(RADIATOR) I need a little help with the log file
Stewart, Bill
wjs-corp at kaman.com
Thu Apr 7 06:06:54 CDT 2005
Mike,
Thanks for your input. I've got the logfile without any errors now,
but it seems to be stuck on sending a challenge; see below. Any ideas?
Thu Apr 7 06:58:39 2005: DEBUG: Packet dump:
*** Received from 149.158.3.250 port 1208 ....
Code: Access-Request
Identifier: 183
Authentic: <210><10><0><0>"<23><0><0><176>&<0><0><196><31><0><0>
Attributes:
Message-Authenticator =
<242><136><231><132><27><149><220><242>sI<132>(<11>n#<204>
User-Name = "LAN_KCNT\wjs"
NAS-IP-Address = 149.158.3.250
NAS-Port = 2
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "00-01-f4-ec-97-29"
EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
Framed-MTU = 1000
Thu Apr 7 06:58:39 2005: DEBUG: Handling request with Handler ''
Thu Apr 7 06:58:39 2005: DEBUG: Deleting session for LAN_KCNT\wjs, 149.158.3.250, 2
Thu Apr 7 06:58:39 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Apr 7 06:58:39 2005: DEBUG: Handling with EAP: code 2, 1, 17
Thu Apr 7 06:58:39 2005: DEBUG: Response type 1
Thu Apr 7 06:58:40 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Apr 7 06:58:40 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Thu Apr 7 06:58:40 2005: DEBUG: Access challenged for LAN_KCNT\wjs: EAP PEAP Challenge
Thu Apr 7 06:58:40 2005: DEBUG: Packet dump:
*** Sending to 149.158.3.250 port 1208 ....
Code: Access-Challenge
Identifier: 183
Authentic: <210><10><0><0>"<23><0><0><176>&<0><0><196><31><0><0>
Attributes:
EAP-Message = <1><2><0><6><25>!
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Apr 7 06:59:09 2005: DEBUG: Packet dump:
*** Received from 149.158.3.250 port 1209 ....
Code: Access-Request
Identifier: 184
Authentic: <184>m<0><0>\\<0><0><202><10><0><0><214>x<0><0>
Attributes:
User-Name = "00-01-f4-ec-97-29"
User-Password = "I<152><221><218><193>ia<194>g<131>"<165><244><31>'`"
NAS-IP-Address = 149.158.3.250
NAS-Port = 2
Thu Apr 7 06:59:09 2005: DEBUG: Handling request with Handler ''
Thu Apr 7 06:59:09 2005: DEBUG: Deleting session for 00-01-f4-ec-97-29, 149.158.3.250, 2
Thu Apr 7 06:59:09 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Apr 7 06:59:09 2005: DEBUG: Radius::AuthFILE looks for match with 00-01-f4-ec-97-29
Thu Apr 7 06:59:09 2005: DEBUG: AuthBy FILE result: REJECT, No such user
Thu Apr 7 06:59:09 2005: INFO: Access rejected for 00-01-f4-ec-97-29: No such user
Thu Apr 7 06:59:09 2005: DEBUG: Packet dump:
*** Sending to 149.158.3.250 port 1209 ....
Code: Access-Reject
Identifier: 184
Authentic: <184>m<0><0>\\<0><0><202><10><0><0><214>x<0><0>
Attributes:
Reply-Message = "Request Denied"
RADIUS.CFG
# lsa_eap_peap.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# PEAP authentication as used by Windows XP (starting with SP1)
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate Wireless PEAP users from a Windows LSA, which
# permits authentication against any Windows Active Directory Domain
# or NT Domain.
# It will accept requests from any client and try to handle requests
# for any realm.
# To use this LSA, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security policy
# enabled. This is not possible with Windows XP Home edition.
# Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
#
# Requires the Win32-Lsa perl module from Open System Consultants.
# Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
# ppm install --location=http://www.open.com.au/radiator/free-downloads Win32-Lsa
#
# Users will only be authenticated if they have the 'Access this computer from the network'
# security policy enabled. Their other account restrictions will also be checked.
# CHAP passwords can only be authenticated if the user has their
# 'Store password using reversible encryption' option enabled in their Account.
#
# In order to test this, you can use the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires openssl and Net_SSLeay.
#
# You should consider this file to be a starting point only
# $Id: lsa_eap_peap.cfg,v 1.5 2004/06/06 04:08:13 mikem Exp $
#Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
# Use a lower trace level in production systems:
Trace 4
AuthPort 1812
DictionaryFile %D/dictionary
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<Client 149.158.3.250>
Secret mysecret
</Client>
# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
# Authenticate with Windows LSA
<AuthBy LSA>
# Specifies which Windows Domain is ALWAYS to be used to authenticate
# users (even if they specify a different domain in their username).
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine only
Domain LAN_KCNT
# Specifies the Windows Domain to use if the user does not
# specify a domain in their username.
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
DefaultDomain LAN_KCNT
# You can check whether each user is the member of a windows group
# with the Group parameter. If more than one Group is specified, then the
# user must be a member of at least one of them. Requires Win32::NetAdmin
# (which is installed by default with ActivePerl). If no Group
# parameters are specified, then Group checks will not be performed.
#Group Administrators
#Group Domain Users
# You can specify which domain controller will be used to check group
# membership with the DomainController parameter. If no Group parameters
# are specified, DomainController will not be used. Defaults to
# empty string, meaning the default controller of the host where this
# instance of Radiator is running.
DomainController kcnt1.kaman.com
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
</AuthBy>
</Handler>
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this configuration the outer (PEAP) authentication is handled here by AuthBy FILE,
# and the inner (MSCHAP-V2) request is handled by the AuthBy LSA in the
# TunnelledByPEAP=1 Handler above.
<Handler>
<AuthBy FILE>
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page). In the log above
# the outer identity is LAN_KCNT\wjs, so that name needs an entry here.
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randomness
EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller sizes.
EAPTLS_MaxFragmentSize 1000
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has been revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL file can be generated with openssl like this (first revoke
# the client certificate, then regenerate the CRL):
# openssl ca -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys. This _will_ be required if you select
# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
# EAPAnonymous anonymous@some.other.realm
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
</AuthBy>
</Handler>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
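Added example (editor's note, not part of the original post or of Radiator): the script below decodes the two EAP-Message values from the Trace 4 dump above and rebuilds the Access-Challenge's two authenticators. It assumes Radiator's dump notation (a non-printable byte is printed as <decimal>, a printable byte literally) and takes the Secret from the posted radius.cfg; the packet it builds is a reconstruction, not the bytes Radiator actually sent. Decoding shows what the dump is saying: the first Access-Request carries an EAP Identity Response (id 1) for LAN_KCNT\wjs, the Access-Challenge carries a PEAP Start (id 2, flags 0x21, i.e. S bit set, version 1) with no TLS data, and the next Access-Request thirty seconds later, from a new source port, is a plain User-Name/User-Password request with the MAC address as the user name rather than an EAP reply, so in this log the PEAP conversation never gets past Start. The 16 zero bytes shown for the outgoing Message-Authenticator are the placeholder over which the HMAC is computed; the dump is printed before it is filled in.

```python
"""Decode EAP-Message values from a Radiator Trace 4 dump and rebuild the
Access-Challenge authenticators (RFC 2865 s.3, RFC 3579 s.3.2).
Added example; not part of the original post or of Radiator."""
import hashlib
import hmac
import re

# Strings copied from the dump in the post; the Secret is the one in the posted
# radius.cfg.  Assumption: each dump string holds exactly one attribute value.
IDENTITY_RESPONSE = "<2><1><0><17><1>LAN_KCNT\\wjs"
PEAP_START = "<1><2><0><6><25>!"
REQUEST_AUTHENTICATOR = '<210><10><0><0>"<23><0><0><176>&<0><0><196><31><0><0>'
SHARED_SECRET = b"mysecret"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
ACCESS_CHALLENGE = 11
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def unescape_dump(text):
    """Radiator prints non-printable bytes as <decimal> and the rest literally.
    A literal '<' in the data would be ambiguous; none occurs in these samples."""
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", text, re.S):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def decode_eap(raw):
    """Parse the EAP header (RFC 3748 s.4) plus an Identity or PEAP payload."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request / Response carry a Type
        eap_type, data = raw[4], raw[5:]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = data.decode("latin-1")
        elif eap_type == 25:                # PEAP: one flags byte, then TLS data
            flags = data[0]
            info["flags"] = {"length_included": bool(flags & 0x80),
                             "more_fragments": bool(flags & 0x40),
                             "start": bool(flags & 0x20),
                             "version": flags & 0x07}
            info["tls_data"] = data[1:]
    return info


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return bytes([atype, len(value) + 2]) + value


def build_challenge(ident, request_auth, eap_msg, secret):
    """Rebuild an Access-Challenge the way a RADIUS server must sign it.
    Message-Authenticator = HMAC-MD5(secret, packet with the Request Authenticator
    in the authenticator field and its own value zeroed).  The Response
    Authenticator is then MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attr(ATTR_EAP_MESSAGE, eap_msg) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = bytes([ACCESS_CHALLENGE, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    ma = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attr(ATTR_EAP_MESSAGE, eap_msg) + attr(ATTR_MESSAGE_AUTHENTICATOR, ma)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_challenge(packet, request_auth, secret):
    """What a NAS should do on receipt: check the Response Authenticator and the
    Message-Authenticator, and refuse an EAP packet that lacks the latter."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + request_auth + attrs + secret).digest() != response_auth:
        return False
    zeroed, ma, pos = bytearray(attrs), None, 0
    while pos + 2 <= len(attrs):            # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False                    # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            ma = attrs[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if ma is None:
        return False
    expected = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, ma)


if __name__ == "__main__":
    print("client:", decode_eap(unescape_dump(IDENTITY_RESPONSE)))
    print("server:", decode_eap(unescape_dump(PEAP_START)))
    ra = unescape_dump(REQUEST_AUTHENTICATOR)
    pkt = build_challenge(183, ra, unescape_dump(PEAP_START), SHARED_SECRET)
    print("challenge verifies:", verify_challenge(pkt, ra, SHARED_SECRET))
```

Run it as-is to see the decoded headers; to check a real capture, paste the dump strings in place of the constants and supply the NAS's actual shared secret, since the Response Authenticator and Message-Authenticator only verify against the secret that was used to sign them.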