We are authenticating to RADIUS servers with varying degrees of success. When I look at successful authentications, I frequently see Radius Protocol Malformed SSL packet. Each of these packets shows a LEN=1098, sometimes but not always failing the authentication MS-CHAP four-way handshake. Any insight is appreciated. These are Apple iPad devices that doctors are carrying into our hospitals, so we're somewhat limited to capturing packets from the wireless controllers into the wired network (RADIUS servers etc.) since we can't load Wireshark on the Apple devices.

asked 30 Nov '10, 11:12

swglover

Are there any messages in the RADIUS server log?

(02 Dec '10, 12:56) erics

Are you sure you are running RADIUS from your iPads? Generally RADIUS is transported over UDP, and probably is not going to be all that reliable over wireless. You might want to explain your authentication architecture more fully. (Normally I would expect to use 802.1x from your wireless device and RADIUS from the access point.)

You can use a regular laptop running Wireshark to capture wireless traffic (depending on your wireless card you might need a 3rd party adapter to capture traffic promiscuously).

answered 02 Dec '10, 14:59

martyvis

Martyvis, you are entirely correct. The whole package is 802.1x PEAP, Digicert certificates and 'Radiator'/Steel Belted Radius. The problem with capturing is the laptop authenticates perfectly; it is only the Apple devices that are the problem.

(03 Dec '10, 03:45) swglover

I am not suggesting using the laptop to authenticate, but using Wireshark on it to capture the wireless traffic to and from your iPads.

Also, if you are getting RADIUS protocol issues, they won't be coming directly from your iPad, but to and from your AP on the wire. Your iPad will be using 802.1x, not RADIUS. You might find if you turn up the logging level on your AP and RADIUS servers you will get more info.

(03 Dec '10, 15:09) martyvis

Was there any progress doing this? I'm seeing the same problem at my location. I love Wireshark, and it would help me if it was on the iPad, but how does one capture wireless traffic between an AP and an iPad on a Windows running laptop? Are you suggesting putting it before the AP? I believe all that is encrypted.

(02 Mar '11, 07:18) jabbyjim

We're suggesting putting the laptop's 802.11 adapter into monitor mode if it's running Linux, *BSD, or Mac OS X, or using an AirPcap adapter if it's running Windows, and giving Wireshark the password for the network. That won't work if the network is using WPA or WPA2 in enterprise mode, however; see the Wireshark Wiki "How to Decrypt 802.11" page.

(02 Mar '11, 10:50) Guy Harris ♦♦
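
An added example, not written by anyone in this thread: the answer above points out that the iPad speaks 802.1x while RADIUS runs on the wire between the AP and the server, where the PEAP exchange is carried in RADIUS EAP-Message attributes. The Python below parses a constructed Access-Request, rejoins the EAP-Message pieces and reports the PEAP fragment flags. The sample packet, user name and function names are made up for illustration.

```python
import struct

EAP_MESSAGE = 79      # RADIUS attribute that carries EAP (RFC 3579)
EAP_TYPE_PEAP = 25

def radius_attributes(packet):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match captured bytes")
    pos = 20                                  # skip the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def inner_eap(packet):
    """Rejoin the EAP packet split across EAP-Message attributes and describe it."""
    eap = b"".join(v for t, v in radius_attributes(packet) if t == EAP_MESSAGE)
    if len(eap) < 4:
        return None                           # no EAP in this RADIUS packet
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    info = {"eap_code": code, "eap_len": length, "complete": length == len(eap)}
    if code in (1, 2) and len(eap) >= 6:      # Request/Response carry a type
        info["eap_type"] = eap[4]
        if eap[4] == EAP_TYPE_PEAP:
            info["length_included"] = bool(eap[5] & 0x80)   # L flag
            info["more_fragments"] = bool(eap[5] & 0x40)    # M flag
    return info

def build_sample():
    """Constructed Access-Request (Message-Authenticator omitted for brevity)."""
    tls = b"\x16\x03\x01" + bytes(287)        # start of a TLS record, zero padded
    eap = struct.pack("!BBHBBI", 2, 7, 10 + len(tls), EAP_TYPE_PEAP, 0xC0, 2000) + tls
    name = b"sample-user"
    attrs = bytes([1, 2 + len(name)]) + name  # User-Name
    for i in range(0, len(eap), 253):         # attribute values hold at most 253 bytes
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(inner_eap(build_sample()))
```

When `more_fragments` is true, the TLS data in that RADIUS packet is only part of a larger TLS message that continues in later packets.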
question asked: 30 Nov '10, 11:12

question was seen: 5,475 times

last updated: 20 Sep '12, 02:16
