(RADIATOR) TLS problem?
nagataki at nri-net.com
Thu Jul 10 22:39:24 CDT 2003
Hi Hugh
Thank you for your quick reply.
> It looks like Radiator is crashing and restarting, so could you also
> run radiusd from the command line to capture the Perl error message?
>
> perl radiusd -foreground -log_stdout -trace 4 -config_file .....
I ran radiusd from the command line, but the Perl error message didn't
appear in stdout.
The log messages are the same as below.
Regards.
Masa
> > Hi everyone,
> >
> > I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2).
> > But I have problems and can't see what is incorrect.
> >
> > One of the problems is that authentication using certificates doesn't
> > work consistently.
> > But after radiusd is restarted, authentication works well for a short
> > period.
> >
> > What does "EAP TLS SSL_accept result: -1, 2, 8576" in the server_log
> > mean?
> > What causes the problems?
> >
> > So I need your help resolving the problems.
> >
> > Please give me any ideas.
> >
> > Thank you in advance.
> >
> > I'll describe the testing environment (including eap_peap.cfg) and the
> > server logging.
> > ---------------------------------------------------------------------------
> > (ENVIRONMENT)
> > "Antenna_side"
> > Cisco Aironet 1200
> > "client_side"
> > Windows XP HomeEdition SP1
> > "server_side"
> > OS:RedHat7.3(kernel-2.4.20)
> > Radiator-Demo-3.6 with patches-3.6
> > (latest downloaded at 4 july 2003)
> > Net_SSLeay.pm-1.23
> > Digest-HMAC-1.01
> > Digest-SHA1-2.02
> > Digest-MD4-1.1
> > openssl-0.9.7b
> > perl 5.6.1 built for i386-linux
> > etc.
> > ------------------------------------
> > (eap_peap.cfg)
> >
> > #Foreground
> > #LogStdout
> > LogDir /var/log
> > #DbDir .
> > AuthPort 1812
> > AcctPort 1813
> > DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> > # Use a lower trace level in production systems:
> > Trace 4
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client DEFAULT>
> > Secret mysecret
> > DupInterval 0
> > </Client>
> >
> > # This is where we authenticate a PEAP inner request, which will be an EAP
> > # request. The username of the inner request will be anonymous, although
> > # the identity of the EAP request will be the real username we are
> > # trying to authenticate.
> > <Handler TunnelledByPEAP=1>
> > <AuthBy FILE>
> > # anonymous-PEAP must be in here:
> > Filename /etc/radiator/users
> >
> > # This tells the PEAP client what types of inner EAP requests
> > # we will honour
> > EAPType PEAP,MSCHAP-V2
> > </AuthBy>
> > </Handler>
> >
> >
> > # The original PEAP request from a NAS will be sent to a matching
> > # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> > # extracted.
> > # The inner authentication request will be sent again to a matching
> > # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> > # a specific handler, or else you can use EAPAnonymous to set a username and realm
> > # which can be used to select a Realm clause for the inner request.
> > # This allows you to select an inner authentication method based on Realm, and/or the
> > # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> > # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> > # them to another remote server based on the realm of the inner authentication request.
> > # In this basic example, both the inner and outer authentication are authenticated
> > # from a file by AuthBy FILE
> > <Handler>
> > <AuthBy FILE>
> > # The username of the outer authentication
> > # must be in this file to get anywhere. In this example,
> > # it requires an entry for 'anonymous' which is the standard username
> > # in the outer requests, and it also requires an entry for the
> > # actual user name who is trying to connect (ie the 'Login name' entered
> > # in the Funk Odyssey 'Edit Profile Properties' page
> > Filename /etc/radiator/users
> >
> > # EAPType sets the EAP type(s) that Radiator will honour.
> > # Options are: MD5-Challenge, One-Time-Password
> > # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> > # Multiple types can be comma separated. With the default (most
> > # preferred) type given first
> > EAPType PEAP,MSCHAP-V2,LEAP
> >
> > # EAPTLS_CAFile is the name of a file of CA certificates
> > # in PEM format. The file can contain several CA certificates
> > # Radiator will first look in EAPTLS_CAFile then in
> > # EAPTLS_CAPath, so there usually is no need to set both
> > #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> > #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
> > EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem
> >
> > # EAPTLS_CAPath is the name of a directory containing CA
> > # certificates in PEM format. The files each contain one
> > # CA certificate. The files are looked up by the CA
> > # subject name hash value
> > # EAPTLS_CAPath
> >
> > # EAPTLS_CertificateFile is the name of a file containing
> > # the servers certificate. EAPTLS_CertificateType
> > # specifies the type of the file. Can be PEM or ASN1
> > # defaults to ASN1
> > #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> > EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
> > EAPTLS_CertificateType PEM
> >
> > # EAPTLS_PrivateKeyFile is the name of the file containing
> > # the servers private key. It is sometimes in the same file
> > # as the server certificate (EAPTLS_CertificateFile)
> > # If the private key is encrypted (usually the case)
> > # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> > #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> > #EAPTLS_PrivateKeyPassword whatever
> > EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
> > EAPTLS_PrivateKeyPassword 1qaz2wsx
> >
> > # EAPTLS_RandomFile is an optional file containing
> > # randomness
> > # EAPTLS_RandomFile %D/certificates/random
> >
> > # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> > # size that will be replied by Radiator. It must be small
> > # enough to fit in a single Radius request (ie less than 4096)
> > # and still leave enough space for other attributes
> > # Aironet APs seem to need a smaller MaxFragmentSize
> > # (eg 1024) than the default of 2048
> > EAPTLS_MaxFragmentSize 1024
> >
> > # EAPTLS_DHFile if set specifies the DH group file. It
> > # may be required if you need to use ephemeral DH keys.
> > # EAPTLS_DHFile %D/certificates/cert/dh
> >
> >
> > # If EAPTLS_CRLCheck is set and the client presents a certificate
> > # then Radiator will look for a certificate revocation list (CRL)
> > # for the certificate issuer
> > # when authenticating each client. If a CRL file is not found, or
> > # if the CRL says the certificate has been revoked, the authentication will
> > # fail with an error:
> > # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> > # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> > # Alternatively, CRLs may follow a file naming convention:
> > # the hash of the issuer subject name
> > # and a suffix that depends on the serial number.
> > # eg ab1331b2.r0, ab1331b2.r1 etc.
> > # You can find out the hash of the issuer name in a CRL with
> > # openssl crl -in crl.pem -hash -noout
> > # CRLs with this name convention
> > # will be searched in EAPTLS_CAPath, else in the openssl
> > # certificates directory typically /usr/local/openssl/certs/
> > # CRLs are expected to be in PEM format.
> > # A CRL file can be generated with openssl like this:
> > # openssl ca -gencrl -revoke cert-clt.pem
> > # openssl ca -gencrl -out crl.pem
> > # Use of these flags requires Net_SSLeay-1.21 or later
> > #EAPTLS_CRLCheck
> > #EAPTLS_CRLFile %D/certificates/crl.pem
> > #EAPTLS_CRLFile %D/certificates/revocations.pem
> >
> > # Some clients, depending on their configuration, may require you to specify
> > # MPPE send and receive keys. This _will_ be required if you select
> > # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> > # client Network Properties dialog.
> > # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> > # in the final Access-Accept
> > AutoMPPEKeys
> >
> > # You can enable some warning messages from the Net::SSLeay
> > # module by setting SSLeayTrace to an integer from 1 to 4
> > # 1=ciphers, 2=trace, 3=dump data
> > SSLeayTrace 4
> >
> > # You can configure the User-Name that will be used for the inner
> > # authentication. Defaults to 'anonymous'. This can be useful
> > # when proxying the inner authentication. If there is a realm, it can
> > # be used to choose a local Realm to handle the inner authentication.
> > # %0 is replaced with the EAP identity
> > # EAPAnonymous anonymous@some.other.realm
> >
> > # You can enable or disable support for TTLS Session Resumption and
> > # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> > # Default is enabled
> > #EAPTLS_SessionResumption 0
> >
> > # You can limit how long after the initial session that a session can be resumed
> > # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> > # (12 hours)
> > #EAPTLS_SessionResumptionLimit 10
> > </AuthBy>
> > </Handler>
> > -------------------------------------------------------
> > (server_log)
> >
> > Thu Jul 10 22:52:27 2003: NOTICE: SIGHUP received: restarting
> > Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
> > Thu Jul 10 22:52:27 2003: DEBUG: Reading users file /etc/radiator/users
> > Thu Jul 10 22:52:27 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
> > Thu Jul 10 22:52:27 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> > Thu Jul 10 22:52:28 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
> > Thu Jul 10 22:52:28 2003: DEBUG: Creating authentication port 0.0.0.0:1812
> > Thu Jul 10 22:52:28 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> > Thu Jul 10 22:52:28 2003: NOTICE: Server started: Radiator 3.6 on radiator-1 (EVALUATION) (EVALUATION)
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2150 ....
> > Code: Access-Request
> > Identifier: 88
> > Authentic: <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
> > Attributes:
> > User-Name = "nagataki"
> > cisco-avpair = "ssid=hotspot"
> > NAS-IP-Address = 192.168.0.47
> > Called-Station-Id = "000c30da9d03"
> > Calling-Station-Id = "00022d559b31"
> > NAS-Identifier = "test-AP-1"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login
> > EAP-Message = <2><199><0><13><1>nagataki
> > Message-Authenticator =
> > @<249>g<211>hf<213>)=<234>4<22>1<185><170><30>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 199, 13
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 1
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.47 port 2150 ....
> > Code: Access-Challenge
> > Identifier: 88
> > Authentic: <127><13><206><209>j<189><215>E<158><10>w<239>38<167><128>
> > Attributes:
> > EAP-Message = <1><200><0><6><25>!
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2151 ....
> > Code: Access-Request
> > Identifier: 89
> > Authentic: <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
> > Attributes:
> > User-Name = "nagataki"
> > cisco-avpair = "ssid=hotspot"
> > NAS-IP-Address = 192.168.0.47
> > Called-Station-Id = "000c30da9d03"
> > Calling-Station-Id = "00022d559b31"
> > NAS-Identifier = "test-AP-1"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login
> > EAP-Message =
> > <2><200><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3>
> > <1>?<13>n<3>-
> > <249>&<20>t<176><218><173>4<220><218><146><165><136><252>l<16><7>/<
> > 135>'o<25>cg<227><236><19>
> > u<217><247>@<144>Q'L<168>L<165>><1><166>A<236><166>I<
> > 130>Z<160><176><]<255><174><244><236>'o.<138><0><22><0><4><0><5><0><10>
> > <0><9><0>
> > d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
> > Message-Authenticator =
> > <175>%<20><176><131><25>!3=<178><247><27><31><17
> > 9>Xc
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 200, 112
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> > Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.47 port 2151 ....
> > Code: Access-Challenge
> > Identifier: 89
> > Authentic: <30><148>,2<221><167><247>EE<179><30><239><217><29>FS
> > Attributes:
> > EAP-Message =
> > <1><201><4><10><25><192><0><0><4><236><22><3><1><0>J<2><0>
> > <0>F<3><1>?<13>o<176>Hgc<171>#z<250><201><175><13>\p<224>8<210>j<246>h<
> > 246>(<147
> >> S<148>]<193>H<14><183>
> >> <147>\vQ<17>$<252><227><161><216>ZVu<22>K<180>(!<191>H<2
> > 16>QNc<181>(@<230>e<195><29>_<0><4><0><22><3><1><3><235><11><0><3><231>
> > <0><3><22
> > 8><0><3><225>0<130><3><221>0<130><3>F<160><3><2><1><2><2><1><1>0<13><6>
> > <9>*<134>
> > H<134><247><13><1><1><4><5><0>0<129><150>1<11>0<9><6><3>U<4><6><19><2>J
> > P1<14>0<1
> > 2><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3>U<4><7><19><5>Osaka1<18>0<16
> > ><6><3>U<
> > 4><10><19><9>NRINetcom1<17>0<15><6><3>U<4><11><19><8>Internet1<27>0<25>
> > <6><3>U<4
> >> <3><19><18>ACS03.netcom.ad.jp1#
> > EAP-Message =
> > 0!<6><9>*<134>H<134><247><13><1><9><1><22><20>nagataki at nri
> > -
> > net.com0<30><23><13>030630053113Z<23><13>040629053113Z0<129><150>1<11>0
> > <9><6><3
> >> U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0<12><6><3>U<4
> >> ><7><19><
> > 5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15><6><3>U<4><11>
> > <19><8>In
> > ternet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0!<6><9>*<134>
> > H<134><24
> > 7><13><1><9><1><22><20>nagataki at nri-
> > net.com0<129><159>0<13><6><9>*<134>H<134><24
> > 7><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><236>a<
> > 215>E
> > EAP-Message =
> > <190>P<186>B<164><237><173>g<197>d(<187>XdR<252>&$g-><172>
> > (*<246>+<144><20><209><252><220><28><132>CVW<21>eTl<156><225><178><192>
> > <196><194
> >> <30>w<175>t<169><191>{<222><173>L<237><3><221><5>>QG<209>jA<168><226>A
> >> <128><235
> >> a<239>to<17>G<199>P<31>1<198><157><168><175><197><200><233><178>B/
> >> R<<222><133>Y
> > <196><188>/
> > <250><198><238><199><159><169>0<12><2><232><30>`J<139><4><144>&<183><
> > 160>nE<18><191>u<223><2><3><1><0><1><163><130><1>70<130><1>30<19><6><3>
> > U<29>%<4>
> > <12>0<10><6><8>+<6><1><5><5><7><3><1>0<9><6><3>U<29><19><4><2>0<0>0,<6>
> > <9>`<134>
> > H<1><134><248>B<1><13><4><31><22><29>OpenSSL Generated
> > Certificate0<29><6><3>U<2
> > 9><14><4><22><4><20>eZ<255><236>Z<189><146><4><185><252>O<165>$<237><28
> > >~<128><2
> > 17><176>J0<129><195><6><3>U<29>
> > EAP-Message =
> > #<4><129><187>0<129><184><128><20><166><16><130><186><13>z
> > <29><214><193>%<156><17><153><192><157>Qx+<31>z<161><129><156><164><129
> > ><153>0<1
> > 29><150>1<11>0<9><6><3>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Os
> > aka1<14>0
> > <12><6><3>U<4><7><19><5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<
> > 17>0<15><
> > 6><3>U<4><11><19><8>Internet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom
> > .ad.jp1#0
> > !<6><9>*<134>H<134><247><13><1><9><1><22><20>nagataki at nri-
> > net.com<130><1><0>0<13
> >> <6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0>,<25>w<242><
> >> 239><188>
> > 5<139>W@#'<174><178>E<232><184><231><220>^2C<174><233>4<25><233>92J<206
> > ><14><155
> >> <226>}<4><202>+<18><229><252><236><232>
> > EAP-Message =
> > IO<231>-<155>fv<26><159>[e<7><8><4>r<188><17>(4<221><157>R
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2152 ....
> > Code: Access-Request
> > Identifier: 90
> > Authentic: <170><217>(? _a<1>9<236><206>U<154><26>J<
> > Attributes:
> > User-Name = "nagataki"
> > cisco-avpair = "ssid=hotspot"
> > NAS-IP-Address = 192.168.0.47
> > Called-Station-Id = "000c30da9d03"
> > Calling-Station-Id = "00022d559b31"
> > NAS-Identifier = "test-AP-1"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login
> > EAP-Message = <2><201><0><6><25><0>
> > Message-Authenticator = u
> > <181><182><231><153>s<166><135>|XT<132>p<141>~
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 201, 6
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.47 port 2152 ....
> > Code: Access-Challenge
> > Identifier: 90
> > Authentic: <170><217>(? _a<1>9<236><206>U<154><26>J<
> > Attributes:
> > EAP-Message = <1><202><0><242><25><0>
> > <6>EF<24><2><157><30><150>|<11>L<2
> > 41><213><174>y<168>(<218>5<216><253><165><165><159><232><0><221><185>
> > e<185>J<27
> >> <3>Lt<159><23>~F{J.<218><19><237><196><201><8><150>z<30><194><171><237
> >> ><195><22
> > 7><16>8CO%<22><3><1><0><168><13><0><0><160><2><1><2><0><155><0><153>0<1
> > 29><150>1
> > <11>0<9><6><3>U<4><6><19><2>JP1<14>0<12><6><3>U<4><8><19><5>Osaka1<14>0
> > <12><6><3
> >> U<4><7><19><5>Osaka1<18>0<16><6><3>U<4><10><19><9>NRINetcom1<17>0<15><
> >> 6><3>U<4>
> > <11><19><8>Internet1<27>0<25><6><3>U<4><3><19><18>ACS03.netcom.ad.jp1#0
> > !<6><9>*<
> > 134>H<134><247><13><1><9><1><22><20>nagataki at nri-net.com<14><0><0><0>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.47 port 2153 ....
> > Code: Access-Request
> > Identifier: 91
> > Authentic: 7<30>#Lb<24><204><189>-%~<187>[<22>N%
> > Attributes:
> > User-Name = "nagataki"
> > cisco-avpair = "ssid=hotspot"
> > NAS-IP-Address = 192.168.0.47
> > Called-Station-Id = "000c30da9d03"
> > Calling-Station-Id = "00022d559b31"
> > NAS-Identifier = "test-AP-1"
> > NAS-Port = 37
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > Service-Type = Login
> > EAP-Message =
> > <2><202><0><199><25><128><0><0><0><189><22><3><1><0><141><
> > 11><0><0><3><0><0><0><16><0><0><130><0><128><10>/
> > n<4><252><252>KZ,<14><167><177>
> > A<143><130><226>P<175><240><219>{7<245><217><215><165><192><132>O<207><
> > 218><137>
> > @i<141><222>`<159>K<2>A<7>"<142><189><232><197><250>:A<231><235><245>=v
> > <146><250
> >> \<212><178><247>9<220>t-
> >> <163><193>v<227><189>M<177>RL<173>w<27>`1<17>0p<227><1
> > 3>"'<153>Cn<196><227>f<243><3><12><228>[%<28><130><195><149>Ah<170>Y<23
> > ><31><12>
> > <184><239>rB<210>9<164><195><27><152><203>S<210>]<163>i<187><243><20><3
> > ><1><0><1
> >> <1><22><3><1><0>
> >> <150>?h<22><185>L<192><242><233><31><16><10><191><225>5<218><2
> > 0>a<142>2q<218><229><26>/<252>Zi<211>j<2><228>
> > Message-Authenticator =
> > k<163>5M<251>,<235><134><251><190>V<207><130><15
> > 0><31><221>
> >
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling request with Handler ''
> > Thu Jul 10 22:52:48 2003: DEBUG: Deleting session for nagataki, 192.168.0.47, 37
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jul 10 22:52:48 2003: DEBUG: Handling with EAP: code 2, 202, 199
> > Thu Jul 10 22:52:48 2003: DEBUG: Response type 25
> > Thu Jul 10 22:52:48 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> > Thu Jul 10 22:52:48 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> > Thu Jul 10 22:52:48 2003: DEBUG: Packet dump:
> >
> > ----------------------------------------------------------
> >
> > Best Regards.
> >
> > Masa
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
--
長瀧 匡弘 <nagataki at nri-net.com>
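
An added example, not part of the original message and not Radiator code: Python that turns the <nnn>-escaped EAP-Message values in the trace above back into octets and decodes the EAP header and the PEAP/EAP-TLS fragment header, which shows the server's 1260-octet TLS flight being split at the configured EAPTLS_MaxFragmentSize of 1024. The sample strings are copied from the trace (the long ones truncated); all function names are made up for this example, and reading the "SSL_accept result" triple as return value, SSL_get_error() code and OpenSSL handshake state is an assumption.

```python
import re

# Radiator's Trace 4 dump prints printable octets literally and all others as
# <decimal>; a literal "<12>" inside payload text would therefore be ambiguous.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_FRAMED = {13: "EAP-TLS", 25: "PEAP"}          # EAP types that carry TLS records
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}
# OpenSSL values: SSL_get_error() codes, and two states from ssl.h / ssl3.h.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 2: "SSL_ERROR_WANT_READ", 3: "SSL_ERROR_WANT_WRITE"}
SSL_STATES = {0x03: "SSL_ST_OK", 0x2180: "SSL3_ST_SR_CERT_A"}


def unescape(dump):
    """Turn one dumped attribute value back into raw octets."""
    out = bytearray()
    for num, ch in _TOKEN.findall(dump):
        if num and int(num) < 256:
            out.append(int(num))
        else:  # ordinary character, or a <nnn> too large to be an octet
            out += (ch or "<%s>" % num).encode("latin-1")
    return bytes(out)


def parse_eap(raw):
    """Decode the EAP header and, for TLS-framed types, the fragment header."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 octets")
    length = int.from_bytes(raw[2:4], "big")
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": length}
    if raw[0] not in (1, 2) or len(raw) < 5:
        return pkt
    pkt["type"] = TLS_FRAMED.get(raw[4], raw[4])
    if raw[4] not in TLS_FRAMED or len(raw) < 6:
        return pkt
    flags, off = raw[5], 6
    pkt.update(L=bool(flags & 0x80), M=bool(flags & 0x40), S=bool(flags & 0x20))
    if pkt["L"]:  # four-octet total TLS message length follows the flags
        if len(raw) < 10:
            raise ValueError("L flag set but length field missing")
        pkt["tls_total"] = int.from_bytes(raw[6:10], "big")
        off = 10
        rec = raw[off:off + 6]
        if len(rec) == 6 and rec[0] == 22:  # first fragment starts a handshake record
            pkt["tls_version"] = (rec[1], rec[2])
            pkt["handshake"] = HANDSHAKE.get(rec[5], rec[5])
    # Taken from the header's Length field, so truncated samples still work.
    pkt["fragment_len"] = length - off
    return pkt


def fragments_complete(packets):
    """True if consecutive fragments add up to the announced TLS message length."""
    total = next(p["tls_total"] for p in packets if p.get("L"))
    return sum(p["fragment_len"] for p in packets) == total


def explain_ssl_accept(line):
    """Assumption: the triple is (SSL_accept return, SSL_get_error, SSL state)."""
    m = re.search(r"SSL_accept result: (-?\d+), (\d+), (\d+)", line)
    ret, err, state = (int(g) for g in m.groups())
    return {
        "error": SSL_ERRORS.get(err, err),
        "state": SSL_STATES.get(state, hex(state)),
        "accept_in_progress": bool(state & 0x2000),   # SSL_ST_ACCEPT bit
        "handshake_done": ret == 1 and err == 0,
    }


# EAP-Message values copied from the trace on this page; the long ones are cut
# after the first TLS record header, which is all the parser reads.
SAMPLES = {
    "identity": "<2><199><0><13><1>nagataki",
    "peap_start": "<1><200><0><6><25>!",
    "client_hello": "<2><200><0>p<25><128><0><0><0>f<22><3><1><0>a<1>",
    "server_frag1": "<1><201><4><10><25><192><0><0><4><236><22><3><1><0>J<2>",
    "client_ack": "<2><201><0><6><25><0>",
    "server_frag2": "<1><202><0><242><25><0>",
}
PARSED = {name: parse_eap(unescape(dump)) for name, dump in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in PARSED.items():
        print(name, pkt)
    print(fragments_complete([PARSED["server_frag1"], PARSED["server_frag2"]]))
    print(explain_ssl_accept("EAP TLS SSL_accept result: -1, 2, 8576"))
    print(explain_ssl_accept("EAP TLS SSL_accept result: 1, 0, 3"))
```

Under that assumption, "-1, 2, 8576" decodes to a handshake that is still in progress and waiting for more data from the client, and "1, 0, 3" to a completed handshake.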