(RADIATOR) TLS problem?

Hugh Irvine hugh at open.com.au
Thu Jul 10 17:19:40 CDT 2003


Hello Masa -

Thanks for the configuration and log file.

It looks like Radiator is crashing and restarting, so could you also  
run radiusd from the command line to capture the Perl error message?

	perl radiusd -foreground -log_stdout -trace 4 -config_file .....

I have copied this mail to Mike, but he is away at the moment so we may  
not be able to fix the problem until next week.

regards

Hugh


On Friday, Jul 11, 2003, at 02:49 Australia/Melbourne,  
nagataki at nri-net.com wrote:

> Hi everyone,
>
> I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2).
> But I have problems and can't see what is incorrect.
>
> One of the problems is that authentication using certificates
> doesn't work consistently.
> But after radiusd is restarted, authentication works well for a short
> period.
>
> What does "EAP TLS SSL_accept result: -1, 2, 8576" in server_log mean?
> What causes the problems?
>
> So I need your help resolving these problems.
>
> Please give me any ideas.
>
> Thank you in advance.
>
> I'll describe the testing environment (including eap_peap.cfg) and
> server logging.
> -----------------------------------------------------------------------
> (ENVIRONMENT)
> 	"Antenna_side"
> 		Cisco Aironet 1200
> 	"client_side"
> 		Windows XP HomeEdition SP1
> 	"server_side"
> 		OS:RedHat7.3(kernel-2.4.20)
> 		Radiator-Demo-3.6 with patches-3.6
> 		(latest downloaded on 4 July 2003)
> 		Net_SSLeay.pm-1.23
> 		Digest-HMAC-1.01
> 		Digest-SHA1-2.02
> 		Digest-MD4-1.1
> 		openssl-0.9.7b
> 		perl 5.6.1 built for i386-linux
> 			etc.
> ------------------------------------
> (eap_peap.cfg)
>
> #Foreground
> #LogStdout
> LogDir          /var/log
> #DbDir          .
> AuthPort        1812
> AcctPort        1813
> DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> # Use a lower trace level in production systems:
> Trace           4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         <AuthBy FILE>
>                 # anonymous-PEAP must be in here:
>                 Filename /etc/radiator/users
>
>                 # This tells the PEAP client what types of inner EAP requests
>                 # we will honour
>                 EAPType PEAP,MSCHAP-V2
>         </AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> # inner authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be
> # used to select a specific handler, or else you can use EAPAnonymous
> # to set a username and realm which can be used to select a Realm
> # clause for the inner request.
> # This allows you to select an inner authentication method based on
> # Realm, and/or the fact that they were tunnelled. You can therefore
> # act just as a PEAP server, or also act as the AAA/H home server, and
> # authenticate PEAP requests locally or proxy them to another remote
> # server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
> <Handler>
>         <AuthBy FILE>
>                 # The username of the outer authentication
>                 # must be in this file to get anywhere. In this example,
>                 # it requires an entry for 'anonymous' which is the
>                 # standard username in the outer requests, and it also
>                 # requires an entry for the actual user name who is
>                 # trying to connect (ie the 'Login name' entered
>                 # in the Funk Odyssey 'Edit Profile Properties' page
>                 Filename /etc/radiator/users
>
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the
>                 # default (most preferred) type given first
>                 EAPType PEAP,MSCHAP-V2,LEAP
>
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA certificates
>                 # Radiator will first look in EAPTLS_CAFile then in
>                 # EAPTLS_CAPath, so there usually is no need to set both
>                 #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
>                 EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem
>
>                 # EAPTLS_CAPath is the name of a directory containing CA
>                 # certificates in PEM format. The files each contain one
>                 # CA certificate. The files are looked up by the CA
>                 # subject name hash value
> #               EAPTLS_CAPath
>
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # the server's certificate. EAPTLS_CertificateType
>                 # specifies the type of the file. Can be PEM or ASN1
>                 # defaults to ASN1
>                 #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the server's private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 #EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword 1qaz2wsx
>
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
> #               EAPTLS_RandomFile %D/certificates/random
>
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # enough to fit in a single Radius request (ie less than 4096)
>                 # and still leave enough space for other attributes
>                 # Aironet APs seem to need a smaller MaxFragmentSize
>                 # (eg 1024) than the default of 2048
>                 EAPTLS_MaxFragmentSize 1024
>
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
>
>
>                 # If EAPTLS_CRLCheck is set and the client presents a certificate
>                 # then Radiator will look for a certificate revocation list (CRL)
>                 # for the certificate issuer
>                 # when authenticating each client. If a CRL file is not found, or
>                 # if the CRL says the certificate has been revoked, the
>                 # authentication will fail with an error:
>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                 # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #  the hash of the issuer subject name
>                 # and a suffix that depends on the serial number.
>                 # eg ab1331b2.r0, ab1331b2.r1 etc.
>                 # You can find out the hash of the issuer name in a CRL with
>                 #  openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 # certificates directory typically /usr/local/openssl/certs/
>                 # CRLs are expected to be in PEM format.
>                 # CRL files can be generated with openssl like this:
>                 #  openssl ca -gencrl -revoke cert-clt.pem
>                 #  openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>                 # Some clients, depending on their configuration, may require
>                 # you to specify MPPE send and receive keys. This _will_ be
>                 # required if you select 'Keys will be generated automatically
>                 # for data privacy' in the Funk Odyssey
>                 # client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
>
>                 # You can enable some warning messages from the Net::SSLeay
>                 # module by setting SSLeayTrace to an integer from 1 to 4
>                 # 1=ciphers, 2=trace, 3=dump data
>                 SSLeayTrace 4
>
>                 # You can configure the User-Name that will be used for the
>                 # inner authentication. Defaults to 'anonymous'. This can be
>                 # useful when proxying the inner authentication. If there is
>                 # a realm, it can be used to choose a local Realm to handle
>                 # the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous anonymous at some.other.realm
>
>                 # You can enable or disable support for TTLS Session Resumption
>                 # and PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>                 # Default is enabled
>                 #EAPTLS_SessionResumption 0
>
>                 # You can limit how long after the initial session that a
>                 # session can be resumed with EAPTLS_SessionResumptionLimit
>                 # (time in seconds). Defaults to 43200
>                 # (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>         </AuthBy>
> </Handler>
> -------------------------------------------------------
> (server_log)
>
> Thu Jul 10 22:52:27 2003: NOTICE: SIGHUP received: restarting
> Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
> Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
> Thu Jul 10 22:52:27 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
> Thu Jul 10 22:52:27 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Thu Jul 10 22:52:28 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
> Thu Jul 10 22:52:28 2003: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Jul 10 22:52:28 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jul 10 22:52:28 2003: NOTICE: Server started: Radiator 3.6 on radiator-1 (EVALUATION) (EVALUATION)
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.47 port 2150 ....
> Code:       Access-Request
> Identifier: 88
> Authentic:  <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
> Attributes:
>         User-Name = "nagataki"
>         cisco-avpair = "ssid=hotspot"
>         NAS-IP-Address = 192.168.0.47
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b31"
>         NAS-Identifier = "test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><199><0><13><1>nagataki
>         Message-Authenticator = @<249>g<211>hf<213>)=<234>4<22>1<185><170><30>
>
> Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 199, 13
> Thu Jul 10 22:52:48 2003: DEBUG: Response type 1
> Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.47 port 2150 ....
> Code:       Access-Challenge
> Identifier: 88
> Authentic:  <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
> Attributes:
>         EAP-Message = <1><200><0><6><25>!
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.47 port 2151 ....
> Code:       Access-Request
> Identifier: 89
> Authentic:  <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
> Attributes:
>         User-Name = "nagataki"
>         cisco-avpair = "ssid=hotspot"
>         NAS-IP-Address = 192.168.0.47
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b31"
>         NAS-Identifier = "test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message =  
> <2><200><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3>
> <1>?<13>n<3>- 
> <249>&<20>t<176><218><173>4<220><218><146><165><136><252>l<16><7>/<
> 135>'o<25>cg<227><236><19>  
> u<217><247>@<144>Q'L<168>L<165>><1><166>A<236><166>I<
> 130>Z<160><176><]<255><174><244><236>'o.<138><0><22><0><4><0><5><0><10> 
> <0><9><0>
> d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>         Message-Authenticator =  
> <175>%<20><176><131><25>!3=<178><247><27><31><17
> 9>Xc
>
> Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 200, 112
> Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.47 port 2151 ....
> Code:       Access-Challenge
> Identifier: 89
> Authentic:  <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
> Attributes:
>         EAP-Message =  
> <1><201><4><10><25><192><0><0><4><236><22><3><1><0>J<2><0>
> <0>F<3><1>?<13>o<176>Hgc<171>#z<250><201><175><13>\p<224>8<210>j<246>h< 
> 246>(<147
>> S<148>]<193>H<14><183>  
>> <147>\vQ<17>$<252><227><161><216>ZVu<22>K<180>(!<191>H<2
> 16>QNc<181>(@<230>e<195><29>_<0><4><0><22><3><1><3><235><11><0><3><231> 
> <0><3><22
> 8><0><3><225>0<130><3><221>0<130><3>F<160><3><2><1><2><2><1><1>0<13><6> 
> <9>*<134>
> H<134><247><13><1><1><4><5><0>0<129><150>1<11>0<9><6><3>U<4><6><19><2>J 
> P1<14>0<1
> 2><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3>U<4><7><19><5>Osaka1<18>0<16 
> ><6><3>U<
> 4><10><19><9>NRINetcom1<17>0<15><6><3>U<4><11><19><8>Internet1<27>0<25> 
> <6><3>U<4
>> <3><19><18>ACS03.netcom.ad.jp1#
>         EAP-Message =  
> 0!<6><9>*<134>H<134><247><13><1><9><1><22><20>nagataki at nri
> - 
> net.com0<30><23><13>030630053113Z<23><13>040629053113Z0<129><150>1<11>0 
> <9><6><3
>> U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3>U<4 
>> ><7><19><
> 5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15><6><3>U<4><11> 
> <19><8>In
> ternet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0!<6><9>*<134> 
> H<134><24
> 7><13><1><9><1><22><20>nagataki at nri- 
> net.com0<129><159>0<13><6><9>*<134>H<134><24
> 7><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><236>a< 
> 215>E
>         EAP-Message =  
> <190>P<186>B<164><237><173>g<197>d(<187>XdR<252>&$g-><172>
> (*<246>+<144><20><209><252><220><28><132>CVW<21>eTl<156><225><178><192> 
> <196><194
>> <30>w<175>t<169><191>{<222><173>L<237><3><221><5>>QG<209>jA<168><226>A 
>> <128><235
>> a<239>to<17>G<199>P<31>1<198><157><168><175><197><200><233><178>B/ 
>> R<<222><133>Y
> <196><188>/ 
> <250><198><238><199><159><169>0<12><2><232><30>`J<139><4><144>&<183><
> 160>nE<18><191>u<223><2><3><1><0><1><163><130><1>70<130><1>30<19><6><3> 
> U<29>%<4>
> <12>0<10><6><8>+<6><1><5><5><7><3><1>0<9><6><3>U<29><19><4><2>0<0>0,<6> 
> <9>`<134>
> H<1><134><248>B<1><13><4><31><22><29>OpenSSL Generated  
> Certificate0<29><6><3>U<2
> 9><14><4><22><4><20>eZ<255><236>Z<189><146><4><185><252>O<165>$<237><28 
> >~<128><2
> 17><176>J0<129><195><6><3>U<29>
>         EAP-Message =  
> #<4><129><187>0<129><184><128><20><166><16><130><186><13>z
> <29><214><193>%<156><17><153><192><157>Qx+<31>z<161><129><156><164><129 
> ><153>0<1
> 29><150>1<11>0<9><6><3>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Os 
> aka1<14>0
> <12><6><3>U<4><7><19><5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1< 
> 17>0<15><
> 6><3>U<4><11><19><8>Internet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom 
> .ad.jp1#0
> !<6><9>*<134>H<134><247><13><1><9><1><22><20>nagataki at nri- 
> net.com<130><1><0>0<13
>> <6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0>,<25>w<242>< 
>> 239><188>
> 5<139>W@#'<174><178>E<232><184><231><220>^2C<174><233>4<25><233>92J<206 
> ><14><155
>> <226>}<4><202>+<18><229><252><236><232>
>         EAP-Message =  
> IO<231>-<155>fv<26><159>[e<7><8><4>r<188><17>(4<221><157>R
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.47 port 2152 ....
> Code:       Access-Request
> Identifier: 90
> Authentic:  <170><217>(? _a<1>9<236><206>U<154><26>J<
> Attributes:
>         User-Name = "nagataki"
>         cisco-avpair = "ssid=hotspot"
>         NAS-IP-Address = 192.168.0.47
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b31"
>         NAS-Identifier = "test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><201><0><6><25><0>
>         Message-Authenticator = u  
> <181><182><231><153>s<166><135>|XT<132>p<141>~
>
> Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 201, 6
> Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.47 port 2152 ....
> Code:       Access-Challenge
> Identifier: 90
> Authentic:  <170><217>(? _a<1>9<236><206>U<154><26>J<
> Attributes:
>         EAP-Message = <1><202><0><242><25><0>  
> <6>EF<24><2><157><30><150>|<11>L<2
> 41><213><174>y<168>(<218>5<216><253><165><165><159><232><0><221><185>  
> e<185>J<27
>> <3>Lt<159><23>~F{J.<218><19><237><196><201><8><150>z<30><194><171><237 
>> ><195><22
> 7><16>8CO%<22><3><1><0><168><13><0><0><160><2><1><2><0><155><0><153>0<1 
> 29><150>1
> <11>0<9><6><3>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0 
> <12><6><3
>> U<4><7><19><5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15>< 
>> 6><3>U<4>
> <11><19><8>Internet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0 
> !<6><9>*<
> 134>H<134><247><13><1><9><1><22><20>nagataki at nri-net.com<14><0><0><0>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.47 port 2153 ....
> Code:       Access-Request
> Identifier: 91
> Authentic:  7<30>#Lb<24><204><189>-%~<187>[<22>N%
> Attributes:
>         User-Name = "nagataki"
>         cisco-avpair = "ssid=hotspot"
>         NAS-IP-Address = 192.168.0.47
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b31"
>         NAS-Identifier = "test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message =  
> <2><202><0><199><25><128><0><0><0><189><22><3><1><0><141><
> 11><0><0><3><0><0><0><16><0><0><130><0><128><10>/ 
> n<4><252><252>KZ,<14><167><177>
> A<143><130><226>P<175><240><219>{7<245><217><215><165><192><132>O<207>< 
> 218><137>
> @i<141><222>`<159>K<2>A<7>"<142><189><232><197><250>:A<231><235><245>=v 
> <146><250
>> \<212><178><247>9<220>t- 
>> <163><193>v<227><189>M<177>RL<173>w<27>`1<17>0p<227><1
> 3>"'<153>Cn<196><227>f<243><3><12><228>[%<28><130><195><149>Ah<170>Y<23 
> ><31><12>
> <184><239>rB<210>9<164><195><27><152><203>S<210>]<163>i<187><243><20><3 
> ><1><0><1
>> <1><22><3><1><0>  
>> <150>?h<22><185>L<192><242><233><31><16><10><191><225>5<218><2
> 0>a<142>2q<218><229><26>/<252>Zi<211>j<2><228>
>         Message-Authenticator =  
> k<163>5M<251>,<235><134><251><190>V<207><130><15
> 0><31><221>
>
> Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 202, 199
> Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
>
> ----------------------------------------------------------
>
> Best Regards.
>
> Masa

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
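Added example, not Radiator's own code and not part of the thread: a small triage helper for trace-4 logs like the one above. It assumes the three numbers Radiator 3.x prints after "EAP TLS SSL_accept result" are the SSL_accept return value, SSL_get_error() and the OpenSSL handshake state, so that "-1, 2, 8576" (WANT_READ while the server waits in SSL3_ST_SR_CERT_A for the client's next fragment) is reported as a normal in-progress step rather than a failure, and it counts "SIGHUP received: restarting" lines so a restart loop is visible; the state table is a partial transcription of OpenSSL 0.9.x ssl3.h and the sample log is constructed from the thread plus one made-up failing line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# SSL_get_error() return codes (OpenSSL ssl.h).
SSL_ERRORS = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",
    6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT",
}

# Partial transcription of the server-side handshake states in OpenSSL 0.9.x
# ssl3.h (SSL_ST_ACCEPT is 0x2000); states not listed are shown in hex.
# Check against the ssl3.h of the OpenSSL build actually in use.
SSL_ST_ACCEPT = 0x2000
SSL3_STATES = {
    0x03: "SSL_ST_OK",
    SSL_ST_ACCEPT | 0x100: "SSL3_ST_SW_FLUSH",
    SSL_ST_ACCEPT | 0x110: "SSL3_ST_SR_CLNT_HELLO_A",
    SSL_ST_ACCEPT | 0x130: "SSL3_ST_SW_SRVR_HELLO_A",
    SSL_ST_ACCEPT | 0x140: "SSL3_ST_SW_CERT_A",
    SSL_ST_ACCEPT | 0x170: "SSL3_ST_SW_SRVR_DONE_A",
    SSL_ST_ACCEPT | 0x180: "SSL3_ST_SR_CERT_A",  # 8576: waiting for the client's next flight
}

SSL_ACCEPT_RE = re.compile(
    r"^(?P<ts>.+?): DEBUG: EAP TLS SSL_accept result: "
    r"(?P<ret>-?\d+), (?P<err>\d+), (?P<state>\d+)\s*$")
EAP_RE = re.compile(r"DEBUG: Handling with EAP: code (\d+), (\d+), (\d+)")
RESTART_MARK = "NOTICE: SIGHUP received: restarting"


@dataclass
class HandshakeStep:
    timestamp: str
    eap_id: Optional[int]   # identifier of the EAP packet that carried this fragment
    ret: int
    error: str
    state: str
    verdict: str            # "complete", "in-progress" or "failed"


def decode_ssl_accept(line: str, eap_id: Optional[int] = None) -> Optional[HandshakeStep]:
    """Decode one 'EAP TLS SSL_accept result: R, E, S' line; None if it is not one."""
    m = SSL_ACCEPT_RE.match(line)
    if not m:
        return None
    ret, err, state = int(m["ret"]), int(m["err"]), int(m["state"])
    if ret == 1:
        verdict = "complete"        # handshake finished, e.g. "1, 0, 3"
    elif err in (2, 3):
        verdict = "in-progress"     # WANT_READ/WANT_WRITE: more fragments to come, not an error
    else:
        verdict = "failed"          # SSL_ERROR_SSL, SYSCALL, ...: a real handshake failure
    return HandshakeStep(m["ts"], eap_id, ret,
                         SSL_ERRORS.get(err, f"unknown({err})"),
                         SSL3_STATES.get(state, f"0x{state:x}"), verdict)


def triage(lines: List[str]) -> dict:
    """Walk a trace-4 log: decode every handshake step and count restarts."""
    steps, restarts, last_eap_id = [], 0, None
    for line in lines:
        if RESTART_MARK in line:
            restarts += 1
            last_eap_id = None
            continue
        m = EAP_RE.search(line)
        if m:
            last_eap_id = int(m.group(2))   # EAP identifier of the request being handled
            continue
        step = decode_ssl_accept(line, last_eap_id)
        if step:
            steps.append(step)
    return {
        "steps": steps,
        "restarts": restarts,
        "failed": [s for s in steps if s.verdict == "failed"],
        "completed": sum(1 for s in steps if s.verdict == "complete"),
    }


# Constructed sample: lines taken from the thread's server_log, plus one
# made-up failing line at the end to show what a real TLS error looks like.
SAMPLE_LOG = """\
Thu Jul 10 22:52:27 2003: NOTICE: SIGHUP received: restarting
Thu Jul 10 22:52:28 2003: NOTICE: Server started: Radiator 3.6 on radiator-1 (EVALUATION)
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 200, 112
Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 202, 199
Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Thu Jul 10 22:53:05 2003: DEBUG: Handling with EAP: code 2, 210, 6
Thu Jul 10 22:53:05 2003: DEBUG: EAP TLS SSL_accept result: -1, 1, 8576
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"restarts: {report['restarts']}, completed handshakes: {report['completed']}")
    for s in report["steps"]:
        print(f"{s.timestamp} EAP id {s.eap_id}: {s.error} in {s.state} -> {s.verdict}")
```

Run it over a real trace 4 log with `triage(open(path).read().splitlines())`; a run of in-progress steps that never reaches a "complete" step, or a growing restart count, is what to look for.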

