(RADIATOR) EAP-TTLS Problems

Russell Owen rowen at solutionsit.com.au
Sun Jan 11 22:17:09 CST 2004


Ok, I have rewritten the config file as per a utahgeeks.sourceforge.net example and removed the two Realm DEFAULT clauses and replaced them with Handler clauses. The new config file is included. Even though I have changed the Realm clauses, the anonymous user account is still not read from the %D/users file: if I delete or comment out the anonymous user, my client still authenticates successfully (well, it still doesn't work, but it says authentication is successful). I even changed the AuthBy LSA clauses to AuthBy FILE to see if that made any difference. When I did this I could only authenticate if my "test" username is in that file, but it still made no difference whether the anonymous user was there or not. Could this be part of my problem?
 
I also tried the AddToReply tag and inputted the Service-Type and Framed-Protocol in the reply, but this made no difference in allowing me to access the network after authenticating. If anyone else on the list has EAP-TTLS[PAP] working with Cisco APs (1100, 1200 or 340) and needed to use the AddToReply command, I would be interested to know what needed to be added.
 
Thanks for your help.
Russ.
 
# Radiusd.cfg
Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir  c:/Program Files/Radiator
Trace   4

<Client 192.168.22.102>
  NoIgnoreDuplicates Access-Request
  NoIgnoreDuplicates Access-Challenge
  Secret password
  DefaultRealm intheforest.wa.au
  Identifier Wireless
</Client>
<Handler Realm=intheforest.wa.au,Client-Identifier=Wireless>
  RejectHasReason
  RewriteUsername s/^([^@]+).*/$1/
  <AuthBy FILE>
    Filename %D/users
    EAPType TTLS
    EAPTLS_CAFile c:/radiator/certificates/demoCA/cacert.pem
#   EAPTLS_CAPath
    EAPTLS_CertificateFile c:/radiator/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile c:/radiator/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
#   EAPTLS_RandomFile %D/certificates/random
    EAPTLS_MaxFragmentSize 1000
#   EAPTLS_DHFile %D/certificates/cert/dh
    AutoMPPEKeys
    SSLeayTrace 4
    AddToReply Service-Type = Framed-User, \
      Framed-Protocol = PPP
  </AuthBy>
</Handler>
<Handler Client-Identifier=Wireless>
  RejectHasReason
  <AuthBy LSA>
    EAPTLS_SessionResumption 0
    FailureBackoffTime 1
  </AuthBy>
  AcctLogFileName %D/detail
</Handler>
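The AP in this setup tells the client that authentication succeeded but then passes no traffic, so the next question is what the AP does with the Access-Accept it receives. As an added example (not Radiator code and not from either poster), the following builds an EAP Access-Accept the way a RADIUS server must and then checks and unpacks it the way the NAS does: the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes seen in the Access-Accept in the trace further down, encrypted per RFC 2548 under the shared secret and the Request Authenticator; the RFC 3579 Message-Authenticator; and the RFC 2865 Response Authenticator. The shared secret "password" is the one in the posted config; the Request Authenticator, packet identifier and key bytes used when exercising it are constructed values.

```python
"""Added example (not Radiator code): build an EAP Access-Accept the way the server
must, then check it the way the NAS does. Covers RFC 2548 MS-MPPE-Send/Recv-Key
encryption, the RFC 3579 Message-Authenticator and the RFC 2865 Response
Authenticator. Secret 'password' is from the posted config; all else is constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_MESSAGE_AUTHENTICATOR = 26, 80
MS_VENDOR_ID = 311
MPPE_SEND_KEY, MPPE_RECV_KEY = 16, 17        # vendor types under Vendor-Id 311


def mppe_encrypt(secret, request_auth, key, salt):
    """RFC 2548 s2.4.2: P = len||key zero-padded to 16n; b1 = MD5(S|R|A), c1 = p1^b1,
    then b(i) = MD5(S|c(i-1)), c(i) = p(i)^b(i). Returns salt + ciphertext."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first byte set")
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)
    cipher, feed = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + feed).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        cipher, feed = cipher + c, c
    return salt + cipher


def mppe_decrypt(secret, request_auth, value):
    """Inverse of mppe_encrypt. A wrong secret or Request Authenticator gives garbage;
    the embedded length byte is the only sanity check, and it does not always fire."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MPPE key attribute")
    plain, feed = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + feed).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], b))
        feed = cipher[i:i + 16]
    if plain[0] == 0 or plain[0] > len(plain) - 1:
        raise ValueError("bad key length byte: wrong shared secret or Request Authenticator?")
    return plain[1:1 + plain[0]]


def key_recoverable(secret, request_auth, value, expected):
    """True only if decryption passes the length check and matches the expected key."""
    try:
        return mppe_decrypt(secret, request_auth, value) == expected
    except ValueError:
        return False


def ms_vsa(vendor_type, value):
    """Vendor-Specific (26): Vendor-Id 311, then vendor type, vendor length, value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", ATTR_VSA, len(inner) + 6, MS_VENDOR_ID) + inner


def iter_attrs(body):
    pos = 0
    while pos + 2 <= len(body):
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, pos, body[pos + 2:pos + length]
        pos += length


def build_access_accept(secret, identifier, request_auth, attrs):
    """Message-Authenticator is HMAC-MD5 over the packet with its own value zeroed and the
    Request Authenticator in the header; the Response Authenticator is filled in last."""
    body = b"".join(attrs) + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_access_accept(secret, request_auth, packet):
    """The NAS side: length, Response Authenticator, then Message-Authenticator. RFC 3579
    s3.2 requires silently discarding an EAP reply whose Message-Authenticator is missing
    or wrong, so a shared-secret mismatch shows up as no reply at all at the AP."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), resp_auth):
        return False
    for t, pos, val in iter_attrs(body):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = body[:pos + 2] + bytes(16) + body[pos + 18:]
            want = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, val)
    return False


def extract_mppe_keys(secret, request_auth, packet):
    """Decrypt MS-MPPE-Send-Key/Recv-Key from a verified Accept, as the AP would."""
    keys = {}
    for t, _, val in iter_attrs(packet[20:]):
        if t == ATTR_VSA and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == MS_VENDOR_ID:
            vtype, vlen = val[4], val[5]
            name = {MPPE_SEND_KEY: "send", MPPE_RECV_KEY: "recv"}.get(vtype)
            if name and vlen == len(val) - 4:
                keys[name] = mppe_decrypt(secret, request_auth, val[6:4 + vlen])
    return keys
```

Both authenticators are keyed with the shared secret and computed over the whole packet, so a secret mismatch or any change to the reply attributes in transit makes the AP discard the Accept without telling the server; Radiator would still log "Access accepted". A 32-byte key always encrypts to a 50-byte attribute value (2-byte salt plus 48 bytes of ciphertext), which is a quick sanity check to apply to a dump.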
 

 
________________________________

From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Mon 12/01/2004 11:19 AM
To: Russell Owen
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) EAP-TTLS Problems




Hello Russell -

Thanks for sending the configuration file and debug.

Part of the problem is due to your configuration file containing two 
Realm DEFAULT clauses. In this case, the second Realm DEFAULT will 
overwrite the first one, so that is why your AuthBy FILE does not work 
correctly (the second Realm DEFAULT has the AuthBy LSA).

And you are correct - it appears that the access request is being 
accepted and an Access-Accept is being returned to the AP. I suspect 
that you may require some additional reply attributes in the 
Access-Accept, such as Service-Type = Framed-User and Framed-Protocol = 
PPP.

For the hooks - they require an SQL database with the appropriate 
tables defined and the DBI/DBD modules installed.

regards

Hugh


On 12/01/2004, at 12:56 PM, Russell Owen wrote:

> Hi All,
> I've been racking my brain on this one for a few days now and would 
> appreciate if anyone has some input on what I may be doing wrong!
>  
> Situation is, Radiator eval configured for TTLS with LSA module, Cisco
> 1100 series AP (also tried 1200), Funk Odyssey client on PPC 2003 and
> also WinXP client using Alfa-Ariss SecureW2. The Radiator logs show
> that the client is connecting and authenticating without any problems
> (that I can see). The Funk client also shows that the authentication
> result is a success and the authentication type is EAP-TTLS [PAP]. The
> WinXP client also connects and authenticates without any problems.
> After the clients (both WinXP and PPC) connect and authenticate, they
> are unable to transmit any data over the wireless link. If I disable
> EAP, everything works fine. I have also disabled the LSA module and
> just tried to authenticate with the <AuthBy FILE> module but that
> doesn't seem to make any difference.
>  
> To me it seems that Radiator is not the problem, as that seems to be 
> authenticating the user correctly, but I could be wrong!
>  
> Another thing I noticed was that after I enable the TTLS hooks as
> mentioned in EAP_TTLS.cfg, anonymous is still getting logged for both
> the Inner and Outer user in the Accounting. Could this be related to
> my problem?
>  
> Thanks in advance,
> Russ.
>  
> Config files and Logs follow (I haven't bothered masking any details as
> this setup is on a test network and will be changed for production):
>  
> # Radiusd.cfg
> Foreground
> LogStdout
> LogDir  c:/Program Files/Radiator
> DbDir  c:/Program Files/Radiator
> Trace   4
>
>
> <Client 192.168.22.100>
>  Secret password
> </Client>
> <Realm DEFAULT>
>  <AuthBy FILE>
>   Filename %D/users
>   EAPType TTLS
>   EAPTLS_CAFile c:/radiator/certificates/demoCA/cacert.pem
> #  EAPTLS_CAPath
>   EAPTLS_CertificateFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_PrivateKeyPassword whatever
> #  EAPTLS_RandomFile %D/certificates/random
>   EAPTLS_MaxFragmentSize 1000
> #  EAPTLS_DHFile %D/certificates/cert/dh
>   AutoMPPEKeys
>   SSLeayTrace 4
>  </AuthBy>
> </Realm>
> <Realm DEFAULT>
>  <AuthBy LSA>
>   EAPType TTLS
>   EAPTLS_CAFile c:/radiator/certificates/demoCA/cacert.pem
> #  EAPTLS_CAPath
>   EAPTLS_CertificateFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile c:/radiator/certificates/cert-srv.pem
>   EAPTLS_PrivateKeyPassword whatever
> #  EAPTLS_RandomFile %D/certificates/random
>   EAPTLS_MaxFragmentSize 1000
> #  EAPTLS_DHFile %D/certificates/cert/dh
>   AutoMPPEKeys
>   SSLeayTrace 4
>  </AuthBy>
>  PreProcessingHook file:"c:/radiator/goodies/eap_anon_hook.pl"
>  PostAuthHook file:"c:/radiator/goodies/eap_anon_hook.pl"
>  AcctLogFileName %D/detail
> </Realm>
>  
> Radiator Debug:
>  
> Mon Jan 12 10:04:01 2004: DEBUG: Reading users file c:/Program 
> Files/Radiator/users
> Mon Jan 12 10:04:01 2004: DEBUG: Finished reading configuration file 
> 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2004-07-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact admin at open.com.au
> Mon Jan 12 10:04:01 2004: DEBUG: Reading dictionary file 'c:/Program 
> Files/Radiator/dictionary'
> Mon Jan 12 10:04:02 2004: DEBUG: Creating authentication port 
> 0.0.0.0:1645
> Mon Jan 12 10:04:02 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Jan 12 10:04:02 2004: NOTICE: Server started: Radiator 3.8 on 
> thebeast (EVALUATION)
> Mon Jan 12 10:04:33 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 133
> Authentic:  |<28>E!<165><186><8><243>6t<178><188><191>e<6>w
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = 
> f<214>z<128><<254>(/<203>/<186><141>PH<229><221>
>  EAP-Message = <2><1><0><14><1>anonymous
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:33 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:33 2004: DEBUG:  Deleting session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with EAP: code 2, 1, 14
> Mon Jan 12 10:04:33 2004: DEBUG: Response type 1
> Mon Jan 12 10:04:33 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:33 2004: DEBUG: Access challenged for anonymous: EAP 
> TTLS Challenge
> Mon Jan 12 10:04:33 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 133
> Authentic:  |<28>E!<165><186><8><243>6t<178><188><191>e<6>w
> Attributes:
>  EAP-Message = <1><2><0><6><21>
>  Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:33 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 134
> Authentic:  j<G<4><188>;<139>r5*<239><15>I<179><232><14>
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = 
> <228>w<142><167>~<186><234><182><249><205>3<252><230><216><181><29>
>  EAP-Message = 
> <2><2><0><132><21><128><0><0><0>z<22><3><1><0>u<1><0><0>q<3><1>><205><1
> 61>j<129><132>+<15>j<23><255>HU<178><143><235><200><150><162>A<13>/
> <180>f<15>j-<26>(pA<196> 
> KYB<245>o<14><221><135>G<220><185><200><4><247>r(=<249><212>E<147><227>
> w<4><145><220><183><234><1><254><161><21><0>*<0><22><0><19><0>f<0><21><
> 0><18><0><10><0><5><0><4><0><7><0><9><0>c<0>e<0>`<0>b<0>a<0>d<0><20><0>
> <17><0><3><0><6><0><8><1><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:33 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:33 2004: DEBUG:  Deleting session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:33 2004: DEBUG: Handling with EAP: code 2, 2, 132
> Mon Jan 12 10:04:33 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:33 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Mon Jan 12 10:04:33 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:33 2004: DEBUG: Access challenged for anonymous: EAP 
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 134
> Authentic:  j<G<4><188>;<139>r5*<239><15>I<179><232><14>
> Attributes:
>  EAP-Message = 
> <1><3><3><242><21><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>@<2><0><
> 177><27><228><152><134><192><193><129><145><133><255><161><252><157><28
> >,<163><142><137><247>3fD<200>&<157>v<164><236> 
> c<22>n<169><177>Y;
> <132><204>=<20><163><231><189><254><229><170><8><234><7><3><153><25>7<2
> 1>=M<242>X<18><249>@<0><10><0><22><3><1><7><27><11><0><7><23><0><7><20>
> <0><2><209>0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9
> >*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><
> 19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><1
> 9><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo 
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>  EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in 
> production)1 
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30>
> <23><13>030227061500Z<23><13>040227061500Z0u1<11>0<9><6><3>U<4><6><19><
> 2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9
> >Melbourne1<24>0<22><6><3>U<4><10><19><15>My Test 
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>
> 0<13><6><9>*<134>H<134><247><13><1><1>
>  EAP-Message = 
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><196><186>)<217><24
> 5><205><159>@<144><133><177><255>0<165><3><215>cGR<136><231><253>9<193>
> <13><255>m@<220>y^<160><244><236>Sa'<198>^<231><158>4<156>"<242>IS<151>
> <30><211>$<142><196>!}R<146><166><129>yh<17><162><207><196><0><171>5s<1
> 87><229><139>2<250><146><1><187><207><226><203>5<251><178><1><212><178>
> <141><219>O<253><134><213>N|<172>:
> J<23><173><161><191><141><25>&<198>Fi<17><181><137>Fy<0><177><210><215>
> <186>x<141><197><212>s<145><235>\<164><8>!
> <2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1>
> <5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><
> 129><0><20>m<159><141><185><184><252><248><201>FM<195>PB(^<127>3<24><13
> 6><172><19><211><137><132>EF<170>9<236>^<187><146><253><171><200><183><
> 230><148><142><21>_<9>^<227><10>3<162><186><214><206><197>Tq<219><4>r<2
> 39>?<1><16><203>
>  EAP-Message = 
> T<0><161>wm<173>S<4><0>)<141><209><<197>tT<228><150>P<156><22>^zes^<202
> >u<161><176>F3=<4><200><229><154>q<146><194>cy<23>z*o><219><28><206>t<1
> 96><188><3><195>.%<19>mD<242><149><237>O<138><193><0><4>=0<130><4>90<13
> 0><3><162><160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1>
> <1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U
> <4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><
> 6><3>U<4><10><19><21>OSC Demo 
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do no
>  Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 135
> Authentic:  1<9><236><246>S<8>*<129><205>n<189><252>qOl!
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = ,<19>S6<255>9{<217><245>$z<146>0r)S
>  EAP-Message = <2><3><0><6><21><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 3, 6
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Access challenged for anonymous: EAP 
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 135
> Authentic:  1<9><236><246>S<8>*<129><205>n<189><252>qOl!
> Attributes:
>  EAP-Message = <1><4><3><238><21>@t use in production)1 
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30>
> <23><13>030227061411Z<23><13>050226061411Z0<129><202>1<11>0<9><6><3>U<4
> ><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4>
> <7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo 
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in p
>  EAP-Message = roduction)1 
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129
> ><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<
> 129><137><2><129><129><0><193>@h<28><185>'<7><254><247>{9<233><245>3S<2
> 09>=<173>>c<144>Z<239>?
> b<150><224><171><219><170><170>i<226><251><234>\Jwi<210><141><249><141>
> <148><224>|<188>V<24><209><8><223>f?
> <149><172><6><226><18><232>1<249><227>$<176>G<164>'Y<193><160>$n<160>e<
> 153>V<166>x<2><162><<244><4><225>T>n<18><<204><210><135><162>T<16><221>
> <6>Pn<9>7<141><197><160><197><245><155>6<3><172><154>p<230><210>Z<159><
> 149><192>C<255><154><220><149><3>*<156>q<2><3><1><0><1><163><130><1>+0<
> 130><1>'0<29><6><3>U<29><14><4><22><4><20><180><27><24>R'<27><169>)<152
> ><148>o<139>c<198><6>9\<249>s<196>0<129><247><6><3>U<29>#
>  EAP-Message = 
> <4><129><239>0<129><236><128><20><180><27><24>R'<27><169>)<152><148>o<1
> 39>c<198><6>9\<249>s<196><161><129><208><164><129><205>0<129><202>1<11>
> 0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<
> 16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130>
> <1><0>0<12><6><3>U<29><19><4><5>0<3>
>  EAP-Message = 
> <1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129>
> <0>A<130>4<253><23>-
> <13><9><9><222>3<19><171>aj<23><187><195>gs<145><194>w<164>1m#<242>t<23
> 3><144><146>&g<162><190><234><145>H<159><10>^6IQ<223><219><193>@><204>b
> <245><12><6><133><147><132><192>fU<165><197><180>k<136>:
> <8><198><152><165>*%<221><237><188><23><251><255><172>'n<142>H<25>q<173
> >t<215><212><221><239><20>FZyd<205><240>Wbd<143><139>q]h<236><127><16><
> 143>tA<163>4I<236><230><147><218>><175>B^<130><0>*9<22><3><1><0><220><1
> 3><0><0><212><2><1><2><0><207><0><205>0<129><202>1<11>0<9><6><3>U<4><6>
> <19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><
> 19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certif
>  Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 136
> Authentic:  <238><28><227><224><27>;Cb<229><6><231>Y<3>Z<230><133>
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = <199>ET<214><200>n6<0>gs<153>!8T<222><194>
>  EAP-Message = <2><4><0><6><21><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 4, 6
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Access challenged for anonymous: EAP 
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 136
> Authentic:  <238><28><227><224><27>;Cb<229><6><231>Y<3>Z<230><133>
> Attributes:
>  EAP-Message = 
> <1><5><0><134><21><0>icates1!0<31><6><3>U<4><11><19><24>Test 
> Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in 
> production)1 
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<14><
> 0><0><0>
>  Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 137
> Authentic:  Sd<144>t<163><15>.&<222><156><239>k<16>8<136>Q
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = xeJ'<214>K<218>0-<162>yI<170>q<176><135>
>  EAP-Message = 
> <2><5><0><212><21><128><0><0><0><202><22><3><1><0><7><11><0><0><3><0><0
> ><0><22><3><1><0><134><16><0><0><130><0><128><149>c<209>A<200><237>m<16
> 0>s4<165><231>\<255><241><4><158><170><148><158><166><26><169>~<214><13
> 8><199>4^<223>)9<172><198><172>_<133><204>O$<184><<173><248>tI<238><166
> ><151><183><157><1><182><207><218>d<184>t<18><185><127><172><216><235><
> 192><171><220>L<250><161>#<14><2><175><2>d<209><<128><2><153><213><140>
> <239>6<156>8@<152><249>}<25><158>&<18>-
> k<164><250><144><134>`<24><170><187><16><127>L<134>.<151><210><<231><23
> 7><132><186>}<185>X<202><163><162>=q<173>C<4><20><3><1><0><1><1><22><3>
> <1><0>(|<190><207>^<18><171><211><15><192><27>W?
> <1><26><252><15><196>V<165>=<163><188>]<6><198>I<205>7s{*o<219><241>)<2
> 39><214><152>5<152>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 5, 212
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Access challenged for anonymous: EAP 
> TTLS Challenge
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Challenge
> Identifier: 137
> Authentic:  Sd<144>t<163><15>.&<222><156><239>k<16>8<136>Q
> Attributes:
>  EAP-Message = 
> <1><6><0>=<21><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>(Ah<1>(<22
> 7><179><222><156><G<137>Vadc<207><159>\<222><134>><167>(<227>m<229><197
> ><151>-<174><229><1><170>G<134> C<202><237>u
>  Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Access-Request
> Identifier: 138
> Authentic:  <187><203>fJw<164>wh<198>$<173>Z<25><136>L6
> Attributes:
>  User-Name = "anonymous"
>  Framed-MTU = 1400
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  Message-Authenticator = 
> <215><194>rXX<1>'<226><8><247>=<149><211><147><174><173>
>  EAP-Message = 
> <2><6><0>\<21><128><0><0><0>R<23><3><1><0><24><245><217><159><213>.<178
> ><228><152>_<3>s<165><11>T<255><224>&<160><200><207><203><254>:
> <157><23><3><1><0>0<1>A<154><130>W2<141><11>k0[ff<6><13>S<212>-
> s<160><224><<156><252><239>[<160><164><187>Gskh<230><214><16><227><242>
> '<214><227><189>J<200><164><149><23><164>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  NAS-Identifier = "ap"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with EAP: code 2, 6, 92
> Mon Jan 12 10:04:34 2004: DEBUG: Response type 21
> Mon Jan 12 10:04:34 2004: DEBUG: EAP TTLS inner authentication request 
> for test
> Mon Jan 12 10:04:34 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  
> <231><227><208><154>w<228><231>z<7><191>pn<233><153><24><145>
> Attributes:
>  User-Name = "test"
>  User-Password = "test"
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Deleting session for test, 
> 192.168.22.100,
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Radius::AuthLSA looks for match with 
> test
> Mon Jan 12 10:04:34 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Jan 12 10:04:34 2004: DEBUG: Access accepted for test
> Mon Jan 12 10:04:34 2004: DEBUG: EAP result: 0, EAP TTLS inner 
> authentication redespatched to a Handler
> Mon Jan 12 10:04:34 2004: DEBUG: Access accepted for anonymous
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Access-Accept
> Identifier: 138
> Authentic:  <187><203>fJw<164>wh<198>$<173>Z<25><136>L6
> Attributes:
>  MS-MPPE-Send-Key = 
> "<224>u<133><227><205><1><23>Ga)u<176><208><254><198>L<176>]<3><7><156>
> <164><28><10><253><200>/
> _c<25><220><167>j<155><141><188><165>]<127><2>B<194>,<17><144><179><239
> ><13><132>r"
>  MS-MPPE-Recv-Key = 
> "<130><199><4>t<28><17><5><222><148><204><207><216><4>;
> e<242><184><239>B<220>C<237><165>R<129><178>t<149><209><7>8Fy<254><222>
> !<240><144>R<237><179><230><252>1<27>z<254><15><218>r"
>  EAP-Message = <3><6><0><4>
>  Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Received from 192.168.22.100 port 21645 ....
> Code:       Accounting-Request
> Identifier: 139
> Authentic:  
> g<187><6><7><247>C<1>!<149><178><212><190><202><242><147><208>
> Attributes:
>  Acct-Session-Id = "0000002B"
>  Called-Station-Id = "000e.8311.6b50"
>  Calling-Station-Id = "0010.c620.88f7"
>  cisco-avpair = "ssid=tsunami"
>  cisco-avpair = "nas-location=unspecified"
>  cisco-avpair = "connect-progress=Call Up"
>  Acct-Authentic = RADIUS
>  User-Name = "anonymous"
>  Acct-Status-Type = Start
>  NAS-Port-Type = Wireless-IEEE-802-11
>  Cisco-NAS-Port = "280"
>  NAS-Port = 280
>  Service-Type = Framed-User
>  NAS-IP-Address = 192.168.22.100
>  Acct-Delay-Time = 0
> Mon Jan 12 10:04:34 2004: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Mon Jan 12 10:04:34 2004: DEBUG:  Adding session for anonymous, 
> 192.168.22.100, 280
> Mon Jan 12 10:04:34 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Jan 12 10:04:34 2004: DEBUG: Accounting accepted
> Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
> *** Sending to 192.168.22.100 port 21645 ....
> Code:       Accounting-Response
> Identifier: 139
> Authentic:  
> g<187><6><7><247>C<1>!<149><178><212><190><202><242><147><208>
> Attributes:
>  
>  
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
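Russell's observation in the quoted post that accounting logs "anonymous" for both the inner and outer user follows from how EAP-TTLS works: the AP only ever sees the outer identity, so its Accounting-Request Start carries User-Name = "anonymous", while the inner user ("test") appears only in the server-side tunnelled dump. RFC 2865 lets the server return a User-Name in the Access-Accept, which the NAS should then use in its accounting records; without that, the accounting trail names nobody in particular. As an added example (not Radiator code and not from either poster), the following parses a trace-4 log in the format shown above (SAMPLE_TRACE is constructed to that format, without the long EAP fragments) and produces one record per accepted session: outer identity, inner identity, whether MS-MPPE keys were returned, the name accounting recorded, and whether the inner PAP password was written to the log in clear, as it is in the trace above (User-Password = "test").

```python
"""Added example (not Radiator code): audit a Radiator trace-4 log of an EAP-TTLS session,
correlating the outer identity, the tunnelled inner identity and the accounting User-Name,
checking the Access-Accept for MS-MPPE keys and noting whether the inner PAP password was
written to the log. SAMPLE_TRACE is constructed to match the dump format in the thread."""
import re

PACKET_START = re.compile(r"\*\*\* (Received from|Sending to) (\S+) port (\d+)")
TUNNEL_START = re.compile(r"TTLS Tunnelled Diameter Packet dump:")
INNER_REQUEST = re.compile(r"EAP TTLS inner authentication request for (\S+)")
HEADER = re.compile(r"^(Code|Identifier|Authentic):\s*(.*)$")


def parse_trace(text):
    """Yield ('packet', dict) and ('inner', username) events in log order."""
    pkt = None
    for line in text.splitlines():
        start, inner = PACKET_START.search(line), INNER_REQUEST.search(line)
        if pkt and line[:1] not in ("\t", " ") and not HEADER.match(line) and line.strip() != "Attributes:":
            yield "packet", pkt          # any other non-indented line ends the dump
            pkt = None
        if start or TUNNEL_START.search(line):
            pkt = {"direction": start.group(1) if start else "tunnelled", "attrs": {}}
        elif inner:
            yield "inner", inner.group(1)
        elif pkt and HEADER.match(line):
            key, value = HEADER.match(line).groups()
            pkt[key.lower()] = value.strip()
        elif pkt and " = " in line and line[:1] in ("\t", " "):
            name, _, value = line.strip().partition(" = ")
            pkt["attrs"].setdefault(name, []).append(value.strip('"'))
    if pkt:
        yield "packet", pkt


def first(attrs, name):
    return attrs.get(name, [None])[0]


def audit_ttls_sessions(text):
    """One record per Access-Accept: who authenticated inside the tunnel, what name the
    NAS saw and later reported in accounting, and whether keying material came back."""
    records, by_station, requests = [], {}, {}
    inner, pw_logged = None, False
    for kind, item in parse_trace(text):
        if kind == "inner":
            inner = item
            continue
        a, code = item["attrs"], item.get("code")
        if item["direction"] == "tunnelled":
            inner = first(a, "User-Name") or inner
            pw_logged = pw_logged or first(a, "User-Password") is not None
        elif code == "Access-Request":
            requests[item.get("identifier")] = (first(a, "User-Name"), first(a, "Calling-Station-Id"))
        elif code == "Access-Accept":
            outer, station = requests.get(item.get("identifier"), (None, None))
            rec = {"station": station, "outer_identity": outer, "inner_identity": inner,
                   "has_mppe_keys": bool(first(a, "MS-MPPE-Send-Key") and first(a, "MS-MPPE-Recv-Key")),
                   "inner_password_in_log": pw_logged,
                   "accounting_identity": None, "accounting_identity_mismatch": None}
            records.append(rec)
            by_station[station] = rec
            inner, pw_logged = None, False
        elif code == "Accounting-Request" and first(a, "Acct-Status-Type") == "Start":
            rec = by_station.get(first(a, "Calling-Station-Id"))
            if rec:
                rec["accounting_identity"] = first(a, "User-Name")
                rec["accounting_identity_mismatch"] = rec["accounting_identity"] != rec["inner_identity"]
    return records


# Constructed sample in the trace-4 format shown in the thread (EAP fragments omitted).
SAMPLE_TRACE = """\
Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
*** Received from 192.168.22.100 port 21645 ....
Code:       Access-Request
Identifier: 138
Attributes:
\tUser-Name = "anonymous"
\tCalling-Station-Id = "0010.c620.88f7"
Mon Jan 12 10:04:34 2004: DEBUG: EAP TTLS inner authentication request for test
Mon Jan 12 10:04:34 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Attributes:
\tUser-Name = "test"
\tUser-Password = "test"
Mon Jan 12 10:04:34 2004: DEBUG: Access accepted for anonymous
Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
*** Sending to 192.168.22.100 port 21645 ....
Code:       Access-Accept
Identifier: 138
Attributes:
\tMS-MPPE-Send-Key = "<224>u<133>"
\tMS-MPPE-Recv-Key = "<130><199><4>"
Mon Jan 12 10:04:34 2004: DEBUG: Packet dump:
*** Received from 192.168.22.100 port 21645 ....
Code:       Accounting-Request
Identifier: 139
Attributes:
\tCalling-Station-Id = "0010.c620.88f7"
\tUser-Name = "anonymous"
\tAcct-Status-Type = Start
"""
```

Point audit_ttls_sessions() at the contents of a real trace 4 file; attribute values that a mail client has wrapped across lines need rejoining first. The inner_password_in_log flag is the reason a trace 4 log of a TTLS/PAP session should be handled as a credential store, not left on the server or pasted into a list posting.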


