I have a project that involves custom client authentication for the StrongSwan IKEv2 server implementation on Linux.
I am running: StrongSwan 5.4.0 with eap-radius plugin
Currently, we use FreeRadius to speak EAP-MSCHAPv2 with various client platforms (Windows, Mac, Linux). Due to some limitations, we need to implement our own RADIUS "speaking" + EAP-MSCHAPv2 server to replace FreeRadius. I wont go into details as to why this is needed (but I will say that it is required), but, I am running into an issue that I can't seem to figure out.
Following the RFC specs for the RADIUS protocol, as well as the EAP and MSCHAPv2 protocols, I have created a POC server that authenticates clients. The implementation works for all Mac OSX clients, Android clients (using strongswan app), and linux clients.
The issues start with Windows clients (tested Windows 10 + 7). For some reason, the Windows client errors out with code 691, which is a generic error that implies either a wrong username/password, or wrong authentication protocol.
I have confirmed in numerous ways that my EAP-MSCHAPv2 implementation follows the RFC specs:
MSCHAPv2 RFC: https://www.rfc-editor.org/rfc/rfc2759
At the bottom of that RFC, there are example data sets. When I use the username and password in those examples, my code generates the correct output:
INPUTS:
AuthenticatorChallenge = 5B5D7C7D7B3F2F3E3C2C602132262628
PeerChallenge = 21402324255E262A28295F2B3A337C7E
username = "User"
password = "clientPass"
OUTPUT:
8-octet Challenge: = D02E4386BCE91226
24 octet NT-Response:: 82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF
42-octet AuthenticatorResponse: S=407A5589115FD0D6209F510FE9C04566932CDA56
This validates that my implementation is following the RFC spec for the data that should be calculated during the MSCHAPv2 portions of the EAP conversation. This is also confirmed by the fact that Mac, Android and Linux clients authenticate successfully.
This leads me to beleive that the Windows error is related to the packet format, and not the underlying values being generated by my code. To that end, I enabled full debug logging in StrongSwan and pointed the authentication back to FreeRadius, so that I could log a successful authentication conversation with FreeRadius, then compare the packets with my own POC.
The following is a successful Windows EAP conversation with FreeRadius:
- EAP Identity + Challenge Response
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> sending RADIUS Access-Request to server '127.0.0.1'
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> => 168 bytes @ 0x7f55f00014b0
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 0: 01 F6 00 A8 73 40 3E 5D A8 2A 50 21 53 8E FE 52 ....s@>].*P!S..R
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 16: 0F 14 D1 8E 01 12 72 34 32 6D 33 6E 63 76 2D 65 ......r42m3ncv-e
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 32: 38 77 66 70 67 33 3D 06 00 00 00 05 06 06 00 00 8wfpg3=.........
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 48: 00 02 05 06 00 00 00 01 57 10 69 6B 65 76 32 2D ........W.ikev2-
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 64: 6D 73 63 68 61 70 76 32 04 06 C4 34 2E 23 1E 0E mschapv2...4.#..
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 80: 31 39 36 2E 35 32 2E 34 36 2E 33 35 1F 10 36 36 196.52.46.35..66
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 96: 2E 32 30 37 2E 32 30 38 2E 32 32 36 4F 17 02 00 .207.208.226O...
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 112: 00 15 01 72 34 32 6D 33 6E 63 76 2D 65 38 77 66 ...r42m3ncv-e8wf
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 128: 70 67 33 20 13 63 61 2D 30 30 31 5F 73 74 72 6F pg3 .ca-001_stro
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 144: 6E 67 73 77 61 6E 50 12 E1 CD BD 37 42 F0 6C BE ngswanP....7B.l.
Jul 30 01:02:38 87[CFG] <ikev2-mschapv2|1> 160: 64 AB BD F6 19 B6 9A A6 d.......
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> received RADIUS Access-Challenge from server '127.0.0.1'
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> => 112 bytes @ 0x7f55f0000de0
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 0: 0B F6 00 70 ED 7D 83 2C AF 6E 81 05 ED E7 73 43 ...p.}.,.n....sC
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 16: 60 19 76 B7 1A 0C 00 00 01 37 1C 06 0A FF FF 03 `.v......7......
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 32: 4F 2C 01 01 00 2A 1A 01 01 00 25 10 FC 80 3D 84 O,...*....%...=.
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 48: 7A A0 ED DC FF E3 CB 7C C3 07 62 FC 72 34 32 6D z......|..b.r42m
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 64: 33 6E 63 76 2D 65 38 77 66 70 67 33 50 12 63 4F 3ncv-e8wfpg3P.cO
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 80: 24 0B F0 D1 B3 09 7B 74 40 5C DF FC FB CC 18 12 $.....{t@\......
Jul 30 01:02:39 87[CFG] <ikev2-mschapv2|1> 96: 01 A0 90 AE 01 A1 8A DA 3E A1 21 17 0E 05 88 2C ........>.!....,
Jul 30 01:02:39 87[IKE] <ikev2-mschapv2|1> EAP_MSCHAPV2 payload => 42 bytes @ 0x7f55f0000ee0
Jul 30 01:02:39 87[IKE] <ikev2-mschapv2|1> 0: 01 01 00 2A 1A 01 01 00 25 10 FC 80 3D 84 7A A0 ...*....%...=.z.
Jul 30 01:02:39 87[IKE] <ikev2-mschapv2|1> 16: ED DC FF E3 CB 7C C3 07 62 FC 72 34 32 6D 33 6E .....|..b.r42m3n
Jul 30 01:02:39 87[IKE] <ikev2-mschapv2|1> 32: 63 76 2D 65 38 77 66 70 67 33 cv-e8wfpg3
Jul 30 01:02:39 87[IKE] <ikev2-mschapv2|1> initiating EAP_MSCHAPV2 method (id 0x01)
- EAP Request Packet + Success Packet (Access-Challenge) Response:
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> sending RADIUS Access-Request to server '127.0.0.1'
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> => 240 bytes @ 0x7f5618001570
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 0: 01 F7 00 F0 8A 5D 27 E3 01 D1 65 4C 07 7B CC 4A .....]'...eL.{.J
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 16: 41 12 87 95 01 12 72 34 32 6D 33 6E 63 76 2D 65 A.....r42m3ncv-e
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 32: 38 77 66 70 67 33 3D 06 00 00 00 05 06 06 00 00 8wfpg3=.........
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 48: 00 02 05 06 00 00 00 01 57 10 69 6B 65 76 32 2D ........W.ikev2-
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 64: 6D 73 63 68 61 70 76 32 04 06 C4 34 2E 23 1E 0E mschapv2...4.#..
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 80: 31 39 36 2E 35 32 2E 34 36 2E 33 35 1F 10 36 36 196.52.46.35..66
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 96: 2E 32 30 37 2E 32 30 38 2E 32 32 36 4F 4D 02 01 .207.208.226OM..
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 112: 00 4B 1A 02 01 00 46 31 7F D3 69 D7 24 FB 6A 9E .K....F1..i.$.j.
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 128: 22 39 C7 3F B0 43 94 3C 00 00 00 00 00 00 00 00 "9.?.C.<........
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 144: 76 E7 D7 C3 6B 69 85 B0 1F 7E EF 8D 11 C6 78 28 v...ki...~....x(
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 160: D3 F4 78 04 40 BD BD 39 00 72 34 32 6D 33 6E 63 [email protected]
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 176: 76 2D 65 38 77 66 70 67 33 20 13 63 61 2D 30 30 v-e8wfpg3 .ca-00
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 192: 31 5F 73 74 72 6F 6E 67 73 77 61 6E 18 12 01 A0 1_strongswan....
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 208: 90 AE 01 A1 8A DA 3E A1 21 17 0E 05 88 2C 50 12 ......>.!....,P.
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 224: 73 4F EF F8 F6 08 B9 31 DA FC 35 25 0F CF 00 30 sO.....1..5%...0
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> received RADIUS Access-Challenge from server '127.0.0.1'
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> => 121 bytes @ 0x7f5618001160
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 0: 0B F7 00 79 F6 E1 7C CC C5 C7 FA 31 F7 9A 68 45 ...y..|....1..hE
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 16: 71 6A D6 A9 1A 0C 00 00 01 37 1C 06 0A FF FF 03 qj.......7......
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 32: 4F 35 01 02 00 33 1A 03 01 00 2E 53 3D 32 30 46 O5...3.....S=20F
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 48: 46 45 45 38 39 43 31 31 41 39 37 36 44 45 43 34 FEE89C11A976DEC4
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 64: 38 46 42 46 44 34 44 44 31 33 32 46 43 31 36 33 8FBFD4DD132FC163
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 80: 36 39 33 35 31 50 12 D1 D9 D9 CB 8D C1 9A F8 EE 69351P..........
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 96: 40 12 C5 13 F5 CD 40 18 12 01 A0 90 AE 00 A2 8A @.....@.........
Jul 30 01:02:39 48[CFG] <ikev2-mschapv2|1> 112: DA 3E A1 21 17 0E 05 88 2C .>.!....,
Jul 30 01:02:39 48[IKE] <ikev2-mschapv2|1> EAP_MSCHAPV2 payload => 51 bytes @ 0x7f56180012c0
Jul 30 01:02:39 48[IKE] <ikev2-mschapv2|1> 0: 01 02 00 33 1A 03 01 00 2E 53 3D 32 30 46 46 45 ...3.....S=20FFE
Jul 30 01:02:39 48[IKE] <ikev2-mschapv2|1> 16: 45 38 39 43 31 31 41 39 37 36 44 45 43 34 38 46 E89C11A976DEC48F
Jul 30 01:02:39 48[IKE] <ikev2-mschapv2|1> 32: 42 46 44 34 44 44 31 33 32 46 43 31 36 33 36 39 BFD4DD132FC16369
Jul 30 01:02:39 48[IKE] <ikev2-mschapv2|1> 48: 33 35 31 351
Jul 30 01:02:39 48[ENC] <ikev2-mschapv2|1> added payload of type EAP to message
- EAP Success -> Success (Access-Accept) Response:
Jul 30 01:02:39 124[ENC] <ikev2-mschapv2|1> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 30 01:02:39 124[IKE] <ikev2-mschapv2|1> EAP_MSCHAPV2 payload => 6 bytes @ 0x7f55d80012f0
Jul 30 01:02:39 124[IKE] <ikev2-mschapv2|1> 0: 02 02 00 06 1A 03 ......
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> sending RADIUS Access-Request to server '127.0.0.1'
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> => 171 bytes @ 0x7f55d8000980
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 0: 01 A8 00 AB CA 0B A5 7E 53 26 BB 1F 7B F5 BC 66 .......~S&..{..f
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 16: BD 7B 9D 87 01 12 72 34 32 6D 33 6E 63 76 2D 65 .{....r42m3ncv-e
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 32: 38 77 66 70 67 33 3D 06 00 00 00 05 06 06 00 00 8wfpg3=.........
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 48: 00 02 05 06 00 00 00 01 57 10 69 6B 65 76 32 2D ........W.ikev2-
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 64: 6D 73 63 68 61 70 76 32 04 06 C4 34 2E 23 1E 0E mschapv2...4.#..
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 80: 31 39 36 2E 35 32 2E 34 36 2E 33 35 1F 10 36 36 196.52.46.35..66
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 96: 2E 32 30 37 2E 32 30 38 2E 32 32 36 4F 08 02 02 .207.208.226O...
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 112: 00 06 1A 03 20 13 63 61 2D 30 30 31 5F 73 74 72 .... .ca-001_str
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 128: 6F 6E 67 73 77 61 6E 18 12 01 A0 90 AE 00 A2 8A ongswan.........
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 144: DA 3E A1 21 17 0E 05 88 2C 50 12 AA 6E 35 90 03 .>.!....,P..n5..
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 160: 74 77 80 4A 2E BD FD A7 B2 C5 5B tw.J......[
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> received RADIUS Access-Accept from server '127.0.0.1'
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> => 182 bytes @ 0x7f55d8001750
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 0: 02 A8 00 B6 61 C5 9A 92 51 CB DD 0B DF 37 3A 0F ....a...Q....7:.
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 16: 83 40 AB F2 1A 0C 00 00 01 37 1C 06 0A FF FF 03 [email protected]......
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 32: 1A 0C 00 00 01 37 07 06 00 00 00 01 1A 0C 00 00 .....7..........
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 48: 01 37 08 06 00 00 00 06 1A 2A 00 00 01 37 10 24 .7.......*...7.$
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 64: E6 DC E1 89 5C 76 E8 8A BA 58 F7 7B B6 5E 62 4C ....\v...X.{.^bL
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 80: 7F EB BB C2 45 5A 6B F7 0E 01 F3 9E 0F AD 0E AE ....EZk.........
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 96: A3 92 1A 2A 00 00 01 37 11 24 ED F6 C9 A5 D7 3A ...*...7.$.....:
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 112: 0D C4 4D 93 4F 99 6E 81 28 AC B1 CE 30 DA A0 AF ..M.O.n.(...0...
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 128: 4F 28 71 60 12 E5 35 39 04 27 A6 68 4F 06 03 02 O(q`..59.'.hO...
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 144: 00 04 50 12 C3 89 53 1A 29 FD 07 DD 11 FB 65 82 ..P...S.).....e.
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 160: 73 93 0C B2 01 12 72 34 32 6D 33 6E 63 76 2D 65 s.....r42m3ncv-e
Jul 30 01:02:39 124[CFG] <ikev2-mschapv2|1> 176: 38 77 66 70 67 33 8wfpg3
Now the EAP conversation with my POC:
- EAP Identity + Challenge Response
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> sending RADIUS Access-Request to server '127.0.0.1'
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> => 168 bytes @ 0x7fc2800019c0
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 0: 01 56 00 A8 C3 0E 12 EC A6 1A 72 E2 3C CA 4A 78 .V........r.<.Jx
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 16: 54 E4 35 51 01 12 72 34 32 6D 33 6E 63 76 2D 65 T.5Q..r42m3ncv-e
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 32: 38 77 66 70 67 33 3D 06 00 00 00 05 06 06 00 00 8wfpg3=.........
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 48: 00 02 05 06 00 00 00 01 57 10 69 6B 65 76 32 2D ........W.ikev2-
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 64: 6D 73 63 68 61 70 76 32 04 06 C4 34 2E 23 1E 0E mschapv2...4.#..
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 80: 31 39 36 2E 35 32 2E 34 36 2E 33 35 1F 10 36 36 196.52.46.35..66
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 96: 2E 32 30 37 2E 32 30 38 2E 32 32 36 4F 17 02 00 .207.208.226O...
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 112: 00 15 01 72 34 32 6D 33 6E 63 76 2D 65 38 77 66 ...r42m3ncv-e8wf
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 128: 70 67 33 20 13 63 61 2D 30 30 31 5F 73 74 72 6F pg3 .ca-001_stro
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 144: 6E 67 73 77 61 6E 50 12 0F F1 22 79 D1 AD DE 25 ngswanP..."y...%
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 160: 5B 01 3D A7 19 81 8A AC [.=.....
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> received RADIUS Access-Challenge from server '127.0.0.1'
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> => 100 bytes @ 0x7fc280000d20
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 0: 0B 56 00 64 BF 61 D9 0F 42 95 2C 76 A4 41 C3 0F .V.d.a..B.,v.A..
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 16: 59 9B A4 FA 4F 2C 01 01 00 2A 1A 01 01 00 25 10 Y...O,...*....%.
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 32: 15 C1 FB 92 B0 5A D7 64 1D 60 C5 46 69 00 DA E5 .....Z.d.`.Fi...
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 48: 72 34 32 6D 33 6E 63 76 2D 65 38 77 66 70 67 33 r42m3ncv-e8wfpg3
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 64: 18 12 15 C1 FB 92 B0 5A D7 64 1D 60 C5 46 69 00 .......Z.d.`.Fi.
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 80: DA E5 50 12 41 E8 6C 15 EF 59 DC CC A0 C7 7A A7 ..P.A.l..Y....z.
Jul 30 00:33:24 89[CFG] <ikev2-mschapv2|1> 96: 3A 70 2D 82 :p-.
Jul 30 00:33:24 89[IKE] <ikev2-mschapv2|1> EAP_MSCHAPV2 payload => 42 bytes @ 0x7fc280001650
Jul 30 00:33:24 89[IKE] <ikev2-mschapv2|1> 0: 01 01 00 2A 1A 01 01 00 25 10 15 C1 FB 92 B0 5A ...*....%......Z
Jul 30 00:33:24 89[IKE] <ikev2-mschapv2|1> 16: D7 64 1D 60 C5 46 69 00 DA E5 72 34 32 6D 33 6E .d.`.Fi...r42m3n
Jul 30 00:33:24 89[IKE] <ikev2-mschapv2|1> 32: 63 76 2D 65 38 77 66 70 67 33 cv-e8wfpg3
Jul 30 00:33:24 89[IKE] <ikev2-mschapv2|1> initiating EAP_MSCHAPV2 method (id 0x01)
- EAP Request Packet + Success Packet (Access-Challenge) Response:
Jul 30 00:33:24 100[ENC] <ikev2-mschapv2|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> EAP_MSCHAPV2 payload => 75 bytes @ 0x7fc2940069c0
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 0: 02 01 00 4B 1A 02 01 00 46 31 B2 2F A8 1C 2F 1A ...K....F1./../.
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 16: EF 66 C0 F1 A6 B7 27 BD 51 5F 00 00 00 00 00 00 .f....'.Q_......
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 32: 00 00 64 97 7D 85 D1 6B DD 8C 82 82 A0 CB EB D7 ..d.}..k........
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 48: D8 D0 21 1C 27 96 63 7B 3D 13 00 72 34 32 6D 33 ..!.'.c{=..r42m3
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 64: 6E 63 76 2D 65 38 77 66 70 67 33 ncv-e8wfpg3
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> sending RADIUS Access-Request to server '127.0.0.1'
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> => 240 bytes @ 0x7fc294003d60
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 0: 01 7C 00 F0 DB AB 7C BF 31 2A CA A3 A1 33 93 7B .|....|.1*...3.{
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 16: DB A4 B3 C5 01 12 72 34 32 6D 33 6E 63 76 2D 65 ......r42m3ncv-e
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 32: 38 77 66 70 67 33 3D 06 00 00 00 05 06 06 00 00 8wfpg3=.........
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 48: 00 02 05 06 00 00 00 01 57 10 69 6B 65 76 32 2D ........W.ikev2-
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 64: 6D 73 63 68 61 70 76 32 04 06 C4 34 2E 23 1E 0E mschapv2...4.#..
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 80: 31 39 36 2E 35 32 2E 34 36 2E 33 35 1F 10 36 36 196.52.46.35..66
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 96: 2E 32 30 37 2E 32 30 38 2E 32 32 36 4F 4D 02 01 .207.208.226OM..
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 112: 00 4B 1A 02 01 00 46 31 B2 2F A8 1C 2F 1A EF 66 .K....F1./../..f
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 128: C0 F1 A6 B7 27 BD 51 5F 00 00 00 00 00 00 00 00 ....'.Q_........
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 144: 64 97 7D 85 D1 6B DD 8C 82 82 A0 CB EB D7 D8 D0 d.}..k..........
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 160: 21 1C 27 96 63 7B 3D 13 00 72 34 32 6D 33 6E 63 !.'.c{=..r42m3nc
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 176: 76 2D 65 38 77 66 70 67 33 20 13 63 61 2D 30 30 v-e8wfpg3 .ca-00
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 192: 31 5F 73 74 72 6F 6E 67 73 77 61 6E 18 12 15 C1 1_strongswan....
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 208: FB 92 B0 5A D7 64 1D 60 C5 46 69 00 DA E5 50 12 ...Z.d.`.Fi...P.
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 224: DC 26 57 40 79 91 11 FC 3F 6A C0 AD 0A 66 A0 4D .&W@y...?j...f.M
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> received RADIUS Access-Challenge from server '127.0.0.1'
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> => 121 bytes @ 0x7fc294006930
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 0: 0B 7C 00 79 35 C3 A8 F7 CC BE 84 13 5D 37 B0 66 .|.y5.......]7.f
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 16: A7 78 94 4A 1A 0C 00 00 01 37 1C 06 0A FF FF 02 .x.J.....7......
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 32: 4F 35 01 01 00 33 1A 03 01 00 2E 53 3D 33 39 39 O5...3.....S=399
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 48: 45 33 42 36 43 43 43 31 46 42 44 32 37 36 41 42 E3B6CCC1FBD276AB
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 64: 34 45 39 32 33 33 31 33 32 42 34 33 46 37 39 41 4E9233132B43F79A
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 80: 31 31 39 45 37 18 12 15 C1 FB 92 B0 5A D7 64 1D 119E7.......Z.d.
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 96: 60 C5 46 69 00 DA E5 50 12 1F C6 29 3B 96 8E C4 `.Fi...P...);...
Jul 30 00:33:24 100[CFG] <ikev2-mschapv2|1> 112: EE A4 39 67 FB 3B AE 12 8E ..9g.;...
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> EAP_MSCHAPV2 payload => 51 bytes @ 0x7fc2940045e0
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 0: 01 01 00 33 1A 03 01 00 2E 53 3D 33 39 39 45 33 ...3.....S=399E3
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 16: 42 36 43 43 43 31 46 42 44 32 37 36 41 42 34 45 B6CCC1FBD276AB4E
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 32: 39 32 33 33 31 33 32 42 34 33 46 37 39 41 31 31 9233132B43F79A11
Jul 30 00:33:24 100[IKE] <ikev2-mschapv2|1> 48: 39 45 37 9E7
Jul 30 00:33:24 100[ENC] <ikev2-mschapv2|1> added payload of type EAP to message
At this point, no further communication is seen from the client. Client side, the error 691 is shown. This implies that the client was not able to validate the Access-Challenge sent by my POC. Which is either due to bad packet format, or, bad success packet value.
I have taken the peer and authenticator challenges from the successful log, and ran it through my code to see if I can get the same success packet output, and it does indeed generate the same value.
Looking at the format of the packet byte by byte, I cannot see any differece in either format or value, yet, Windows rejects this response and terminates the EAP conversation.
If anyone has any in depth knowledge of Windows + EAP + MSCHAPv2 implementations, I would greatly appreciate the help, as at this point I have compared the data byte by byte and cannot see any differences.
Here are more references to the RFCs implemented:
- EAP MS-CHAPv2 packet format: http://tools.ietf.org/id/draft-kamath-pppext-eap-mschapv2-01.txt
- EAP MS-CHAPv2: https://www.rfc-editor.org/rfc/rfc2759
- RADIUS Access-Request: https://www.rfc-editor.org/rfc/rfc2865
- RADIUS Support For Extensible Authentication Protocol: https://www.rfc-editor.org/rfc/rfc3579
Additional Notes:
I was originally suspecting that the issue could be in the RADIUS packets, and not in the EAP messages, since the EAP payload look identical in both the FreeRadius (working) conversation, and my POC. The reason I abandoned that theory is that both client and server logs show that the error happens during the EAP authentication stage.
Could there be something in the RADIUS protocol/packets that can affect the validity or acceptance of EAP messages by the client?
Also, the error is thrown during the "Success Packet" Access-Challenge stage of the EAP conversation, but, could earlier steps fail silently and cause this error at a later stage? I haven't found anything in any of the above RFCs that would suggest that, but I'm not ruling anything out at this point as I've been at it for nearly 2 weeks.
Lastly, I have tried to get more debug information out of Windows to see the exact data that Windows is using to determine the validity of the message, but, all I was able to get from the "Remote Access Diagnostic Report" is this:
[3004] 07-30 11:38:21:863: EapBegin(fServer=0)
[3004] 07-30 11:38:21:863: EapBegin: EapTypeToBeUsed=26, EapAuthType=2
[3004] 07-30 11:38:21:863: EapBegin: ThisIsARenegotiation=0, SaveCredsToCredMan=0, UseWinlogonCredentials=0.
[3004] 07-30 11:38:21:864: EapBegin: Connection handle: 1835008
[3004] 07-30 11:38:21:864: EapBegin: EAP user blob is not passed so using the credentials.
[3004] 07-30 11:38:21:864: fRetry = 0.
[3004] 07-30 11:38:21:865: Eap user data size: 1021.
[3004] 07-30 11:38:21:865: EapBegin done
[3004] 07-30 11:38:21:865: EapMakeMessage,RBuf=4b78910
[3004] 07-30 11:38:21:865: MakeAuthenticateeMessage...
[3004] 07-30 11:38:21:865: EAPSTATE_Initial
[3004] 07-30 11:38:21:865: EapMethodBegin(Flags=0x10, Remaining retry count=3)
[3004] 07-30 11:38:21:866: EAPSTATE_Working
[3004] 07-30 11:38:21:866: HandleEapResponse -- Entering.
[3004] 07-30 11:38:21:866: EapHost returned Action = EapHostPeerResponseSend. Processing send packet...
[3004] 07-30 11:38:21:866: RasProcessEapHostSendPacket -- Entering.
[3004] 07-30 11:38:21:866: Got identity: r42m3ncv-e8wfpg3.
[3004] 07-30 11:38:21:866: RasProcessEapHostSendPacket: Sending packet.
[3004] 07-30 11:38:21:866: RasProcessEapHostSendPacket -- Leaving: 0x0.
[3004] 07-30 11:38:21:866: HandleEapResponse -- Leaving: 0x0.
[3004] 07-30 11:38:21:869: EapMakeMessage,RBuf=4b78910
[3004] 07-30 11:38:21:869: MakeAuthenticateeMessage...
[3004] 07-30 11:38:21:869: EAPSTATE_Working
[3004] 07-30 11:38:21:870: HandleEapResponse -- Entering.
[3004] 07-30 11:38:21:870: EapHost returned Action = EapHostPeerResponseSend. Processing send packet...
[3004] 07-30 11:38:21:870: RasProcessEapHostSendPacket -- Entering.
[3004] 07-30 11:38:21:870: RasProcessEapHostSendPacket: Sending packet.
[3004] 07-30 11:38:21:870: RasProcessEapHostSendPacket -- Leaving: 0x0.
[3004] 07-30 11:38:21:870: HandleEapResponse -- Leaving: 0x0.
[3004] 07-30 11:38:21:873: EapMakeMessage,RBuf=4b78910
[3004] 07-30 11:38:21:873: MakeAuthenticateeMessage...
[3004] 07-30 11:38:21:873: EAPSTATE_Working
[3004] 07-30 11:38:21:873: HandleEapResponse -- Entering.
[3004] 07-30 11:38:21:873: EapHost returned Action = EapHostPeerResponseResult. Retreiving result...
[3004] 07-30 11:38:21:873: RasGetEapHostAuthResult -- Entering.
[3004] 07-30 11:38:21:873: RasSetQuarantineStatus -- Entering.
[3004] 07-30 11:38:21:873: ISOLATION_STATE_UNKNOWN
[3004] 07-30 11:38:21:873: RasSetQuarantineStatus -- Leaving: 0x0.
[3004] 07-30 11:38:21:873: EAP Authentication failed with error: Internal = 0x2b3, External = 0x80420112.
[3004] 07-30 11:38:21:873: RasGetEapHostAuthResult -- Leaving: 0x0.
[3004] 07-30 11:38:21:873: HandleEapResponse -- Leaving: 0x0.
[960] 07-30 11:38:21:881: EapEnd
[960] 07-30 11:38:21:881: EapMethodEnd called for EAP Index 26
If anyone knows how to get any useful debugging data for EAP-MSCHAPV2 on Windows, that could also be very helpful. Ideally I would want to see the individual inputs to the various calculations performed by the Windows implementation as I see no logical reason why it's not working as the spec is being followed.