(RADIATOR) AuthBy LSA and Lan Manager Auth Level

Hugh Irvine hugh at open.com.au
Tue Nov 30 05:10:31 CST 2004


Hello Antonio -

You are correct - it is only the outer handler that requires the EAP parameters.

regards

Hugh


On 30 Nov 2004, at 20:24, António Fernandes wrote:

> Hi,
>
> A question arises for me: being that Handler TunnelledByPEAP, couldn't you
> leave out EAPTLS_CAFile, EAPTLS_CertificateFile, ..., EAPTLS_MaxFragmentSize?
> The only handler that should need that info would be the outer packet handler.
> Am I right?
>
>
> Thanks to all,
>
> Antonio Fernandes
> Porto Management School
> University of Porto - Portugal
>
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Kawakubo, Ken
> Sent: segunda-feira, 29 de Novembro de 2004 21:42
> To: 'Kirk T Byers'; Hugh Irvine
> Cc: radiator at open.com.au
> Subject: RE: (RADIATOR) AuthBy LSA and Lan Manager Auth Level
>
> Kirk,
>
> We have successfully implemented PEAP/MSChapv2, EAP-TTLS/PAP, and LEAP
> authentications against Active Directory using AuthBy LSA. We use the Windows
> built-in client for PEAP/MSChapv2 authentication. The pertinent portion of
> the configuration looks like the one below. Basically, you need to put AuthBy
> LSA under <Handler TunnelledByPEAP=1>. First, radius packets go to <Handler>,
> then if they are PEAP authentication packets, they get dispatched to
> <Handler TunnelledByPEAP=1>, and this is the Handler which does
> authentication by LSA. The users file includes the "anonymous" user only.
>
> Ken Kawakubo
>
> <Handler TunnelledByPEAP=1>
> 	# Authenticate with Windows LSA
> 	<AuthBy LSA>
> 		DomainController xxxxx
>
> 		# This tells the PEAP client what types of inner EAP requests
> 		# we will honour
> 		EAPType MSCHAP-V2
> 		EAPTLS_CAFile C:/Program Files/Radiator/cacert.pem
> 		EAPTLS_CertificateFile C:/Program Files/Radiator/xxxxx.pem
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile C:/Program Files/Radiator/xxxxx.pem
> 		EAPTLS_PrivateKeyPassword everwhat
> 		EAPTLS_MaxFragmentSize 500
> 	</AuthBy>
>
> 	AcctLogFileName	%L/detail
> </Handler>
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename C:/Program Files/Radiator/users
>
> 		EAPType PEAP,TTLS
> 		EAPTLS_PEAPVersion 0
>
> 		EAPTLS_CAFile C:/Program Files/Radiator/cacert.pem
> 		EAPTLS_CertificateFile C:/Program Files/Radiator/xxxxx.pem
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile C:/Program Files/Radiator/xxxxx.pem
> 		EAPTLS_PrivateKeyPassword everwhat
> 		EAPTLS_MaxFragmentSize 1024
> 		AutoMPPEKeys
> 		SSLeayTrace 4
> 	</AuthBy>
>
> 	AcctLogFileName	%L/detail
> 	AuthLog		eap-authlog
> </Handler>
>
> -----Original Message-----
> From: Kirk T Byers [mailto:ktbyers at stanford.edu]
> Sent: Monday, November 29, 2004 12:49 PM
> To: Hugh Irvine
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) AuthBy LSA and Lan Manager Auth Level
>
>
> Hugh,
>
> Here is my configuration file and debugging log. I have validated that I
> can log into the domain using the username/password that I am testing with.
>
> Thanks,
>
> Kirk
>
>
> ******* radius.cfg *******
>
> Foreground
> LogStdout
> LogDir		.
> DbDir		.
> Trace 		4
>
> <Client DEFAULT>
> 	Secret	XXXXXX
> 	DupInterval 0
> </Client>
>
> <Handler TunnelledByPEAP=1>
>
> 	<AuthBy LSA>
> 		#Domain
> 		Domain NT
> 		#DefaultDomain NT
>
> 		EAPType MSCHAP-V2
> 	</AuthBy>
> </Handler>
>
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename %D/users
>
> 		EAPType PEAP
>
> 		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> #		EAPTLS_CAPath
>
> 		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> 		EAPTLS_CertificateType PEM
>
> 		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> 		EAPTLS_PrivateKeyPassword whatever
>
> #		EAPTLS_RandomFile %D/certificates/random
>
> 		EAPTLS_MaxFragmentSize 1000
>
> 		#EAPTLS_CRLCheck
> 		#EAPTLS_CRLFile %D/certificates/crl.pem
> 		#EAPTLS_CRLFile %D/certificates/revocations.pem
>
> 		AutoMPPEKeys
>
> 		SSLeayTrace 4
>
> 		#EAPTLS_SessionResumptionLimit 10
> 	</AuthBy>
> </Handler>
>
> ******* END radius.cfg *******
>
>
> ******* TRACE OUTPUT *******
> Mon Nov 29 11:04:20 2004: DEBUG: Reading users file ./users
> Mon Nov 29 11:04:20 2004: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2005-02-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact admin at open.com.au
>
> Mon Nov 29 11:04:20 2004: DEBUG: Reading dictionary file './dictionary'
> Mon Nov 29 11:04:20 2004: DEBUG: Creating authentication port  
> 0.0.0.0:1645
> Mon Nov 29 11:04:20 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Nov 29 11:04:20 2004: NOTICE: Server started: Radiator 3.9+patches  
> on
> testserver (LOCKED)
> Mon Nov 29 11:04:23 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 35
> Authentic:  6<4>(<170><190><226><203><141>n5O+<144><180><153><159>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <192><230><0>M<219>N<248><135><231>'<171><11>h<218><132>t
> 	EAP-Message = <2><1><0><15><1>NT\testuser
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 286
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:23 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:23 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 286
> Mon Nov 29 11:04:23 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:23 2004: DEBUG: Handling with EAP: code 2, 1, 15
> Mon Nov 29 11:04:23 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:24 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:24 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:24 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 35
> Authentic:  6<4>(<170><190><226><203><141>n5O+<144><180><153><159>
> Attributes:
> 	EAP-Message = <1><2><0><6><25>!
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:56 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 36
> Authentic:   
> <216><138><0><176><13><239><158>l?<200><212><211>G<212><203><19>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <204>G<136><189><225>x<11>u<219>1$\<172>RY<211>
> 	EAP-Message = <2><1><0><15><1>NT\testuser
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:56 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:56 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:56 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:56 2004: DEBUG: Handling with EAP: code 2, 1, 15
> Mon Nov 29 11:04:56 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:56 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:56 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:56 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 36
> Authentic:   
> <216><138><0><176><13><239><158>l?<200><212><211>G<212><203><19>
> Attributes:
> 	EAP-Message = <1><2><0><6><25>!
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 37
> Authentic:  <163>3c<250><30>!<v<213><194><145><238>I\<183><179>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <227><174><147><159>v<166>W<248><182>m<133>@<207><172><161>Q
> 	EAP-Message = <2><2><0><15><1>NT\testuser
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:57 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:57 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with EAP: code 2, 2, 15
> Mon Nov 29 11:04:57 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:57 2004: DEBUG: Resuming session for
> Radius::Context=HASH(0x246f058)
>
> Mon Nov 29 11:04:57 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 37
> Authentic:  <163>3c<250><30>!<v<213><194><145><238>I\<183><179>
> Attributes:
> 	EAP-Message = <1><3><0><6><25>!
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 38
> Authentic:   
> <151><182><11>H<246>j2<219><251><202><216>U<163><10><131><172>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> u<132><23><219><136>?<31>{<194><141>}~<155>NV<138>
> 	EAP-Message =
> <2><3><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>A<171>r<239> 
> <246>
> <19><1>ciy<230>5>U<231>o\]<11><163>9mh<149><227><151><133><220><166>
> <176>y<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0> 
> <18><
> 0>c<1><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:57 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:57 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with EAP: code 2, 3, 80
> Mon Nov 29 11:04:57 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:57 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Mon Nov 29 11:04:57 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 38
> Authentic:   
> <151><182><11>H<246>j2<219><251><202><216>U<163><10><131><172>
> Attributes:
> 	EAP-Message =
> <1><4><3><242><25><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>A<171>r< 
> 217><
> 143><205><173>M<152><2><203><227><142><150><149><9><207>.<212><178>k7; 
> <254><
> 6><163><146><240><222><200><175><28>
> E<176>BNy<8><177><244>:: 
> p<134><13>y<183><164>*<215>Y_e<28><230><252><163><17
> 8><161>cl? 
> 2<198><0><4><0><22><3><1><7><27><11><0><7><23><0><7><20><0><2><209
>> 0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<1 
>> 34><2
> 47><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0< 
> 15><6
>> <3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0 
>> <28><
> 6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
> 	EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in
> production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30> 
> <23><
> 13>040316080209Z<23><13>060316080209Z0u1<11>0<9><6><3>U<4><6><19><2>AU1 
> <17>0
> <15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne 
> 1<24>
> 0<22><6><3>U<4><10><19><15>My
> Test
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159> 
> 0<13>
> <6><9>*<134>H<134><247><13><1><1>
> 	EAP-Message =
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><216>4<7><6><214><2 
> 34>/<
> 241>.9<209><250>\y<1><149>[<215><24>e<133><15><223>d<176><132>Z<222>#<2 
> 34><1
> 2>%<133>aF<28><20><24><218><160><197><239><237><136><222><218><138><6>< 
> 19><2
> 47>}*3B<155><24>TE<18><240><194><220><164><183>9<192><176>/ 
> <16>HI<220><169>v
> N<215>)<31><207><24><157><230>G<186>)<246>J<195><171><154><249><220>v<1 
> 7><15
> 9><2>x<29><136><148>: 
> b<170><254><4><207><183><144><210><251>+<233><135>0<212
>> Y<207><158>N<226><136><12><132><143><250><182><218>W<2><3><1><0><1><16 
>> 3><23
>> 0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6> 
>> <9>*<
> 134>H<134><247><13><1><1><4><5><0><3><129><129><0>n<23><196><159>c<165> 
> <188>
>> q<129>X<13>=l? 
>> <174><155><170><162><189><20><25>az<19>o<202><250>|B8N<209><2
> 25><253>? 
> hv<170><193><235><2>b<16><201>}<250>,<181>q<154>%<182><29><179>p<21
> 1><248>oba<
> 	EAP-Message =
> JP<13>p<12>+<154><199>1<16><208><138><21><141>'wrX<214>NUW<231><173><25 
> >w<21
> 5><13><152><154>T<218><8><246><202>.<177>9s*<220><219>n"Gu<188><254><20 
> 6>U?<
> 214>)<181>I2^<157><225><174><232>2e<185>k<131><0><4>=0<130><4>90<130><3 
> ><162
>> <160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5> 
>> <0>0<
> 129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>V 
> ictor
> ia1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><2 
> 1>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do no
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 39
> Authentic:   
> <213><239><29><0><5>-<231>H<219><172><199><24><11>i<214><29>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <246><234><230><193><183><194><239>)D<150>f<190><15><145>h<14>
> 	EAP-Message = <2><4><0><6><25><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:57 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:57 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with EAP: code 2, 4, 6
> Mon Nov 29 11:04:57 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:57 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 39
> Authentic:   
> <213><239><29><0><5>-<231>H<219><172><199><24><11>i<214><29>
> Attributes:
> 	EAP-Message = <1><5><3><238><25>@t use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30> 
> <23><
> 13>040316080125Z<23><13>060316080125Z0<129><202>1<11>0<9><6><3>U<4><6>< 
> 19><2
>> AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9> 
>> Melbo
> urne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in p
> 	EAP-Message = roduction)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129 
> ><159
>> 0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129>< 
>> 137><
> 2><129><129><0><204><181>%Q<192>7g0<140><153>0xg<240><152><248><199><21 
> 4><25
> 3>W<7><220>|fd<163><137>%F<216><220><148><230><6><18>ie<144>'<244>P<8>D 
> xJ<13
> 8>n<203>k8<164><239><179>H<237>K<182>mo<155><145><138><143><136><127><2 
> 30><<
> 9>l<172><210><205><136><162><29>)1<4><206><11>g<163><226>i@<206>o<210>, 
> <185>
> <173><234><3>^4<221><252><168>H<178><158><25><235><152><250>g<199><172> 
> <250>
> uSr<156><205>P<150>O<197><240>=a<255>_<209><12><163><0>U<2><3><1><0><1> 
> <163>
> <130><1>+0<130><1>'0<29><6><3>U<29><14><4><22><4><20><23><2><196>#<233> 
> <210>
> F0D<173>f]r<193>H?<164><27>ke0<129><247><6><3>U<29>#
> 	EAP-Message =
> <4><129><239>0<129><236><128><20><23><2><196>#<233><210>F0D<173>f]r<193 
> >H?<1
> 64><27>ke<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4><6 
> ><19>
> <2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19>< 
> 9>Mel
> bourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130> 
> <1><0
>> 0<12><6><3>U<29><19><4><5>0<3>
> 	EAP-Message =
> <1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129> 
> <0>0<
> 3>=<202><190><236>S<216><228>o<177><242><18>hEBe<219>W<136><245>tf<202> 
> <143>
> <160><29><220>p9<5><24>2<185>)<128><227>8<17><247>'_J<28><159>; 
> _<202><254><2
> 42>+{=P<245><215>K<160><136>qml<181><24>3<0>f<166>Q(<2><193><29>- 
> <228><19><1
> 84>C<139>9}r1<188>DTlK<255><15><12>TL<160><177>DuY+<156><143><225><149> 
> <237>
> <135>ix<22>O<231><212><154><184><10>fZ<248>Va#<192><160>l<21><129>0<199 
> >6<22
>> <3><1><0><220><13><0><0><212><2><1><2><0><207><0><205>0<129><202>1<11> 
>> 0<9><
> 6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6 
> ><3>U
> <4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certif
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 40
> Authentic:  <195>VW<29><140><156>cP<187><218><248><2><131><243><160>@
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <245><134>2<178>VV<193><240><212>WJ<215><226>2u~
> 	EAP-Message = <2><5><0><6><25><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 5, 6
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 40
> Authentic:  <195>VW<29><140><156>cP<187><218><248><2><131><243><160>@
> Attributes:
> 	EAP-Message =
> <1><6><0><134><25><0>icates1!0<31><6><3>U<4><11><19><24>Test
> Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in
> production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<14>< 
> 0><0>
> <0>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 41
> Authentic:  <183><KX<175><216><194><233>MlL<206>{<133><192>S
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <241><156><25>^m<211><9>W<21><198><162><146>t<141><200>F
> 	EAP-Message =
> <2><6><0><199><25><128><0><0><0><189><22><3><1><0><141><11><0><0><3><0> 
> <0><0
>> <16><0><0><130><0><128><179><226><223><254>t<181><129><166><210><141>` 
>> <206>
> ; 
> <140><23><254>m<22>|<171>z<127><156><1><190>p<236>4Q<247>}<246><176><14 
> 2><2
> 51><244>Y<229><159>,<163>q<127>$a<179><200><222><216>o<255><11>J[Dk<235 
> >.<21
> 1><245>U<141><216><15><197><179>r<4><163><169><202><133>3<25><234><175> 
> <30>v
> <194><254>i0<206>o<183><190><24><206><247><190>T<167><185><0><225><186> 
> <182>
> <194><14>! 
> 6Z<23><254><223>u<178><168><158><149><<206><142><168><233>q<211>;n
> <254><14><219><12><226><147><186>gd<20><3><1><0><1><1><22><3><1><0>
> '<20>l[<190><2>Ae6<148><218><134><239>8<29><15>~7U<17>R<167>/ 
> <15>M<194><142>
> <25><7><221><154><184>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 6, 199
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 41
> Authentic:  <183><KX<175><216><194><233>MlL<206>{<133><192>S
> Attributes:
> 	EAP-Message =
> <1><7><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> oT<219>#<225><243>0? 
> <136><19><132><166><239><2><219>h<215>3<192>K<21><133>9<
> 228><127><239><177><223><212><146>`<182>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 42
> Authentic:  <142>_TC<156><171>I<249><191><237><226><202>W;/5
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <198><4><16>!2<193>IL<233><158><166><150><139><208>k!
> 	EAP-Message = <2><7><0><6><25><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 7, 6
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:  
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 42
> Authentic:  <142>_TC<156><171>I<249><191><237><226><202>W;/5
> Attributes:
> 	EAP-Message =
> <1><8><0><28><25><0><23><3><1><0><17><171><181>GpNQ<224><219><161><30>< 
> 3><17
> 6><27><180><210>c<19>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 43
> Authentic:  |<218><222>^RHe<239><20><196>X<11><129><252><214><138>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator = @>R<159><153>OK<15>gm<209><254>t<146>NV
> 	EAP-Message =
> <2><8><0>&<25><0><23><3><1><0><27>"<4><167><159><194><182><248><6><139> 
> <188>
> <250>u<243><129><13><231>z<164>h<150><5><241><178><234>qi<176>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 8, 38
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP PEAP inner authentication request for anonymous
> Mon Nov 29 11:04:58 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <255>X<1><129>G<136>\<161>{<179><241>]<170><144>s<138>
> Attributes:
> 	EAP-Message = <2><8><0><11><1>NT\testuser
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	User-Name = "anonymous"
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
> 	NAS-Port = 287
> 	Calling-Station-Id = "000c.41a9.930f"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for , 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 8, 11
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for anonymous: EAP
> MSCHAP-V2 Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser: EAP PEAP inner authentication redespatched to a Handler
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 43
> Authentic:  |<218><222>^RHe<239><20><196>X<11><129><252><214><138>
> Attributes:
> 	EAP-Message =
> <1><9><0>8<25><0><23><3><1><0>-)\t<212><167><26><168>*<248><11>T<220>s< 
> 3><20
> 0><22><170><176>E<179><16>KeG<190>o<137><216><201>XW<148><248>8B<138><1 
> 38>)O
> 0(<196><211><252><152>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 44
> Authentic:  <237>MN<251><158><5>h<9><192><191><197><10>[}<169><225>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <146>P<244><17><168><159><159>Sc<255><229><234><230>-<156><233>
> 	EAP-Message =
> <2><9><0>\<25><0><23><3><1><0>Q*<145>2<145>,|Y<158><165>\O<160><182><23 
> 9><16
>> 6z<227><237><189>@<195><130><242><128>h<130><216><250><24>XX<140><179> 
>> <217>
> <27><192><157><208><243><213><162>6<209><247>f<165>]<152>&8<175><160>5< 
> 217><
> 24><27><189><27>s<206>m\<8><173><154><244>]UX<18><230>a<210><127><255>Z 
> V<239
>> d<159>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 9, 92
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP PEAP inner authentication request for anonymous
> Mon Nov 29 11:04:58 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <233><187><249><170>9w<255><26><207><205>j<147>C<160><241>4
> Attributes:
> 	EAP-Message =
> <2><9><0>A<26><2><9><0>@11<141><24>t<3><31>a<170><169>_T<28><26><25><21 
> 7>Z<0
>> <0><0><0><0><0><0><0><14>Z<191><14><152><23><196><0><194>|<204>0<142>o 
>> 0<20>
> q<202><137>7<227><204>l<255><0>NT\testuser
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	User-Name = "anonymous"
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
> 	NAS-Port = 287
> 	Calling-Station-Id = "000c.41a9.930f"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for , 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 9, 65
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 26
> Mon Nov 29 11:04:58 2004: DEBUG: Radius::AuthLSA looks for match with NT\testuser
> Mon Nov 29 11:04:58 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Nov 29 11:04:59 2004: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> Mon Nov 29 11:04:59 2004: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Mon Nov 29 11:04:59 2004: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Mon Nov 29 11:04:59 2004: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Mon Nov 29 11:04:59 2004: DEBUG: Access challenged for NT\testuser: EAP PEAP inner authentication redespatched to a Handler
> Mon Nov 29 11:04:59 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Challenge
> Identifier: 44
> Authentic:  <237>MN<251><158><5>h<9><192><191><197><10>[}<169><225>
> Attributes:
> 	EAP-Message =
> <1><10><0>&<25><0><23><3><1><0><27><189>m0<5>X<21><18>*h<1><231>I\<147> 
> <230>
> T<142>c<182>9<207>L<127><140>Y<253><144>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:59 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code:       Access-Request
> Identifier: 45
> Authentic:  <232><156><161><194>F<2>5<165>Y<217>0<247><171><167>R<151>
> Attributes:
> 	User-Name = "NT\testuser"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.931f.57c0"
> 	Calling-Station-Id = "000c.41a9.930f"
> 	Message-Authenticator =
> <8>f<170><13><172><25><230><250><241>r<241><255><237><189>)8
> 	EAP-Message =
> <2><10><0>&<25><0><23><3><1><0><27><155><199><223><161><174><197><134>{ 
> <137>
> <175><173><191><165><6>p<180><10><162><210><214><191>{h<229><134>_@
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 287
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 171.64.19.234
> 	NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:59 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:59 2004: DEBUG:  Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:59 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:59 2004: DEBUG: Handling with EAP: code 2, 10, 38
> Mon Nov 29 11:04:59 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:59 2004: DEBUG: EAP result: 1, PEAP Authentication Failure
> Mon Nov 29 11:04:59 2004: INFO: Access rejected for NT\testuser: PEAP Authentication Failure
> Mon Nov 29 11:04:59 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code:       Access-Reject
> Identifier: 45
> Authentic:  <232><156><161><194>F<2>5<165>Y<217>0<247><171><167>R<151>
> Attributes:
> 	EAP-Message = <4><10><0><4>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Reply-Message = "Request Denied"
>
> ******* END TRACE OUTPUT *******
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

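The trace Kirk posted is long, but the lines that matter for this thread are few: which Handler a request landed in (the outer '' or the inner 'TunnelledByPEAP=1'), which AuthBy module ran, the EAP method type of each response, and the NTSTATUS value in the "Could not LogonUserNetworkMSCHAP" warning. The following script is an added example, not code from the thread or from Radiator. It reads trace 4 output in the shape quoted above and reduces it to that summary; the sample trace embedded in it is a constructed, abridged imitation of Kirk's log, the EAP method numbers are the standard IANA ones, and the NTSTATUS table covers a handful of common logon results (3221225581 is 0xC000006D, STATUS_LOGON_FAILURE). The hint in diagnose() that ties STATUS_LOGON_FAILURE to the account and the LM authentication level is drawn from the thread subject and is an assumption about where to look, not a Radiator diagnostic.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the Radiator trace 4 output quoted in the
# thread; an abridged, hand-written imitation, not a copy of the real log.
SAMPLE_TRACE = """\
Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
*** Received from 171.64.19.234 port 21645 ....
Code:       Access-Request
Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
Mon Nov 29 11:04:58 2004: DEBUG:  Deleting session for NT\\testuser, 171.64.19.234, 287
Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 9, 92
Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
Mon Nov 29 11:04:58 2004: DEBUG: EAP PEAP inner authentication request for anonymous
Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthLSA:
Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 9, 65
Mon Nov 29 11:04:58 2004: DEBUG: Response type 26
Mon Nov 29 11:04:59 2004: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Mon Nov 29 11:04:59 2004: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Mon Nov 29 11:04:59 2004: INFO: Access rejected for NT\\testuser: PEAP Authentication Failure
"""

# Standard EAP method type numbers (IANA EAP Method Types registry).
EAP_METHOD_NAMES = {1: "Identity", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}

# A few NTSTATUS values commonly returned for a failed network logon.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# "Mon Nov 29 11:04:58 2004: DEBUG: message" -> (timestamp, level, message)
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (\w+): ?(.*)$")
HANDLER_RE = re.compile(r"Handling request with Handler '(.*)'")
MODULE_RE = re.compile(r"Handling with (Radius::\w+):")
RESPONSE_RE = re.compile(r"Response type (\d+)")
LSA_RE = re.compile(r"Could not LogonUserNetworkMSCHAP \(V2\): (\d+), (\d+), (.*)")
REJECT_RE = re.compile(r"Access rejected for (.+?): (.*)")


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Keep only timestamped log lines; packet-dump bodies and banners are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue
        ts, level, msg = m.groups()
        events.append({"ts": ts, "level": level, "msg": msg.strip()})
    return events


def decode_ntstatus(code: int) -> Dict[str, object]:
    """Radiator logs the NTSTATUS in decimal; show it as hex with its symbolic name."""
    return {"code": code, "hex": f"0x{code:08X}", "name": NTSTATUS_NAMES.get(code, "UNKNOWN")}


def summarize(events: List[Dict[str, str]]) -> Dict[str, list]:
    """Collect handlers, AuthBy modules, EAP methods, LSA failures and rejected users, in order."""
    summary: Dict[str, list] = {"handlers": [], "auth_modules": [], "eap_methods": [],
                                "lsa_failures": [], "rejected": []}

    def note(key: str, value) -> None:
        if value not in summary[key]:
            summary[key].append(value)

    for ev in events:
        msg = ev["msg"]
        if (m := HANDLER_RE.search(msg)):
            note("handlers", m.group(1))
        elif (m := MODULE_RE.search(msg)):
            note("auth_modules", m.group(1))
        elif (m := RESPONSE_RE.search(msg)):
            t = int(m.group(1))
            note("eap_methods", EAP_METHOD_NAMES.get(t, f"type {t}"))
        elif (m := LSA_RE.search(msg)):
            info = decode_ntstatus(int(m.group(1)))
            info["text"] = m.group(3)
            summary["lsa_failures"].append(info)
        elif (m := REJECT_RE.search(msg)):
            note("rejected", m.group(1))
    return summary


def diagnose(summary: Dict[str, list]) -> str:
    """One-line reading of the summary in the terms used in the thread (assumed heuristics)."""
    if not any(h.startswith("TunnelledByPEAP") for h in summary["handlers"]):
        return "No tunnelled handler was reached: the outer PEAP TLS phase never completed."
    if not summary["lsa_failures"]:
        return "Inner MSCHAP-V2 was dispatched to AuthBy LSA; no LSA logon error was logged."
    names = sorted({f["name"] for f in summary["lsa_failures"]})
    if "STATUS_LOGON_FAILURE" in names:
        return ("The DC rejected the MSCHAP-V2 logon (STATUS_LOGON_FAILURE): the TLS tunnel and "
                "handler layout are fine; check the account, the domain and the LM authentication level.")
    return "LSA logon failed with " + ", ".join(names)


if __name__ == "__main__":
    result = summarize(parse_trace(SAMPLE_TRACE))
    for key, value in result.items():
        print(f"{key}: {value}")
    print(diagnose(result))
```

Run it against a real trace with `summarize(parse_trace(open("radiator.log").read()))`; the handler list shows whether the request ever reached the TunnelledByPEAP handler (that is, whether the outer TLS phase succeeded), and the decoded NTSTATUS separates a tunnel or configuration problem from a logon the domain controller itself refused.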