RoamServer Network Traffic Analysis

This document details the type of traffic activity that occurs with iPass RoamServer software and the sequence of events in play-by-play, packet-by-packet fashion. In these examples, RoamServer 5.05 for Windows is used in conjunction with various AAA implementations commonly used by the iPass customer base. This is not meant to be a comprehensive review of all possible configurations, nor does it detail the inner workings of any protocol such as LDAP, RADIUS, or RPC.

To view the network capture files provided, use a packet capture utility such as Ethereal. The WinPCap library is not required to view these files.

LDAP Authentication (Active Directory 2003)

In this example, the RoamServer machine is not a member of the domain against which it performs LDAP authentication. This represents a realistic deployment: for security reasons, non-member machines (which may be placed in a DMZ network behind firewall-based traffic restrictions) or even UNIX-based RoamServers are used to authenticate users against Active Directory. This setup also keeps typical domain-related activity (such as Group Policy refresh) out of the capture. Traffic with an Active Directory 2000 environment should be identical.

For reference, please observe the packet capture of this event. The RoamServer IP is 192.168.0.34 and the domain controller is 192.168.0.10. The traffic capture was filtered to observe only IP traffic between these two machines as the command checkipass.exe -u <username> -p <password> is run with a successful authentication.

The following takes place in sequence (the step numbers in this list are not the packet numbers shown in the capture graph below):

1. RoamServer performs a TCP handshake with the domain controller via TCP 389. RoamServer then sends an LDAP Bind Request using the bind account and password specified in the RoamServer LDAP configuration file. The Distinguished Name and password of this account are sent in clear text.

  LDAP Message, Bind Request
  Message Id: 1
  Message Type: Bind Request (0x00)
  Message Length: 99
  Response In: 5
  Version: 3
  DN: CN=DeviceIDbind,OU=Service Accounts,OU=User Accounts,DC=lab2003,DC=ipass,DC=com
  Auth Type: Simple (0x00)
  Password: myBadP@SSwd
  LDAP Controls
      LDAP Control
          Control OID: 2.16.840.1.113730.3.4.2

2. Domain controller returns a success code in the form of an LDAP Bind Result to the RoamServer.

  LDAP Message, Bind Result
  Message Id: 1
  Message Type: Bind Result (0x01)
  Message Length: 7
  Response To: 4
  Time: 0.001229000 seconds
  Result Code: success (0x00)
  Matched DN: (null)
  Error Message: (null)

3. RoamServer sends an LDAP Search Request with the specified search filter:

  LDAP Message, Search Request
  Message Id: 2
  Message Type: Search Request (0x03)
  Message Length: 80
  Response In: 7
  Base DN: DC=lab2003,DC=ipass,DC=com
  Scope: Subtree (0x02)
  Dereference: Always (0x03)
  Size Limit: 2
  Time Limit: 11
  Attributes Only: False
  Filter: (sAMAccountName=agentsmith)
  Attribute: 1.1
  LDAP Controls
      LDAP Control
          Control OID: 2.16.840.1.113730.3.4.2

4. Domain controller returns LDAP Search Entry results in the form of enumerated Distinguished Names in various Active Directory partitions.

  LDAP Message, Search Entry
  Message Id: 2
  Message Type: Search Entry (0x04)
  Message Length: 76
  Response To: 6
  Time: 0.000362000 seconds
  Distinguished Name: CN=test,OU=Technical Support,OU=User Accounts,DC=lab2003,DC=ipass,DC=com
  
  LDAP Message, Search Result Reference
  Message Id: 2
  Message Type: Search Result Reference (0x13)
  Message Length: 86
  Response To: 6
  Time: 0.000362000 seconds
  Reference URL: ldap://ForestDnsZones.lab2003.ipass.com/DC=ForestDnsZones,DC=lab2003,DC=ipass,DC=com
  
  LDAP Message, Search Result Reference
  Message Id: 2
  Message Type: Search Result Reference (0x13)
  Message Length: 86
  Response To: 6
  Time: 0.000362000 seconds
  Reference URL: ldap://DomainDnsZones.lab2003.ipass.com/DC=DomainDnsZones,DC=lab2003,DC=ipass,DC=com

  LDAP Message, Search Result Reference
  Message Id: 2
  Message Type: Search Result Reference (0x13)
  Message Length: 70
  Response To: 6
  Time: 0.000362000 seconds
  Reference URL: ldap://lab2003.ipass.com/CN=Configuration,DC=lab2003,DC=ipass,DC=com
  
  LDAP Message, Search Result
  Message Id: 2
  Message Type: Search Result (0x05)
  Message Length: 7
  Response To: 6
  Time: 0.000362000 seconds
  Result Code: success (0x00)
  Matched DN: (null)
  Error Message: (null)

5. RoamServer sends another LDAP Bind Request with the DN of the authenticating user as well as the password for this account (once again sent in clear text).

  LDAP Message, Bind Request
  Message Id: 3
  Message Type: Bind Request (0x00)
  Message Length: 81
  Response In: 9
  Version: 3
  DN: CN=test,OU=Technical Support,OU=User Accounts,DC=lab2003,DC=ipass,DC=com
  Auth Type: Simple (0x00)
  Password: matrix
  LDAP Controls
      LDAP Control
          Control OID: 2.16.840.1.113730.3.4.2

6. Domain controller returns an LDAP Bind Result with a success code.

  LDAP Message, Bind Result
  Message Id: 3
  Message Type: Bind Result (0x01)
  Message Length: 7
  Response To: 8
  Time: 0.001173000 seconds
  Result Code: success (0x00)
  Matched DN: (null)
  Error Message: (null)

7. RoamServer sends an LDAP Search Request with a filter to enumerate all attributes of this user's objectClass:

  LDAP Message, Search Request
  Message Id: 4
  Message Type: Search Request (0x03)
  Message Length: 58
  Response In: 11
  Base DN: DC=lab2003,DC=ipass,DC=com
  Scope: Base (0x00)
  Dereference: Always (0x03)
  Size Limit: 0
  Time Limit: 0
  Attributes Only: False
  Filter: (objectClass=*)
  LDAP Controls
      LDAP Control
          Control OID: 2.16.840.1.113730.3.4.2

8. Domain controller returns LDAP Search Entry results listing the various attributes of the user's objectClass.

  LDAP Message, Search Entry
  Message Id: 4
  Message Type: Search Entry (0x04)
  Message Length: 3462
  Response To: 10
  Time: 0.000962000 seconds
  Distinguished Name: DC=lab2003,DC=ipass,DC=com
  Attribute: objectClass
      Value: top
      Value: domain
      Value: domainDNS
  Attribute: distinguishedName
      Value: DC=lab2003,DC=ipass,DC=com
  Attribute: pwdHistoryLength
      Value: 3
  Attribute: fSMORoleOwner
      Value: CN=NTDS Settings,CN=SL-2003DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab2003,DC=ipass,DC=com

(display output truncated for brevity)

9. Domain controller returns an LDAP Search Result success code.

  LDAP Message, Search Result
  Message Id: 4
  Message Type: Search Result (0x05)
  Message Length: 7
  Result Code: success (0x00)
  Matched DN: (null)
  Error Message: (null)

10. RoamServer sends an LDAP Unbind Request.

  LDAP Message, Unbind Request
  Message Id: 5
  Message Type: Unbind Request (0x02)
  Message Length: 0
  LDAP Controls
      LDAP Control
          Control OID: 2.16.840.1.113730.3.4.2

The TCP session is then torn down. The total amount of traffic is about 5 to 6 kB.
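Steps 1 and 5 above show that a simple bind carries the DN and password as plain BER octet strings. The following detector is an added example (not iPass or RoamServer code) that walks an LDAP payload, as captured on TCP 389, and reports every simple bind that carried a non-empty password; the sample payload is constructed here from the page's bind DN and password.

```python
# Added example (not iPass/RoamServer code): a minimal BER walker that finds
# LDAP simple BindRequests in a raw TCP 389 payload and reports which DN
# sent a cleartext password, as in steps 1 and 5 of the capture above.
# The sample payload at the bottom is constructed from the page's values.

def _enc(tag, value):
    """BER-encode one tag-length-value (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def simple_bind_request(msg_id, dn, password):
    """LDAPv3 simple BindRequest as step 1 shows it: DN and password are plain
    OCTET STRINGs inside [APPLICATION 0]. msg_id must be < 128 for this helper."""
    op = (_enc(0x02, bytes([3]))                 # version INTEGER 3
          + _enc(0x04, dn.encode())              # name LDAPDN
          + _enc(0x80, password.encode()))       # authentication [0] simple
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x60, op))

def find_simple_binds(payload):
    """Return [(message_id, bind_dn, password_length)] for each simple bind with
    a non-empty password in payload. Other operations (searches, SASL binds,
    unbinds) are skipped and any trailing LDAP controls are ignored."""
    hits, pos = [], 0
    while pos < len(payload):
        tag, msg, pos = _tlv(payload, pos)
        if tag != 0x30:                          # every LDAPMessage is a SEQUENCE
            break
        _, msg_id, p = _tlv(msg, 0)              # messageID INTEGER
        op_tag, op, _ = _tlv(msg, p)             # protocolOp CHOICE
        if op_tag != 0x60:                       # 0x60 = [APPLICATION 0] BindRequest
            continue
        _, _version, p = _tlv(op, 0)
        _, dn, p = _tlv(op, p)
        auth_tag, cred, _ = _tlv(op, p)
        if auth_tag == 0x80 and cred:            # [0] simple, password present
            hits.append((int.from_bytes(msg_id, "big"), dn.decode(), len(cred)))
    return hits

# Constructed sample: the step 1 bind followed by an UnbindRequest ([APPLICATION 2], empty).
BIND_DN = "CN=DeviceIDbind,OU=Service Accounts,OU=User Accounts,DC=lab2003,DC=ipass,DC=com"
SAMPLE = simple_bind_request(1, BIND_DN, "myBadP@SSwd") + _enc(0x30, _enc(0x02, b"\x05") + _enc(0x42, b""))

if __name__ == "__main__":
    for msg_id, dn, pw_len in find_simple_binds(SAMPLE):
        print(f"msg {msg_id}: simple bind for {dn} sent a {pw_len}-byte password in the clear")
```

The detector reports the password length rather than the password itself, so the output can be logged without re-exposing the credential.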

RADIUS Authentication (Funk SBR proxying to Active Directory)

In this example, RoamServer performs RADIUS authentication to a Funk Steel-Belted RADIUS server, which in turn performs authentication with Active Directory (since the username does not exist in the local Funk database). This particular Funk server is configured to search for users in its own local database first; if it cannot find a matching username, it sends the request to a secondary authentication source (in this case, a Windows domain).

For reference, please observe the packet capture of this event. The RoamServer is 192.168.0.34, the Funk server is 192.168.0.36, and the domain controller is 192.168.0.6. The traffic capture was filtered to observe only IP traffic between these three machines as the command checkipass.exe -u <username> -p <password> is run with a successful authentication.

The following takes place in sequence (the step numbers in this list are not the packet numbers shown in the capture graph below):

1. RoamServer sends a RADIUS Access-Request packet over UDP 1645 to the RADIUS server. The packet includes the following Attribute Value Pairs: User-Name, User-Password (encrypted), NAS-IP-Address, NAS-Identifier (with the value “i-Pass VNAS”).

  Code: Access-Request (1)
  Packet identifier: 0x6 (6)
  Length: 69
  Authenticator: 3B0F4484DB77A293EF1DD9F55063816D
  Attribute Value Pairs
      User-Name: agentsmith
      User-Password: 8,\254b\016\246\017\355\275\313\230zRM\306-
      NAS-IP-Address: 192.168.0.34 (192.168.0.34)
      NAS-Identifier: i-Pass VNAS

2. The RADIUS server initiates a DCE RPC Request to the domain controller for a NETLOGON Secure Channel transaction on TCP 1026 (this port number was presumably established previously in a Remote Procedure Call session and assigned by the RPC endpoint mapper process on the domain controller).

3. The domain controller provides DCE RPC Responses to Funk SBR. After verifying the credentials, the RADIUS server sends the RoamServer a RADIUS Access-Accept packet. The packet includes the following Attribute Value Pairs: Class, Framed-Protocol, and Service-Type.

  Code: Access-Accept (2)
  Packet identifier: 0x6 (6)
  Length: 106
  Authenticator: 6CF83E990FC105AAB293BF4846FFDDF5
  Attribute Value Pairs
      Class: 53425232434C8FB8C4DE90FEEDB887C01180350180048199...
      Framed-Protocol: PPP (1)
      Service-Type: Framed-User (2)

The total amount of traffic is about 2 kB. If the username had been in the Funk local database, then traffic would be similar to the above but without the interaction between the RADIUS server and domain controller.

RADIUS Authentication (IAS / Active Directory)

In this example, RoamServer performs RADIUS authentication to IAS (Microsoft RADIUS), which in turn performs authentication with Active Directory. Internet Authentication Service does not contain a built-in user database and is designed to forward authentication requests to the domain it is a member of. The ability to authenticate users is partly based on policies set at the IAS level, which evaluate various attributes of the request such as domain group membership, authentication protocol (PAP, CHAP, etc.), and time of day. Active Directory's user object also contains a flag under the Dial-in tab that determines whether this policy is controlled at the domain level or at the IAS level. This example uses Active Directory 2000 and IAS 2000.

For reference, please observe the packet capture of this event. The RoamServer is 192.168.0.34, the IAS server is 192.168.0.33, and the domain controller is 192.168.0.5. The traffic capture was filtered to observe only IP traffic between these three machines as the command checkipass.exe -u <username> -p <password> is run with a successful authentication.

The following takes place in sequence (the step numbers in this list are not the packet numbers shown in the capture graph below):

1. RoamServer sends a RADIUS Access-Request packet over UDP 1812 to the RADIUS server. The packet includes the following Attribute Value Pairs: User-Name, User-Password (encrypted), NAS-IP-Address, NAS-Identifier (with the value “i-Pass VNAS”).

  Code: Access-Request (1)
  Packet identifier: 0x4 (4)
  Length: 69
  Authenticator: 897499391E27B0A05BB70926CB462E94
  Attribute Value Pairs
      User-Name: agentsmith
      User-Password: \302-\367\030\267\345\a\230\265e\036S\255T\365\314
      NAS-IP-Address: 192.168.0.34 (192.168.0.34)
      NAS-Identifier: i-Pass VNAS

2. IAS initiates a DCE RPC Request to the domain controller for a NETLOGON Secure Channel transaction on TCP 1026 (this port number was presumably established previously in a Remote Procedure Call session and assigned by the RPC endpoint mapper process on the domain controller). The domain controller provides a DCE RPC Response to IAS.

3. IAS initiates an LDAP Search Request, filtering with (sAMAccountName=username) and querying for user object attributes such as msNPAllowDialin, msNPCallingStationID, msRADIUSCallbackNumber, msRADIUSFramedIPAddress, msRADIUSFramedRoute, and msRADIUSServiceType. The request is carried inside a SASL/GSS-API Kerberos wrap token; as the dissection shows, the token is signed (krb5_sgn_alg: HMAC) but not sealed (krb5_seal_alg: None), so this LDAP traffic is integrity-protected but not encrypted on the wire, which is also why the dissector can display its contents.

  SASL Buffer Length: 273
  SASL buffer
  GSS-API Generic Security Service Application Program Interface
      OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
      krb5_blob: 02011100FFFFFFFF4B830F1406A16239F0A9EE613B52AF93...
          krb5_tok_id: KRB5_GSS_Wrap (0x0102)
          krb5_sgn_alg: HMAC (0x0011)
          krb5_seal_alg: None (0xffff)
          krb5_snd_seq: 4B830F1406A16239
          krb5_sgn_cksum: F0A9EE613B52AF93
          krb5_confounder: E058A54B8A1521C6
  GSS-API payload (226 bytes)
      LDAP Message, Search Request
          Message Id: 12564
          Message Type: Search Request (0x03)
          Message Length: 209
          Response In: 5
          Base DN: DC=lab,DC=ipass,DC=com
          Scope: Subtree (0x02)
          Dereference: Never (0x00)
          Size Limit: 0
          Time Limit: 10
          Attributes Only: False
          Filter: (sAMAccountName=agentsmith)
          Attribute: msNPAllowDialin
          Attribute: msNPCallingStationID
          Attribute: msRADIUSCallbackNumber
          Attribute: msRADIUSFramedIPAddress
          Attribute: msRADIUSFramedRoute
          Attribute: msRADIUSServiceType

4. Domain controller responds with LDAP search results.

  SASL Buffer Length: 392
  SASL buffer
  GSS-API Generic Security Service Application Program Interface
      OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
      krb5_blob: 02011100FFFFFFFF9B85E1995512297C5E8742BF59914582...
          krb5_tok_id: KRB5_GSS_Wrap (0x0102)
          krb5_sgn_alg: HMAC (0x0011)
          krb5_seal_alg: None (0xffff)
          krb5_snd_seq: 9B85E1995512297C
          krb5_sgn_cksum: 5E8742BF59914582
          krb5_confounder: 11820DEE35154CFA
  GSS-API payload (345 bytes)
      LDAP Message, Search Entry
          Message Id: 12564
          Message Type: Search Entry (0x04)
          Message Length: 71
          Response To: 4
          Time: 0.001172000 seconds
          Distinguished Name: CN=agentsmith,OU=Technical Support,OU=People,DC=lab,DC=ipass,DC=com
      LDAP Message, Search Result Reference
          Message Id: 12564
          Message Type: Search Result Reference (0x13)
          Message Length: 62
          Response To: 4
          Time: 0.001172000 seconds
          Reference URL: ldap://child2.lab.ipass.com/DC=child2,DC=lab,DC=ipass,DC=com
      LDAP Message, Search Result Reference
          Message Id: 12564
          Message Type: Search Result Reference (0x13)
          Message Length: 62
          Response To: 4
          Time: 0.001172000 seconds
          Reference URL: ldap://child1.lab.ipass.com/DC=child1,DC=lab,DC=ipass,DC=com
      LDAP Message, Search Result Reference
          Message Id: 12564
          Message Type: Search Result Reference (0x13)
          Message Length: 62
          Response To: 4
          Time: 0.001172000 seconds
          Reference URL: ldap://lab.ipass.com/CN=Configuration,DC=lab,DC=ipass,DC=com
      LDAP Message, Search Result
          Message Id: 12564
          Message Type: Search Result (0x05)
          Message Length: 7
          Response To: 4
          Time: 0.001172000 seconds
          Result Code: success (0x00)
          Matched DN: (null)
          Error Message: (null)

5. IAS sends the RoamServer a RADIUS Access-Accept packet. The packet includes the following Attribute Value Pairs: Class, Framed-Protocol, and Service-Type.

  Code: Access-Accept (2)
  Packet identifier: 0x4 (4)
  Length: 64
  Authenticator: D6B16804061D6EE85376E2A0A904BB51
  Attribute Value Pairs
          Framed-Protocol: PPP (1)
          Service-Type: Framed-User (2)
          Class: 5F9406B9000001370001C0A8002101C5E0D7F126ADB10000...

The total amount of traffic is about 2 kB.
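Both RADIUS captures above (Funk SBR and IAS) show a 16-byte User-Password value and an Access-Request of Length 69. The following is an added example (not iPass, Funk or Microsoft code) implementing the RFC 2865 section 5.2 User-Password hiding and the Access-Request layout around it; the shared secret and the password are constructed, while the authenticator and the other attribute values are taken from the Funk Access-Request.

```python
# Added example (not iPass, Funk or Microsoft code): RFC 2865 section 5.2
# User-Password hiding, which produces the 16-byte value in both Access-Request
# packets above. Each 16-byte block of the NUL-padded password is XORed with
# MD5(shared_secret + previous_block); the first "previous block" is the
# 16-byte Request Authenticator. Secret and password here are constructed.
import hashlib
import os

def hide_password(password, secret, authenticator):
    """Client (NAS) side: return the User-Password attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    p = password.encode() or b"\x00"
    p += b"\x00" * (-len(p) % 16)               # pad to whole 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], mask))
        out, prev = out + block, block            # next mask chains on this block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: the same computation undone. Trailing NUL padding is dropped,
    which is why an RFC 2865 password cannot end in a NUL byte."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def access_request(ident, username, password, secret, nas_ip, nas_id, authenticator=None):
    """Serialize an Access-Request with the four AVPs the captures show:
    Code 1, Identifier, Length, 16-byte Authenticator, then type/length/value AVPs."""
    auth = authenticator or os.urandom(16)
    def avp(attr_type, value):
        return bytes([attr_type, len(value) + 2]) + value
    avps = (avp(1, username.encode())                            # User-Name
            + avp(2, hide_password(password, secret, auth))      # User-Password
            + avp(4, bytes(int(o) for o in nas_ip.split("."))) # NAS-IP-Address
            + avp(32, nas_id.encode()))                          # NAS-Identifier
    return bytes([1, ident]) + (20 + len(avps)).to_bytes(2, "big") + auth + avps

def user_password_value(packet):
    """Walk the AVPs after the 20-byte header; return the User-Password (type 2) value."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == 2:
            return packet[pos + 2:pos + length]
        pos += length
    return None

# Request Authenticator as shown in the Funk Access-Request; secret is constructed.
FUNK_AUTHENTICATOR = bytes.fromhex("3B0F4484DB77A293EF1DD9F55063816D")
SECRET = b"constructed-shared-secret"
```

Because the mask is derived only from the shared secret and the public Request Authenticator, the protection of User-Password is no stronger than the secret itself, which is why RADIUS traffic between RoamServer and the RADIUS server is normally confined to a trusted network or tunnel.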

NT Authentication (with Active Directory)

In this example, RoamServer (installed on Windows Server 2003) performs NT authentication to an Active Directory domain. The type of traffic will differ with an NT 4.0 domain or NT 4.0 machines due to the authentication protocols they support and their associated ports. RoamServer's NT authentication method depends on Windows' built-in authentication subsystem, which is composed of several entities that coordinate the user authentication process. UNIX or Linux RoamServers cannot perform NT authentication since they do not contain the operating system code necessary to perform this function. Furthermore, there is no support for attempting this on a UNIX / Linux system utilizing the Samba package for Windows domain integration.

Background

In order for a Windows host to perform NT authentication in a domain, the host must be a member of that domain (or at the very least a member of a trusted domain). The NT Local Security Authority (LSA) subsystem, which processes interactive logons to a machine's desktop, utilizes one of two processes:

  • The Winlogon process to authenticate local machine accounts with the local Security Accounts Manager (SAM) database.
  • The Netlogon process to authenticate domain accounts by contacting a domain controller via the operating system's Security Support Provider Interface (SSPI) using one of the available SSPs, such as Negotiate, Kerberos, NTLM, etc.; the SSPI is Microsoft's implementation of the Generic Security Service API (GSS-API).

The LSA determines whether to authenticate with the local SAM or the domain controller based upon the login “DOMAIN” field (typically the third field in the Microsoft GINA login dialog), indicating either the local machine name or the NetBIOS domain name. If the machine is not a member of a domain, this third field does not exist for user interaction since it is in “Workgroup” mode. In “Workgroup” mode, the DOMAIN value becomes the NetBIOS hostname of the machine itself.

RoamServer does not provide an NT DOMAIN value when processing iPassConnect authentication requests. Therefore, it sends the username and password to the LSA, which first checks the local SAM and then, if no matching username is found, invokes the Netlogon process to authenticate with the domain (assuming the machine is a domain member).

For reference, please observe the packet capture of this event. The RoamServer is 192.168.0.34 and the domain controller is 192.168.0.5. The packet capture was filtered to observe only IP traffic between these two machines as the command checkipass.exe -u <username> -p <password> is run with a successful authentication.

The following takes place in sequence (the step numbers in this list are not the packet numbers shown in the capture graph below):

1. RoamServer initiates a DCE RPC Request to the domain controller for a NETLOGON Secure Channel transaction on TCP 1026 (this port number was presumably established previously in a Remote Procedure Call session and assigned by the RPC endpoint mapper process on the domain controller).

2. Domain controller provides a DCE RPC Response to the RoamServer over the same NETLOGON Secure Channel path.

The total amount of traffic is about 1 kB. However, note that in order for this to take place, the machine must have previously authenticated its domain machine account when it was connected to the network, either at boot time or when network connectivity was established. It must also have been able to determine the location of the domain controller by DNS SRV query (or via WINS / lmhosts / broadcast if NT 4.0). Default authentication protocols and available security support providers differ between NT 4.0 and 2000 / 2003, so the prerequisite traffic described above will consist of different combinations of exchanges established beforehand.

©2015 iPass Inc. All rights reserved.