(RADIATOR) authenticating wireless client through radiator against vms radius server

John Pertalion pertalionaj at appstate.edu
Wed Mar 30 09:52:46 CST 2005


Hello Hugh,

Thanks for the advice.  I've modified the radius.cfg to use the AuthBy 
File for the outer request and added EAPAnonymous %0 to the outer 
request as it was sending 'anonymous' as the User-Name to the inner 
request.  I also modified the Users file to use my username and 
anonymous with no password checking.  However, I'm getting rejected in 
the AuthBy File and the AuthBy Radius clause when trying to authenticate 
from the client.  radpwtst will work for AuthBy File.  What am I doing 
wrong?  Included are my users file, radius.cfg and the error message I'm 
receiving.

Thanks,

John Pertalion
Appalachian State University

/**********************************/
users file:
# users

pertalionaj

anonymous

/**********************************/
radius.cfg file:
LogDir          /var/log/radius
DbDir           /etc/radiator

AuthPort        1812
AcctPort        1813

# User a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
         Secret  testsecret
         DupInterval 0
</Client>

# This is where we autneticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
         <AuthBy RADIUS>
                 #VMS Radius Server
                 Host testserver
                 Secret testsecret
                 AuthPort 1645
                 AcctPort 1646
                 Retries 3
                 RetryTimeout 5
                 StripFromReply Framed-IP-Netmask,Framed-Compression

                 #eap_peap.cfg contents
                 #EAPType MSCHAP-V2

         </AuthBy>
</Handler>

#<Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
<Handler>
         <AuthBy FILE>
                 Filename %D/users

                 #eap_peap.cfg contents
                 EAPType PEAP
                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM
                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever
                 EAPTLS_MaxFragmentSize 1000
                 AutoMPPEKeys
                 SSLeayTrace 4
                 EAPTLS_PEAPVersion 0

                 #EAPAnonymous specifies the User-Name used in the EAP 
inner request
                 #Using %0 replaces the default 'anonymous' with the EAP 
Identity of
                 #the EAP inner request.  The EAP Identity is the actual 
User-Name needed
                 #to for authentication
                 EAPAnonymous %0
         </AuthBy>
</Handler>

/**********************************/
Log of unsuccessful login from client:

Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 163
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = <2><1><0><16><1>pertalionaj
         Message-Authenticator = 
<235><186><255><24><131><19><228><157>:<212><220><241>i<162><18>D

Wed Mar 30 09:35:47 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:47 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:47 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:47 2005: DEBUG: Handling with EAP: code 2, 1, 16
Wed Mar 30 09:35:47 2005: DEBUG: Response type 1
Wed Mar 30 09:35:47 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 163
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = <1><2><0><6><25>
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 162
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = 
<2><2><0>f<25><128><0><0><0>\<22><3><1><0>W<1><0><0>S<3><1>BJ<199>I@;7<170><149>-<136>n<195><195><169><146><19><25><5>4(<27><25><253><145><128><170><194><211>{<212><13><0><0>,<0><5><0><4><0><10><255><131><0><9><255><130><0><3><0><8><0><6><255><128><0><1><0><22><0><21><0><20><0><19><0><18><0><17><0><24><0><27><0><26><0><23><0><25><1><0>
         Message-Authenticator = <222><218>j<9><245>Bot_<223><145>8SQl5

Wed Mar 30 09:35:47 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:47 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:47 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:47 2005: DEBUG: Handling with EAP: code 2, 2, 102
Wed Mar 30 09:35:47 2005: DEBUG: Response type 25
Wed Mar 30 09:35:47 2005: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Wed Mar 30 09:35:47 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 162
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = 
<1><3><3><242><25><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>BJ<185>C<133>/W<189> 
<239>]<188><214>l<211><219>Z\<161><227><211><162><203>X`<3><29><192><2>%|<197> 
<215>7<154><248><227>M<183>|<198><217>k\<137><204><196><186><<139><129>6<147>`:e^j<255><128>5*)<235><0><5><0><22><3><1><7><27><11><0><7><23><0><7><20><0><2><209>0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
         EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use 
in production)1 
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>040316080209Z<23><13>060316080209Z0u1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<24>0<22><6><3>U<4><10><19><15>My 
Test 
Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1>
         EAP-Message = 
<1><5><0><3><129><141><0>0<129><137><2><129><129><0><216>4<7><6><214><234>/<241>.9<209><250>\y<1><149>[<215><24>e<133><15><223>d<176><132>Z<222>#<234><12>%<133>aF<28><20><24><218><160><197><239><237><136><222><218><138><6><19><247>}*3B<155><24>TE<18><240><194><220><164><183>9<192><176>/<16>HI<220><169>vN<215>)<31><207><24><157><230>G<186>)<246>J<195><171><154><249><220>v<17><159><2>x<29><136><148>:b<170><254><4><207><183><144><210><251>+<233><135>0<212>Y<207><158>N<226><136><12><132><143><250><182><218>W<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0>n<23><196><159>c<165><188>>q<129>X<13>=l?<174><155><170><162><189><20><25>az<19>o<202><250>|B8N<209><225><253>?hv<170><193><235><2>b<16><201>}<250>,<181>q<154>%<182><29><179>p<211><248>oba<
         EAP-Message = 
JP<13>p<12>+<154><199>1<16><208><138><21><141>'wrX<214>NUW<231><173><25>w<215><13><152><154>T<218><8><246><202>.<177>9s*<220><219>n"Gu<188><254><206>U?<214>)<181>I2^<157><225><174><232>2e<185>k<131><0><4>=0<130><4>90<130><3><162><160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do no
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 164
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = <2><3><0><6><25><0>
         Message-Authenticator = 
<127><239><248><143>Z<210><242><216><229>IZ<141><24><210>|<231>

Wed Mar 30 09:35:47 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:47 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:47 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:47 2005: DEBUG: Handling with EAP: code 2, 3, 6
Wed Mar 30 09:35:47 2005: DEBUG: Response type 25
Wed Mar 30 09:35:47 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 164
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = <1><4><3><238><25>@t use in production)1 
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>040316080125Z<23><13>060316080125Z0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in p
         EAP-Message = roduction)1 
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><204><181>%Q<192>7g0<140><153>0xg<240><152><248><199><214><253>W<7><220>|fd<163><137>%F<216><220><148><230><6><18>ie<144>'<244>P<8>DxJ<138>n<203>k8<164><239><179>H<237>K<182>mo<155><145><138><143><136><127><230><<9>l<172><210><205><136><162><29>)1<4><206><11>g<163><226>i@<206>o<210>,<185><173><234><3>^4<221><252><168>H<178><158><25><235><152><250>g<199><172><250>uSr<156><205>P<150>O<197><240>=a<255>_<209><12><163><0>U<2><3><1><0><1><163><130><1>+0<130><1>'0<29><6><3>U<29><14><4><22><4><20><23><2><196>#<233><210>F0D<173>f]r<193>H?<164><27>ke0<129><247><6><3>U<29>#
         EAP-Message = 
<4><129><239>0<129><236><128><20><23><2><196>#<233><210>F0D<173>f]r<193>H?<164><27>ke<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130><1><0>0<12><6><3>U<29><19><4><5>0<3>
         EAP-Message = 
<1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0>0<3>=<202><190><236>S<216><228>o<177><242><18>hEBe<219>W<136><245>tf<202><143><160><29><220>p9<5><24>2<185>)<128><227>8<17><247>'_J<28><159>;_<202><254><242>+{=P<245><215>K<160><136>qml<181><24>3<0>f<166>Q(<2><193><29>-<228><19><184>C<139>9}r1<188>DTlK<255><15><12>TL<160><177>DuY+<156><143><225><149><237><135>ix<22>O<231><212><154><184><10>fZ<248>Va#<192><160>l<21><129>0<199>6<22><3><1><0><220><13><0><0><212><2><1><2><0><207><0><205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certif
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 166
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = <2><4><0><6><25><0>
         Message-Authenticator = 
<192><203><252><194>B<245><195><191>[<127><246>x<193><211>^<246>

Wed Mar 30 09:35:47 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:47 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:47 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:47 2005: DEBUG: Handling with EAP: code 2, 4, 6
Wed Mar 30 09:35:47 2005: DEBUG: Response type 25
Wed Mar 30 09:35:47 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Challenge
Wed Mar 30 09:35:47 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 166
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = 
<1><5><0><134><25><0>icates1!0<31><6><3>U<4><11><19><24>Test Certificate 
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<14><0><0><0>
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 165
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = 
<2><5><0><208><25><128><0><0><0><198><22><3><1><0><7><11><0><0><3><0><0><0><22><3><1><0><134><16><0><0><130><0><128><157><209>3<29> 
<209><222>3<144>L<178><10>!<154>5<253><241><181><13><224><170>#<154><14>o<145>L<208>N<242><152><227>dC<143>m<170><30><169><.<139>Dhq<30><191>g<220><233><183>1<240><209><249><23>S<4><141><168>I<167><21><176><11>R<176><185><140>1<245>><18>x<19><24><11>0N;<136>E<204><30><253><16>X<201><153><144><182><129>D<201><7><1>=<214>r<18>><2>|}<244>"<248><7>YN<210>a<156><162><137>B<133><162><205>A<144><203><236><10><16>(<218>b<20><3><1><0><1><1><22><3><1><0>$4f<208><13>b<155><195><143>+<246>@BN<175><144>2<31>r<8>g<194><201>qx<242><163><249><153><175><216>k<187>5j<203><27>
         Message-Authenticator = 
<188><134><15><197><243>b<188><225><222>1A<233>j<247><135>y

Wed Mar 30 09:35:48 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:48 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:48 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:48 2005: DEBUG: Handling with EAP: code 2, 5, 208
Wed Mar 30 09:35:48 2005: DEBUG: Response type 25
Wed Mar 30 09:35:48 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Wed Mar 30 09:35:48 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 30 09:35:48 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Wed Mar 30 09:35:48 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Challenge
Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 165
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = 
<1><6><0>9<25><128><0><0><0>/<20><3><1><0><1><1><22><3><1><0>$L<156><220>g<194><222><135>=<6>Z+<241><2><148><12><244><246><1><13>A<250>T<193><250><249><167>,T|T<245>B<166><210><241><199>
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 167
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = <2><6><0><6><25><0>
         Message-Authenticator = 
5<249><144><145>8<251><172>W<183><217><181><2>37K<246>

Wed Mar 30 09:35:48 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:48 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:48 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:48 2005: DEBUG: Handling with EAP: code 2, 6, 6
Wed Mar 30 09:35:48 2005: DEBUG: Response type 25
Wed Mar 30 09:35:48 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 30 09:35:48 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Wed Mar 30 09:35:48 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Challenge
Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 167
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = <1><7><0> 
<25><0><23><3><1><0><21><153><174>e2<171><31><12>|<252>8<188><229><163><223><241><131>W}TP=
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 168
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = <2><7><0>+<25><0><23><3><1><0> 
<30>XT<147><30><235><138>e<227><250><185><28><220>I<174><176><235>E<232>B<29>v<152><140><211>3<149>Q<154>3i<249>
         Message-Authenticator = 
<15><221><200>F<145><146><148>k<195>7#<161><156><204><223>2

Wed Mar 30 09:35:48 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:48 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:48 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:48 2005: DEBUG: Handling with EAP: code 2, 7, 43
Wed Mar 30 09:35:48 2005: DEBUG: Response type 25
Wed Mar 30 09:35:48 2005: DEBUG: EAP PEAP inner authentication request 
for pertalionaj
Wed Mar 30 09:35:48 2005: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  E<246><)<c<133>'J<16>yI<131><251>5<143>
Attributes:
         EAP-Message = <2><7><0><12><1>pertalionaj
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         Calling-Station-Id = "0030651084D0"

Wed Mar 30 09:35:48 2005: DEBUG: Handling request with Handler 
'TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Wed Mar 30 09:35:48 2005: DEBUG:  Deleting session for , 152.10.209.1, 1
Wed Mar 30 09:35:48 2005: DEBUG: Handling with Radius::AuthRADIUS
Wed Mar 30 09:35:48 2005: DEBUG: AuthBy RADIUS creates new local socket 
'0.0.0.0' for sending requests
Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Sending to 152.10.1.40 port 1645 ....
Code:       Access-Request
Identifier: 1
Authentic:  E<246><)<c<133>'J<16>yI<131><251>5<143>
Attributes:
         EAP-Message = <2><7><0><12><1>pertalionaj
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         Calling-Station-Id = "0030651084D0"

Wed Mar 30 09:35:48 2005: DEBUG: AuthBy RADIUS result: IGNORE,
Wed Mar 30 09:35:48 2005: DEBUG: EAP result: 2, EAP PEAP inner 
authentication redespatched to a Handler
Wed Mar 30 09:35:48 2005: DEBUG: AuthBy FILE result: IGNORE, EAP PEAP 
inner authentication redespatched to a Handler
Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Received from 152.10.1.40 port 1645 ....
Code:       Access-Reject
Identifier: 1
Authentic:  <164>#^Jj<224><134><131><153><214><12><210>X<31><8>v
Attributes:

Wed Mar 30 09:35:48 2005: DEBUG: Received reply in AuthRADIUS for req 1 
from 152.10.1.40:1645
Wed Mar 30 09:35:48 2005: INFO: Access rejected for pertalionaj: Proxied
Wed Mar 30 09:35:48 2005: DEBUG: Access challenged for pertalionaj: EAP 
PEAP Inner authentication failure
Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Challenge
Identifier: 168
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = 
<1><8><0>*<25><0><23><3><1><0><31><193><215>H_h<205><173><197><6><169>B<15><208><208><204><166><194><3><165><177>>6~<235>c<234><154><217><226><181><187>
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code:       Access-Request
Identifier: 170
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.209.1
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86018580"
         Framed-MTU = 1100
         EAP-Message = 
<2><8><0>*<25><0><23><3><1><0><31><132><138><186><137>6<20><210><139><241><203><160> 
<240>C`<199><164>6<241><175><8><127><167><2><12><156>&<207><155><214><149>
         Message-Authenticator = 
#<12><188><191><214><137><30><15>{<22>Z-w<172><192><222>

Wed Mar 30 09:35:48 2005: DEBUG: Handling request with Handler ''
Wed Mar 30 09:35:48 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.209.1, 1
Wed Mar 30 09:35:48 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 30 09:35:48 2005: DEBUG: Handling with EAP: code 2, 8, 42
Wed Mar 30 09:35:48 2005: DEBUG: Response type 25
Wed Mar 30 09:35:48 2005: DEBUG: EAP result: 1, PEAP Authentication Failure
Wed Mar 30 09:35:48 2005: DEBUG: AuthBy FILE result: REJECT, PEAP 
Authentication Failure
Wed Mar 30 09:35:48 2005: INFO: Access rejected for pertalionaj: PEAP 
Authentication Failure
Wed Mar 30 09:35:48 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code:       Access-Reject
Identifier: 170
Authentic:  (<23><153><201>=<255><178><235><26><165>f<201>&<232><236><22>
Attributes:
         EAP-Message = <4><8><0><4>
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
         Reply-Message = "Request Denied"







Hugh Irvine wrote:
> 
> Hello John -
> 
> Keep in mind that EAP is actually a series of requests that are  
> exchanged, with only the final one in the sequence being the one that  
> contains the user credentials. The initial requests are called the  
> "outer" authentication and the final request is called the "inner"  
> authentication.
> 
> You should probably be using the AuthBy FILE for the "outer"  
> authentication, and only proxy the "inner" authentication with the  
> AuthBy RADIUS clause. Something like this (TunnelledByPEAP=1 indicates  
> the "inner" request):
> 
> LogDir          /var/log/radius
> DbDir           /etc/radiator
> 
> AuthPort        1812
> AcctPort        1813
> 
> # User a lower trace level in production systems:
> Trace           4
> 
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
> 
> # This is where we autneticate a PEAP inner request, which will be an  EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> 
> <Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
>         <AuthBy RADIUS>
>         #<AuthBy FILE>
>                 #Filename %D/users
> 
>                 #VMS Radius Server
>                 Host ####.######.edu
>                 Secret ###########
>                 AuthPort 1645
>                 AcctPort 1646
>                 Retries 3
>                 RetryTimeout 5
>                 StripFromReply Framed-IP-Netmask,Framed-Compression
> 
>                 #eap_peap.cfg contents
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
> 
> <Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
>         <AuthBy FILE>
>                 Filename %D/users
>                 #eap_peap.cfg contents
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
> 
> 
> 
> On 25 Mar 2005, at 20:52, John Pertalion wrote:
> 
>> Hello,
>>
>> I'm having difficulty authenticating a client on a Aruba wireless  
>> network through Radiator against a VMS based radius server.
>>
>> I've tried building up from several simpler scenarios and have had  
>> success.  I can't get the last part working.  I'm stumped because I'm  
>> not really sure of what I'm looking at in the logfile.  Any  
>> suggestions are gratefully appreciated.
>>
>> I can authenticate through Radiator to the VMS based radius server  
>> using radpwtst on the box running the Radiator server with the  
>> radius.cfg listed below.  It's an adaptation of eap_peap.cfg in the  
>> ./goodies
>>
>> I can authenticate from the Aruba switch AAA authentication test  
>> through Radiator to the VMS based radius server using the same  
>> radius.cfg
>>
>> I can authenticate from the client on the Aruba wireless network 
>> using  AuthBy FILE, which is basically the eap_peap.cfg.
>>
>> I can't authenticate from the client on the wireless network through  
>> Radiator to the VMS based radius server.  I've included a log of this  
>> unsuccessful attempt below.  Also is my radius.cfg and a log of a  
>> successful login from the AAA authentication test on the wireless  
>> switch.
>>
>> I'm fairly new to this, so you may need to point out the obvious.
>>
>> Thanks,
>>
>> John Pertalion
>> Appalachian State University
>> Boone, NC
>>
>>
>> / 
>> *********************************************************************** /
>>
>> my radius.cfg:
>>
>> LogDir          /var/log/radius
>> DbDir           /etc/radiator
>>
>> AuthPort        1812
>> AcctPort        1813
>>
>> # User a lower trace level in production systems:
>> Trace           4
>>
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client DEFAULT>
>>         Secret  mysecret
>>         DupInterval 0
>> </Client>
>>
>> # This is where we autneticate a PEAP inner request, which will be an  
>> EAP
>> # request. The username of the inner request will be anonymous,  although
>> # the identity of the EAP request will be the real username we are
>> # trying to authenticate.
>> <Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
>>         <AuthBy RADIUS>
>>         #<AuthBy FILE>
>>                 #Filename %D/users
>>
>>                 #VMS Radius Server
>>                 Host ####.######.edu
>>                 Secret ###########
>>                 AuthPort 1645
>>                 AcctPort 1646
>>                 Retries 3
>>                 RetryTimeout 5
>>                 StripFromReply Framed-IP-Netmask,Framed-Compression
>>
>>                 #eap_peap.cfg contents
>>                 EAPType MSCHAP-V2
>>         </AuthBy>
>> </Handler>
>>
>> <Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
>>         <AuthBy RADIUS>
>>         #<AuthBy FILE>
>>                 #Filename %D/users
>>
>>                 #VMS Radius Server
>>                 Host ####.######.edu
>>                 Secret ###########
>>                 AuthPort 1645
>>                 AcctPort 1646
>>                 Retries 3
>>                 RetryTimeout 5
>>                 StripFromReply Framed-IP-Netmask,Framed-Compression
>>
>>                 #eap_peap.cfg contents
>>                 EAPType PEAP
>>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>                 EAPTLS_PrivateKeyPassword whatever
>>                 EAPTLS_MaxFragmentSize 1000
>>                 AutoMPPEKeys
>>                 SSLeayTrace 4
>>                 EAPTLS_PEAPVersion 0
>>         </AuthBy>
>> </Handler>
>>
>>
>> / 
>> *********************************************************************** /
>>
>> Log of unsuccessful login from client:
>>
>> Fri Mar 25 13:23:14 2005: DEBUG: Packet dump:
>> *** Received from 152.10.209.2 port 32882 ....
>> Code:       Access-Request
>> Identifier: 26
>> Authentic:   o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
>> Attributes:
>>         User-Name = "pertalionaj"
>>         NAS-IP-Address = 152.10.209.1
>>         NAS-Port = 1
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Calling-Station-Id = "0030651084D0"
>>         Called-Station-Id = "000B86018580"
>>         Framed-MTU = 1100
>>         EAP-Message = <2><1><0><16><1>pertalionaj
>>         Message-Authenticator =  
>> <213>]<237><3>{<189>V8<223><134>xc<254>}<19>=
>>
>> Fri Mar 25 13:23:14 2005: DEBUG: Handling request with Handler  
>> 'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
>> Fri Mar 25 13:23:14 2005: DEBUG:  Deleting session for pertalionaj,  
>> 152.10.209.1, 1
>> Fri Mar 25 13:23:14 2005: DEBUG: Handling with Radius::AuthRADIUS
>> Fri Mar 25 13:23:14 2005: DEBUG: Packet dump:
>> *** Sending to 152.10.1.40 port 1645 ....
>> Code:       Access-Request
>> Identifier: 1
>> Authentic:   o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
>> Attributes:
>>         User-Name = "pertalionaj"
>>         NAS-IP-Address = 152.10.209.1
>>         NAS-Port = 1
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Calling-Station-Id = "0030651084D0"
>>         Called-Station-Id = "000B86018580"
>>         Framed-MTU = 1100
>>         EAP-Message = <2><1><0><16><1>pertalionaj
>>         Message-Authenticator =  
>> <213>]<237><3>{<189>V8<223><134>xc<254>}<19>=
>>
>> Fri Mar 25 13:23:14 2005: DEBUG: AuthBy RADIUS result: IGNORE,
>> Fri Mar 25 13:23:15 2005: DEBUG: Packet dump:
>> *** Received from 152.10.1.40 port 1645 ....
>> Code:       Access-Reject
>> Identifier: 1
>> Authentic:  <227><131><30>.<142><137><151><8><201>Z#<173>%;<151>a
>> Attributes:
>>
>> Fri Mar 25 13:23:15 2005: DEBUG: Received reply in AuthRADIUS for req  
>> 1 from 152.10.1.40:1645
>> Fri Mar 25 13:23:15 2005: INFO: Access rejected for pertalionaj:  Proxied
>> Fri Mar 25 13:23:15 2005: DEBUG: Packet dump:
>> *** Sending to 152.10.209.2 port 32882 ....
>> Code:       Access-Reject
>> Identifier: 26
>> Authentic:   o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
>> Attributes:
>>         Reply-Message = "Request Denied"
>>
>>
>> / 
>> *********************************************************************** /
>>
>> Log of successful login from Aruba Switch:
>>
>> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
>> *** Received from 152.10.209.2 port 32882 ....
>> Code:       Access-Request
>> Identifier: 25
>> Authentic:  H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
>> Attributes:
>>         User-Name = "pertalionaj"
>>         User-Password =  
>> "<20>~<198><201><152>nR<172><155>1s<201>P<147><187>w"
>>         NAS-IP-Address = 152.10.209.1
>>         NAS-Port = 0
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>
>> Fri Mar 25 13:20:02 2005: DEBUG: Handling request with Handler  
>> 'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
>> Fri Mar 25 13:20:02 2005: DEBUG:  Deleting session for pertalionaj,  
>> 152.10.209.1, 0
>> Fri Mar 25 13:20:02 2005: DEBUG: Handling with Radius::AuthRADIUS
>> Fri Mar 25 13:20:02 2005: DEBUG: AuthBy RADIUS creates new local  
>> socket '0.0.0.0' for sending requests
>> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
>> *** Sending to 152.10.1.43 port 1645 ....
>> Code:       Access-Request
>> Identifier: 1
>> Authentic:  H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
>> Attributes:
>>         User-Name = "pertalionaj"
>>         User-Password =  
>> "<132>_J<208><163><4><249><27><214>F<244><238>t<<31><179>"
>>         NAS-IP-Address = 152.10.209.1
>>         NAS-Port = 0
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>
>> Fri Mar 25 13:20:02 2005: DEBUG: AuthBy RADIUS result: IGNORE,
>> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
>> *** Received from 152.10.1.43 port 1645 ....
>> Code:       Access-Accept
>> Identifier: 1
>> Authentic:  <3>><175><152><170><196><135><141>Dh<151><<221><9>R<27>
>> Attributes:
>>
>> Fri Mar 25 13:20:02 2005: DEBUG: Received reply in AuthRADIUS for req  
>> 1 from 152.10.1.43:1645
>> Fri Mar 25 13:20:02 2005: DEBUG: Access accepted for pertalionaj
>> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
>> *** Sending to 152.10.209.2 port 32882 ....
>> Code:       Access-Accept
>> Identifier: 25
>> Authentic:  H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
>> Attributes:
>>
>> -- 
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
> 
> NB: I am travelling this week, so there may be delays in our  
> correspondence.
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list