(RADIATOR) EAP-TLS + LDAP
Hugh Irvine
hugh at open.com.au
Wed Oct 27 02:53:37 CDT 2004
Hello Miklos -
I think you should try using the default SearchFilter which will
automatically use the Identity contained in the EAP-Message.
The default SearchFilter is:
SearchFilter (%0=%1)
See sections 6.36.15 and 23.4 in the Radiator 3.11 reference manual
("doc/ref.html").
regards
Hugh
On 27 Oct 2004, at 00:08, Tirpak Miklos wrote:
> Hello Hugh,
>
> I send you the config file and the debug attached. The searchfilter in
> the ldap query is uid=Miklos Tirpak, which is not correct; it should be
> mail=mtirpak at sztaki.hu. I should do the following somehow:
>
> 1. Get the realm from the eap request. For example, the user belongs
> to our domain if the issuer of the certificate was NIIF CA
> 2. If the realm is not ours, proxy the radius request onward.
> 3. If the realm is ours, check if the certificate is correct
> 4. Look at the revocation list.
> 5. Search the user in LDAP based on his e-mail address
> 5a. If the user is in the database, pass the VLAN attributes back to
> the switch in a radius accept
> 5b. If the user is not in the db, pass a default attrib to the switch
> in a radius accept (or the switch can use its own default setting)
>
> Is this the correct way of setting up EAP-TLS authentication with
> LDAP? How do others do it?
>
> Thank you,
> Miklos
>
> On 10/23/04 01:24, Hugh Irvine wrote:
>> Hello Miklos -
>> Could you please send me a copy of your configuration file (no
>> secrets) and a complete trace 4 debug showing what is happening with
>> what you have so far? I would like to see the contents of the radius
>> requests so I can make suggestions.
>> regards
>> Hugh
>> On 22 Oct 2004, at 18:54, Tirpak Miklos wrote:
>>> Hello!
>>>
>>> I would like to use EAP-TLS as dot1x authentication, and get the
>>> vlan name from LDAP after the successful authentication. The
>>> search filter has to contain the e-mail address of the user instead
>>> of the name, because the name is not unique in our database. The
>>> searchfilter for example should be: uid=mtirpak at sztaki.hu
>>>
>>> The problem is that the radius request does not contain the e-mail
>>> address as an attribute; it contains only the user name: User-Name
>>> = "Miklos Tirpak". The e-mail address is in the eap message. Is
>>> there any way to make the search filter based on the e-mail
>>> address? Like %{some_attribute}, or with a script?
>>>
>>> The realm is also not included in the radius attributes, so I have
>>> to get it from the eap message. This is the same problem as above.
>>>
>>> Thanks,
>>> Miklos
>>>
>>> --
>>> -------------------------------------------------------------------------
>>> Miklos Tirpak
>>> Computer and Automation Research Institute   e-mail : mtirpak at sztaki.hu
>>> Hungarian Academy of Sciences                phone  : (361) 279-6011
>>> H-1132 Budapest, Victor Hugo u 18-22         fax    : (361) 279-6021
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
>
> --
> -------------------------------------------------------------------------
> Miklos Tirpak
> Computer and Automation Research Institute   e-mail : mtirpak at sztaki.hu
> Hungarian Academy of Sciences                phone  : (361) 279-6011
> H-1132 Budapest, Victor Hugo u 18-22         fax    : (361) 279-6021
>
> # radius.cfg
> #
> # This is a very simple radius.cfg that you can use to get started.
> # only the most important parameters are set here. The full set
> # of parameters can be seen in radius.cfg in the top of the
> # distribution tree.
> #
> # As it stands, it will authenticate a single client and a
> # single realm from a flat file
> # database, and save the accounting info to a single details file.
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 1997 Open System Consultants
> # $Id: radius.cfg,v 1.3 1999/01/28 05:13:52 mikem Exp $
>
> # Set this to the directory where your logfile and details file are to
> # go
> LogDir /var/log/radiator
>
> # listen
> BindAddress 195.111.0.46
> AuthPort 1812
> AcctPort 1813
>
> # runs in foreground
> Foreground
> #LogStdout
> LogFile /home/mtirpak/debug/Radiator/eap_tls_ldap.log
> Trace 4
>
> # Set this to the database directory. It should contain these files:
> # users The user database
> # dictionary The dictionary for your NAS
> DbDir /usr/local/etc/radiator
>
> # This clause defines a single client to listen to
> <Client 195.111.96.134>
> Secret secret
> </Client>
>
> # For testing: this allows us to honour requests from radpwtst
> # on the same host.
> <Client localhost>
> Secret secret
> DupInterval 0
> </Client>
>
> <AuthBy LDAP2>
> # The filename defaults to %D/users
> Identifier eap-auth
> EAPType TLS
>
> # certificate of the CA
> EAPTLS_CAFile /etc/radiator/certificates/NIIF/cacert.pem
> # EAPTLS_CAPath /etc/radiator/certificates/NIIF
>
> # certificate of the radius server
> EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> # private key of the radius server
> EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword secret
>
> # check the revocation list
> EAPTLS_CRLCheck
> EAPTLS_CRLFile /etc/radiator/revocation_list/list.pem
>
> # LDAP parameters
> Host directory.iif.hu
>
> # bind
> AuthDN uid=radius-802.1x,ou=applications,ou=hboneadmin,o=niif,c=hu
> AuthPassword secret
>
> # search
> BaseDN ou=users,ou=hboneadmin,o=niif,c=hu
> SearchFilter (uid=%{User-Name})
> PasswordAttr
>
> # reply items
> AuthAttrDef radiusTunnelType, Tunnel-Type, reply
> AuthAttrDef radiusTunnelMediumType, Tunnel-Medium-Type, reply
> AuthAttrDef radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
>
>
> </AuthBy>
>
> # This clause handles all users from all realms by looking them up
> # in the users file at /usr/local/etc/raddb/users
> <Realm DEFAULT>
> AuthBy eap-auth
> #PacketTrace
> RejectHasReason
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detail
> </Realm>
>
> Tue Oct 26 15:44:03 2004: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Tue Oct 26 15:44:03 2004: DEBUG: Reading dictionary file
> '/usr/local/etc/radiator/dictionary'
> Tue Oct 26 15:44:03 2004: DEBUG: Creating authentication port
> 195.111.0.46:1812
> Tue Oct 26 15:44:03 2004: DEBUG: Creating accounting port
> 195.111.0.46:1813
> Tue Oct 26 15:44:03 2004: NOTICE: Server started: Radiator 3.10 on
> tirpi (LOCKED)
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code: Access-Request
> Identifier: 94
> Authentic: <205>j<146><138>M<29><177><31><28><223><210><162>x-#<224>
> Attributes:
> NAS-IP-Address = 195.111.96.134
> Cisco-NAS-Port = "FastEthernet0/37"
> NAS-Port-Type = Async
> User-Name = "Miklos Tirpak"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> EAP-Message = <2><0><0><18><1>Miklos Tirpak
> Message-Authenticator =
> <131><171>l<10><168>)<215>5s<168><236><195><17><157>c<14>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:27 2004: DEBUG: Deleting session for Miklos Tirpak,
> 195.111.96.134,
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with Radius::AuthLDAP2:
> eap-auth
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with EAP: code 2, 0, 18
> Tue Oct 26 15:44:27 2004: DEBUG: Response type 1
> Tue Oct 26 15:44:27 2004: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Access challenged for Miklos Tirpak:
> EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code: Access-Challenge
> Identifier: 94
> Authentic: <205>j<146><138>M<29><177><31><28><223><210><162>x-#<224>
> Attributes:
> EAP-Message = <1><1><0><6><13>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code: Access-Request
> Identifier: 95
> Authentic: <131><11><238><145>'<16>)<8><12><26>g<180><182><219><230>n
> Attributes:
> NAS-IP-Address = 195.111.96.134
> Cisco-NAS-Port = "FastEthernet0/37"
> NAS-Port-Type = Async
> User-Name = "Miklos Tirpak"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> EAP-Message =
> <2><1><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>A~T<186><10>
> <145><151><184><147>!
> 2<206><155><16><252><13>=<205>I`<127><195><197><221><184>>T>S<13><239>x
> <0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0
> >c<1><0>
> Message-Authenticator =
> <181><130>}r7<192>a<247><1>L<240><225><201><31><230><248>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:27 2004: DEBUG: Deleting session for Miklos Tirpak,
> 195.111.96.134,
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with Radius::AuthLDAP2:
> eap-auth
> Tue Oct 26 15:44:27 2004: DEBUG: Handling with EAP: code 2, 1, 80
> Tue Oct 26 15:44:27 2004: DEBUG: Response type 13
> Tue Oct 26 15:44:27 2004: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Access challenged for Miklos Tirpak:
> EAP TLS Challenge
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code: Access-Challenge
> Identifier: 95
> Authentic: <131><11><238><145>'<16>)<8><12><26>g<180><182><219><230>n
> Attributes:
> EAP-Message =
> <1><2><3><164><13><128><0><0><3><154><22><3><1><0>J<2><0><0>F<3><1>A~T<
> 187>K<161>y<249>e(<29><143>ja<141>xj<247><134>m<255>Z<240><146><172><13
> ><233>iZ<218>z! C<254><212><10>}<146>
> <31><205><176>5oh<23><206><215>C<190><191>a+z<150>g<227>"<180>7<13>>56<
> 0><4><0><22><3><1><2><219><11><0><2><215><0><2><212><0><2><209>0<130><2
> ><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><
> 13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><
> 6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>
> 0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
> EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in
> production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30>
> <23><13>040316080209Z<23><13>060316080209Z0u1<11>0<9><6><3>U<4><6><19><
> 2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9
> >Melbourne1<24>0<22><6><3>U<4><10><19><15>My Test
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>
> 0<13><6><9>*<134>H<134><247><13><1><1>
> EAP-Message =
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><216>4<7><6><214><2
> 34>/
> <241>.9<209><250>\y<1><149>[<215><24>e<133><15><223>d<176><132>Z<222>#<
> 234><12>%<133>aF<28><20><24><218><160><197><239><237><136><222><218><13
> 8><6><19><247>}*3B<155><24>TE<18><240><194><220><164><183>9<192><176>/
> <16>HI<220><169>vN<215>)<31><207><24><157><230>G<186>)<246>J<195><171><
> 154><249><220>v<17><159><2>x<29><136><148>:
> b<170><254><4><207><183><144><210><251>+<233><135>0<212>Y<207><158>N<22
> 6><136><12><132><143><250><182><218>W<2><3><1><0><1><163><23>0<21>0<19>
> <6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<
> 134><247><13><1><1><4><5><0><3><129><129><0>n<23><196><159>c<165><188>>
> q<129>X<13>=l?
> <174><155><170><162><189><20><25>az<19>o<202><250>|B8N<209><225><253>?
> hv<170><193><235><2>b<16><201>}<250>,<181>q<154>%<182><29><179>p<211><2
> 48>oba<
> EAP-Message =
> JP<13>p<12>+<154><199>1<16><208><138><21><141>'wrX<214>NUW<231><173><25
> >w<215><13><152><154>T<218><8><246><202>.<177>9s*<220><219>n"Gu<188><25
> 4><206>U?
> <214>)<181>I2^<157><225><174><232>2e<185>k<131><22><3><1><0>f<13><0><0>
> ^<2><1><2><0>Y<0>W0U1<11>0<9><6><3>U<4><6><19><2>HU1<13>0<11><6><3>U<4>
> <10><19><4>NIIF1 0<30><6><3>U<4><11><19><23>Certificate
> Authorities1<21>0<19><6><3>U<4><3><19><12>NIIF Root CA<14><0><0><0>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 26 15:44:27 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code: Access-Request
> Identifier: 96
> Authentic: <154><251>o<214><212><185>S<192>z<154>C<9><14><127>;U
> Attributes:
> NAS-IP-Address = 195.111.96.134
> Cisco-NAS-Port = "FastEthernet0/37"
> NAS-Port-Type = Async
> User-Name = "Miklos Tirpak"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> EAP-Message =
> <2><2><5><19><13><128><0><0><5><9><22><3><1><4><217><11><0><3><201><0><
> 3><198><0><3><195>0<130><3><191>0<130><2><167><160><3><2><1><2><2><5><0
> ><186><190><250><244>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0U1
> <11>0<9><6><3>U<4><6><19><2>HU1<13>0<11><6><3>U<4><10><19><4>NIIF1
> 0<30><6><3>U<4><11><19><23>Certificate
> Authorities1<21>0<19><6><3>U<4><3><19><12>NIIF Root
> CA0<30><23><13>041018145522Z<23><13>051018145522Z0i1<11>0<9><6><3>U<4><
> 6><19><2>HU1<16>0<14><6><3>U<4><10><19><7>NIIF
> CA1<14>0<12><6><3>U<4><11><19><5>HBONE1<22>0<20><6><3>U<4><3><19><13>Mi
> klos Tirpak1
> EAP-Message =
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mtirpak at sztaki.hu0<129
> ><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<
> 129><137><2><129><129><0><206><211>m<8>}<189>*I<29><162>@<240><215><16>
> <250><227><132>M<214>#<187><235>_<145><218><19>zFT8|I<19><248><16><187>
> <180><3><184><184><217><147><246><14><164><157><198>M<21><9>y<253><206>
> ,<140><134><19><193>\<129>8<163><206>_<198><224><216>'C<143>&<230><211>
> <173><140>.<180><239><157>!
> <234>G<245><151><225>1<252><20>S<225><177><138>D`<17>F'<251>o<16>be<144
> ><137>M<194>;
> <8>F<131><178>@`#<209>p<159>~g<255>eGR<180><129><137><212><139><2><3><1
> ><0><1><163><130><1><4>0<130><1><0>0<17><6><9>`<134>H<1><134><248>B<1><
> 1><4><4><3><2><5><160>0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><22
> 4>0<28><6><3>U<29><17><4><21>0<19><129><17>mt
> EAP-Message =
> irpak at sztaki.hu0<31><6><3>U<29>#<4><24>0<22><128><20><0>
> <244>i}<11>o<228>7fm<177><0><226><245>g1[<161>W0<129><155><6><3>U<29>
> <4><129><147>0<129><144>0<129><141><6><11>+<6><1><4><1><221><10><1><3><
> 1><0>0~0:
> <6><8>+<6><1><5><5><7><2><2>0.0<11><22><4>NIIF0<3><2><1><1><26><31>Issu
> ed for HBONE
> Administrators0@<6><8>+<6><1><5><5><7><2><1><22>4http://www.ca.iif.hu/
> en/policies/
> NIIF_CA_CPS_1.0.pdf0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><1
> 30><1><1><0><203><4><16><31>~<212><201><196>s<186><212>=<217>;
> <189>w%<2>3<150>Uq<13><208>[<147><203>
> EAP-Message =
> <131>P<151>6<134><139>"<6><227><152>S<213><149><146>c<236><168><190>6<1
> 62>/
> <~<<176>G<131><171><221><195><180><13>q<234>4<248><157><191><216>e<203>
> -<155><209><184>_<214><221>l<177><143><172><140><172><184>zw<133><174><
> 230><138>D<149><160><163>]<30><150><255><8>fLFR<23>zY.<16><250><9>!
> <144>j<10><28>Cp<165>O<164><222><j<242><20><179>W
> <9><173><239><225><149><224><161>]<236><198>Gtd<245><217><130><25><152>
> .<222><133><194><202>2<159>qR;<17>d\`/
> <149><31><184><214><229><240><189><174>,`<225><1>$U<153>#<208><254><143
> >T<166>}<18>5<131>R<160><135><237><136><239><1><233><155><4>8<213>~<222
> ><234><1><183>=<237>jR<246><3>U]<145>Q<17><193><26><23><187><203><31>eM
> <12><174><191><245><246>]<195><238>7<25><221><192><244>+<245><176><220>
> y<3><241><219><188>"TZ<17><172>|6<130><22><10>B$<150><16><0><0><130><0>
> <128>5<196><137>@<240><164><245><133><233><22><170><172><153><129>\7<14
> 1>(
> EAP-Message =
> N<171><217><152><231><178>D"<197><139>&<255>,~<0><249><233>N<135>xj<249
> >D<23>Y<136><<208><157><159>T<195><21>_<0><200><130>3<163><161>Z<141>K<
> 198><5><142><137><223><162><172><161><27><3>;
> I5X<181><10><151>p<31><190><11><139>'<154>}<227>t<1>.<157>g<253><202><1
> 34><137><166>63l<145><28>9<182>`<130>h<190><137><137>Y<217><250><139><1
> 2><196>y<250><212><162>5<212><250><9><201>=<138><246><15><0><0><130><0>
> <128>r<190><212>eQ<197>'<212>}-
> G<6><231><225>qw<177>I%T7f<217><144>pz<231><230>GU%<149><154><0>t+<208>
> <141>bi<225><229><172><184>Cw<158><22>j<5><154><165><235><227><237><170
> ><151><20><182><223>[<148><213><217>X<145>?
> <144><198><167>9h<175>l<5>y<240><241><216>[<158>50<138><179><191><255><
> 215><31><4>0]<229><155><164><13><162><2>!
> f&,<136><234><237><195><11>u at Y<165><178><229><22><13><227><19>0<180>bV
> j<20><132><184><195><233><20><3><1><0><1><1><22><3><1>
> EAP-Message = <0>
> <192><166><13><197><214><241><184>-<168><5><250>cC<149>?
> <13><165><227><226>%Y<211><197><28>(3<234>.<156><137>h<204>
> Message-Authenticator = <152>5<218><13><n<206>Ib<19>f<189>+<24>2e
>
> Tue Oct 26 15:44:28 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:28 2004: DEBUG: Deleting session for Miklos Tirpak,
> 195.111.96.134,
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with Radius::AuthLDAP2:
> eap-auth
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with EAP: code 2, 2, 1299
> Tue Oct 26 15:44:28 2004: DEBUG: Response type 13
> Tue Oct 26 15:44:28 2004: INFO: Connecting to directory.iif.hu, port
> 389
> Tue Oct 26 15:44:28 2004: INFO: Attempting to bind to LDAP server
> directory.iif.hu:389)
> Tue Oct 26 15:44:28 2004: DEBUG: No entries for Miklos Tirpak found in
> LDAP database
> Tue Oct 26 15:44:28 2004: DEBUG: Radius::AuthLDAP2 looks for match
> with Miklos Tirpak
> Tue Oct 26 15:44:28 2004: INFO: Connecting to directory.iif.hu, port
> 389
> Tue Oct 26 15:44:28 2004: INFO: Attempting to bind to LDAP server
> directory.iif.hu:389)
> Tue Oct 26 15:44:28 2004: DEBUG: No entries for DEFAULT found in LDAP
> database
> Tue Oct 26 15:44:28 2004: INFO: EAP TLS Could not authenticate user
> Miklos Tirpak: No such user
> Tue Oct 26 15:44:28 2004: INFO: EAP TLS certificate verification
> failed: 50, 3472: 1 - error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> Tue Oct 26 15:44:28 2004: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Oct 26 15:44:28 2004: DEBUG: Access challenged for Miklos Tirpak:
> EAP TLS Challenge
> Tue Oct 26 15:44:28 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code: Access-Challenge
> Identifier: 96
> Authentic: <154><251>o<214><212><185>S<192>z<154>C<9><14><127>;U
> Attributes:
> EAP-Message = <1><3><0><17><13><128><0><0><0><7><21><3><1><0><2><2>(
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 26 15:44:28 2004: DEBUG: Packet dump:
> *** Received from 195.111.96.134 port 1812 ....
> Code: Access-Request
> Identifier: 97
> Authentic: <246>}5<23>"<188><22>/<242>c<222><127><220>i<251><177>
> Attributes:
> NAS-IP-Address = 195.111.96.134
> Cisco-NAS-Port = "FastEthernet0/37"
> NAS-Port-Type = Async
> User-Name = "Miklos Tirpak"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = "00-0f-1f-b4-fd-2d"
> EAP-Message = <2><3><0><6><13><0>
> Message-Authenticator =
> <165><226><228><209><224>><3><240><135><144>vWu<251>_<193>
>
> Tue Oct 26 15:44:28 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Oct 26 15:44:28 2004: DEBUG: Deleting session for Miklos Tirpak,
> 195.111.96.134,
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with Radius::AuthLDAP2:
> eap-auth
> Tue Oct 26 15:44:28 2004: DEBUG: Handling with EAP: code 2, 3, 6
> Tue Oct 26 15:44:28 2004: DEBUG: Response type 13
> Tue Oct 26 15:44:28 2004: DEBUG: EAP result: 1, TLS Alert acknowledged
> Tue Oct 26 15:44:28 2004: INFO: Access rejected for Miklos Tirpak: TLS
> Alert acknowledged
> Tue Oct 26 15:44:28 2004: DEBUG: Packet dump:
> *** Sending to 195.111.96.134 port 1812 ....
> Code: Access-Reject
> Identifier: 97
> Authentic: <246>}5<23>"<188><22>/<242>c<222><127><220>i<251><177>
> Attributes:
> EAP-Message = <4><3><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "TLS Alert acknowledged"
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
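The flow Miklos lists above (realm from the certificate issuer, revocation check, LDAP search on the e-mail address, VLAN attributes or a default) together with the search-filter question, as an added Python illustration; this is not code from the thread or from Radiator. It assumes the client certificate has already passed chain verification and is handed over in the dict shape Python's ssl.SSLSocket.getpeercert() returns, and it uses an in-memory list in place of the LDAP server. LOCAL_ISSUER_CNS, REVOKED_SERIALS, SAMPLE_DIRECTORY, DEFAULT_REPLY and the certificate serial number are constructed; the attribute names in ATTR_MAP are the ones from the posted AuthAttrDef lines.

```python
"""EAP-TLS + LDAP decision flow from the thread (constructed illustration, not
Radiator code). Assumes a client certificate that already passed chain
verification, in the dict shape ssl.SSLSocket.getpeercert() returns, and an
in-memory list standing in for the LDAP server. LOCAL_ISSUER_CNS,
REVOKED_SERIALS, SAMPLE_DIRECTORY, DEFAULT_REPLY and the serial are assumptions."""
import re

# Subject/issuer follow the certificate visible in the trace; serial is constructed.
CLIENT_CERT = {
    "subject": ((("countryName", "HU"),), (("organizationName", "NIIF CA"),),
                (("organizationalUnitName", "HBONE"),),
                (("commonName", "Miklos Tirpak"),),
                (("emailAddress", "mtirpak@sztaki.hu"),)),
    "issuer": ((("countryName", "HU"),), (("organizationName", "NIIF"),),
               (("organizationalUnitName", "Certificate Authorities"),),
               (("commonName", "NIIF Root CA"),)),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("email", "mtirpak@sztaki.hu"),),
}
LOCAL_ISSUER_CNS = {"NIIF Root CA"}   # assumption: issuer CNs that mean "our realm"
REVOKED_SERIALS = {"DEADBEEF"}        # constructed stand-in for the CRL contents
SAMPLE_DIRECTORY = [                  # constructed LDAP entries
    {"mail": "mtirpak@sztaki.hu", "radiusTunnelType": "VLAN",
     "radiusTunnelMediumType": "IEEE-802", "radiusTunnelPrivateGroupID": "staff"},
]
# LDAP attribute -> RADIUS reply attribute, as in the posted AuthAttrDef lines
ATTR_MAP = {"radiusTunnelType": "Tunnel-Type",
            "radiusTunnelMediumType": "Tunnel-Medium-Type",
            "radiusTunnelPrivateGroupID": "Tunnel-Private-Group-ID"}
DEFAULT_REPLY = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-ID": "guest"}   # assumption: fallback VLAN


def rdn_value(name, attr):
    """First value of `attr` in a getpeercert()-style name tuple, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def certificate_email(cert):
    """Prefer the rfc822Name SAN; fall back to the legacy emailAddress in the subject."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            return value
    return rdn_value(cert["subject"], "emailAddress")

def escape_filter_value(value):
    """Escape one assertion value for an LDAP search filter (RFC 4515, section 3)."""
    out = []
    for byte in value.encode("utf-8"):
        # '*', '(', ')', '\' and NUL would change the filter's meaning; non-ASCII
        # bytes are escaped too so the filter stays plain ASCII.
        if byte in b"*()\\" or byte == 0 or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

def parse_equality_filter(search_filter):
    """What the server sees: split '(attr=value)' and undo the RFC 4515 escaping."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if m is None:
        raise ValueError("unsupported filter: %r" % search_filter)
    raw = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1), raw.encode("latin-1").decode("utf-8")

def classify(cert, local_issuer_cns=LOCAL_ISSUER_CNS, revoked=REVOKED_SERIALS):
    """Steps 1-4: realm from the issuer, then the revocation check."""
    if rdn_value(cert["issuer"], "commonName") not in local_issuer_cns:
        return "proxy"
    if cert.get("serialNumber") in revoked:
        return "revoked"
    return "local"

def directory_search(directory, attr, value):
    """Stand-in for the LDAP search: exact match on one attribute."""
    for entry in directory:
        if entry.get(attr) == value:
            return entry
    return None

def decide(cert, directory=SAMPLE_DIRECTORY):
    """Steps 1-5b: return (action, search_filter, reply_attributes)."""
    action = classify(cert)
    if action != "local":
        return action, None, None
    email = certificate_email(cert)
    if email is None:                      # nothing to search on: step 5b
        return "accept", None, dict(DEFAULT_REPLY)
    search_filter = "(mail=%s)" % escape_filter_value(email)
    attr, value = parse_equality_filter(search_filter)   # round trip as the server would
    entry = directory_search(directory, attr, value)
    if entry is None:                      # step 5b: default VLAN
        return "accept", search_filter, dict(DEFAULT_REPLY)
    reply = {ATTR_MAP[k]: v for k, v in entry.items() if k in ATTR_MAP}
    return "accept", search_filter, reply  # step 5a
```

Whatever ends up in the filter, whether %{User-Name} from the RADIUS request or an e-mail address taken out of the certificate, is supplied by the peer, so escaping the assertion value per RFC 4515 is the step to keep regardless of where the value comes from; the parse_equality_filter round trip shows that a value containing '*' or parentheses is matched literally instead of altering the filter.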