Cisco ACS 4.x Radius Proxy MS-CHAP Error


We have just deployed some Aerohive APs into our existing (Cisco) wireless deployment and we have an issue with an MS-CHAP error; the Cisco deployment works fine. We run two domains, staff and student, so we use ACS 4.2 to proxy the authentication requests, based on the suffix, to the relevant Microsoft NPS (Staff or Student). Cisco ACS returns the following error:

VSA: l=16 t=MS-CHAP-Error(2): \000E=691 R=0 V=3

We are running the following software on the APs:

HiveOS 6.1r6a.1794   AP   ver 3.1.6  

If we bypass the ACS server we can get the APs to authenticate users directly with NPS.

Any help would be greatly appreciated.


harvey khatri

  • 8 Posts
  • 0 Reply Likes

Posted 4 years ago


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
So, is this 802.1X with EAP and an inner-EAP type of MS-CHAP-v2? Or CWP access backed by RADIUS with plain MS-CHAP-v2?

If you are using 802.1X with EAP, the access point will just pass through the EAP untouched which means the issue would likely be in the client's supplicant or the RADIUS backend.

The error you are looking at appears to be an attribute in an Access-Reject as it includes the text VSA, which stands for vendor specific attribute. Not being intimately familiar with ACS myself, is there any better logging on the server itself that could provide more information?

harvey khatri

  • 8 Posts
  • 0 Reply Likes

Hi Nick

Sorry, I should have said, it's 802.1X with EAP. The packet flow is

Supplicant=>AP=>ACS=>Student NPS or Staff NPS

In this configuration the Cisco Wireless works fine but we receive an MS-CHAP error with Aerohive.

In this setup, the Aerohive works fine:

Supplicant=>AP=>Student NPS or Staff NPS

I appreciate the AP will just pass through the EAP; however, as the supplicant works fine with ACS removed, I am inclined to think the problem is a VSA issue with ACS. I was hoping someone had encountered this issue and could tell me what VSA was required. I did notice, though, that the Access-Request packet contained a Service-Type of 'Authorize-Only'; although I am aware of this service type I haven't seen it before, I believe it is used for CoA. Is this normal? Wireshark output below. I have also copied in the reject packet. I'm trying to see what logs I can get off the ACS and NPS servers.

No.     Time           Source                Destination           Protocol Length Info
     77 8596.013401000 x.x.25.2           x.x.48.10          RADIUS   196    Access-Request(1) (id=18, l=154)

Frame 77: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits) on interface 0
Ethernet II, Src: Aerohive_0c:4a:00 (9c:5d:12:0c:4a:00), Dst: JuniperN_df:cc:87 (00:24:dc:df:cc:87)
Internet Protocol Version 4, Src: x.x.25.2 (x.x.25.2), Dst: x.x.48.10 (x.x.48.10)
User Datagram Protocol, Src Port: 51655 (51655), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x12 (18)
    Length: 154
    Authenticator: e2b2b2e7f2c5b7db358f5967f8b74b6d
    [The response to this request is in frame 78]
    Attribute Value Pairs
        AVP: l=6  t=Service-Type(6): Authorize-Only(17)
            Service-Type: Authorize-Only (17)
        AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
            NAS-Port-Type: Wireless-802.11 (19)
        AVP: l=22  t=User-Name(1): khariha@student.tafe
            User-Name: test@student.x
        AVP: l=24  t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=18 t=MS-CHAP-Challenge(11): 4dfdd366297be4e4a44a728727776b75
        AVP: l=58  t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=52 t=MS-CHAP2-Response(25): d600e1ead1b304e1affa22a7ca60eed9473b000000000000...
        AVP: l=6  t=NAS-IP-Address(4): x.x.25.2
            NAS-IP-Address: x.x.25.2 (x.x.25.2)
        AVP: l=12  t=NAS-Identifier(32): NACManager
            NAS-Identifier: NACManager



No.     Time           Source                Destination           Protocol Length Info
     78 8596.044504000 x.x.48.10          x.x.25.2           RADIUS   84     Access-Reject(3) (id=18, l=42)


Radius Protocol
    Code: Access-Reject (3)
    Packet identifier: 0x12 (18)
    Length: 42
    Authenticator: 0c91968552cfa63cb1a5cfb8068249fa
    [This is a response to a request in frame 77]
    [Time from request: 0.031103000 seconds]
    Attribute Value Pairs
        AVP: l=22  t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=16 t=MS-CHAP-Error(2): \000E=691 R=0 V=3
                MS-CHAP-Error:





Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
For 802.1X, the Service-Type must always be Framed, as per RFC 3580.

I will have a think through what you have posted and see if anything comes to mind.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Right, okay. Looking at what you have posted, that is not what we expect for 802.1X authentication, which mandates EAP by the standards and a Service-Type of Framed. That appears to be plain MS-CHAP-v2 for something else. What is NACManager? Is that really coming from the Aerohive AP?
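The checks Nick applies by eye to the two captures above (is there an EAP-Message, is Service-Type Framed as RFC 3580 requires, or is it bare MS-CHAP-v2, and what does the MS-CHAP-Error text mean) can be written as a small RADIUS attribute walker. The code below is an added example, not part of the original thread and not Aerohive, Cisco or Microsoft code; the sample packets are constructed to mirror the attribute layout of the posted frames, with zeroed authenticators and dummy challenge/response bytes, and the attribute numbers come from RFC 2865, RFC 2869 and RFC 2548.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2869) and Microsoft VSA subtypes (RFC 2548).
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 1, 6, 26
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 61, 79, 80
VENDOR_MICROSOFT = 311
MS_CHAP_ERROR, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 2, 11, 25
SERVICE_TYPE_FRAMED, SERVICE_TYPE_AUTHORIZE_ONLY = 2, 17
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Error codes carried in the "E=" field of MS-CHAP-Error (RFC 2548 section 2.1.6).
MSCHAP_ERROR_NAMES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                      648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                      691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value


def ms_vsa(subtype: int, value: bytes) -> bytes:
    """Encode a Microsoft Vendor-Specific attribute in the RFC 2865 recommended sub-TLV layout."""
    return avp(ATTR_VENDOR_SPECIFIC,
               struct.pack("!I", VENDOR_MICROSOFT) + bytes([subtype, len(value) + 2]) + value)


def build_packet(code: int, ident: int, attributes: bytes) -> bytes:
    """Constructed sample packet: the 16-byte Authenticator is zeroed, so it is not a valid signed packet."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + bytes(16) + attributes


def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and walk the AVP list; Microsoft VSAs are expanded to (vendor, subtype, value)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed AVP length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and \
                struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT:
            vpos = 4
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed Microsoft VSA")
                avps.append((ATTR_VENDOR_SPECIFIC, (VENDOR_MICROSOFT, vtype, value[vpos + 2:vpos + vlen])))
                vpos += vlen
        else:
            avps.append((attr_type, value))  # other vendors' VSAs are kept raw
        pos += attr_len
    return {"code": code, "id": ident, "avps": avps}


def classify_request(parsed: dict) -> str:
    """802.1X must carry EAP-Message with Service-Type=Framed (RFC 3580); MS-CHAP VSAs without EAP is bare MS-CHAP-v2."""
    types = [t for t, _ in parsed["avps"]]
    service = next((struct.unpack("!I", v)[0] for t, v in parsed["avps"] if t == ATTR_SERVICE_TYPE), None)
    has_eap = ATTR_EAP_MESSAGE in types
    has_mschap = any(t == ATTR_VENDOR_SPECIFIC and isinstance(v, tuple)
                     and v[1] in (MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE) for t, v in parsed["avps"])
    if has_eap and service == SERVICE_TYPE_FRAMED:
        return "802.1X-EAP"
    if has_mschap and not has_eap:
        return "plain-MSCHAPv2"
    return "unexpected"


def parse_mschap_error(value: bytes) -> dict:
    """Decode the MS-CHAP-Error string: one Ident byte, then text like 'E=691 R=0 V=3' (an optional M= message is ignored)."""
    ident, text = value[0], value[1:].decode("ascii", "replace")
    fields = dict(part.split("=", 1) for part in text.split() if "=" in part)
    code = int(fields["E"]) if fields.get("E", "").isdigit() else None
    return {"ident": ident, "error": code, "name": MSCHAP_ERROR_NAMES.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1", "version": fields.get("V")}


def mschap_errors(parsed: dict) -> list:
    return [parse_mschap_error(v[2]) for t, v in parsed["avps"]
            if t == ATTR_VENDOR_SPECIFIC and isinstance(v, tuple) and v[1] == MS_CHAP_ERROR]


# Constructed samples modelled on the attribute layout of the posted frames (dummy values throughout).
TEST_TOOL_REQUEST = build_packet(1, 18,
    avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY))
    + avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", 19))
    + avp(ATTR_USER_NAME, b"test@student.x")
    + ms_vsa(MS_CHAP_CHALLENGE, bytes(16)) + ms_vsa(MS_CHAP2_RESPONSE, bytes(50)))
DOT1X_REQUEST = build_packet(1, 17,
    avp(ATTR_USER_NAME, b"user@student.x")
    + avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", 19))
    + avp(ATTR_EAP_MESSAGE, b"\x02\xf9\x00\x13\x01user@student.x")  # EAP Response/Identity
    + avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
    + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
REJECT = build_packet(3, 18, ms_vsa(MS_CHAP_ERROR, b"\x00E=691 R=0 V=3"))

if __name__ == "__main__":
    for pkt in (TEST_TOOL_REQUEST, DOT1X_REQUEST):
        p = parse_radius(pkt)
        print(CODE_NAMES[p["code"]], "id", p["id"], "->", classify_request(p))
    print(CODE_NAMES[3], mschap_errors(parse_radius(REJECT)))
```

Run against the two posted Access-Requests, the first classifies as bare MS-CHAP-v2 with Authorize-Only and the second (a real client) as 802.1X EAP, and the reject decodes to E=691, ERROR_AUTHENTICATION_FAILURE, no retry, version 3; the reject's 42-byte length and the 22/16-byte VSA lengths match the capture exactly.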

harvey khatri

  • 8 Posts
  • 0 Reply Likes
NACManager is just a NAS-ID we have used in our access rules. I'll double check the config on HiveManager but I believe 802.1X is configured.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
We should see a TLS-based EAP type with many Access-Requests and Access-Challenges going back and forward before the Access-Accept.

I would first check that the supplicant is configured to use PEAP with MS-CHAP-v2.
It may be that you are using EAP-MS-CHAP-v2 by mistake and HiveOS is setting the Service-Type to Authorize-Only.

Are you using something like AnyConnect as the supplicant? I do not believe it is possible to do this with the Windows native supplicant.

The fact that this can succeed at all with your Cisco APs suggests that the configuration in NPS is also incorrect to allow an insecure authentication method. Naked MS-CHAP-v2 is horrendously insecure.

What do you have in your Connection Request Policy and Network Policy in NPS?

(I spent some time cleaning up the display of the TLS-based EAP and EAPOL dissectors in Wireshark in a patch I submitted which was included so I know what we are expecting to see here!)

harvey khatri

  • 8 Posts
  • 0 Reply Likes

Hi Nick


Let's pick this up again on Tuesday when I'm in the office. The packet capture was from the RADIUS test tool in HiveManager so it is not an actual user authentication. The Aerohive kit was configured by Beachhead, Aerohive's resellers, so I can't comment on your response above, but I'll confirm the configuration with you on Tuesday and get packet captures of an actual authentication. Thank you kindly for all your prompt responses and have a great weekend.


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Aha, this makes sense now! The test function is using plain MS-CHAP-v2, so it is not in any way a valid simulation of 802.1X that uses EAP. It is only really testing that the RADIUS server is available to service requests. You need a capture of what happens when a real client is used if these are not working.

This also explains the Service-Type of Authorize-Only. (I did not know that the RADIUS test tool used this, I do now!)

If you have only tested with the RADIUS test tool and not real clients, you will likely find that they are working.

You need specific configuration in NPS for the test to get an Access-Accept that differs from that of an 802.1X client using EAP. An Access-Reject is normal, typical and expected otherwise. It does not in itself show that anything is wrong here.

You can ignore my comments about plain MS-CHAP-v2 and it being insecure as they will not be applicable or relevant to your 802.1X clients, nor are the logs you have posted which sent me down the wrong path.

harvey khatri

  • 8 Posts
  • 0 Reply Likes
My apologies for that, I should have realised they were test packets. I'll run the tests on Tuesday and get back to you. Thanks again

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
No need to apologise! :) I didn't mean it like that and only meant what I said in the purely factual sense - sorry if it came over badly! This type of thing always interests me, it will be great to get to the bottom of it!

Interestingly, I think this reinforces the need for Aerohive to implement PEAP and TTLS support for the CWP and the RADIUS test function so that it can simulate real clients.

harvey khatri

  • 8 Posts
  • 0 Reply Likes

Hi Nick

Apologies for not being in touch, I was off ill all of last week. I have completed the packet captures with an actual client and this time we have a number of Access-Challenges in the conversation. I have copied in the packets below, apologies for the length, but I wanted to ensure you got the whole conversation. I have not changed any settings on the supplicant at this point. I am looking forward to hearing your thoughts and I thank you in advance for your time and assistance.


No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    172.16.25.2           10.116.48.10          RADIUS   227    Access-Request(1) (id=17, l=185)


Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x11 (17)
    Length: 185
    Authenticator: 92093107d22b2e82a9e7db0052e7a9cb
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=23  t=User-Name(1): wrightc3@student.tafe
            User-Name: wrightc3@student.tafe
        AVP: l=6  t=NAS-IP-Address(4): 172.16.25.2
            NAS-IP-Address: 172.16.25.2 (172.16.25.2)
        AVP: l=12  t=NAS-Identifier(32): AerohiveAP
            NAS-Identifier: AerohiveAP
        AVP: l=6  t=NAS-Port(5): 0
            NAS-Port: 0
        AVP: l=35  t=Called-Station-Id(30): 9C-5D-12-0C-4A-24:Aerohive-802.1x
            Called-Station-Id: 9C-5D-12-0C-4A-24:Aerohive-802.1x
        AVP: l=19  t=Calling-Station-Id(31): 90-00-4E-19-23-54
            Calling-Station-Id: 90-00-4E-19-23-54
        AVP: l=6  t=Framed-MTU(12): 1500
            Framed-MTU: 1500
        AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
            NAS-Port-Type: Wireless-802.11 (19)
        AVP: l=28  t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 249
                Length: 26
                Type: Identity (1)
                Identity: wrightc3@student.tafe
        AVP: l=6  t=Service-Type(6): Framed(2)
            Service-Type: Framed (2)
        AVP: l=18  t=Message-Authenticator(80): 1b24a4c9b25f9e95b2a6b016c0471823
            Message-Authenticator: 1b24a4c9b25f9e95b2a6b016c0471823




No.     Time           Source                Destination           Protocol Length Info
      2 0.048193000    10.116.48.10          172.16.25.2           RADIUS   132    Access-Challenge(11) (id=17, l=90)


Radius Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x11 (17)
    Length: 90
    Authenticator: 6e535cdfc76a259dbc262cfe8ffaf8f7
    [This is a response to a request in frame 1]
    [Time from request: 0.048193000 seconds]
    Attribute Value Pairs
        AVP: l=6  t=Session-Timeout(27): 30
            Session-Timeout: 30
        AVP: l=8  t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 250
                Length: 6
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0x20
                    0... .... = Length Included: False
                    .0.. .... = More Fragments: False
                    ..1. .... = Start: True
                    .... .000 = Version: 0
        AVP: l=38  t=State(24): 1f9d022d0000013700010200ac10300e0000000000000000...
            State: 1f9d022d0000013700010200ac10300e0000000000000000...
        AVP: l=18  t=Message-Authenticator(80): 5787e52ca14d71005130c0440fe55aeb
            Message-Authenticator: 5787e52ca14d71005130c0440fe55aeb



No.     Time           Source                Destination           Protocol Length Info
      3 0.051366000    172.16.25.2           10.116.48.10          RADIUS   357    Access-Request(1) (id=18, l=315)


Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x12 (18)
    Length: 315
    Authenticator: 0aaebe35e06d8322d3378f0e856276f3
    Attribute Value Pairs
        AVP: l=23  t=User-Name(1): wrightc3@student.tafe
            User-Name: wrightc3@student.tafe
        AVP: l=6  t=NAS-IP-Address(4): 172.16.25.2
            NAS-IP-Address: 172.16.25.2 (172.16.25.2)
        AVP: l=12  t=NAS-Identifier(32): AerohiveAP
            NAS-Identifier: AerohiveAP
        AVP: l=6  t=NAS-Port(5): 0
            NAS-Port: 0
        AVP: l=35  t=Called-Station-Id(30): 9C-5D-12-0C-4A-24:Aerohive-802.1x
            Called-Station-Id: 9C-5D-12-0C-4A-24:Aerohive-802.1x
        AVP: l=19  t=Calling-Station-Id(31): 90-00-4E-19-23-54
            Calling-Station-Id: 90-00-4E-19-23-54
        AVP: l=6  t=Framed-MTU(12): 1500
            Framed-MTU: 1500
        AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
            NAS-Port-Type: Wireless-802.11 (19)
        AVP: l=120  t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 250
                Length: 118
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0x80
                    1... .... = Length Included: True
                    .0.. .... = More Fragments: False
                    ..0. .... = Start: False
                    .... .000 = Version: 0
                EAP-TLS Length: 108
                Secure Sockets Layer
                    TLSv1 Record Layer: Handshake Protocol: Client Hello
                        Content Type: Handshake (22)
                        Version: TLS 1.0 (0x0301)
                        Length: 103
                        Handshake Protocol: Client Hello
                            Handshake Type: Client Hello (1)
                            Length: 99
                            Version: TLS 1.0 (0x0301)
                            Random
                                gmt_unix_time: Oct  7, 2014 14:37:04.000000000 E. Australia Standard Time
                                random_bytes: 7c2c5633f2c10799613b04e202880042bc59626bd6dd8451...
                            Session ID Length: 0
                            Cipher Suites Length: 24
                            Cipher Suites (12 suites)
                                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                            Compression Methods Length: 1
                            Compression Methods (1 method)
                                Compression Method: null (0)
                            Extensions Length: 34
                            Extension: renegotiation_info
                                Type: renegotiation_info (0xff01)
                                Length: 1
                                Renegotiation Info extension
                                    Renegotiation info extension length: 0
                            Extension: status_request
                                Type: status_request (0x0005)
                                Length: 5
                                Data (5 bytes)
                            Extension: elliptic_curves
                                Type: elliptic_curves (0x000a)
                                Length: 6
                                Elliptic Curves Length: 4
                                Elliptic curves (2 curves)
                                    Elliptic curve: secp256r1 (0x0017)
                                    Elliptic curve: secp384r1 (0x0018)
                            Extension: ec_point_formats
                                Type: ec_point_formats (0x000b)
                                Length: 2
                                EC point formats Length: 1
                                Elliptic curves point formats (1)
                                    EC point format: uncompressed (0)
                            Extension: SessionTicket TLS
                                Type: SessionTicket TLS (0x0023)
                                Length: 0
                                Data (0 bytes)
        AVP: l=38  t=State(24): 1f9d022d0000013700010200ac10300e0000000000000000...
            State: 1f9d022d0000013700010200ac10300e0000000000000000...
        AVP: l=6  t=Service-Type(6): Framed(2)
            Service-Type: Framed (2)
        AVP: l=18  t=Message-Authenticator(80): 8d484806d54ed04f001ea7cd16e462f1
            Message-Authenticator: 8d484806d54ed04f001ea7cd16e462f1



No.     Time           Source                Destination           Protocol Length Info
  28972 2771.233905000 10.116.48.10          172.16.25.2           RADIUS   152    Access-Challenge(11) (id=18, l=1590)


Radius Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x12 (18)
    Length: 1590
    Authenticator: 769bf2d277c0f69a78db1a77501ab0df
    [This is a response to a request in frame 28970]
    [Time from request: 0.060417000 seconds]
    Attribute Value Pairs
        AVP: l=6  t=Session-Timeout(27): 30
            Session-Timeout: 30
        AVP: l=255  t=EAP-Message(79) Segment[1]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[2]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[3]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[4]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[5]
            EAP fragment
        AVP: l=233  t=EAP-Message(79) Last Segment[6]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 251
                Length: 1496
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0xc0
                    1... .... = Length Included: True
                    .1.. .... = More Fragments: True
                    ..0. .... = Start: False
                    .... .000 = Version: 0
                EAP-TLS Length: 3156
                [3 EAP-TLS Fragments (3156 bytes): #28972(1486), #28975(1490), #28977(180)]
                    [Frame: 28972, payload: 0-1485 (1486 bytes)]
                    [Frame: 28975, payload: 1486-2975 (1490 bytes)]
                    [Frame: 28977, payload: 2976-3155 (180 bytes)]
                    [Fragment Count: 3]
                    [Reassembled EAP-TLS Length: 3156]
                Secure Sockets Layer
                    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
                        Content Type: Handshake (22)
                        Version: TLS 1.0 (0x0301)
                        Length: 3151
                        Handshake Protocol: Server Hello
                            Handshake Type: Server Hello (2)
                            Length: 77
                            Version: TLS 1.0 (0x0301)
                            Random
                                gmt_unix_time: Oct  7, 2014 14:37:05.000000000 E. Australia Standard Time
                                random_bytes: f0a3c1a55486fbb646efea527c4ecfe5a6fab6e617fa094b...
                            Session ID Length: 32
                            Session ID: ce0e0000cbbedcdacd32acaef02c769aa28fd53cee8f896b...
                            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                            Compression Method: null (0)
                            Extensions Length: 5
                            Extension: renegotiation_info
                                Type: renegotiation_info (0xff01)
                                Length: 1
                                Renegotiation Info extension
                                    Renegotiation info extension length: 0
                        Handshake Protocol: Certificate
                            Handshake Type: Certificate (11)
                            Length: 1380
                            Certificates Length: 1377
                            Certificates (1377 bytes)
                                Certificate Length: 1374
                                Certificate (id-at-commonName=MOLEDUDC3.student.tafe)
                                    signedCertificate
                                        version: v3 (2)
                                        serialNumber : 0x6102514300000000000c
                                        signature (shaWithRSAEncryption)
                                            Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                                        issuer: rdnSequence (0)
                                            rdnSequence: 3 items (id-at-commonName=BTQEDUCS1-CA,dc=student,dc=tafe)
                                                RDNSequence item: 1 item (dc=tafe)
                                                    RelativeDistinguishedName item (dc=tafe)
                                                        Id: 0.9.2342.19200300.100.1.25 (dc)
                                                        IA5String: tafe
                                                RDNSequence item: 1 item (dc=student)
                                                    RelativeDistinguishedName item (dc=student)
                                                        Id: 0.9.2342.19200300.100.1.25 (dc)
                                                        IA5String: student
                                                RDNSequence item: 1 item (id-at-commonName=BTQEDUCS1-CA)
                                                    RelativeDistinguishedName item (id-at-commonName=BTQEDUCS1-CA)
                                                        Id: 2.5.4.3 (id-at-commonName)
                                                        DirectoryString: printableString (1)
                                                            printableString: BTQEDUCS1-CA
                                        validity
                                            notBefore: utcTime (0)
                                                utcTime: 14-03-18 22:01:34 (UTC)
                                            notAfter: utcTime (0)
                                                utcTime: 15-03-18 22:01:34 (UTC)
                                        subject: rdnSequence (0)
                                            rdnSequence: 1 item (id-at-commonName=MOLEDUDC3.student.tafe)
                                                RDNSequence item: 1 item (id-at-commonName=MOLEDUDC3.student.tafe)
                                                    RelativeDistinguishedName item (id-at-commonName=MOLEDUDC3.student.tafe)
                                                        Id: 2.5.4.3 (id-at-commonName)
                                                        DirectoryString: printableString (1)
                                                            printableString: MOLEDUDC3.student.tafe
                                        subjectPublicKeyInfo
                                            algorithm (rsaEncryption)
                                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                                            Padding: 0
                                            subjectPublicKey: 30818902818100bb49f927278853ce79d7b48afa246f4ec7...
                                        extensions: 9 items
                                            Extension (id-ms-certificate-template-name)
                                                Extension Id: 1.3.6.1.4.1.311.20.2 (id-ms-certificate-template-name)
                                                BMPString:  DomainController
                                            Extension (id-ce-extKeyUsage)
                                                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                                                KeyPurposeIDs: 2 items
                                                    KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
                                                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
                                            Extension (id-ce-keyUsage)
                                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                                Padding: 5
                                                KeyUsage: a0 (digitalSignature, keyEncipherment)
                                                    1... .... = digitalSignature: True
                                                    .0.. .... = contentCommitment: False
                                                    ..1. .... = keyEncipherment: True
                                                    ...0 .... = dataEncipherment: False
                                                    .... 0... = keyAgreement: False
                                                    .... .0.. = keyCertSign: False
                                                    .... ..0. = cRLSign: False
                                                    .... ...0 = encipherOnly: False
                                                    0... .... = decipherOnly: False
                                            Extension (id-smime-capabilities)
                                                Extension Id: 1.2.840.113549.1.9.15 (id-smime-capabilities)
                                                SMIMECapabilities: 8 items
                                                    SMIMECapability id-alg-rc2-cbc (128 bits)
                                                        attrType: 1.2.840.113549.3.2 (id-alg-rc2-cbc)
                                                        RC2CBCParameters: rc2WrapParameter (0)
                                                            rc2WrapParameter: 128
                                                    SMIMECapability id-alg-rc4 (128 bits)
                                                        attrType: 1.2.840.113549.3.4 (id-alg-rc4)
                                                        RC2CBCParameters: rc2WrapParameter (0)
                                                            rc2WrapParameter: 128
                                                    SMIMECapability joint-iso-itu-t.16.840.1.101.3.4.1.42
                                                        attrType: 2.16.840.1.101.3.4.1.42 (joint-iso-itu-t.16.840.1.101.3.4.1.42)
                                                    SMIMECapability joint-iso-itu-t.16.840.1.101.3.4.1.45
                                                        attrType: 2.16.840.1.101.3.4.1.45 (joint-iso-itu-t.16.840.1.101.3.4.1.45)
                                                    SMIMECapability joint-iso-itu-t.16.840.1.101.3.4.1.2
                                                        attrType: 2.16.840.1.101.3.4.1.2 (joint-iso-itu-t.16.840.1.101.3.4.1.2)
                                                    SMIMECapability joint-iso-itu-t.16.840.1.101.3.4.1.5
                                                        attrType: 2.16.840.1.101.3.4.1.5 (joint-iso-itu-t.16.840.1.101.3.4.1.5)
                                                    SMIMECapability id-alg-des-cbc
                                                        attrType: 1.3.14.3.2.7 (id-alg-des-cbc)
                                                    SMIMECapability id-alg-des-ede3-cbc
                                                        attrType: 1.2.840.113549.3.7 (id-alg-des-ede3-cbc)
                                            Extension (id-ce-subjectKeyIdentifier)
                                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                                SubjectKeyIdentifier: 0f8ba824c1a52695749220fc2a12aa62a2fdd741
                                            Extension (id-ce-authorityKeyIdentifier)
                                                Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
                                                AuthorityKeyIdentifier
                                                    keyIdentifier: f26305e7d41d8d4bd21c68b515223d2410d11d9a
                   &


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Harvey,

Could you email me the pcap / pcap-ng file of the whole exchange to my private email address, nick.lowe {at} gmail.com ?

Do you also have a capture of the successful case?

The exchange that you have posted above isn't concluded to an Access-Reject. The last frame you have posted is an Access-Challenge from the RADIUS server to the client earlier on in the TLS handshaking process.

Thanks,

Nick

harvey khatri

  • 8 Posts
  • 0 Reply Likes

Hi Nick


Apologies, I have just checked the text file and it does have all the packets in there; maybe the website has a text limit, who knows! I will email over the pcap file.

I can organize a capture of a successful auth, using the ACS and NPS servers; however, the RADIUS request will originate from the Cisco WLC, as we haven't had any successful auth from the Aerohive WAP.

Thanks again for all your help it really is appreciated.

Harvey


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Just to keep this thread updated for anybody following along. I have taken a look at the capture and the issue shown there is a failed SSL/TLS handshake within the EAP. This is highly unlikely to be anything Aerohive related as the EAP payload is relayed untouched as an opaque blob from the RADIUS server to the client supplicant and vice versa.

The server certificate that is being used in the Server Hello derives from a root certificate which the supplicant does not trust. It therefore terminates the authentication attempt with the TLS Fatal Alert of Unknown CA.

Because a tunnel is never established, no MS-CHAP-v2 is ever exchanged here.

Harvey, I cannot see how this could be working with Cisco. Please can I also therefore have a capture of a successful case?

Can you check that the server certificate you have configured in the EAP-terminating RADIUS server is correct and that the client (supplicant) is configured to validate it correctly?

(The 'Ignored Unknown Record' shown in Wireshark frame 8 is likely due to fragmentation, which wouldn't be a problem, but it could be due to truncation/corruption. I haven't dug into this in depth by performing manual reassembly though.)


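Nick's diagnosis rests on two things the EAP dissection above makes visible: the EAP-TLS flag byte (Length Included / More Fragments / Start) that lets the PEAP server hand a 3156-byte Server Hello plus Certificate across several Access-Challenges, and the TLS record the supplicant sends back, here a fatal alert rather than a Client Key Exchange. The following is an added example, not code from the thread or from Aerohive/Wireshark: it reassembles EAP-TLS/PEAP fragments (RFC 5216 section 3.1 flag layout) into the TLS byte stream and reports a fatal TLS alert such as unknown_ca (description 48 in RFC 5246). The fragment ids, the dummy handshake body and the alert packet are constructed for the example; the intermediate Response/ACK frames a real exchange would carry are omitted.

```python
import struct

# EAP codes/types (RFC 3748) and the EAP-TLS/PEAP flag byte (RFC 5216 section 3.1).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS, EAP_TYPE_PEAP = 13, 25
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20
# TLS record content types and alert descriptions (RFC 5246 sections 6.2 and 7.2).
TLS_ALERT, TLS_HANDSHAKE = 21, 22
ALERT_LEVEL_FATAL = 2
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}


def build_eap_tls(code, ident, eap_type, flags, data, total_length=None):
    """Build one EAP-TLS/PEAP packet; the 4-byte TLS Length field is present only when the L flag is set."""
    body = bytes([eap_type, flags])
    if flags & FLAG_LENGTH_INCLUDED:
        body += struct.pack("!I", len(data) if total_length is None else total_length)
    body += data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap_tls(eap: bytes) -> dict:
    """Parse the EAP header, the EAP-TLS flag byte and the optional TLS Length, returning the TLS data fragment."""
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if length != len(eap):
        raise ValueError("EAP Length does not match packet size")
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError(f"not an EAP-TLS or PEAP packet (type {eap_type})")
    pos, total = 6, None
    if flags & FLAG_LENGTH_INCLUDED:
        total, pos = struct.unpack("!I", eap[6:10])[0], 10
    return {"code": code, "id": ident, "type": eap_type,
            "length_included": bool(flags & FLAG_LENGTH_INCLUDED),
            "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
            "start": bool(flags & FLAG_START), "tls_length": total, "data": eap[pos:]}


def reassemble_tls(fragments) -> bytes:
    """Concatenate fragment data until More Fragments clears and check it against the declared TLS Length."""
    buf, declared = b"", None
    for frag in map(parse_eap_tls, fragments):
        if declared is None:
            declared = frag["tls_length"]
        buf += frag["data"]
        if not frag["more_fragments"]:
            break
    else:
        raise ValueError("More Fragments still set after the last fragment (truncated capture?)")
    if declared is not None and len(buf) != declared:
        raise ValueError(f"declared TLS length {declared}, reassembled {len(buf)}")
    return buf


def tls_records(data: bytes) -> list:
    """Split a TLS byte stream into (content_type, version, body); a truncated trailing record is dropped."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        if len(body) < rlen:
            break
        records.append((ctype, version, body))
        pos += 5 + rlen
    return records


def fatal_alert(data: bytes):
    """Return the name of the first fatal TLS alert in the stream, or None if the handshake was not aborted."""
    for ctype, _, body in tls_records(data):
        if ctype == TLS_ALERT and len(body) == 2 and body[0] == ALERT_LEVEL_FATAL:
            return ALERT_NAMES.get(body[1], f"alert_{body[1]}")
    return None


# Constructed samples. PEAP_START mirrors frame 2 above (Request, id 250, flags 0x20, length 6).
PEAP_START = build_eap_tls(EAP_REQUEST, 250, EAP_TYPE_PEAP, FLAG_START, b"")
# A dummy 69-byte Handshake record standing in for the Server Hello, split over three Requests.
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x40" + bytes(range(64))
SERVER_FRAGMENTS = [
    build_eap_tls(EAP_REQUEST, 251, EAP_TYPE_PEAP, FLAG_LENGTH_INCLUDED | FLAG_MORE_FRAGMENTS,
                  HANDSHAKE_RECORD[:30], len(HANDSHAKE_RECORD)),
    build_eap_tls(EAP_REQUEST, 252, EAP_TYPE_PEAP, FLAG_MORE_FRAGMENTS, HANDSHAKE_RECORD[30:60]),
    build_eap_tls(EAP_REQUEST, 253, EAP_TYPE_PEAP, 0, HANDSHAKE_RECORD[60:]),
]
# The supplicant's reply when it does not trust the issuing CA: Alert record, level fatal (2), unknown_ca (48).
UNKNOWN_CA_ALERT = build_eap_tls(EAP_RESPONSE, 253, EAP_TYPE_PEAP, FLAG_LENGTH_INCLUDED,
                                 b"\x15\x03\x01\x00\x02\x02\x30")

if __name__ == "__main__":
    print("PEAP start:", parse_eap_tls(PEAP_START))
    print("server bytes reassembled:", len(reassemble_tls(SERVER_FRAGMENTS)))
    print("client alert:", fatal_alert(reassemble_tls([UNKNOWN_CA_ALERT])))
```

With a real pcap, feed the EAP-Message values of each Access-Challenge (concatenated in order, as Wireshark does for the six 255-byte segments of frame 28972) to `reassemble_tls`, then `fatal_alert` on the client's next Response; an unknown_ca result points at the supplicant's trust settings or the server certificate chain, not at the AP, which only relays the EAP payload.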

harvey khatri

  • 8 Posts
  • 0 Reply Likes

Hi Nick

Apologies for the delay in getting back to you, I have been travelling interstate and have only just got back. I'll organize a successful capture in the next day or so, but in the meantime I will double check the cert situation and get back to you.


Thanks Nick you are truly a great help.