(RADIATOR) User always get authentication succeeded after Timeleft expired with 802.1x PEAP/aironet1100 WLAN

Scott Xiao - ANTlabs scottxiao at antlabs.com
Thu Jul 22 03:46:34 CDT 2004


Hi Hugh,

I checked the Cisco Aironet 1100 AP's debug log and I can see the
Session-Timeout was received correctly as well:

*Mar  3 20:24:49.605: RADIUS:  Session-Timeout     [27]  6   60

Here is the AP debug log FYI, thanks!

Scott

_______
Log of AP:

 *Mar  3 20:22:39.332: RADIUS:  NAS-Port-Type       [61]  6   802.11
wireless           [19]
*Mar  3 20:22:39.332: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:39.333: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:39.333: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:39.333: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:39.444: RADIUS: Received from id 21650/120 10.0.0.100:1812,
Access-Challenge, len 174
*Mar  3 20:22:39.444: RADIUS:  authenticator C2 65 97 A4 8D FD 70 86 - 82 B6
46 80 AA 54 9C 5E
*Mar  3 20:22:39.444: RADIUS:  EAP-Message         [79]  136
*Mar  3 20:22:39.444: RADIUS:   01 06 00 86 19 00 69 63 61 74 65 73 31 21 30
1F  [??????icates1!0?]
*Mar  3 20:22:39.445: RADIUS:   06 03 55 04 0B 13 18 54 65 73 74 20 43 65 72
74  [??U????Test Cert]
*Mar  3 20:22:39.445: RADIUS:   69 66 69 63 61 74 65 20 53 65 63 74 69 6F 6E
31  [ificate Section1]
*Mar  3 20:22:39.446: RADIUS:   2F 30 2D 06 03 55 04 03 13 26 4F 53 43 20 54
65  [/0-??U???&OSC Te]
*Mar  3 20:22:39.446: RADIUS:   73 74 20 43 41 20 28 64 6F 20 6E 6F 74 20 75
73  [st CA (do not us]
*Mar  3 20:22:39.446: RADIUS:   65 20 69 6E 20 70 72 6F 64 75 63 74 69 6F 6E
29  [e in production)]
*Mar  3 20:22:39.446: RADIUS:   31 20 30 1E 06 09 2A 86 48 86 F7 0D 01 09 01
16  [1 0???*?H???????]
*Mar  3 20:22:39.447: RADIUS:   11 6D 69 6B 65 6D 40 6F 70 65 6E 2E 63 6F 6D
2E  [?mikem at open.com.]
*Mar  3 20:22:39.447: RADIUS:   61 75 0E 00 00 00
[au????]
*Mar  3 20:22:39.447: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:39.448: RADIUS(000000D0): Received from id 21650/120
*Mar  3 20:22:39.448: RADIUS/DECODE: EAP-Message fragments, 134, total 134
bytes
*Mar  3 20:22:39.451: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:22:39.451: RADIUS:   34
[4]
*Mar  3 20:22:39.451: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:39.451: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:39.452: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:22:39.452: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:39.452: RADIUS(000000D0): sending
*Mar  3 20:22:39.453: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/121, len 314
*Mar  3 20:22:39.453: RADIUS:  authenticator 7C 21 47 F4 5E 34 C5 65 - 6A 11
E8 C3 55 59 77 6A
*Mar  3 20:22:39.453: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:22:39.453: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:22:39.453: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:22:39.453: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:22:39.453: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:39.453: RADIUS:  EAP-Message         [79]  201
*Mar  3 20:22:39.454: RADIUS:   02 06 00 C7 19 80 00 00 00 BD 16 03 01 00 8D
0B  [????????????????]
*Mar  3 20:22:39.454: RADIUS:   00 00 03 00 00 00 10 00 00 82 00 80 56 3A B9
82  [????????????V:??]
*Mar  3 20:22:39.455: RADIUS:   EA CB AF 0D F1 15 00 4C C7 F4 61 96 9B 8D 4F
93  [???????L??a???O?]
*Mar  3 20:22:39.455: RADIUS:   5A 76 82 F1 FA 10 54 1B 50 BD 3F 6B 10 07 8A
E5  [Zv????T?P??k????]
*Mar  3 20:22:39.455: RADIUS:   B6 2B AB 79 BC 2A 37 8A D6 A6 C7 7A 8B BD 54
E3  [?+?y?*7????z??T?]
*Mar  3 20:22:39.455: RADIUS:   FD F7 59 E4 7E 19 89 FF 73 E4 2C 66 1C E3 29
5E  [??Y?~???s?,f??)^]
*Mar  3 20:22:39.456: RADIUS:   BB 7D 79 43 C6 F0 48 D7 56 13 5B D7 41 5C 91
27  [?}yC??H?V?[?A\?']
*Mar  3 20:22:39.456: RADIUS:   A7 14 80 1A 08 98 27 FC 8F 8A 8E 08 7F E5 74
29  [??????'???????t)]
*Mar  3 20:22:39.457: RADIUS:   51 17 08 10 FE AA D5 59 AA 41 DE A9 B4 5E 4C
C3  [Q??????Y?A???^L?]
*Mar  3 20:22:39.457: RADIUS:   AD 72 CE D8 DA 02 48 45 73 C2 6A B5 14 03 01
00  [?r????HEs?j?????]
*Mar  3 20:22:39.457: RADIUS:   01 01 16 03 01 00 20 48 54 88 62 4A AC 71 73
EF  [?????? HT?bJ?qs?]
*Mar  3 20:22:39.457: RADIUS:   64 6A 85 39 1D F5 00 F0 FF EE E2 49 9D FD CE
6D  [dj?9???????I???m]
*Mar  3 20:22:39.458: RADIUS:   5E 57 2B F1 AE BA 83
[^W+????]
*Mar  3 20:22:39.458: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:22:39.458: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:39.458: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:39.458: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:39.458: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:39.600: RADIUS: Received from id 21650/121 10.0.0.100:1812,
Access-Challenge, len 93
*Mar  3 20:22:39.600: RADIUS:  authenticator 10 1E 37 3A 9C 20 AD 8E - DE 53
E3 61 93 DC E2 87
*Mar  3 20:22:39.600: RADIUS:  EAP-Message         [79]  55
*Mar  3 20:22:39.600: RADIUS:   01 07 00 35 19 80 00 00 00 2B 14 03 01 00 01
01  [???5?????+??????]
*Mar  3 20:22:39.601: RADIUS:   16 03 01 00 20 DE DE B2 C6 3F D2 CD B9 80 B4
17  [???? ???????????]
*Mar  3 20:22:39.601: RADIUS:   AF F2 B0 AA 1F 4C 12 C3 C4 97 B6 04 0D 35 0F
23  [?????L???????5?#]
*Mar  3 20:22:39.602: RADIUS:   C1 85 40 CB 56
[??@?V]
*Mar  3 20:22:39.602: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:39.602: RADIUS(000000D0): Received from id 21650/121
*Mar  3 20:22:39.602: RADIUS/DECODE: EAP-Message fragments, 53, total 53
bytes
*Mar  3 20:22:39.608: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:22:39.608: RADIUS:   34
[4]
*Mar  3 20:22:39.608: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:39.608: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:39.608: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:22:39.609: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:39.609: RADIUS(000000D0): sending
*Mar  3 20:22:39.610: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/122, len 121
*Mar  3 20:22:39.610: RADIUS:  authenticator 34 02 B1 E4 43 5B B8 CF - A9 08
C1 4B B9 0E 35 CF
*Mar  3 20:22:39.610: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:22:39.610: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:22:39.610: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:22:39.610: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:22:39.610: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:39.610: RADIUS:  EAP-Message         [79]  8
*Mar  3 20:22:39.611: RADIUS:   02 07 00 06 19 00
[??????]
*Mar  3 20:22:39.611: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:22:39.611: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:39.611: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:39.611: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:39.611: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:39.738: RADIUS: Received from id 21650/122 10.0.0.100:1812,
Access-Challenge, len 68
*Mar  3 20:22:39.738: RADIUS:  authenticator DA 79 8F 00 6E 94 EF C8 - DA 96
EB 97 61 15 61 92
*Mar  3 20:22:39.739: RADIUS:  EAP-Message         [79]  30
*Mar  3 20:22:39.739: RADIUS:   01 08 00 1C 19 00 17 03 01 00 11 2E 23 83 10
84  [???????????.#???]
*Mar  3 20:22:39.740: RADIUS:   54 BC 9E DB F1 71 03 F5 17 00 D9 78
[T????q?????x]
*Mar  3 20:22:39.740: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:39.740: RADIUS(000000D0): Received from id 21650/122
*Mar  3 20:22:39.740: RADIUS/DECODE: EAP-Message fragments, 28, total 28
bytes
*Mar  3 20:22:39.742: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:22:39.743: RADIUS:   34
[4]
*Mar  3 20:22:39.743: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:39.743: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:39.743: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:22:39.744: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:39.744: RADIUS(000000D0): sending
*Mar  3 20:22:39.744: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/123, len 147
*Mar  3 20:22:39.744: RADIUS:  authenticator 79 1B 7E 79 62 F5 62 FC - A8 AC
2C 4F FA B2 CF B8
*Mar  3 20:22:39.744: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:22:39.744: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:22:39.744: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:22:39.744: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:22:39.745: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:39.745: RADIUS:  EAP-Message         [79]  34
*Mar  3 20:22:39.745: RADIUS:   02 08 00 20 19 00 17 03 01 00 15 E9 FB CA AB
7E  [??? ???????????~]
*Mar  3 20:22:39.746: RADIUS:   D1 E7 D4 5A 64 B6 8E 7D 1E 43 54 DE A3 7A 58
EB  [???Zd??}?CT??zX?]
*Mar  3 20:22:39.746: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:22:39.746: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:39.746: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:39.746: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:39.746: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:40.024: RADIUS: Received from id 21650/123 10.0.0.100:1812,
Access-Challenge, len 91
*Mar  3 20:22:40.024: RADIUS:  authenticator 44 5E 0C 55 33 20 77 71 - AA 7F
FE E2 11 C1 25 95
*Mar  3 20:22:40.025: RADIUS:  EAP-Message         [79]  53
*Mar  3 20:22:40.025: RADIUS:   01 09 00 33 19 00 17 03 01 00 28 85 B1 8D F0
9E  [???3??????(?????]
*Mar  3 20:22:40.025: RADIUS:   58 5A 48 BE AE A3 5B 79 9F 5D E3 00 99 5A CA
19  [XZH???[y?]???Z??]
*Mar  3 20:22:40.025: RADIUS:   11 54 49 55 D3 69 97 5D 89 E8 46 09 DF 4F 63
2B  [?TIU?i?]??F??Oc+]
*Mar  3 20:22:40.025: RADIUS:   56 04 FD
[V??]
*Mar  3 20:22:40.026: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:40.026: RADIUS(000000D0): Received from id 21650/123
*Mar  3 20:22:40.027: RADIUS/DECODE: EAP-Message fragments, 51, total 51
bytes
*Mar  3 20:22:40.177: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:22:40.177: RADIUS:   34
[4]
*Mar  3 20:22:40.177: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:40.177: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:40.177: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:22:40.177: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:40.177: RADIUS(000000D0): sending
*Mar  3 20:22:41.038: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/124, len 201
*Mar  3 20:22:41.038: RADIUS:  authenticator F9 95 7E 62 B6 24 FD B5 - 8A 8D
44 2B 00 55 F5 31
*Mar  3 20:22:41.038: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:22:41.038: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:22:41.038: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:22:41.039: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:22:41.039: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:41.039: RADIUS:  EAP-Message         [79]  88
*Mar  3 20:22:41.039: RADIUS:   02 09 00 56 19 00 17 03 01 00 4B D5 AD 2A F0
B1  [???V??????K??*??]
*Mar  3 20:22:41.040: RADIUS:   9C 62 75 A7 42 0F 97 B5 7B E1 96 60 31 14 43
0E  [?bu?B???{??`1?C?]
*Mar  3 20:22:41.040: RADIUS:   95 77 4E D4 02 51 99 14 68 D2 74 EE 96 7D A2
57  [?wN??Q??h?t??}?W]
*Mar  3 20:22:41.040: RADIUS:   B1 F9 06 40 15 79 CF 99 94 80 DA 8A 2D E3 7F
62  [???@?y??????-??b]
*Mar  3 20:22:41.040: RADIUS:   3F EB C2 99 00 19 70 46 5D EA AC A7 DE 11 21
39  [??????pF]?????!9]
*Mar  3 20:22:41.041: RADIUS:   26 13 ED 9D 74 93
[&???t?]
*Mar  3 20:22:41.041: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:22:41.041: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:41.041: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:41.041: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:41.042: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:41.789: RADIUS: Received from id 21650/124 10.0.0.100:1812,
Access-Challenge, len 124
*Mar  3 20:22:41.789: RADIUS:  authenticator ED 92 11 CF F1 53 94 7A - 1D E8
2F F3 C1 D9 A7 85
*Mar  3 20:22:41.789: RADIUS:  EAP-Message         [79]  86
*Mar  3 20:22:41.789: RADIUS:   01 0A 00 54 19 00 17 03 01 00 49 1E 18 22 8C
2E  [???T??????I??"?.]
*Mar  3 20:22:41.789: RADIUS:   0F FB 68 70 D0 5C E7 E0 DC DA B1 D6 76 B4 60
9E  [??hp?\??????v?`?]
*Mar  3 20:22:41.790: RADIUS:   19 03 99 55 67 F0 5E 4E E7 39 A4 2F 73 DD 87
79  [???Ug?^N?9?/s??y]
*Mar  3 20:22:41.790: RADIUS:   94 88 E5 8E A3 6F 13 7C C0 1E 4E C8 0B 4B A3
BF  [?????o?|??N??K??]
*Mar  3 20:22:41.791: RADIUS:   0E 52 77 48 D3 32 A6 CD 1B 65 E2 B3 A5 AF E2
A4  [?RwH?2???e??????]
*Mar  3 20:22:41.791: RADIUS:   20 28 F4 DE
[ (??]
*Mar  3 20:22:41.791: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:41.791: RADIUS(000000D0): Received from id 21650/124
*Mar  3 20:22:41.791: RADIUS/DECODE: EAP-Message fragments, 84, total 84
bytes
*Mar  3 20:22:42.712: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:22:42.713: RADIUS:   34
[4]
*Mar  3 20:22:42.713: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:42.713: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:42.713: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:22:42.713: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:42.714: RADIUS(000000D0): sending
*Mar  3 20:22:42.775: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/125, len 144
*Mar  3 20:22:42.775: RADIUS:  authenticator 2E E4 AA 08 E2 A1 DE 39 - F7 20
DD C8 66 E8 C5 E2
*Mar  3 20:22:42.776: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:22:42.776: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:22:42.776: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:22:42.776: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:22:42.776: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:42.777: RADIUS:  EAP-Message         [79]  31
*Mar  3 20:22:42.777: RADIUS:   02 0A 00 1D 19 00 17 03 01 00 12 7F F5 0A 39
BF  [??????????????9?]
*Mar  3 20:22:42.777: RADIUS:   B7 C3 A4 AB 71 E8 E5 A3 86 A7 DC 90 C6
[????q????????]
*Mar  3 20:22:42.777: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:22:42.777: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:42.777: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:42.777: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:42.777: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:43.488: RADIUS: Received from id 21650/125 10.0.0.100:1812,
Access-Challenge, len 78
*Mar  3 20:22:43.488: RADIUS:  authenticator E8 8E 46 3D 5C DF 0E EE - AE F4
57 80 BA C4 62 FE
*Mar  3 20:22:43.488: RADIUS:  EAP-Message         [79]  40
*Mar  3 20:22:43.489: RADIUS:   01 0B 00 26 19 00 17 03 01 00 1B 19 AA B7 7D
82  [???&??????????}?]
*Mar  3 20:22:43.489: RADIUS:   10 51 53 66 10 C3 E6 01 B3 5D E2 EC 95 F1 45
E2  [?QSf?????]????E?]
*Mar  3 20:22:43.489: RADIUS:   CA 04 4D 24 86 66
[??M$?f]
*Mar  3 20:22:43.489: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:44.321: RADIUS(000000D0): Received from id 21650/125
*Mar  3 20:22:44.321: RADIUS/DECODE: EAP-Message fragments, 38, total 38
bytes
*Mar  3 20:22:44.665: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:22:44.666: RADIUS:   34
[4]
*Mar  3 20:22:44.666: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:44.666: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:44.666: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:22:44.666: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:22:44.666: RADIUS(000000D0): sending
*Mar  3 20:22:44.666: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/126, len 153
*Mar  3 20:22:44.667: RADIUS:  authenticator 13 A0 4C 7E C2 80 ED D3 - 68 69
2B 4C AA 69 B5 13
*Mar  3 20:22:44.667: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:22:44.667: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:22:44.667: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:22:44.668: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:22:44.668: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:44.668: RADIUS:  EAP-Message         [79]  40
*Mar  3 20:22:44.668: RADIUS:   02 0B 00 26 19 00 17 03 01 00 1B 77 F4 BB A7
F6  [???&???????w????]
*Mar  3 20:22:44.668: RADIUS:   65 D4 7B 76 EB F7 3B 50 C7 A9 36 1C 85 1C B0
80  [e?{v??;P??6?????]
*Mar  3 20:22:44.668: RADIUS:   21 0C 19 DF 95 70
[!????p]
*Mar  3 20:22:44.668: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:22:44.669: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:22:44.669: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:44.669: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:22:44.669: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:22:45.601: RADIUS: Received from id 21650/126 10.0.0.100:1812,
Access-Accept, len 184
*Mar  3 20:22:45.602: RADIUS:  authenticator 9F EE 9E C1 61 00 A4 89 - E2 F4
47 5E E1 2E 7B DB
*Mar  3 20:22:45.602: RADIUS:  Session-Timeout     [27]  6   60
*Mar  3 20:22:45.602: RADIUS:  EAP-Message         [79]  6
*Mar  3 20:22:45.602: RADIUS:   03 0B 00 04
[????]
*Mar  3 20:22:45.603: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:22:45.603: RADIUS:  Vendor, Microsoft   [26]  58
*Mar  3 20:22:45.603: RADIUS:   MS-MPPE-Send-Key   [16]  52
*Mar  3 20:22:45.603: RADIUS:   C5 21 A8 1F D9 B9 87 DF B2 56 46 9B DB 5D 1A
DA  [?!???????VF??]??]
*Mar  3 20:22:45.603: RADIUS:   73 55 8D 4E 8F 3D E1 4E 61 16 2A 19 76 0C 2F
80  [sU?N?=?Na?*?v?/?]
*Mar  3 20:22:45.603: RADIUS:   59 0C D1 60 D9 72 07 EF 90 24 06 5D 78 34 07
EA  [Y??`?r???$?]x4??]
*Mar  3 20:22:45.604: RADIUS:   74 27
[t']
*Mar  3 20:22:45.604: RADIUS:  Vendor, Microsoft   [26]  58
*Mar  3 20:22:45.604: RADIUS:   MS-MPPE-Recv-Key   [17]  52
*Mar  3 20:22:45.604: RADIUS:   CC 94 4D CA E4 F8 B2 2A 85 93 BF 23 1A E4 36
5D  [??M????*???#??6]]
*Mar  3 20:22:45.605: RADIUS:   63 9C A0 35 CD D9 2B 61 4F D5 A1 50 AF 83 FF
D1  [c??5??+aO??P????]
*Mar  3 20:22:45.605: RADIUS:   BD 57 80 8B E9 E0 41 9F F2 10 2F 10 75 14 EC
C7  [?W????A???/?u???]
*Mar  3 20:22:45.605: RADIUS:   1A 24
[?$]
*Mar  3 20:22:45.605: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.254
*Mar  3 20:22:45.605: RADIUS:  Framed-MTU          [12]  6   576
*Mar  3 20:22:45.605: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:22:45.606: RADIUS(000000D0): Received from id 21650/126
*Mar  3 20:22:45.607: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar  3 20:22:45.607: found MS AAA_AT_MS_MPPE_SEND_KEY
*Mar  3 20:22:45.607: found MS AAA_AT_MS_MPPE_RECV_KEY
*Mar  3 20:22:45.623: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
000c.f108.37bf Associated KEY_MGMT[NONE]
*Mar  3 20:22:45.625: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:22:45.625: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0



*Mar  3 20:24:47.988: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/135, len 124
*Mar  3 20:24:47.988: RADIUS:  authenticator 05 C2 81 2E A4 5B B2 55 - D9 C6
67 86 D5 CC BE CD
*Mar  3 20:24:47.988: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:47.988: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:47.988: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:24:47.989: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:24:47.989: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:47.989: RADIUS:  EAP-Message         [79]  11
*Mar  3 20:24:47.989: RADIUS:   02 04 00 09 01 6A 6F 68 6E
[?????john]
*Mar  3 20:24:47.990: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:24:47.990: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:47.990: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:24:47.990: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:47.990: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:48.122: RADIUS: Received from id 21650/135 10.0.0.100:1812,
Access-Challenge, len 46
*Mar  3 20:24:48.122: RADIUS:  authenticator DF 29 4C 4F C9 F4 2C 86 - A3 00
73 FC C1 BE 80 15
*Mar  3 20:24:48.122: RADIUS:  EAP-Message         [79]  8
*Mar  3 20:24:48.122: RADIUS:   01 05 00 06 19 21
[?????!]
*Mar  3 20:24:48.123: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.123: RADIUS(000000D0): Received from id 21650/135
*Mar  3 20:24:48.123: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar  3 20:24:48.126: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:24:48.127: RADIUS:   34
[4]
*Mar  3 20:24:48.127: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:24:48.127: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.127: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:24:48.127: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.128: RADIUS(000000D0): sending
*Mar  3 20:24:48.128: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/136, len 227
*Mar  3 20:24:48.128: RADIUS:  authenticator AF B8 88 02 AC 32 9B E8 - 7B 75
42 E7 A4 60 7C 18
*Mar  3 20:24:48.128: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:48.128: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:48.128: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:24:48.128: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:24:48.128: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.129: RADIUS:  EAP-Message         [79]  114
*Mar  3 20:24:48.129: RADIUS:   02 05 00 70 19 80 00 00 00 66 16 03 01 00 61
01  [???p?????f????a?]
*Mar  3 20:24:48.130: RADIUS:   00 00 5D 03 01 40 FF 7D 6C 65 A3 51 80 D9 30
2F  [??]??@?}le?Q??0/]
*Mar  3 20:24:48.130: RADIUS:   4E E8 26 EB 9A 19 97 1E BC 03 DC 61 6A AC F0
6B  [N?&????????aj??k]
*Mar  3 20:24:48.130: RADIUS:   72 DD 2B 54 6C 20 1E EB 03 D5 47 4B 5A 03 0C
BF  [r?+Tl ????GKZ???]
*Mar  3 20:24:48.130: RADIUS:   AF 65 1F AE FA 80 08 C4 B3 40 45 C9 6B C3 D5
6D  [?e???????@E?k??m]
*Mar  3 20:24:48.130: RADIUS:   A6 0B 75 A1 55 50 00 16 00 04 00 05 00 0A 00
09  [??u?UP??????????]
*Mar  3 20:24:48.131: RADIUS:   00 64 00 62 00 03 00 06 00 13 00 12 00 63 01
00  [?d?b?????????c??]
*Mar  3 20:24:48.131: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:24:48.131: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:48.131: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:24:48.132: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:48.132: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:48.342: RADIUS: Received from id 21650/136 10.0.0.100:1812,
Access-Challenge, len 172
*Mar  3 20:24:48.342: RADIUS:  authenticator 42 F2 CC FC 4C DD 3D C4 - C9 F9
5F 65 FA F1 83 F0
*Mar  3 20:24:48.342: RADIUS:  EAP-Message         [79]  134
*Mar  3 20:24:48.342: RADIUS:   01 06 00 84 19 80 00 00 00 7A 16 03 01 00 4A
02  [?????????z????J?]
*Mar  3 20:24:48.342: RADIUS:   00 00 46 03 01 40 FB 97 B1 03 8E 00 97 7A B2
B1  [??F??@???????z??]
*Mar  3 20:24:48.342: RADIUS:   1D DF CD CD 5C 29 45 85 35 DD F1 A0 88 E2 87
CC  [????\)E?5???????]
*Mar  3 20:24:48.343: RADIUS:   45 AC 75 EF 95 20 1E EB 03 D5 47 4B 5A 03 0C
BF  [E?u?? ????GKZ???]
*Mar  3 20:24:48.343: RADIUS:   AF 65 1F AE FA 80 08 C4 B3 40 45 C9 6B C3 D5
6D  [?e???????@E?k??m]
*Mar  3 20:24:48.344: RADIUS:   A6 0B 75 A1 55 50 00 04 00 14 03 01 00 01 01
16  [??u?UP??????????]
*Mar  3 20:24:48.344: RADIUS:   03 01 00 20 CC 0F 0F D9 FF B6 C1 86 8D 4C 35
25  [??? ?????????L5?]
*Mar  3 20:24:48.344: RADIUS:   A6 9D 96 68 FB 21 72 2D 07 4B D3 A1 22 F9 42
C7  [???h?!r-?K??"?B?]
*Mar  3 20:24:48.344: RADIUS:   E8 84 2D DC
[??-?]
*Mar  3 20:24:48.344: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.345: RADIUS(000000D0): Received from id 21650/136
*Mar  3 20:24:48.345: RADIUS/DECODE: EAP-Message fragments, 132, total 132
bytes
*Mar  3 20:24:48.348: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:24:48.349: RADIUS:   34
[4]
*Mar  3 20:24:48.349: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:24:48.349: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.349: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:24:48.350: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.350: RADIUS(000000D0): sending
*Mar  3 20:24:48.350: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/137, len 168
*Mar  3 20:24:48.350: RADIUS:  authenticator BB 1A 9B 86 71 AC 5B 14 - AE 28
BC A7 F5 DF 84 91
*Mar  3 20:24:48.350: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:48.350: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:48.350: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:24:48.350: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:24:48.351: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.351: RADIUS:  EAP-Message         [79]  55
*Mar  3 20:24:48.351: RADIUS:   02 06 00 35 19 80 00 00 00 2B 14 03 01 00 01
01  [???5?????+??????]
*Mar  3 20:24:48.352: RADIUS:   16 03 01 00 20 37 7E 09 B0 67 F9 AB E1 CA A0
3D  [???? 7~??g?????=]
*Mar  3 20:24:48.352: RADIUS:   6E FD D9 BF DC A0 7E DE EA 1A BA 33 C6 8C 55
9A  [n?????~????3??U?]
*Mar  3 20:24:48.352: RADIUS:   E2 7F C3 6C 95
[???l?]
*Mar  3 20:24:48.352: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:24:48.352: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:48.352: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:24:48.352: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:48.352: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:48.505: RADIUS: Received from id 21650/137 10.0.0.100:1812,
Access-Challenge, len 68
*Mar  3 20:24:48.506: RADIUS:  authenticator 49 45 41 65 98 DF 0D 7D - 90 00
FF A8 F4 2A DA 95
*Mar  3 20:24:48.506: RADIUS:  EAP-Message         [79]  30
*Mar  3 20:24:48.506: RADIUS:   01 07 00 1C 19 00 17 03 01 00 11 B6 08 28 C1
AA  [?????????????(??]
*Mar  3 20:24:48.506: RADIUS:   74 98 2C 2A DD 91 F0 C9 56 FB 27 C5
[t?,*????V?'?]
*Mar  3 20:24:48.506: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.507: RADIUS(000000D0): Received from id 21650/137
*Mar  3 20:24:48.507: RADIUS/DECODE: EAP-Message fragments, 28, total 28
bytes
*Mar  3 20:24:48.510: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:24:48.510: RADIUS:   34
[4]
*Mar  3 20:24:48.510: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:24:48.510: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.510: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:24:48.510: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.510: RADIUS(000000D0): sending
*Mar  3 20:24:48.511: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/138, len 147
*Mar  3 20:24:48.511: RADIUS:  authenticator 08 0B 28 0C B5 59 9C 86 - F7 29
A8 68 33 F6 F9 33
*Mar  3 20:24:48.511: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:48.512: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:48.512: RADIUS:  Called-Station-Id   [30]  16
"000f.34db.6690"
*Mar  3 20:24:48.512: RADIUS:  Calling-Station-Id  [31]  16
"000c.f108.37bf"
*Mar  3 20:24:48.512: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.512: RADIUS:  EAP-Message         [79]  34
*Mar  3 20:24:48.512: RADIUS:   02 07 00 20 19 00 17 03 01 00 15 BE 41 E8 F9
ED  [??? ????????A???]
*Mar  3 20:24:48.512: RADIUS:   8E 9A 86 66 65 74 C8 BB 68 F2 FA 72 B6 D4 6C
D1  [???fet??h??r??l?]
*Mar  3 20:24:48.512: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  3 20:24:48.513: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:48.513: RADIUS:  Service-Type        [6]   6   Framed
[2]
*Mar  3 20:24:48.513: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:48.513: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:48.903: RADIUS: Received from id 21650/138 10.0.0.100:1812,
Access-Challenge, len 91
*Mar  3 20:24:48.903: RADIUS:  authenticator 36 70 DE 16 00 C3 3F 2A - 4D 76
FC 95 81 F1 C1 99
*Mar  3 20:24:48.903: RADIUS:  EAP-Message         [79]  53
*Mar  3 20:24:48.903: RADIUS:   01 08 00 33 19 00 17 03 01 00 28 3D 98 3B 21
9E  [???3??????(=?;!?]
*Mar  3 20:24:48.903: RADIUS:   E7 2B 18 77 69 5F 28 18 F0 F7 0F 2C AE 67 89
12  [?+?wi_(????,?g??]
*Mar  3 20:24:48.904: RADIUS:   E5 19 72 6F A6 31 0C D7 84 D0 6B D5 D4 E3 54
7D  [??ro?1????k???T}]
*Mar  3 20:24:48.904: RADIUS:   79 38 CE
[y8?]
*Mar  3 20:24:48.904: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.905: RADIUS(000000D0): Received from id 21650/138
*Mar  3 20:24:48.905: RADIUS/DECODE: EAP-Message fragments, 51, total 51
bytes
*Mar  3 20:24:48.931: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:24:48.931: RADIUS:   34
[4]
*Mar  3 20:24:48.931: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:24:48.931: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.931: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:24:48.931: RADIUS: Pick NAS IP for uid=208 tableid=0
cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:48.931: RADIUS(000000D0): sending
*Mar  3 20:24:48.932: RADIUS(000000D0): Send Access-Request to
10.0.0.100:1812 id 21650/139, len 201
*Mar  3 20:24:48.932: RADIUS:  authenticator 84 7E 0B 7A FA F4 8E 41 - 4B 51 01 3F 51 5C 90 D0
*Mar  3 20:24:48.932: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:48.932: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:48.933: RADIUS:  Called-Station-Id   [30]  16  "000f.34db.6690"
*Mar  3 20:24:48.933: RADIUS:  Calling-Station-Id  [31]  16  "000c.f108.37bf"
*Mar  3 20:24:48.933: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:48.933: RADIUS:  EAP-Message         [79]  88
*Mar  3 20:24:48.933: RADIUS:   02 08 00 56 19 00 17 03 01 00 4B F8 DE F8 86 7B  [???V??????K????{]
*Mar  3 20:24:48.933: RADIUS:   2E C1 C8 F1 CF A2 F3 BD F5 73 CD 93 69 65 B9 B2  [.????????s??ie??]
*Mar  3 20:24:48.934: RADIUS:   FB 48 55 85 00 77 21 BD FE B4 22 EC 88 8D D0 53  [?HU??w!???"????S]
*Mar  3 20:24:48.934: RADIUS:   B7 5C 6F 81 5C 3A 5F B2 92 8B 0F 4F 84 4A AD 5F  [?\o?\:_????O?J?_]
*Mar  3 20:24:48.934: RADIUS:   CD 2C 7F 7C FC 15 EF C3 CD 13 C8 26 27 59 9E A1  [?,?|???????&'Y??]
*Mar  3 20:24:48.934: RADIUS:   47 9C C8 FF 40 DB  [G???@?]
*Mar  3 20:24:48.934: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless [19]
*Mar  3 20:24:48.934: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:48.935: RADIUS:  Service-Type        [6]   6   Framed [2]
*Mar  3 20:24:48.935: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:48.935: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:49.228: RADIUS: Received from id 21650/139 10.0.0.100:1812, Access-Challenge, len 124
*Mar  3 20:24:49.228: RADIUS:  authenticator F8 09 61 74 04 C4 D2 E3 - 39 85 A6 15 9E 60 3F 54
*Mar  3 20:24:49.229: RADIUS:  EAP-Message         [79]  86
*Mar  3 20:24:49.229: RADIUS:   01 09 00 54 19 00 17 03 01 00 49 CA 49 BD D9 DC  [???T??????I?I???]
*Mar  3 20:24:49.229: RADIUS:   05 0D F6 04 C3 95 9D D2 FF B3 62 F6 75 08 83 63  [??????????b?u??c]
*Mar  3 20:24:49.229: RADIUS:   A5 EA 99 9A 5B 9F F0 5D 78 5E C2 17 83 E4 CA 71  [????[??]x^?????q]
*Mar  3 20:24:49.230: RADIUS:   DE 17 82 5A C8 69 6C 5A E9 3E FA 1A 84 1C 47 87  [???Z?ilZ?>????G?]
*Mar  3 20:24:49.230: RADIUS:   DE B1 ED 35 ED 4E 67 50 82 44 A3 ED 10 B5 06 E5  [???5?NgP?D??????]
*Mar  3 20:24:49.230: RADIUS:   3F 89 E4 D6  [????]
*Mar  3 20:24:49.231: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:49.231: RADIUS(000000D0): Received from id 21650/139
*Mar  3 20:24:49.231: RADIUS/DECODE: EAP-Message fragments, 84, total 84 bytes
*Mar  3 20:24:49.234: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:24:49.234: RADIUS:   34  [4]
*Mar  3 20:24:49.234: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:24:49.234: RADIUS: Pick NAS IP for uid=208 tableid=0 cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:49.235: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:24:49.235: RADIUS: Pick NAS IP for uid=208 tableid=0 cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:49.235: RADIUS(000000D0): sending
*Mar  3 20:24:49.235: RADIUS(000000D0): Send Access-Request to 10.0.0.100:1812 id 21650/140, len 144
*Mar  3 20:24:49.235: RADIUS:  authenticator B0 98 D3 6B 55 4C E0 9A - 2C 8D F2 62 2D DF E8 E4
*Mar  3 20:24:49.235: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:49.235: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:49.235: RADIUS:  Called-Station-Id   [30]  16  "000f.34db.6690"
*Mar  3 20:24:49.236: RADIUS:  Calling-Station-Id  [31]  16  "000c.f108.37bf"
*Mar  3 20:24:49.236: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:49.236: RADIUS:  EAP-Message         [79]  31
*Mar  3 20:24:49.236: RADIUS:   02 09 00 1D 19 00 17 03 01 00 12 F3 A0 8C 2E 49  [??????????????.I]
*Mar  3 20:24:49.237: RADIUS:   1C FA 9C 24 65 C9 52 44 A5 A5 BF 9B 86  [???$e?RD?????]
*Mar  3 20:24:49.237: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless [19]
*Mar  3 20:24:49.237: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:49.237: RADIUS:  Service-Type        [6]   6   Framed [2]
*Mar  3 20:24:49.237: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:49.237: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:49.454: RADIUS: Received from id 21650/140 10.0.0.100:1812, Access-Challenge, len 78
*Mar  3 20:24:49.454: RADIUS:  authenticator D6 06 65 77 2A 86 BF 35 - 7F 35 22 31 11 57 A0 8C
*Mar  3 20:24:49.454: RADIUS:  EAP-Message         [79]  40
*Mar  3 20:24:49.455: RADIUS:   01 0A 00 26 19 00 17 03 01 00 1B 21 31 B9 39 07  [???&???????!1?9?]
*Mar  3 20:24:49.455: RADIUS:   88 57 81 46 FD D6 51 9E 00 76 FB 02 3E 1E 0C A6  [?W?F??Q??v??>???]
*Mar  3 20:24:49.456: RADIUS:   14 1D 3F 74 A5 F4  [???t??]
*Mar  3 20:24:49.456: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:49.456: RADIUS(000000D0): Received from id 21650/140
*Mar  3 20:24:49.456: RADIUS/DECODE: EAP-Message fragments, 38, total 38 bytes
*Mar  3 20:24:49.460: RADIUS:  AAA Unsupported     [143] 3
*Mar  3 20:24:49.460: RADIUS:   34  [4]
*Mar  3 20:24:49.460: RADIUS(000000D0): Using existing nas_port 465
*Mar  3 20:24:49.460: RADIUS: Pick NAS IP for uid=208 tableid=0 cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:49.460: RADIUS/ENCODE(000000D0): acct_session_id: 220
*Mar  3 20:24:49.461: RADIUS: Pick NAS IP for uid=208 tableid=0 cfg_addr=10.0.0.1 best_addr=0.0.0.0
*Mar  3 20:24:49.461: RADIUS(000000D0): sending
*Mar  3 20:24:49.461: RADIUS(000000D0): Send Access-Request to 10.0.0.100:1812 id 21650/141, len 153
*Mar  3 20:24:49.462: RADIUS:  authenticator D9 63 1A 62 D6 57 C6 4E - 26 0A 40 FC AF 7C 8C 4E
*Mar  3 20:24:49.462: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:49.462: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  3 20:24:49.462: RADIUS:  Called-Station-Id   [30]  16  "000f.34db.6690"
*Mar  3 20:24:49.462: RADIUS:  Calling-Station-Id  [31]  16  "000c.f108.37bf"
*Mar  3 20:24:49.462: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:49.462: RADIUS:  EAP-Message         [79]  40
*Mar  3 20:24:49.462: RADIUS:   02 0A 00 26 19 00 17 03 01 00 1B B4 4C 34 C2 8B  [???&????????L4??]
*Mar  3 20:24:49.463: RADIUS:   4C A5 F3 4C 45 31 E9 68 4F EB 67 C6 B9 E7 0C 9D  [L??LE1?hO?g?????]
*Mar  3 20:24:49.463: RADIUS:   0E 48 EE 70 65 2D  [?H?pe-]
*Mar  3 20:24:49.463: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless [19]
*Mar  3 20:24:49.464: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:49.464: RADIUS:  Service-Type        [6]   6   Framed [2]
*Mar  3 20:24:49.464: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.1
*Mar  3 20:24:49.464: RADIUS:  Nas-Identifier      [32]  7   "ps-ap"
*Mar  3 20:24:49.605: RADIUS: Received from id 21650/141 10.0.0.100:1812, Access-Accept, len 184
*Mar  3 20:24:49.605: RADIUS:  authenticator E1 6C 5B 8E 0F C9 2D 8F - C0 E8 4B BB CF 18 4D FB
*Mar  3 20:24:49.605: RADIUS:  Session-Timeout     [27]  6   60
*Mar  3 20:24:49.605: RADIUS:  EAP-Message         [79]  6
*Mar  3 20:24:49.606: RADIUS:   03 0A 00 04  [????]
*Mar  3 20:24:49.606: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 20:24:49.606: RADIUS:  Vendor, Microsoft   [26]  58
*Mar  3 20:24:49.606: RADIUS:   MS-MPPE-Send-Key   [16]  52
*Mar  3 20:24:49.606: RADIUS:   E4 C9 02 63 61 B3 91 F3 7F 40 E6 82 EB DC D6 F4  [???ca????@??????]
*Mar  3 20:24:49.606: RADIUS:   3F 49 40 11 F8 B0 8F B5 C3 89 F2 3F F6 70 6B 32  [?I@??????????pk2]
*Mar  3 20:24:49.607: RADIUS:   87 D3 3A C8 A5 E3 17 7D A0 A3 D1 D8 C0 2F C5 DE  [??:????}?????/??]
*Mar  3 20:24:49.607: RADIUS:   B1 C2  [??]
*Mar  3 20:24:49.607: RADIUS:  Vendor, Microsoft   [26]  58
*Mar  3 20:24:49.607: RADIUS:   MS-MPPE-Recv-Key   [17]  52
*Mar  3 20:24:49.608: RADIUS:   E8 9E 0A 4B C7 FC 81 61 F1 7D 4D 5F 78 9B 5E A2  [???K???a?}M_x?^?]
*Mar  3 20:24:49.608: RADIUS:   E5 F4 6E 7A 32 28 CB A5 2F 53 39 CE 58 FE CD F4  [??nz2(??/S9?X???]
*Mar  3 20:24:49.608: RADIUS:   27 C2 5E 6B D9 0D 07 A4 00 A1 11 48 9F AD 15 0D  ['?^k???????H????]
*Mar  3 20:24:49.608: RADIUS:   F5 9A  [??]
*Mar  3 20:24:49.608: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.254
*Mar  3 20:24:49.608: RADIUS:  Framed-MTU          [12]  6   576
*Mar  3 20:24:49.609: RADIUS:  Service-Type        [6]   6   Framed [2]
*Mar  3 20:24:49.609: RADIUS(000000D0): Received from id 21650/141
*Mar  3 20:24:49.610: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar  3 20:24:49.610: found MS AAA_AT_MS_MPPE_SEND_KEY
*Mar  3 20:24:49.610: found MS AAA_AT_MS_MPPE_RECV_KEY
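The part of the AP debug that matters is the last exchange: the Access-Accept answering request id 21650/141 carries Session-Timeout 60, an EAP-Message of four bytes (an EAP Success) and both MS-MPPE keys. Picking that out of `debug radius` output by eye is tedious, so the following added example (my code, not from the original post and not part of Radiator) parses Cisco IOS `debug radius` lines into packets, attaches the hex-dump continuation lines to the attribute they belong to, decodes the EAP header inside EAP-Message, and reports what the server granted. The sample lines are copied from the log above; the regular expressions encode my reading of this IOS release's layout and may need adjusting for other releases (assumption). It also reports whether Termination-Action was present, because RFC 3580 uses that attribute to tell a NAS whether to drop or re-authenticate the session when Session-Timeout expires, and the Accept in this log carries none.

```python
"""Parse Cisco IOS `debug radius` output and check what an Access-Accept carried.

Added example for this thread; not code from the original post or from Radiator.
The line layout below is my reading of the Aironet debug format quoted above and
may differ on other IOS releases (assumption).
"""
import re

# A Send/Received header opens a packet; the attribute lines that follow belong to it.
HDR_SEND = re.compile(
    r"RADIUS\(\w+\): Send (?P<code>[\w-]+) to (?P<peer>\S+) id (?P<id>\d+/\d+), len (?P<len>\d+)")
HDR_RECV = re.compile(
    r"RADIUS: Received from id (?P<id>\d+/\d+) (?P<peer>\S+), (?P<code>[\w-]+), len (?P<len>\d+)")
# "Name  [type]  length  value"; VSA sub-attributes are indented one space deeper.
ATTR = re.compile(
    r"RADIUS:\s{2,3}(?P<name>[A-Za-z][\w, -]*?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)"
    r"(?:\s+(?P<value>.*?))?\s*$")
# Continuation lines carry the raw bytes of the preceding attribute as a hex dump.
HEX = re.compile(r"RADIUS:\s{3}(?P<hex>[0-9A-F]{2}(?: [0-9A-F]{2})*)\s+\[")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MSCHAP-V2"}

# Constructed sample: lines copied from the Aironet log above (request 21650/141 and
# the Access-Accept that answered it; key material lines omitted).
SAMPLE_LOG = """\
*Mar  3 20:24:49.461: RADIUS(000000D0): Send Access-Request to 10.0.0.100:1812 id 21650/141, len 153
*Mar  3 20:24:49.462: RADIUS:  User-Name           [1]   6   "john"
*Mar  3 20:24:49.462: RADIUS:  Calling-Station-Id  [31]  16  "000c.f108.37bf"
*Mar  3 20:24:49.462: RADIUS:  EAP-Message         [79]  40
*Mar  3 20:24:49.462: RADIUS:   02 0A 00 26 19 00 17 03 01 00 1B B4 4C 34 C2 8B  [???&????????L4??]
*Mar  3 20:24:49.463: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless [19]
*Mar  3 20:24:49.464: RADIUS:  NAS-Port            [5]   6   465
*Mar  3 20:24:49.605: RADIUS: Received from id 21650/141 10.0.0.100:1812, Access-Accept, len 184
*Mar  3 20:24:49.605: RADIUS:  Session-Timeout     [27]  6   60
*Mar  3 20:24:49.605: RADIUS:  EAP-Message         [79]  6
*Mar  3 20:24:49.606: RADIUS:   03 0A 00 04  [????]
*Mar  3 20:24:49.606: RADIUS:  Vendor, Microsoft   [26]  58
*Mar  3 20:24:49.606: RADIUS:   MS-MPPE-Send-Key   [16]  52
*Mar  3 20:24:49.607: RADIUS:  Vendor, Microsoft   [26]  58
*Mar  3 20:24:49.607: RADIUS:   MS-MPPE-Recv-Key   [17]  52
*Mar  3 20:24:49.608: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.254
*Mar  3 20:24:49.609: RADIUS:  Service-Type        [6]   6   Framed [2]
"""


def clean_value(value):
    """Strip the decoded-enum suffix ("Framed [2]") and surrounding quotes."""
    if value is None:
        return None
    value = re.sub(r"\s*\[\d+\]$", "", value.strip())
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def parse_packets(text):
    """Group debug lines into packets: {code, id, peer, len, attrs: [{name, type, len, value, data}]}."""
    packets, current = [], None
    for line in text.splitlines():
        m = HDR_SEND.search(line) or HDR_RECV.search(line)
        if m:
            current = {"code": m["code"], "id": m["id"], "peer": m["peer"],
                       "len": int(m["len"]), "attrs": []}
            packets.append(current)
            continue
        if current is None:
            continue
        m = HEX.search(line)
        if m and current["attrs"]:
            current["attrs"][-1]["data"] += bytes.fromhex(m["hex"].replace(" ", ""))
            continue
        m = ATTR.search(line)
        if m:
            current["attrs"].append({"name": m["name"], "type": int(m["type"]),
                                     "len": int(m["len"]), "value": clean_value(m["value"]),
                                     "data": b""})
    return packets


def get(packet, name):
    """First attribute with that name, or None."""
    return next((a for a in packet["attrs"] if a["name"] == name), None)


def eap_header(data):
    """Decode the EAP header (code, identifier, length[, type]) from EAP-Message bytes."""
    if len(data) < 4:
        return None
    hdr = {"code": EAP_CODES.get(data[0], data[0]), "id": data[1],
           "length": int.from_bytes(data[2:4], "big")}
    if len(data) >= 5 and data[0] in (1, 2):      # only Request/Response carry a type byte
        hdr["type"] = EAP_TYPES.get(data[4], data[4])
    return hdr


def summarize_accept(packets, req_id):
    """What the RADIUS server granted for request `req_id`, or None if no Accept was seen."""
    accept = next((p for p in packets if p["id"] == req_id and p["code"] == "Access-Accept"), None)
    if accept is None:
        return None
    names = {a["name"] for a in accept["attrs"]}
    timeout, eap, term = (get(accept, n) for n in ("Session-Timeout", "EAP-Message", "Termination-Action"))
    return {
        "session_timeout": int(timeout["value"]) if timeout else None,
        # RFC 3580: Termination-Action tells the NAS whether to drop the session or
        # re-authenticate when Session-Timeout expires; the log above sends none.
        "termination_action": term["value"] if term else None,
        "eap": eap_header(eap["data"]) if eap else None,
        "mppe_keys": {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"} <= names,
    }


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_LOG)
    for p in pkts:
        print(p["code"], p["id"], [a["name"] for a in p["attrs"]])
    print(summarize_accept(pkts, "21650/141"))
```

To use it on a real capture, redirect the AP console output to a file and call `parse_packets(open("ap.log").read())`; `summarize_accept` then answers the question Hugh asks below (was Session-Timeout actually sent?) for any request id without reading hex.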

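The Radiator configuration quoted further down this thread admits the user whenever TIMELEFT > 0, returns TIMELEFT as Session-Timeout, and only ever reduces TIMELEFT from an Accounting-Stop (AccountingStopsOnly plus AcctSQLStatement). If the access point re-authenticates the supplicant when the 60 seconds expire without sending a Stop, nothing reduces TIMELEFT and the same 60-second Accept is issued again, which matches the symptom reported. Note also, on my reading of that config, that accounting requests arrive untunnelled and so match the plain `<Handler>`, whose AuthBy SQL has AcctColumnDefs but no AcctSQLStatement; the decrement sits in the `<Handler TunnelledByPEAP=1>` clause, which only ever sees the inner EAP request. The following added example (my code, not Radiator's and not from any post in this thread) replays that bookkeeping against SQLite using the two posted SQL statements verbatim, with %0, %n and %{Acct-Session-Time} substituted the way Radiator does, and then shows an alternative that stamps an absolute VALIDUNTIL deadline on first login and derives Session-Timeout from it, so expiry no longer depends on accounting arriving at all. The VALIDUNTIL column, the event sequence, and the hypothesis that no Stop reaches the server are assumptions for the demonstration.

```python
"""Replay the TIMELEFT bookkeeping from the Radiator config quoted later in this thread.

Added example, not Radiator code and not from the original posts. SQLite stands in for
MySQL; the VALIDUNTIL column and the event sequence are assumptions for the demonstration.
"""
import re
import sqlite3

# The two statements exactly as posted. %0 is the quoted User-Name, %n the raw User-Name,
# %{Attr} an attribute value or the empty string; the "0" in TIMELEFT-0%{...} keeps the
# SQL valid when Acct-Session-Time is missing.
AUTH_SELECT = "select PASSWORD, TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0"
ACCT_STOP = ("update SUBSCRIBERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time} "
             "where USERNAME='%n'")


def substitute(template, attrs):
    """Emulate the Radiator special characters used by the two statements above (approximation)."""
    user = attrs.get("User-Name", "")
    out = template.replace("%0", "'" + user.replace("'", "''") + "'").replace("%n", user)
    return re.sub(r"%\{([\w-]+)\}", lambda m: str(attrs.get(m.group(1), "")), out)


def open_db(timeleft=60):
    """In-memory SUBSCRIBERS table with the one test user (60 s left, as in the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table SUBSCRIBERS (USERNAME text primary key, PASSWORD text, "
               "TIMELEFT integer, VALIDUNTIL integer)")
    db.execute("insert into SUBSCRIBERS values ('john', 'secret', ?, NULL)", (timeleft,))
    return db


def auth_as_posted(db, attrs):
    """AuthSelect + AuthColumnDef: password check, TIMELEFT returned as Session-Timeout."""
    row = db.execute(substitute(AUTH_SELECT, attrs)).fetchone()
    if row is None or row[0] != attrs.get("User-Password"):
        return None                            # Access-Reject
    return {"Session-Timeout": row[1]}         # Access-Accept reply items


def acct_as_posted(db, attrs):
    """AccountingStopsOnly + AcctSQLStatement: only a Stop touches TIMELEFT."""
    if attrs.get("Acct-Status-Type") != "Stop":
        return False
    db.execute(substitute(ACCT_STOP, attrs))
    return True


def replay_as_posted(db, events):
    """events: (kind, attrs) pairs; returns the auth outcomes in order."""
    outcomes = []
    for kind, attrs in events:
        if kind == "auth":
            outcomes.append(auth_as_posted(db, attrs))
        else:
            acct_as_posted(db, attrs)
    return outcomes


def auth_with_deadline(db, attrs, now, lifetime=3600):
    """Alternative design: start an absolute clock on first login and derive Session-Timeout
    from it. Works even if the NAS never sends accounting or re-authenticates without a Stop."""
    user = attrs.get("User-Name", "")
    row = db.execute("select PASSWORD, VALIDUNTIL from SUBSCRIBERS where USERNAME=? "
                     "and (VALIDUNTIL is null or VALIDUNTIL > ?)", (user, now)).fetchone()
    if row is None or row[0] != attrs.get("User-Password"):
        return None
    valid_until = row[1]
    if valid_until is None:                    # first successful login starts the clock
        valid_until = now + lifetime
        db.execute("update SUBSCRIBERS set VALIDUNTIL=? where USERNAME=?", (valid_until, user))
    return {"Session-Timeout": valid_until - now}


# Constructed event sequence: login, Start, Interim-Update at 60 s, then the re-authentication
# the AP performs when Session-Timeout expires, with no Accounting-Stop in between (assumption).
JOHN = {"User-Name": "john", "User-Password": "secret"}
EVENTS = [
    ("auth", JOHN),
    ("acct", {"User-Name": "john", "Acct-Status-Type": "Start", "Acct-Session-Id": "220"}),
    ("acct", {"User-Name": "john", "Acct-Status-Type": "Interim-Update",
              "Acct-Session-Id": "220", "Acct-Session-Time": 60}),
    ("auth", JOHN),
]

if __name__ == "__main__":
    db = open_db()
    print("as posted:", replay_as_posted(db, EVENTS))        # accepted twice, 60 s each time
    acct_as_posted(db, {"User-Name": "john", "Acct-Status-Type": "Stop", "Acct-Session-Time": 60})
    print("after a Stop:", auth_as_posted(db, JOHN))         # None: TIMELEFT is now 0
    db = open_db()
    print("deadline:", [auth_with_deadline(db, JOHN, now=t, lifetime=60) for t in (1000, 1030, 1060)])
```

Two things to take from the replay. First, the posted scheme is only as good as the Stop records: a Start, an Interim-Update and a re-authentication leave TIMELEFT untouched, and a single Stop of 60 seconds is what finally closes the account, so before tuning the AP it is worth confirming in a trace 4 debug whether any Stop for the session reaches Radiator at all. Second, the Stop statement interpolates %n into a quoted literal; unless your Radiator version escapes it, a User-Name containing a single quote breaks, or worse, rewrites that statement, so treat the attribute as untrusted NAS input (the %0 form used in AuthSelect is the quoted one).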
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
Sent: Thursday, July 22, 2004 3:31 PM
To: scottxiao at antlabs.com
Cc: radiator at open.com.au; Terry Simons; Mike McCauley
Subject: Re: (RADIATOR) User always get authentication succeeded after Timeleft expired with 802.1x PEAP/aironet1100 WLAN



Hello Scott -

You will need to check a trace 4 debug to verify that the
Session-Timeout is being set and sent correctly.

If it is being sent correctly, but the access point does not drop the
connection then the problem is with the access point.

If the Session-Timeout is not being decremented correctly then it is
probably a problem with the accounting sent by the access point.

The only way to see what is happening is to look at a trace 4 debug.

regards

Hugh


On 21 Jul 2004, at 23:13, Scott Xiao - ANTlabs wrote:

> Hi Mike, Hugh, Terry,
> Thanks for your good advice! I am trying to get a valid server certificate and
> will test it soon, then it should be ok.
>
>
> Hi,
> The current question I am facing is:
> I set Radiator to use MySQL database authentication. I created one user
> which is supposed to be able to use this account for only 1 hour (in the
> test, I set it to 1 minute). After the PEAP authentication, the user can surf
> the internet; after 1 minute the user ID was deleted on my access control
> server according to the instruction from Radiator. But the user (on XP)
> automatically sends the authentication information to the AC and Radiator and
> gets authentication succeeded and he can surf again; XP can cache the login
> info to the registry so it does not prompt for login again. By right, this
> account should be expired already. Here below is the config file. What can I
> do to make this user able to use the account for only 1 hour, after which the
> user will need to get a new account for login? Thanks!
> Rgds
> Scott
> +++++++++++++++++++++++++++++++++++++++++
> Config file on Radiator:
>
> Foreground
> LogStdout
> LogDir		/var/log/radius
> DbDir		/etc/radiator
>
> AuthPort 1812
> AcctPort 1813
>
> # Use a lower trace level in production systems:
> Trace 		4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret t-antlabs
> 	DupInterval 0
> </Client>
>
> <Client 192.168.123.9>
> 	Secret  antlabs
> 	DupInterval 0
> </Client>
>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         # Windows XP when configured for a workgroup might send tunnelled user names
>         # in the format COMPUTERNAME\username (eg BAKER\mikem). This
>         # will strip the computer name leaving just the user name
>         RewriteUsername s/(.*)\\(.*)/$2/
>
>
> #	<AuthBy FILE>
> #		Filename %D/users
> #
> #		# This tells the PEAP client what types of inner EAP requests
> #		# we will honour
> #		EAPType MSCHAP-V2
> #	</AuthBy>
> 	# This hook fixes the problem with some implementations of PEAP, where the
> 	# accounting requests have the User-Name of anonymous, instead of the real
> 	# user's name. After authenticating the inner TTLS request, the
> 	# PostAuthHook caches the _real_ user name in an SQL table,
> 	# The PreProcessingHook replaces the 'anonymous' user name in
> 	# accounting requests with the
> 	# real user name that was previously cached for the NAS and NAS-Port.
> 	# You can see the correct real User-Name logged in the AcctLogFileName
> 	# Must be used in conjunction with PreProcessingHook below
> #	PostAuthHook file:"goodies/eap_anon_hook.pl"
>
> # Replace the AuthBy FILE users file with this MySQL AuthBy below for testing -- Scott -- :->
>
> #<Realm DEFAULT>
>     AuthByPolicy ContinueWhileAccept
>    <AuthBy SQL>
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
>         DBSource        dbi:mysql:idausrdb
>         DBUsername	antlabs
>
>         DBAuth		hidenpassword
>
>         AcctColumnDef   USERNAME,User-Name
>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef   NASPORT,NAS-Port,integer
> #	EAPType MSCHAP-V2
> #	EAPType PEAP,MSCHAP-V2
> 	EAPType MSCHAP-V2
>
>
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> #       DBSource        dbi:mysql:radius
> #       DBUsername      mikem
> #       DBAuth          fred
>
>         # Only one session per user at a time
>         DefaultSimultaneousUse 1
>
>         # Let the user in if they have any time left, set
>         # the Session-timeout to the time left
>         AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
>         AuthColumnDef   0,User-Password,check
>         AuthColumnDef   1,Session-Timeout,reply
>
>         # Adjust the time left when they log out
>         AccountingStopsOnly
>         AcctSQLStatement update SUBSCRIBERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time} where USERNAME='%n'
>
>     </AuthBy>
>   #<AuthBy FILE>
>   #    Filename defuser
>   # </AuthBy>
> #</Realm>
>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner
> # authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to
> # select a specific handler, or else you can use EAPAnonymous to set a
> # username and realm which can be used to select a Realm clause for the
> # inner request.
> # This allows you to select an inner authentication method based on Realm,
> # and/or the fact that they were tunnelled. You can therefore act just as a
> # PEAP server, or also act as the AAA/H home server, and authenticate PEAP
> # requests locally or proxy them to another remote server based on the realm
> # of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
>
>
> # This below is for the outer authentication, using MySQL too.
> # Auth method is PEAP -- Scott
>
> <Handler>
> #	<AuthBy FILE>
>        # <AuthBy SQL>
> 		# The username of the outer authentication
> 		# must be in this file to get anywhere. In this example,
> 		# it requires an entry for 'anonymous' which is the standard username
> 		# in the outer requests, and it also requires an entry for the
> 		# actual user name who is trying to connect (ie the 'Login name' entered
> 		# in the Funk Odyssey 'Edit Profile Properties' page
> #	Filename %D/users
>
> 		# EAPType sets the EAP type(s) that Radiator will honour.
> 		# Options are: MD5-Challenge, One-Time-Password
> 		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> 		# Multiple types can be comma separated. With the default (most
> 		# preferred) type given first
> 		#EAPType PEAP
>    <AuthBy SQL>
>         DBSource        dbi:mysql:idausrdb
>         DBUsername	antlabs
>         DBAuth		hidenpassword
>         AcctColumnDef   USERNAME,User-Name
>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef   NASPORT,NAS-Port,integer
>
>    #	EAPType PEAP
> #	EAPType MSCHAP-V2,PEAP
> 	EAPType PEAP,MSCHAP-V2
> 		# EAPTLS_CAFile is the name of a file of CA certificates
> 		# in PEM format. The file can contain several CA certificates
> 		# Radiator will first look in EAPTLS_CAFile then in
> 		# EAPTLS_CAPath, so there usually is no need to set both
> 		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> 		# EAPTLS_CAPath is the name of a directory containing CA
> 		# certificates in PEM format. The files each contain one
> 		# CA certificate. The files are looked up by the CA
> 		# subject name hash value
> #		EAPTLS_CAPath
>
> 		# EAPTLS_CertificateFile is the name of a file containing
> 		# the servers certificate. EAPTLS_CertificateType
> 		# specifies the type of the file. Can be PEM or ASN1
> 		# defaults to ASN1
> 		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> 		EAPTLS_CertificateType PEM
>
> 		# EAPTLS_PrivateKeyFile is the name of the file containing
> 		# the server's private key. It is sometimes in the same file
> 		# as the server certificate (EAPTLS_CertificateFile)
> 		# If the private key is encrypted (usually the case)
> 		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
> 		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> 		EAPTLS_PrivateKeyPassword whatever
>
> 		# EAPTLS_RandomFile is an optional file containing
> 		# randomness
> #		EAPTLS_RandomFile %D/certificates/random
>
> 		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> 		# size that will be replied by Radiator. It must be small
> 		# enough to fit in a single Radius request (ie less than 4096)
> 		# and still leave enough space for other attributes
> 		# Aironet APs seem to need a smaller MaxFragmentSize
> 		# (eg 1024) than the default of 2048. Others need even smaller sizes.
> 		EAPTLS_MaxFragmentSize 1000
>
> 		# EAPTLS_DHFile if set specifies the DH group file. It
> 		# may be required if you need to use ephemeral DH keys.
> #		EAPTLS_DHFile %D/certificates/cert/dh
>
>
> 		# If EAPTLS_CRLCheck is set and the client presents a certificate
> 		# then Radiator will look for a certificate revocation list (CRL)
> 		# for the certificate issuer
> 		# when authenticating each client. If a CRL file is not found, or
> 		# if the CRL says the certificate has been revoked, the authentication will
> 		# fail with an error:
> 		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> 		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> 		# Alternatively, CRLs may follow a file naming convention:
> 		#  the hash of the issuer subject name
> 		# and a suffix that depends on the serial number.
> 		# eg ab1331b2.r0, ab1331b2.r1 etc.
> 		# You can find out the hash of the issuer name in a CRL with
> 		#  openssl crl -in crl.pem -hash -noout
> 		# CRLs with this name convention
> 		# will be searched in EAPTLS_CAPath, else in the openssl
> 		# certificates directory typically /usr/local/openssl/certs/
> 		# CRLs are expected to be in PEM format.
> 		# A CRL file can be generated with openssl like this:
> 		#  openssl ca -gencrl -revoke cert-clt.pem
> 		#  openssl ca -gencrl -out crl.pem
> 		# Use of these flags requires Net_SSLeay-1.21 or later
> 		#EAPTLS_CRLCheck
> 		#EAPTLS_CRLFile %D/certificates/crl.pem
> 		#EAPTLS_CRLFile %D/certificates/revocations.pem
>
> 		# Some clients, depending on their configuration, may require you to specify
> 		# MPPE send and receive keys. This _will_ be required if you select
> 		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> 		# client Network Properties dialog.
> 		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> 		# in the final Access-Accept
> 		AutoMPPEKeys
>
> 		# You can enable some warning messages from the Net::SSLeay
> 		# module by setting SSLeayTrace to an integer from 1 to 4
> 		# 1=ciphers, 2=trace, 3=dump data
> 		SSLeayTrace 4
>
> 		# You can configure the User-Name that will be used for the inner
> 		# authentication. Defaults to 'anonymous'. This can be useful
> 		# when proxying the inner authentication. If there is a realm, it can
> 		# be used to choose a local Realm to handle the inner authentication.
> 		# %0 is replaced with the EAP identity
> 		# EAPAnonymous anonymous@some.other.realm
>
> 		# You can enable or disable support for TTLS Session Resumption and
> 		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> 		# Default is enabled
> 		#EAPTLS_SessionResumption 0
>
> 		# You can limit how long after the initial session that a session can be resumed
> 		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> 		# (12 hours)
> 		#EAPTLS_SessionResumptionLimit 10
>
> 		# You can control which version of the draft PEAP protocol to honour
> 		# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
> 		# such as Funk Odyssey Client 2.22 or later.
> 		EAPTLS_PEAPVersion 1
>
>         	AuthSelect select TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
>         	AuthColumnDef   0,Session-Timeout,reply
>
> 	</AuthBy>
>
> 	# This hook fixes the problem with some implementations of PEAP, where the
> 	# accounting requests have the User-Name of anonymous, instead of the real
> 	# user's name. After authenticating the inner TTLS request, the
> 	# PostAuthHook caches the _real_ user name in an SQL table,
> 	# The PreProcessingHook replaces the 'anonymous' user name in
> 	# accounting requests with the
> 	# real user name that was previously cached for the NAS and NAS-Port.
> 	# You can see the correct real User-Name logged in the AcctLogFileName
> 	# Must be used in conjunction with PostAuthHook above
> #	PreProcessingHook file:"goodies/eap_anon_hook.pl"
> </Handler>
>
>
>
> -----Original Message-----
> From: Terry Simons [mailto:galimore at mac.com]
> Sent: Saturday, July 17, 2004 12:45 AM
> To: scottxiao at antlabs.com
> Cc: Mike McCauley; radiator at open.com.au; Hugh Irvine
> Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9
>
>
> Hi Scott, Mike, Hugh.  ;-)
>
> I'd like to suggest that perhaps it is less than favorable to turn off
> server certificate validation in a production environment because it
> basically allows Man in The Middle attacks to be carried out on users
> in a fashion that a user wouldn't even realize what was going on.
>
> A better solution than purchasing a certificate might be to run your
> own CA and create your own certificates.  In fact, this is a much
> better and more secure solution than even using somebody like Verisign.
>
> If you were running a verisign CA signed server certificate for 802.1X
> authentication, I could also request a verisign server certificate, and
> hand it to your user to pull off a Man in the Middle attack.  Because
> your client is going to verify Verisign (because that's what your
> certificate was signed against), they will also allow my server
> certificate (which was also signed by verisign).  This is a bad idea in
> general, and should probably be avoided.
>
> If you use a private CA to sign your server and client certificates,
> the attacker is not going to be able to produce certificates signed by
> that CA, so they will have a much harder time pulling off a Man in the
> Middle attack.
>
> Anyway, I'm not trying to tell you what to do, but there are
> implications to consider when dealing with 802.1X and ensuring the
> security of your users, and unfortunately the brunt of the work falls
> on the administrator, especially when dealing with certificates.  :-)
>
> Cheers,
>
> - Terry
>
> On Jul 16, 2004, at 4:59 AM, Scott Xiao - ANTlabs wrote:
>
>> Thanks Hugh, yes, it's one option; the other one I think is, I need to let
>> the customer purchase an official certificate for the Radius server from,
>> maybe, Verisign, for the convenience of WLAN users, because it will not be
>> very secure without "validate server certificate" comparatively anyway.
>> Thanks, Hugh and Mike!
>> Scott
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Friday, July 16, 2004 4:07 PM
>> To: scottxiao at antlabs.com
>> Cc: radiator at open.com.au; Mike McCauley
>> Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9
>>
>>
>>
>> Hello Scott -
>>
>> If the authentication succeeds without "validate server certificate"
>> on
>> XP then that is what you should tell your users to do.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 16 Jul 2004, at 16:29, Scott Xiao - ANTlabs wrote:
>>
>>> Hi,
>>> In the config file, I changed back my EAPType as before and now
>>> authentication succeeded. So what Mike suggested, to comment out REALM
>>> DEFAULT, is the key point to resolve the problem (Desired EAP type 25 not
>>> permitted), thanks!!
>>> My other question, as I asked before, is: now I disabled "validate server
>>> certificate" on the client, how can I let the authentication pass without
>>> requiring the XP client to install any specific certificate? Thanks.
>>> Cheers
>>> Scott
>>>
>>> -----Original Message-----
>>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Scott Xiao - ANTlabs
>>> Sent: Friday, July 16, 2004 11:06 AM
>>> To: radiator at open.com.au
>>> Cc: Hugh Irvine; Mike McCauley
>>> Subject: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9
>>>
>>>
>>> Hi, Thanks to Mike and Hugh for the advice! ...but I still got the same
>>> problem....
>>> I have modified the configuration file according to your advice:
>>> 1. comment out the <Realm DEFAULT>
>>> 2. Change EAPType to PEAP round the other way with MSCHAP-V2
>>> Below is the updated config file. But when I try to authenticate after
>>> restarting the service, it still gives me the error "Access rejected for
>>> idatesta: Desired EAP type 25 not permitted". See the log below after the
>>> config file in the email please. What is the problem? For inner
>>> authentication, do I have to use defuser instead of MySQL?
>>> Thanks for the reminder about the mailing list; actually I believe I have
>>> been on the mailing list for 2 days, I received a lot of email from other
>>> subscribers regarding their questions.
>>> Please advise, thanks!
>>> Rgds
>>> Scott
>>>
>>> config file mysql-peap.cfg  (running with /usr/bin/perl
>>> /usr/bin/radiusd -config_file /etc/radiator/mysql-peap.cfg)
>>> ........
>>>
>>> <Handler TunnelledByPEAP=1>
>>>
>>>         RewriteUsername s/(.*)\\(.*)/$2/
>>>
>>> #<Realm DEFAULT>
>>>
>>>     AuthByPolicy ContinueWhileAccept
>>>    <AuthBy SQL>
>>>         DBSource        dbi:mysql:idausrdb
>>>         DBUsername
>>>         DBAuth
>>>         AcctColumnDef   USERNAME,User-Name
>>>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>         AcctColumnDef   NASPORT,NAS-Port,integer
>>> #       EAPType MSCHAP-V2
>>>         EAPType PEAP
>>>     </AuthBy>
>>>
>>> #</Realm>
>>>
>>> </Handler>
>>>
>>> <Handler>
>>>
>>>    <AuthBy SQL>
>>>         DBSource        dbi:mysql:idausrdb
>>>         DBUsername
>>>         DBAuth
>>>         AcctColumnDef   USERNAME,User-Name
>>>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>         AcctColumnDef   NASPORT,NAS-Port,integer
>>>
>>>    #    EAPType PEAP
>>>         EAPType MSCHAP-V2
>>>
>>>        </AuthBy>
>>>
>>>
>>> The log file:
>>> [root at FC radius]# tail -50 logfile | more
>>> Fri Jul 16 00:51:27 2004: DEBUG: Response type 3
>>> Fri Jul 16 00:51:27 2004: INFO: EAP Nak desires type 25
>>> Fri Jul 16 00:51:27 2004: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
>>> Fri Jul 16 00:51:27 2004: INFO: Access rejected for idatesta: Desired EAP type 25 not permitted
>>> Fri Jul 16 00:51:27 2004: DEBUG: Packet dump:
>>> *** Sending to 192.168.123.9 port 1647 ....
>>> Code:       Access-Reject
>>> Identifier: 18
>>> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>>> Attributes:
>>>         Reply-Message = "Request Denied"
>>>         Proxy-State = 181
>>>
>>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>>> *** Received from 192.168.123.9 port 1647 ....
>>> Code:       Access-Request
>>> Identifier: 19
>>> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>>> Attributes:
>>>         User-Name = "idatesta"
>>>         Framed-MTU = 1400
>>>         Called-Station-Id = "000f.34db.6690"
>>>         Calling-Station-Id = "000c.f108.37bf"
>>>         Message-Authenticator =
>>> Do<15><183>1<131>Q<23>e<19><168><162><254>Ns<245>
>>>         EAP-Message = <2><1><0><13><1>idatesta
>>>         NAS-Port-Type = Wireless-IEEE-802-11
>>>         NAS-Port = 419
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 10.0.0.1
>>>         NAS-Identifier = "ps-ap"
>>>         Proxy-State = 182
>>>
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling request with Handler ''
>>> Fri Jul 16 00:51:39 2004: DEBUG:  Deleting session for idatesta, 10.0.0.1, 419
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL:
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with EAP: code 2, 1, 13
>>> Fri Jul 16 00:51:39 2004: DEBUG: Response type 1
>>> Fri Jul 16 00:51:39 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
>>> Fri Jul 16 00:51:39 2004: DEBUG: Access challenged for idatesta: EAP MSCHAP-V2 Challenge
>>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>>> -----Original Message-----
>>> From: Mike McCauley [mailto:mikem at open.com.au]
>>> Sent: Friday, July 16, 2004 6:42 AM
>>> To: Scott Xiao - ANTlabs
>>> Cc: Hugh Irvine
>>> Subject: Re: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9
>>>
>>>
>>> Hello Scott,
>>>
>>> Your email was identified as spam by my spamassassin, mostly due to HTML
>>> content. It's lucky I got to see it. Please don't use HTML.
>>>
>>> BTW, it would be better if you address any future technical questions you
>>> might have to the Radiator mailing list. That way others can learn
>>> from the question and answer, and possibly contribute in areas
>>> where I am not expert. Also, we have other staff on the mailing list
>>> who can respond when I am not available.
>>>
>>> You can join the Radiator mailing list by sending email with the
>>> single word subscribe in the body (not in the subject line) to
>>> radiator-request at open.com.au
>>> There is an archive at http://www.open.com.au/archives/radiator/
>>>
>>> If you require a guaranteed response to your questions, you should consider
>>> a support contract, see http://www.open.com.au/support.html
>>>
>>> The problem you report is due to the fact that you have your EAP types around
>>> the wrong way, in that the Handler which handles the inner request is type
>>> PEAP, and the Realm is type MSCHAP-V2. They should be round the other way.
>>> Also you have a Realm DEFAULT which will get all requests, including the
>>> inner. You should use <Handler> instead of <Realm DEFAULT>. Mixing Realms and
>>> Handlers is generally a bad idea.
>>>
>>> Cheers.
>>>
>>>
>>>
>>>
>>> On Thu, 15 Jul 2004 09:52 pm, you wrote:
>>>> Spam detection software, running on the system
>>>> "server1.open.com.au",
>>>> has
>>>> identified this incoming email as possible spam.  The original
>>>> message
>>>> has been attached to this so you can view it (if it isn't spam) or
>>>> block
>>>> similar future email.  If you have any questions, see
>>>> postmaster at open.com.au for details.
>>>>
>>>> Content preview:  Hi,Mike, Can you advise?Thanks! Scott
>>>>
>>>> Content analysis details:   (5.3 points, 5.0 required)
>>>>
>>>>  pts rule name              description
>>>> ---- ---------------------- --------------------------------------------------
>>>>  0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
>>>>  0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
>>>>  0.2 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>>>>  0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
>>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>>  0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text
>>>>  1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
>>>>                             [203.125.41.199 listed in dnsbl.sorbs.net]
>>>>  0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
>>>>                             [203.125.41.199 listed in dnsbl.sorbs.net]
>>>>  0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
>>>>                             [203.125.41.199 listed in dnsbl.njabl.org]
>>>>  1.1 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
>>>>                             [<http://dsbl.org/listing?ip=203.125.41.199>]
>>>>  1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>>>                             [203.125.41.199 listed in dnsbl.njabl.org]
>>>>
>>>> The original message was not completely plain text, and may be unsafe
>>>> to open with some email clients; in particular, it may contain a virus,
>>>> or confirm that your address can receive spam.  If you wish to view
>>>> it, it may be safer to save it to a file and open it with an editor.
>>>
>>> --
>>> Mike McCauley                               mikem at open.com.au
>>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>> http://www.open.com.au
>>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
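The layout Mike describes above (PEAP terminated in an outer Handler, MSCHAP-V2 authenticating the tunnelled inner request, and no catch-all Realm), written out as an added example configuration that is not from the thread or from the Radiator distribution. The users file, certificate paths, shared secret and key password are placeholders.

```text
# Added example: Handlers only, inner (MSCHAP-V2) before outer (PEAP).
# The mis-ordered setup from the thread had the inner Handler as PEAP and
# a <Realm DEFAULT> as MSCHAP-V2, so the Realm also swallowed the inner request.
Foreground
LogStdout
LogDir   ./logs
DbDir    .
Trace    4

<Client DEFAULT>
    Secret  CHANGEME-shared-secret     # placeholder, not a real secret
</Client>

# Inner request. Radiator re-dispatches the request carried inside the
# PEAP tunnel with TunnelledByPEAP set, so this Handler must be listed
# first: Handlers are tried in order and the first match wins.
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users              # placeholder users file
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer request: everything that is not tunnelled, i.e. the PEAP/TLS
# tunnel setup from the access point. Replaces <Realm DEFAULT>.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/ca.pem          # placeholder path
        EAPTLS_CertificateFile %D/certificates/srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/srv.pem
        EAPTLS_PrivateKeyPassword CHANGEME-key-pass   # placeholder
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With Trace 4 set as above, the debug log shows which Handler each request lands in, which is the quickest way to confirm the inner request is no longer caught by the outer one.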

