(RADIATOR) anonymous at myabc.com
Stuart Kendrick
skendric at fhcrc.org
Mon Oct 9 10:25:07 CDT 2006
hi terry,
*i see ... so this is why i have a realm-less Handler ... to catch
random outer authentication strings like 'anonymous at myabc.com' and
authenticate the outer part ... that must be where the shared secret +
certificate which we install on clients comes into play
and then, assuming the outer part survives the 'realm-less' Handler,
then the inner part heads off to one of three Handlers ... one for LEAP,
one for PEAP, and another for 'TunnelledByTTLS'
thank you for the explanation
*i do see authentication failures as well as successes in my logs. i'm
running at trace level 2, perhaps that is why
so, in fact, i don't at all care what username/realm is used for the
'outer' authentication ... anonymous at myabc.com is as good as anything.
what really matters is whether or not the inner credentials pass my
checks ... and presumably they do, as my logs show 'OK'
thank you for the detail
--sk
Terry Simons wrote:
> Hi Stuart,
>
> You are seeing the Response Identity, which, in the case of some EAP
> types (TTLS and PEAP come to mind) is not required to be the same as the
> actual username.
>
> When an 802.1X session is established, the first thing that happens is
> the creation of the TLS tunnel (in the case of 'secure' EAP types) and
> the real credentials are sent inside the TLS tunnel.
>
> Before the tunnel can be established, the RADIUS server still needs a
> clue about the user authenticating... for instance, if RADIUS didn't
> know who was authenticating, it would not be able to proxy the
> authentication request to the appropriate server. TTLS and PEAP both
> support "anonymous" outer identities.
>
> The actual authentication success or failure is going to depend on the
> credentials in the inner identity.
>
> Another way to think about it is that you have two "authentications"
> happening. The first one hits the default handler (or a specific
> handler, if one matches the Request ID in some manner, such as the
> realm). After the default handler, the request "authenticates again"
> and is processed by the more specific TunneledByPEAP=1 or
> TunneledByTTLS=1 handler... which does the actual credential match and
> success or failure response.
>
> I don't think authentication failures are logged by default... you'll
> probably need to enable that if you want to see rejections in your
> AuthLog.
>
> - Terry
>
> On Oct 8, 2006, at 8:46 PM, Stuart Kendrick wrote:
>
>> hi,
>>
>> what am i seeing here? i'm used to seeing actual usernames in my log
>> files ... and i would like to think that i'm rejecting access to users
>> which don't hand me a username/password which is valid in my Active
>> Directory domain ... but perhaps not ... what's going on with this
>> 'anonymous at abc.com' user? what is it in my config file which is
>> allowing constructs like 'anonymous at abc.com' to use my wireless access
>> points?
>>
>> --sk
>>
>> stuart kendrick
>> fhcrc
>>
>> [...]
>> Sun Oct 8 18:47:33 2006: wap: OK: fhcrc\skendric: fhcrc\skendric:
>> 10.11.12.16: j3-432-ap : Access-Request:
>> 000b.6c12.c7db: 0013.19d4.83b2
>> Sun Oct 8 18:48:02 2006: wap: OK: FHCRC\bsmith: FHCRC\bsmith:
>> 10.11.11.19: a1-175-ap : Access-Request: 0040.9635.1606:
>> 0013.19cf.e460
>> Sun Oct 8 18:49:30 2006: wap: OK: FHCRC\sclark: FHCRC\sclark:
>> 10.11.58.16: d5-220-ap : Access-Request: 0013.ce54.f45f:
>> 0013.19d4.74f0
>> Sun Oct 8 18:49:55 2006: wap: OK: cyu4: cyu4: 10.11.119.16:
>> le4-033-ap : Access-Request: 0013.cea3.6880: 0012.4324.eae0
>> Sun Oct 8 18:50:14 2006: wap: OK: anonymous: anonymous at myabc.com:
>> 10.11.15.18: a3-149-ap : Access-Request: 0013.0211.257a:
>> 0013.19d4.7780
>> Sun Oct 8 18:53:20 2006: wap: OK: skendric: skendric at fhcrc.org:
>> 10.11.117.15: le3-360-ap : Access-Request:
>> 0018.739f.cee6: 0015.c629.3270
>> [...]
>>
>>
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Received from 10.11.15.18 port 1645 ....
>> Code: Access-Request
>> Identifier: 165
>> Authentic: [...]
>> Attributes:
>> User-Name = "anonymous at myabc.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.19d4.7780"
>> Calling-Station-Id = "0013.0211.257a"
>> Service-Type = Authenticate-Only
>> Message-Authenticator = [...]
>> EAP-Message = <2><1><0><24><1>anonymous at myabc.com
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 7087
>> NAS-IP-Address = 10.11.15.18
>> NAS-Identifier = "a3-149-ap "
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling request with Handler ''
>> Sun Oct 8 19:50:19 2006: DEBUG: Deleting session for
>> anonymous at myabc.com, 10.11.15.18, 7087
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 1, 24
>> Sun Oct 8 19:50:19 2006: DEBUG: Response type 1
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Access challenged for
>> anonymous at myabc.com: EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Sending to 10.11.15.18 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 165
>> Authentic: [...]
>> Attributes:
>> EAP-Message = <1><2><0><6><25>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Received from 10.11.15.18 port 1645 ....
>> Code: Access-Request
>> Identifier: 166
>> Authentic: [...]
>> Attributes:
>> User-Name = "anonymous at myabc.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.19d4.7780"
>> Calling-Station-Id = "0013.0211.257a"
>> Service-Type = Authenticate-Only
>> Message-Authenticator = [...]
>> EAP-Message = [...]
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 7087
>> NAS-IP-Address = 10.11.15.18
>> NAS-Identifier = "a3-149-ap "
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling request with Handler ''
>> Sun Oct 8 19:50:19 2006: DEBUG: Deleting session for
>> anonymous at myabc.com, 10.11.15.18, 7087
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 2, 134
>> Sun Oct 8 19:50:19 2006: DEBUG: Response type 25
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Access challenged for
>> anonymous at myabc.com: EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Sending to 10.11.15.18 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 166
>> Authentic: <238><200><228><243><138><244><203>G<147>jeQ-,<205><175>
>> Attributes:
>> EAP-Message =
>>
>> EAP-Message =
>>
>> EAP-Message =
>>
>> EAP-Message =
>>
>> EAP-Message = <14>0<12><6><3>U<4><10><19><5>FHCRC1<11>0<9><6><3>U
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Received from 10.11.15.18 port 1645 ....
>> Code: Access-Request
>> Identifier: 167
>> Authentic: [...]
>> Attributes:
>> User-Name = "anonymous at myabc.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.19d4.7780"
>> Calling-Station-Id = "0013.0211.257a"
>> Service-Type = Authenticate-Only
>> Message-Authenticator = [...]
>> EAP-Message = <2><3><0><6><25><0>
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 7087
>> NAS-IP-Address = 10.11.15.18
>> NAS-Identifier = "a3-149-ap "
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling request with Handler ''
>> Sun Oct 8 19:50:19 2006: DEBUG: Deleting session for
>> anonymous at myabc.com, 10.11.15.18, 7087
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 3, 6
>> Sun Oct 8 19:50:19 2006: DEBUG: Response type 25
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Access challenged for
>> anonymous at myabc.com: EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Sending to 10.11.15.18 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 167
>> Authentic: <228><24>~<30>bQ<202><190>O<223>j<163><240>y<217>7
>> Attributes:
>> EAP-Message =
>>
>> EAP-Message =
>>
>> EAP-Message =
>>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Received from 10.11.15.18 port 1645 ....
>> Code: Access-Request
>> Identifier: 168
>> Authentic: [...]
>> Attributes:
>> User-Name = "anonymous at myabc.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.19d4.7780"
>> Calling-Station-Id = "0013.0211.257a"
>> Service-Type = Authenticate-Only
>> Message-Authenticator = [...]
>> EAP-Message = [...]
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 7087
>> NAS-IP-Address = 10.11.15.18
>> NAS-Identifier = "a3-149-ap "
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling request with Handler ''
>> Sun Oct 8 19:50:19 2006: DEBUG: Deleting session for
>> anonymous at myabc.com, 10.11.15.18, 7087
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 4, 204
>> Sun Oct 8 19:50:19 2006: DEBUG: Response type 25
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Access challenged for
>> anonymous at myabc.com: EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Sending to 10.11.15.18 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 168
>> Authentic: <189><3><20>w<160><184><247><163><174><242><245><197>R<7>+<3>
>> Attributes:
>> EAP-Message = [...]
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Received from 10.11.15.18 port 1645 ....
>> Code: Access-Request
>> Identifier: 169
>> Authentic: [...]
>> Attributes:
>> User-Name = "anonymous at myabc.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.19d4.7780"
>> Calling-Station-Id = "0013.0211.257a"
>> Service-Type = Authenticate-Only
>> Message-Authenticator = [...]
>> EAP-Message = <2><5><0><6><25><0>
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 7087
>> NAS-IP-Address = 10.11.15.18
>> NAS-Identifier = "a3-149-ap "
>>
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling request with Handler ''
>> Sun Oct 8 19:50:19 2006: DEBUG: Deleting session for
>> anonymous at myabc.com, 10.11.15.18, 7087
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with Radius::AuthFILE:
>> Sun Oct 8 19:50:19 2006: DEBUG: Handling with EAP: code 2, 5, 6
>> Sun Oct 8 19:50:19 2006: DEBUG: Response type 25
>> Sun Oct 8 19:50:19 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Access challenged for
>> anonymous at myabc.com: EAP PEAP Challenge
>> Sun Oct 8 19:50:19 2006: DEBUG: Packet dump:
>> *** Sending to 10.11.15.18 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 169
>> Authentic: [...]
>> Attributes:
>> EAP-Message = [...]
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
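To make Terry's two-stage picture concrete, here is an added Radiator configuration sketch; it is not Stuart's actual config and not a file from the Radiator distribution. It shows a realm-less default Handler that only terminates the TLS tunnel for the outer identity, tunnelled Handlers that check the inner credentials, and an AuthLog in the inner Handlers so rejections are recorded next to the OK lines. Certificate paths, the NTLM helper command and the domain name are placeholders.

```apacheconf
# Trace 4 produces the DEBUG packet dumps seen in the log above.
Trace 4

# Outer stage: Handler '' (no Realm or attribute match) catches every request,
# including User-Name = anonymous@myabc.com, and only drives the TLS handshake.
# Nothing is accepted here; each EAP round trip is answered with Access-Challenge.
<Handler>
    <AuthBy FILE>
        # The users file is not consulted for the anonymous outer identity.
        Filename %D/users
        EAPType PEAP, TTLS
        # Placeholder paths; the CA cert is the one installed on the clients
        # so they can verify this server before sending inner credentials.
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/radius-cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/radius-key.pem
        EAPTLS_PrivateKeyPassword CHANGE_ME
    </AuthBy>
</Handler>

# Inner stage for PEAP: Radiator re-dispatches the decrypted inner request
# with TunnelledByPEAP=1 set, so this Handler, not Handler '', decides
# Access-Accept or Access-Reject for the real username.
<Handler TunnelledByPEAP=1>
    <AuthBy NTLM>
        # Placeholder AD domain and Samba ntlm_auth helper path.
        NtlmDomain FHCRC
        NtlmAuthHelper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
        EAPType MSCHAP-V2
    </AuthBy>
    # Explicitly log failures as well as successes for the inner identity.
    <AuthLog FILE>
        Filename %L/authlog
        LogSuccess 1
        LogFailure 1
    </AuthLog>
</Handler>

# Inner stage for TTLS: same credential check against the same helper.
<Handler TunnelledByTTLS=1>
    <AuthBy NTLM>
        NtlmDomain FHCRC
        NtlmAuthHelper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
        EAPType MSCHAP-V2
    </AuthBy>
    <AuthLog FILE>
        Filename %L/authlog
        LogSuccess 1
        LogFailure 1
    </AuthLog>
</Handler>
```

With this layout an AuthLog on the outer Handler would only ever show the anonymous outer identity; the inner Handlers' AuthLog is where a wrong Active Directory password surfaces as a rejection.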