(RADIATOR) Question about AuthBy ADSI

Hugh Irvine hugh at open.com.au
Wed Jul 30 19:10:46 CDT 2003


Hello Steve -

Your configuration file is incorrect.

You cannot have Realms inside Handlers. If you are using Handlers, you  
must use only Handlers and they cannot be placed inside other Handlers.  
You cannot have <Log ...> clauses inside <AuthBy ...> clauses either.

regards

Hugh


On Thursday, Jul 31, 2003, at 02:29 Australia/Melbourne, Steve  
Caporossi wrote:

> Hugh,
> Layers 8 & 9 prevent me from running Radiator on anything but a Linux  
> box, I have no bias. :-)
>
> I am not very familiar with AD.  My understanding is that policies can  
> be managed for users, machines, etc.  In our environment, we are  
> mapping drives and limiting machines/user rights to resources.  We  
> would like for these policies to be passed down from the AD server.
>
> In the meantime...I have been trying to get it working via LDAP2.
>
> Unfortunately, I must be missing something because it does not look  
> like AuthBy LDAP 2 is ever being used.
>
> I attached my config and a debug of an attempt to connect from a  
> machine logging into the domain.  Can you tell me what I am missing?
>
> Notice that I have the Tunnelled by TTLS and PEAP commented out, *do  
> not* have an anonymous user in my password file, but, I can  
> authenticate wireless users via TTLS successfully.  Am I mistaken or
> should this be happening? - Just not those trying to authenticate to  
> the domain.
>
> Thanks,
> Steve
>
> Hugh Irvine wrote:
>
>> Hello Steve -
>> You can use the AuthBy RADIUS clause to forward radius requests to a  
>> remote radius server. The exact configuration will depend on what  
>> else you are already doing in your configuration file. I am not sure  
>> I understand what you mean by "domain policies" - can you give me a  
>> bit more detail?
>> BTW - Radiator runs just fine on W2K server.
>> regards
>> Hugh
>> On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve  
>> Caporossi wrote:
>>> Running radiator on a W2K server does not appear to be an option for  
>>> us...I need to forward any domain logins ie, domain\username to a  
>>> Windows radius server, but only if they try to login to the domain.   
> >>> Has anyone done this and been willing to share their methodology?
>>>
>>> Can the domain policies be passed down to the machine as well using  
>>> AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages,  
>>> or disadvantages, between these?
>>>
>>> Thanks,
>>> Steve
>>>
>>> Hugh Irvine wrote:
>>>
>>>> Hello Steve -
>>>> Correct. AuthBy ADSI and the new AuthBy LSA clauses are only  
>>>> supported on recent Windows releases.
>>>> You can either try the AuthBy NT clause, or you can run an instance  
>>>> of Radiator on the Windows host and proxy requests to it.
>>>> You will find details on AuthBy NT in section 6.27 of the manual  
>>>> ("doc/ref.html").
>>>> regards
>>>> Hugh
>>>> On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve  
>>>> Caporossi wrote:
>>>>
>>>>> I am running radiator 3.6 (fully patched) on RH7.3 and need to tie  
>>>>> into AD for domain login and username/password checking.  In the  
>>>>> reference manual section 6.40 <AuthBy ADSI> it has the statement,
>>>>>
>>>>> <snip>
>>>>> It is only available on Windows 2000 platforms. It is implemented  
>>>>> in AuthADSI.pm"
>>>>> </snip>
>>>>>
>>>>> I am a little confused...does this mean that radiator needs to be  
>>>>> running on W2K?
>>>>>
>>>>> Thanks,
>>>>> --  
>>>>> Steve
>>>>>
>>>>>
>>>>> ===
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>> NB: have you included a copy of your configuration file (no  
>>>> secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>
>>>
>>> --  
>>> Steve Caporossi
>>> Network Systems Engineer
>>> Center for Computing and Information Technology
>>> Medical University of South Carolina
>>> 843.876.5083
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
> --  
> Steve Caporossi
> Network Systems Engineer
> Center for Computing and Information Technology
> Medical University of South Carolina
> 843.876.5083
> # radius.cfg
> #
>
> #Foreground
> #LogStdout
> LogFile         /var/log/radius/%m%d%y.log
> LogDir          /var/log/radius
> DbDir           /etc/radiusserver
> PidFile         /var/run/radius.pid
> DictionaryFile  /etc/radiusserver/dictionary
>
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace           4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
>
> # Add Clients below...
>
> <Client xxx.xxx.xxx.1>
>         Identifier ppp
>         Secret mysecret
>         DupInterval 2
>         NasType Cisco
>         SNMPCommunity private
> </Client>
>
> <Client xxx.xxx.xxx.2>
>         Identifier ppp
>         Secret mysecret
>         DupInterval 2
>         NasType Cisco
>         SNMPCommunity private
> </Client>
>
> <Client xxx.xxx.xxx.1>
>         Identifier vpn
>         Secret mysecret
>         DupInterval 2
>         NasType Cisco
>         SNMPCommunity private
> </Client>
>
> <Client DEFAULT>
>         Identifier wlan
>         Secret mysecret
>         DupInterval 2
>         NasType Cisco
>         SNMPCommunity private
>         IgnoreAcctSignature
> </Client>
>
> #
> #
> ################ PPP Config ##########################
>
> <Handler Client-Identifier=ppp>
>
>         # AuthByPolicy ContinueAlways
>         AuthByPolicy ContinueWhileIgnore      # Default
>
>         <AuthBy SQL>
>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      dbuser
>                 DBAuth          password
>
>                 AuthSelect
>
>                 # Only insert Start and Stop requests, ack everything else
>                 HandleAcctStatusTypes Start,Stop
>
>                 AccountingTable ACCOUNTING
>
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   CONNTYPE,%{Client:Identifier},formatted
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASIPADDRESS,NAS-IP-Address
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>                 AcctColumnDef   CALLEDSTATIONID,Called-Station-Id
>                 AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
>                 AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
>
>                 AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
>         </AuthBy>
>
>
>         <AuthBy UNIX>
>         DefaultSimultaneousUse 1
>                 Filename /etc/passwd.ppp
>         </AuthBy>
>
>         # Log accounting to a detail file
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>
> </Handler>
>
> ################ VPN Config ##########################
>
> <Handler Client-Identifier=vpn>
>
>         # AuthByPolicy ContinueAlways
>         AuthByPolicy ContinueWhileIgnore      # Default
>
>
>         <AuthBy SQL>
>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      dbuser
>                 DBAuth          password
>
>                 AuthSelect
>
>                 # Only insert Start and Stop requests, ack everything else
>                 HandleAcctStatusTypes Start,Stop
>
>                 AccountingTable ACCOUNTING
>
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   CONNTYPE,%{Client:Identifier},formatted
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASIPADDRESS,NAS-IP-Address
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>                 AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
>                 AcctColumnDef   CLASS,Class
>                 AcctColumnDef   TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint
>
>                 AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
>         </AuthBy>
>
>         <AuthBy UNIX>
>         DefaultSimultaneousUse 1
>                 Filename /etc/passwd.vpn
>         </AuthBy>
>
>         # Log accounting to a detail file
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>
> </Handler>
>
> ################ WIRELESS Config ########################
>
>
> #<Handler TunnelledByPEAP=1>
> #        # Windows XP when configured for a workgroup might send tunnelled user names
> #        # in the format COMPUTERNAME\username (eg BAKER\mikem). This
> #        # will strip the computer name leaving just the user name
> #        RewriteUsername s/(.*)\\(.*)/$2/
> #
> #       <AuthBy FILE>
> #
> #               # anonymous-PEAP must be in here:
> #                Filename %D/users
> #
> #                # This tells the PEAP client what types of inner EAP requests
> #                # we will honour
> #                EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge
> #                # Need these for TTLS:
> #                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> #                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> #                EAPTLS_CertificateType PEM
> #                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> #                EAPTLS_PrivateKeyPassword whatever
> #                EAPTLS_MaxFragmentSize 500
> #        </AuthBy>
> #</Handler>
>
>
>
> # <Handler TunnelledByTTLS=1>
> #       <AuthBy FILE>
> #                # anonymous-PEAP must be in here:
> #                Filename %D/users
> #
> #                # This tells the PEAP client what types of inner EAP requests
> #                # we will honour
> #                EAPType TTLS,MSCHAP-V2,MD5,TLS
> #                # Need these for TLS
> #                EAPTLS_CAFile /usr/local/ssl/certs/radiusserver.pem
> #                EAPTLS_CertificateFile /usr/local/ssl/certs/radiusserver.pem
> #                EAPTLS_CertificateType PEM
> #                EAPTLS_PrivateKeyFile /usr/local/ssl/certs/radiusserver.pem
> #                EAPTLS_PrivateKeyPassword password
> #        </AuthBy>
> # </Handler>
>
>
> <Handler Client-Identifier=wlan>
>
>         # AuthByPolicy ContinueAlways
>         AuthByPolicy ContinueWhileIgnore      # Default
>
>         <AuthBy SQL>
>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      dbuser
>                 DBAuth          password
>
>                 AuthSelect
>
>                 # Only insert Start and Stop requests, ack everything else
>                 HandleAcctStatusTypes Start,Stop
>
>                 AccountingTable ACCOUNTING
>
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   CONNTYPE,%{Client:Identifier},formatted
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASIPADDRESS,NAS-IP-Address
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>                 AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
>
>                 AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
>         </AuthBy>
>
>        <Realm DOMAIN>
>         # Strip realm
>         RewriteUsername s/(.*)\\(.*)/$2/
>         <AuthBy LDAP2>
>                 Host    xxx.xxx.xxx.1
>                 AuthDN cn=radiusserver,dc=DOMAIN,dc=local
>                 AuthPassword    password
>                 AuthPassword    password
>                 BaseDN          ou=MUSC Users,dc=DOMAIN,dc=local
>                 ServerChecksPassword
>                 UsernameAttr cn
>
>
>        <Log FILE>
>                Filename %L/debug-AD
>                Trace 4
>        </Log FILE>
>
>         </AuthBy>
>        </Realm>
>
>         <AuthBy UNIX>
>
>                 Filename /etc/passwd.ppp
>
>                 EAPType TTLS
>
>                 EAPTLS_CAFile /usr/local/ssl/certs/radiusserver.pem
>
>                 EAPTLS_CertificateFile /usr/local/ssl/certs/radiusserver.pem
>                 EAPTLS_CertificateType PEM
>
>                 EAPTLS_PrivateKeyFile /usr/local/ssl/certs/radiusserver.pem
>                 EAPTLS_PrivateKeyPassword password
>
>                 EAPTLS_MaxFragmentSize 1024
>
>                 AutoMPPEKeys
>
>                 # You can enable some warning messages from the Net::SSLeay
>                 # module by setting SSLeayTrace to an integer from 1 to 4
>                 # 1=ciphers, 2=trace, 3=dump data
>                 SSLeayTrace 4
>
>         </AuthBy>
>
>
>        PreProcessingHook file:"/etc/radiusserver/eap_anon_hook.pl"
>        PostAuthHook file:"/etc/radiusserver/eap_anon_hook.pl"
>
>         # Log accounting to a detail file
>        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>
> </Handler>
>
> ##Session Management RADONLINE
>
> <SessionDatabase SQL>
>
>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      dbuser
>                 DBAuth          password
>
>   AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
>   ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
>   SERVICETYPE, CONNTYPE, TUNNELCLIENTENDPOINT) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}', \
>   %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}', \
>   '%{Service-Type}','%{Client:Identifier}', '%{Tunnel-Client-Endpoint}')
>
>   DeleteQuery delete from RADONLINE where \
>   NASIDENTIFIER='%N' and NASPORT=0%{NAS-Port}
>
> </SessionDatabase>
>
> <SessionDatabase SQL>
>
>                 DBSource        dbi:mysql:database=radius;host=radiusserver2.musc.edu
>                 DBUsername      dbuser
>                 DBAuth          password
>
>   AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
>   ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
>   SERVICETYPE, CONNTYPE, TUNNELCLIENTENDPOINT) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}', \
>   %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}', \
>   '%{Service-Type}','%{Client:Identifier}', '%{Tunnel-Client-Endpoint}')
>
>   DeleteQuery delete from RADONLINE where \
>   NASIDENTIFIER='%N' and NASPORT=0%{NAS-Port}
>
> </SessionDatabase>
>
>
> *********************************DEBUG************************************************
>
>
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx..156 port 2157 ....
> Code:       Access-Request
> Identifier: 16
> Authentic:  <14><18>"-<161><137>\eX<17><231><170><140><164>k<135>
> Attributes:
>         User-Name = "anonymous"
>         cisco-avpair = "ssid=myssid"
>         NAS-IP-Address = xxx.xxx.xxx..156
>         Called-Station-Id = "004096585a95"
>         Calling-Station-Id = "00078592640e"
>         NAS-Identifier = "usb3ap"
>         NAS-Port = 38
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message = <2><13><0><14><1>anonymous
>         Message-Authenticator =  
> <153><129><23>T<204>C<140>t<185>>e<147>t<6><204>o
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler  
> 'Client-Identifier=wlan'
> Wed Jul 30 11:48:26 2003: DEBUG:  Deleting session for anonymous,  
> xxx.xxx.xxx..156, 38
> Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 13, 14
> Wed Jul 30 11:48:26 2003: DEBUG: Response type 1
> Wed Jul 30 11:48:26 2003: DEBUG: Resuming session for  
> Radius::Context=HASH(0x85a5f90)
>
> Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx..156 port 2157 ....
> Code:       Access-Challenge
> Identifier: 16
> Authentic:  <14><18>"-<161><137>\eX<17><231><170><140><164>k<135>
> Attributes:
>         EAP-Message = <1><14><0><6><21>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx..156 port 2158 ....
> Code:       Access-Request
> Identifier: 17
> Authentic:  <212><180><160>3Be<145>CR-<191><222><236><163><237><252>
> Attributes:
>         User-Name = "anonymous"
>         cisco-avpair = "ssid=myssid"
>         NAS-IP-Address = xxx.xxx.xxx..156
>         Called-Station-Id = "004096585a95"
>         Calling-Station-Id = "00078592640e"
>         NAS-Identifier = "usb3ap"
>         NAS-Port = 38
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message =  
> <2><14><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>?'<232><202 
> ><161><238>J<229>d<8><204>8<135>?<188><230><127><167><235><8>0<155>iB;V 
> <196>a<146><179>#<177><0><0>(<0><22><0><19><0>f<0><21><0><18><0><10><0> 
> <5><0><4><0><9><0>c<0>e<0>`<0>b<0>a<0>d<0><20><0><17><0><3><0><6><0><8> 
> <1><0>
>         Message-Authenticator =  
> <215><206><30>D<142><214><12><136>7<186><175><207>C&V<12>
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler  
> 'Client-Identifier=wlan'
> Wed Jul 30 11:48:26 2003: DEBUG:  Deleting session for anonymous,  
> xxx.xxx.xxx..156, 38
> Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 14, 98
> Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
> Wed Jul 30 11:48:26 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx..156 port 2158 ....
> Code:       Access-Challenge
> Identifier: 17
> Authentic:  <212><180><160>3Be<145>CR-<191><222><236><163><237><252>
> Attributes:
>         EAP-Message =  
> <1><15><4><10><21><192><0><0><5><0><22><3><1><0>J<2><0><0>F<3><1>?'<232 
> ><202><140><232>(kE<200><236><205><165><4>k<244><146><3><0><30>P<144>J< 
> 197><133><234>r<158>^cc<6>  
> <252>F<21><210><174><153><2><186><206><208><211><175>Z(YE<226>M at V<224>< 
> 237><201><196><198>J<170><211><149>oA<3><0><10><0><22><3><1><3><234><11 
> ><0><3><230><0><3><227><0><3><224>0<130><3><220>0<130><3>E<160><3><2><1 
> ><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><171> 
> 1<11>0<9><6><3>U<4><6><19><2>US1<23>0<21><6><3>U<4><8><19><14>South  
> Carolina1<19>0<17><6><3>U<4><7><19><10>mcbanks0<31><6><3>U<4><10><19><2 
> 4>Medical University of  
> SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>
>         EAP-Message = U<4><3><19><17>radiator.musc.edu1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>username at musc.edu0<30> 
> <23><13>030303203707Z<23><13>040302203707Z0<129><171>1<11>0<9><6><3>U<4 
> ><6><19><2>US1<23>0<21><6><3>U<4><8><19><14>South  
> Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1!0<31><6><3>U<4><10>< 
> 19><24>Medical University of  
> SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>U<4><3><19><17>rad 
> iator.musc.edu1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>username
>         EAP-Message =  
> @musc.edu0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3>< 
> 129><141><0>0<129><137><2><129><129><0><171>8<134><175><148>p<9>K<181>< 
> 221><14><170><246><4><208>xLl<182><195>=<163><153><165>@<202><4><20><13 
> 3><19>9<178><<179><134><12><229><249><10><127><176><165><149><187>t<237 
> ><237><244><238><184><249><184><9>jO2<160><250>'<1><245><219>v<239>3K~< 
> 5>  
> &<154><223><235><248>Y<167><249><210><200><174><198><15><145><146><238> 
> <190><143><5>.x6<159>`<189>L<20>\<247>j<142>/ 
> <238><184><14><142><6>u<194><147><130><26><165><23>\<151>%<185><28>Z<16 
> 7><185><165><205><176><202><18>|<135><2><3><1><0><1><163><130><1><12>0< 
> 130><1><8>0<29><6><3>U<29><14><4><22><4><20><227>ks|N<178><252><22><5>t 
> Z<212><175>l<198><2>1;6w0<129><216><6><3>U<29>#<4><129><208>0<129><205> 
> <128><20><227>ks|N<178><252><22><5>tZ<212><175>l<198><2>1;6w<161><129>< 
> 177><164><129><174>0
>         EAP-Message =  
> <129><171>1<11>0<9><6><3>U<4><6><19><2>US1<23>0<21><6><3>U<4><8><19><14 
> >South  
> Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1!0<31><6><3>U<4><10>< 
> 19><24>Medical University of  
> SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>U<4><3><19><17>rad 
> iator.musc.edu1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>username at musc.edu<130> 
> <1><0>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134>< 
> 247><13><1><1><4><5><0><3><129><129><0>1\<206><157><219><233>w<206>]<<1 
> 4><227>\}<221>go<181>O<250><232><174><21><252>'<162>Jg<166><152><247><1 
> 6><242><222>><248><211><204><213><2>PF<30><234>
>         EAP-Message =  
> <16><161><156>#I<169><217>%<128><25><151><241>F<21>f<25><128><252>iqb/
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx..156 port 2159 ....
> Code:       Access-Request
> Identifier: 18
> Authentic:  a<249><155>@<133><30><252><254>FfoD<173><159><241><229>
> Attributes:
>         User-Name = "anonymous"
>         cisco-avpair = "ssid=myssid"
>         NAS-IP-Address = xxx.xxx.xxx..156
>         Called-Station-Id = "004096585a95"
>         Calling-Station-Id = "00078592640e"
>         NAS-Identifier = "usb3ap"
>         NAS-Port = 38
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message = <2><15><0><6><21><0>
>         Message-Authenticator =  
> o<242><215><6>:<190><235><167><220><202><225><233>VZp{
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler  
> 'Client-Identifier=wlan'
> Wed Jul 30 11:48:26 2003: DEBUG:  Deleting session for anonymous,  
> xxx.xxx.xxx..156, 38
> Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 15, 6
> Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
> Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx..156 port 2159 ....
> Code:       Access-Challenge
> Identifier: 18
> Authentic:  a<249><155>@<133><30><252><254>FfoD<173><159><241><229>
> Attributes:
>         EAP-Message =  
> <1><16><1><6><21><0><132><255>&6(<137>3<247>V<169>k<187><158>C<167><207 
> ><190><193><147><153><19><250><17><168><213><233>g<172><30><178><169>(< 
> 140><153><25><177><11><183><147><226>r<7>f<5><203>F<199><203>r<5><237>k 
> \s- 
> <224><211>J<253><138><208><227><22><3><1><0><189><13><0><0><181><2><1>< 
> 2><0><176><0><174>0<129><171>1<11>0<9><6><3>U<4><6><19><2>US1<23>0<21>< 
> 6><3>U<4><8><19><14>South  
> Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1!0<31><6><3>U<4><10>< 
> 19><24>Medical University of  
> SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>U<4><3><19><17>rad 
> iator.musc.edu1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>username at mus
>         EAP-Message = c.edu<14><0><0><0>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx..156 port 2160 ....
> Code:       Access-Request
> Identifier: 19
> Authentic:  '<156><25>G&<250>1<220>@<131>Gw<14><157>sY
> Attributes:
>         User-Name = "anonymous"
>         cisco-avpair = "ssid=myssid"
>         NAS-IP-Address = xxx.xxx.xxx..156
>         Called-Station-Id = "004096585a95"
>         Calling-Station-Id = "00078592640e"
>         NAS-Identifier = "usb3ap"
>         NAS-Port = 38
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message =  
> <2><16><0><212><21><128><0><0><0><202><22><3><1><0><7><11><0><0><3><0>< 
> 0><0><22><3><1><0><134><16><0><0><130><0><128>]weJ{,<222><29><9>  
> S0}5<244><249><191>H<195><149>D<241>H<251>:<162><177>=<193>Y<223><28><2 
> 02>Y<198><16><172><164>J<231><180><175><217><134>2U<7><153><28>@<15><16 
> 6>BP<130>)<180><21>?<166><150>B<199><137>9<148><154>_<198>J<8><11><6><1 
> 69><25><7>t,<191><247><188><17><172>ru<235><255><147>"Q<190>k<129>p<243 
> ><235><165>F<247><160><169><189><16><172><203><255><220>N<211>i- 
> I<177>c<146><206>l<227>4/ 
> <31>L<187>,QZ<23><219><20><3><1><0><1><1><22><3><1><0>(<170><8><137>7<7 
> ><132><164><219><164>d_<18>4<221><170><10><156><12><153><166><154>Z<157 
> ><173><134><20><132><148>j<173><148><26><247>q<164><233><245><243>u<246 
> >
>         Message-Authenticator =  
> ~X<161><215><179><183><26><30>1<160><247>B<2><195><246>N
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler  
> 'Client-Identifier=wlan'
> Wed Jul 30 11:48:26 2003: DEBUG:  Deleting session for anonymous,  
> xxx.xxx.xxx..156, 38
> Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 16, 212
> Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
> Wed Jul 30 11:48:26 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx..156 port 2160 ....
> Code:       Access-Challenge
> Identifier: 19
> Authentic:  '<156><25>G&<250>1<220>@<131>Gw<14><157>sY
> Attributes:
>         EAP-Message =  
> <1><17><0>=<21><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>(<212><19 
> 0><131><211>SL<185><136><229><183><161>8D<2><232><202><237>0I<9><242>*< 
> 216><152>E<191><193><4>gR<237>9<162><212><182><27><183><155>q<131>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx..156 port 2161 ....
> Code:       Access-Request
> Identifier: 20
> Authentic:  <180><225><21>Ti<179><155><152>4<187><247><222><207><154>wB
> Attributes:
>         User-Name = "anonymous"
>         cisco-avpair = "ssid=myssid"
>         NAS-IP-Address = xxx.xxx.xxx..156
>         Called-Station-Id = "004096585a95"
>         Calling-Station-Id = "00078592640e"
>         NAS-Identifier = "usb3ap"
>         NAS-Port = 38
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message =  
> <2><17><0>O<21><128><0><0><0>E<23><3><1><0>@<158><187><237><248>N<2><16 
> 2>PN<148><241><9><136>:R<21><128><148>oW<153><206>_<158><3><23><206><15 
> 8><12><222><9><252>2L<215>/'P<209><142>1<157>  
> <191>E<171><229><225><193><26><194>s<155>%q<150>VMZ<198><15>r`<24>
>         Message-Authenticator =  
> <163><238><171><248>C<229>*<176>{<14><148>K<202><172><178>`
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler  
> 'Client-Identifier=wlan'
> Wed Jul 30 11:48:26 2003: DEBUG:  Deleting session for anonymous,  
> xxx.xxx.xxx..156, 38
> Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 17, 79
> Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
> Wed Jul 30 11:48:26 2003: DEBUG: EAP TTLS inner authentication request  
> for DOMAIN\username
> Wed Jul 30 11:48:26 2003: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:   
> <243>{<176><14>X<183><196><251><240>}<251>H<221><172><142><234>
> Attributes:
>         User-Name = "DOMAIN\username"
>         User-Password = "password"
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler  
> 'Client-Identifier=wlan'
> Wed Jul 30 11:48:26 2003: DEBUG:  Deleting session for ,  
> xxx.xxx.xxx..156,
> Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=0':
>
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
> Wed Jul 30 11:48:26 2003: DEBUG: Radius::AuthUNIX looks for match with  
> DOMAIN\username
> Wed Jul 30 11:48:26 2003: INFO: Access rejected for DOMAIN\username:  
> No such user
> Wed Jul 30 11:48:26 2003: INFO: Access rejected for anonymous: EAP  
> TTLS inner authentication redespatched to a Handler
> Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx..156 port 2161 ....
> Code:       Access-Reject
> Identifier: 20
> Authentic:  <180><225><21>Ti<179><155><152>4<187><247><222><207><154>wB
> Attributes:
>         EAP-Message = <4><17><0><4>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
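Added example, not part of the original thread and not code from the Radiator distribution: one way to lay out the wireless section of Steve's file so that it follows the rules in Hugh's reply. The Realm clause goes away, the LDAP2 check gets its own Handler that matches only the inner request Radiator re-despatches out of the EAP-TTLS tunnel, and the Log clause moves to the top level of the file. The host, DNs, file names and passwords are the placeholders from the posted config, not values known to work at that site, and the AuthBy SQL accounting definitions are left out as they were unchanged.

```conf
# <Log ...> is not valid inside <AuthBy ...>. A top-level Log clause
# writes the AD debugging to its own file, in addition to LogFile.
<Log FILE>
        Filename %L/debug-AD
        Trace 4
</Log>

# Handlers are tried in the order they appear in the file, so this one
# must come before <Handler Client-Identifier=wlan>. It matches only the
# tunnelled inner request (the one the trace shows arriving as
# DOMAIN\username); the outer "anonymous" request still goes to the
# wlan Handler below, which terminates the TTLS tunnel.
<Handler TunnelledByTTLS=1>
        # Keep only the part after the backslash for the LDAP lookup.
        RewriteUsername s/(.*)\\(.*)/$2/

        <AuthBy LDAP2>
                Host            xxx.xxx.xxx.1
                AuthDN          cn=radiusserver,dc=DOMAIN,dc=local
                AuthPassword    password
                BaseDN          ou=MUSC Users,dc=DOMAIN,dc=local
                UsernameAttr    cn
                # ServerChecksPassword makes Radiator bind to the
                # directory as the user instead of reading a password
                # attribute. It can only work because the inner TTLS
                # request in the trace carries User-Password in clear
                # (PAP inside the tunnel); an MSCHAP-V2 inner method
                # would not give the server a password to bind with.
                ServerChecksPassword
        </AuthBy>
</Handler>

# Outer request from the access point: unchanged apart from removing
# the Realm and the Log clause that were nested here.
<Handler Client-Identifier=wlan>
        AuthByPolicy ContinueWhileIgnore

        <AuthBy SQL>
                DBSource        dbi:mysql:radius
                DBUsername      dbuser
                DBAuth          password
                AuthSelect
                # AccountingTable, AcctColumnDef and
                # AcctFailedLogFileName as in the posted config
        </AuthBy>

        <AuthBy UNIX>
                Filename /etc/passwd.ppp
                EAPType TTLS
                EAPTLS_CAFile /usr/local/ssl/certs/radiusserver.pem
                EAPTLS_CertificateFile /usr/local/ssl/certs/radiusserver.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /usr/local/ssl/certs/radiusserver.pem
                EAPTLS_PrivateKeyPassword password
                EAPTLS_MaxFragmentSize 1024
                AutoMPPEKeys
        </AuthBy>

        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
```

The same Handler also carries Hugh's earlier suggestion of forwarding domain logins to the Windows RADIUS server: swap the <AuthBy LDAP2> clause for an <AuthBy RADIUS> pointing at that server, and drop the RewriteUsername if that server expects the DOMAIN\username form. With Trace 4 still on, the check that the change took effect is the "Handling request with Handler" line logged for the inner request: it should now name 'TunnelledByTTLS=1' rather than 'Client-Identifier=wlan', and the "Handling with" line that follows it should name the LDAP2 (or RADIUS) module rather than Radius::AuthUNIX, which in the posted trace rejected DOMAIN\username with "No such user" because it only knew /etc/passwd.ppp.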
