(RADIATOR) AuthBy LSA / Domain keyword
Stuart Kendrick
skendric at fhcrc.org
Tue Oct 3 20:44:56 CDT 2006
hi,

i'd like to better understand the 'Domain xyz' keyword, in an AuthBy LSA
stanza ... specifically, i'm wanting to take advantage of my multiple
domain controllers, and i'm concerned that i'm not doing that currently

i'm running Radiator-3.15 w/patches on a Windows Server 2003 machine,
authenticating against an Active Directory sitting on top of more
Windows 2003 machines

here's what my wireless stanzas look like currently. notice the use of
'DomainController dc1'. i'm concerned that if 'dc1' goes down, that
Radiator won't use 'dc2' and 'dc3' for authentication
CURRENT RADIUS.CFG
[...]
<Handler TunnelledByPEAP=1>
    # Authenticate with Windows LSA
    <AuthBy LSA>
        DomainController dc1
        EAPType MSCHAP-V2
    </AuthBy>
    AcctLogFileName %L/detail
</Handler>

<Handler TunnelledByTTLS=1>
    # Authenticate with Windows LSA
    <AuthBy LSA>
        DomainController dc1
    </AuthBy>
    AcctLogFileName %L/detail
    AuthLog wap-authlog
</Handler>

<Handler Realm=fhcrc.org>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject
        <AuthBy FILE>
            RewriteUsername s/^([^@]+).*/$1/
            Filename C:/[...]/users
        </AuthBy>
        <AuthBy LSA>
            RewriteUsername s/^([^@]+).*/$1/
            DomainController dc1
            EAPType LEAP
        </AuthBy>
    </AuthBy>
    AcctLogFileName %L/detail
    AuthLog wap-authlog
</Handler>

<Handler>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        <AuthBy FILE>
            Filename C:/[...]/users
            EAPType PEAP,TTLS
            EAPTLS_PEAPVersion 0
            EAPTLS_CAFile C:/[...]/cacert.pem
            EAPTLS_CertificateFile C:/[...]/doozle.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
            EAPTLS_PrivateKeyPassword secret
            EAPTLS_MaxFragmentSize 1024
            AutoMPPEKeys
            SSLeayTrace 4
        </AuthBy>
    </AuthBy>
    AcctLogFileName %L/detail
    AuthLog wap-authlog
</Handler>
and here's what my users file looks like:
mikem   User-Password=secret
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP
here's what a typical authentication session looks like with debugging
cranked up. this is a Cisco wireless phone employing LEAP, powering up,
authenticating, and then powering down.
Tue Oct 3 18:03:07 2006: DEBUG: Finished reading configuration file
'C:\[...]\radius.cfg'
Tue Oct 3 18:03:07 2006: DEBUG: Reading dictionary file
'C:/[...]/dictionary'
Tue Oct 3 18:03:07 2006: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Oct 3 18:03:07 2006: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Oct 3 18:03:07 2006: NOTICE: Server started: Radiator 3.15 on Doozle
Tue Oct 3 18:03:08 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 44
Authentic: <163><251>jJ%<241><131><181>}<209>i<2><192><242><175>w
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 273
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 273
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
Tue Oct 3 18:03:24 2006: DEBUG: Response type 1
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP authentication is
not permitted.
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
Tue Oct 3 18:03:24 2006: DEBUG: Response type 1
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
LEAP Challenge
Tue Oct 3 18:03:24 2006: DEBUG: Access challenged for
skendric at fhcrc.org: EAP LEAP Challenge
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Challenge
Identifier: 44
Authentic: [...]
Attributes:
EAP-Message = [...]skendric at fhcrc.org
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 45
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = [...]skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 273
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 273
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
Tue Oct 3 18:03:24 2006: DEBUG: Response type 17
Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
Tue Oct 3 18:03:24 2006: DEBUG: Reading users file C:/Program
Files/Radiator/users
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match with
skendric [skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such user:
skendric [skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no such
user skendric
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
Tue Oct 3 18:03:24 2006: DEBUG: Response type 17
Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match with
skendric [skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
[skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0,
Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Oct 3 18:03:24 2006: DEBUG: Access accepted for skendric at fhcrc.org
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Accept
Identifier: 45
Authentic: #<197><205><130>{`<31><23>"X<191>s<173>,e5
Attributes:
EAP-Message = <3><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 46
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = <1><2><0> <17><1><0><8><131><13>,,<196>L2Uskendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 273
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 273
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
Tue Oct 3 18:03:24 2006: DEBUG: EAP Request 17
Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match with
skendric [skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such user:
skendric [skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no such
user skendric
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
Tue Oct 3 18:03:24 2006: DEBUG: EAP Request 17
Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match with
skendric [skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
[skendric at fhcrc.org]
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT, EAP LEAP
Accept
Tue Oct 3 18:03:24 2006: DEBUG: Access accepted for skendric at fhcrc.org
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Accept
Identifier: 46
Authentic: [...]
Attributes:
EAP-Message = [...]ILsskendric at fhcrc.org
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
cisco-avpair = "leap:session-key=[...]"
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1646 ....
Code: Accounting-Request
Identifier: 18
Authentic: f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
Attributes:
Acct-Session-Id = "00000019"
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
cisco-avpair = "ssid=Marconi"
cisco-avpair = "nas-location=unspecified"
User-Name = "skendric at fhcrc.org"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-IEEE-802-11
Cisco-NAS-Port = "273"
NAS-Port = 273
Service-Type = Framed-User
NAS-IP-Address = 10.10.31.3
Acct-Delay-Time = 0
Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:03:24 2006: DEBUG: Adding session for skendric at fhcrc.org,
10.10.31.3, 273
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Oct 3 18:03:24 2006: DEBUG: Accounting accepted
Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1646 ....
Code: Accounting-Response
Identifier: 18
Authentic: f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
Attributes:
Tue Oct 3 18:03:39 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1646 ....
Code: Accounting-Request
Identifier: 19
Authentic: <11><207><255><176><213><246>|<14>G2<229>(<6><198><218><191>
Attributes:
Acct-Session-Id = "00000019"
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
cisco-avpair = "ssid=Marconi"
cisco-avpair = "nas-location=unspecified"
cisco-avpair = "vlan-id=0"
cisco-avpair = "auth-algo-type=eap-leap"
User-Name = "skendric at fhcrc.org"
Acct-Authentic = RADIUS
cisco-avpair = "connect-progress=Call Up"
Acct-Session-Time = 15
Acct-Input-Octets = 7936
Acct-Output-Octets = 16962
Acct-Input-Packets = 98
Acct-Output-Packets = 92
Acct-Terminate-Cause = Lost-Carrier
cisco-avpair = "disc-cause-ext=No Reason"
Acct-Status-Type = Stop
NAS-Port-Type = Wireless-IEEE-802-11
Cisco-NAS-Port = "273"
NAS-Port = 273
Service-Type = Framed-User
NAS-IP-Address = 10.10.31.3
Acct-Delay-Time = 0
Tue Oct 3 18:03:39 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:03:39 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 273
Tue Oct 3 18:03:39 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:03:39 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:03:39 2006: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Oct 3 18:03:39 2006: DEBUG: Accounting accepted
Tue Oct 3 18:03:39 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1646 ....
Code: Accounting-Response
Identifier: 19
Authentic: [...]
Attributes:
ok, so far so good. now, i figure, let's use the 'Domain' keyword
instead of the 'DomainController' keyword ... i'm guessing that if i use
the 'Domain' keyword, that AuthBy LSA will rely on the local machine's
ability to locate domain controllers
PROPOSED CONFIG FILE
[...]
<Handler TunnelledByPEAP=1>
    # Authenticate with Windows LSA
    <AuthBy LSA>
        Domain fhcrc.org
        EAPType MSCHAP-V2
    </AuthBy>
    AcctLogFileName %L/detail
</Handler>

<Handler TunnelledByTTLS=1>
    # Authenticate with Windows LSA
    <AuthBy LSA>
        Domain fhcrc.org
    </AuthBy>
    AcctLogFileName %L/detail
    AuthLog wap-authlog
</Handler>

<Handler Realm=fhcrc.org>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject
        <AuthBy FILE>
            RewriteUsername s/^([^@]+).*/$1/
            Filename C:/[...]/users
        </AuthBy>
        <AuthBy LSA>
            RewriteUsername s/^([^@]+).*/$1/
            Domain fhcrc.org
            EAPType LEAP
        </AuthBy>
    </AuthBy>
    AcctLogFileName %L/detail
    AuthLog wap-authlog
</Handler>

<Handler>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        <AuthBy FILE>
            Filename C:/[...]/users
            EAPType PEAP,TTLS
            EAPTLS_PEAPVersion 0
            EAPTLS_CAFile C:/[...]/cacert.pem
            EAPTLS_CertificateFile C:/[...]/doozle.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
            EAPTLS_PrivateKeyPassword secret
            EAPTLS_MaxFragmentSize 1024
            AutoMPPEKeys
            SSLeayTrace 4
        </AuthBy>
    </AuthBy>
    AcctLogFileName %L/detail
    AuthLog wap-authlog
</Handler>
all i did was replace 'DomainController dc1' with 'Domain fhcrc.org'
now, many of my wireless devices continue to authenticate just fine ...
but not the Cisco phone:
Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 47
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 274
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:04:28 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 274
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
Tue Oct 3 18:04:28 2006: DEBUG: Response type 1
Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP authentication is
not permitted.
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
Tue Oct 3 18:04:28 2006: DEBUG: Response type 1
Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
LEAP Challenge
Tue Oct 3 18:04:28 2006: DEBUG: Access challenged for
skendric at fhcrc.org: EAP LEAP Challenge
Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Challenge
Identifier: 47
Authentic: [...]
Attributes:
EAP-Message = [...]skendric at fhcrc.org
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 48
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = [...]skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 274
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:04:28 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 274
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
Tue Oct 3 18:04:28 2006: DEBUG: Response type 17
Tue Oct 3 18:04:28 2006: DEBUG: Rewrote identity to skendric
Tue Oct 3 18:04:28 2006: DEBUG: Reading users file C:/[...]/users
Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthFILE looks for match with
skendric [skendric at fhcrc.org]
Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthFILE REJECT: No such user:
skendric [skendric at fhcrc.org]
Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP LEAP failed: no such
user skendric
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
Tue Oct 3 18:04:28 2006: DEBUG: Response type 17
Tue Oct 3 18:04:28 2006: DEBUG: Rewrote identity to skendric
Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthLSA looks for match with
skendric [skendric at fhcrc.org]
Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
[skendric at fhcrc.org]
Tue Oct 3 18:04:28 2006: WARNING: Could not LogonUserNetworkMSCHAP:
Logon failure: unknown user name or bad password.
Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: REJECT, Bad LEAP
Password
Tue Oct 3 18:04:28 2006: INFO: Access rejected for skendric at fhcrc.org:
Bad LEAP Password
Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Reject
Identifier: 48
Authentic: [...]
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
for grins, i tried using 'Domain FHCRC' (the NetBIOS name of my Active
Directory domain) ... and now i see PEAP messages, instead of LEAP
messages, in the debug output ... i don't understand that ...
authentication continues to fail
Tue Oct 3 18:28:39 2006: DEBUG: Finished reading configuration file
'C:\[...]\radius.cfg'
Tue Oct 3 18:28:39 2006: DEBUG: Reading dictionary file
'C:/[...]/dictionary'
Tue Oct 3 18:28:39 2006: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Oct 3 18:28:39 2006: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Oct 3 18:28:39 2006: NOTICE: Server started: Radiator 3.15 on Daphne
Tue Oct 3 18:28:40 2006: DEBUG: Packet dump:
Tue Oct 3 18:28:54 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 50
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = <2><3><0><21><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 276
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:28:54 2006: DEBUG: Handling request with Handler ''
Tue Oct 3 18:28:54 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 276
Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:28:54 2006: DEBUG: Handling with EAP: code 2, 3, 21
Tue Oct 3 18:28:54 2006: DEBUG: Response type 1
Tue Oct 3 18:28:54 2006: DEBUG: Resuming session for
Radius::Context=HASH(0x1c77694)
Tue Oct 3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Oct 3 18:28:54 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
PEAP Challenge
Tue Oct 3 18:28:54 2006: DEBUG: Access challenged for
skendric at fhcrc.org: EAP PEAP Challenge
Tue Oct 3 18:28:54 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Challenge
Identifier: 50
Authentic: [...]
Attributes:
EAP-Message = <1><4><0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Oct 3 18:28:56 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 51
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = <2><5><0><21><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 276
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:28:56 2006: DEBUG: Handling request with Handler ''
Tue Oct 3 18:28:56 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 276
Tue Oct 3 18:28:56 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:28:56 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:28:56 2006: DEBUG: Handling with EAP: code 2, 5, 21
Tue Oct 3 18:28:56 2006: DEBUG: Response type 1
Tue Oct 3 18:28:56 2006: DEBUG: Resuming session for
Radius::Context=HASH(0x1c77694)
Tue Oct 3 18:28:56 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Oct 3 18:28:56 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
PEAP Challenge
Tue Oct 3 18:28:56 2006: DEBUG: Access challenged for
skendric at fhcrc.org: EAP PEAP Challenge
Tue Oct 3 18:28:56 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Challenge
Identifier: 51
Authentic: [...]
Attributes:
EAP-Message = <1><6><0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Oct 3 18:28:58 2006: DEBUG: Packet dump:
*** Received from 10.10.31.3 port 1645 ....
Code: Access-Request
Identifier: 52
Authentic: [...]
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = [...]
EAP-Message = <2><7><0><21><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 276
NAS-IP-Address = 10.10.31.3
NAS-Identifier = "skendric-ap "
Tue Oct 3 18:28:58 2006: DEBUG: Handling request with Handler ''
Tue Oct 3 18:28:58 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.10.31.3, 276
Tue Oct 3 18:28:58 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 3 18:28:58 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:28:58 2006: DEBUG: Handling with EAP: code 2, 7, 21
Tue Oct 3 18:28:58 2006: DEBUG: Response type 1
Tue Oct 3 18:28:58 2006: DEBUG: Resuming session for
Radius::Context=HASH(0x1c77694)
Tue Oct 3 18:28:58 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Oct 3 18:28:58 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
PEAP Challenge
Tue Oct 3 18:28:58 2006: DEBUG: Access challenged for
skendric at fhcrc.org: EAP PEAP Challenge
Tue Oct 3 18:28:58 2006: DEBUG: Packet dump:
*** Sending to 10.10.31.3 port 1645 ....
Code: Access-Challenge
Identifier: 52
Authentic: [...]
Attributes:
EAP-Message = <1><8><0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
OK, so ...
-am i on the right track? will the 'DomainController dc1' keyword limit
Radiator to employing the single domain controller, dc1, as the
authentication source?
-why does the 'Domain' keyword break authentication for LEAP clients?
-why does the NetBIOS name for my Active Directory domain give different
results than the DNS name, wrt LEAP clients? [well, i suppose the
*result* is the same ... but the shift from LEAP to PEAP in the debug
output seems odd to me]
input appreciated,
--sk
stuart kendrick
fhcrc
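
Added example (not part of the original post, and not Radiator code): a small Python triage script that re-joins the mail-wrapped trace lines and reduces each handled request to the handler chosen, the AuthBy modules tried, the EAP results and any warning, so the three traces above can be compared side by side. The sample lines are copied from those traces; the function names and the "(no check items)" label for the empty handler name are assumptions of this example.

```python
import re

# Sample built from key lines of the three traces in the post, still mail-wrapped.
SAMPLE = """\
Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no such
user skendric
Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT, EAP LEAP
Accept
Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP LEAP failed: no such
user skendric
Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct 3 18:04:28 2006: WARNING: Could not LogonUserNetworkMSCHAP:
Logon failure: unknown user name or bad password.
Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: REJECT, Bad LEAP
Password
Tue Oct 3 18:28:54 2006: DEBUG: Handling request with Handler ''
Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct 3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Oct 3 18:28:54 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
PEAP Challenge
"""

REC = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: (\w+): (.*)$")

def join_records(text):
    """Lines without a timestamp (mail wrapping, packet dumps) continue the previous record."""
    records = []
    for line in text.splitlines():
        m = REC.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def summarise(text):
    """Per handled request: handler name, AuthBy modules tried, EAP results, verdict, warnings."""
    requests = []
    for level, msg in join_records(text):
        m = re.match(r"Handling request with Handler '(.*)'", msg)
        if m:
            # An empty name is assumed to be the bare <Handler> stanza (no check items).
            requests.append({"handler": m.group(1) or "(no check items)",
                             "modules": [], "eap": [], "verdict": None, "warnings": []})
        elif not requests:
            continue
        elif level == "WARNING":
            requests[-1]["warnings"].append(msg)
        elif m := re.match(r"Handling with Radius::(\w+):", msg):
            requests[-1]["modules"].append(m.group(1))
        elif m := re.match(r"EAP result: (\d+), ?(.*)", msg):
            module = requests[-1]["modules"][-1] if requests[-1]["modules"] else None
            requests[-1]["eap"].append((module, int(m.group(1)), m.group(2)))
        elif m := re.match(r"AuthBy GROUP result: (\w+)", msg):
            requests[-1]["verdict"] = m.group(1)
    return requests

if __name__ == "__main__":
    for r in summarise(SAMPLE):
        print(r["handler"], r["verdict"], r["eap"], r["warnings"])
```

On the sample, the 'Domain fhcrc.org' run differs from the working run only at the LogonUserNetworkMSCHAP warning inside AuthLSA, while the 'Domain FHCRC' run is logged against Handler '' rather than 'Realm=fhcrc.org', which is where the PEAP challenge comes from.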