(RADIATOR) leap / no record in log
Stuart Kendrick
skendric at fhcrc.org
Thu Apr 19 22:36:12 CDT 2007
hi,
i'm having trouble persuading Cisco 7920 WiFi VoIP phones (LEAP) to
work. in fact, i don't even see their authentication efforts show up in
my log (my 'wap' log, where i can see other WiFi clients scrolling by,
as they associate and authenticate), unless i crank Trace from 2 to 4.

pointers?
--sk
stuart kendrick
fhcrc
Radiator-3.16 / Windows 2003
Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
*** Received from 140.107.231.2 port 1645 ....
Code: Access-Request
Identifier: 117
Authentic: <160>A<213>j<150><250><226><149><230>hK<224><239>K<4><225>
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator =
A><148><250><247><153><249><212>A<16>L<161><12><221>i<245>
EAP-Message = <2><1><0><23><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 321
NAS-IP-Address = 140.107.231.2
NAS-Identifier = "skendric-ap "
Thu Apr 19 19:07:59 2007: DEBUG: Handling request with Handler
'Realm=fhcrc.org'
Thu Apr 19 19:07:59 2007: DEBUG: Deleting session for
skendric at fhcrc.org, 140.107.231.2, 321
Thu Apr 19 19:07:59 2007: DEBUG: do query is: 'delete from RADONLINE
where NASIDENTIFIER='140.107.231.2' and NASPORT=0321':
Thu Apr 19 19:07:59 2007: DEBUG: Handling with Radius::AuthLSA:
Thu Apr 19 19:07:59 2007: DEBUG: Handling with EAP: code 2, 1, 23
Thu Apr 19 19:07:59 2007: DEBUG: Response type 1
Thu Apr 19 19:07:59 2007: DEBUG: EAP result: 3, EAP LEAP Challenge
Thu Apr 19 19:07:59 2007: DEBUG: AuthBy LSA result: CHALLENGE, EAP LEAP
Challenge
Thu Apr 19 19:07:59 2007: DEBUG: Access challenged for
skendric at fhcrc.org: EAP LEAP Challenge
Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
*** Sending to 140.107.231.2 port 1645 ....
Code: Access-Challenge
Identifier: 117
Authentic: <160>A<213>j<150><250><226><149><230>hK<224><239>K<4><225>
Attributes:
EAP-Message =
<1><2><0>"<17><1><0><8><23>P<192>#L<21><194><168>skendric at fhcrc.org
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
########## GLOBAL PARAMETERS ############
# Misc
PidFile C:/Program Files/Radiator/radius.pid
DbDir C:/Program Files/Radiator
# Log error messages to the console [doesn't work --sk]
Foreground
LogStdout
# This defines the %L token
LogDir G:/Radiator/Logs
# Default logfile for startup and other general messages. In theory, the <Log FILE> directive below disables this ... but in practice, it does not
LogFile %L/logfile
# Set logging level
Trace 2
########## LOG FILE DEFINITIONS ##########
<Log FILE>
Identifier general-log
Filename %L/General/%Y-%m-%d-general
LogFormat %l: general: %1: %2: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</Log>
<AuthLog FILE>
Identifier rad-authlog
Filename G:/Radiator/Logs/RAD/%Y-%m-%d-rad
LogSuccess 1
SuccessFormat %l: rad: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: rad: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier vpn-authlog
Filename %L/VPN/%Y-%m-%d-vpn
LogSuccess 1
SuccessFormat %l: vpn: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: vpn: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier wap-authlog
Filename %L/WAP/%Y-%m-%d-wap
LogSuccess 1
SuccessFormat %l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
# Log captive portal users. Note that this log is logging %{Framed-IP-Address} to show which client tried authentication. Do not change.
<AuthLog FILE>
Identifier cpl-authlog
Filename %L/CPL/%Y-%m-%d-cpl
LogSuccess 1
SuccessFormat %l: cpl: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Framed-IP-Address}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: cpl: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Framed-IP-Address}: %{Called-Station-Id}
</AuthLog>
########## CLIENT DEFINITIONS ############
# VPN Servers
<Client cf-vpn-private.fhcrc.org>
Secret secret
Identifier vpn-servers
IdenticalClients cf-vpn.fhcrc.org
# IdenticalClients md-vpn.fhcrc.org, md-vpn-private.fhcrc.org
# This is the base address for Framed-Group = 0
FramedGroupBaseAddress x.x.x.x
</Client>
# Dial-up servers
<Client cf-rad.fhcrc.org>
Secret secret
Identifier dialup-servers
</Client>
# Captive Portals
<Client 66.150.172.22>
Secret secret
Identifier cpl-servers
IdenticalClients x.x.x.x y.y.y.y
</Client>
# Wireless access points
<Client DEFAULT>
Secret secret
</Client>
########## AUTHENTICATION HANDLERS ############
##### Captive Portals #####
<Handler Client-Identifier=cpl-servers>
<AuthBy RADMIN>
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual. You will also have to
# change the one in <SessionDatabase SQL> below
# so it's the same
DBSource dbi:mysql:radmin:localhost
DBUsername user
DBAuth passwd
# Never look up the DEFAULT user
NoDefault
# You can add to or change these if you want, but you
# will probably want to change the database schema first
AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
# AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
# This updates the time and octets left
# for this user
AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
# These are the classic things to add to each user's
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
# AddToReply Framed-Protocol = PPP,\
# Framed-IP-Netmask = 255.255.255.255,\
# Framed-Routing = None,\
# Framed-MTU = 1500,\
# Framed-Compression = Van-Jacobson-TCP-IP
# If you intend to use rcrypt reversible encryption
# for passwords in your Radmin database, you must
# set RcryptKey here to be the same secret key you
# defined in your Radmin Site.pm, and also set
# PasswordFormat in your Site.pm.
# RcryptKey mysecret
# If you intend to use Unix encryption in your database,
# you will need to set EncryptedPassword here,
# as well as setting PasswordFormat in your Site.pm
# EncryptedPassword
# You can change the max bad login count from the
# default of 5 with something like
# MaxBadLogins 10
</AuthBy>
# This clause logs all authentication successes and failures to
# the RADAUTHLOG table. Suitable for use with RAdmin version 1.6
<AuthLog SQL>
# This database spec usually should be exactly the same
# as in <AuthBy RADMIN> above
DBSource dbi:mysql:radmin:localhost
DBUsername user
DBAuth passwd
LogSuccess
SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
LogFailure
FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
</AuthLog>
AcctLogFileName %L/detail
AuthLog cpl-authlog
</Handler>
<SessionDatabase SQL>
# This database spec usually should be exactly the same
# as in <AuthBy RADMIN> above
DBSource dbi:mysql:radmin:localhost
DBUsername user
DBAuth password
</SessionDatabase>
# You can also set up an address pool for Radiator to manage.
# The standard Radmin tables include a RADPOOL address pool table.
# see the example in addressallocator.cfg
##### VPN Servers #####
<Handler Client-Identifier=vpn-servers>
AuthByPolicy ContinueUntilAccept
RejectHasReason
# Handle Electrical Consulting Services (ECS) access
<AuthBy LSA>
Domain FHCRC
Group ECS
</AuthBy>
# Handle Software VPN users
<AuthBy LSA>
Domain FHCRC
Group VPNSW
</AuthBy>
# Log it
AuthLog vpn-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
##### Dialup Servers #####
<Handler Client-Identifier=dialup-servers>
AuthByPolicy ContinueUntilAccept
RejectHasReason
# Handle T-Lite users
<AuthBy LSA>
Domain FHCRC
Group T-Lite
AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Idle-Timeout = 3600, Session-Timeout = 28800, cisco-avpair = "ip:addr-pool=t-lite"
</AuthBy>
# Handle T-Free users
<AuthBy LSA>
Domain FHCRC
Group T-Free
AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Idle-Timeout = 3600, Session-Timeout = 28800, cisco-avpair = "ip:addr-pool=t-free"
</AuthBy>
StripFromReply Callback-Number
# Log it
AuthLog rad-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using PEAP #####
<Handler TunnelledByPEAP=1>
RejectHasReason
<AuthBy LSA>
EAPType MSCHAP-V2
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using EAP-TTLS (inner requests) #####
<Handler TunnelledByTTLS=1>
RejectHasReason
<AuthBy LSA>
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
AuthByPolicy ContinueWhileReject
RejectHasReason
<AuthBy LSA>
RewriteUsername s/^([^@]+).*/$1/
EAPType LEAP
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Outer Handler #####
<Handler>
AuthByPolicy ContinueUntilAccept
RejectHasReason
<AuthBy FILE>
Filename %D/users.anonymous
EAPType PEAP,TTLS
EAPTLS_PEAPVersion 0
EAPTLS_CAFile C:[...]/Radiator/cacert.pem
EAPTLS_CertificateFile C:[...]/Radiator/machine.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile C:[...]/Radiator/machine.pem
EAPTLS_PrivateKeyPassword secret
EAPTLS_MaxFragmentSize 1024
EAPAnonymous %0
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
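An added example, not part of the post and not code from the Radiator distribution (Radiator itself is Perl; this is a stand-alone Python helper). The <AuthLog> clauses in the configuration above only write a line on success or failure, so a LEAP exchange that stops after an Access-Challenge never shows up in the 'wap' log even though it is visible in the Trace 4 packet dumps. The script below reads a debug log of the shape shown in the post, pairs each reply with its request by NAS address and RADIUS Identifier, groups the exchanges by Calling-Station-Id and reports which clients reached an Accept/Reject, which stalled after a challenge, and which never got a reply at all. The sample log is constructed; the station ids and user names other than the phone's own Calling-Station-Id are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Trace 4 packet dumps in the post.
# Station 000d.282e.7ca8 is the phone from the post (never answers the
# challenge); the other two stations and all user names are invented.
SAMPLE_LOG = """\
Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
*** Received from 140.107.231.2 port 1645 ....
Code: Access-Request
Identifier: 117
Attributes:
User-Name = "phone1@fhcrc.org"
Calling-Station-Id = "000d.282e.7ca8"
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message = <2><1><0><23><1>phone1@fhcrc.org
Thu Apr 19 19:07:59 2007: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
*** Sending to 140.107.231.2 port 1645 ....
Code: Access-Challenge
Identifier: 117
Attributes:
EAP-Message = <1><2><0>"<17><1><0><8><23>P<192>#L<21><194><168>phone1@fhcrc.org
Thu Apr 19 19:08:03 2007: DEBUG: Packet dump:
*** Received from 140.107.231.2 port 1645 ....
Code: Access-Request
Identifier: 118
Attributes:
User-Name = "laptop1@fhcrc.org"
Calling-Station-Id = "0011.2233.4455"
EAP-Message = <2><1><0><22><1>laptop1@fhcrc.org
Thu Apr 19 19:08:03 2007: DEBUG: Packet dump:
*** Sending to 140.107.231.2 port 1645 ....
Code: Access-Challenge
Identifier: 118
Attributes:
EAP-Message = <1><2><0><8><17><1><0><8>
Thu Apr 19 19:08:04 2007: DEBUG: Packet dump:
*** Received from 140.107.231.2 port 1645 ....
Code: Access-Request
Identifier: 119
Attributes:
User-Name = "laptop1@fhcrc.org"
Calling-Station-Id = "0011.2233.4455"
EAP-Message = <2><2><0><8><17><2>
Thu Apr 19 19:08:04 2007: DEBUG: Packet dump:
*** Sending to 140.107.231.2 port 1645 ....
Code: Access-Accept
Identifier: 119
Attributes:
EAP-Message = <3><2><0><4>
Thu Apr 19 19:08:09 2007: DEBUG: Packet dump:
*** Received from 140.107.231.2 port 1645 ....
Code: Access-Request
Identifier: 120
Attributes:
User-Name = "phone2@fhcrc.org"
Calling-Station-Id = "00aa.bbcc.ddee"
EAP-Message = <2><1><0><23><1>phone2@fhcrc.org
"""

# "Thu Apr 19 19:07:59 2007: DEBUG: <message>" starts every log record.
TS_RE = re.compile(r'^(\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}): (\w+): (.*)$')
PKT_RE = re.compile(r'^\*\*\* (Received from|Sending to) (\S+) port (\d+)')
ATTR_RE = re.compile(r'^([\w-]+) = (.*)$')


def parse_packets(text):
    """Return a list of dicts, one per 'Packet dump:' block in the log."""
    packets, current = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:  # a new timestamped record; only 'Packet dump:' opens a packet
            ts, _level, msg = m.groups()
            current = {'time': ts, 'attrs': {}} if msg == 'Packet dump:' else None
            if current:
                packets.append(current)
            continue
        if current is None:
            continue
        m = PKT_RE.match(line)
        if m:
            current['direction'] = 'in' if m.group(1) == 'Received from' else 'out'
            current['peer'] = m.group(2)
        elif line.startswith('Code: '):
            current['code'] = line[6:].strip()
        elif line.startswith('Identifier: '):
            current['identifier'] = int(line[12:])
        else:
            m = ATTR_RE.match(line)
            if m:
                current['attrs'][m.group(1)] = m.group(2).strip('"')
    return packets


def audit_conversations(packets):
    """Pair replies with requests by (NAS, Identifier), group by station and
    classify: 'completed' (Accept/Reject, the only outcomes an <AuthLog>
    records), 'stalled' (last reply was a challenge) or 'unanswered'."""
    pending, convs = {}, defaultdict(list)
    for p in packets:
        key = (p.get('peer'), p.get('identifier'))
        if p.get('direction') == 'in':
            pending[key] = p
        elif p.get('direction') == 'out' and key in pending:
            req = pending.pop(key)
            station = req['attrs'].get('Calling-Station-Id', 'unknown')
            convs[station].append((req['code'], p['code']))
    for req in pending.values():  # requests that never got any reply
        convs[req['attrs'].get('Calling-Station-Id', 'unknown')].append((req['code'], None))
    result = {}
    for station, steps in convs.items():
        last = steps[-1][1]
        state = ('completed' if last in ('Access-Accept', 'Access-Reject')
                 else 'stalled' if last == 'Access-Challenge' else 'unanswered')
        result[station] = {'steps': steps, 'state': state}
    return result


if __name__ == '__main__':
    for station, info in audit_conversations(parse_packets(SAMPLE_LOG)).items():
        print(f"{station}: {info['state']} after {len(info['steps'])} round trip(s)")
```

Run against a real Trace 4 log instead of SAMPLE_LOG by reading the file into `parse_packets`; a station reported as 'stalled' is one whose attempts will never appear in the wap AuthLog at Trace 2, which is exactly the symptom described in the post.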