(RADIATOR) RE: RE : (RADIATOR) PEAP/MSCHAP-V2 and realms

DELORT Stephane Stephane.DELORT at murex.com
Wed Oct 5 07:07:01 CDT 2005


Hello Hugh, 

I found another workaround for this problem:


<Handler TunnelledByPEAP = 1>
    Identifier = CheckCorporateUsersFR
    .....
</Handler>

<Handler TunnelledByPEAP = 1>
    Identifier = CheckCorporateUsersUS
    .....
</Handler>

<Handler TunnelledByPEAP = 1>
    AuthByPolicy ContinueWhileAccept
    # The line below must check the MAC addresses of all domains
    AuthBy CheckMacAddress
    <AuthBy GROUP>
        AuthBy CheckCorporateUsersFR
        AuthBy CheckCorporateUsersUS
    </AuthBy>
</Handler>


<Handler Called-Station-Id = /MX_WIFI/>
         .....
</Handler>


For sure, this is not as clean as the solution you offer. Moreover it does not take the user's domain into account.
The problem might be when the same user (login/password) exists in two domains.

I will test your solution and let you know of the results.

Thanks and best regards,
Stéphane
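
To see why a handler keyed only on TunnelledByPEAP cannot tell the two domains apart, while the User-Name regex handlers Hugh suggests below can, here is an added simulation of Radiator's first-match Handler selection. It is not Radiator code: the requests are constructed from the trace quoted later in this thread, TunnelledByPEAP is modelled as an ordinary attribute on the inner request, and Python's re.search stands in for Radiator's Perl regex conditions.

```python
import re
from typing import Optional

# Requests constructed from the trace quoted later in this thread. The outer
# request is what the Trapeze NAS sends; the inner request is the PEAP
# tunnelled packet Radiator re-despatches (it carries no Called-Station-Id).
# TunnelledByPEAP is modelled here as a plain attribute on inner requests.
OUTER_FR = {
    "User-Name": "FR-MX-COM\\fruser",
    "Called-Station-Id": "00-0B-0E-13-17-41:MX_WIFI",
    "Calling-Station-Id": "00-04-23-6D-E4-78",
}
INNER_FR = {
    "User-Name": "FR-MX-COM\\fruser",
    "Calling-Station-Id": "00-04-23-6D-E4-78",
    "TunnelledByPEAP": "1",
}
INNER_US = dict(INNER_FR, **{"User-Name": "US-MX-COM\\ususer"})

# Handler lists as (name, conditions) in configuration order. The name is the
# condition string Radiator prints in "Handling request with Handler '...'";
# an empty condition set is the catch-all <Handler>.
ORIGINAL = [
    ("Called-Station-Id=/MX_WIFI/", {"Called-Station-Id": "/MX_WIFI/"}),
    ("", {}),
]
WORKAROUND = [
    ("TunnelledByPEAP=1", {"TunnelledByPEAP": "1"}),
    ("Called-Station-Id=/MX_WIFI/", {"Called-Station-Id": "/MX_WIFI/"}),
]
SUGGESTED = [
    ("User-Name=/^FR-MX-COM/, TunnelledByPEAP=1",
     {"User-Name": "/^FR-MX-COM/", "TunnelledByPEAP": "1"}),
    ("User-Name=/^US-MX-COM/, TunnelledByPEAP=1",
     {"User-Name": "/^US-MX-COM/", "TunnelledByPEAP": "1"}),
    ("Called-Station-Id=/MX_WIFI/", {"Called-Station-Id": "/MX_WIFI/"}),
]


def condition_holds(request: dict, attr: str, wanted: str) -> bool:
    """One Handler condition: attr=/regex/ is a pattern match, attr=value an
    exact match. A missing attribute never satisfies a condition."""
    value = request.get(attr)
    if value is None:
        return False
    if len(wanted) >= 2 and wanted[0] == "/" and wanted[-1] == "/":
        return re.search(wanted[1:-1], value) is not None
    return value == wanted


def dispatch(handlers, request: dict) -> Optional[str]:
    """First Handler whose conditions all hold wins; None if nothing matches."""
    for name, conditions in handlers:
        if all(condition_holds(request, a, w) for a, w in conditions.items()):
            return name
    return None


def route_table(handlers) -> dict:
    """Where each constructed request lands under a given Handler list."""
    return {
        "outer FR": dispatch(handlers, OUTER_FR),
        "inner FR": dispatch(handlers, INNER_FR),
        "inner US": dispatch(handlers, INNER_US),
    }


if __name__ == "__main__":
    for label, handlers in (("original", ORIGINAL), ("workaround", WORKAROUND),
                            ("suggested", SUGGESTED)):
        print(label, route_table(handlers))
```

Under ORIGINAL the inner request falls through to the catch-all Handler '', exactly as the trace shows; under WORKAROUND both domains' inner requests land in the same handler, which is the limitation noted above.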




-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Wednesday 5 October 2005 13:37
To: DELORT Stephane
Cc: radiator at open.com.au; ZOUAIN Fatek
Subject: Re: RE : (RADIATOR) PEAP/MSCHAP-V2 and realms



Hello Stephane -

There are a number of problems with what you are trying to do.

The first problem is that you cannot rewrite a username that is to be
used with MS-CHAP. This is a limitation of MS-CHAP.

Instead of using RewriteUsernames and Realms, you should just do
something like


<Handler User-Name = /^FR-MX-COM/, TunnelledByPEAP = 1>
         .....
</Handler>

<Handler User-Name = /^US-MX-COM/, TunnelledByPEAP = 1>
         .....
</Handler>

<Handler Called-Station-Id = /MX_WIFI/>
         .....
</Handler>


Hope that helps.

regards

Hugh
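
The MS-CHAP limitation Hugh mentions comes from how MS-CHAPv2 binds the response to the user name: RFC 2759's ChallengeHash feeds the name the client used (without any prepended domain) into SHA-1, and the NT-Response is derived from that 8-octet result. The added Python below is not Radiator code; it implements that step with constructed challenge values to show that a server which verifies against the rewritten form fruser@FR-MX-COM seen in the trace can never agree with the client's computation.

```python
import hashlib


def strip_domain(user_name: str) -> str:
    """RFC 2759 section 8.2: only the user name as presented by the peer,
    excluding any prepended "DOMAIN\\" part, goes into the hash. A name the
    server has rewritten into user@realm form is NOT undone here, because
    the client never hashed that form."""
    return user_name.split("\\")[-1]


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName):
    SHA-1 over the 16-octet peer challenge, the 16-octet authenticator
    challenge and the user name, truncated to 8 octets. This value is the
    DES plaintext behind the 24-octet NT-Response, so any difference here
    changes the response the client produced."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(strip_domain(user_name).encode("utf-8"))
    return sha.digest()[:8]


def server_challenge_matches(client_identity: str, server_user_name: str,
                             peer_challenge: bytes,
                             authenticator_challenge: bytes) -> bool:
    """The client computes the challenge from the identity it sent; the server
    recomputes it from whatever User-Name it holds after RewriteUsername or
    Realm processing. Equal hashes are a precondition for the NT-Response
    check to succeed."""
    client_side = challenge_hash(peer_challenge, authenticator_challenge,
                                 client_identity)
    server_side = challenge_hash(peer_challenge, authenticator_challenge,
                                 server_user_name)
    return client_side == server_side


# Constructed challenge values (real ones are random per authentication).
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))

# The identity from the trace, and three forms a server might hold it in.
CLIENT_IDENTITY = "FR-MX-COM\\fruser"
CANDIDATES = {
    "as sent": "FR-MX-COM\\fruser",
    "domain stripped": "fruser",
    "rewritten to user@realm": "fruser@FR-MX-COM",
}


def verification_outcomes() -> dict:
    """Which server-side user-name forms still agree with the client's hash."""
    return {label: server_challenge_matches(CLIENT_IDENTITY, name,
                                            PEER_CHALLENGE,
                                            AUTHENTICATOR_CHALLENGE)
            for label, name in CANDIDATES.items()}


if __name__ == "__main__":
    for label, ok in verification_outcomes().items():
        print(f"{label:26s} {'matches' if ok else 'MISMATCH'}")
```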


On 5 Oct 2005, at 11:46, DELORT Stephane wrote:

> Hello Hugh,
>
>
> here is a copy of the trace 4 debug.
>
> Before you read it, you should know that the check of the Realm is
> OK if it is done in the first handler to be called: <Handler
> Called-Station-Id=/MX_WIFI/, Realm=FR-MX-COM>
> The problem there is that we cannot change or select the domain
> controller to be used since there is no link between this handler
> and the one responsible for the LSA part.
>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 52
> Authentic:  <6><165><135>=Y<221>[2o<181>@<131>r&<146><0>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  EAP-Message = <2><1><0><25><1>FR-MX-COM\fruser
>  User-Name = "FR-MX-COM\fruser"
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <246><238><155><1><198><151><247>>c,<23>p<225>^<137><193>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 1, 25
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 52
> Authentic:  <6><165><135>=Y<221>[2o<181>@<131>r&<146><0>
> Attributes:
>  EAP-Message = <1><2><0><6><25>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 53
> Authentic:  <16><157><137><195>"<223>B@\<190><229>y[<200><194><190>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message =  
> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>CC<144>M_<1 
> 41>+dj<26>D6<18>{857'<179>D<223><133><213><254>II  
> 1<237>s<180><248><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0>< 
> 6><0><19><0><18><0>c<1><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <181>2<147><174>q<254>W<147>z<0>3<131><225><195><9><25>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 2, 80
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP TLS SSL_accept result: -1, 2,  
> 8576
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 53
> Authentic:  <16><157><137><195>"<223>B@\<190><229>y[<200><194><190>
> Attributes:
>  EAP-Message = (binary TLS ServerHello/Certificate fragments elided)
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 54
> Authentic:  '<146><140><160>c<254><208>Yt<208><4><30>k<7><20><255>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = <2><3><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <161><165>,<28><211><139><216><<23><18>h<144>X<245>`<204>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 54
> Authentic:  '<146><140><160>c<254><208>Yt<208><4><30>k<7><20><255>
> Attributes:
>  EAP-Message = (binary TLS CertificateRequest/ServerHelloDone fragment elided)
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 55
> Authentic:  E<160><201>1/<168><200><22><14><216><21><151>2_c<132>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = (binary TLS client Certificate/ClientKeyExchange/Finished fragments elided)
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <0>V<246>ub<141>Tc<144><178><251><238><137>K<16><237>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 4, 327
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 55
> Authentic:  E<160><201>1/<168><200><22><14><216><21><151>2_c<132>
> Attributes:
>  EAP-Message = <1><5><0>5<25><128><0><0><0> 
> +<20><3><1><0><1><1><22><3><1><0> <158>^o_|a<219><161>) 
> <231>W7r<244>]^<17><165><172>!<208>:.<250>rcKRQF<195>D
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 56
> Authentic:  P<12><174>g}3<212><20>5'<148><189>8Z<26><178>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = <2><5><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <198> 
> {<21>r<174>&9<8><160>b<205><194><184><218><229>t
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 5, 6
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 56
> Authentic:  P<12><174>g}3<212><20>5'<148><189>8Z<26><178>
> Attributes:
>  EAP-Message =  
> <1><6><0><28><25><0><23><3><1><0><17><16><31>*<21><183><214>J<244><153 
> ><239><17><190>\<153><16><237><233>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 57
> Authentic:  !<174><197><253>vk<146><242>K<191>}C}<132><239><192>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message = <2><6><0>0<25><0><23><3><1><0>% 
> <4>i<130>R<128><151><2><160><28>]3<10><221>fR<241><13>U<139><231> 
> (<247><224><24><129><144><222>O<141><206><9><192>\<251>wT<178>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> 7<243>5n<207><209>11k<226><143><207><209><7><138>d
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 6, 48
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP PEAP inner authentication  
> request for FR-MX-COM\fruser
> Wed Oct  5 10:35:24 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  q<218>9<193>d<224>x]<173>!<235><175><207><<206><
> Attributes:
>  EAP-Message = <2><6><0><21><1>FR-MX-COM\fruser
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  User-Name = "FR-MX-COM\fruser"
>  NAS-IP-Address = 172.21.20.202
>  NAS-Identifier = "Trapeze"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler ''
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for , 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthSQL:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 6, 21
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 1, EAP authentication  
> is not permitted.
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy SQL result: REJECT, EAP  
> authentication is not permitted.
> Wed Oct  5 10:35:24 2005: INFO: Access rejected for FR-MX-COM 
> \fruser: EAP authentication is not permitted.
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 3, EAP PEAP inner  
> authentication redespatched to a Handler
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:24 2005: DEBUG: Access challenged for fruser at FR-MX- 
> COM: EAP PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 57
> Authentic:  !<174><197><253>vk<146><242>K<191>}C}<132><239><192>
> Attributes:
>  EAP-Message =  
> <1><7><0>&<25><0><23><3><1><0><27>v<255><192><202><218><186><214><14>R 
> :J<231>y<246><171>n<140><197><7><252><226>#<18>=\<18><127>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 58
> Authentic:  m<224><249><160><6><153>9Yr<140><185><30>q<134>%<255>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "FR-MX-COM\fruser"
>  EAP-Message =  
> <2><7><0>&<25><0><23><3><1><0><27><179>&<198><202><144>% 
> <242>eR<151>QC<26><1><166><160>X<240><178>><25>o<18>Hd<146><197>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <174><31>Z<30><209>uGQ<148><149><141><204><150><250><255>K
>
> Wed Oct  5 10:35:24 2005: DEBUG: Rewrote user name to fruser at FR-MX-COM
> Wed Oct  5 10:35:24 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:24 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for FR-MX-COM\fruser, 172.21.20.202,
> Wed Oct  5 10:35:24 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:24 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='FR-MX-COM\fruser'':
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:24 2005: DEBUG: Handling with EAP: code 2, 7, 38
> Wed Oct  5 10:35:24 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:24 2005: DEBUG: EAP result: 1, PEAP Authentication  
> Failure
> Wed Oct  5 10:35:24 2005: DEBUG: AuthBy FILE result: REJECT, PEAP  
> Authentication Failure
> Wed Oct  5 10:35:24 2005: INFO: Access rejected for fruser at FR-MX- 
> COM: PEAP Authentication Failure
> Wed Oct  5 10:35:24 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Reject
> Identifier: 58
> Authentic:  m<224><249><160><6><153>9Yr<140><185><30>q<134>%<255>
> Attributes:
>  EAP-Message = <4><7><0><4>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  Reply-Message = "Request Denied"
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 59
> Authentic:   
> (<199><255><177><0><245><252><150>M<182>p<23>5<158><236><4>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  EAP-Message = <2><1><0><25><1>US-MX-COM\ususer
>  User-Name = "US-MX-COM\ususer"
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <19><223><167><146>j;<233><141>G`dJ~<19><166>F
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 1, 25
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 59
> Authentic:   
> (<199><255><177><0><245><252><150>M<182>p<23>5<158><236><4>
> Attributes:
>  EAP-Message = <1><2><0><6><25>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 60
> Authentic:  8<163><200><218>7<139>!<11>c<208><155><232><12><195>B<1>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message =  
> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>CC<144>ZV<2 
> 07><174>Oy<<216><3>% 
> 2<242><128><29><130>3<187><22>p<164><151><202><218>"? 
> <17><2><169><213><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0>< 
> 6><0><19><0><18><0>c<1><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <137><187><144><237>5<5>| 
> <160><195><182>wc<250> <20>s
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 2, 80
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP TLS SSL_accept result: -1, 2,  
> 8576
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 60
> Authentic:  8<163><200><218>7<139>!<11>c<208><155><232><12><195>B<1>
> Attributes:
>  EAP-Message = (binary TLS ServerHello/Certificate fragments elided)
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 61
> Authentic:  S%h<145>}<239><227><246>|<221>3<247>x<14><146>d
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message = <2><3><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <12>2<162><134>- 
> <159>c<19>e<225><6><204><193><145><131>~
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 61
> Authentic:  S%h<145>}<239><227><246>|<221>3<247>x<14><146>d
> Attributes:
>  EAP-Message =  
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 62
> Authentic:  (T<29><1>|l<215><166><20>p<149><231><25>Fe<148>
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message =  
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator =  
> <13><142><20><10><141><151>:<253><25><193><134><184><188>8<216><218>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 4, 327
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 62
> Authentic:  (T<29><1>|l<215><166><20>p<149><231><25>Fe<148>
> Attributes:
>  EAP-Message = <1><5><0>5<25><128><0><0><0> 
> +<20><3><1><0><1><1><22><3><1><0>  
> <221>@<194><187>Z<129>kF<254><129><220>#<190><xK<28><144>B:b<5><145>lz 
> <249><167><159><128>R{<235>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 63
> Authentic:  fS<221><w<133><170><197>7O<236><26><29><19><163>K
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message = <2><5><0><6><25><0>
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <24><190><144>| 
> <174><229><29><246><232><9><127><241><170>M<233><251>
>
> Wed Oct  5 10:35:37 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:37 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:37 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:37 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:37 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:37 2005: DEBUG: Handling with EAP: code 2, 5, 6
> Wed Oct  5 10:35:37 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:37 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP Challenge
> Wed Oct  5 10:35:37 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 63
> Authentic:  fS<221><w<133><170><197>7O<236><26><29><19><163>K
> Attributes:
>  EAP-Message =  
> <1><6><0><28><25><0><23><3><1><0><17><206><136><220>n<252><209>Ij<127> 
> <204><235><153><230><144><127><234>O
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 64
> Authentic:  7<245><244><210>p<189>i<163>M<231><212><160>b>xY
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message = <2><6><0>0<25><0><23><3><1><0>%<7> 
> \<230><194><208><136><174><150><240><214><140><6>/<146>! 
> <20><5><248>u<214><198><143><151><173>6<164> 
> $<174>II0<213><235><238><208>sC
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <0><149><254><30><218><7><184> 
> [<253>J<249><203>mRq%
>
> Wed Oct  5 10:35:38 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:38 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:38 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:38 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with EAP: code 2, 6, 48
> Wed Oct  5 10:35:38 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:38 2005: DEBUG: EAP PEAP inner authentication  
> request for US-MX-COM\ususer
> Wed Oct  5 10:35:38 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:   
> <0><171><222><212>A<162>W<182><131><188><149><198><173><20>h<182>
> Attributes:
>  EAP-Message = <2><6><0><21><1>US-MX-COM\ususer
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  User-Name = "US-MX-COM\ususer"
>  NAS-IP-Address = 172.21.20.202
>  NAS-Identifier = "Trapeze"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler ''
> Wed Oct  5 10:35:38 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for , 172.21.20.202,
> Wed Oct  5 10:35:38 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthSQL:
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with EAP: code 2, 6, 21
> Wed Oct  5 10:35:38 2005: DEBUG: Response type 1
> Wed Oct  5 10:35:38 2005: DEBUG: EAP result: 1, EAP authentication  
> is not permitted.
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy SQL result: REJECT, EAP  
> authentication is not permitted.
> Wed Oct  5 10:35:38 2005: INFO: Access rejected for US-MX-COM 
> \ususer: EAP authentication is not permitted.
> Wed Oct  5 10:35:38 2005: DEBUG: EAP result: 3, EAP PEAP inner  
> authentication redespatched to a Handler
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:38 2005: DEBUG: Access challenged for ususer at US-MX- 
> COM: EAP PEAP inner authentication redespatched to a Handler
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Challenge
> Identifier: 64
> Authentic:  7<245><244><210>p<189>i<163>M<231><212><160>b>xY
> Attributes:
>  EAP-Message =  
> <1><7><0>&<25><0><23><3><1><0><27><221><140><25>L<13><220><157><202><1 
> 82>A2, <153><7><1><137>J<133>?<0><0><188><251><0><249><243>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Received from 172.21.20.202 port 20005 ....
> Code:       Access-Request
> Identifier: 65
> Authentic:  ;H<160>T3<190><11><253>r@`<242>0<31>3C
> Attributes:
>  NAS-Port-Id = "1/1"
>  Calling-Station-Id = "00-04-23-6D-E4-78"
>  Called-Station-Id = "00-0B-0E-13-17-41:MX_WIFI"
>  Service-Type = Framed-User
>  User-Name = "US-MX-COM\ususer"
>  EAP-Message =  
> <2><7><0>&<25><0><23><3><1><0><27><152><128><171><30>z0<209><27><179>< 
> 138><27>A<166><228><231>uW<160>d<2>&<222>Y<171><11><198>}
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-Identifier = "Trapeze"
>  NAS-IP-Address = 172.21.20.202
>  Message-Authenticator = <245>B| 
> tG<28>.<198><27>w<241><192><142><237><202><241>
>
> Wed Oct  5 10:35:38 2005: DEBUG: Rewrote user name to ususer at US-MX-COM
> Wed Oct  5 10:35:38 2005: DEBUG: Handling request with Handler  
> 'Called-Station-Id=/MX_WIFI/ '
> Wed Oct  5 10:35:38 2005: DEBUG: GUEST_SESSION_DB Deleting session  
> for US-MX-COM\ususer, 172.21.20.202,
> Wed Oct  5 10:35:38 2005: DEBUG: do query is: 'delete from  
> ONLINEUSERS where ACCTSESSIONID='' and FRAMEDIPADDRESS='00-04-23-6D- 
> E4-78'':
> Wed Oct  5 10:35:38 2005: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from ONLINEUSERS where  
> LOGIN='US-MX-COM\ususer'':
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct  5 10:35:38 2005: DEBUG: Handling with EAP: code 2, 7, 38
> Wed Oct  5 10:35:38 2005: DEBUG: Response type 25
> Wed Oct  5 10:35:38 2005: DEBUG: EAP result: 1, PEAP Authentication  
> Failure
> Wed Oct  5 10:35:38 2005: DEBUG: AuthBy FILE result: REJECT, PEAP  
> Authentication Failure
> Wed Oct  5 10:35:38 2005: INFO: Access rejected for ususer at US-MX- 
> COM: PEAP Authentication Failure
> Wed Oct  5 10:35:38 2005: DEBUG: Packet dump:
> *** Sending to 172.21.20.202 port 20005 ....
> Code:       Access-Reject
> Identifier: 65
> Authentic:  ;H<160>T3<190><11><253>r@`<242>0<31>3C
> Attributes:
>  EAP-Message = <4><7><0><4>
>  Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  Reply-Message = "Request Denied"
>
>
> Regards,
>
> Stéphane
>
> De: Hugh Irvine [mailto:hugh at open.com.au]
> Date: mer. 05/10/2005 10:24
> À: DELORT Stephane
> Cc: radiator at open.com.au; ZOUAIN Fatek
> Objet : Re: (RADIATOR) PEAP/MSCHAP-V2 and realms
>
>
> Salut Stephane -
>
> Could you please send us a copy of the trace 4 debug showing what is
> happening?
>
> regards
>
> Hugh
>
>
> On 5 Oct 2005, at 11:08, DELORT Stephane wrote:
>
> > Hello all,
> >
> > My company has different agencies in different countries. Each
> > agency has its own Active Directory with its own domain.
> > So, we've got fr.murex.com for France and us.murex.com for the US.
> >
> > I would like to authenticate the users in their realms.
> >
> > In order to do this I did :
> >
> > **********************************************
> >
> > ...
> >
> > # Tried with and without
> > RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> >
> >
> > # FR corporate users
> >
> > <Handler TunnelledByPEAP=1, realm=FR-MX-COM>
> >     AuthByPolicy ContinueWhileAccept
> >     AuthBy CheckMacAddress
> >     AuthBy CheckCorporateUsersFR
> > </Handler>
> >
> > <AuthBy LSA>
> >     Identifier CheckCorporateUsersFR
> >
> >     Group wifi
> >     DomainController frdomaincontroller
> >     EAPType MSCHAP-V2
> > </AuthBy>
> >
> >
> > # US corporate users
> >
> > <Handler TunnelledByPEAP=1, realm=US-MX-COM >
> >     AuthByPolicy ContinueWhileAccept
> >     AuthBy CheckMacAddress
> >     AuthBy CheckCorporateUsersUS
> > </Handler>
> >
> > <AuthBy LSA>
> >     Identifier CheckCorporateUsersUS
> >     DomainController usdomaincontroller
> >     EAPType MSCHAP-V2
> >     AddToReply TRPZ-VLAN-Name = mx_corpo
> > </AuthBy>
> >
> >
> >
> > <Handler Called-Station-Id=/MX_WIFI/ >
> >     MaxSessions 1
> >     <AuthBy FILE>
> >         EAPAnonymous    %0
> >
> >         EAPType PEAP
> >         EAPTLS_CAFile %D/certificates/certifs_murex/mycert.crt
> >
> >         EAPTLS_CertificateFile %D/certificates/certifs_murex/mycert.crt
> >         EAPTLS_CertificateType PEM
> >
> >         EAPTLS_PrivateKeyFile %D/certificates/certifs_murex/mycert.key
> >         EAPTLS_PrivateKeyPassword murex
> >
> >         EAPTLS_MaxFragmentSize 1000
> >         AutoMPPEKeys
> >         SSLeayTrace 4
> >         EAPTLS_SessionResumptionLimit 120
> >         EAPTLS_PEAPVersion 0
> >
> >     </AuthBy>
> > </Handler>
> >
> >
> > *************************************************
> >
> > Still, this does not work.
> > Is there a means to accomplish what I want without having to
> > authenticate the users against the central domain controller?
> >
> > If I use the central domain controller (the 'father' of US-MX-COM
> > and FR-MX-COM), what happens when two users have the same login and
> > password?
> >
> >
> > Best regards,
> > Stéphane
> >
> >
>
>
>
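The trace above shows the tunnelled request, still carrying User-Name "US-MX-COM\ususer", landing in Handler '' and being rejected, while Hugh's suggestion matches that request on its User-Name prefix instead of on a Realm. The small model below, added here as an illustration and not Radiator's own code, reproduces that dispatch; it assumes a Realm check item compares against the text after the last '@' in User-Name (empty for a DOMAIN\user name), that a /.../ check value is a regex, and that TunnelledByPEAP is set only on the inner request.

```python
import re

# Toy model of Radiator Handler selection (assumption: first Handler whose
# check items all match wins; no match falls through to the default Handler '').

def realm_of(user_name):
    """Realm part of a User-Name: text after the last '@', '' if there is none."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else ""

def check_item_matches(name, wanted, request):
    """Evaluate one Handler check item against a request (dict of attributes)."""
    if name == "TunnelledByPEAP":
        return request.get("TunnelledByPEAP", 0) == int(wanted)
    if name == "Realm":
        actual = realm_of(request.get("User-Name", ""))
    else:
        actual = request.get(name)
    if actual is None:
        return False
    if wanted.startswith("/") and wanted.endswith("/"):
        return re.search(wanted[1:-1], str(actual)) is not None
    return str(actual) == wanted

def select_handler(handlers, request):
    """Return the label of the first matching Handler, or '' for the default one."""
    for label, checks in handlers:
        if all(check_item_matches(n, v, request) for n, v in checks.items()):
            return label
    return ""

# Inner (tunnelled) request as the trace shows it: the DOMAIN\user form is kept,
# because the RewriteUsername only applied to the outer request.
INNER_REQUEST = {"User-Name": r"US-MX-COM\ususer", "TunnelledByPEAP": 1}

# Outer request after the rewrite seen in the trace (constructed sample).
OUTER_REQUEST = {"User-Name": "ususer@US-MX-COM",
                 "Called-Station-Id": "00-0B-0E-13-17-41:MX_WIFI"}

OUTER_HANDLER = ("wifi-outer", {"Called-Station-Id": "/MX_WIFI/"})

# Original layout from the thread: match the tunnelled request on Realm.
REALM_HANDLERS = [
    ("FR-corporate", {"TunnelledByPEAP": "1", "Realm": "FR-MX-COM"}),
    ("US-corporate", {"TunnelledByPEAP": "1", "Realm": "US-MX-COM"}),
    OUTER_HANDLER,
]

# Hugh's layout: match the DOMAIN prefix of User-Name directly.
PREFIX_HANDLERS = [
    ("FR-corporate", {"TunnelledByPEAP": "1", "User-Name": "/^FR-MX-COM/"}),
    ("US-corporate", {"TunnelledByPEAP": "1", "User-Name": "/^US-MX-COM/"}),
    OUTER_HANDLER,
]

if __name__ == "__main__":
    print(select_handler(REALM_HANDLERS, INNER_REQUEST))   # '' (default Handler, as in the trace)
    print(select_handler(PREFIX_HANDLERS, INNER_REQUEST))  # US-corporate
    print(select_handler(PREFIX_HANDLERS, OUTER_REQUEST))  # wifi-outer
```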


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

