(RADIATOR) EAP-TTLS Problems

Hugh Irvine hugh at open.com.au
Sun Jan 11 21:19:12 CST 2004


Hello Russell -

Thanks for sending the configuration file and debug.

Part of the problem is due to your configuration file containing two  
Realm DEFAULT clauses. In this case, the second Realm DEFAULT will  
overwrite the first one, so that is why your AuthBy FILE does not work  
correctly (the second Realm DEFAULT has the AuthBy LSA).

And you are correct - it appears that the access request is being  
accepted and an Access-Accept is being returned to the AP. I suspect  
that you may require some additional reply attributes in the  
Access-Accept, such as Service-Type = Framed-User and Framed-Protocol =  
PPP.

For the hooks - they require an SQL database with the appropriate  
tables defined and the DBI/DBD modules installed.

regards

Hugh


On 12/01/2004, at 12:56 PM, Russell Owen wrote:

> Hi All,
> I've been racking my brain on this one for a few days now and would  
> appreciate if anyone has some input on what I may be doing wrong!
>  
> Situation is, Radiator eval configured for TTLS with LSA module, Cisco  
> 1100 series AP (also tried 1200), Funk Odyssey client on PPC 2003 and  
> also WinXP client using Alfa-Ariss SecureW2. The Radiator logs show  
> that the client is connecting and authenticating without any problems  
> (that I can see). The Funk client also shows that the Authentication  
> result is a success and the authentication type is EAP-TTLS [PAP]. The  
> WinXP client also connects and authenticates without any problems.  
> After the clients (both WinXP and PPC) connect and authenticate, they  
> are unable to transmit any data over the wireless link. If I disable  
> EAP, everything works fine. I have also disabled the LSA module and  
> just tried to authenticate with the <AuthBy FILE> module but that  
> doesn't seem to make any difference.
>  
> To me it seems that Radiator is not the problem, as that seems to be  
> authenticating the user correctly, but I could be wrong!
>  
> Another thing I noticed was that after I enable the TTLS hooks as  
> mentioned in EAP_TTLS.cfg, anonymous is still getting logged for both  
> the Inner and Outer user in the Accounting. Could this be related to  
> my problem?
>  
> Thanks in advance,
> Russ.
>  
> Config files and Logs follow (I haven't bothered masking any details as  
> this setup is on a test network and will be changed for production):
>  
> # Radiusd.cfg
> Foreground
> LogStdout
> LogDir  c:/Program Files/Radiator
> DbDir  c:/Program Files/Radiator
> Trace   4
>
>
> <Client 192.168.22.100>
>  Secret password
> </Client>
> <Realm DEFAULT>
>  <AuthBy FILE>
>   Filename %D/users
>   EAPType TTLS
>   EAPTLS_CAFile c:/radiator/certificates/demoCA/cacert.pem
> #  EAPTLS_CAPath
>   EAPTLS_CertificateFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_PrivateKeyPassword whatever
> #  EAPTLS_RandomFile %D/certificates/random
>   EAPTLS_MaxFragmentSize 1000
> #  EAPTLS_DHFile %D/certificates/cert/dh
>   AutoMPPEKeys
>   SSLeayTrace 4
>  </AuthBy>
> </Realm>
> <Realm DEFAULT>
>  <AuthBy LSA>
>   EAPType TTLS
>   EAPTLS_CAFile c:/radiator/certificates/demoCA/cacert.pem
> #  EAPTLS_CAPath
>   EAPTLS_CertificateFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_PrivateKeyPassword whatever
> #  EAPTLS_RandomFile %D/certificates/random
>   EAPTLS_MaxFragmentSize 1000
> #  EAPTLS_DHFile %D/certificates/cert/dh
>   AutoMPPEKeys
>   SSLeayTrace 4
>  </AuthBy>
>  PreProcessingHook file:"c:/radiator/goodies/eap_anon_hook.pl"
>  PostAuthHook file:"c:/radiator/goodies/eap_anon_hook.pl"
>  AcctLogFileName %D/detail
> </Realm>
>  
> Radiator Debug:
>  
> Mon Jan 12 10:04:01 2004: DEBUG: Reading users file c:/Program  
> Files/Radiator/users
> Mon Jan 12 10:04:01 2004: DEBUG: Finished reading configuration file  
> 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2004-07-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contactadmin at open.com.au
> Mon Jan 12 10:04:01 2004: DEBUG: Reading dictionary file 'c:/Program  
> Files/Radiator/dictionary'
> Mon Jan 12 10:04:02 2004: DEBUG: Creating authentication port  
> 0.0.0.0:1645
> Mon Jan 12 10:04:02 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Jan 12 10:04:02 2004: NOTICE: Server started: Radiator 3.8 on  
> thebeast (EVALUATION)
> Mon Jan 12 10:04:33 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 133
> Authentic:  |<28>E!<165><186><8><243>6t<178><188><191>e<6>w
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator =  
> f<214>z<128><<254>(/<203>/<186><141>PH<229><221>
>  EAP-Message = <2><1><0><14><1>anonymous
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:33 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:33 2004: DEBUG:  Deleting session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with EAP: code 2, 1, 14
> Mon Jan 12 10:04:33 2004: DEBUG: Response type 1
> Mon Jan 12 10:04:33 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:33 2004: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Mon Jan 12 10:04:33 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 133
> Authentic:  |<28>E!<165><186><8><243>6t<178><188><191>e<6>w
> Attributes:
>  EAP-Message = <1><2><0><6><21>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:33 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 134
> Authentic:  j<G<4><188>;<139>r5*<239><15>I<179><232><14>
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator =  
> <228>w<142><167>~<186><234><182><249><205>3<252><230><216><181><29>
>  EAP-Message =  
> <2><2><0><132><21><128><0><0><0>z<22><3><1><0>u<1><0><0>q<3><1>><205><1 
> 61>j<129><132>+<15>j<23><255>HU<178><143><235><200><150><162>A<13>/ 
> <180>f<15>j-<26>(pA<196>  
> KYB<245>o<14><221><135>G<220><185><200><4><247>r(=<249><212>E<147><227> 
> w<4><145><220><183><234><1><254><161><21><0>*<0><22><0><19><0>f<0><21>< 
> 0><18><0><10><0><5><0><4><0><7><0><9><0>c<0>e<0>`<0>b<0>a<0>d<0><20><0> 
> <17><0><3><0><6><0><8><1><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:33 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:33 2004: DEBUG:  Deleting session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with EAP: code 2, 2, 132
> Mon Jan 12 10:04:33 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:33 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Mon Jan 12 10:04:33 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:33 2004: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 134
> Authentic:  j<G<4><188>;<139>r5*<239><15>I<179><232><14>
> Attributes:
>  EAP-Message =  
> <1><3><3><242><21><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>@<2><0>< 
> 177><27><228><152><134><192><193><129><145><133><255><161><252><157><28 
> >,<163><142><137><247>3fD<200>&<157>v<164><236>  
> c<22>n<169><177>Y; 
> <132><204>=<20><163><231><189><254><229><170><8><234><7><3><153><25>7<2 
> 1>=M<242>X<18><249>@<0><10><0><22><3><1><7><27><11><0><7><23><0><7><20> 
> <0><2><209>0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9 
> >*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6>< 
> 19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><1 
> 9><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo  
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>  EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in  
> production)1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30> 
> <23><13>030227061500Z<23><13>040227061500Z0u1<11>0<9><6><3>U<4><6><19>< 
> 2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9 
> >Melbourne1<24>0<22><6><3>U<4><10><19><15>My Test  
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159> 
> 0<13><6><9>*<134>H<134><247><13><1><1>
>  EAP-Message =  
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><196><186>)<217><24 
> 5><205><159>@<144><133><177><255>0<165><3><215>cGR<136><231><253>9<193> 
> <13><255>m@<220>y^<160><244><236>Sa'<198>^<231><158>4<156>"<242>IS<151> 
> <30><211>$<142><196>!}R<146><166><129>yh<17><162><207><196><0><171>5s<1 
> 87><229><139>2<250><146><1><187><207><226><203>5<251><178><1><212><178> 
> <141><219>O<253><134><213>N|<172>: 
> J<23><173><161><191><141><25>&<198>Fi<17><181><137>Fy<0><177><210><215> 
> <186>x<141><197><212>s<145><235>\<164><8>! 
> <2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1> 
> <5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129>< 
> 129><0><20>m<159><141><185><184><252><248><201>FM<195>PB(^<127>3<24><13 
> 6><172><19><211><137><132>EF<170>9<236>^<187><146><253><171><200><183>< 
> 230><148><142><21>_<9>^<227><10>3<162><186><214><206><197>Tq<219><4>r<2 
> 39>?<1><16><203>
>  EAP-Message =  
> T<0><161>wm<173>S<4><0>)<141><209><<197>tT<228><150>P<156><22>^zes^<202 
> >u<161><176>F3=<4><200><229><154>q<146><194>cy<23>z*o><219><28><206>t<1 
> 96><188><3><195>.%<19>mD<242><149><237>O<138><193><0><4>=0<130><4>90<13 
> 0><3><162><160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1> 
> <1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U 
> <4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28>< 
> 6><3>U<4><10><19><21>OSC Demo  
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate  
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do no
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 135
> Authentic:  1<9><236><246>S<8>*<129><205>n<189><252>qOl!
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = ,<19>S6<255>9{<217><245>$z<146>0r)S
>  EAP-Message = <2><3><0><6><21><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 3, 6
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 135
> Authentic:  1<9><236><246>S<8>*<129><205>n<189><252>qOl!
> Attributes:
>  EAP-Message = <1><4><3><238><21>@t use in production)1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30> 
> <23><13>030227061411Z<23><13>050226061411Z0<129><202>1<11>0<9><6><3>U<4 
> ><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4> 
> <7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo  
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate  
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in p
>  EAP-Message = roduction)1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129 
> ><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0< 
> 129><137><2><129><129><0><193>@h<28><185>'<7><254><247>{9<233><245>3S<2 
> 09>=<173>>c<144>Z<239>? 
> b<150><224><171><219><170><170>i<226><251><234>\Jwi<210><141><249><141> 
> <148><224>|<188>V<24><209><8><223>f? 
> <149><172><6><226><18><232>1<249><227>$<176>G<164>'Y<193><160>$n<160>e< 
> 153>V<166>x<2><162><<244><4><225>T>n<18><<204><210><135><162>T<16><221> 
> <6>Pn<9>7<141><197><160><197><245><155>6<3><172><154>p<230><210>Z<159>< 
> 149><192>C<255><154><220><149><3>*<156>q<2><3><1><0><1><163><130><1>+0< 
> 130><1>'0<29><6><3>U<29><14><4><22><4><20><180><27><24>R'<27><169>)<152 
> ><148>o<139>c<198><6>9\<249>s<196>0<129><247><6><3>U<29>#
>  EAP-Message =  
> <4><129><239>0<129><236><128><20><180><27><24>R'<27><169>)<152><148>o<1 
> 39>c<198><6>9\<249>s<196><161><129><208><164><129><205>0<129><202>1<11> 
> 0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0< 
> 16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC  
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate  
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130> 
> <1><0>0<12><6><3>U<29><19><4><5>0<3>
>  EAP-Message =  
> <1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129> 
> <0>A<130>4<253><23>- 
> <13><9><9><222>3<19><171>aj<23><187><195>gs<145><194>w<164>1m#<242>t<23 
> 3><144><146>&g<162><190><234><145>H<159><10>^6IQ<223><219><193>@><204>b 
> <245><12><6><133><147><132><192>fU<165><197><180>k<136>: 
> <8><198><152><165>*%<221><237><188><23><251><255><172>'n<142>H<25>q<173 
> >t<215><212><221><239><20>FZyd<205><240>Wbd<143><139>q]h<236><127><16>< 
> 143>tA<163>4I<236><230><147><218>><175>B^<130><0>*9<22><3><1><0><220><1 
> 3><0><0><212><2><1><2><0><207><0><205>0<129><202>1<11>0<9><6><3>U<4><6> 
> <19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7>< 
> 19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certif
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 136
> Authentic:  <238><28><227><224><27>;Cb<229><6><231>Y<3>Z<230><133>
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = <199>ET<214><200>n6<0>gs<153>!8T<222><194>
>  EAP-Message = <2><4><0><6><21><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 4, 6
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 136
> Authentic:  <238><28><227><224><27>;Cb<229><6><231>Y<3>Z<230><133>
> Attributes:
>  EAP-Message =  
> <1><5><0><134><21><0>icates1!0<31><6><3>U<4><11><19><24>Test  
> Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in  
> production)1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<14>< 
> 0><0><0>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 137
> Authentic:  Sd<144>t<163><15>.&<222><156><239>k<16>8<136>Q
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = xeJ'<214>K<218>0-<162>yI<170>q<176><135>
>  EAP-Message =  
> <2><5><0><212><21><128><0><0><0><202><22><3><1><0><7><11><0><0><3><0><0 
> ><0><22><3><1><0><134><16><0><0><130><0><128><149>c<209>A<200><237>m<16 
> 0>s4<165><231>\<255><241><4><158><170><148><158><166><26><169>~<214><13 
> 8><199>4^<223>)9<172><198><172>_<133><204>O$<184><<173><248>tI<238><166 
> ><151><183><157><1><182><207><218>d<184>t<18><185><127><172><216><235>< 
> 192><171><220>L<250><161>#<14><2><175><2>d<209><<128><2><153><213><140> 
> <239>6<156>8@<152><249>}<25><158>&<18>- 
> k<164><250><144><134>`<24><170><187><16><127>L<134>.<151><210><<231><23 
> 7><132><186>}<185>X<202><163><162>=q<173>C<4><20><3><1><0><1><1><22><3> 
> <1><0>(|<190><207>^<18><171><211><15><192><27>W? 
> <1><26><252><15><196>V<165>=<163><188>]<6><198>I<205>7s{*o<219><241>)<2 
> 39><214><152>5<152>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 5, 212
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Access challenged for anonymous: EAP  
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 137
> Authentic:  Sd<144>t<163><15>.&<222><156><239>k<16>8<136>Q
> Attributes:
>  EAP-Message =  
> <1><6><0>=<21><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>(Ah<1>(<22 
> 7><179><222><156><G<137>Vadc<207><159>\<222><134>><167>(<227>m<229><197 
> ><151>-<174><229><1><170>G<134> C<202><237>u
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 138
> Authentic:  <187><203>fJw<164>wh<198>$<173>Z<25><136>L6
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator =  
> <215><194>rXX<1>'<226><8><247>=<149><211><147><174><173>
>  EAP-Message =  
> <2><6><0>\<21><128><0><0><0>R<23><3><1><0><24><245><217><159><213>.<178 
> ><228><152>_<3>s<165><11>T<255><224>&<160><200><207><203><254>: 
> <157><23><3><1><0>0<1>A<154><130>W2<141><11>k0[ff<6><13>S<212>- 
> s<160><224><<156><252><239>[<160><164><187>Gskh<230><214><16><227><242> 
> '<214><227><189>J<200><164><149><23><164>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 6, 92
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP TTLS inner authentication request  
> for test
> Mon Jan 12 10:04:34 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:   
> <231><227><208><154>w<228><231>z<7><191>pn<233><153><24><145>
> Attributes:
>  User-Name = "test"
>  User-Password = "test"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for test,  
> 192.168.22.100,
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Radius::AuthLSA looks for match with  
> test
> Mon Jan 12 10:04:34 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Jan 12 10:04:34 2004: DEBUG: Access accepted for test
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 0, EAP TTLS inner  
> authentication redespatched to a Handler
> Mon Jan 12 10:04:34 2004: DEBUG: Access accepted for anonymous
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Accept
> Identifier: 138
> Authentic:  <187><203>fJw<164>wh<198>$<173>Z<25><136>L6
> Attributes:
>  MS-MPPE-Send-Key =  
> "<224>u<133><227><205><1><23>Ga)u<176><208><254><198>L<176>]<3><7><156> 
> <164><28><10><253><200>/ 
> _c<25><220><167>j<155><141><188><165>]<127><2>B<194>,<17><144><179><239 
> ><13><132>r"
>  MS-MPPE-Recv-Key =  
> "<130><199><4>t<28><17><5><222><148><204><207><216><4>; 
> e<242><184><239>B<220>C<237><165>R<129><178>t<149><209><7>8Fy<254><222> 
> !<240><144>R<237><179><230><252>1<27>z<254><15><218>r"
>  EAP-Message = <3><6><0><4>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Accounting-Request
> Identifier: 139
> Authentic:   
> g<187><6><7><247>C<1>!<149><178><212><190><202><242><147><208>
> Attributes:
>  Acct-Session-Id = "0000002B"
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  cisco-avpair = "ssid=tsunami"
>  cisco-avpair = "nas-location=unspecified"
>  cisco-avpair = "connect-progress=Call Up"
>  Acct-Authentic = RADIUS
>  User-Name = "anonymous"
>  Acct-Status-Type = Start
>  NAS-Port-Type = Wireless-IEEE-802-11
>  Cisco-NAS-Port = "280"
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  Acct-Delay-Time = 0
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Adding session for anonymous,  
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Accounting accepted
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Accounting-Response
> Identifier: 139
> Authentic:   
> g<187><6><7><247>C<1>!<149><178><212><190><202><242><147><208>
> Attributes:
>  
>  
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
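
Added example, not part of the original thread and not Radiator's own code: a small pre-flight check for a Radiator-style configuration that reports Realm/Handler clauses repeated under the same name (the condition described in the reply above, where the later clause overwrites the earlier one) and masks secret-bearing parameters before the file is posted. The sample configuration is constructed and trimmed from the one quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE_CFG = """\
<Client 192.168.22.100>
 Secret password
</Client>
<Realm DEFAULT>
 <AuthBy FILE>
  Filename %D/users
  EAPType TTLS
  EAPTLS_PrivateKeyPassword whatever
 </AuthBy>
</Realm>
<Realm DEFAULT>
 <AuthBy LSA>
  EAPType TTLS
  EAPTLS_PrivateKeyPassword whatever
 </AuthBy>
</Realm>
"""

OPEN_RE = re.compile(r"^\s*<(Realm|Handler)\s*([^>]*)>\s*$")
CLOSE_RE = re.compile(r"^\s*</(Realm|Handler)>\s*$")
AUTHBY_RE = re.compile(r"^\s*<AuthBy\s+([^>]+)>\s*$")
# Parameters that carry secrets in the configuration shown in this thread.
SECRET_RE = re.compile(r"^(\s*(?:Secret|EAPTLS_PrivateKeyPassword)\s+)\S.*$")


def parse_clauses(text):
    """Return [(kind, name, first_line_no, [AuthBy types])] in file order."""
    clauses, current = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out parameter
        m = OPEN_RE.match(line)
        if m:
            current = (m.group(1), m.group(2).strip(), no, [])
            clauses.append(current)
        elif CLOSE_RE.match(line):
            current = None
        elif current is not None:
            a = AUTHBY_RE.match(line)
            if a:
                current[3].append(a.group(1).strip())
    return clauses


def find_shadowed(text):
    """Report every clause whose (kind, name) appears again later in the file."""
    clauses = parse_clauses(text)
    last = {}
    for kind, name, no, _ in clauses:
        last[(kind, name)] = no  # line of the final occurrence wins
    return [
        {"clause": f"{kind} {name}", "line": no, "authby": authby,
         "overwritten_by_line": last[(kind, name)]}
        for kind, name, no, authby in clauses
        if last[(kind, name)] != no
    ]


def redact_secrets(text):
    """Mask secret-bearing parameter values; line numbers are preserved."""
    return "\n".join(SECRET_RE.sub(r"\1<REDACTED>", line)
                     for line in text.splitlines())


if __name__ == "__main__":
    print(find_shadowed(SAMPLE_CFG), redact_secrets(SAMPLE_CFG), sep="\n")
```

On the sample, the first `<Realm DEFAULT>` (with `AuthBy FILE`) is reported as overwritten by the second, and both the client `Secret` and the private-key password are masked.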

