(RADIATOR) Re: RE : (RADIATOR) PEAP/MSCHAP-V2 and realms

Hugh Irvine hugh at open.com.au
Wed Oct 5 06:36:55 CDT 2005


Hello Stephane -

There are a number of problems with what you are trying to do.

The first problem is that you cannot rewrite a username that is to be  
used with MS-CHAP. This is a limitation of MS-CHAP.

Instead of using RewriteUsername's and Realm's, you should just do  
something like this:


<Handler User-Name = /^FR-MX-COM/, TunnelledByPEAP = 1>
         .....
</Handler>

<Handler User-Name = /^US-MX-COM/, TunnelledByPEAP = 1>
         .....
</Handler>

<Handler Called-Station-Id = /MX_WIFI/>
         .....
</Handler>


Hope that helps.

regards

Hugh
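
Added example, not part of the original message and not Radiator's own code: a simplified Python model of first-match Handler selection, showing why the tunnelled inner request in the trace below fell through to Handler '' and how the Handler clauses above route it by domain prefix instead. Modelling TunnelledByPEAP as a plain request key is an assumption, and the request dictionaries are constructed from the attributes shown in the trace.

```python
import re


def parse_checks(spec):
    """Split a Handler check list such as
    'User-Name = /^FR-MX-COM/, TunnelledByPEAP = 1' into (attr, value) pairs.
    Simplification: a regex containing a comma is not supported."""
    checks = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        attr, value = (p.strip() for p in item.split("=", 1))
        checks.append((attr, value))
    return checks


def check_matches(attr, value, request):
    """One check item: /regex/ values are searched, anything else is compared."""
    actual = request.get(attr)
    if actual is None:
        return False
    if len(value) >= 2 and value.startswith("/") and value.endswith("/"):
        return re.search(value[1:-1], actual) is not None
    return actual == value


def select_handler(handlers, request):
    """Return the first handler (in configuration order) whose checks all match.
    An empty check list matches every request, like the Handler '' in the trace.
    Returns None when nothing matches."""
    for spec in handlers:
        if all(check_matches(a, v, request) for a, v in parse_checks(spec)):
            return spec
    return None


# Handlers visible in the trace: the Called-Station-Id one and a catch-all.
ORIGINAL = ["Called-Station-Id = /MX_WIFI/", ""]

# Handlers from the reply above, in the same order.
SUGGESTED = [
    "User-Name = /^FR-MX-COM/, TunnelledByPEAP = 1",
    "User-Name = /^US-MX-COM/, TunnelledByPEAP = 1",
    "Called-Station-Id = /MX_WIFI/",
]

# Constructed requests. The outer one carries Called-Station-Id; the inner
# (tunnelled) one in the trace does not, which is why it cannot be matched
# by the Called-Station-Id handler.
OUTER_FR = {
    "User-Name": r"FR-MX-COM\fruser",
    "Called-Station-Id": "00-0B-0E-13-17-41:MX_WIFI",
    "NAS-Identifier": "Trapeze",
}
INNER_FR = {
    "User-Name": r"FR-MX-COM\fruser",
    "NAS-Identifier": "Trapeze",
    "Calling-Station-Id": "00-04-23-6D-E4-78",
    "TunnelledByPEAP": "1",  # assumption: flag modelled as a request key
}
INNER_US = dict(INNER_FR, **{"User-Name": r"US-MX-COM\ususer"})
INNER_OTHER = dict(INNER_FR, **{"User-Name": r"XX-MX-COM\someone"})


def routing_table(handlers):
    """Map each sample request name to the handler that would take it."""
    samples = {
        "outer FR": OUTER_FR,
        "inner FR": INNER_FR,
        "inner US": INNER_US,
        "inner other": INNER_OTHER,
    }
    return {name: select_handler(handlers, req) for name, req in samples.items()}


if __name__ == "__main__":
    for label, handlers in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label)
        for name, chosen in routing_table(handlers).items():
            print(f"  {name:12} -> {chosen!r}")
```

With the suggested handlers, an inner request for a domain prefix that has no handler matches nothing, rather than landing in a catch-all that was never meant to do EAP.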


On 5 Oct 2005, at 11:46, DELORT Stephane wrote:

> Hello Hugh,
>
>
> here is a copy of the trace 4 debug.
>
> Before you  read it, you should know that the check of the Realm is  
> OK if it is done in the first handler to be called : <Handler  
> Called-Station-Id=/MX_WIFI/ , Realm=FR-MX-COM>
> The problem there is that we cannot change or select the domain  
> controller to be used since there is no link between this handler  
> and the one responsible for the LSA part.
>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 52
> Authentic:  <6><165><135>=Y<221>[2o<181>@<131>r&<146><0>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  EAP-Message = <2><1><0><25><1>FR-MX-COM\fruser
>  User-Name = "FR-MX-COM\fruser"
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <246><238><155><1><198><151><247>>c,<23>p<225>^<137><193>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 1, 25
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 52
> Authentic:  <6><165><135>=Y<221>[2o<181>@<131>r&<146><0>
> Attributes:
>  EAP-Message = <1><2><0><6><25>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 53
> Authentic:  <16><157><137><195>"<223>B@\<190><229>y[<200><194><190>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message =  
> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>CC<144>M_<1 
> 41>+dj<26>D6<18>{857'<179>D<223><133><213><254>II  
> 1<237>s<180><248><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0>< 
> 6><0><19><0><18><0>c<1><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <181>2<147><174>q<254>W<147>z<0>3<131><225><195><9><25>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 2, 80
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP TLS SSL_accept result: -1, 2,  
> 8576
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 53
> Authentic:  <16><157><137><195>"<223>B@\<190><229>y[<200><194><190>
> Attributes:
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 54
> Authentic:  '<146><140><160>c<254><208>Yt<208><4><30>k<7><20><255>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = <2><3><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <161><165>,<28><211><139><216><<23><18>h<144>X<245>`<204>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 54
> Authentic:  '<146><140><160>c<254><208>Yt<208><4><30>k<7><20><255>
> Attributes:
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 55
> Authentic:  E<160><201>1/<168><200><22><14><216><21><151>2_c<132>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <0>V<246>ub<141>Tc<144><178><251><238><137>K<16><237>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 4, 327
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 55
> Authentic:  E<160><201>1/<168><200><22><14><216><21><151>2_c<132>
> Attributes:
>  EAP-Message = <1><5><0>5<25><128><0><0><0> 
> +<20><3><1><0><1><1><22><3><1><0> <158>^o_|a<219><161>) 
> <231>W7r<244>]^<17><165><172>!<208>:.<250>rcKRQF<195>D
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 56
> Authentic:  P<12><174>g}3<212><20>5'<148><189>8Z<26><178>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = <2><5><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <198> 
> {<21>r<174>&9<8><160>b<205><194><184><218><229>t
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 5, 6
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 56
> Authentic:  P<12><174>g}3<212><20>5'<148><189>8Z<26><178>
> Attributes:
>  EAP-Message =  
> <1><6><0><28><25><0><23><3><1><0><17><16><31>*<21><183><214>J<244><153 
> ><239><17><190>\<153><16><237><233>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 57
> Authentic:  !<174><197><253>vk<146><242>K<191>}C}<132><239><192>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = <2><6><0>0<25><0><23><3><1><0>% 
> <4>i<130>R<128><151><2><160><28>]3<10><221>fR<241><13>U<139><231> 
> (<247><224><24><129><144><222>O<141><206><9><192>\<251>wT<178>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> 7<243>5n<207><209>11k<226><143><207><209><7><138>d
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 6, 48
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP PEAP inner authentication  
> request for FR-MX-COM\fruser
> Wed Oct  5 10:35:24 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  q<218>9<193>d<224>x]<173>!<235><175><207><<206><
> Attributes:
>  EAP-Message = <2><6><0><21><1>FR-MX-COM\fruser
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  User-Name = "FR-MX-COM\fruser"
>  NAS-IP-Address = 172.21.20.202
>  NAS-Identifier = "Trapeze"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler ''
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for , 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthSQL:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 6, 21
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 1, EAP authentication  
> is not permitted.
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy SQL result: REJECT, EAP  
> authentication is not permitted.
> Wed Oct  5 10:35:24 2005: INFO: Access rejected for FR-MX-COM 
> \fruser: EAP authentication is not permitted.
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP inner  
> authentication redespatched to a Handler
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 57
> Authentic:  !<174><197><253>vk<146><242>K<191>}C}<132><239><192>
> Attributes:
>  EAP-Message =  
> <1><7><0>&<25><0><23><3><1><0><27>v<255><192><202><218><186><214><14>R 
> :J<231>y<246><171>n<140><197><7><252><226>#<18>=\<18><127>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 58
> Authentic:  m<224><249><160><6><153>9Yr<140><185><30>q<134>%<255>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message =  
> <2><7><0>&<25><0><23><3><1><0><27><179>&<198><202><144>% 
> <242>eR<151>QC<26><1><166><160>X<240><178>><25>o<18>Hd<146><197>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <174><31>Z<30><209>uGQ<148><149><141><204><150><250><255>K
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 7, 38
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 1, PEAP Authentication  
> Failure
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: REJECT, PEAP  
> Authentication Failure
> Wed Oct  5 10:35:24 2005: INFO: Access rejected for fruser at FR-MX- 
> COM: PEAP Authentication Failure
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Reject
> Identifier: 58
> Authentic:  m<224><249><160><6><153>9Yr<140><185><30>q<134>%<255>
> Attributes:
>  EAP-Message = <4><7><0><4>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  Reply-Message = "Request Denied"
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 59
> Authentic:   
> (<199><255><177><0><245><252><150>M<182>p<23>5<158><236><4>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  EAP-Message = <2><1><0><25><1>US-MX-COM\ususer
>  User-Name = "US-MX-COM\ususer"
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <19><223><167><146>j;<233><141>G`dJ~<19><166>F
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 1, 25
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 59
> Authentic:   
> (<199><255><177><0><245><252><150>M<182>p<23>5<158><236><4>
> Attributes:
>  EAP-Message = <1><2><0><6><25>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 60
> Authentic:  8<163><200><218>7<139>!<11>c<208><155><232><12><195>B<1>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message =  
> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>CC<144>ZV<2 
> 07><174>Oy<<216><3>% 
> 2<242><128><29><130>3<187><22>p<164><151><202><218>"? 
> <17><2><169><213><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0>< 
> 6><0><19><0><18><0>c<1><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <137><187><144><237>5<5>| 
> <160><195><182>wc<250> <20>s
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 2, 80
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP TLS SSL_accept result: -1, 2,  
> 8576
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 60
> Authentic:  8<163><200><218>7<139>!<11>c<208><155><232><12><195>B<1>
> Attributes:
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 61
> Authentic:  S%h<145>}<239><227><246>|<221>3<247>x<14><146>d
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message = <2><3><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <12>2<162><134>- 
> <159>c<19>e<225><6><204><193><145><131>~
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 61
> Authentic:  S%h<145>}<239><227><246>|<221>3<247>x<14><146>d
> Attributes:
>  EAP-Message =  
> <1><4><0><177><25><0><207><154><204><141><22><3><1><0><162><13><0><0>< 
> 154><2><1><2><0><149><0><147>0<129><144>1<11>0<9><6><3>U<4><6><19><2>F 
> R1<12>0<10><6><3>U<4><8><19><3>IDF1<14>0<12><6><3>U<4><7><19><5>Paris1 
> <21>0<19><6><3>U<4><10><19><12>MX S.A.S. 
> 1<16>0<14><6><3>U<4><11><19><7>systeam1<24>0<22><6><3>U<4><3><19><15>S 
> tephane Delort1  
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>fruser at MX.com<14><0>< 
> 0><0>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 62
> Authentic:  (T<29><1>|l<215><166><20>p<149><231><25>Fe<148>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message =  
> <2><4><1>G<25><128><0><0><1>=<22><3><1><1><13><11><0><0><3><0><0><0><1 
> 6><0><1><2><1><0><189><253><141><1><18>qb<25><129><21><251><30><17> 
> $<228><232><246>9<226>><195><138><132>A<5>S<244>Q! 
> d,w<218>=<23><173><177>4o,<181><17>cr<135><12>=<158><242><143><231>Dc< 
> 197><143><220><223><170>b<5><181>0<208><234><135>.<4><23><180><207><24 
> 2><243><155><163> <205><3><200>Ui<209>o}V^<10><165>J 
> \<27><205><133><20><145><186><136>><25><238><236><252>.Q<207><168><224 
> ><162><245><209><31><134>*"<31><181>A<247>v<150><14><156><26>v<0><140> 
> <231><184><17><20><8><10>Y<249><164><16><237>h<224><10><151> 
> +<198><171>T<179><26>m5S- 
> G<237><143><17><227>*5<243><223>nK<4>s<255>Oq<253><216><24>=<155><23>` 
> <191><10><253>#<202><138><167><0><184><192>Y<237><222><177><184><11><1 
> 6>7<251><145>/w<218><226><157>9<139>n<189><161>(<139>] 
> <153><198><21><30>W1<162><180><161><136>,<160><224>*N{R<242>
>  EAP-Message = <169><181><4><4><241><200><128><187><234><195><228>} 
> <132>~] 
> <217>G<9><224><149><237><203>&<140><181><143>#<159><199>7<179>2<20><3> 
> <1><0><1><1><22><3><1><0> <225>S<199>M\4<129>\<176>;@<219><1><20> 
> {<210>k<21>Fn<0><172>}<197><155>q<204><15><200><253>&y
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <13><142><20><10><141><151>:<253><25><193><134><184><188>8<216><218>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 4, 327
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 62
> Authentic:  (T<29><1>|l<215><166><20>p<149><231><25>Fe<148>
> Attributes:
>  EAP-Message = <1><5><0>5<25><128><0><0><0> 
> +<20><3><1><0><1><1><22><3><1><0>  
> <221>@<194><187>Z<129>kF<254><129><220>#<190><xK<28><144>B:b<5><145>lz 
> <249><167><159><128>R{<235>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 63
> Authentic:  fS<221><w<133><170><197>7O<236><26><29><19><163>K
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message = <2><5><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <24><190><144>| 
> <174><229><29><246><232><9><127><241><170>M<233><251>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 5, 6
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 63
> Authentic:  fS<221><w<133><170><197>7O<236><26><29><19><163>K
> Attributes:
>  EAP-Message =  
> <1><6><0><28><25><0><23><3><1><0><17><206><136><220>n<252><209>Ij<127> 
> <204><235><153><230><144><127><234>O
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 64
> Authentic:  7<245><244><210>p<189>i<163>M<231><212><160>b>xY
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message = <2><6><0>0<25><0><23><3><1><0>%<7> 
> \<230><194><208><136><174><150><240><214><140><6>/<146>! 
> <20><5><248>u<214><198><143><151><173>6<164> 
> $<174>II0<213><235><238><208>sC
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <0><149><254><30><218><7><184> 
> [<253>J<249><203>mRq%
>
> Wed Oct  5 10:35:38 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:38 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:38 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:38 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with EAP: code 2, 6, 48
> Wed Oct  5 10:35:38 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:38 2005: DEBUG: EAP PEAP inner authentication  
> request for US-MX-COM\ususer
> Wed Oct  5 10:35:38 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:   
> <0><171><222><212>A<162>W<182><131><188><149><198><173><20>h<182>
> Attributes:
>  EAP-Message = <2><6><0><21><1>US-MX-COM\ususer
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  User-Name = "US-MX-COM\ususer"
>  NAS-IP-Address = 172.21.20.202
>  NAS-Identifier = "Trapeze"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler ''
> Wed Oct  5 10:35:38 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for , 172.21.20.202,
> Wed Oct  5 10:35:38 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthSQL:
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with EAP: code 2, 6, 21
> Wed Oct  5 10:35:38 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:38 2005: DEBUG: EAP result: 1, EAP authentication  
> is not permitted.
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy SQL result: REJECT, EAP  
> authentication is not permitted.
> Wed Oct  5 10:35:38 2005: INFO: Access rejected for US-MX-COM 
> \ususer: EAP authentication is not permitted.
> Wed Oct  5 10:35:38 2005: DEBUG: EAP result: 3, EAP PEAP inner  
> authentication redespatched to a Handler
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:38 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 64
> Authentic:  7<245><244><210>p<189>i<163>M<231><212><160>b>xY
> Attributes:
>  EAP-Message =  
> <1><7><0>&<25><0><23><3><1><0><27><221><140><25>L<13><220><157><202><1 
> 82>A2, <153><7><1><137>J<133>?<0><0><188><251><0><249><243>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 65
> Authentic:  ;H<160>T3<190><11><253>r@`<242>0<31>3C
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message =  
> <2><7><0>&<25><0><23><3><1><0><27><152><128><171><30>z0<209><27><179>< 
> 138><27>A<166><228><231>uW<160>d<2>&<222>Y<171><11><198>}
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <245>B| 
> tG<28>.<198><27>w<241><192><142><237><202><241>
>
> Wed Oct  5 10:35:38 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:38 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:38 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:38 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with EAP: code 2, 7, 38
> Wed Oct  5 10:35:38 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:38 2005: DEBUG: EAP result: 1, PEAP Authentication  
> Failure
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy FILE result: REJECT, PEAP  
> Authentication Failure
> Wed Oct  5 10:35:38 2005: INFO: Access rejected for ususer at US-MX- 
> COM: PEAP Authentication Failure
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Reject
> Identifier: 65
> Authentic:  ;H<160>T3<190><11><253>r@`<242>0<31>3C
> Attributes:
>  EAP-Message = <4><7><0><4>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  Reply-Message = "Request Denied"
>
>
> Regards,
>
> Stéphane
>
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Date: Wed. 05/10/2005 10:24
> To: DELORT Stephane
> Cc: radiator at open.com.au; ZOUAIN Fatek
> Subject: Re: (RADIATOR) PEAP/MSCHAP-V2 and realms
>
>
> Hi Stephane -
>
> Could you please send us a copy of the trace 4 debug showing what is
> happening?
>
> regards
>
> Hugh
>
>
> On 5 Oct 2005, at 11:08, DELORT Stephane wrote:
>
> > Hello all,
> >
> > My company has different agencies in different countries. Each
> > agency has its own Active Directory with its own domain.
> > So, we've got fr.murex.com for France and us.murex.com for the US.
> >
> > I would like to authenticate the users in their realms.
> >
> > In order to do this I did :
> >
> > **********************************************
> >
> > ...
> >
> > # Tried with and without
> > RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> >
> >
> > # FR corporate users
> >
> > <Handler TunnelledByPEAP=1, realm=FR-MX-COM>
> >     AuthByPolicy ContinueWhileAccept
> >     AuthBy CheckMacAddress
> >     AuthBy CheckCorporateUsersFR
> > </Handler>
> >
> > <AuthBy LSA>
> >     Identifier CheckCorporateUsersFR
> >
> >     Group wifi
> >     DomainController frdomaincontroller
> >     EAPType MSCHAP-V2
> > </AuthBy>
> >
> >
> > # US corporate users
> >
> > <Handler TunnelledByPEAP=1, realm=US-MX-COM >
> >     AuthByPolicy ContinueWhileAccept
> >     AuthBy CheckMacAddress
> >     AuthBy CheckCorporateUsersUS
> > </Handler>
> >
> > <AuthBy LSA>
> >     Identifier CheckCorporateUsersUS
> >     DomainController usdomaincontroller
> >     EAPType MSCHAP-V2
> >     AddToReply TRPZ-VLAN-Name = mx_corpo
> > </AuthBy>
> >
> >
> >
> > <Handler Called-Station-Id=/MX_WIFI/ >
> >     MaxSessions 1
> >     <AuthBy FILE>
> >         EAPAnonymous    %0
> >
> >         EAPType PEAP
> >         EAPTLS_CAFile %D/certificates/certifs_murex/mycert.crt
> >
> >         EAPTLS_CertificateFile %D/certificates/certifs_murex/mycert.crt
> >         EAPTLS_CertificateType PEM
> >
> >         EAPTLS_PrivateKeyFile %D/certificates/certifs_murex/mycert.key
> >         EAPTLS_PrivateKeyPassword murex
> >
> >         EAPTLS_MaxFragmentSize 1000
> >         AutoMPPEKeys
> >         SSLeayTrace 4
> >         EAPTLS_SessionResumptionLimit 120
> >         EAPTLS_PEAPVersion 0
> >
> >     </AuthBy>
> > </Handler>
> >
> >
> > *************************************************
> >
> > Still, this does not work.
> > Is there a means to accomplish what I want without having to
> > authenticate the users against the central domain controller ?
> >
> > If I use the central domain controller (the 'father' of US-MX-COM
> > and FR-MX-COM), what happens when two users have the same login and
> > password ?
> >
> >
> > Best regards,
> > Stéphane
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>




More information about the radiator mailing list
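
An added example, not part of the original thread or of Radiator: Python that strips the mail quoting from a trace 4 log, rejoins the wrapped lines, and reports which Handler each request was dispatched to, so the tunnelled inner request that lands in Handler '' and is rejected by AuthSQL stands out. The sample is a constructed excerpt in the shape of the quoted trace; the function names are assumptions.

```python
import re

# Constructed sample: condensed, mail-wrapped excerpt in the shape of the quoted trace.
SAMPLE = """\
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:38 2005: DEBUG: EAP PEAP inner authentication
> request for US-MX-COM\\ususer
> Wed Oct  5 10:35:38 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler ''
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthSQL:
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy SQL result: REJECT, EAP
> authentication is not permitted.
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP inner authentication redespatched to a Handler
"""

STAMP = re.compile(r"^\w{3} \w{3}\s+\d+ [\d:]{8} \d{4}: \w+: ")

def records(trace):
    """Strip '>' quote markers and rejoin wrapped lines into one record per log entry."""
    out = []
    for raw in trace.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if STAMP.match(line):
            out.append(STAMP.sub("", line))
        elif out and line:
            out[-1] += " " + line  # continuation of the previous entry
    return out

def dispatches(trace):
    """One dict per Handler dispatch; a nested inner request gets its own result."""
    events, stack, tunnelled = [], [], False
    for rec in records(trace):
        if rec.startswith("PEAP Tunnelled request"):
            tunnelled = True  # the next dispatch is the inner (tunnelled) request
        elif (m := re.match(r"Handling request with Handler\s+'([^']*)'", rec)):
            ev = {"handler": m.group(1).strip(), "tunnelled": tunnelled,
                  "authby": None, "result": None, "reason": None}
            events.append(ev)
            stack.append(ev)
            tunnelled = False
        elif (m := re.match(r"Handling with Radius::(\w+)", rec)) and stack:
            stack[-1]["authby"] = stack[-1]["authby"] or m.group(1)
        elif (m := re.match(r"AuthBy \w+ result: (\w+), (.*)", rec)) and stack:
            ev = stack.pop()  # innermost open dispatch finishes first
            ev["result"], ev["reason"] = m.group(1), m.group(2)
    return events

def misrouted_inner(events):
    """Tunnelled requests handled by a Handler that has no TunnelledByPEAP check."""
    return [e for e in events if e["tunnelled"] and "TunnelledByPEAP" not in e["handler"]]
```

Run over the full trace, `misrouted_inner(dispatches(text))` lists every inner request that fell through to a Handler lacking a `TunnelledByPEAP` check.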