(RADIATOR) TLS problem?
nagataki at nri-net.com
Thu Jul 10 11:49:06 CDT 2003
Hi everyone,
I'm testing a wireless LAN connection using PEAP (ms-chap2-v2).
But I have problems and can't see what is incorrect.
One of the problems is that authentication using certificates doesn't
work constantly.
But after radiusd is restarted, authentication works well for a short period.
What does "EAP TLS SSL_accept result: -1, 2, 8576" in server_log mean?
What causes the problems?
So I need your help in resolving the problems.
Please give me any ideas.
Thank you in advance.
I'll describe the testing environment (including eap_peap.cfg) and the server log.
---------------------------------------------------------------------------
(ENVIRONMENT)
"Antenna_side"
Cisco Aironet 1200
"client_side"
Windows XP HomeEdition SP1
"server_side"
OS:RedHat7.3(kernel-2.4.20)
Radiator-Demo-3.6 with patches-3.6
(latest downloaded at 4 july 2003)
Net_SSLeay.pm-1.23
Digest-HMAC-1.01
Digest-SHA1-2.02
Digest-MD4-1.1
openssl-0.9.7b
perl 5.6.1 built for i386-linux
etc.
------------------------------------
(eap_peap.cfg)
#Foreground
#LogStdout
LogDir /var/log
#DbDir .
AuthPort 1812
AcctPort 1813
DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
# anonymous-PEAP must be in here:
Filename /etc/radiator/users
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType PEAP,MSCHAP-V2
</AuthBy>
</Handler>
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
<AuthBy FILE>
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page)
Filename /etc/radiator/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP,MSCHAP-V2,LEAP
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
#EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#EAPTLS_PrivateKeyPassword whatever
EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
EAPTLS_PrivateKeyPassword 1qaz2wsx
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048
EAPTLS_MaxFragmentSize 1024
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has been revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys. This _will_ be required if you select
# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
# EAPAnonymous anonymous at some.other.realm
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
</AuthBy>
</Handler>
-------------------------------------------------------
(server_log)
Thu Jul 10 22:52:27 2003: NOTICE: SIGHUP received: restarting
Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
Thu Jul 10 22:52:27 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
Thu Jul 10 22:52:27 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Jul 10 22:52:28 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
Thu Jul 10 22:52:28 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Jul 10 22:52:28 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Jul 10 22:52:28 2003: NOTICE: Server started: Radiator 3.6 on radiator-1 (EVALUATION) (EVALUATION)
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2150 ....
Code: Access-Request
Identifier: 88
Authentic: <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
Attributes:
User-Name = "nagataki"
cisco-avpair = "ssid=hotspot"
NAS-IP-Address = 192.168.0.47
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b31"
NAS-Identifier = "test-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><199><0><13><1>nagataki
Message-Authenticator = @<249>g<211>hf<213>)=<234>4<22>1<185><170><30>
Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 199, 13
Thu Jul 10 22:52:48 2003: DEBUG: Response type 1
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.47 port 2150 ....
Code: Access-Challenge
Identifier: 88
Authentic: <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
Attributes:
EAP-Message = <1><200><0><6><25>!
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2151 ....
Code: Access-Request
Identifier: 89
Authentic: <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
Attributes:
User-Name = "nagataki"
cisco-avpair = "ssid=hotspot"
NAS-IP-Address = 192.168.0.47
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b31"
NAS-Identifier = "test-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
Message-Authenticator = <175>%<20><176><131><25>!3=<178><247><27><31><179>Xc
Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 200, 112
Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.47 port 2151 ....
Code: Access-Challenge
Identifier: 89
Authentic: <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
Attributes:
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2152 ....
Code: Access-Request
Identifier: 90
Authentic: <170><217>(? _a<1>9<236><206>U<154><26>J<
Attributes:
User-Name = "nagataki"
cisco-avpair = "ssid=hotspot"
NAS-IP-Address = 192.168.0.47
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b31"
NAS-Identifier = "test-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><201><0><6><25><0>
Message-Authenticator = u <181><182><231><153>s<166><135>|XT<132>p<141>~
Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 201, 6
Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.47 port 2152 ....
Code: Access-Challenge
Identifier: 90
Authentic: <170><217>(? _a<1>9<236><206>U<154><26>J<
Attributes:
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2153 ....
Code: Access-Request
Identifier: 91
Authentic: 7<30>#Lb<24><204><189>-%~<187>[<22>N%
Attributes:
User-Name = "nagataki"
cisco-avpair = "ssid=hotspot"
NAS-IP-Address = 192.168.0.47
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b31"
NAS-Identifier = "test-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
Message-Authenticator = k<163>5M<251>,<235><134><251><190>V<207><130><150><31><221>
Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 202, 199
Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
----------------------------------------------------------
Best Regards.
Masa
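
Added example, not part of the original post and not Radiator code: a Python helper for reading a Trace 4 log like the one above. It assumes the three numbers after "SSL_accept result:" are the SSL_accept() return value, the SSL_get_error() code and the OpenSSL state number, and that <n> in a packet dump stands for the byte with value n; the function names and the subset of state names are this example's own choices.

```python
import re

# Assumption: the logged triple is (SSL_accept() return value,
# SSL_get_error() code, OpenSSL state number), in that order.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL",
              2: "SSL_ERROR_WANT_READ", 3: "SSL_ERROR_WANT_WRITE",
              4: "SSL_ERROR_WANT_X509_LOOKUP", 5: "SSL_ERROR_SYSCALL",
              6: "SSL_ERROR_ZERO_RETURN"}
# Subset of server-side handshake states from OpenSSL 0.9.x ssl.h / ssl3.h.
SSL_STATES = {0x03: "SSL_ST_OK", 0x2110: "SSL3_ST_SR_CLNT_HELLO_A",
              0x2180: "SSL3_ST_SR_CERT_A", 0x2190: "SSL3_ST_SR_KEY_EXCH_A"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_BASED_TYPES = (13, 21, 25)  # EAP-TLS, EAP-TTLS, PEAP


def explain_ssl_accept(line):
    """Decode one 'SSL_accept result: ret, err, state' debug line."""
    m = re.search(r"SSL_accept result: (-?\d+), (\d+), (\d+)", line)
    if not m:
        return None
    ret, err, state = (int(x) for x in m.groups())
    if ret == 1:
        verdict = "handshake complete"
    elif err in (2, 3):
        # WANT_READ / WANT_WRITE: more EAP round trips are needed, not a failure
        verdict = "handshake in progress"
    else:
        verdict = "handshake failed"
    return {"ret": ret, "error": SSL_ERRORS.get(err, "unknown"),
            "state": SSL_STATES.get(state, hex(state)), "verdict": verdict}


def decode_dump(text):
    """Convert dump notation (<n> = byte n, anything else literal) to bytes."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d{1,3})>|(.)", text, re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def parse_eap(data):
    """Parse the EAP header and, for TLS-based types, the flags byte."""
    code, ident = data[0], data[1]
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": int.from_bytes(data[2:4], "big")}
    if code in (1, 2) and len(data) > 4:
        info["type"] = data[4]
        if data[4] in TLS_BASED_TYPES and len(data) > 5:
            flags = data[5]
            info["length_included"] = bool(flags & 0x80)
            info["more_fragments"] = bool(flags & 0x40)
            info["start"] = bool(flags & 0x20)
            if flags & 0x80 and len(data) >= 10:
                info["tls_total"] = int.from_bytes(data[6:10], "big")
    return info


# Sample EAP-Message values in the log's notation, embedded so this runs offline.
SAMPLES = ["<2><199><0><13><1>nagataki",              # identity response
           "<1><200><0><6><25>!",                     # PEAP start
           "<1><201><4><10><25><192><0><0><4><236>",  # header of a first fragment
           "<2><201><0><6><25><0>"]                   # fragment acknowledgement

if __name__ == "__main__":
    for triple in ("-1, 2, 8576", "1, 0, 3"):
        print(explain_ssl_accept("EAP TLS SSL_accept result: " + triple))
    for sample in SAMPLES:
        print(parse_eap(decode_dump(sample)))
```

For the first-fragment sample, the EAP length of 1034 is 10 header bytes plus 1024 bytes of TLS data, which matches EAPTLS_MaxFragmentSize 1024 in the configuration, and the TLS total of 1260 means further fragments follow.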
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.