(RADIATOR) leap / no record in log

Hugh Irvine hugh at open.com.au
Fri Apr 20 01:00:49 CDT 2007


Hello Stuart -

Assuming that what you show below is an authentication request from  
the device in question, Radiator is sending a LEAP challenge and  
hearing nothing further.

You will need to check the device configuration and the AP  
configuration.

Trace 4 debug is what you need to see all of the debug messages.

regards

Hugh


On 20 Apr 2007, at 13:36, Stuart Kendrick wrote:

> hi,
>
> i'm having trouble persuading Cisco 7920 WiFi VoIP phones (LEAP) to  
> work.  in fact, i don't even see their authentication efforts show  
> up in my log (my 'wap' log, where i can see other WiFi clients  
> scrolling by, as they associate and authenticate), unless i crank  
> Trace from 2 to 4
>
> pointers?
>
> --sk
>
> stuart kendrick
> fhcrc
>
>
> Radiator-3.16 / Windows 2003
>
> Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
> *** Received from 140.107.231.2 port 1645 ....
> Code:       Access-Request
> Identifier: 117
> Authentic:  <160>A<213>j<150><250><226><149><230>hK<224><239>K<4><225>
> Attributes:
> 	User-Name = "skendric at fhcrc.org"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.c48a.e0e0"
> 	Calling-Station-Id = "000d.282e.7ca8"
> 	Service-Type = Login-User
> 	Message-Authenticator = A><148><250><247><153><249><212>A<16>L<161><12><221>i<245>
> 	EAP-Message = <2><1><0><23><1>skendric at fhcrc.org
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 321
> 	NAS-IP-Address = 140.107.231.2
> 	NAS-Identifier = "skendric-ap               "
>
> Thu Apr 19 19:07:59 2007: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
> Thu Apr 19 19:07:59 2007: DEBUG:  Deleting session for skendric at fhcrc.org, 140.107.231.2, 321
> Thu Apr 19 19:07:59 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='140.107.231.2' and NASPORT=0321':
> Thu Apr 19 19:07:59 2007: DEBUG: Handling with Radius::AuthLSA:
> Thu Apr 19 19:07:59 2007: DEBUG: Handling with EAP: code 2, 1, 23
> Thu Apr 19 19:07:59 2007: DEBUG: Response type 1
> Thu Apr 19 19:07:59 2007: DEBUG: EAP result: 3, EAP LEAP Challenge
> Thu Apr 19 19:07:59 2007: DEBUG: AuthBy LSA result: CHALLENGE, EAP LEAP Challenge
> Thu Apr 19 19:07:59 2007: DEBUG: Access challenged for skendric at fhcrc.org: EAP LEAP Challenge
> Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
> *** Sending to 140.107.231.2 port 1645 ....
> Code:       Access-Challenge
> Identifier: 117
> Authentic:  <160>A<213>j<150><250><226><149><230>hK<224><239>K<4><225>
> Attributes:
> 	EAP-Message = <1><2><0>"<17><1><0><8><23>P<192>#L<21><194><168>skendric at fhcrc.org
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
>
> ########## GLOBAL PARAMETERS ############
>
> # Misc
> PidFile		C:/Program Files/Radiator/radius.pid
> DbDir           C:/Program Files/Radiator
>
> # Log error messages to the console [doesn't work --sk]
> Foreground
> LogStdout
>
> # This defines the %L token
> LogDir          G:/Radiator/Logs
>
> # Default logfile for startup and other general messages.  In theory, the <Log FILE> directive below disables this ... but
> # in practice, it does not
> LogFile		%L/logfile
>
> # Set logging level
> Trace   2
>
>
>
> ########## LOG FILE DEFINITIONS ##########
>
> <Log FILE>
> 	Identifier	general-log
> 	Filename	%L/General/%Y-%m-%d-general
> 	LogFormat	%l: general: %1: %2: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> </Log>
>
> <AuthLog FILE>
> 	Identifier	rad-authlog
> 	Filename	G:/Radiator/Logs/RAD/%Y-%m-%d-rad
> 	LogSuccess 1
> 	SuccessFormat	%l: rad: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> 	LogFailure 1
> 	FailureFormat	%l: rad: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> </AuthLog>
>
> <AuthLog FILE>
> 	Identifier	vpn-authlog
> 	Filename	%L/VPN/%Y-%m-%d-vpn
> 	LogSuccess 1
> 	SuccessFormat	%l: vpn: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> 	LogFailure 1
> 	FailureFormat	%l: vpn: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> </AuthLog>
>
> <AuthLog FILE>
> 	Identifier	wap-authlog
> 	Filename	%L/WAP/%Y-%m-%d-wap
> 	LogSuccess 1
> 	SuccessFormat	%l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> 	LogFailure 1
> 	FailureFormat	%l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
> </AuthLog>
>
> # Log captive portal users. Note that this log is logging %{Framed-IP-Address} to show which client tried authentication. Do not change.
>
> <AuthLog FILE>
> 	Identifier	cpl-authlog
> 	Filename	%L/CPL/%Y-%m-%d-cpl
> 	LogSuccess 1
> 	SuccessFormat	%l: cpl: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Framed-IP-Address}: %{Called-Station-Id}
> 	LogFailure 1
> 	FailureFormat	%l: cpl: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Framed-IP-Address}: %{Called-Station-Id}
> </AuthLog>
>
>
> ########## CLIENT DEFINITIONS ############
>
> # VPN Servers
> <Client cf-vpn-private.fhcrc.org>
> 	Secret secret
> 	Identifier vpn-servers
> 	IdenticalClients cf-vpn.fhcrc.org
> #	IdenticalClients md-vpn.fhcrc.org, md-vpn-private.fhcrc.org
> #       This is the base address for Framed-Group = 0
> 	FramedGroupBaseAddress x.x.x.x
> </Client>
>
>
> # Dial-up servers
> <Client cf-rad.fhcrc.org>
> 	Secret secret
> 	Identifier dialup-servers
> </Client>
>
> # Captive Portals
> <Client 66.150.172.22>
> 	Secret secret
> 	Identifier cpl-servers
> 	IdenticalClients x.x.x.x y.y.y.y
> </Client>
>
> # Wireless access points
> <Client DEFAULT>
> 	Secret secret
> </Client>
>
>
>
> ########## AUTHENTICATION HANDLERS ############
>
> ##### Captive Portals #####
> <Handler Client-Identifier=cpl-servers>
> 	<AuthBy RADMIN>
> 		# Change DBSource, DBUsername, DBAuth for your database
> 		# See the reference manual. You will also have to
> 		# change the one in <SessionDatabse SQL> below
> 		# so its the same
> 		DBSource	dbi:mysql:radmin:localhost
> 		DBUsername	user
> 		DBAuth		passwd
> 		
> 		# Never look up the DEFAULT user
> 		NoDefault
>
> 		# You can add to or change these if you want, but you
> 		# will probably want to change the database schema first
> 		AccountingTable	RADUSAGE
> 		AcctColumnDef	USERNAME,User-Name
> 		AcctColumnDef	TIME_STAMP,Timestamp,integer
> 		AcctColumnDef	ACCTSTATUSTYPE,Acct-Status-Type,integer
> 		AcctColumnDef	ACCTDELAYTIME,Acct-Delay-Time,integer
> 		AcctColumnDef	ACCTINPUTOCTETS,Acct-Input-Octets,integer
> 		AcctColumnDef	ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> 		AcctColumnDef	ACCTSESSIONID,Acct-Session-Id
> 		AcctColumnDef	ACCTSESSIONTIME,Acct-Session-Time,integer
> 		AcctColumnDef	ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> 		AcctColumnDef	FRAMEDIPADDRESS,Framed-IP-Address
> 		AcctColumnDef	NASIDENTIFIER,NAS-IP-Address
> 		AcctColumnDef	NASIDENTIFIER,NAS-Identifier
> 		AcctColumnDef	NASPORT,NAS-Port,integer
> 		AcctColumnDef	DNIS,Called-Station-Id
> #		AcctColumnDef	CALLINGSTATIONID,Calling-Station-Id
>
> 		# This updates the time and octets left
> 		# for this user
> 		AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
> 		# These are the classic things to add to each users
> 		# reply to allow a PPP dialup session. It may be
> 		# different for your NAS. This will add some
> 		# reply items to everyone's reply
> 		# AddToReply Framed-Protocol = PPP,\
>         	#	Framed-IP-Netmask = 255.255.255.255,\
>         	#	Framed-Routing = None,\
>         	#	Framed-MTU = 1500,\
> 		#	Framed-Compression = Van-Jacobson-TCP-IP
> 		
> 		# If you intend to use rcrypt reversible encryption
> 		# for passwords in your Radmin database, you must
> 		# RcryptKey here to be the same secret key you
> 		# defined in your Radmin Site.pm, and also set
> 		# PasswordFormat in your Site.pm.
> 		# RcryptKey mysecret
>
> 		# If you intend to use Unix encryption in your database,
> 		# you will need to set EncryptedPasssword here,
> 		# as well as setting PasswordFormat in your Site.pm
> 		# EncryptedPassword
>
> 		# You can change the max bad login count from the
> 		# default of 5 with something like
> 		# MaxBadLogins 10
> 	</AuthBy>
>
> 	# This clause logs all authentication successes and failures to
> 	# the RADAUTHLOG table. Suitable for use with RAdmin version 1.6
> 	<AuthLog SQL>
> 		# This database spec usually should be exactly the same
> 		# as in <AuthBy RADMIN> above
> 		DBSource	dbi:mysql:radmin:localhost
> 		DBUsername	user
> 		DBAuth		passwd
>
> 		LogSuccess
> 		SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
> 		LogFailure
> 		FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
> 	</AuthLog>
>
> 	AcctLogFileName	%L/detail
> 	AuthLog		cpl-authlog
>
> </Handler>
>
> <SessionDatabase SQL>
> 	# This database spec usually should be exactly the same
> 	# as in <AuthBy RADMIN> above
> 	DBSource	dbi:mysql:radmin:localhost
> 	DBUsername	user
> 	DBAuth		password
> 	
> </SessionDatabase>
>
> # You can also set up an address pool for Radiator to manage.
> # The standard Radmin tables include a RADPOOL address pool table.
> # see the example in addressallocator.cfg
>
>
>
> ##### VPN Servers #####
> <Handler Client-Identifier=vpn-servers>
> 	AuthByPolicy	ContinueUntilAccept
> 	RejectHasReason
> 	
> 	# Handle Electrical Consulting Services (ECS) access
> 	<AuthBy LSA>
> 		Domain FHCRC
> 		Group ECS
> 	</AuthBy>
> 	
> 	# Handle Software VPN users
> 	<AuthBy LSA>
> 		Domain FHCRC
> 		Group VPNSW
> 	</AuthBy>	
>
> 	# Log it
> 	AuthLog			vpn-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
> ##### Dialup Servers #####
> <Handler Client-Identifier=dialup-servers>
> 	AuthByPolicy ContinueUntilAccept
> 	RejectHasReason
>
> 	# Handle T-Lite users
> 	<AuthBy LSA>
> 		Domain FHCRC
> 		Group T-Lite
> 		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Idle-Timeout = 3600, Session-Timeout = 28800, cisco-avpair = "ip:addr-pool=t-lite"
> 	</AuthBy>
> 	
> 	# Handle T-Free users
> 	<AuthBy LSA>
> 		Domain FHCRC
> 		Group T-Free
> 		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Idle-Timeout = 3600, Session-Timeout = 28800, cisco-avpair = "ip:addr-pool=t-free"
> 	</AuthBy>
> 	StripFromReply Callback-Number	
>
> 	# Log it
> 	AuthLog			rad-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
>
> #### Wireless Clients using PEAP #####
> <Handler TunnelledByPEAP=1>
> 	RejectHasReason
> 	<AuthBy LSA>
> 		EAPType MSCHAP-V2
> 	</AuthBy>	
>
> 	# Log it
> 	AuthLog			wap-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
>
> #### Wireless Clients using EAP-TLS #####
> <Handler TunnelledByTTLS=1>
> 	RejectHasReason
> 	<AuthBy LSA>
> 	</AuthBy>
>
> 	# Log it
> 	AuthLog			wap-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
> #### Wireless Clients using LEAP #####
> <Handler Realm=fhcrc.org>
> 	AuthByPolicy ContinueWhileReject
> 	RejectHasReason
> 	<AuthBy LSA>
> 		RewriteUsername s/^([^@]+).*/$1/
> 		EAPType LEAP
> 	</AuthBy>
>
> 	# Log it
> 	AuthLog			wap-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
> #### Outer Handler #####
> <Handler>	
> 	AuthByPolicy	ContinueUntilAccept
> 	RejectHasReason
>  	<AuthBy FILE>				
> 		Filename %D/users.anonymous
> 		EAPType PEAP,TTLS
> 		EAPTLS_PEAPVersion 0
> 		EAPTLS_CAFile C:[...]/Radiator/cacert.pem		
> 		EAPTLS_CertificateFile C:[...]/Radiator/machine.pem
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile C:[...]/Radiator/machine.pem
> 		EAPTLS_PrivateKeyPassword secret
> 		EAPTLS_MaxFragmentSize 1024
> 		EAPAnonymous %0
> 		AutoMPPEKeys
> 		SSLeayTrace 4							
>  	</AuthBy>
> 	
> 	# Log it
> 	AuthLog			wap-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
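A small diagnostic that mechanises the reading of the trace given above, added here as an example and not code from the thread or from Radiator: it walks the Packet dump blocks of a Trace 4 log, ties each packet Radiator sends to the Calling-Station-Id of the request it is answering, and lists the clients whose conversation ends with an Access-Challenge that was never followed by another Access-Request. The log excerpt it runs on is constructed; the phone's MAC is the one from the post, the second client's MAC is made up.

```python
"""Flag Radiator EAP conversations that stop after an Access-Challenge."""
import re

DUMP_RE = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
CODE_RE = re.compile(r"^Code:\s+(\S+)")
ATTR_RE = re.compile(r"^\s*([\w-]+) = (.*)$")


def stalled_stations(log_text):
    """Return client MACs whose last packet is an unanswered Access-Challenge.
    Radiator's own packets carry no Calling-Station-Id, so each 'Sending to'
    dump is attributed to the station of the request it answers."""
    last, station, direction, code = {}, None, None, None
    for line in log_text.splitlines():
        if m := DUMP_RE.match(line):
            direction = "rx" if m.group(1) == "Received from" else "tx"
            if direction == "rx":
                station = None  # rebound when Calling-Station-Id appears
        elif m := CODE_RE.match(line):
            code = m.group(1)
            if direction == "tx" and station:
                last[station] = ("tx", code)
        elif (m := ATTR_RE.match(line)) and m.group(1) == "Calling-Station-Id":
            station = m.group(2).strip().strip('"')
            last[station] = (direction, code)
    return sorted(s for s, (d, c) in last.items()
                  if d == "tx" and c == "Access-Challenge")


# Constructed Trace 4 excerpt: the 7920 phone from the post (000d.282e.7ca8)
# is challenged and goes quiet; a second, constructed client (0011.2233.4455)
# answers its challenge and is accepted.
SAMPLE_LOG = """\
*** Received from 140.107.231.2 port 1645 ....
Code:       Access-Request
\tCalling-Station-Id = "000d.282e.7ca8"
*** Sending to 140.107.231.2 port 1645 ....
Code:       Access-Challenge
*** Received from 140.107.231.2 port 1645 ....
Code:       Access-Request
\tCalling-Station-Id = "0011.2233.4455"
*** Sending to 140.107.231.2 port 1645 ....
Code:       Access-Challenge
*** Received from 140.107.231.2 port 1645 ....
Code:       Access-Request
\tCalling-Station-Id = "0011.2233.4455"
*** Sending to 140.107.231.2 port 1645 ....
Code:       Access-Accept
"""
```

Run it over a real Trace 4 logfile with `stalled_stations(open(path).read())`; a MAC it reports is a client that received the challenge and stopped talking, which points at the supplicant or AP side rather than at Radiator.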

