(RADIATOR) TLS problem?

nagataki at nri-net.com nagataki at nri-net.com
Thu Jul 10 22:39:24 CDT 2003


Hi Hugh

Thank you for your quick reply.

> It looks like Radiator is crashing and restarting, so could you also  
> run radiusd from the command line to capture the Perl error message?
> 
> 	perl radiusd -foreground -log_stdout -trace 4 -config_file .....

I ran radiusd from the command line, but no Perl error message appeared
on stdout.

The log messages are the same as those below.

Regards.

Masa

> > Hi everyone,
> >
> > I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2).
> > But I have problems and can't see what is incorrect.
> >
> > One of the problems is that authentication using certificates doesn't
> > work consistently.
> > But after radiusd is restarted, authentication works well for a short
> > period.
> >
> > What does "EAP TLS SSL_accept result: -1, 2, 8576" in server_log mean?
> > What causes the problems?
> >
> > So I need your help to resolve the problems.
> >
> > Please give me any ideas.
> >
> > Thank you in advance.
> >
> > I'll describe the testing environment (including eap_peap.cfg) and the
> > server log.
> > ---------------------------------------------------------------------------
> > (ENVIRONMENT)
> > 	"Antenna_side"
> > 		Cisco Aironet 1200
> > 	"client_side"
> > 		Windows XP HomeEdition SP1
> > 	"server_side"
> > 		OS:RedHat7.3(kernel-2.4.20)
> > 		Radiator-Demo-3.6 with patches-3.6
> > 		(latest, downloaded on 4 July 2003)
> > 		Net_SSLeay.pm-1.23
> > 		Digest-HMAC-1.01
> > 		Digest-SHA1-2.02
> > 		Digest-MD4-1.1
> > 		openssl-0.9.7b
> > 		perl 5.6.1 built for i386-linux
> > 			etc.
> > ------------------------------------
> > (eap_peap.cfg)
> >
> > #Foreground
> > #LogStdout
> > LogDir          /var/log
> > #DbDir          .
> > AuthPort        1812
> > AcctPort        1813
> > DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> > # Use a lower trace level in production systems:
> > Trace           4
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client DEFAULT>
> >         Secret  mysecret
> >         DupInterval 0
> > </Client>
> >
> > # This is where we authenticate a PEAP inner request, which will be an EAP
> > # request. The username of the inner request will be anonymous, although
> > # the identity of the EAP request will be the real username we are
> > # trying to authenticate.
> > <Handler TunnelledByPEAP=1>
> >         <AuthBy FILE>
> >                 # anonymous-PEAP must be in here:
> >                 Filename /etc/radiator/users
> >
> >                 # This tells the PEAP client what types of inner EAP requests
> >                 # we will honour
> >                 EAPType PEAP,MSCHAP-V2
> >         </AuthBy>
> > </Handler>
> >
> >
> > # The original PEAP request from a NAS will be sent to a matching
> > # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> > # extracted.
> > # The inner authentication request will be sent again to a matching
> > # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> > # a specific handler, or else you can use EAPAnonymous to set a username and realm
> > # which can be used to select a Realm clause for the inner request.
> > # This allows you to select an inner authentication method based on Realm, and/or the
> > # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> > # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> > # them to another remote server based on the realm of the inner authentication request.
> > # In this basic example, both the inner and outer authentication are authenticated
> > # from a file by AuthBy FILE
> > <Handler>
> >         <AuthBy FILE>
> >                 # The username of the outer authentication
> >                 #  must be in this file to get anywhere. In this example,
> >                 # it requires an entry for 'anonymous' which is the standard username
> >                 # in the outer requests, and it also requires an entry for the
> >                 # actual user name who is trying to connect (ie the 'Login name' entered
> >                 # in the Funk Odyssey 'Edit Profile Properties' page
> >                 Filename /etc/radiator/users
> >
> >                 # EAPType sets the EAP type(s) that Radiator will honour.
> >                 # Options are: MD5-Challenge, One-Time-Password
> >                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> >                 # Multiple types can be comma separated. With the default (most
> >                 # preferred) type given first
> >                 EAPType PEAP,MSCHAP-V2,LEAP
> >
> >                 # EAPTLS_CAFile is the name of a file of CA certificates
> >                 # in PEM format. The file can contain several CA certificates
> >                 # Radiator will first look in EAPTLS_CAFile then in
> >                 # EAPTLS_CAPath, so there usually is no need to set both
> >                 #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> >                 #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
> >                 EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem
> >
> >                 # EAPTLS_CAPath is the name of a directory containing CA
> >                 # certificates in PEM format. The files each contain one
> >                 # CA certificate. The files are looked up by the CA
> >                 # subject name hash value
> > #               EAPTLS_CAPath
> >
> >                 # EAPTLS_CertificateFile is the name of a file containing
> >                 # the server's certificate. EAPTLS_CertificateType
> >                 # specifies the type of the file. Can be PEM or ASN1
> >                 # defaults to ASN1
> >                 #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> >                 EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
> >                 EAPTLS_CertificateType PEM
> >
> >                 # EAPTLS_PrivateKeyFile is the name of the file containing
> >                 # the server's private key. It is sometimes in the same file
> >                 # as the server certificate (EAPTLS_CertificateFile)
> >                 # If the private key is encrypted (usually the case)
> >                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> >                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> >                 #EAPTLS_PrivateKeyPassword whatever
> >                 EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
> >                 EAPTLS_PrivateKeyPassword 1qaz2wsx
> >
> >                 # EAPTLS_RandomFile is an optional file containing
> >                 # randomness
> > #               EAPTLS_RandomFile %D/certificates/random
> >
> >                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> >                 # size that will be replied by Radiator. It must be small
> >                 # enough to fit in a single Radius request (ie less than 4096)
> >                 # and still leave enough space for other attributes
> >                 # Aironet APs seem to need a smaller MaxFragmentSize
> >                 # (eg 1024) than the default of 2048
> >                 EAPTLS_MaxFragmentSize 1024
> >
> >                 # EAPTLS_DHFile if set specifies the DH group file. It
> >                 # may be required if you need to use ephemeral DH keys.
> > #               EAPTLS_DHFile %D/certificates/cert/dh
> >
> >
> >                 # If EAPTLS_CRLCheck is set and the client presents a certificate
> >                 # then Radiator will look for a certificate revocation list (CRL)
> >                 # for the certificate issuer
> >                 # when authenticating each client. If a CRL file is not found, or
> >                 # if the CRL says the certificate has been revoked, the authentication will
> >                 # fail with an error:
> >                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> >                 # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> >                 # Alternatively, CRLs may follow a file naming convention:
> >                 #  the hash of the issuer subject name
> >                 # and a suffix that depends on the serial number.
> >                 # eg ab1331b2.r0, ab1331b2.r1 etc.
> >                 # You can find out the hash of the issuer name in a CRL with
> >                 #  openssl crl -in crl.pem -hash -noout
> >                 # CRLs with this name convention
> >                 # will be searched in EAPTLS_CAPath, else in the openssl
> >                 # certificates directory typically /usr/local/openssl/certs/
> >                 # CRLs are expected to be in PEM format.
> >                 # CRL files can be generated with openssl like this:
> >                 #  openssl ca -gencrl -revoke cert-clt.pem
> >                 #  openssl ca -gencrl -out crl.pem
> >                 # Use of these flags requires Net_SSLeay-1.21 or later
> >                 #EAPTLS_CRLCheck
> >                 #EAPTLS_CRLFile %D/certificates/crl.pem
> >                 #EAPTLS_CRLFile %D/certificates/revocations.pem
> >
> >                 # Some clients, depending on their configuration, may require you to specify
> >                 # MPPE send and receive keys. This _will_ be required if you select
> >                 # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> >                 # client Network Properties dialog.
> >                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> >                 # in the final Access-Accept
> >                 AutoMPPEKeys
> >
> >                 # You can enable some warning messages from the Net::SSLeay
> >                 # module by setting SSLeayTrace to an integer from 1 to 4
> >                 # 1=ciphers, 2=trace, 3=dump data
> >                 SSLeayTrace 4
> >
> >                 # You can configure the User-Name that will be used for the inner
> >                 # authentication. Defaults to 'anonymous'. This can be useful
> >                 # when proxying the inner authentication. If there is a realm, it can
> >                 # be used to choose a local Realm to handle the inner authentication.
> >                 # %0 is replaced with the EAP identity
> >                 # EAPAnonymous anonymous at some.other.realm
> >
> >                 # You can enable or disable support for TTLS Session Resumption and
> >                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> >                 # Default is enabled
> >                 #EAPTLS_SessionResumption 0
> >
> >                 # You can limit how long after the initial session that a session can be resumed
> >                 # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> >                 # (12 hours)
> >                 #EAPTLS_SessionResumptionLimit 10
> >         </AuthBy>
> > </Handler>
> > -------------------------------------------------------
> > (server_log)
> >
> > Thu Jul 10 22:52:27 2003: NOTICE: SIGHUP received: restarting
> > Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
> > Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
> > Thu Jul 10 22:52:27 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
> > Thu Jul 10 22:52:27 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> > Thu Jul 10 22:52:28 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
> > Thu Jul 10 22:52:28 2003: DEBUG: Creating authentication port 0.0.0.0:1812
> > Thu Jul 10 22:52:28 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> > Thu Jul 10 22:52:28 2003: NOTICE: Server started: Radiator 3.6 on radiator-1 (EVALUATION) (EVALUATION)
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2150 ....
> > Code:       Access-Request
> > Identifier: 88
> > Authentic:  <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
> > Attributes:
> >         User-Name = "nagataki"
> >         cisco-avpair = "ssid=hotspot"
> >         NAS-IP-Address = 192.168.0.47
> >         Called-Station-Id = "000c30da9d03"
> >         Calling-Station-Id = "00022d559b31"
> >         NAS-Identifier = "test-AP-1"
> >         NAS-Port = 37
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Service-Type = Login
> >         EAP-Message = <2><199><0><13><1>nagataki
> >         Message-Authenticator = @<249>g<211>hf<213>)=<234>4<22>1<185><170><30>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 199, 13
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 1
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.47 port 2150 ....
> > Code:       Access-Challenge
> > Identifier: 88
> > Authentic:  <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
> > Attributes:
> >         EAP-Message = <1><200><0><6><25>!
> >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2151 ....
> > Code:       Access-Request
> > Identifier: 89
> > Authentic:  <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
> > Attributes:
> >         User-Name = "nagataki"
> >         cisco-avpair = "ssid=hotspot"
> >         NAS-IP-Address = 192.168.0.47
> >         Called-Station-Id = "000c30da9d03"
> >         Calling-Station-Id = "00022d559b31"
> >         NAS-Identifier = "test-AP-1"
> >         NAS-Port = 37
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Service-Type = Login
> >         EAP-Message =  
> >         Message-Authenticator = <175>%<20><176><131><25>!3=<178><247><27><31><179>Xc
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 200, 112
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> > Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.47 port 2151 ....
> > Code:       Access-Challenge
> > Identifier: 89
> > Authentic:  <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
> > Attributes:
> >         EAP-Message =  
> >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2152 ....
> > Code:       Access-Request
> > Identifier: 90
> > Authentic:  <170><217>(? _a<1>9<236><206>U<154><26>J<
> > Attributes:
> >         User-Name = "nagataki"
> >         cisco-avpair = "ssid=hotspot"
> >         NAS-IP-Address = 192.168.0.47
> >         Called-Station-Id = "000c30da9d03"
> >         Calling-Station-Id = "00022d559b31"
> >         NAS-Identifier = "test-AP-1"
> >         NAS-Port = 37
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Service-Type = Login
> >         EAP-Message = <2><201><0><6><25><0>
> >         Message-Authenticator = u  
> > <181><182><231><153>s<166><135>|XT<132>p<141>~
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 201, 6
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.47 port 2152 ....
> > Code:       Access-Challenge
> > Identifier: 90
> > Authentic:  <170><217>(? _a<1>9<236><206>U<154><26>J<
> > Attributes:
> >         EAP-Message = <1><202><0><242><25><0>  
> >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2153 ....
> > Code:       Access-Request
> > Identifier: 91
> > Authentic:  7<30>#Lb<24><204><189>-%~<187>[<22>N%
> > Attributes:
> >         User-Name = "nagataki"
> >         cisco-avpair = "ssid=hotspot"
> >         NAS-IP-Address = 192.168.0.47
> >         Called-Station-Id = "000c30da9d03"
> >         Calling-Station-Id = "00022d559b31"
> >         NAS-Identifier = "test-AP-1"
> >         NAS-Port = 37
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Service-Type = Login
> >         EAP-Message =  
> >         Message-Authenticator = k<163>5M<251>,<235><134><251><190>V<207><130><150><31><221>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG:  Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 202, 199
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> > Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> >
> > ----------------------------------------------------------
> >
> > Best Regards.
> >
> > Masa
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> 
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 

-- 
長瀧 匡弘 <nagataki at nri-net.com>
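Added here as an example (not from this thread, from Radiator or from OpenSSL's own code): a Python decoder for the two kinds of trace-4 lines the question is about. It assumes the three numbers in "EAP TLS SSL_accept result: a, b, c" are the SSL_accept() return value, the SSL_get_error() code and the SSL_state() value, in that order; the constant tables are OpenSSL's (ssl.h, ssl3.h), the EAP/PEAP header layout is RFC 3748 plus the PEAP draft, and the sample lines are copied from the trace above.

```python
"""Decode Radiator trace-4 'EAP TLS SSL_accept result' lines and EAP-Message
packet-dump values.  The a, b, c = SSL_accept() return / SSL_get_error() /
SSL_state() mapping is an assumption (see lead-in); constants are OpenSSL's."""
import re

# SSL_get_error() codes (openssl/ssl.h)
SSL_ERROR = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT", 8: "SSL_ERROR_WANT_ACCEPT",
}
SSL_ST_ACCEPT = 0x2000   # OR'ed into every server-side handshake state
SSL_ST_OK = 0x03         # handshake finished
# SSLv3/TLSv1 server-side handshake states (openssl/ssl3.h) without the
# _A/_B step suffix.  SR = server reads from client, SW = server writes.
SSL3_SERVER_STATE = {
    0x100: "SSL3_ST_SW_FLUSH", 0x110: "SSL3_ST_SR_CLNT_HELLO",
    0x120: "SSL3_ST_SW_HELLO_REQ", 0x130: "SSL3_ST_SW_SRVR_HELLO",
    0x140: "SSL3_ST_SW_CERT", 0x150: "SSL3_ST_SW_KEY_EXCH",
    0x160: "SSL3_ST_SW_CERT_REQ", 0x170: "SSL3_ST_SW_SRVR_DONE",
    0x180: "SSL3_ST_SR_CERT", 0x190: "SSL3_ST_SR_KEY_EXCH",
    0x1A0: "SSL3_ST_SR_CERT_VRFY", 0x1B0: "SSL3_ST_SR_CHANGE",
    0x1C0: "SSL3_ST_SR_FINISHED", 0x1D0: "SSL3_ST_SW_CHANGE",
    0x1E0: "SSL3_ST_SW_FINISHED",
}


def decode_ssl_state(state):
    """Name an SSL_state() value; unknown values are reported in hex."""
    if state == SSL_ST_OK:
        return "SSL_ST_OK"
    if state & SSL_ST_ACCEPT:
        name = SSL3_SERVER_STATE.get((state & 0x0FFF) & ~0xF)
        if name:
            return name
    return "0x%x" % state


ACCEPT_RE = re.compile(r"EAP TLS SSL_accept result: (-?\d+), (\d+), (\d+)")


def decode_ssl_accept(line):
    """Interpret one 'EAP TLS SSL_accept result' line; None for other lines."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    ret, err, state = (int(g) for g in m.groups())
    if ret == 1:
        verdict = "handshake complete"
    elif ret < 0 and err in (2, 3):
        # WANT_READ / WANT_WRITE: OpenSSL needs more data from the peer.  Over
        # EAP that data arrives in a later RADIUS round trip, so this is the
        # normal mid-handshake state, not a failure.
        verdict = "handshake in progress, waiting for the client"
    else:
        verdict = "handshake failed"
    return {"ret": ret, "error": SSL_ERROR.get(err, "unknown(%d)" % err),
            "state": decode_ssl_state(state), "verdict": verdict}


# Radiator packet dumps print non-printable bytes as <decimal>.
DUMP_TOKEN_RE = re.compile(r"<(\d+)>|(.)", re.S)


def radiator_dump_to_bytes(text):
    """Turn Radiator's packet-dump notation back into raw bytes."""
    return bytes(int(num) if num else ord(ch)
                 for num, ch in DUMP_TOKEN_RE.findall(text))


EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP",
            26: "MSCHAP-V2"}


def decode_eap_message(dump):
    """Decode the EAP header (and the Identity/PEAP payload header) from the
    dump text of one EAP-Message attribute; its first line is enough."""
    pkt = radiator_dump_to_bytes(dump.strip())
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    length = int.from_bytes(pkt[2:4], "big")
    info = {"code": EAP_CODE.get(pkt[0], "unknown(%d)" % pkt[0]),
            "id": pkt[1], "length": length,
            "complete": len(pkt) >= length}   # wrapped dumps are partial
    if pkt[0] not in (1, 2) or len(pkt) < 5:
        return info
    etype = pkt[4]
    info["type"] = EAP_TYPE.get(etype, "unknown(%d)" % etype)
    if etype == 1:
        info["identity"] = pkt[5:length].decode("ascii", "replace")
    elif etype == 25 and len(pkt) >= 6:
        flags = pkt[5]   # L = length included, M = more fragments, S = start
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        if flags & 0x80 and len(pkt) >= 10:
            info["tls_total_length"] = int.from_bytes(pkt[6:10], "big")
        # A PEAP packet with no flag bits and no data is a fragment ACK.
        info["ack"] = (flags & 0xE0) == 0 and length == 6
    return info


if __name__ == "__main__":
    # Sample lines copied from the trace in this thread.
    for line in ("Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576",
                 "Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3"):
        print(decode_ssl_accept(line))
    for dump in ("<2><199><0><13><1>nagataki", "<1><200><0><6><25>!",
                 "<1><201><4><10><25><192><0><0><4><236><22><3><1><0>J<2><0>",
                 "<2><201><0><6><25><0>"):
        print(decode_eap_message(dump))
```

Under these assumptions the "-1, 2, 8576" line decodes to SSL_ERROR_WANT_READ in state SSL3_ST_SR_CERT: the server has sent its certificate and ServerHelloDone and is waiting for the client's next EAP fragment, which is the normal mid-handshake state rather than an error, and the later "1, 0, 3" line is the completed handshake.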


