(RADIATOR) AuthBy LSA and Lan Manager Auth Level
Hugh Irvine
hugh at open.com.au
Tue Nov 30 05:10:31 CST 2004
Hello Antonio -
You are correct - it is only the outer handler that requires the EAP
parameters.
regards
Hugh
On 30 Nov 2004, at 20:24, António Fernandes wrote:
> Hi,
>
> A question rises to me: being that Handler TunnelledByPEAP couldn't
> you not use EAPTLS_CAFile, EAPTLS_CertificateFile, ...,
> EAPTLS_MaxFragmentSize? The only handler that should need that info
> would be the outer packet handler.
> Am I right?
>
>
> Thanks to all,
>
> Antonio Fernandes
> Porto Management School
> University of Porto - Portugal
>
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Kawakubo, Ken
> Sent: Monday, 29 November 2004 21:42
> To: 'Kirk T Byers'; Hugh Irvine
> Cc: radiator at open.com.au
> Subject: RE: (RADIATOR) AuthBy LSA and Lan Manager Auth Level
>
> Kirk,
>
> We have successfully implemented PEAP/MSChapv2, EAP-TTLS/PAP, and LEAP
> authentications against Active Directory using AuthBy LSA. We use the
> Windows built-in client for PEAP/MSChapv2 authentication. The pertinent
> portion of the configuration looks like below. Basically, you need to
> put AuthBy LSA under <Handler TunnelledByPEAP=1>. First, radius packets
> go to <Handler>, then if they are PEAP authentication packets, they get
> dispatched to <Handler TunnelledByPEAP=1>, and this is the Handler
> which does authentication by LSA. The users file includes the
> "anonymous" user only.
>
> Ken Kawakubo
>
> <Handler TunnelledByPEAP=1>
>     # Authenticate with Windows LSA
>     <AuthBy LSA>
>         DomainController xxxxx
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>         EAPTLS_CAFile C:/Program Files/Radiator/cacert.pem
>         EAPTLS_CertificateFile C:/Program Files/Radiator/xxxxx.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile C:/Program Files/Radiator/xxxxx.pem
>         EAPTLS_PrivateKeyPassword everwhat
>         EAPTLS_MaxFragmentSize 500
>     </AuthBy>
>
>     AcctLogFileName %L/detail
> </Handler>
>
> <Handler>
>     <AuthBy FILE>
>         Filename C:/Program Files/Radiator/users
>
>         EAPType PEAP,TTLS
>         EAPTLS_PEAPVersion 0
>
>         EAPTLS_CAFile C:/Program Files/Radiator/cacert.pem
>         EAPTLS_CertificateFile C:/Program Files/Radiator/xxxxx.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile C:/Program Files/Radiator/xxxxx.pem
>         EAPTLS_PrivateKeyPassword everwhat
>         EAPTLS_MaxFragmentSize 1024
>         AutoMPPEKeys
>         SSLeayTrace 4
>     </AuthBy>
>
>     AcctLogFileName %L/detail
>     AuthLog eap-authlog
> </Handler>
>
> -----Original Message-----
> From: Kirk T Byers [mailto:ktbyers at stanford.edu]
> Sent: Monday, November 29, 2004 12:49 PM
> To: Hugh Irvine
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) AuthBy LSA and Lan Manager Auth Level
>
>
> Hugh,
>
> Here is my configuration file and debugging log. I have validated
> that I can log into the domain using the username/password that I am
> testing with.
>
> Thanks,
>
> Kirk
>
>
> ******* radius.cfg *******
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> Trace 4
>
> <Client DEFAULT>
> Secret XXXXXX
> DupInterval 0
> </Client>
>
> <Handler TunnelledByPEAP=1>
>
> <AuthBy LSA>
> #Domain
> Domain NT
> #DefaultDomain NT
>
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
>
> <Handler>
> <AuthBy FILE>
> Filename %D/users
>
> EAPType PEAP
>
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> # EAPTLS_CAPath
>
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile %D/certificates/random
>
> EAPTLS_MaxFragmentSize 1000
>
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> AutoMPPEKeys
>
> SSLeayTrace 4
>
> #EAPTLS_SessionResumptionLimit 10
> </AuthBy>
> </Handler>
>
> ******* END radius.cfg *******
>
>
> ******* TRACE OUTPUT *******
> Mon Nov 29 11:04:20 2004: DEBUG: Reading users file ./users
> Mon Nov 29 11:04:20 2004: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2005-02-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact admin at open.com.au
>
> Mon Nov 29 11:04:20 2004: DEBUG: Reading dictionary file './dictionary'
> Mon Nov 29 11:04:20 2004: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Mon Nov 29 11:04:20 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Nov 29 11:04:20 2004: NOTICE: Server started: Radiator 3.9+patches
> on
> testserver (LOCKED)
> Mon Nov 29 11:04:23 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 35
> Authentic: 6<4>(<170><190><226><203><141>n5O+<144><180><153><159>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <192><230><0>M<219>N<248><135><231>'<171><11>h<218><132>t
> EAP-Message = <2><1><0><15><1>NT\testuser
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 286
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:23 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:23 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 286
> Mon Nov 29 11:04:23 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:23 2004: DEBUG: Handling with EAP: code 2, 1, 15
> Mon Nov 29 11:04:23 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:24 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:24 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:24 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 35
> Authentic: 6<4>(<170><190><226><203><141>n5O+<144><180><153><159>
> Attributes:
> EAP-Message = <1><2><0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:56 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 36
> Authentic:
> <216><138><0><176><13><239><158>l?<200><212><211>G<212><203><19>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <204>G<136><189><225>x<11>u<219>1$\<172>RY<211>
> EAP-Message = <2><1><0><15><1>NT\testuser
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:56 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:56 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:56 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:56 2004: DEBUG: Handling with EAP: code 2, 1, 15
> Mon Nov 29 11:04:56 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:56 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:56 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:56 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 36
> Authentic:
> <216><138><0><176><13><239><158>l?<200><212><211>G<212><203><19>
> Attributes:
> EAP-Message = <1><2><0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 37
> Authentic: <163>3c<250><30>!<v<213><194><145><238>I\<183><179>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <227><174><147><159>v<166>W<248><182>m<133>@<207><172><161>Q
> EAP-Message = <2><2><0><15><1>NT\testuser
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:57 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:57 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with EAP: code 2, 2, 15
> Mon Nov 29 11:04:57 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:57 2004: DEBUG: Resuming session for
> Radius::Context=HASH(0x246f058)
>
> Mon Nov 29 11:04:57 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 37
> Authentic: <163>3c<250><30>!<v<213><194><145><238>I\<183><179>
> Attributes:
> EAP-Message = <1><3><0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 38
> Authentic:
> <151><182><11>H<246>j2<219><251><202><216>U<163><10><131><172>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> u<132><23><219><136>?<31>{<194><141>}~<155>NV<138>
> EAP-Message =
> <2><3><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>A<171>r<239>
> <246>
> <19><1>ciy<230>5>U<231>o\]<11><163>9mh<149><227><151><133><220><166>
> <176>y<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0>
> <18><
> 0>c<1><0>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:57 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:57 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with EAP: code 2, 3, 80
> Mon Nov 29 11:04:57 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:57 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Mon Nov 29 11:04:57 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 38
> Authentic:
> <151><182><11>H<246>j2<219><251><202><216>U<163><10><131><172>
> Attributes:
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 39
> Authentic:
> <213><239><29><0><5>-<231>H<219><172><199><24><11>i<214><29>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <246><234><230><193><183><194><239>)D<150>f<190><15><145>h<14>
> EAP-Message = <2><4><0><6><25><0>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:57 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:57 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:57 2004: DEBUG: Handling with EAP: code 2, 4, 6
> Mon Nov 29 11:04:57 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:57 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 39
> Authentic:
> <213><239><29><0><5>-<231>H<219><172><199><24><11>i<214><29>
> Attributes:
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:57 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 40
> Authentic: <195>VW<29><140><156>cP<187><218><248><2><131><243><160>@
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <245><134>2<178>VV<193><240><212>WJ<215><226>2u~
> EAP-Message = <2><5><0><6><25><0>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 5, 6
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 40
> Authentic: <195>VW<29><140><156>cP<187><218><248><2><131><243><160>@
> Attributes:
> EAP-Message =
> <1><6><0><134><25><0>icates1!0<31><6><3>U<4><11><19><24>Test
> Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in
> production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<14><
> 0><0>
> <0>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 41
> Authentic: <183><KX<175><216><194><233>MlL<206>{<133><192>S
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <241><156><25>^m<211><9>W<21><198><162><146>t<141><200>F
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 6, 199
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 41
> Authentic: <183><KX<175><216><194><233>MlL<206>{<133><192>S
> Attributes:
> EAP-Message =
> <1><7><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> oT<219>#<225><243>0?
> <136><19><132><166><239><2><219>h<215>3<192>K<21><133>9<
> 228><127><239><177><223><212><146>`<182>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 42
> Authentic: <142>_TC<156><171>I<249><191><237><226><202>W;/5
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <198><4><16>!2<193>IL<233><158><166><150><139><208>k!
> EAP-Message = <2><7><0><6><25><0>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 7, 6
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 42
> Authentic: <142>_TC<156><171>I<249><191><237><226><202>W;/5
> Attributes:
> EAP-Message =
> <1><8><0><28><25><0><23><3><1><0><17><171><181>GpNQ<224><219><161><30><
> 3><17
> 6><27><180><210>c<19>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 43
> Authentic: |<218><222>^RHe<239><20><196>X<11><129><252><214><138>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator = @>R<159><153>OK<15>gm<209><254>t<146>NV
> EAP-Message =
> <2><8><0>&<25><0><23><3><1><0><27>"<4><167><159><194><182><248><6><139>
> <188>
> <250>u<243><129><13><231>z<164>h<150><5><241><178><234>qi<176>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 8, 38
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP PEAP inner authentication request
> for
> anonymous
> Mon Nov 29 11:04:58 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <255>X<1><129>G<136>\<161>{<179><241>]<170><144>s<138>
> Attributes:
> EAP-Message = <2><8><0><11><1>NT\testuser
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
> NAS-Port = 287
> Calling-Station-Id = "000c.41a9.930f"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for ,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 8, 11
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 1
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for anonymous: EAP
> MSCHAP-V2 Challenge
> Mon Nov 29 11:04:58 2004: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Mon Nov 29 11:04:58 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> inner authentication redespatched to a Handler
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 43
> Authentic: |<218><222>^RHe<239><20><196>X<11><129><252><214><138>
> Attributes:
> EAP-Message =
> <1><9><0>8<25><0><23><3><1><0>-)\t<212><167><26><168>*<248><11>T<220>s<
> 3><20
> 0><22><170><176>E<179><16>KeG<190>o<137><216><201>XW<148><248>8B<138><1
> 38>)O
> 0(<196><211><252><152>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:58 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 44
> Authentic: <237>MN<251><158><5>h<9><192><191><197><10>[}<169><225>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <146>P<244><17><168><159><159>Sc<255><229><234><230>-<156><233>
> EAP-Message =
> <2><9><0>\<25><0><23><3><1><0>Q*<145>2<145>,|Y<158><165>\O<160><182><23
> 9><16
>> 6z<227><237><189>@<195><130><242><128>h<130><216><250><24>XX<140><179>
>> <217>
> <27><192><157><208><243><213><162>6<209><247>f<165>]<152>&8<175><160>5<
> 217><
> 24><27><189><27>s<206>m\<8><173><154><244>]UX<18><230>a<210><127><255>Z
> V<239
>> d<159>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 9, 92
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:58 2004: DEBUG: EAP PEAP inner authentication request
> for
> anonymous
> Mon Nov 29 11:04:58 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <233><187><249><170>9w<255><26><207><205>j<147>C<160><241>4
> Attributes:
> EAP-Message =
> <2><9><0>A<26><2><9><0>@11<141><24>t<3><31>a<170><169>_T<28><26><25><21
> 7>Z<0
>> <0><0><0><0><0><0><0><14>Z<191><14><152><23><196><0><194>|<204>0<142>o
>> 0<20>
> q<202><137>7<227><204>l<255><0>NT\testuser
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
> NAS-Port = 287
> Calling-Station-Id = "000c.41a9.930f"
>
> Mon Nov 29 11:04:58 2004: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Nov 29 11:04:58 2004: DEBUG: Deleting session for ,
> 171.64.19.234, 287
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Nov 29 11:04:58 2004: DEBUG: Handling with EAP: code 2, 9, 65
> Mon Nov 29 11:04:58 2004: DEBUG: Response type 26
> Mon Nov 29 11:04:58 2004: DEBUG: Radius::AuthLSA looks for match with
> NT\testuser
> Mon Nov 29 11:04:58 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Nov 29 11:04:59 2004: WARNING: Could not LogonUserNetworkMSCHAP
> (V2):
> 3221225581, 0, Logon failure: unknown user name or bad password.
> Mon Nov 29 11:04:59 2004: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication
> failure
> Mon Nov 29 11:04:59 2004: INFO: Access rejected for anonymous: EAP
> MSCHAP-V2
> Authentication failure
> Mon Nov 29 11:04:59 2004: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Mon Nov 29 11:04:59 2004: DEBUG: Access challenged for NT\testuser:
> EAP PEAP
> inner authentication redespatched to a Handler
> Mon Nov 29 11:04:59 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 44
> Authentic: <237>MN<251><158><5>h<9><192><191><197><10>[}<169><225>
> Attributes:
> EAP-Message =
> <1><10><0>&<25><0><23><3><1><0><27><189>m0<5>X<21><18>*h<1><231>I\<147>
> <230>
> T<142>c<182>9<207>L<127><140>Y<253><144>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov 29 11:04:59 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 45
> Authentic: <232><156><161><194>F<2>5<165>Y<217>0<247><171><167>R<151>
> Attributes:
> User-Name = "NT\testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <8>f<170><13><172><25><230><250><241>r<241><255><237><189>)8
> EAP-Message =
> <2><10><0>&<25><0><23><3><1><0><27><155><199><223><161><174><197><134>{
> <137>
> <175><173><191><165><6>p<180><10><162><210><214><191>{h<229><134>_@
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 287
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Mon Nov 29 11:04:59 2004: DEBUG: Handling request with Handler ''
> Mon Nov 29 11:04:59 2004: DEBUG: Deleting session for NT\testuser,
> 171.64.19.234, 287
> Mon Nov 29 11:04:59 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 29 11:04:59 2004: DEBUG: Handling with EAP: code 2, 10, 38
> Mon Nov 29 11:04:59 2004: DEBUG: Response type 25
> Mon Nov 29 11:04:59 2004: DEBUG: EAP result: 1, PEAP Authentication
> Failure
> Mon Nov 29 11:04:59 2004: INFO: Access rejected for NT\testuser: PEAP
> Authentication Failure
> Mon Nov 29 11:04:59 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Reject
> Identifier: 45
> Authentic: <232><156><161><194>F<2>5<165>Y<217>0<247><171><167>R<151>
> Attributes:
> EAP-Message = <4><10><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> ******* END TRACE OUTPUT *******
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
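
The point confirmed at the top of this thread (only the outer handler needs the EAPTLS parameters), as an added example that is not part of the original messages and is not Radiator's own code: a small Python check that parses Handler/AuthBy blocks and reports EAPTLS_* parameters set inside a TunnelledByPEAP handler, where they add nothing except another copy of the private key password. The sample configuration, the finding names and the REQUIRED_OUTER set (taken from the outer handlers posted in the thread) are assumptions made for this example.

```python
import re

# Constructed sample, modelled on the handler layout posted in the thread.
SAMPLE_CFG = """\
<Handler TunnelledByPEAP=1>
    <AuthBy LSA>
        EAPType MSCHAP-V2
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword example-only
    </AuthBy>
</Handler>

<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword example-only
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>
</Handler>
"""

TLS_PREFIX = "EAPTLS_"
# Assumption: the server certificate parameters present in both outer
# handlers shown in the thread are treated as the required set.
REQUIRED_OUTER = ("EAPTLS_CertificateFile", "EAPTLS_CertificateType",
                  "EAPTLS_PrivateKeyFile")
TUNNEL_EAP_TYPES = {"PEAP", "TTLS"}


def parse_handlers(text):
    """Return [{'check': str, 'authbys': [{'type': str, 'params': dict}]}]."""
    handlers, handler, authby = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"<Handler\s*(.*?)>$", line)
        if m:
            handler = {"check": m.group(1).strip(), "authbys": []}
            handlers.append(handler)
            continue
        if line == "</Handler>":
            handler = authby = None
            continue
        m = re.match(r"<AuthBy\s+(\S+?)>$", line)
        if m and handler is not None:
            authby = {"type": m.group(1), "params": {}}
            handler["authbys"].append(authby)
            continue
        if line == "</AuthBy>":
            authby = None
            continue
        if authby is not None and not line.startswith("<"):
            parts = line.split(None, 1)  # flag parameters have no value
            authby["params"][parts[0]] = parts[1] if len(parts) > 1 else ""
    return handlers


def is_tunnelled(check):
    """True for a handler that only sees inner (tunnelled) PEAP requests."""
    return any(item.strip() == "TunnelledByPEAP=1" for item in check.split(","))


def lint(handlers):
    """Return a list of (rule, location, parameter) findings."""
    findings = []
    for h in handlers:
        inner = is_tunnelled(h["check"])
        for a in h["authbys"]:
            where = "<Handler %s> / <AuthBy %s>" % (h["check"] or "(default)",
                                                    a["type"])
            params = a["params"]
            if inner:
                # TLS is terminated by the outer handler; these are unused here.
                for name in params:
                    if name.startswith(TLS_PREFIX):
                        findings.append(("unneeded-inner-tls", where, name))
                continue
            eap_types = {t.strip().upper()
                         for t in params.get("EAPType", "").split(",")}
            if eap_types & TUNNEL_EAP_TYPES:
                for name in REQUIRED_OUTER:
                    if name not in params:
                        findings.append(("missing-outer-tls", where, name))
    return findings


if __name__ == "__main__":
    for rule, where, name in lint(parse_handlers(SAMPLE_CFG)):
        print(f"{rule}: {name} in {where}")
```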