(RADIATOR) TLS problem?

nagataki at nri-net.com nagataki at nri-net.com
Thu Jul 10 11:49:06 CDT 2003


Hi everyone,

I'm testing a wireless LAN connection using PEAP (ms-chap2-v2).
But I have problems and can't see what is incorrect.

One of the problems is that authentication using certificates doesn't
work constantly.
But after radiusd is restarted, authentication works well for a short period.

What does "EAP TLS SSL_accept result: -1, 2, 8576" in server_log mean?
What causes the problems?

So I need your help to resolve the problems.

Please give me any ideas.

Thank you in advance.

I'll describe the testing environment (including eap_peap.cfg) and the server logging.
---------------------------------------------------------------------------
(ENVIRONMENT)
	"Antenna_side"
		Cisco Aironet 1200
	"client_side"
		Windows XP HomeEdition SP1
	"server_side"
		OS:RedHat7.3(kernel-2.4.20)
		Radiator-Demo-3.6 with patches-3.6
		(latest downloaded at 4 july 2003) 
		Net_SSLeay.pm-1.23
		Digest-HMAC-1.01
		Digest-SHA1-2.02
		Digest-MD4-1.1
		openssl-0.9.7b
		perl 5.6.1 built for i386-linux
			etc.
------------------------------------
(eap_peap.cfg)

#Foreground
#LogStdout
LogDir          /var/log
#DbDir          .
AuthPort        1812
AcctPort        1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                # anonymous-PEAP must be in here:
                Filename /etc/radiator/users

                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType PEAP,MSCHAP-V2
        </AuthBy>
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
        <AuthBy FILE>
                # The username of the outer authentication
                #  must be in this file to get anywhere. In this example,
                # it requires an entry for 'anonymous' which is the standard username
                # in the outer requests, and it also requires an entry for the
                # actual user name who is trying to connect (ie the 'Login name' entered
                # in the Funk Odyssey 'Edit Profile Properties' page)
                Filename /etc/radiator/users

                # EAPType sets the EAP type(s) that Radiator will honour.
                # Options are: MD5-Challenge, One-Time-Password
                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                # Multiple types can be comma separated. With the default (most
                # preferred) type given first
                EAPType PEAP,MSCHAP-V2,LEAP

                # EAPTLS_CAFile is the name of a file of CA certificates
                # in PEM format. The file can contain several CA certificates
                # Radiator will first look in EAPTLS_CAFile then in
                # EAPTLS_CAPath, so there usually is no need to set both
                #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
                EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem

                # EAPTLS_CAPath is the name of a directory containing CA
                # certificates in PEM format. The files each contain one
                # CA certificate. The files are looked up by the CA
                # subject name hash value
#               EAPTLS_CAPath

                # EAPTLS_CertificateFile is the name of a file containing
                # the servers certificate. EAPTLS_CertificateType
                # specifies the type of the file. Can be PEM or ASN1
                # defaults to ASN1
                #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
                EAPTLS_CertificateType PEM

                # EAPTLS_PrivateKeyFile is the name of the file containing
                # the servers private key. It is sometimes in the same file
                # as the server certificate (EAPTLS_CertificateFile)
                # If the private key is encrypted (usually the case)
                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                #EAPTLS_PrivateKeyPassword whatever
                EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
                EAPTLS_PrivateKeyPassword 1qaz2wsx

                # EAPTLS_RandomFile is an optional file containing
                # randomness
#               EAPTLS_RandomFile %D/certificates/random

                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                # size that will be replied by Radiator. It must be small
                # enough to fit in a single Radius request (ie less than 4096)
                # and still leave enough space for other attributes
                # Aironet APs seem to need a smaller MaxFragmentSize
                # (eg 1024) than the default of 2048
                EAPTLS_MaxFragmentSize 1024

                # EAPTLS_DHFile if set specifies the DH group file. It
                # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/cert/dh


                # If EAPTLS_CRLCheck is set and the client presents a certificate
                # then Radiator will look for a certificate revocation list (CRL)
                # for the certificate issuer
                # when authenticating each client. If a CRL file is not found, or
                # if the CRL says the certificate has been revoked, the authentication will
                # fail with an error:
                #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
                # Alternatively, CRLs may follow a file naming convention:
                #  the hash of the issuer subject name
                # and a suffix that depends on the serial number.
                # eg ab1331b2.r0, ab1331b2.r1 etc.
                # You can find out the hash of the issuer name in a CRL with
                #  openssl crl -in crl.pem -hash -noout
                # CRLs with this name convention
                # will be searched in EAPTLS_CAPath, else in the openssl
                # certificates directory typically /usr/local/openssl/certs/
                # CRLs are expected to be in PEM format.
                # CRL files can be generated with openssl like this:
                #  openssl ca -gencrl -revoke cert-clt.pem
                #  openssl ca -gencrl -out crl.pem
                # Use of these flags requires Net_SSLeay-1.21 or later
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile %D/certificates/crl.pem
                #EAPTLS_CRLFile %D/certificates/revocations.pem

                # Some clients, depending on their configuration, may require you to specify
                # MPPE send and receive keys. This _will_ be required if you select
                # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
                # client Network Properties dialog.
                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                # in the final Access-Accept
                AutoMPPEKeys

                # You can enable some warning messages from the Net::SSLeay
                # module by setting SSLeayTrace to an integer from 1 to 4
                # 1=ciphers, 2=trace, 3=dump data
                SSLeayTrace 4

                # You can configure the User-Name that will be used for the inner
                # authentication. Defaults to 'anonymous'. This can be useful
                # when proxying the inner authentication. If there is a realm, it can
                # be used to choose a local Realm to handle the inner authentication.
                # %0 is replaced with the EAP identity
                # EAPAnonymous anonymous at some.other.realm

                # You can enable or disable support for TTLS Session Resumption and
                # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                # Default is enabled
                #EAPTLS_SessionResumption 0

                # You can limit how long after the initial session that a session can be resumed
                # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
                # (12 hours)
                #EAPTLS_SessionResumptionLimit 10
        </AuthBy>
</Handler>
-------------------------------------------------------
(server_log)

Thu Jul 10 22:52:27 2003: NOTICE: SIGHUP received: restarting
Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
Thu Jul 10 22:52:27 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
Thu Jul 10 22:52:27 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Jul 10 22:52:28 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
Thu Jul 10 22:52:28 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Jul 10 22:52:28 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Jul 10 22:52:28 2003: NOTICE: Server started: Radiator 3.6 on radiator-1 (EVALUATION) (EVALUATION)
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2150 ....
Code:       Access-Request
Identifier: 88
Authentic:  <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
Attributes:
        User-Name = "nagataki"
        cisco-avpair = "ssid=hotspot"
        NAS-IP-Address = 192.168.0.47
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b31"
        NAS-Identifier = "test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><199><0><13><1>nagataki
        Message-Authenticator = @<249>g<211>hf<213>)=<234>4<22>1<185><170><30>

Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 199, 13
Thu Jul 10 22:52:48 2003: DEBUG: Response type 1
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.47 port 2150 ....
Code:       Access-Challenge
Identifier: 88
Authentic:  <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
Attributes:
        EAP-Message = <1><200><0><6><25>!
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2151 ....
Code:       Access-Request
Identifier: 89
Authentic:  <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
Attributes:
        User-Name = "nagataki"
        cisco-avpair = "ssid=hotspot"
        NAS-IP-Address = 192.168.0.47
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b31"
        NAS-Identifier = "test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><200><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3>
<1>?<13>n<3>-<249>&<20>t<176><218><173>4<220><218><146><165><136><252>l<16><7>/<
135>'o<25>cg<227><236><19> u<217><247>@<144>Q'L<168>L<165>><1><166>A<236><166>I<
130>Z<160><176><]<255><174><244><236>'o.<138><0><22><0><4><0><5><0><10><0><9><0>
d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
        Message-Authenticator = <175>%<20><176><131><25>!3=<178><247><27><31><17
9>Xc

Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 200, 112
Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.47 port 2151 ....
Code:       Access-Challenge
Identifier: 89
Authentic:  <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
Attributes:
        EAP-Message = <1><201><4><10><25><192><0><0><4><236><22><3><1><0>J<2><0>
<0>F<3><1>?<13>o<176>Hgc<171>#z<250><201><175><13>\p<224>8<210>j<246>h<246>(<147
>S<148>]<193>H<14><183> <147>\vQ<17>$<252><227><161><216>ZVu<22>K<180>(!<191>H<2
16>QNc<181>(@<230>e<195><29>_<0><4><0><22><3><1><3><235><11><0><3><231><0><3><22
8><0><3><225>0<130><3><221>0<130><3>F<160><3><2><1><2><2><1><1>0<13><6><9>*<134>
H<134><247><13><1><1><4><5><0>0<129><150>1<11>0<9><6><3>U<4><6><19><2>JP1<14>0<1
2><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3>U<4><7><19><5>Osaka1<18>0<16><6><3>U<
4><10><19><9>NRINetcom1<17>0<15><6><3>U<4><11><19><8>Internet1<27>0<25><6><3>U<4
><3><19><18>ACS03.netcom.ad.jp1#
        EAP-Message = 0!<6><9>*<134>H<134><247><13><1><9><1><22><20>nagataki at nri
-net.com0<30><23><13>030630053113Z<23><13>040629053113Z0<129><150>1<11>0<9><6><3
>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3>U<4><7><19><
5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15><6><3>U<4><11><19><8>In
ternet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0!<6><9>*<134>H<134><24
7><13><1><9><1><22><20>nagataki at nri-net.com0<129><159>0<13><6><9>*<134>H<134><24
7><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><236>a<215>E
        EAP-Message = <190>P<186>B<164><237><173>g<197>d(<187>XdR<252>&$g-><172>
(*<246>+<144><20><209><252><220><28><132>CVW<21>eTl<156><225><178><192><196><194
><30>w<175>t<169><191>{<222><173>L<237><3><221><5>>QG<209>jA<168><226>A<128><235
>a<239>to<17>G<199>P<31>1<198><157><168><175><197><200><233><178>B/R<<222><133>Y
<196><188>/<250><198><238><199><159><169>0<12><2><232><30>`J<139><4><144>&<183><
160>nE<18><191>u<223><2><3><1><0><1><163><130><1>70<130><1>30<19><6><3>U<29>%<4>
<12>0<10><6><8>+<6><1><5><5><7><3><1>0<9><6><3>U<29><19><4><2>0<0>0,<6><9>`<134>
H<1><134><248>B<1><13><4><31><22><29>OpenSSL Generated Certificate0<29><6><3>U<2
9><14><4><22><4><20>eZ<255><236>Z<189><146><4><185><252>O<165>$<237><28>~<128><2
17><176>J0<129><195><6><3>U<29>
        EAP-Message = #<4><129><187>0<129><184><128><20><166><16><130><186><13>z
<29><214><193>%<156><17><153><192><157>Qx+<31>z<161><129><156><164><129><153>0<1
29><150>1<11>0<9><6><3>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0
<12><6><3>U<4><7><19><5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15><
6><3>U<4><11><19><8>Internet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0
!<6><9>*<134>H<134><247><13><1><9><1><22><20>nagataki at nri-net.com<130><1><0>0<13
><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0>,<25>w<242><239><188>
5<139>W@#'<174><178>E<232><184><231><220>^2C<174><233>4<25><233>92J<206><14><155
><226>}<4><202>+<18><229><252><236><232>
        EAP-Message = IO<231>-<155>fv<26><159>[e<7><8><4>r<188><17>(4<221><157>R
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2152 ....
Code:       Access-Request
Identifier: 90
Authentic:  <170><217>(? _a<1>9<236><206>U<154><26>J<
Attributes:
        User-Name = "nagataki"
        cisco-avpair = "ssid=hotspot"
        NAS-IP-Address = 192.168.0.47
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b31"
        NAS-Identifier = "test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><201><0><6><25><0>
        Message-Authenticator = u <181><182><231><153>s<166><135>|XT<132>p<141>~

Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 201, 6
Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.47 port 2152 ....
Code:       Access-Challenge
Identifier: 90
Authentic:  <170><217>(? _a<1>9<236><206>U<154><26>J<
Attributes:
        EAP-Message = <1><202><0><242><25><0> <6>EF<24><2><157><30><150>|<11>L<2
41><213><174>y<168>(<218>5<216><253><165><165><159><232><0><221><185> e<185>J<27
><3>Lt<159><23>~F{J.<218><19><237><196><201><8><150>z<30><194><171><237><195><22
7><16>8CO%<22><3><1><0><168><13><0><0><160><2><1><2><0><155><0><153>0<129><150>1
<11>0<9><6><3>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3
>U<4><7><19><5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15><6><3>U<4>
<11><19><8>Internet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0!<6><9>*<
134>H<134><247><13><1><9><1><22><20>nagataki at nri-net.com<14><0><0><0>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
*** Received from 192.168.0.47 port 2153 ....
Code:       Access-Request
Identifier: 91
Authentic:  7<30>#Lb<24><204><189>-%~<187>[<22>N%
Attributes:
        User-Name = "nagataki"
        cisco-avpair = "ssid=hotspot"
        NAS-IP-Address = 192.168.0.47
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b31"
        NAS-Identifier = "test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><202><0><199><25><128><0><0><0><189><22><3><1><0><141><
11><0><0><3><0><0><0><16><0><0><130><0><128><10>/n<4><252><252>KZ,<14><167><177>
A<143><130><226>P<175><240><219>{7<245><217><215><165><192><132>O<207><218><137>
@i<141><222>`<159>K<2>A<7>"<142><189><232><197><250>:A<231><235><245>=v<146><250
> \<212><178><247>9<220>t-<163><193>v<227><189>M<177>RL<173>w<27>`1<17>0p<227><1
3>"'<153>Cn<196><227>f<243><3><12><228>[%<28><130><195><149>Ah<170>Y<23><31><12>
<184><239>rB<210>9<164><195><27><152><203>S<210>]<163>i<187><243><20><3><1><0><1
><1><22><3><1><0> <150>?h<22><185>L<192><242><233><31><16><10><191><225>5<218><2
0>a<142>2q<218><229><26>/<252>Zi<211>j<2><228>
        Message-Authenticator = k<163>5M<251>,<235><134><251><190>V<207><130><15
0><31><221>

Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 202, 199
Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:

----------------------------------------------------------

Best Regards.

Masa
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
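
The `<n>` dump notation and the `SSL_accept result` lines in the server_log above can be decoded mechanically. The Python below is an added example, not part of the original post and not Radiator's code; the function names are made up here, and it assumes the three logged numbers are the SSL_accept() return value, the SSL_get_error() code and the OpenSSL handshake state, in that order.

```python
import re

# Radiator's packet dump prints printable bytes literally and every other
# byte as <decimal>. Values above 255 cannot be a byte, so they stay literal.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)

def undump(text):
    """Turn dump notation such as '<2><200><0>p<25>' back into bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1) and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
        else:
            out.extend(m.group(0).encode("latin-1"))
    return bytes(out)

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone"}

def parse_eap(pkt):
    """Decode the EAP header and, for TLS-based types, the fragment flags."""
    info = {"code": EAP_CODE.get(pkt[0], pkt[0]), "id": pkt[1],
            "length": int.from_bytes(pkt[2:4], "big")}
    if pkt[0] not in (1, 2) or len(pkt) < 5:
        return info
    info["type"] = EAP_TYPE.get(pkt[4], pkt[4])
    if pkt[4] not in (13, 21, 25) or len(pkt) < 6:
        return info
    flags, body = pkt[5], pkt[6:]
    info["start"] = bool(flags & 0x20)            # S bit
    info["more_fragments"] = bool(flags & 0x40)   # M bit
    if flags & 0x80:                              # L bit: first fragment
        info["tls_total"] = int.from_bytes(body[:4], "big")
        body = body[4:]
        if len(body) >= 6 and body[0] == 22:      # TLS handshake record
            info["handshake"] = HANDSHAKE.get(body[5], body[5])
    # TLS bytes carried by this packet, computed from the declared EAP length
    # so that truncated samples still give the right figure.
    info["fragment_bytes"] = info["length"] - (len(pkt) - len(body))
    return info

# OpenSSL constants from ssl.h / ssl3.h of the 0.9.x series named on the page.
SSL_ERROR = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL",
             2: "SSL_ERROR_WANT_READ", 3: "SSL_ERROR_WANT_WRITE"}
SSL_STATE = {0x03: "SSL_ST_OK", 0x2180: "SSL3_ST_SR_CERT_A"}

def explain_accept(line):
    """Assumption: fields are SSL_accept() return, SSL_get_error(), state."""
    m = re.search(r"SSL_accept result: (-?\d+), (\d+), (\d+)", line)
    if not m:
        raise ValueError("not an SSL_accept result line")
    ret, err, state = map(int, m.groups())
    return {"error": SSL_ERROR.get(err, err),
            "state": SSL_STATE.get(state, hex(state)),
            "handshake_done": ret == 1 and err == 0,
            "waiting_for_peer": ret < 0 and err in (2, 3)}

# Leading bytes of EAP-Message attributes copied from the server_log above
# (payloads truncated here; only the headers are decoded).
SAMPLES = [
    ("client", "<2><199><0><13><1>nagataki"),
    ("client", "<2><200><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]"),
    ("server", "<1><201><4><10><25><192><0><0><4><236><22><3><1><0>J<2><0>"),
    ("client", "<2><201><0><6><25><0>"),
    ("server", "<1><202><0><242><25><0> <6>EF"),
]

if __name__ == "__main__":
    for who, dump in SAMPLES:
        print(who, parse_eap(undump(dump)))
    for line in ("EAP TLS SSL_accept result: -1, 2, 8576",
                 "EAP TLS SSL_accept result: 1, 0, 3"):
        print(line, "->", explain_accept(line))
```

On these excerpts the server's 1260-byte handshake flight is split into 1024 + 236 bytes, matching `EAPTLS_MaxFragmentSize 1024`, with an empty client packet acknowledging the first fragment. Under the stated assumption, `-1, 2, 8576` is SSL_ERROR_WANT_READ in state SSL3_ST_SR_CERT_A (the server waiting for the client's next handshake messages), and `1, 0, 3` is a completed handshake.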