(RADIATOR) Issue of "validate server certificate" authentication failure on XP client - WLAN 802.1x PEAP MSCHAPv2 testing with a Cisco Aironet 1100 AP and Radiator 3.9

Scott Xiao - ANTlabs scottxiao at antlabs.com
Fri Jul 16 01:36:58 CDT 2004


My current question, as I asked before, is: now that I have disabled "validate
server certificate" on the XP client, how can I let the authentication pass
without requiring the XP client to install any specific certificate (PEAP MS
CHAP v2)? Thanks.
Cheers
Scott
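
Added example (not part of the original thread, and not Radiator's own tooling): a server-side answer to the question raised further down about how to check that the certificates are set up properly. It uses the openssl CLI to confirm that the server certificate chains to the configured CA and is usable as a TLS server certificate, and that the private key belongs to it. The function names and the throwaway demo PKI are constructed for illustration; on the setup in this thread the three arguments would be the files named by EAPTLS_CAFile, EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile.

```sh
#!/bin/sh
# Added example: sanity checks for the certificate files an EAP-TLS/PEAP
# RADIUS server is configured with. Requires the openssl command-line tool.

# check_eap_certs CA_FILE CERT_FILE KEY_FILE [KEY_PASSWORD]
# Prints one line per check and returns 0 only if every check passes.
check_eap_certs() {
    cec_ca=$1; cec_cert=$2; cec_key=$3; cec_rc=0

    # 1. The server certificate must chain to the CA that validating
    #    supplicants trust, and be acceptable as a TLS server certificate.
    if openssl verify -CAfile "$cec_ca" -purpose sslserver "$cec_cert" >/dev/null 2>&1; then
        echo "OK   certificate chains to the CA and is valid for TLS server use"
    else
        echo "FAIL certificate does not verify against $cec_ca"
        cec_rc=1
    fi

    # 2. The private key must belong to the certificate (both may live in the
    #    same PEM file). The password is passed via the environment, not argv.
    cec_cert_pub=$(openssl x509 -in "$cec_cert" -noout -pubkey 2>/dev/null) || cec_cert_pub=""
    cec_key_pub=$(CEC_PASS=${4:-} openssl pkey -in "$cec_key" -passin env:CEC_PASS \
        -pubout 2>/dev/null) || cec_key_pub=""
    if [ -n "$cec_cert_pub" ] && [ "$cec_cert_pub" = "$cec_key_pub" ]; then
        echo "OK   private key matches the certificate"
    else
        echo "FAIL private key is unreadable or does not match the certificate"
        cec_rc=1
    fi

    # 3. Advisory only: warn when the certificate expires within 30 days.
    if ! openssl x509 -in "$cec_cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN certificate is expired or expires within 30 days"
    fi
    return $cec_rc
}

# new_demo_ca DIR NAME: throwaway self-signed CA (constructed test data only).
new_demo_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.pem" -days 365 >/dev/null 2>&1
}

# make_demo_pki DIR: a CA, an unrelated CA, and a server certificate whose
# certificate and key share one PEM file, as cert-srv.pem does in the thread.
make_demo_pki() {
    new_demo_ca "$1" ca || return 1
    new_demo_ca "$1" other-ca || return 1
    openssl req -new -config "$1/ca.cnf" -subj "/CN=radius.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" \
        >/dev/null 2>&1 || return 1
    echo "extendedKeyUsage = serverAuth" > "$1/ext.cnf"
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/ext.cnf" -out "$1/srv.crt" \
        >/dev/null 2>&1 || return 1
    cat "$1/srv.crt" "$1/srv.key" > "$1/cert-srv.pem"
}

# Demo run on constructed data: the matching CA passes, an unrelated CA fails.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
echo "== server certificate against its own CA =="
check_eap_certs "$demo_dir/ca.pem" "$demo_dir/cert-srv.pem" "$demo_dir/cert-srv.pem"
echo "== server certificate against an unrelated CA =="
check_eap_certs "$demo_dir/other-ca.pem" "$demo_dir/cert-srv.pem" "$demo_dir/cert-srv.pem" \
    || echo "(rejected, as expected)"
```

These checks cover the server side only; a supplicant that validates the server certificate must additionally trust the CA that issued it.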

-----Original Message-----
From: Scott Xiao - ANTlabs [mailto:scottxiao at antlabs.com]
Sent: Wednesday, July 14, 2004 10:34 AM
To: Hugh Irvine
Cc: Nicola Wassell; Joanne Davis
Subject: RE: problem with my 802.1x PEAP MSCHAPv2 testing with a Cisco
arionet1100 AP and Radiator 3.9


Hi Hugh,
No, I don't think so. For an EAP-TLS setup, the client needs a certificate, and
so does the RADIUS server. But for PEAP-MSCHAPv2, only the AAA server needs a
cert. When I configure the client to enable "validate the server certificate",
it will just prompt the user to verify the cert of the server, and I did see
that screen. After I click "ok" to accept it, I should be able to get an
"authentication succeeded" result. But now, I cannot get it through. Please
double check and advise, thanks!
Rgds
Scott

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Wednesday, July 14, 2004 7:26 AM
To: scottxiao at antlabs.com
Cc: Nicola Wassell; Joanne Davis
Subject: Re: problem with my 802.1x PEAP MSCHAPv2 testing with a Cisco
arionet1100 AP and Radiator 3.9



Hello Scott -

I would have thought that if you configure your client to verify the
server certificate the only way it could do that is by having a client
certificate?

regards

Hugh


On 13 Jul 2004, at 15:25, Scott Xiao - ANTlabs wrote:

> Hi, Hugh,
> Thanks. Yes, the certificates directory is in /etc/radiator, so the certs
> should be able to be found since I set the DB directory already (as below).
> No, I didn't install any cert on my Win XP client since I think PEAP
> doesn't require the client to install a certificate, am I right?
> Is my OpenSSL version correct? How can I know if OpenSSL is working?
> Thanks
> Scott
> ////
>
> LogStdout
> LogDir          /var/log/radius
> DbDir           /etc/radiator
> # User a lower trace level in production systems:
> Trace           4
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, July 13, 2004 1:02 PM
> To: scottxiao at antlabs.com
> Cc: Nicola Wassell; Joanne Davis
> Subject: Re: problem with my 802.1x PEAP MSCHAPv2 testing with a Cisco
> arionet1100 AP and Radiator 3.9
>
>
>
> Hello Scott -
>
> In your configuration file you are using "%D/certificates/...." for the
> certificate location on the Radiator server, so if you have specified
> DbDir correctly the certificates will be found (Ie. DbDir
> /etc/radiator).
>
> Have you also installed the client certificate on the Windows machine?
>
> regards
>
> Hugh
>
>
> On 13 Jul 2004, at 12:51, Scott Xiao - ANTlabs wrote:
>
>> Hi, Hugh
>> Thanks for the reply.
>> So you mean it's not necessary to install a cert on this Radiator server? I
>> just copied the certificates directory to /etc/radiator, it should work
>> without any extra installation, right? So why does it always say "EAP
>> result: 2, EAP PEAP Nothing to read or write" if I enable "validate server
>> certificate" on the XP client? Which directory is in use? How do I check if
>> the certificates are installed properly? Thanks!
>> Rgds
>> Scott
>>
>> [root@FC root]# cd /etc/radiator/
>> [root@FC radiator]# pwd
>> /etc/radiator
>> [root@FC radiator]# ls certificates/
>> cert-clt.p12  cert-clt.pem  cert-srv.pem  demoCA  README  root.der  root.pem
>> [root@FC radiator]# more eap_peap.cfg  | grep certi
>> # In order to test this, you can user the sample test certificates
>> # WILL need to install a real valid server certificate and
>>                 # EAPTLS_CAFile is the name of a file of CA certificates
>>                 # in PEM format. The file can contain several CA certificates
>>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>                 # certificates in PEM format. The files each contain one
>>                 # CA certificate. The files are looked up by the CA
>>                 # the servers certificate. EAPTLS_CertificateType
>>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>                 # as the server certificate (EAPTLS_CertificateFile)
>>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>> #               EAPTLS_RandomFile %D/certificates/random
>> #               EAPTLS_DHFile %D/certificates/cert/dh
>>                 # If EAPTLS_CRLCheck is set  and the client presents a certificate
>>                 # then Radiator will look for a certificate revocation list (CRL)
>>                 # for the certificate issuer
>>                 # if the CRL says the certificate has neen revoked, the authentication will
>>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>                 # certificates directory typically /usr/local/openssl/certs/
>>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>> [root@FC radiator]#
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Tuesday, July 13, 2004 10:10 AM
>> To: scottxiao at antlabs.com
>> Cc: Nicola Wassell; Joanne Davis
>> Subject: Re: problem with my 802.1x PEAP MSCHAPv2 testing with a Cisco
>> arionet1100 AP and Radiator 3.9
>>
>>
>>
>> Hello Scott -
>>
>> There are some test certificates in the Radiator distribution in the
>> "certificates" directory which will work for testing.
>>
>> If you use different certificates they must be installed in the place
>> specified in the Radiator configuration file.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 12 Jul 2004, at 22:14, Scott Xiao - ANTlabs wrote:
>>
>>> Hi, Hugh
>>> I found it works when I disable/uncheck "validate server certificate" in my
>>> WinXP client PEAP settings. Is there anything special about the
>>> certificates? Do I need to install a cert on the Radiator server?
>>> Thanks
>>> Scott
>>>
>>>
>>>
>>>         Framed-Protocol = PPP
>>>         Framed-IP-Netmask = 255.255.255.255
>>>         Framed-Routing = None
>>>         Framed-MTU = 1500
>>>         Framed-Compression = Van-Jacobson-TCP-IP
>>>         EAP-Message = <3><11><0><4>
>>> Code:       Access-Request
>>> Identifier: 117
>>> Authentic:  pi<135><150>v<172><222>Lf+<6><247><24><223><140>l
>>> Attributes:
>>>         User-Name = "antlabs"
>>>         Framed-MTU = 1400
>>>         Called-Station-Id = "000f.34db.6690"
>>>         Calling-Station-Id = "000c.f108.37bf"
>>>         Message-Authenticator =
>>> :<247><152><147><17><239><178>r0O<157><130>h<134><183>(
>>>         EAP-Message =
>>> <2><11><0>&<25><0><23><3><1><0><27>n<2><211><161>d<26><244><213><155>
>>> <
>>> 2
>>> 51><1
>>> 58>Kh<219><15>$<170><250>q<
>>> 233>4<7><202>BX,A
>>>         NAS-Port-Type = Wireless-IEEE-802-11
>>>         NAS-Port = 390
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 192.168.123.19
>>>         NAS-Identifier = "ps-ap"
>>>
>>> Sun Jul 11 13:09:35 2004: DEBUG: Handling request with Handler ''
>>> Sun Jul 11 13:09:35 2004: DEBUG:  Deleting session for antlabs, 192.168.123.19, 390
>>> Sun Jul 11 13:09:35 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Sun Jul 11 13:09:35 2004: DEBUG: Handling with EAP: code 2, 11, 38
>>> Sun Jul 11 13:09:35 2004: DEBUG: Response type 25
>>> Sun Jul 11 13:09:35 2004: DEBUG: EAP result: 0,
>>> Sun Jul 11 13:09:35 2004: DEBUG: Access accepted for antlabs
>>> Sun Jul 11 13:09:35 2004: DEBUG: Packet dump:
>>> *** Sending to 192.168.123.19 port 21645 ....
>>> Code:       Access-Accept
>>> Identifier: 117
>>> Authentic:  pi<135><150>v<172><222>Lf+<6><247><24><223><140>l
>>> Attributes:
>>>         Service-Type = Framed-User
>>>         Framed-Protocol = PPP
>>>         Framed-IP-Netmask = 255.255.255.255
>>>         Framed-Routing = None
>>>         Framed-MTU = 1500
>>>         Framed-Compression = Van-Jacobson-TCP-IP
>>>         EAP-Message = <3><11><0><4>
>>>         Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>         MS-MPPE-Send-Key =
>>> "<202><141>L<164>&<185>[<190>S<199><254><199><146><252><22><195><215>
>>> d
>>> <
>>> 129><
>>> 150><161>%C<150><191>5
>>> <10>g<171>|<229><14><17>9<184><27>x{`_,O<184>nac<21><190>bQ"
>>>         MS-MPPE-Recv-Key =
>>> "<187><145><26>)<246>D<143><157><131><250><134><165><207><166><153>M:
>>> <241><1
>>> 92>J<152><243><182><30
>>>> <240><207><177><197>n4<232>4<156><157>7<140><179><139><168><202><132
>>>> >
>>>> P
>>>> Y<1><
>>> 192><156><190><186><160>'"
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>> Sent: Monday, July 12, 2004 3:33 PM
>>> To: scottxiao at antlabs.com
>>> Cc: Nicola Wassell; Joanne Davis
>>> Subject: Re: problem with my 802.1x PEAP MSCHAPv2 testing with a
>>> Cisco
>>> arionet1100 AP and Radiator 3.9
>>>
>>>
>>>
>>> Hello Scott -
>>>
>>> Yes all versions of aironet are supported.
>>>
>>> There has also been considerable discussion about EAP on the mailing
>>> list:
>>>
>>> 	www.open.com.au/archives/radiator
>>>
>>> and the FAQ has some information too:
>>>
>>> 	www.open.com.au/radiator/faq.html
>>>
>>> BTW - what 802.1x client software are you using?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 12 Jul 2004, at 17:24, Scott Xiao - ANTlabs wrote:
>>>
>>>> Hello Hugh,
>>>> Thanks for your email! Yes, I did install those Perl modules with CPAN,
>>>> and OpenSSL is included in the complete installation of Fedora Core 2
>>>> Linux. I will get some more trace 4 debug. Btw, is the Aironet 1100
>>>> supported? If not, I can change to a Cisco Aironet 340 AP.
>>>> Rgds
>>>> Scott
>>>>
>>>> -----Original Message-----
>>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>>> Sent: Monday, July 12, 2004 3:02 PM
>>>> To: Joanne Davis; scottxiao at antlabs.com; Nicola Wassell
>>>> Subject: Re: problem with my 802.1x PEAP MSCHAPv2 testing with a
>>>> Cisco
>>>> arionet1100 AP and Radiator 3.9
>>>>
>>>>
>>>>
>>>> Hello Scott -
>>>>
>>>> The Radiator log file shows things proceeding normally, but then ending
>>>> abruptly.
>>>>
>>>> Could you please send me a more complete trace 4 debug showing the
>>>> complete trace, together with any error messages from Perl if there is
>>>> a crash. I am assuming that you have installed all of the prerequisites
>>>> that are required?
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 12 Jul 2004, at 14:02, Nicola Wassell wrote:
>>>>
>>>>> Hello Scott
>>>>>
>>>>> I have passed your question on to our technical support team. I will be
>>>>> out of the office until 20 July 2004. Please post any further technical
>>>>> questions to the Radiator Mailing list or sales questions to
>>>>> info at open.com.au
>>>>>
>>>>> Regards, Nicola
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Scott Xiao - ANTlabs [mailto:scottxiao at antlabs.com]
>>>>>> Sent: Monday, 12 July 2004 1:48 PM
>>>>>> To: Nicola Wassell
>>>>>> Subject: RE: problem with my 802.1x PEAP MSCHAPv2 testing with a
>>>>>> Cisco
>>>>>> arionet1100 AP and Radiator 3.9
>>>>>>
>>>>>> Thanks Nicola,
>>>>>> From a document, it mentioned RADIATOR is compatible with 802.1x enabled
>>>>>> AP "Cisco Aironet AP340, 350/352, 1200", while I am using an Aironet 1100.
>>>>>> Will there be any issue with this? Thanks
>>>>>> Scott
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Nicola Wassell [mailto:nicola at open.com.au]
>>>>>> Sent: Monday, July 12, 2004 11:09 AM
>>>>>> To: scottxiao at antlabs.com
>>>>>> Subject: RE: problem with my 802.1x PEAP MSCHAPv2 testing with a
>>>>>> Cisco
>>>>>> arionet1100 AP and Radiator 3.9
>>>>>>
>>>>>>
>>>>>> Hello Scott
>>>>>>
>>>>>> I will ask our technical support team if they have any comments
>>>>>> about
>>>>>> your problem.
>>>>>>
>>>>>> Regards, Nicola
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Scott Xiao - ANTlabs [mailto:scottxiao at antlabs.com]
>>>>>>> Sent: Monday, 12 July 2004 12:13 PM
>>>>>>> To: Nicola Wassell
>>>>>>> Subject: RE: problem with my 802.1x PEAP MSCHAPv2 testing with a
>>>>> Cisco
>>>>>>> arionet1100 AP and Radiator 3.9
>>>>>>>
>>>>>>> Hi, Nicola,
>>>>>>> I have not got any reply yet. Yes, I did subscribe last Friday, but also
>>>>>>> nothing has come in yet....
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Nicola Wassell [mailto:nicola at open.com.au]
>>>>>>> Sent: Saturday, July 10, 2004 9:26 AM
>>>>>>> To: scottxiao at antlabs.com
>>>>>>> Subject: RE: problem with my 802.1x PEAP MSCHAPv2 testing with a
>>>>> Cisco
>>>>>>> arionet1100 AP and Radiator 3.9
>>>>>>>
>>>>>>>
>>>>>>> Hello Scott
>>>>>>>
>>>>>>> I have passed your question on to our technical support team.
>>>>>>>
>>>>>>> If you need further technical assistance, we recommend that you:
>>>>>>>
>>>>>>> - subscribe to our very active Radiator Mailing List at
>>>>>>> http://www.open.com.au/mailing.html
>>>>>>>
>>>>>>> - check the extensive online Reference Manual and FAQs at
>>>>>>> http://www.open.com.au/radiator/documentation.html
>>>>>>>
>>>>>>> - use the Mailing List Archive at
>>>>>>> http://www.open.com.au/archives/radiator/
>>>>>>>
>>>>>>> I will contact you during the evaluation period however please contact
>>>>>>> us if we can be of assistance while you evaluate the product against
>>>>>>> your selection criteria.
>>>>>>>
>>>>>>> Regards, Nicola
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Scott Xiao - ANTlabs [mailto:scottxiao at antlabs.com]
>>>>>>>> Sent: Friday, 9 July 2004 10:46 PM
>>>>>>>> To: Nicola Wassell
>>>>>>>> Subject: Re:problem with my 802.1x PEAP MSCHAPv2 testing with a
>>>>>> Cisco
>>>>>>>> arionet1100 AP and Radiator 3.9
>>>>>>>>
>>>>>>>> Re: problem with my 802.1x PEAP MSCHAPv2 testing with a Cisco
>>>>>>>> Aironet 1100 AP and Radiator 3.9
>>>>>>>> Hi,
>>>>>>>> I have a problem with my 802.1x PEAP MSCHAPv2 testing with a Cisco
>>>>>>>> Aironet 1100 AP and Radiator 3.9. I think it's an EAP config issue. From
>>>>>>>> the debug screen on Radiator, it keeps saying "EAP result:2, EAP PEAP
>>>>>>>> nothing to read or write" or "EAP result: 3, EAP PEAP Challenge". And the
>>>>>>>> authentication request was denied finally. Can you advise? Thanks!
>>>>>>>> My cfg file and log are as below.
>>>>>>>> Rgds
>>>>>>>> Scott
>>>>>>>> cfg file:
>>>>>>>> # eap_peap.cfg
>>>>>>>> #
>>>>>>>> # Example Radiator configuration file.
>>>>>>>> # This very simple file will allow you to get started with
>>>>>>>> # PEAP authentication as used by Windows XP (starting with SP1)
>>>>>>>> # We suggest you start simple, prove to yourself that it
>>>>>>>> # works and then develop a more complicated configuration.
>>>>>>>> #
>>>>>>>> # This example will authenticate from a standard users file in
>>>>>>>> # the current directory.
>>>>>>>> # It will accept requests from any client and try to handle request
>>>>>>>> # for any realm.
>>>>>>>> # And it will print out what its doing in great detail.
>>>>>>>> #
>>>>>>>> # In order to authenticate, the clients user name must be in ./users
>>>>>>>> # (the password is irrelevant for EAP TLS).
>>>>>>>> #
>>>>>>>> # In order to test this, you can use the sample test certificates
>>>>>>>> # supplied with Radiator. For production, you
>>>>>>>> # WILL need to install a real valid server certificate and
>>>>>>>> # key for Radiator to use. Runs with openssl on Unix and Windows.
>>>>>>>> #
>>>>>>>> # See radius.cfg for more complete examples of features and
>>>>>>>> # syntax, and refer to the reference manual for a complete description
>>>>>>>> # of all the features and syntax.
>>>>>>>> #
>>>>>>>> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
>>>>>>>> # Requires openssl 0.9.7beta3 or later from www.openssl.org
>>>>>>>> # Requires Digest-HMAC from CPAN
>>>>>>>> # Requires Digest-SHA1 from CPAN
>>>>>>>> #
>>>>>>>> # You should consider this file to be a starting point only
>>>>>>>> # $Id: eap_peap.cfg,v 1.10 2003/10/31 03:52:35 mikem Exp $
>>>>>>>>
>>>>>>>> Foreground
>>>>>>>> LogStdout
>>>>>>>> LogDir            .
>>>>>>>> DbDir      .
>>>>>>>> # Use a lower trace level in production systems:
>>>>>>>> Trace             4
>>>>>>>>
>>>>>>>> # You will probably want to add other Clients to suit your site,
>>>>>>>> # one for each NAS you want to work with
>>>>>>>> <Client DEFAULT>
>>>>>>>>       Secret antlabs
>>>>>>>>       DupInterval 0
>>>>>>>> </Client>
>>>>>>>>
>>>>>>>>
>>>>>>>> #<Client 192.168.123.79>
>>>>>>>> #      Secret  antlabs
>>>>>>>> #      DupInterval 0
>>>>>>>> #</Client>
>>>>>>>>
>>>>>>>>
>>>>>>>> # This is where we authenticate a PEAP inner request, which will be an EAP
>>>>>>>> # request. The username of the inner request will be anonymous, although
>>>>>>>> # the identity of the EAP request will be the real username we are
>>>>>>>> # trying to authenticate.
>>>>>>>> <Handler TunnelledByPEAP=1>
>>>>>>>>       <AuthBy FILE>
>>>>>>>>             Filename %D/users
>>>>>>>>
>>>>>>>>             # This tells the PEAP client what types of inner EAP requests
>>>>>>>>             # we will honour
>>>>>>>>             EAPType MSCHAP-V2
>>>>>>>>       </AuthBy>
>>>>>>>>       # This hook fixes the problem with some implementations of PEAP, where the
>>>>>>>>       # accounting requests have the User-Name of anonymous, instead of the real
>>>>>>>>       # users name. After authenticating the inner TTLS request, the
>>>>>>>>       # PostAuthHook caches the _real_ user name in an SQL table,
>>>>>>>>       # The PreProcessingHook replaces the 'anonymous' user name in
>>>>>>>>       # accounting requests with the
>>>>>>>>       # real user name that was previously cached for the NAS and NAS-Port.
>>>>>>>>       # You can see the correct real User-Name logged in the AcctLogFileName
>>>>>>>>       # Must be used in conjunction with PreProcessingHook below
>>>>>>>> #      PostAuthHook file:"goodies/eap_anon_hook.pl"
>>>>>>>> </Handler>
>>>>>>>>
>>>>>>>>
>>>>>>>> # The original PEAP request from a NAS will be sent to a matching
>>>>>>>> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
>>>>>>>> # extracted.
>>>>>>>> # The inner authentication request will be sent again to a matching
>>>>>>>> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
>>>>>>>> # a specific handler, or else you can use EAPAnonymous to set a username and realm
>>>>>>>> # which can be used to select a Realm clause for the inner request.
>>>>>>>> # This allows you to select an inner authentication method based on Realm, and/or the
>>>>>>>> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
>>>>>>>> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
>>>>>>>> # them to another remote server based on the realm of the inner authentication request.
>>>>>>>> # In this basic example, both the inner and outer authentication are authenticated
>>>>>>>> # from a file by AuthBy FILE
>>>>>>>> <Handler>
>>>>>>>>       <AuthBy FILE>
>>>>>>>>             # The username of the outer authentication
>>>>>>>>             #  must be in this file to get anywhere. In this example,
>>>>>>>>             # it requires an entry for 'anonymous' which is the standard username
>>>>>>>>             # in the outer requests, and it also requires an entry for the
>>>>>>>>             # actual user name who is trying to connect (ie the 'Login name' entered
>>>>>>>>             # in the Funk Odyssey 'Edit Profile Properties' page
>>>>>>>>             Filename %D/users
>>>>>>>>
>>>>>>>>             # EAPType sets the EAP type(s) that Radiator will honour.
>>>>>>>>             # Options are: MD5-Challenge, One-Time-Password
>>>>>>>>             # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>>>>>>>>             # Multiple types can be comma separated. With the default (most
>>>>>>>>             # preferred) type given first
>>>>>>>>             #EAPType PEAP
>>>>>>>>             EAPType PEAP,MSCHAP-V2
>>>>>>>>
>>>>>>>>             # EAPTLS_CAFile is the name of a file of CA certificates
>>>>>>>>             # in PEM format. The file can contain several CA certificates
>>>>>>>>             # Radiator will first look in EAPTLS_CAFile then in
>>>>>>>>             # EAPTLS_CAPath, so there usually is no need to set both
>>>>>>>>             EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>>>>>>>
>>>>>>>>             # EAPTLS_CAPath is the name of a directory containing CA
>>>>>>>>             # certificates in PEM format. The files each contain one
>>>>>>>>             # CA certificate. The files are looked up by the CA
>>>>>>>>             # subject name hash value
>>>>>>>> #           EAPTLS_CAPath
>>>>>>>>
>>>>>>>>             # EAPTLS_CertificateFile is the name of a file containing
>>>>>>>>             # the servers certificate. EAPTLS_CertificateType
>>>>>>>>             # specifies the type of the file. Can be PEM or ASN1
>>>>>>>>             # defaults to ASN1
>>>>>>>>             EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>>>>>>>             EAPTLS_CertificateType PEM
>>>>>>>>
>>>>>>>>             # EAPTLS_PrivateKeyFile is the name of the file containing
>>>>>>>>             # the servers private key. It is sometimes in the same file
>>>>>>>>             # as the server certificate (EAPTLS_CertificateFile)
>>>>>>>>             # If the private key is encrypted (usually the case)
>>>>>>>>             # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>>>>>>>>             EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>>>>>>>             EAPTLS_PrivateKeyPassword whatever
>>>>>>>>
>>>>>>>>             # EAPTLS_RandomFile is an optional file containing
>>>>>>>>             # randomness
>>>>>>>> #           EAPTLS_RandomFile %D/certificates/random
>>>>>>>>
>>>>>>>>             # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>>>>>>>>             # size that will be replied by Radiator. It must be small
>>>>>>>>             # enough to fit in a single Radius request (ie less than 4096)
>>>>>>>>             # and still leave enough space for other attributes
>>>>>>>>             # Aironet APs seem to need a smaller MaxFragmentSize
>>>>>>>>             # (eg 1024) than the default of 2048. Others need even smaller sizes.
>>>>>>>>             EAPTLS_MaxFragmentSize 1000
>>>>>>>>
>>>>>>>>             # EAPTLS_DHFile if set specifies the DH group file. It
>>>>>>>>             # may be required if you need to use ephemeral DH keys.
>>>>>>>> #           EAPTLS_DHFile %D/certificates/cert/dh
>>>>>>>>
>>>>>>>>
>>>>>>>>             # If EAPTLS_CRLCheck is set  and the client presents a certificate
>>>>>>>>             # then Radiator will look for a certificate revocation list (CRL)
>>>>>>>>             # for the certificate issuer
>>>>>>>>             # when authenticating each client. If a CRL file is not found, or
>>>>>>>>             # if the CRL says the certificate has been revoked, the authentication will
>>>>>>>>             # fail with an error:
>>>>>>>>             #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>>>>>>             # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>>>>>>>>             # Alternatively, CRLs may follow a file naming convention:
>>>>>>>>             #  the hash of the issuer subject name
>>>>>>>>             # and a suffix that depends on the serial number.
>>>>>>>>             # eg ab1331b2.r0, ab1331b2.r1 etc.
>>>>>>>>             # You can find out the hash of the issuer name in a CRL with
>>>>>>>>             #  openssl crl -in crl.pem -hash -noout
>>>>>>>>             # CRLs with this name convention
>>>>>>>>             # will be searched in EAPTLS_CAPath, else in the openssl
>>>>>>>>             # certificates directory typically /usr/local/openssl/certs/
>>>>>>>>             # CRLs are expected to be in PEM format.
>>>>>>>>             # CRL files can be generated with openssl like this:
>>>>>>>>             #  openssl ca -gencrl -revoke cert-clt.pem
>>>>>>>>             #  openssl ca -gencrl -out crl.pem
>>>>>>>>             # Use of these flags requires Net_SSLeay-1.21 or later
>>>>>>>>             #EAPTLS_CRLCheck
>>>>>>>>             #EAPTLS_CRLFile %D/certificates/crl.pem
>>>>>>>>             #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>>>>>>
>>>>>>>>             # Some clients, depending on their configuration, may require you to specify
>>>>>>>>             # MPPE send and receive keys. This _will_ be required if you select
>>>>>>>>             # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>>>>>>>>             # client Network Properties dialog.
>>>>>>>>             # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>>>>>>>>             # in the final Access-Accept
>>>>>>>>             AutoMPPEKeys
>>>>>>>>
>>>>>>>>             # You can enable some warning messages from the Net::SSLeay
>>>>>>>>             # module by setting SSLeayTrace to an integer from 1 to 4
>>>>>>>>             # 1=ciphers, 2=trace, 3=dump data
>>>>>>>>             SSLeayTrace 4
>>>>>>>>
>>>>>>>>             # You can configure the User-Name that will be used for the inner
>>>>>>>>             # authentication. Defaults to 'anonymous'. This can be useful
>>>>>>>>             # when proxying the inner authentication. If there is a realm, it can
>>>>>>>>             # be used to choose a local Realm to handle the inner authentication.
>>>>>>>>             # %0 is replaced with the EAP identity
>>>>>>>>             # EAPAnonymous anonymous@some.other.realm
>>>>>>>>
>>>>>>>>             # You can enable or disable support for TTLS Session Resumption and
>>>>>>>>             # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>>>>>>>>             # Default is enabled
>>>>>>>>             #EAPTLS_SessionResumption 0
>>>>>>>>
>>>>>>>>             # You can limit how long after the initial session that a session can be resumed
>>>>>>>>             # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>>>>>>>>             # (12 hours)
>>>>>>>>             #EAPTLS_SessionResumptionLimit 10
>>>>>>>>
>>>>>>>>             # You can control which version of the draft PEAP protocol to honour
>>>>>>>>             # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>>>>>>>>             # such as Funk Odyssey Client 2.22 or later.
>>>>>>>>             EAPTLS_PEAPVersion 0
>>>>>>>>       </AuthBy>
>>>>>>>>
>>>>>>>>       # This hook fixes the problem with some implementations of PEAP, where the
>>>>>>>>       # accounting requests have the User-Name of anonymous, instead of the real
>>>>>>>>       # users name. After authenticating the inner TTLS request, the
>>>>>>>>       # PostAuthHook caches the _real_ user name in an SQL table,
>>>>>>>>       # The PreProcessingHook replaces the 'anonymous' user name in
>>>>>>>>       # accounting requests with the
>>>>>>>>       # real user name that was previously cached for the NAS and NAS-Port.
>>>>>>>>       # You can see the correct real User-Name logged in the AcctLogFileName
>>>>>>>>       # Must be used in conjunction with PostAuthHook above
>>>>>>>> #      PreProcessingHook file:"goodies/eap_anon_hook.pl"
>>>>>>>> </Handler>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>>
>>>>>>>> Log I captured:
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:18 2004: DEBUG: Reading users file ./users
>>>>>>>> Fri Jul  9 18:52:18 2004: DEBUG: Reading users file ./users
>>>>>>>> Fri Jul  9 18:52:18 2004: DEBUG: Finished reading configuration file '/etc/radiator/eap_peap.cfg'
>>>>>>>> This Radiator license will expire on 2004-08-01
>>>>>>>> This Radiator license will stop operating after 1000 requests
>>>>>>>> To purchase an unlimited full source version of Radiator, see
>>>>>>>> http://www.open.com.au/ordering.html
>>>>>>>> To extend your evaluation period, contact admin at open.com.au
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:18 2004: DEBUG: Reading dictionary file './dictionary'
>>>>>>>> Fri Jul  9 18:52:18 2004: DEBUG: Creating authentication port 0.0.0.0:1645
>>>>>>>> Fri Jul  9 18:52:18 2004: DEBUG: Creating accounting port 0.0.0.0:1646
>>>>>>>> Fri Jul  9 18:52:18 2004: NOTICE: Server started: Radiator 3.9 on FC (EVALUATION)
>>>>>>>> Fri Jul  9 18:52:21 2004: DEBUG: Packet dump:
>>>>>>>> *** Received from 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Request
>>>>>>>> Identifier: 95
>>>>>>>> Authentic:
>>>>>>> <133>0]<165><251><4><182><16><158>nR<3><151><196><148><211>
>>>>>>>> Attributes:
>>>>>>>>       User-Name = "test2"
>>>>>>>>       Framed-MTU = 1400
>>>>>>>>       Called-Station-Id = "000f.34db.6690"
>>>>>>>>       Calling-Station-Id = "000c.f108.37bf"
>>>>>>>>       Message-Authenticator =
>>>>>>>> <12><250><222><249>u~<141><241>Z<14>b8<156><158><143><253>
>>>>>>>>       EAP-Message = <2><2><0><10><1>test2
>>>>>>>>       NAS-Port-Type = Wireless-IEEE-802-11
>>>>>>>>       NAS-Port = 456
>>>>>>>>       Service-Type = Framed-User
>>>>>>>>       NAS-IP-Address = 192.168.123.79
>>>>>>>>       NAS-Identifier = "PS_AP_Aironet1100"
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:21 2004: DEBUG: Handling request with Handler ''
>>>>>>>> Fri Jul  9 18:52:21 2004: DEBUG:  Deleting session for test2, 192.168.123.79, 456
>>>>>>>> Fri Jul  9 18:52:21 2004: DEBUG: Handling with Radius::AuthFILE:
>>>>>>>> Fri Jul  9 18:52:21 2004: DEBUG: Handling with EAP: code 2, 2, 10
>>>>>>>> Fri Jul  9 18:52:21 2004: DEBUG: Response type 1
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Access challenged for test2: EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Sending to 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Challenge
>>>>>>>> Identifier: 95
>>>>>>>> Authentic:
>>>>>>> <133>0]<165><251><4><182><16><158>nR<3><151><196><148><211>
>>>>>>>> Attributes:
>>>>>>>>       EAP-Message = <1><3><0><6><25>
>>>>>>>>       Message-Authenticator =
>>>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Received from 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Request
>>>>>>>> Identifier: 96
>>>>>>>> Authentic:  ]C/<176><211><174><187><179>!<133><220><198><199><240>]<14>
>>>>>>>> Attributes:
>>>>>>>>       User-Name = "test2"
>>>>>>>>       Framed-MTU = 1400
>>>>>>>>       Called-Station-Id = "000f.34db.6690"
>>>>>>>>       Calling-Station-Id = "000c.f108.37bf"
>>>>>>>>       Message-Authenticator = <132><29><1>G<246><254><22><183><194><230><192><1><197><153><163><15>
>>>>>>>>       EAP-Message =
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> <2><3><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>@<238><1
>>>>>>>>       NAS-Port-Type = Wireless-IEEE-802-11
>>>>>>>>       NAS-Port = 456
>>>>>>>>       Service-Type = Framed-User
>>>>>>>>       NAS-IP-Address = 192.168.123.79
>>>>>>>>       NAS-Identifier = "PS_AP_Aironet1100"
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling request with Handler ''
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG:  Deleting session for test2, 192.168.123.79, 456
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling with Radius::AuthFILE:
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling with EAP: code 2, 3, 80
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Response type 25
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Access challenged for test2: EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Sending to 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Challenge
>>>>>>>> Identifier: 96
>>>>>>>> Authentic:  ]C/<176><211><174><187><179>!<133><220><198><199><240>]<14>
>>>>>>>> Attributes:
>>>>>>>>       EAP-Message =
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> <1><4><3><242><25><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>@<23
>>>>>>>>       Message-Authenticator =
>>>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Received from 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Request
>>>>>>>> Identifier: 97
>>>>>>>> Authentic:  {<140><225><249><190><253><156><15><221>x<254><185><250>K<160><17>
>>>>>>>> Attributes:
>>>>>>>>       User-Name = "test2"
>>>>>>>>       Framed-MTU = 1400
>>>>>>>>       Called-Station-Id = "000f.34db.6690"
>>>>>>>>       Calling-Station-Id = "000c.f108.37bf"
>>>>>>>>       Message-Authenticator =
>>>>>>>> <240><216><10><137><193>a<10>Hl<205><s<175><145><25><224>
>>>>>>>>       EAP-Message = <2><4><0><6><25><0>
>>>>>>>>       NAS-Port-Type = Wireless-IEEE-802-11
>>>>>>>>       NAS-Port = 456
>>>>>>>>       Service-Type = Framed-User
>>>>>>>>       NAS-IP-Address = 192.168.123.79
>>>>>>>>       NAS-Identifier = "PS_AP_Aironet1100"
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling request with Handler ''
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG:  Deleting session for test2, 192.168.123.79, 456
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling with Radius::AuthFILE:
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling with EAP: code 2, 4, 6
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Response type 25
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Access challenged for test2: EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Sending to 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Challenge
>>>>>>>> Identifier: 97
>>>>>>>> Authentic:  {<140><225><249><190><253><156><15><221>x<254><185><250>K<160><17>
>>>>>>>> Attributes:
>>>>>>>>       EAP-Message = <1><5><3><238><25>@t use in production)1
>>>>>>>>       Message-Authenticator =
>>>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Received from 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Request
>>>>>>>> Identifier: 98
>>>>>>>> Authentic:  'Qr<244><180><238><<196><184><253><179><208><164>`m<197>
>>>>>>>> Attributes:
>>>>>>>>       User-Name = "test2"
>>>>>>>>       Framed-MTU = 1400
>>>>>>>>       Called-Station-Id = "000f.34db.6690"
>>>>>>>>       Calling-Station-Id = "000c.f108.37bf"
>>>>>>>>       Message-Authenticator =
>>>>>>>> ;<132><206>W<135><160>3<127>/-<6><210><5><28>8<131>
>>>>>>>>       EAP-Message = <2><5><0><6><25><0>
>>>>>>>>       NAS-Port-Type = Wireless-IEEE-802-11
>>>>>>>>       NAS-Port = 456
>>>>>>>>       Service-Type = Framed-User
>>>>>>>>       NAS-IP-Address = 192.168.123.79
>>>>>>>>       NAS-Identifier = "PS_AP_Aironet1100"
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling request with Handler ''
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG:  Deleting session for test2, 192.168.123.79, 456
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling with Radius::AuthFILE:
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Handling with EAP: code 2, 5, 6
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Response type 25
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Access challenged for test2: EAP PEAP Challenge
>>>>>>>> Fri Jul  9 18:52:22 2004: DEBUG: Packet dump:
>>>>>>>> *** Sending to 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Challenge
>>>>>>>> Identifier: 98
>>>>>>>> Authentic:  'Qr<244><180><238><<196><184><253><179><208><164>`m<197>
>>>>>>>> Attributes:
>>>>>>>>       EAP-Message =
>>>>>>>> <1><6><0><134><25><0>icates1!0<31><6><3>U<4><11><19><24>Test
>>>>>>>>       Message-Authenticator =
>>>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>>>
>>>>>>>> Fri Jul  9 18:52:23 2004: DEBUG: Packet dump:
>>>>>>>> *** Received from 192.168.123.79 port 21645 ....
>>>>>>>> Code:       Access-Request
>>>>>>>> Identifier: 99
>>>>>>>> Authentic:  <233><185>/><157><166>v,<156><241><175>><165><233>7#
>>>>>>>> Attributes:
>>>>>>>>       User-Name = "test2"
>>>>>>>>       Framed-MTU = 1400
>>>>>>>>       Called-Station-Id = "000f.34db.6690"
>>>>>>>>       Calling-Station-Id = "000c.f108.37bf"
>>>>>>>>       Message-Authenticator = !z
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>> NB: have you included a copy of your configuration file (no
>>>> secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>> systems.
>>>>
>>>>
>>>>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
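
Added example (not part of the thread and not Radiator code): a small Python decoder for the `EAP-Message` values in the trace quoted above, useful for checking whether the server's fragmented PEAP/TLS flight was delivered in full. It assumes the `<decimal>` byte notation seen in the dump and the EAP-TLS/PEAP flags layout (L=0x80, M=0x40, S=0x20); all function names are hypothetical, and the sample strings are only the leading header bytes of messages from this trace.

```python
import re
import struct

# Trace notation: non-printable bytes appear as <decimal>, printable bytes as
# themselves. A literal "<" directly followed by digits and ">" is ambiguous.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PEAP = 25
FLAGS = (("L", 0x80), ("M", 0x40), ("S", 0x20))  # length included, more, start

# Leading bytes of EAP-Message values from the trace (payloads cut off here).
IDENTITY = "<2><2><0><10><1>test2"
CLIENT_ACK = "<2><4><0><6><25><0>"
SERVER_FLIGHT = [
    "<1><4><3><242><25><192><0><0><8>P",
    "<1><5><3><238><25>@",
    "<1><6><0><134><25><0>",
]


def unescape(dump):
    """Turn the trace notation back into raw bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(dump):
        value = int(m.group(1)) if m.group(1) is not None else ord(m.group(2))
        if value > 255:
            raise ValueError("not a byte: %r" % m.group(0))
        out.append(value)
    return bytes(out)


def parse_eap(dump):
    """Decode the EAP header and, for type 25, the PEAP flags byte."""
    raw = unescape(dump)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": None, "flags": None, "tls_total": None, "tls_bytes": 0}
    if code in (1, 2) and len(raw) >= 5:
        info["type"] = raw[4]
    if info["type"] == PEAP and len(raw) >= 6:
        info["flags"] = [name for name, bit in FLAGS if raw[5] & bit]
        overhead = 6
        if raw[5] & 0x80:  # L bit: 4-byte total TLS message length follows
            if len(raw) < 10:
                raise ValueError("L flag set but length field missing")
            info["tls_total"] = struct.unpack("!I", raw[6:10])[0]
            overhead = 10
        # Fragment size comes from the EAP length field, so a truncated
        # dump still yields the right count.
        info["tls_bytes"] = length - overhead
    return info


def flight_complete(dumps):
    """True when the fragments of one TLS flight add up to its declared size."""
    parts = [parse_eap(d) for d in dumps]
    if not parts or any(p["flags"] is None for p in parts) or parts[0]["tls_total"] is None:
        return False
    # Every fragment except the last sets M; the last one clears it.
    more_ok = all("M" in p["flags"] for p in parts[:-1]) and "M" not in parts[-1]["flags"]
    return more_ok and sum(p["tls_bytes"] for p in parts) == parts[0]["tls_total"]
```

For the server flight in this trace the three fragments carry 1000 + 1000 + 128 bytes, which matches the declared 2128-byte TLS message, so the server hello and certificate chain were sent in full before the trace breaks off.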

