(RADIATOR) anonymous at myabc.com

Terry Simons galimore at mac.com
Sun Oct 8 23:41:35 CDT 2006


Hi Stuart,

You are seeing the Response Identity, which, in the case of some EAP  
types (TTLS and PEAP come to mind) is not required to be the same as  
the actual username.

When an 802.1X session is established, the first thing that happens  
is the creation of the TLS tunnel (in the case of 'secure' EAP types)  
and the real credentials are sent inside the TLS tunnel.

Before the tunnel can be established, the RADIUS server still needs a  
clue about the user authenticating... for instance, if RADIUS didn't  
know who was authenticating, it would not be able to proxy the  
authentication request to the appropriate server.  TTLS and PEAP both  
support "anonymous" outer identities.

The actual authentication success or failure is going to depend on  
the credentials in the inner identity.

Another way to think about it is that you have two "authentications"  
happening.  The first one hits the default handler (or a specific  
handler, if one matches the Request ID in some manner, such as the  
realm).  After the default handler, the request "authenticates again"  
and is processed by the more specific TunneledByPEAP=1 or  
TunneledByTTLS=1 handler... which does the actual credential match  
and success or failure response.

I don't think authentication failures are logged by default... you'll  
probably need to enable that if you want to see rejections in your  
AuthLog.

- Terry

On Oct 8, 2006, at 8:46 PM, Stuart Kendrick wrote:

> hi,
>
> what am i seeing here?  i'm used to seeing actual usernames in my  
> log files ... and i would like to think that i'm rejecting access  
> to users which don't hand me a username/password which is valid in  
> my Active Directory domain ... but perhaps not ... what's going on  
> with this 'anonymous at abc.com' user?  what is it in my config file  
> which is allowing constructs like 'anonymous at abc.com' to use my  
> wireless access points?
>
> --sk
>
> stuart kendrick
> fhcrc
>
> [...]
> Sun Oct  8 18:47:33 2006: wap: OK: fhcrc\skendric: fhcrc\skendric:  
> 10.11.12.16: j3-432-ap                : Access-Request: 000b. 
> 6c12.c7db: 0013.19d4.83b2
> Sun Oct  8 18:48:02 2006: wap: OK: FHCRC\bsmith: FHCRC\bsmith:  
> 10.11.11.19: a1-175-ap               : Access-Request:  
> 0040.9635.1606: 0013.19cf.e460
> Sun Oct  8 18:49:30 2006: wap: OK: FHCRC\sclark: FHCRC\sclark:  
> 10.11.58.16: d5-220-ap               : Access-Request:  
> 0013.ce54.f45f: 0013.19d4.74f0
> Sun Oct  8 18:49:55 2006: wap: OK: cyu4: cyu4: 10.11.119.16:  
> le4-033-ap               : Access-Request: 0013.cea3.6880:  
> 0012.4324.eae0
> Sun Oct  8 18:50:14 2006: wap: OK: anonymous: anonymous at myabc.com:  
> 10.11.15.18: a3-149-ap               : Access-Request:  
> 0013.0211.257a: 0013.19d4.7780
> Sun Oct  8 18:53:20 2006: wap: OK: skendric: skendric at fhcrc.org:  
> 10.11.117.15: le3-360-ap               : Access-Request:  
> 0018.739f.cee6: 0015.c629.3270
> [...]
>
>
>
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Received from 10.11.15.18 port 1645 ....
> Code:       Access-Request
> Identifier: 165
> Authentic:  [...]
> Attributes:
> 	User-Name = "anonymous at myabc.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.19d4.7780"
> 	Calling-Station-Id = "0013.0211.257a"
> 	Service-Type = Authenticate-Only
> 	Message-Authenticator = [...]
> 	EAP-Message = <2><1><0><24><1>anonymous at myabc.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 7087
> 	NAS-IP-Address = 10.11.15.18
> 	NAS-Identifier = "a3-149-ap               "
>
> Sun Oct  8 19:50:19 2006: DEBUG: Handling request with Handler ''
> Sun Oct  8 19:50:19 2006: DEBUG:  Deleting session for  
> anonymous at myabc.com, 10.11.15.18, 7087
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 1, 24
> Sun Oct  8 19:50:19 2006: DEBUG: Response type 1
> Sun Oct  8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Access challenged for  
> anonymous at myabc.com: EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Sending to 10.11.15.18 port 1645 ....
> Code:       Access-Challenge
> Identifier: 165
> Authentic:  [...]
> Attributes:
> 	EAP-Message = <1><2><0><6><25>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Received from 10.11.15.18 port 1645 ....
> Code:       Access-Request
> Identifier: 166
> Authentic:  [...]
> Attributes:
> 	User-Name = "anonymous at myabc.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.19d4.7780"
> 	Calling-Station-Id = "0013.0211.257a"
> 	Service-Type = Authenticate-Only
> 	Message-Authenticator = [...]
> 	EAP-Message = [...]
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 7087
> 	NAS-IP-Address = 10.11.15.18
> 	NAS-Identifier = "a3-149-ap               "
>
> Sun Oct  8 19:50:19 2006: DEBUG: Handling request with Handler ''
> Sun Oct  8 19:50:19 2006: DEBUG:  Deleting session for  
> anonymous at myabc.com, 10.11.15.18, 7087
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 2, 134
> Sun Oct  8 19:50:19 2006: DEBUG: Response type 25
> Sun Oct  8 19:50:19 2006: DEBUG: EAP TLS SSL_accept result: -1, 2,  
> 8576
> Sun Oct  8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Access challenged for  
> anonymous at myabc.com: EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Sending to 10.11.15.18 port 1645 ....
> Code:       Access-Challenge
> Identifier: 166
> Authentic:  <238><200><228><243><138><244><203>G<147>jeQ-,<205><175>
> Attributes:
> 	EAP-Message =  
> <1><3><4><10><25><192><0><0><6>Y<22><3><1><0>J<2><0><0>F<3><1>E) 
> <184><235>I<202><27>b<1><143><225><247>~<205><29>}?<176> n)! 
> <3><153>a,a `j<229>A  
> >B5t=<4><133><189><247><248>D<155>j<26><202>o<159>p<128><230>J<247>@v_ 
> g<182>- 
> <11>a4J<0>5<0><22><3><1><5><252><11><0><5><248><0><5><245><0><2><155>0 
> <130><2><151>0<130><2><0><160><3><2><1><2><2><1><1>0<13><6><9>*<134>H< 
> 134><247><13><1><1><4><5><0>0~1<11>0<9><6><3>U<4><6><19><2>US1<11>0<9> 
> <6><3>U<4><8><19><2>WA1<16>0<14><6><3>U<4><7><19><7>Seattle1<14>0<12>< 
> 6><3>U<4><10><19><5>FHCRC1<11>0<9><6><3>U<4><11><19><2>IT1<16>0<14><6> 
> <3>U<4><3><19><7>Marconi1! 
> 0<31><6><9>*<134>H<134><247><13><1><9><1><22><18>helpdesk
> 	EAP-Message =  
> @fhcrc.org0<30><23><13>050204233916Z<23><13>150202233916Z0<129><139>1< 
> 11>0<9><6><3>U<4><6><19><2>US1<11>0<9><6><3>U<4><8><19><2>WA1<16>0<14> 
> <6><3>U<4><7><19><7>Seattle1<18>0<16><6><3>U<4><10><19><9>fhcrc.org1<1 
> 1>0<9><6><3>U<4><11><19><2>IT1<25>0<23><6><3>U<4><3><19><16>daphne.fhc 
> rc.org1! 
> 0<31><6><9>*<134>H<134><247><13><1><9><1><22><18>helpdesk at fhcrc.org0<1 
> 29><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0 
> >0<129><137><2><129><129><0><220>BP<189><143><254>v<145><133><182><197 
> ><160>'<229>;<228>;o<12>SZ<252><232><147><183><192><9><131><219><30><1 
> 7><213><7>#LfB]<144><148>
> 	EAP-Message = &<225><177>#<161>I<135><167>?_<244> ,<31>&<225>/ 
> <156><159><148><252><213><236>F{fn  
> <177><208>h<151><252><227>h<247>5<129>d<155><19><181>9<236>~<217>3b<21 
> ><206>XI<180><233>?.) 
> 6R<198><160><226><138><235><177><237><17><218><137>d<213><245><192><13 
> 7>l=><204><215><247><173><138>d3% 
> <162><9>;<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>% 
> <4><12>0<10><6><8> 
> +<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>< 
> 3><129><129><0><128><231><186><156>H;<143><208>;<160><239><198>O<153>< 
> 165><217>"<164>6<140>y<216><221>Q<185><18><238>p- 
> <221><27><207><182>-<250>C<6>/~T 
> +<0>v<251><252><166><179><9><190>G<192>SHok<152><15><208>1  
> \<240>Y<148><21>G<148><222>~<10><19><4><229>^<165><178>4 
> +<144>l<169>sx*"a<187><241><196>E<149><246><245><152>A<27><171><170><2 
> 47><152><8><163>B<169><217><164><1>_z<135><22><247><248><184>e<235>
> 	EAP-Message = de<150><144>Y<245><254>8<5><251><21>! 
> <0><3>T0<130><3>P0<130><2><185><160><3><2><1><2><2><1><0>0<13><6><9>*< 
> 134>H<134><247><13><1><1><4><5><0>0~1<11>0<9><6><3>U<4><6><19><2>US1<1 
> 1>0<9><6><3>U<4><8><19><2>WA1<16>0<14><6><3>U<4><7><19><7>Seattle1<14> 
> 0<12><6><3>U<4><10><19><5>FHCRC1<11>0<9><6><3>U<4><11><19><2>IT1<16>0< 
> 14><6><3>U<4><3><19><7>Marconi1! 
> 0<31><6><9>*<134>H<134><247><13><1><9><1><22><18>helpdesk at fhcrc.org0<3 
> 0><23><13>050204233752Z<23><13>150202233752Z0~1<11>0<9><6><3>U<4><6><1 
> 9><2>US1<11>0<9><6><3>U<4><8><19><2>WA1<16>0<14><6><3>U<4><7><19><7>Se 
> attle1
> 	EAP-Message = <14>0<12><6><3>U<4><10><19><5>FHCRC1<11>0<9><6><3>U
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Received from 10.11.15.18 port 1645 ....
> Code:       Access-Request
> Identifier: 167
> Authentic:  [...]
> Attributes:
> 	User-Name = "anonymous at myabc.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.19d4.7780"
> 	Calling-Station-Id = "0013.0211.257a"
> 	Service-Type = Authenticate-Only
> 	Message-Authenticator = [...]
> 	EAP-Message = <2><3><0><6><25><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 7087
> 	NAS-IP-Address = 10.11.15.18
> 	NAS-Identifier = "a3-149-ap               "
>
> Sun Oct  8 19:50:19 2006: DEBUG: Handling request with Handler ''
> Sun Oct  8 19:50:19 2006: DEBUG:  Deleting session for  
> anonymous at myabc.com, 10.11.15.18, 7087
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 3, 6
> Sun Oct  8 19:50:19 2006: DEBUG: Response type 25
> Sun Oct  8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Access challenged for  
> anonymous at myabc.com: EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Sending to 10.11.15.18 port 1645 ....
> Code:       Access-Challenge
> Identifier: 167
> Authentic:  <228><24>~<30>bQ<202><190>O<223>j<163><240>y<217>7
> Attributes:
> 	EAP-Message =  
> <1><4><2>_<25><0><4><11><19><2>IT1<16>0<14><6><3>U<4><3><19><7>Marconi 
> 1! 
> 0<31><6><9>*<134>H<134><247><13><1><9><1><22><18>helpdesk at fhcrc.org0<1 
> 29><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0 
> >0<129><137><2><129><129><0><217><134><221><199><27><178><241><231><19 
> 3><30><196>V<136><246>#<155><227><217> 
> [<132><253><228><250><231><224>E<173><227><249>&<9>2<255><243><189><13 
> 7>de<13><188>E<5><135><248><169><165><214>4<191><23>A<129>V<147>H<230> 
> <209>><192>d<154><230>Q<190>5<145><133><234>} 
> <156>N<215><161><201><252><21><182><185><217><16><184>u<253>C<155><225 
> >F<175>B[<231><161>2pw<166><24><229>O<231>  
> <233><18><130><159>g<189>x<16><5><12><194>'<19><163>"<127><202>2<205>< 
> 173>{<141><247>- 
> <133><132><231><2><3><1><0><1><163><129><221>0<129><218>0<29><6><3>U<2 
> 9><14><4><22><4><20>H<202>R<175><191>!<239><17><131>
> 	EAP-Message = dt<221>B<21><158>@~o% 
> _0<129><170><6><3>U<29>#<4><129><162>0<129><159><128><20>H<202>R<175>< 
> 191>!<239><17><131>dt<221>B<21><158>@~o% 
> _<161><129><131><164><129><128>0~1<11>0<9><6><3>U<4><6><19><2>US1<11>0 
> <9><6><3>U<4><8><19><2>WA1<16>0<14><6><3>U<4><7><19><7>Seattle1<14>0<1 
> 2><6><3>U<4><10><19><5>FHCRC1<11>0<9><6><3>U<4><11><19><2>IT1<16>0<14> 
> <6><3>U<4><3><19><7>Marconi1! 
> 0<31><6><9>*<134>H<134><247><13><1><9><1><22><18>helpdesk at fhcrc.org<13 
> 0><1><0>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<13 
> 4><247><13><1><1><4><5><0><3><129><129><0> 
> {<255><19><161><204><176>W<171>n<253><133><147><196><230><240>.<173><2 
> 44>'&<235><186>}@.<143><229><157><203><201>`<14>!<23>w<153>
> 	EAP-Message =  
> $<175><254>e<152>53<250><154><6><14><209><215><13><30><252><235><164>< 
> 19>@/<175>&<173>L[<25><28><232><201><156>- 
> f<255><31><175><237><131><29><203><216><187><160><172>I<226><20><141>< 
> 28>? 
> <160>3<214><248><137><131>z<213>&<194><217><156>L<198>Kr|'<212><164>Z< 
> 247><231>6<242>t{<229>?<196><190>>D<190><245>c<132><8>! 
> <220><210><128><22><3><1><0><4><14><0><0><0>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Received from 10.11.15.18 port 1645 ....
> Code:       Access-Request
> Identifier: 168
> Authentic:  [...]
> Attributes:
> 	User-Name = "anonymous at myabc.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.19d4.7780"
> 	Calling-Station-Id = "0013.0211.257a"
> 	Service-Type = Authenticate-Only
> 	Message-Authenticator = [...]
> 	EAP-Message = [...]
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 7087
> 	NAS-IP-Address = 10.11.15.18
> 	NAS-Identifier = "a3-149-ap               "
>
> Sun Oct  8 19:50:19 2006: DEBUG: Handling request with Handler ''
> Sun Oct  8 19:50:19 2006: DEBUG:  Deleting session for  
> anonymous at myabc.com, 10.11.15.18, 7087
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 4, 204
> Sun Oct  8 19:50:19 2006: DEBUG: Response type 25
> Sun Oct  8 19:50:19 2006: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Sun Oct  8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Access challenged for  
> anonymous at myabc.com: EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Sending to 10.11.15.18 port 1645 ....
> Code:       Access-Challenge
> Identifier: 168
> Authentic:   
> <189><3><20>w<160><184><247><163><174><242><245><197>R<7>+<3>
> Attributes:
> 	EAP-Message = [...]
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Received from 10.11.15.18 port 1645 ....
> Code:       Access-Request
> Identifier: 169
> Authentic:  [...]
> Attributes:
> 	User-Name = "anonymous at myabc.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.19d4.7780"
> 	Calling-Station-Id = "0013.0211.257a"
> 	Service-Type = Authenticate-Only
> 	Message-Authenticator = [...]
> 	EAP-Message = <2><5><0><6><25><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 7087
> 	NAS-IP-Address = 10.11.15.18
> 	NAS-Identifier = "a3-149-ap               "
>
> Sun Oct  8 19:50:19 2006: DEBUG: Handling request with Handler ''
> Sun Oct  8 19:50:19 2006: DEBUG:  Deleting session for  
> anonymous at myabc.com, 10.11.15.18, 7087
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
> Sun Oct  8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 5, 6
> Sun Oct  8 19:50:19 2006: DEBUG: Response type 25
> Sun Oct  8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Access challenged for  
> anonymous at myabc.com: EAP PEAP Challenge
> Sun Oct  8 19:50:19 2006: DEBUG: Packet dump:
> *** Sending to 10.11.15.18 port 1645 ....
> Code:       Access-Challenge
> Identifier: 169
> Authentic:  [...]
> Attributes:
> 	EAP-Message = [...]
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

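To see concretely why the AuthLog shows anonymous at myabc.com, the EAP-Message bytes quoted in the packet dumps above can be decoded by hand. What follows is an added example written for this page; it is not Radiator code and not anything the posters supplied. It assumes two things the thread does not state: that Radiator's DEBUG dump prints a printable ASCII byte as itself and every other byte as <decimal> (so a PEAP flags byte of 0x20, the Start flag, appears as a bare space and is easy to lose), and that the archive's " at " stands for the original "@". The sample inputs are copied from the dumps above with the long TLS payloads cut short. The first message is the EAP Identity response (type 1) carrying "anonymous@myabc.com"; that string is all the server, the outer Handler and the AuthLog have to work with, while the type 25 fragments that follow are the TLS tunnel inside which the inner identity and credentials travel.

```python
"""Decode EAP-Message attributes as rendered in Radiator DEBUG packet dumps.

Added example for the thread above; not Radiator code and not the posters'.
Assumptions: Radiator renders a byte as its ASCII character when printable
(0x20-0x7E) and as <decimal> otherwise; the archive rewrote '@' as ' at ',
the samples below use the original '@'. Layout follows RFC 3748 (EAP header,
Identity type 1) and the PEAP type-25 flags byte: L=0x80 TLS length present,
M=0x40 more fragments, S=0x20 start, low 3 bits = PEAP version.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAP-V2"}

# Either a <decimal> token or one literal printable character.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def dump_to_bytes(rendered: str) -> bytes:
    """'<2><1><0><24><1>anonymous@myabc.com' -> the attribute's raw bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(rendered):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


@dataclass
class EapMessage:
    code: str
    identifier: int
    declared_length: int
    eap_type: Optional[str] = None
    identity: Optional[str] = None      # outer identity (Identity response only)
    realm: Optional[str] = None         # what a Realm/Handler clause matches on
    peap_flags: Optional[dict] = None
    tls_total_length: Optional[int] = None
    notes: list = field(default_factory=list)


def decode_eap(rendered: str) -> EapMessage:
    raw = dump_to_bytes(rendered)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    msg = EapMessage(EAP_CODES.get(code, f"code {code}"), ident, length)
    if len(raw) != length:
        msg.notes.append(f"header says {length} bytes, dump shows {len(raw)}")
    if code not in (1, 2) or len(raw) < 5:
        return msg                      # Success/Failure carry no type byte
    t = raw[4]
    msg.eap_type = EAP_TYPES.get(t, f"type {t}")
    payload = raw[5:]
    if t == 1 and code == 2:
        # The only name the RADIUS server sees before the TLS tunnel exists;
        # the NAS copies it into User-Name, and the AuthLog records it.
        msg.identity = payload.decode("ascii", "replace")
        if "@" in msg.identity:
            msg.realm = msg.identity.rsplit("@", 1)[1]
    elif t == 25:
        if not payload:
            msg.notes.append("flags byte missing: 0x20 (Start) renders as a space")
        else:
            f = payload[0]
            msg.peap_flags = {"L": (f >> 7) & 1, "M": (f >> 6) & 1,
                              "S": (f >> 5) & 1, "version": f & 0x07}
            if (f & 0x80) and len(payload) >= 5:
                msg.tls_total_length = int.from_bytes(payload[1:5], "big")
            if (f & 0xE0) == 0 and len(payload) == 1 and len(raw) == length:
                msg.notes.append("empty PEAP fragment (ACK)")
    return msg


# Constructed from the packet dumps quoted above (TLS payloads cut short).
DUMP_MESSAGES = [
    "<2><1><0><24><1>anonymous@myabc.com",  # Identity response
    "<1><2><0><6><25> ",                    # PEAP Start; the space is the flags byte
    "<1><3><4><10><25><192><0><0><6>Y",     # first server fragment, L+M set
    "<2><3><0><6><25><0>",                  # client ACK
    "<1><4><2>_<25><0>",                    # last fragment, no flags
]


def summarize(rendered: str) -> str:
    m = decode_eap(rendered)
    parts = [f"{m.code} id={m.identifier} len={m.declared_length}"]
    if m.eap_type:
        parts.append(m.eap_type)
    if m.identity:
        parts.append(f"identity={m.identity!r} realm={m.realm!r}")
    if m.peap_flags:
        flags = "".join(k for k in "LMS" if m.peap_flags[k]) or "-"
        parts.append(f"flags={flags}")
    if m.tls_total_length is not None:
        parts.append(f"tls_len={m.tls_total_length}")
    parts.extend(m.notes)
    return " | ".join(parts)


if __name__ == "__main__":
    for line in DUMP_MESSAGES:
        print(summarize(line))
```

Run stand-alone it walks the five messages in order: the Identity response with its realm (the part a Realm or Handler clause would key on), the PEAP Start request, the first server fragment announcing a 1625-byte TLS message, the client's empty ACK, and the final unflagged fragment. Nothing in the outer exchange names the real user; that only appears after the SSL_accept result turns positive in the dump, inside the tunnel, which is why the inner identity has to be checked in the TunneledByPEAP handler.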