(RADIATOR) leap / no record in log
Stuart Kendrick
skendric at fhcrc.org
Mon Apr 30 13:35:45 CDT 2007
Just to close the loop on this ...
Turns out my device was ignoring LEAP challenges under some circumstances.
Thanks for pointing me in the right direction.
--sk
Hugh Irvine wrote:
>
> Hello Stuart -
>
> Assuming that what you show below is an authentication request from the
> device in question, Radiator is sending a LEAP challenge and hearing
> nothing further.
>
> You will need to check the device configuration and the AP configuration.
>
> Trace 4 debug is what you need to see all of the debug messages.
>
> regards
>
> Hugh
>
>
> On 20 Apr 2007, at 13:36, Stuart Kendrick wrote:
>
>> hi,
>>
>> I'm having trouble persuading Cisco 7920 WiFi VoIP phones (LEAP) to
>> work. In fact, I don't even see their authentication efforts show up
>> in my log (my 'wap' log, where I can see other WiFi clients scrolling
>> by, as they associate and authenticate), unless I crank Trace from 2 to 4
>>
>> pointers?
>>
>> --sk
>>
>> stuart kendrick
>> fhcrc
>>
>>
>> Radiator-3.16 / Windows 2003
>>
>> Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
>> *** Received from 140.107.231.2 port 1645 ....
>> Code: Access-Request
>> Identifier: 117
>> Authentic: <160>A<213>j<150><250><226><149><230>hK<224><239>K<4><225>
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = A><148><250><247><153><249><212>A<16>L<161><12><221>i<245>
>> EAP-Message = <2><1><0><23><1>skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 321
>> NAS-IP-Address = 140.107.231.2
>> NAS-Identifier = "skendric-ap "
>>
>> Thu Apr 19 19:07:59 2007: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
>> Thu Apr 19 19:07:59 2007: DEBUG: Deleting session for skendric at fhcrc.org, 140.107.231.2, 321
>> Thu Apr 19 19:07:59 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='140.107.231.2' and NASPORT=0321':
>> Thu Apr 19 19:07:59 2007: DEBUG: Handling with Radius::AuthLSA:
>> Thu Apr 19 19:07:59 2007: DEBUG: Handling with EAP: code 2, 1, 23
>> Thu Apr 19 19:07:59 2007: DEBUG: Response type 1
>> Thu Apr 19 19:07:59 2007: DEBUG: EAP result: 3, EAP LEAP Challenge
>> Thu Apr 19 19:07:59 2007: DEBUG: AuthBy LSA result: CHALLENGE, EAP LEAP Challenge
>> Thu Apr 19 19:07:59 2007: DEBUG: Access challenged for skendric at fhcrc.org: EAP LEAP Challenge
>> Thu Apr 19 19:07:59 2007: DEBUG: Packet dump:
>> *** Sending to 140.107.231.2 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 117
>> Authentic: <160>A<213>j<150><250><226><149><230>hK<224><239>K<4><225>
>> Attributes:
>> EAP-Message = <1><2><0>"<17><1><0><8><23>P<192>#L<21><194><168>skendric at fhcrc.org
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>>
>>
>> ########## GLOBAL PARAMETERS ############
>>
>> # Misc
>> PidFile C:/Program Files/Radiator/radius.pid
>> DbDir C:/Program Files/Radiator
>>
>> # Log error messages to the console [doesn't work --sk]
>> Foreground
>> LogStdout
>>
>> # This defines the %L token
>> LogDir G:/Radiator/Logs
>>
>> # Default logfile for startup and other general messages. In theory,
>> # the <Log FILE> directive below disables this ... but in practice, it does not
>> LogFile %L/logfile
>>
>> # Set logging level
>> Trace 2
>>
>>
>>
>> ########## LOG FILE DEFINITIONS ##########
>>
>> <Log FILE>
>> Identifier general-log
>> Filename %L/General/%Y-%m-%d-general
>> LogFormat %l: general: %1: %2: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> </Log>
>>
>> <AuthLog FILE>
>> Identifier rad-authlog
>> Filename G:/Radiator/Logs/RAD/%Y-%m-%d-rad
>> LogSuccess 1
>> SuccessFormat %l: rad: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> LogFailure 1
>> FailureFormat %l: rad: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> </AuthLog>
>>
>> <AuthLog FILE>
>> Identifier vpn-authlog
>> Filename %L/VPN/%Y-%m-%d-vpn
>> LogSuccess 1
>> SuccessFormat %l: vpn: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> LogFailure 1
>> FailureFormat %l: vpn: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> </AuthLog>
>>
>> <AuthLog FILE>
>> Identifier wap-authlog
>> Filename %L/WAP/%Y-%m-%d-wap
>> LogSuccess 1
>> SuccessFormat %l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> LogFailure 1
>> FailureFormat %l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
>> </AuthLog>
>>
>> # Log captive portal users. Note that this log is logging
>> # %{Framed-IP-Address} to show which client tried authentication. Do not
>> # change.
>>
>> <AuthLog FILE>
>> Identifier cpl-authlog
>> Filename %L/CPL/%Y-%m-%d-cpl
>> LogSuccess 1
>> SuccessFormat %l: cpl: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Framed-IP-Address}: %{Called-Station-Id}
>> LogFailure 1
>> FailureFormat %l: cpl: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Framed-IP-Address}: %{Called-Station-Id}
>> </AuthLog>
>>
>>
>> ########## CLIENT DEFINITIONS ############
>>
>> # VPN Servers
>> <Client cf-vpn-private.fhcrc.org>
>> Secret secret
>> Identifier vpn-servers
>> IdenticalClients cf-vpn.fhcrc.org
>> # IdenticalClients md-vpn.fhcrc.org, md-vpn-private.fhcrc.org
>> # This is the base address for Framed-Group = 0
>> FramedGroupBaseAddress x.x.x.x
>> </Client>
>>
>>
>> # Dial-up servers
>> <Client cf-rad.fhcrc.org>
>> Secret secret
>> Identifier dialup-servers
>> </Client>
>>
>> # Captive Portals
>> <Client 66.150.172.22>
>> Secret secret
>> Identifier cpl-servers
>> IdenticalClients x.x.x.x y.y.y.y
>> </Client>
>>
>> # Wireless access points
>> <Client DEFAULT>
>> Secret secret
>> </Client>
>>
>>
>>
>> ########## AUTHENTICATION HANDLERS ############
>>
>> ##### Captive Portals #####
>> <Handler Client-Identifier=cpl-servers>
>> <AuthBy RADMIN>
>> # Change DBSource, DBUsername, DBAuth for your database
>> # See the reference manual. You will also have to
>> # change the one in <SessionDatabase SQL> below
>> # so it's the same
>> DBSource dbi:mysql:radmin:localhost
>> DBUsername user
>> DBAuth passwd
>>
>> # Never look up the DEFAULT user
>> NoDefault
>>
>> # You can add to or change these if you want, but you
>> # will probably want to change the database schema first
>> AccountingTable RADUSAGE
>> AcctColumnDef USERNAME,User-Name
>> AcctColumnDef TIME_STAMP,Timestamp,integer
>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>> AcctColumnDef NASPORT,NAS-Port,integer
>> AcctColumnDef DNIS,Called-Station-Id
>> # AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
>>
>> # This updates the time and octets left
>> # for this user
>> AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>>
>> # These are the classic things to add to each users
>> # reply to allow a PPP dialup session. It may be
>> # different for your NAS. This will add some
>> # reply items to everyone's reply
>> # AddToReply Framed-Protocol = PPP,\
>> # Framed-IP-Netmask = 255.255.255.255,\
>> # Framed-Routing = None,\
>> # Framed-MTU = 1500,\
>> # Framed-Compression = Van-Jacobson-TCP-IP
>>
>> # If you intend to use rcrypt reversible encryption
>> # for passwords in your Radmin database, you must
>> # set RcryptKey here to be the same secret key you
>> # defined in your Radmin Site.pm, and also set
>> # PasswordFormat in your Site.pm.
>> # RcryptKey mysecret
>>
>> # If you intend to use Unix encryption in your database,
>> # you will need to set EncryptedPassword here,
>> # as well as setting PasswordFormat in your Site.pm
>> # EncryptedPassword
>>
>> # You can change the max bad login count from the
>> # default of 5 with something like
>> # MaxBadLogins 10
>> </AuthBy>
>>
>> # This clause logs all authentication successes and failures to
>> # the RADAUTHLOG table. Suitable for use with RAdmin version 1.6
>> <AuthLog SQL>
>> # This database spec usually should be exactly the same
>> # as in <AuthBy RADMIN> above
>> DBSource dbi:mysql:radmin:localhost
>> DBUsername user
>> DBAuth passwd
>>
>> LogSuccess
>> SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
>> LogFailure
>> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
>> </AuthLog>
>>
>> AcctLogFileName %L/detail
>> AuthLog cpl-authlog
>>
>> </Handler>
>>
>> <SessionDatabase SQL>
>> # This database spec usually should be exactly the same
>> # as in <AuthBy RADMIN> above
>> DBSource dbi:mysql:radmin:localhost
>> DBUsername user
>> DBAuth password
>>
>> </SessionDatabase>
>>
>> # You can also set up an address pool for Radiator to manage.
>> # The standard Radmin tables include a RADPOOL address pool table.
>> # see the example in addressallocator.cfg
>>
>>
>>
>> ##### VPN Servers #####
>> <Handler Client-Identifier=vpn-servers>
>> AuthByPolicy ContinueUntilAccept
>> RejectHasReason
>>
>> # Handle Electrical Consulting Services (ECS) access
>> <AuthBy LSA>
>> Domain FHCRC
>> Group ECS
>> </AuthBy>
>>
>> # Handle Software VPN users
>> <AuthBy LSA>
>> Domain FHCRC
>> Group VPNSW
>> </AuthBy>
>>
>> # Log it
>> AuthLog vpn-authlog
>> AcctLogFileName %L/Acct/%Y-%m-%d-acct
>> </Handler>
>>
>>
>> ##### Dialup Servers #####
>> <Handler Client-Identifier=dialup-servers>
>> AuthByPolicy ContinueUntilAccept
>> RejectHasReason
>>
>> # Handle T-Lite users
>> <AuthBy LSA>
>> Domain FHCRC
>> Group T-Lite
>> AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Idle-Timeout = 3600, Session-Timeout = 28800, cisco-avpair = "ip:addr-pool=t-lite"
>> </AuthBy>
>>
>> # Handle T-Free users
>> <AuthBy LSA>
>> Domain FHCRC
>> Group T-Free
>> AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Idle-Timeout = 3600, Session-Timeout = 28800, cisco-avpair = "ip:addr-pool=t-free"
>> </AuthBy>
>> StripFromReply Callback-Number
>>
>> # Log it
>> AuthLog rad-authlog
>> AcctLogFileName %L/Acct/%Y-%m-%d-acct
>> </Handler>
>>
>>
>>
>> #### Wireless Clients using PEAP #####
>> <Handler TunnelledByPEAP=1>
>> RejectHasReason
>> <AuthBy LSA>
>> EAPType MSCHAP-V2
>> </AuthBy>
>>
>> # Log it
>> AuthLog wap-authlog
>> AcctLogFileName %L/Acct/%Y-%m-%d-acct
>> </Handler>
>>
>>
>>
>> #### Wireless Clients using EAP-TTLS #####
>> <Handler TunnelledByTTLS=1>
>> RejectHasReason
>> <AuthBy LSA>
>> </AuthBy>
>>
>> # Log it
>> AuthLog wap-authlog
>> AcctLogFileName %L/Acct/%Y-%m-%d-acct
>> </Handler>
>>
>>
>> #### Wireless Clients using LEAP #####
>> <Handler Realm=fhcrc.org>
>> AuthByPolicy ContinueWhileReject
>> RejectHasReason
>> <AuthBy LSA>
>> RewriteUsername s/^([^@]+).*/$1/
>> EAPType LEAP
>> </AuthBy>
>>
>> # Log it
>> AuthLog wap-authlog
>> AcctLogFileName %L/Acct/%Y-%m-%d-acct
>> </Handler>
>>
>>
>> #### Outer Handler #####
>> <Handler>
>> AuthByPolicy ContinueUntilAccept
>> RejectHasReason
>> <AuthBy FILE>
>> Filename %D/users.anonymous
>> EAPType PEAP,TTLS
>> EAPTLS_PEAPVersion 0
>> EAPTLS_CAFile C:[...]/Radiator/cacert.pem
>> EAPTLS_CertificateFile C:[...]/Radiator/machine.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile C:[...]/Radiator/machine.pem
>> EAPTLS_PrivateKeyPassword secret
>> EAPTLS_MaxFragmentSize 1024
>> EAPAnonymous %0
>> AutoMPPEKeys
>> SSLeayTrace 4
>> </AuthBy>
>>
>> # Log it
>> AuthLog wap-authlog
>> AcctLogFileName %L/Acct/%Y-%m-%d-acct
>> </Handler>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
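Hugh's diagnosis rests on reading the two EAP-Message attributes in the trace 4 dump: the phone's EAP Identity response, then the LEAP challenge Radiator sends back, after which nothing arrives. The following Python script is an added example, not code from the original post or from Radiator, that turns Radiator's packet-dump rendering (printable octets literal, everything else as `<decimal>`) back into bytes, parses the EAP header and the LEAP request/response body, checks that the length fields add up, and lists challenges that never received a matching response. The two sample strings are constructed from the dump above; the archive rendered the `@` in the identity as ` at `, and the EAP length field of 23 only adds up with the 18-byte identity `skendric@fhcrc.org`, so that form is used here. It assumes each EAP packet fits in one EAP-Message attribute, true for these short messages but not for fragmented TLS-based methods. One caveat for anyone keeping trace 4 logs of LEAP traffic: the 8-byte challenge and, when a client does answer, the 24-byte MS-CHAP-style response are exactly the pair an offline dictionary attack on LEAP needs, so treat such logs as sensitive.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input constructed from the trace 4 dump in the post; the archive
# printed the "@" in the identity as " at ", restored here so lengths match.
EAP_IDENTITY_RESPONSE = "<2><1><0><23><1>skendric@fhcrc.org"
EAP_LEAP_CHALLENGE = '<1><2><0>"<17><1><0><8><23>P<192>#L<21><194><168>skendric@fhcrc.org'

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_LEAP = 17  # IANA EAP type number for Cisco LEAP

# Radiator renders non-printable octets as <decimal>; everything else is literal.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def decode_dump(text: str) -> bytes:
    """Reverse Radiator's packet-dump rendering of an attribute value."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[int] = None
    identity: Optional[str] = None      # payload of a type 1 (Identity) message
    leap_version: Optional[int] = None  # LEAP header fields follow
    challenge: Optional[bytes] = None   # 8 bytes in a LEAP Request
    response: Optional[bytes] = None    # 24 bytes in a LEAP Response
    name: Optional[str] = None


def parse_eap(pkt: bytes) -> EapMessage:
    """Parse one EAP packet; raises ValueError when the lengths do not add up."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes dumped")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    msg = EapMessage(EAP_CODES[code], ident, length)
    if code in (3, 4):  # Success and Failure carry no Type field
        return msg
    msg.eap_type = pkt[4]
    body = pkt[5:]
    if msg.eap_type == EAP_TYPE_IDENTITY:
        msg.identity = body.decode("ascii", "replace")
    elif msg.eap_type == EAP_TYPE_LEAP:
        # LEAP body: version(1) unused(1) count(1) data(count) name(rest)
        if len(body) < 3:
            raise ValueError("LEAP header truncated")
        msg.leap_version, count = body[0], body[2]
        data, rest = body[3:3 + count], body[3 + count:]
        if len(data) != count:
            raise ValueError(f"LEAP count {count} exceeds {len(body) - 3} bytes present")
        if code == 1:
            msg.challenge = data
        else:
            msg.response = data
        msg.name = rest.decode("ascii", "replace")
    return msg


def unanswered_leap_challenges(dumps: List[str]) -> List[int]:
    """Identifiers of LEAP challenges with no matching LEAP response in the log.

    A LEAP Response reuses the Identifier of the Request it answers, so a
    challenge whose identifier never appears in a type-17 Response was ignored.
    """
    msgs = [parse_eap(decode_dump(d)) for d in dumps]
    answered = {m.identifier for m in msgs
                if m.code == "Response" and m.eap_type == EAP_TYPE_LEAP}
    return [m.identifier for m in msgs
            if m.challenge is not None and m.identifier not in answered]


if __name__ == "__main__":
    exchange = [EAP_IDENTITY_RESPONSE, EAP_LEAP_CHALLENGE]
    for dump in exchange:
        print(parse_eap(decode_dump(dump)))
    print("unanswered LEAP challenges:", unanswered_leap_challenges(exchange))
```

Feed it the EAP-Message values in the order they appear in the log; an identifier left in the returned list is a challenge the supplicant never answered, which is the pattern Hugh describes. A length mismatch raised by `parse_eap` usually means a wrapped or truncated log line rather than a malformed packet, so check the dump before blaming the client.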