski-Kasari"  wrote:

>Hello Neil,
>
>Can you reply with Trace 4 logfile so that we can see what happens?
>
>Best Regards,
>  Sami
>
>On 07/26/2013 10:39 PM, Johnson, Neil M wrote:
>>
>> I had our server folks completely re-install Windows on the server and
>> I'm still getting the same problem (Accounting requests are processing
>> fine. EAP Authentication is failing).
>>
>> I'm using the same version of RADIATOR, Perl, Perl modules,
>> certificates, and configuration as 8 other servers that are working, but
>> something about this server is different.
>>
>> Trace logs, output from eapol_test, and packet captures show that there
>> is an initial request to RADIATOR and RADIATOR responds, but when the
>> client makes its next request RADIATOR never responds. No error
>> messages in the RADIATOR trace log.
>>
>> Ideas?
>>
>> -Neil
>>
>>
>>
>> From: Neil Johnson
>> Date: Thursday, June 27, 2013 2:47 PM
>> To: Alan Buxey
>> Cc: radiator@open.com.au
>> Subject: Re: [RADIATOR] Microsoft AV (Was Re: EAP PEAP Authentication Failing)
>>
>> Well, according to our server support folks, they performed this same
>> procedure on our other 8 RADIUS servers and didn't have any issues.
>>
>> They were using SCCM (Microsoft's System Center Configuration Manager)
>> to automate the uninstall and re-install of the software rather than a
>> manual process. I wonder if performing the actions by hand would make a
>> difference.
>>
>> Since it appears to be one box, I'm assuming there was something wrong
>> with it before the upgrade and it should be wiped and reinstalled from
>> scratch.
>>
>> -Neil
>>
>>
>> From: Alan Buxey
>> Reply-To: Alan Buxey
>> Date: Thursday, June 27, 2013 1:35 PM
>> To: Neil Johnson
>> Cc: Heikki Vatiainen, radiator@open.com.au
>> Subject: Re: Microsoft AV (Was Re: [RADIATOR] EAP PEAP Authentication Failing)
>>
>> What would be interesting is whether a clean install of Windows and just
>> the installation of the Microsoft SEP kills it
>>
>> alan
>>
>>
>>
>> ___
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
>-- 
>Sami Keski-Kasari 
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.



Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-29 Thread Garry Shtern
I figured out what happened.  I apply "AllowInReply" attributes to the clients 
depending on the type and I forgot to include "EAP-Message", 
"Message-Authenticator" and others.

Once I added those, everything started working correctly.

Thanks!

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Garry Shtern
Sent: Monday, July 29, 2013 9:05 AM
To: 'Sami Keski-Kasari'; radiator@open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Sure, here you go...

Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Received from 172.20.60.2 port 6850 
Code:   Access-Request
Identifier: 196
Authentic:  <205>dD<193>x<230><138><161>+?B<217>k<154><218>C
Attributes:
User-Name = "SECURITYTEST$"
NAS-Port = 121
EAP-Message = <2><0><0><18><1>SECURITYTEST$
Message-Authenticator = 
<246>X<208>3<137><196>#nP<230><186>^<138><25><226><227>
Acct-Session-Id = "8O2.1x81a0139d000556a4"
NAS-Port-Id = "ge-0/0/14.0"
Calling-Station-Id = "78-2b-cb-9a-85-34"
Called-Station-Id = "88-e0-f3-b0-80-00"
NAS-IP-Address = 192.168.61.6
NAS-Identifier = "udsw16-1603-1-re0"
NAS-Port-Type = Ethernet

Fri Jul 19 22:07:40 2013: DEBUG: Handling request with Handler '', Identifier ''
Fri Jul 19 22:07:40 2013: DEBUG: Rewrote user name to SECURITYTEST$
Fri Jul 19 22:07:40 2013: DEBUG:  Deleting session for SECURITYTEST$, 192.168.61.6, 121
Fri Jul 19 22:07:40 2013: DEBUG: Handling with Radius::AuthFILE: user-file-auth
Fri Jul 19 22:07:40 2013: DEBUG: Handling with EAP: code 2, 0, 18, 1
Fri Jul 19 22:07:40 2013: DEBUG: Response type 1
Fri Jul 19 22:07:40 2013: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Access challenged for SECURITYTEST$: EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Sending to 172.20.60.2 port 6850 
Code:   Access-Challenge
Identifier: 196
Authentic:  7<11>p;<158><225><243><247><16><206>C<22><178>F<231><252>
Attributes:


-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Sami Keski-Kasari
Sent: Monday, July 29, 2013 6:52 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Hello Garry,

Can you reply with a Trace 4 log file?

Best Regards,
  Sami


On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straight forward.  Here you go:
>
> # User check from user file
> <AuthBy FILE>
>  Identifier  user-file-auth
>  # Location of the users file
>  Filename    %D/users
>  # Supported EAP Types and session info
>  EAPType PEAP,TLS,MSCHAP-V2
>  EAPTLS_MaxFragmentSize  1024
>  EAPTLS_SessionResumptionLimit   60
>  # Certificate Info
>  EAPTLS_CAFile   %D/certs/ca.pem
>  EAPTLS_CertificateType  PEM
>  EAPTLS_PrivateKeyFile   %D/certs/%h.pem
>  EAPTLS_CertificateChainFile %D/certs/%h.pem
>  # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>  # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>  # that matches ConvertedFromEAPMSCHAPV2=1
>  EAP_PEAP_MSCHAP_Convert 1
>  # Deal with MPPE keys
>  AutoMPPEKeys
> </AuthBy>
>
> *From:* Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
> *Sent:* Saturday, July 27, 2013 7:22 AM
> *To:* Garry Shtern; 'radiator@open.com.au'
> *Subject:* Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
>
>
>
>  Original message 
> From: Garry Shtern
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: 'radiator@open.com.au'
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue.  I am trying to do PEAP/MSCHAPv2 via 
> Juniper EX switch to Radiator.  I am seeing the Access-Request come 
> in, and Radiator responds with Access-Challenge which is dropped by the EX.
>   However, I have the same switch pointing to Microsoft NPS and 
> everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the 
> following difference in responses:
>
> - NPS returns "Authenticator" and the following AVPs:
>   o Session-Timeout
>   o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
>   o State
>   o Message-Authenticator
>
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that Juniper EX has an issue with this and that's why 
> it's dropping the frames, while Cisco IOS switch is absolutely fine 
> and forwards the traffic back to

Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-29 Thread Garry Shtern
Sure, here you go...

Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Received from 172.20.60.2 port 6850 
Code:   Access-Request
Identifier: 196
Authentic:  <205>dD<193>x<230><138><161>+?B<217>k<154><218>C
Attributes:
User-Name = "SECURITYTEST$"
NAS-Port = 121
EAP-Message = <2><0><0><18><1>SECURITYTEST$
Message-Authenticator = 
<246>X<208>3<137><196>#nP<230><186>^<138><25><226><227>
Acct-Session-Id = "8O2.1x81a0139d000556a4"
NAS-Port-Id = "ge-0/0/14.0"
Calling-Station-Id = "78-2b-cb-9a-85-34"
Called-Station-Id = "88-e0-f3-b0-80-00"
NAS-IP-Address = 192.168.61.6
NAS-Identifier = "udsw16-1603-1-re0"
NAS-Port-Type = Ethernet

Fri Jul 19 22:07:40 2013: DEBUG: Handling request with Handler '', Identifier ''
Fri Jul 19 22:07:40 2013: DEBUG: Rewrote user name to SECURITYTEST$
Fri Jul 19 22:07:40 2013: DEBUG:  Deleting session for SECURITYTEST$, 192.168.61.6, 121
Fri Jul 19 22:07:40 2013: DEBUG: Handling with Radius::AuthFILE: user-file-auth
Fri Jul 19 22:07:40 2013: DEBUG: Handling with EAP: code 2, 0, 18, 1
Fri Jul 19 22:07:40 2013: DEBUG: Response type 1
Fri Jul 19 22:07:40 2013: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Access challenged for SECURITYTEST$: EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Sending to 172.20.60.2 port 6850 
Code:   Access-Challenge
Identifier: 196
Authentic:  7<11>p;<158><225><243><247><16><206>C<22><178>F<231><252>
Attributes:


-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Sami Keski-Kasari
Sent: Monday, July 29, 2013 6:52 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Hello Garry,

Can you reply with a Trace 4 log file?

Best Regards,
  Sami


On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straight forward.  Here you go:
>
> # User check from user file
> <AuthBy FILE>
>  Identifier  user-file-auth
>  # Location of the users file
>  Filename    %D/users
>  # Supported EAP Types and session info
>  EAPType PEAP,TLS,MSCHAP-V2
>  EAPTLS_MaxFragmentSize  1024
>  EAPTLS_SessionResumptionLimit   60
>  # Certificate Info
>  EAPTLS_CAFile   %D/certs/ca.pem
>  EAPTLS_CertificateType  PEM
>  EAPTLS_PrivateKeyFile   %D/certs/%h.pem
>  EAPTLS_CertificateChainFile %D/certs/%h.pem
>  # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>  # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>  # that matches ConvertedFromEAPMSCHAPV2=1
>  EAP_PEAP_MSCHAP_Convert 1
>  # Deal with MPPE keys
>  AutoMPPEKeys
> </AuthBy>
>
> *From:* Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
> *Sent:* Saturday, July 27, 2013 7:22 AM
> *To:* Garry Shtern; 'radiator@open.com.au'
> *Subject:* Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
>
>
>
>  Original message 
> From: Garry Shtern
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: 'radiator@open.com.au'
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue.  I am trying to do PEAP/MSCHAPv2 via 
> Juniper EX switch to Radiator.  I am seeing the Access-Request come 
> in, and Radiator responds with Access-Challenge which is dropped by the EX.
>   However, I have the same switch pointing to Microsoft NPS and 
> everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the 
> following difference in responses:
>
> - NPS returns "Authenticator" and the following AVPs:
>   o Session-Timeout
>   o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
>   o State
>   o Message-Authenticator
>
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that Juniper EX has an issue with this and that's why 
> it's dropping the frames, while Cisco IOS switch is absolutely fine 
> and forwards the traffic back to the client w/o much of a consideration.
>
> Is there any easy way to force Radiator to add the same attributes to 
> the Challenge as NPS?
>
> Thanks.
>
>
>
>


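Garry's two messages above (the AllowInReply finding and the Trace 4 dump) describe an Access-Challenge that left the server without EAP-Message, Message-Authenticator or State. The following is an added Python example, not Radiator's own code: it builds the PEAP-start challenge from the dump (Identifier 196) with a valid Message-Authenticator, models an allow-list reply filter, and reports which attributes an EAP challenge has lost. Attribute numbers come from the RADIUS RFCs; the shared secret, State value and Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers used here (RFC 2865 / RFC 2869 / RFC 3579).
ATTR = {"State": 24, "Session-Timeout": 27, "EAP-Message": 79, "Message-Authenticator": 80}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ACCESS_CHALLENGE = 11
# An Access-Challenge that carries EAP must keep EAP-Message and
# Message-Authenticator (RFC 3579); State is what the NAS echoes next round.
REQUIRED_IN_EAP_CHALLENGE = ("EAP-Message", "Message-Authenticator", "State")

def encode_attrs(attrs):
    """attrs: list of (name, bytes). Returns the attribute TLVs as sent on the wire."""
    return b"".join(struct.pack("!BB", ATTR[n], 2 + len(v)) + v for n, v in attrs)

def build_access_challenge(identifier, request_auth, secret, attrs):
    """Assemble an Access-Challenge with a valid Message-Authenticator."""
    attrs = [a for a in attrs if a[0] != "Message-Authenticator"]
    body = encode_attrs(attrs + [("Message-Authenticator", bytes(16))])
    header = struct.pack("!BBH", ACCESS_CHALLENGE, identifier, 20 + len(body))
    # HMAC-MD5 over the packet with the placeholder zeroed and the Request
    # Authenticator in the Authenticator field; the placeholder is the last 16 bytes.
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def decode_attrs(packet):
    """Parse the TLVs after the 20-byte header into (name, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTR_NAME.get(atype, str(atype)), packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def allow_in_reply(attrs, allowed):
    """Model of an AllowInReply-style filter: keep only allow-listed attributes."""
    return [a for a in attrs if a[0] in allowed]

def missing_eap_challenge_attrs(attrs):
    """Names from REQUIRED_IN_EAP_CHALLENGE that the reply no longer carries."""
    present = {n for n, _ in attrs}
    return [n for n in REQUIRED_IN_EAP_CHALLENGE if n not in present]

def check_filtered_challenge(allowed):
    """Build the PEAP-start challenge, apply the filter, return what went missing."""
    secret, request_auth = b"constructed-secret", bytes(range(16))  # constructed values
    # EAP Request, id 1, length 6, type 25 (PEAP), flags: Start bit set, version 0.
    eap_peap_start = bytes([1, 1, 0, 6, 25, 0x20])
    attrs = [("Session-Timeout", struct.pack("!I", 60)),
             ("EAP-Message", eap_peap_start), ("State", b"constructed-state")]
    packet = build_access_challenge(196, request_auth, secret, attrs)
    return missing_eap_challenge_attrs(allow_in_reply(decode_attrs(packet), allowed))
```

Run the check against the reply allow-list of each client clause; any non-empty result names the attribute a switch such as the EX will be waiting for.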

Re: [RADIATOR] Microsoft AV (Was Re: EAP PEAP Authentication Failing)

2013-07-29 Thread Sami Keski-Kasari
Hello Neil,

Can you reply with Trace 4 logfile so that we can see what happens?

Best Regards,
  Sami

On 07/26/2013 10:39 PM, Johnson, Neil M wrote:
>
> I had our server folks completely re-install Windows on the server and
> I'm still getting the same problem (Accounting requests are processing
> fine. EAP Authentication is failing).
>
> I'm using the same version of RADIATOR, Perl, Perl modules,
> certificates, and configuration as 8 other servers that are working, but
> something about this server is different.
>
> Trace logs, output from eapol_test, and packet captures show that there
> is an initial request to RADIATOR and RADIATOR responds, but when the
> client makes its next request RADIATOR never responds. No error
> messages in the RADIATOR trace log.
>
> Ideas?
>
> -Neil
>
>
>
> From: Neil Johnson
> Date: Thursday, June 27, 2013 2:47 PM
> To: Alan Buxey
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] Microsoft AV (Was Re: EAP PEAP Authentication Failing)
>
> Well, according to our server support folks, they performed this same
> procedure on our other 8 RADIUS servers and didn't have any issues.
>
> They were using SCCM (Microsoft's System Center Configuration Manager)
> to automate the uninstall and re-install of the software rather than a
> manual process. I wonder if performing the actions by hand would make a
> difference.
>
> Since it appears to be one box, I'm assuming there was something wrong
> with it before the upgrade and it should be wiped and reinstalled from
> scratch.
>
> -Neil
>
>
> From: Alan Buxey
> Reply-To: Alan Buxey
> Date: Thursday, June 27, 2013 1:35 PM
> To: Neil Johnson
> Cc: Heikki Vatiainen, radiator@open.com.au
> Subject: Re: Microsoft AV (Was Re: [RADIATOR] EAP PEAP Authentication Failing)
>
> What would be interesting is whether a clean install of Windows and just
> the installation of the Microsoft SEP kills it
>
> alan
>
>
>
>


-- 
Sami Keski-Kasari 



Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-29 Thread Sami Keski-Kasari
Hello Garry,

Can you reply with a Trace 4 log file?

Best Regards,
  Sami


On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straight forward.  Here you go:
>
> # User check from user file
> <AuthBy FILE>
>  Identifier  user-file-auth
>  # Location of the users file
>  Filename    %D/users
>  # Supported EAP Types and session info
>  EAPType PEAP,TLS,MSCHAP-V2
>  EAPTLS_MaxFragmentSize  1024
>  EAPTLS_SessionResumptionLimit   60
>  # Certificate Info
>  EAPTLS_CAFile   %D/certs/ca.pem
>  EAPTLS_CertificateType  PEM
>  EAPTLS_PrivateKeyFile   %D/certs/%h.pem
>  EAPTLS_CertificateChainFile %D/certs/%h.pem
>  # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>  # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>  # that matches ConvertedFromEAPMSCHAPV2=1
>  EAP_PEAP_MSCHAP_Convert 1
>  # Deal with MPPE keys
>  AutoMPPEKeys
> </AuthBy>
>
> *From:* Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
> *Sent:* Saturday, July 27, 2013 7:22 AM
> *To:* Garry Shtern; 'radiator@open.com.au'
> *Subject:* Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
>
>
>
>  Original message 
> From: Garry Shtern
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: 'radiator@open.com.au'
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue.  I am trying to do PEAP/MSCHAPv2 via
> Juniper EX switch to Radiator.  I am seeing the Access-Request come in,
> and Radiator responds with Access-Challenge which is dropped by the EX.
>   However, I have the same switch pointing to Microsoft NPS and
> everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the
> following difference in responses:
>
> - NPS returns "Authenticator" and the following AVPs:
>   o Session-Timeout
>   o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
>   o State
>   o Message-Authenticator
>
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that Juniper EX has an issue with this and that’s why
> it’s dropping the frames, while Cisco IOS switch is absolutely fine and
> forwards the traffic back to the client w/o much of a consideration.
>
> Is there any easy way to force Radiator to add the same attributes to
> the Challenge as NPS?
>
> Thanks.
>
>
>
>


-- 
Sami Keski-Kasari 
