(RADIATOR) User always get authentication succeeded after Timeleft expired with 802.1x PEAP/aironet1100 WLAN
Hugh Irvine
hugh at open.com.au
Thu Jul 22 21:06:14 CDT 2004
Hello Scott -
Thanks for sending the debug which does indeed show that there are no
accounting requests.
If there are no accounting requests, then the TIMELEFT is not
decremented, therefore the authentication will succeed and the
Session-Timeout will always remain the same.
You will need to find out why the accounting requests are not being
sent by the access point.
regards
Hugh
On 22 Jul 2004, at 21:25, Scott Xiao - ANTlabs wrote:
> Hi, Hugh,
> I checked the Radiator configuration file and added the line to update the
> timeleft for the user, so UAM works well now. But for 802.1x login, the
> user is still authenticated automatically and the timeleft (I set it to 30
> seconds) value remains. Unless I stop the radiator, the authentication will
> not fail; it seems the radiator or AP didn't send accounting stop to update
> the mysql user database... here is the log... thanks! -- Scott
> Mon Jul 19 19:21:39 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code: Access-Request
> Identifier: 156
> Authentic: }<4><139>$)O<180>M<240><210>a3<160><212>E<151>
> Attributes:
> User-Name = "john"
> Framed-MTU = 1400
> Called-Station-Id = "000f.34db.6690"
> Calling-Station-Id = "000c.f108.37bf"
> Message-Authenticator =
> <199><212><236><212><233><*B$_$<169><164>Uj<135>
> EAP-Message =
> <2><9><0><29><25><0><23><3><1><0><18><139><141><197><223><189><229>4<0>
> <22>X
> <254><231>1N<27><208><161>V
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 298
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> Proxy-State = 239
>
> Mon Jul 19 19:21:39 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:21:39 2004: DEBUG: Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:21:39 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:21:39 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:21:39 2004: DEBUG: Handling with EAP: code 2, 9, 29
> Mon Jul 19 19:21:39 2004: DEBUG: Response type 25
> Mon Jul 19 19:21:39 2004: DEBUG: EAP PEAP inner authentication request
> for
> anonymous
> Mon Jul 19 19:21:41 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <165><165><180><156><234>1cd<141><251><2>g<11>,<215><2>
> Attributes:
> EAP-Message = <2><9><0><2><26><3>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> NAS-Port = 298
> Calling-Station-Id = "000c.f108.37bf"
>
> Mon Jul 19 19:21:41 2004: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Jul 19 19:21:41 2004: DEBUG: Rewrote user name to anonymous
> Mon Jul 19 19:21:41 2004: DEBUG: Deleting session for , 10.0.0.1, 298
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with EAP: code 2, 9, 2
> Mon Jul 19 19:21:41 2004: DEBUG: Response type 26
> Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 0,
> Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for anonymous
> Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Mon Jul 19 19:21:41 2004: DEBUG: Access challenged for john: EAP PEAP
> inner
> authentication redespatched to a Handler
> Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code: Access-Challenge
> Identifier: 156
> Authentic: }<4><139>$)O<180>M<240><210>a3<160><212>E<151>
> Attributes:
> EAP-Message =
> <1><10><0>&<25><0><23><3><1><0><27>nL]<255><149>H<227>}s<225>YF<210><20
> 7><16
>> <213><12><196>0<178>/<13>x<174><179><0><150>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = 239
>
> Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code: Access-Request
> Identifier: 157
> Authentic: <212><135>3o<178><182><27><224><192>-<241><138><195>ee
> Attributes:
> User-Name = "john"
> Framed-MTU = 1400
> Called-Station-Id = "000f.34db.6690"
> Calling-Station-Id = "000c.f108.37bf"
> Message-Authenticator =
> <146><195><193>C<156><240><128><26><15>|=<248><180><225>S<220>
> EAP-Message =
> <2><10><0>&<25><0><23><3><1><0><27><150>l<+<4><2><168><174><238>0<169>?
> K7<20
> 1><5><25><179>3<146><1><222><253>d<193><16><254>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 298
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> Proxy-State = 240
>
> Mon Jul 19 19:21:41 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:21:41 2004: DEBUG: Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with EAP: code 2, 10, 38
> Mon Jul 19 19:21:41 2004: DEBUG: Response type 25
> Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 0,
> Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for john
> Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code: Access-Accept
> Identifier: 157
> Authentic: <212><135>3o<178><182><27><224><192>-<241><138><195>ee
> Attributes:
> Session-Timeout = 30
> EAP-Message = <3><10><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> MS-MPPE-Send-Key =
> "<130><182>^<193>@<204><179><231>"<250><244><140><24><164>F.<140>Yq<179
> ><191
>> x<225><202><31>W<181><^a><0><207><152>Y<251><150><166>E"<189>JcT?
>> <146>u<174
>> 2^"
> MS-MPPE-Recv-Key =
> "<157>Gq<224><175><146><250><251>-
> ~<162><161><254><236><28>+<169>gt<153><138
>> <26>M<141><132><243><172>@<143>m<185>B-
>> '<204><0>h<198><185>il<187>+<175>t<1
> 92><191>C<177><17>"
> Proxy-State = 240
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code: Access-Request
> Identifier: 158
> Authentic: <2><214>Y<138><226><10>8<25><254><143><21>qu<2><161><229>
> Attributes:
> User-Name = "john"
> Framed-MTU = 1400
> Called-Station-Id = "000f.34db.6690"
> Calling-Station-Id = "000c.f108.37bf"
> Message-Authenticator =
> <221>q<184><190><2><202><144><182><225>*<28><130>V<129><194>0
> EAP-Message = <2><5><0><9><1>john
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 298
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> Proxy-State = 241
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 5, 9
> Mon Jul 19 19:22:08 2004: DEBUG: Response type 1
> Mon Jul 19 19:22:08 2004: DEBUG: Resuming session for
> Radius::Context=HASH(0x97a1d48)
>
> Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code: Access-Challenge
> Identifier: 158
> Authentic: <2><214>Y<138><226><10>8<25><254><143><21>qu<2><161><229>
> Attributes:
> EAP-Message = <1><6><0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = 241
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code: Access-Request
> Identifier: 159
> Authentic: <215>x<159><31><186><217>Y<200>gd<182>#<229><187><228><159>
> Attributes:
> User-Name = "john"
> Framed-MTU = 1400
> Called-Station-Id = "000f.34db.6690"
> Calling-Station-Id = "000c.f108.37bf"
> Message-Authenticator =
> <22><22><16>?0R<156><176><5><167>c<184><203><239><22>F
> EAP-Message =
> <2><6><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>@<255><161><
> 136>o
> <142><195>,<166><236>\<134><151>t<20>S<175><208>"<243><24>:
> <142>7<29><17>H<3
> 0><173><190><212>R
> <245><23><240><233><243>V><213><181>vs<245><252><158><194><254><179><13
> 2><1>
> <175><1><15><210><216>-
> <230>YJ<163><245><224><176><0><22><0><4><0><5><0><10>
> <0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 298
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> Proxy-State = 242
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 6, 112
> Mon Jul 19 19:22:08 2004: DEBUG: Response type 25
> Mon Jul 19 19:22:08 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8640
> Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code: Access-Challenge
> Identifier: 159
> Authentic: <215>x<159><31><186><217>Y<200>gd<182>#<229><187><228><159>
> Attributes:
> EAP-Message =
> <1><7><0><132><25><128><0><0><0>z<22><3><1><0>J<2><0><0>F<3><1>@<251><1
> 74><2
> 24><143><24>Y<149>><171><222><234><169><131>D%<190><216>R,r(<3>Bb<194><
> 137><
> 8><187>u<2><248>
> <245><23><240><233><243>V><213><181>vs<245><252><158><194><254><179><13
> 2><1>
> <175><1><15><210><216>-
> <230>YJ<163><245><224><176><0><4><0><20><3><1><0><1><
> 1><22><3><1><0>
> =q<21>A<18><17><18><229>`<254>%<188>;
> <164>^<245>*<1><28>f~<210>~<164><6>S8<1
> 36><135>22<137>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = 242
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code: Access-Request
> Identifier: 160
> Authentic: <142><194>m<191>%9<30><191><217>yq<162><141><238>0L
> Attributes:
> User-Name = "john"
> Framed-MTU = 1400
> Called-Station-Id = "000f.34db.6690"
> Calling-Station-Id = "000c.f108.37bf"
> Message-Authenticator = <163>D<198>7K<190>MU<253><226><251>~$<184><2>Y
> EAP-Message =
> <2><7><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> 9w[<189><147>cUi<229><27>?
> rQ<190><146>Q<134><10><233><132>d<144><178><129>g<
> 233>uu<<15><18><237>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 298
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> Proxy-State = 243
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 7, 53
> Mon Jul 19 19:22:08 2004: DEBUG: Response type 25
> Mon Jul 19 19:22:08 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code: Access-Challenge
> Identifier: 160
> Authentic: <142><194>m<191>%9<30><191><217>yq<162><141><238>0L
> Attributes:
> EAP-Message =
> <1><8><0><28><25><0><23><3><1><0><17><173><244><201>0<135><128><162>O<2
> 51>B<
> 128><143><232><252><237>Yn
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = 243
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code: Access-Request
> Identifier: 161
> Authentic: <196>]Q<207>{<131><199><244>]<255>}<198><161><139>&<231>
> Attributes:
> User-Name = "john"
> Framed-MTU = 1400
> Called-Station-Id = "000f.34db.6690"
> Calling-Station-Id = "000c.f108.37bf"
> Message-Authenticator =
> U<137>|<176><173>f<30><186>I<129>Q<131><244><0><174><31>
> EAP-Message = <2><8><0>
> <25><0><23><3><1><0><21>w<197><141>U<R<1><26><3>|<5><227>f<215><155><13
> 3><14
> 5>y@<208><215>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 298
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> Proxy-State = 244
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with EAP: code 2, 8, 32
> Mon Jul 19 19:22:09 2004: DEBUG: Response type 25
> Mon Jul 19 19:22:09 2004: DEBUG: EAP PEAP inner authentication request
> for
> anonymous
> Mon Jul 19 19:22:09 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <29><187><15>Q1<233><173><196>"n1<167>"<212><214><185>
> Attributes:
> EAP-Message = <2><8><0><5><1>john
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 10.0.0.1
> NAS-Identifier = "ps-ap"
> NAS-Port = 298
> Calling-Station-Id = "000c.f108.37bf"
>
> Mon Jul 19 19:22:09 2004: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Jul 19 19:22:09 2004: DEBUG: Rewrote user name to anonymous
> Mon Jul 19 19:22:09 2004: DEBUG: Deleting session for , 10.0.0.1, 298
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with EAP: code 2, 8, 5
> Mon Jul 19 19:22:09 2004: DEBUG: Response type 1
> Mon Jul 19 19:22:09 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Mon Jul 19 19:22:09 2004: DEBUG: Access challenged for anonymous: EAP
> MSCHAP-V2 Challenge
> Mon Jul 19 19:22:09 2004: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Mon Jul 19 19:22:09 2004: DEBUG: Access challenged for john: EAP PEAP
> inner
> authentication redespatched to a Handler
> Mon Jul 19 19:22:09 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code: Access-Challenge
> Identifier: 161
> Authentic: <196>]Q<207>{<131><199><244>]<255>}<198><161><139>&<231>
> Attributes:
> EAP-Message =
> <1><9><0>3<25><0><23><3><1><0>(<224>|<156>o<171><203><148><166>2<17><17
> ><150
>> R<185>?<131>?
>> >C<3><137>B<161>,<160><2><253><201><195><8><164><233><14>t<13>
> ]ps<1>S
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = 244
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
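The check described in the reply above, as an added example that is not part of the original thread or Radiator's own code: a Python sketch that scans a trace 4 debug log for users who are accepted but never produce an Accounting-Request Stop, which is the condition that leaves TIMELEFT undecremented. The sample log is constructed, the user "mary" and the `audit` function are hypothetical, and the `Acct-Status-Type` and `Acct-Session-Time` lines assume accounting packets are dumped in the same format as the packets quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the trace 4 debug quoted above.
# "john" is accepted twice with no accounting; "mary" is a hypothetical
# user whose access point does send an Accounting-Request Stop.
SAMPLE_LOG = """\
Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for john
Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....
Code: Access-Accept
Attributes:
Session-Timeout = 30
Mon Jul 19 19:22:09 2004: DEBUG: Access accepted for john
Mon Jul 19 19:23:00 2004: DEBUG: Access accepted for mary
Mon Jul 19 19:23:30 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1814 ....
Code: Accounting-Request
Attributes:
User-Name = "mary"
Acct-Status-Type = Stop
Acct-Session-Time = 30
"""

ACCEPT = re.compile(r"DEBUG: Access accepted for (\S+)")
ATTR = re.compile(r'^(\S+) = "?([^"]*)"?$')

def audit(log_text, ignore=("anonymous",)):
    """Return {user: accept_count} for users accepted with no accounting Stop."""
    accepts, stops = defaultdict(int), defaultdict(int)
    code, attrs = None, {}

    def flush():
        # Close the packet being parsed; count it if it is an accounting Stop.
        if code == "Accounting-Request" and attrs.get("Acct-Status-Type") == "Stop":
            stops[attrs.get("User-Name", "")] += 1

    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate e-mail quote markers
        if (m := ACCEPT.search(line)):
            accepts[m.group(1)] += 1
        elif line.startswith("Code: "):      # a new packet dump begins
            flush()
            code, attrs = line[len("Code: "):], {}
        elif code and (a := ATTR.match(line)):
            attrs[a.group(1)] = a.group(2)
    flush()
    return {u: n for u, n in accepts.items()
            if u not in ignore and stops[u] == 0}
```

The `ignore` default skips the PEAP inner identity `anonymous`, which the inner handler accepts separately from the outer user.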