(RADIATOR) EAP-TLS + LDAP

Hugh Irvine hugh at open.com.au
Wed Oct 27 02:53:37 CDT 2004


Hello Miklos -

I think you should try using the default SearchFilter, which will automatically use the Identity contained in the EAP-Message.

The default SearchFilter is:

	SearchFilter (%0=%1)

See sections 6.36.15 and 23.4 in the Radiator 3.11 reference manual ("doc/ref.html").

regards

Hugh


On 27 Oct 2004, at 00:08, Tirpak Miklos wrote:

> Hello Hugh,
>
> I am sending you the config file and the debug attached. The searchfilter in
> the ldap query is uid=Miklos Tirpak, which is not correct; it should be
> mail=mtirpak at sztaki.hu. I should do the following somehow:
>
> 1. Get the realm from the eap request. For example, the user belongs
> to our domain if the issuer of the certificate was NIIF CA.
> 2. If the realm is not ours, proxy the radius request toward.
> 3. If the realm is ours, check if the certificate is correct.
> 4. Look at the revocation list.
> 5. Search for the user in LDAP based on his e-mail address.
> 5a. If the user is in the database, pass the VLAN attributes back to
> the switch in a radius accept.
> 5b. If the user is not in the db, pass a default attribute to the switch
> in a radius accept (or the switch can use its own default setting).
>
> Is this the correct way of setting up EAP-TLS authentication with
> LDAP? How do others do it?
>
> Thank you,
> Miklos
>
> On 10/23/04 01:24, Hugh Irvine wrote:
>> Hello Miklos -
>> Could you please send me a copy of your configuration file (no
>> secrets) and a complete trace 4 debug showing what is happening with
>> what you have so far? I would like to see the contents of the radius
>> requests so I can make suggestions.
>> regards
>> Hugh
>> On 22 Oct 2004, at 18:54, Tirpak Miklos wrote:
>>> Hello!
>>>
>>> I would like to use EAP-TLS as dot1x authentication, and get the
>>> vlan name from LDAP after the successful authentication. The
>>> search filter has to contain the e-mail address of the user instead
>>> of the name, because the name is not unique in our database. The
>>> searchfilter for example should be: uid=mtirpak at sztaki.hu
>>>
>>> The problem is that the radius request does not contain the e-mail
>>> address as an attribute; it contains only the user name: User-Name
>>> = "Miklos Tirpak". The e-mail address is in the eap message. Is
>>> there any way to make the search filter based on the e-mail
>>> address? Like %{some_attribute}, or with a script?
>>>
>>> The realm is also not included in the radius attributes, so I have
>>> to get it from the eap message. This is the same problem as above.
>>>
>>> Thanks,
>>> Miklos
>>>
>>> -- 
>>> -------------------------------------------------------------------------
>>>   Miklos Tirpak
>>>   Computer and Automation Research Institute   e-mail : mtirpak at sztaki.hu
>>>   Hungarian Academy of Sciences                phone  : (361) 279-6011
>>>   H-1132 Budapest, Victor Hugo u 18-22         fax    : (361) 279-6021
>>>
>>> -- 
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
>
> -- 
> -------------------------------------------------------------------------
>   Miklos Tirpak
>   Computer and Automation Research Institute   e-mail : mtirpak at sztaki.hu
>   Hungarian Academy of Sciences                phone  : (361) 279-6011
>   H-1132 Budapest, Victor Hugo u 18-22         fax    : (361) 279-6021
>
> # radius.cfg
> #
> # This is a very simple radius.cfg that you can use to get started.
> # only the most important parameters are set here. The full set
> # of parameters can be seen in radius.cfg in the top of the distribution tree.
> #
> # As it stands, it will authenticate a single client and a
> # single realm from a flat file
> # database, and save the accounting info to a single details file.
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 1997 Open System Consultants
> # $Id: radius.cfg,v 1.3 1999/01/28 05:13:52 mikem Exp $
>
> # Set this to the directory where your logfile and details file are to go
> LogDir	/var/log/radiator
>
> # listen
> BindAddress	195.111.0.46
> AuthPort	1812
> AcctPort	1813
>
> # runs in foreground
> Foreground
> #LogStdout
> LogFile /home/mtirpak/debug/Radiator/eap_tls_ldap.log
> Trace	4
>
> # Set this to the database directory. It should contain these files:
> # users           The user database
> # dictionary      The dictionary for your NAS
> DbDir /usr/local/etc/radiator
>
> # This clause defines a single client to listen to
> <Client 195.111.96.134>
> 	Secret	secret
> </Client>
>
> # For testing: this allows us to honour requests from radpwtst
> # on the same host.
> <Client localhost>
> 	Secret secret
> 	DupInterval 0
> </Client>
>
> <AuthBy LDAP2>
> 	# The filename defaults to %D/users
> 	Identifier	eap-auth
> 	EAPType		TLS
>
> 	# certificate of the CA
> 	EAPTLS_CAFile	/etc/radiator/certificates/NIIF/cacert.pem
> 	# EAPTLS_CAPath	/etc/radiator/certificates/NIIF
>
> 	# certificate of the radius server
> 	EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
> 	EAPTLS_CertificateType PEM
> 	
> 	# private key of the radius server
> 	EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
> 	EAPTLS_PrivateKeyPassword secret
>
> 	# check the revocation list
> 	EAPTLS_CRLCheck
> 	EAPTLS_CRLFile	/etc/radiator/revocation_list/list.pem
>
> 	# LDAP parameters
> 	Host		directory.iif.hu
>
> 	# bind
> 	AuthDN		uid=radius-802.1x,ou=applications,ou=hboneadmin,o=niif,c=hu
> 	AuthPassword	secret
>
> 	# search
> 	BaseDN		ou=users,ou=hboneadmin,o=niif,c=hu
> 	SearchFilter	(uid=%{User-Name})
> 	PasswordAttr
>
> 	# reply items
> 	AuthAttrDef	radiusTunnelType, Tunnel-Type, reply
> 	AuthAttrDef	radiusTunnelMediumType, Tunnel-Medium-Type, reply
> 	AuthAttrDef	radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
> 	
> 	
> </AuthBy>
>
> # This clause handles all users from all realms by looking them up
> # in the users file at /usr/local/etc/raddb/users
> <Realm DEFAULT>
> 	AuthBy eap-auth
> 	#PacketTrace
> 	RejectHasReason
> 	# Log accounting to the detail file in LogDir
> 	AcctLogFileName	%L/detail
> </Realm>
>
> Tue Oct 26 15:44:03 2004: DEBUG: Finished reading configuration file  
> '/etc/radiator/radius.cfg'
> Tue Oct 26 15:44:03 2004: DEBUG: Reading dictionary file  
> '/usr/local/etc/radiator/dictionary'
> Tue Oct 26 15:44:03 2004: DEBUG: Creating authentication port  
> 195.111.0.46:1812
> Tue Oct 26 15:44:03 2004: DEBUG: Creating accounting port  
> 195.111.0.46:1813
> Tue Oct 26 15:44:03 2004: NOTICE: Server started: Radiator 3.10 on  
> tirpi (LOCKED)
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code:       Access-Request
> Identifier: 94
> Authentic:  <205>j<146><138>M<29><177><31><28><223><210><162>x-#<224>
> Attributes:
> 	NAS-IP-Address = 195.111.96.134
> 	Cisco-NAS-Port = "FastEthernet0/37"
> 	NAS-Port-Type = Async
> 	User-Name = "Miklos Tirpak"
> 	Service-Type = Framed-User
> 	Framed-MTU = 1500
> 	Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> 	EAP-Message = <2><0><0><18><1>Miklos Tirpak
> 	Message-Authenticator =  
> <131><171>l<10><168>)<215>5s<168><236><195><17><157>c<14>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:27 2004: DEBUG:  Deleting session for Miklos Tirpak,  
> 195.111.96.134,
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with Radius::AuthLDAP2:  
> eap-auth
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with EAP: code 2, 0, 18
> Tue Oct 26 15:44:27 2004: DEBUG: Response type 1
> Tue Oct 26 15:44:27 2004: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Access challenged for Miklos Tirpak:  
> EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code:       Access-Challenge
> Identifier: 94
> Authentic:  <205>j<146><138>M<29><177><31><28><223><210><162>x-#<224>
> Attributes:
> 	EAP-Message = <1><1><0><6><13>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code:       Access-Request
> Identifier: 95
> Authentic:  <131><11><238><145>'<16>)<8><12><26>g<180><182><219><230>n
> Attributes:
> 	NAS-IP-Address = 195.111.96.134
> 	Cisco-NAS-Port = "FastEthernet0/37"
> 	NAS-Port-Type = Async
> 	User-Name = "Miklos Tirpak"
> 	Service-Type = Framed-User
> 	Framed-MTU = 1500
> 	Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> 	EAP-Message =  
> <2><1><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>A~T<186><10> 
> <145><151><184><147>! 
> 2<206><155><16><252><13>=<205>I`<127><195><197><221><184>>T>S<13><239>x 
> <0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0 
> >c<1><0>
> 	Message-Authenticator =  
> <181><130>}r7<192>a<247><1>L<240><225><201><31><230><248>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:27 2004: DEBUG:  Deleting session for Miklos Tirpak,  
> 195.111.96.134,
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with Radius::AuthLDAP2:  
> eap-auth
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with EAP: code 2, 1, 80
> Tue Oct 26 15:44:27 2004: DEBUG: Response type 13
> Tue Oct 26 15:44:27 2004: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Access challenged for Miklos Tirpak:  
> EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code:       Access-Challenge
> Identifier: 95
> Authentic:  <131><11><238><145>'<16>)<8><12><26>g<180><182><219><230>n
> Attributes:
> 	EAP-Message =  
> <1><2><3><164><13><128><0><0><3><154><22><3><1><0>J<2><0><0>F<3><1>A~T< 
> 187>K<161>y<249>e(<29><143>ja<141>xj<247><134>m<255>Z<240><146><172><13 
> ><233>iZ<218>z! C<254><212><10>}<146>  
> <31><205><176>5oh<23><206><215>C<190><191>a+z<150>g<227>"<180>7<13>>56< 
> 0><4><0><22><3><1><2><219><11><0><2><215><0><2><212><0><2><209>0<130><2 
> ><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247>< 
> 13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15>< 
> 6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30> 
> 0<28><6><3>U<4><10><19><21>OSC Demo  
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
> 	EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in  
> production)1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30> 
> <23><13>040316080209Z<23><13>060316080209Z0u1<11>0<9><6><3>U<4><6><19>< 
> 2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9 
> >Melbourne1<24>0<22><6><3>U<4><10><19><15>My Test  
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159> 
> 0<13><6><9>*<134>H<134><247><13><1><1>
> 	EAP-Message =  
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><216>4<7><6><214><2 
> 34>/ 
> <241>.9<209><250>\y<1><149>[<215><24>e<133><15><223>d<176><132>Z<222>#< 
> 234><12>%<133>aF<28><20><24><218><160><197><239><237><136><222><218><13 
> 8><6><19><247>}*3B<155><24>TE<18><240><194><220><164><183>9<192><176>/ 
> <16>HI<220><169>vN<215>)<31><207><24><157><230>G<186>)<246>J<195><171>< 
> 154><249><220>v<17><159><2>x<29><136><148>: 
> b<170><254><4><207><183><144><210><251>+<233><135>0<212>Y<207><158>N<22 
> 6><136><12><132><143><250><182><218>W<2><3><1><0><1><163><23>0<21>0<19> 
> <6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H< 
> 134><247><13><1><1><4><5><0><3><129><129><0>n<23><196><159>c<165><188>> 
> q<129>X<13>=l? 
> <174><155><170><162><189><20><25>az<19>o<202><250>|B8N<209><225><253>? 
> hv<170><193><235><2>b<16><201>}<250>,<181>q<154>%<182><29><179>p<211><2 
> 48>oba<
> 	EAP-Message =  
> JP<13>p<12>+<154><199>1<16><208><138><21><141>'wrX<214>NUW<231><173><25 
> >w<215><13><152><154>T<218><8><246><202>.<177>9s*<220><219>n"Gu<188><25 
> 4><206>U? 
> <214>)<181>I2^<157><225><174><232>2e<185>k<131><22><3><1><0>f<13><0><0> 
> ^<2><1><2><0>Y<0>W0U1<11>0<9><6><3>U<4><6><19><2>HU1<13>0<11><6><3>U<4> 
> <10><19><4>NIIF1 0<30><6><3>U<4><11><19><23>Certificate  
> Authorities1<21>0<19><6><3>U<4><3><19><12>NIIF Root CA<14><0><0><0>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code:       Access-Request
> Identifier: 96
> Authentic:  <154><251>o<214><212><185>S<192>z<154>C<9><14><127>;U
> Attributes:
> 	NAS-IP-Address = 195.111.96.134
> 	Cisco-NAS-Port = "FastEthernet0/37"
> 	NAS-Port-Type = Async
> 	User-Name = "Miklos Tirpak"
> 	Service-Type = Framed-User
> 	Framed-MTU = 1500
> 	Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> 	EAP-Message =  
> <2><2><5><19><13><128><0><0><5><9><22><3><1><4><217><11><0><3><201><0>< 
> 3><198><0><3><195>0<130><3><191>0<130><2><167><160><3><2><1><2><2><5><0 
> ><186><190><250><244>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0U1 
> <11>0<9><6><3>U<4><6><19><2>HU1<13>0<11><6><3>U<4><10><19><4>NIIF1  
> 0<30><6><3>U<4><11><19><23>Certificate  
> Authorities1<21>0<19><6><3>U<4><3><19><12>NIIF Root  
> CA0<30><23><13>041018145522Z<23><13>051018145522Z0i1<11>0<9><6><3>U<4>< 
> 6><19><2>HU1<16>0<14><6><3>U<4><10><19><7>NIIF  
> CA1<14>0<12><6><3>U<4><11><19><5>HBONE1<22>0<20><6><3>U<4><3><19><13>Mi 
> klos Tirpak1
> 	EAP-Message =   
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mtirpak at sztaki.hu0<129 
> ><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0< 
> 129><137><2><129><129><0><206><211>m<8>}<189>*I<29><162>@<240><215><16> 
> <250><227><132>M<214>#<187><235>_<145><218><19>zFT8|I<19><248><16><187> 
> <180><3><184><184><217><147><246><14><164><157><198>M<21><9>y<253><206> 
> ,<140><134><19><193>\<129>8<163><206>_<198><224><216>'C<143>&<230><211> 
> <173><140>.<180><239><157>! 
> <234>G<245><151><225>1<252><20>S<225><177><138>D`<17>F'<251>o<16>be<144 
> ><137>M<194>; 
> <8>F<131><178>@`#<209>p<159>~g<255>eGR<180><129><137><212><139><2><3><1 
> ><0><1><163><130><1><4>0<130><1><0>0<17><6><9>`<134>H<1><134><248>B<1>< 
> 1><4><4><3><2><5><160>0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><22 
> 4>0<28><6><3>U<29><17><4><21>0<19><129><17>mt
> 	EAP-Message =  
> irpak at sztaki.hu0<31><6><3>U<29>#<4><24>0<22><128><20><0>  
> <244>i}<11>o<228>7fm<177><0><226><245>g1[<161>W0<129><155><6><3>U<29>  
> <4><129><147>0<129><144>0<129><141><6><11>+<6><1><4><1><221><10><1><3>< 
> 1><0>0~0: 
> <6><8>+<6><1><5><5><7><2><2>0.0<11><22><4>NIIF0<3><2><1><1><26><31>Issu 
> ed for HBONE  
> Administrators0@<6><8>+<6><1><5><5><7><2><1><22>4http://www.ca.iif.hu/ 
> en/policies/ 
> NIIF_CA_CPS_1.0.pdf0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><1 
> 30><1><1><0><203><4><16><31>~<212><201><196>s<186><212>=<217>; 
> <189>w%<2>3<150>Uq<13><208>[<147><203>
> 	EAP-Message =  
> <131>P<151>6<134><139>"<6><227><152>S<213><149><146>c<236><168><190>6<1 
> 62>/ 
> <~<<176>G<131><171><221><195><180><13>q<234>4<248><157><191><216>e<203> 
> -<155><209><184>_<214><221>l<177><143><172><140><172><184>zw<133><174>< 
> 230><138>D<149><160><163>]<30><150><255><8>fLFR<23>zY.<16><250><9>! 
> <144>j<10><28>Cp<165>O<164><222><j<242><20><179>W  
> <9><173><239><225><149><224><161>]<236><198>Gtd<245><217><130><25><152> 
> .<222><133><194><202>2<159>qR;<17>d\`/  
> <149><31><184><214><229><240><189><174>,`<225><1>$U<153>#<208><254><143 
> >T<166>}<18>5<131>R<160><135><237><136><239><1><233><155><4>8<213>~<222 
> ><234><1><183>=<237>jR<246><3>U]<145>Q<17><193><26><23><187><203><31>eM 
> <12><174><191><245><246>]<195><238>7<25><221><192><244>+<245><176><220> 
> y<3><241><219><188>"TZ<17><172>|6<130><22><10>B$<150><16><0><0><130><0> 
> <128>5<196><137>@<240><164><245><133><233><22><170><172><153><129>\7<14 
> 1>(
> 	EAP-Message =  
> N<171><217><152><231><178>D"<197><139>&<255>,~<0><249><233>N<135>xj<249 
> >D<23>Y<136><<208><157><159>T<195><21>_<0><200><130>3<163><161>Z<141>K< 
> 198><5><142><137><223><162><172><161><27><3>; 
> I5X<181><10><151>p<31><190><11><139>'<154>}<227>t<1>.<157>g<253><202><1 
> 34><137><166>63l<145><28>9<182>`<130>h<190><137><137>Y<217><250><139><1 
> 2><196>y<250><212><162>5<212><250><9><201>=<138><246><15><0><0><130><0> 
> <128>r<190><212>eQ<197>'<212>}- 
> G<6><231><225>qw<177>I%T7f<217><144>pz<231><230>GU%<149><154><0>t+<208> 
> <141>bi<225><229><172><184>Cw<158><22>j<5><154><165><235><227><237><170 
> ><151><20><182><223>[<148><213><217>X<145>? 
> <144><198><167>9h<175>l<5>y<240><241><216>[<158>50<138><179><191><255>< 
> 215><31><4>0]<229><155><164><13><162><2>! 
> f&,<136><234><237><195><11>u at Y<165><178><229><22><13><227><19>0<180>bV  
> j<20><132><184><195><233><20><3><1><0><1><1><22><3><1>
> 	EAP-Message = <0>  
> <192><166><13><197><214><241><184>-<168><5><250>cC<149>? 
> <13><165><227><226>%Y<211><197><28>(3<234>.<156><137>h<204>
> 	Message-Authenticator = <152>5<218><13><n<206>Ib<19>f<189>+<24>2e
>
> Tue Oct 26 15:44:28 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:28 2004: DEBUG:  Deleting session for Miklos Tirpak,  
> 195.111.96.134,
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with Radius::AuthLDAP2:  
> eap-auth
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with EAP: code 2, 2, 1299
> Tue Oct 26 15:44:28 2004: DEBUG: Response type 13
> Tue Oct 26 15:44:28 2004: INFO: Connecting to directory.iif.hu, port  
> 389
> Tue Oct 26 15:44:28 2004: INFO: Attempting to bind to LDAP server  
> directory.iif.hu:389)
> Tue Oct 26 15:44:28 2004: DEBUG: No entries for Miklos Tirpak found in  
> LDAP database
> Tue Oct 26 15:44:28 2004: DEBUG: Radius::AuthLDAP2 looks for match  
> with Miklos Tirpak
> Tue Oct 26 15:44:28 2004: INFO: Connecting to directory.iif.hu, port  
> 389
> Tue Oct 26 15:44:28 2004: INFO: Attempting to bind to LDAP server  
> directory.iif.hu:389)
> Tue Oct 26 15:44:28 2004: DEBUG: No entries for DEFAULT found in LDAP  
> database
> Tue Oct 26 15:44:28 2004: INFO: EAP TLS Could not authenticate user  
> Miklos Tirpak: No such user
> Tue Oct 26 15:44:28 2004: INFO: EAP TLS certificate verification  
> failed: 50,  3472: 1 - error:140890B2:SSL  
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> Tue Oct 26 15:44:28 2004: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Oct 26 15:44:28 2004: DEBUG: Access challenged for Miklos Tirpak:  
> EAP TLS Challenge
> Tue Oct 26 15:44:28 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code:       Access-Challenge
> Identifier: 96
> Authentic:  <154><251>o<214><212><185>S<192>z<154>C<9><14><127>;U
> Attributes:
> 	EAP-Message = <1><3><0><17><13><128><0><0><0><7><21><3><1><0><2><2>(
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 26 15:44:28 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code:       Access-Request
> Identifier: 97
> Authentic:  <246>}5<23>"<188><22>/<242>c<222><127><220>i<251><177>
> Attributes:
> 	NAS-IP-Address = 195.111.96.134
> 	Cisco-NAS-Port = "FastEthernet0/37"
> 	NAS-Port-Type = Async
> 	User-Name = "Miklos Tirpak"
> 	Service-Type = Framed-User
> 	Framed-MTU = 1500
> 	Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> 	EAP-Message = <2><3><0><6><13><0>
> 	Message-Authenticator =  
> <165><226><228><209><224>><3><240><135><144>vWu<251>_<193>
>
> Tue Oct 26 15:44:28 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:28 2004: DEBUG:  Deleting session for Miklos Tirpak,  
> 195.111.96.134,
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with Radius::AuthLDAP2:  
> eap-auth
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with EAP: code 2, 3, 6
> Tue Oct 26 15:44:28 2004: DEBUG: Response type 13
> Tue Oct 26 15:44:28 2004: DEBUG: EAP result: 1, TLS Alert acknowledged
> Tue Oct 26 15:44:28 2004: INFO: Access rejected for Miklos Tirpak: TLS  
> Alert acknowledged
> Tue Oct 26 15:44:28 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code:       Access-Reject
> Identifier: 97
> Authentic:  <246>}5<23>"<188><22>/<242>c<222><127><220>i<251><177>
> Attributes:
> 	EAP-Message = <4><3><0><4>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Reply-Message = "TLS Alert acknowledged"
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
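The search-filter and authorisation flow discussed in this thread, as an added Python example that is not part of the original mail, of Radiator's code or of either poster's configuration. ToyDirectory and ClientCert are assumptions standing in for the LDAP server and for the fields of a client certificate the TLS layer has already chain-verified; the issuer name NIIF CA and the radiusTunnel* attribute names come from the thread, while the sample entries and the default VLAN values are constructed. The filter has the shape of the default SearchFilter (%0=%1) but is built from the e-mail address in the certificate rather than the outer User-Name, and the value is escaped per RFC 4515 before substitution, because the identity a supplicant presents is untrusted input to the filter.

```python
"""Added example, not Radiator's own code: models the EAP-TLS + LDAP steps
from the thread, keyed on the e-mail in the client certificate, with the
identity escaped before it is substituted into the search filter."""
import re
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, '*', '(', ')', NUL and non-ASCII
    bytes become \\XX hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_search_filter(attr: str, identity: str) -> str:
    """Same shape as Radiator's default SearchFilter (%0=%1): %0 is the
    attribute name, %1 the identity, escaped here before substitution."""
    return "(%s=%s)" % (attr, escape_filter_value(identity))


class ToyDirectory:
    """In-memory stand-in for the LDAP server (assumed, not real LDAP). Only
    '(attr=value)' filters; unescaped '*' is a wildcard, '\\XX' a hex escape."""

    _FILTER = re.compile(r"^\((\w+)=(.*)\)$")

    def __init__(self, entries):
        self.entries = entries  # list of dicts with LDAP-style attributes

    @staticmethod
    def _unescape(fragment: str) -> str:
        raw = re.sub(rb"\\([0-9a-fA-F]{2})",
                     lambda m: bytes([int(m.group(1), 16)]),
                     fragment.encode("utf-8"))
        return raw.decode("utf-8", errors="replace")

    def search(self, ldap_filter: str):
        m = self._FILTER.match(ldap_filter)
        if not m:
            raise ValueError("unsupported filter: %r" % ldap_filter)
        attr, pattern = m.group(1), m.group(2)
        # Unescaped '*' splits the value into literal fragments, each of
        # which is unescaped and matched literally.
        regex = ".*".join(re.escape(self._unescape(p)) for p in pattern.split("*"))
        for entry in self.entries:
            if attr in entry and re.fullmatch(regex, entry[attr]):
                return entry
        return None


@dataclass(frozen=True)
class ClientCert:
    """Fields of a client certificate already chain-verified by the TLS layer
    (step 3, EAPTLS_CAFile). Constructed; no real X.509 parsing happens here."""
    issuer_cn: str
    email: str   # rfc822Name / emailAddress in the certificate
    serial: int


LOCAL_ISSUER_CNS = {"NIIF CA"}    # step 1: certificates from our own realm
DEFAULT_VLAN_ATTRS = {            # step 5b: constructed fallback reply items
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-ID": "guest",
}


def authorise(cert: ClientCert, revoked_serials, directory, proxy_target):
    """Apply steps 1-5b from the thread; returns (action, detail)."""
    if cert.issuer_cn not in LOCAL_ISSUER_CNS:      # steps 1 and 2
        return "proxy", proxy_target
    if cert.serial in revoked_serials:              # step 4 (CRL)
        return "reject", "certificate revoked"
    # Step 5: look the user up by the e-mail bound to the verified certificate,
    # not by the outer User-Name, which is unverified and not unique here.
    entry = directory.search(build_search_filter("mail", cert.email))
    if entry is None:                               # step 5b
        return "accept", dict(DEFAULT_VLAN_ATTRS)
    return "accept", {                              # step 5a: AuthAttrDef mapping
        "Tunnel-Type": entry["radiusTunnelType"],
        "Tunnel-Medium-Type": entry["radiusTunnelMediumType"],
        "Tunnel-Private-Group-ID": entry["radiusTunnelPrivateGroupID"],
    }


# Constructed sample entries; attribute names are those in the posted config.
SAMPLE_DIRECTORY = ToyDirectory([
    {"uid": "mtirpak", "mail": "mtirpak@sztaki.hu", "radiusTunnelType": "VLAN",
     "radiusTunnelMediumType": "IEEE-802", "radiusTunnelPrivateGroupID": "staff"},
    {"uid": "mtirpak2", "mail": "miklos.tirpak@example.org", "radiusTunnelType": "VLAN",
     "radiusTunnelMediumType": "IEEE-802", "radiusTunnelPrivateGroupID": "students"},
])
```

The realm decision is made on the certificate issuer, the CRL check on the serial, and the lookup on the e-mail address, so the outer User-Name from the Access-Request never reaches the directory; the toy directory treats an unescaped `*` as a wildcard the way a real server would, which is what makes the escaping in build_search_filter observable.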


