(RADIATOR) eap-peap mschapv2 (again)
Hugh Irvine
hugh at open.com.au
Sun Dec 30 15:33:21 CST 2007
Hello Bob -
Which LDAP server are you going to be using?
If it is Active Directory, you should run Radiator on Windows and use
the AuthBy LSA clause.
See the example configuration files in "goodies/lsa_eap_peap.cfg" and
"goodies/las_eap_multi.cfg"
regards
Hugh
On 31 Dec 2007, at 00:53, Bob Shafer wrote:
> Dear list,
>
> Like a bad penny, I have returned, for at least one more time.
>
> A couple of times in the last year I've raised questions here about
> theoretical scenarios involving eap-peap mschapv2 and ldap.
>
> I finally am trying to actually *do* something rather than just talk
> about it....
>
> In hopes of walking before running, I thought I'd start by trying
> to use AUTHBY FILE before I attempted AUTHBY LDAP.
>
> I used the goodies/eap-peap.cfg file as a basis for the test and
> the test server certificate provided. I'm using 3.17.1 with
> current patches.
>
> The configuration file I've attached allows my test clients,
> appropriately configured, to authenticate with EAP-TTLS PAP and an
> NTHASH encrypted password.
>
> They also authenticate with EAP-PEAP MSCHAPV2 and an unencrypted
> password is the users file.
>
> But, and here is lies my problem, they all fail with the
> appropriate NTHASH encrypted version of the password.
>
> Because it is for test purposes only, I've included the password I
> used
> in both the nthash and clear text in the users file, which I've also
> attached
>
> Finally, there is a logfile with debug 4 enabled.
>
> Let me know if you need anything more.
>
> Any help that others can offer will be greatly appreciated.
>
> Thanks,
>
> Bob Shafer
> University of Denver
>
> # eap_peap.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PEAP authentication as used by Windows XP (starting with SP1)
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate from a standard users file in
> # the current directory.
> # It will accept requests from any client and try to handle request
> # for any realm.
> # And it will print out what its doing in great detail.
> #
> # In order to authenticate, the clients user name must be in ./users
> # (the password is irrelevant for EAP TLS).
> #
> # In order to test this, you can user the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
> # Requires openssl 0.9.7beta3 or later from www.openssl.org
> # Requires Digest-HMAC from CPAN
> # Requires Digest-SHA1 from CPAN
> #
> # You should consider this file to be a starting point only
> # $Id: eap_peap.cfg,v 1.12 2006/11/09 04:54:31 mikem Exp $
>
> LogDir /var/log/radius
> DbDir /etc/radiator
> # User a lower trace level in production systems:
> Trace 4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret Secret Stuff
> DupInterval 0
> </Client>
>
> <Handler TunnelledByTTLS=1>
> <AuthBy FILE>
> Filename %D/users
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> UsernameMatchesWithoutRealm
> Filename %D/users
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> # This hook fixes the problem with some implementations of PEAP,
> where the
> # accounting requests have the User-Name of anonymous, instead of
> the real
> # users name. After authenticating the inner TTLS request, the
> # PostAuthHook caches the _real_ user name in an SQL table,
> # The PreProcessingHook replaces the 'anonymous' user name in
> # accounting requests with the
> # real user name that was previously cached for the NAS and NAS-Port.
> # You can see the correct real User-Name logged in the
> AcctLogFileName
> # Must be used in conjunction with PreProcessingHook below
> # PostAuthHook file:"goodies/eap_anon_hook.pl"
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and
> the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be
> used to select
> # a specific handler, or else you can use EAPAnonymous to set a
> username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on
> Realm, and/or the
> # fact that they were tunnelled. You can therfore act just as a
> PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests
> locally or proxy
> # them to another remote server based on the realm of the inner
> authenticaiton request.
> # In this basic example, both the inner and outer authentication
> are authenticated
> # from a file by AuthBy FILE
> <Handler>
> <AuthBy FILE>
> # The username of the outer authentication
> # must be in this file to get anywhere. In this example,
> # it requires an entry for 'anonymous' which is the standard
> username
> # in the outer requests, and it also requires an entry for the
> # actual user name who is trying to connect (ie the 'Login name'
> entered
> # in the Funk Odyssey 'Edit Profile Properties' page
> Filename %D/users
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> EAPType TTLS, PEAP
>
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> # EAPTLS_CAPath
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the servers certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN1
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the servers private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to descrypt it
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile is an optional file containing
> # randdomness
> # EAPTLS_RandomFile %D/certificates/random
>
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize
> # (eg 1024) than the default of 2048. Others need even smaller
> sizes.
> EAPTLS_MaxFragmentSize 1024
>
> # EAPTLS_DHFile if set specifies the DH group file. It
> # may be required if you need to use ephemeral DH keys.
> # EAPTLS_DHFile %D/certificates/cert/dh
>
>
> # If EAPTLS_CRLCheck is set and the client presents a certificate
> # then Radiator will look for a certificate revocation list (CRL)
> # for the certificate issuer
> # when authenticating each client. If a CRL file is not found, or
> # if the CRL says the certificate has neen revoked, the
> authentication will
> # fail with an error:
> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> # Alternatively, CRLs may follow a file naming convention:
> # the hash of the issuer subject name
> # and a suffix that depends on the serial number.
> # eg ab1331b2.r0, ab1331b2.r1 etc.
> # You can find out the hash of the issuer name in a CRL with
> # openssl crl -in crl.pem -hash -noout
> # CRLs with tis name convention
> # will be searched in EAPTLS_CAPath, else in the openssl
> # certificates directory typically /usr/local/openssl/certs/
> # CRLs are expected to be in PEM format.
> # A CRL files can be generated with openssl like this:
> # openssl ca -gencrl -revoke cert-clt.pem
> # openssl ca -gencrl -out crl.pem
> # Use of these flags requires Net_SSLeay-1.21 or later
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> # Some clients, depending on their configuration, may require you
> to specify
> # MPPE send and receive keys. This _will_ be required if you select
> # 'Keys will be generated automatically for data privacy' in the
> Funk Odyssey
> # client Network Properties dialog.
> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> # in the final Access-Accept
> AutoMPPEKeys
>
> # You can enable some warning messages from the Net::SSLeay
> # module by setting SSLeayTrace to an integer from 1 to 4
> # 1=ciphers, 2=trace, 3=dump data
> SSLeayTrace 4
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If tehre is a realm, it
> can
> # be used to choose a local Realm to handle the inner
> authentication.
> # %0 is replaced with the EAP identitiy
> # EAPAnonymous anonymous at some.other.realm
>
> # You can enable or disable support for TTLS Session Resumption and
> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> # You can limit how long after the initial session that a session
> can be resumed
> # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults
> to 43200
> # (12 hours)
> #EAPTLS_SessionResumptionLimit 10
>
> # You can control which version of the draft PEAP protocol to honour
> # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual
> clients,
> # such as Funk Odyssey Client 2.22 or later. For Funk Odyssey
> # version 4, use EAPTLS_PEAPVersion 1,
> # but set EAPTLS_PEAPBrokenV1Label below
> EAPTLS_PEAPVersion 0
>
> # You can make PEAP Version 1 support compatible with
> # nonstandard PEAP V1 clients that use the old broken TLS
> encryption labels that
> # appear to be used frequently, due to Microsofts use of the
> incorrect
> # label in its V0 client. You should use this with Funk Odyssey
> # Client version 4 when EAPTLS_PEAPVersion is set to 1
> #EAPTLS_PEAPBrokenV1Label
> </AuthBy>
>
> # This hook fixes the problem with some implementations of PEAP,
> where the
> # accounting requests have the User-Name of anonymous, instead of
> the real
> # users name. After authenticating the inner TTLS request, the
> # PostAuthHook caches the _real_ user name in an SQL table,
> # The PreProcessingHook replaces the 'anonymous' user name in
> # accounting requests with the
> # real user name that was previously cached for the NAS and NAS-Port.
> # You can see the correct real User-Name logged in the
> AcctLogFileName
> # Must be used in conjunction with PostAuthHook above
> # PreProcessingHook file:"goodies/eap_anon_hook.pl"
> </Handler>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3402 ....
> Code: Access-Request
> Identifier: 0
> Authentic: V;U<3><135><153>\<2><246>B<173><195>M'<161><186>
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><0><0><9><1>r2d2
> Message-Authenticator = <169><128><219>;
> 6<200><245>Dh<187><19><236><230><134>7W
>
> Sat Dec 29 14:02:54 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:54 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with EAP: code 2, 0, 9
> Sat Dec 29 14:02:54 2007: DEBUG: Response type 1
> Sat Dec 29 14:02:54 2007: DEBUG: EAP result: 3, EAP TTLS Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TTLS Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Access challenged for r2d2: EAP
> TTLS Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3402 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: V;U<3><135><153>\<2><246>B<173><195>M'<161><186>
> Attributes:
> EAP-Message = <1><1><0><6><21>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3404 ....
> Code: Access-Request
> Identifier: 0
> Authentic:
> <166>;<210><247>"<199><27><192><<173><18>j<157><155><199><141>
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><1><0><6><3><25>
> Message-Authenticator = U<16><204><147><239><171><242>A<21>
> <173><238>]<18>R<186>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:54 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with EAP: code 2, 1, 6
> Sat Dec 29 14:02:54 2007: DEBUG: Response type 3
> Sat Dec 29 14:02:54 2007: INFO: EAP Nak desires type 25
> Sat Dec 29 14:02:54 2007: DEBUG: Resuming session for
> Radius::Context=HASH(0x889621c)
>
> Sat Dec 29 14:02:54 2007: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3404 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic:
> <166>;<210><247>"<199><27><192><<173><18>j<157><155><199><141>
> Attributes:
> EAP-Message = <1><2><0><6><25>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3406 ....
> Code: Access-Request
> Identifier: 0
> Authentic: "<143>ht<209><238><239><233>(H<6><200><134>7<11>"
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message =
> <2><2><0>d<25><128><0><0><0>Z<22><3><1><0>U<1><0><0>Q<3><1><0><0><0><3
> ><16><247>O_<164><237><227><252><234>8<241>AY<196>FJ<138>^}C<24>
> ({<150>n<130>y<27><0><0>*<0><22><0><19><0><10><0>f<0><7><0><5><0><4><0
> >e<0>d<0>c<0>b<0>a<0>`<0><21><0><18><0><9><0><20><0><17><0><8><0><6><0
> ><3><1><0>
> Message-Authenticator =
> <249><179>A<211><226><202><207><218><10><11><135>l<201>`<8>A
>
> Sat Dec 29 14:02:54 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:54 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with EAP: code 2, 2, 100
> Sat Dec 29 14:02:54 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:54 2007: DEBUG: EAP TLS SSL_accept result: -1, 2,
> 8576
> Sat Dec 29 14:02:54 2007: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3406 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: "<143>ht<209><238><239><233>(H<6><200><134>7<11>"
> Attributes:
> EAP-Message =
> <1><3><4><10><25><192><0><0><7><186><22><3><1><0>J<2><0><0>F<3><1>Gv<1
> 81><254><184>_<226><223><218><162><159><188><241>3<0>lX<177>'<238>
> (<13><229>Q7<187>{&<150><254><163>G
> <142><217>7<15>z<250><194><167><128>Wke@;.<171>r<200>
> {bG<12><229><169><6><199><2><210><30>;\<164><0><10><0><22><3><1><7>]
> <11><0><7>Y<0><7>V<0><3><3>0<130><2><255>0<130><2>h<160><3><2><1><2><2
> ><9><0><208><227>h|<201>
> [<0><174>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<1
> 1>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18
> >0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certifi
> EAP-Message = cate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do
> not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30
> ><23><13>060404231320Z<23><13>080403231320Z0<129><158>1<11>0<9><6><3>U
> <4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U
> <4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Section1%0#
> EAP-Message =
> <6><3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13><6><9
> >*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><12
> 9><129><0><176>Rk<222><248>e<193><194><2>wM<169>
> (<212>hQ<241>5<146>;<241>q<239><191>O<154><160>%
> <150><172>"<180>W<196><221><17>w~v<169><204><201>g;<150><216><198><30>
> f<163>"b<15><189><231><223><254>-t<231>/
> B<30>"@<226><180>7<135><231><245><174><222><232>`<160><21><138>w
> $<205>B<13><207><22><240>E<166>YAy<236>2!<241><1><30>>
> (W<137><25><211><17>C<224>A<187><157><232><222>V<156><14><239><141>F<1
> 93>v<18><25>Z|<207><213>u%
> W<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>
> +<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><
> 3><129><129><0>=U<184><192>!#q@<160><138><243>)
> EAP-Message = <212><217><226><7>$<147><203>]
> w<228>qD<19>`<186><133><210><144><8>Iy.<29>w<143><176><171><198><13>7_
> <14>V<9><3><181><29><130><148><192>w<197><157><6><196>K<186>rJ*<17><24
> 7><253><4><200><174><224>Ns<243><227>z<252><190>kfm<225><234><206><250
> ><4><252><21><19>u
> 9<225><208><200>&<226>7<250>iB`H=<217><207><207>i<180><173>c<21>C<212>
> <13>Ve<238><19><4>-0n<142>#<3><239><251><25>~<0><4>M0<130><4>I0<130><3
> ><178><160><3><2><1><2><2><9><0><208><227>h|<201>
> [<0><172>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<1
> 1>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18
> >0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4>
> EAP-Message = <11><19><24>Test Certificate Se
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3408 ....
> Code: Access-Request
> Identifier: 0
> Authentic: n<168>!-<214>L<230>4-H<180><2><20><231><172><177>
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><3><0><6><25><0>
> Message-Authenticator = |><145><188><16><140><215><195>yy,]G<4>=k
>
> Sat Dec 29 14:02:54 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:54 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with EAP: code 2, 3, 6
> Sat Dec 29 14:02:54 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:54 2007: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3408 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: n<168>!-<214>L<230>4-H<180><2><20><231><172><177>
> Attributes:
> EAP-Message = <1><4><3><192><25><0>ction1/0-<6><3>U<4><3><19>&OSC
> Test CA (do not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30
> ><23><13>060404231320Z<23><13>080403231320Z0<129><202>1<11>0<9><6><3>U
> <4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U
> <4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6>
> EAP-Message = <3>U<4><3><19>&OSC Test CA (do not use in production)
> 1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<12
> 9><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>
> 0<129><137><2><129><129><0><217><133><240>Q<185><135><212><238><223>D<
> 143><14><241><220><192><131><153>x.<141><213><28>6<229>p<204><202><140
> ><215>
> (<186>u<156><136><22><183> ;UM<143>u<166>E<235><221><18><9><201><186><
> 26><142><15><236><29>RxS<172><204><208><130>/
> I<12><155><7>&y=<247><132>'<252><164>t<149>`<19><147>#<27><200><10><19
> 6>K<252>!Yo<241>2e<155><8>i<190>-)<180>.<164>X-
> <232><30><22><12><29><239><150><5><189><31><249><224><0>zv<242><216>)<
> 187>c<246>Sl<227><2><3><1><0><1><163><130><1>30<130><1>/0<29><6><3>U
> EAP-Message = <29><14><4><22><4><20><252><4><246><5>
> \3<27><8>km<204><27><210>H<246>
> [<191>8<191><252>0<129><255><6><3>U<29>#<4><129><247>0<129><244><128><
> 20><252><4><246><5>\3<27><8>km<204><27><210>H<246>
> [<191>8<191><252><161><129><208><164><129><205>0<129><202>1<11>0<9><6>
> <3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6>
> <3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)
> 1 0<30><6><9>*<134>H<134><247><13><1><9>
> EAP-Message = <1><22><17>mikem at open.com.au<130><9><0><208><227>h|
> <201>
> [<0><172>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<1
> 34><247><13><1><1><4><5><0><3><129><129><0>YY<173>5?
> K<135><228>25<175>IJ<247><7>H<160>]
> <139><220><15><153>1<235><190><245><199><136><134>P<144><18>X<191>X<9>
> <153><140>)<11>`<183><239>N)Hew<181><177><135><218>}
> <252><216><210><134>a<167>K<249><172><210><214><223>!
> 4E<155><236><245><141><191><152>wN<224>&<29>&
> {<241><161>Kq<206><137><15>~<127><167><134>;<186><127>Mm<162>s<253><25
> 3>p<167>8<169><223><184><216><214><214><27><175><150><1><17>f<188><157
> >l<246><219><231>R<242>(n<225><197><22><3><1><0><4><14><0><0><0>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3410 ....
> Code: Access-Request
> Identifier: 0
> Authentic: <247><176><159>vp<28><224>j<151><130><210>s+'<18><227>
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message =
> <2><4><0><200><25><128><0><0><0><190><22><3><1><0><134><16><0><0><130>
> <0><128>=<18><168>*W<182><223><201><208>if5<26><205>-
> E<132><209>ZUF<157><22><237>w<171><222>v<211><156>vSS
> 5<191><152><246>c<5><165>p(<160>*<10><142>;<137><153><148><194>!
> <133>R<255><15><235><251><175>"<238>97O<248><240><16><248><136><128><3
> 1>Z<238><8><139><226>q<31><12><178><214><253>A<143><169><128><9>|
> 8<157>'A<242>s<22><19><214><231>v<26><197>P<193><229><166>s<212><174><
> 193><25><226>P<236><222><207>^<10><202>Bn
> ('<191><136><182><192>v<20><3><1><0><1><1><22><3><1><0>
> (\Kc<247><245><192>"<142>6<243>4<166><182>U<241>d1_}<166>
> (<240><134><156><5><4><243>S)<26><17><210>ov<148><153><187><232>$<233>
> Message-Authenticator = <197>j<242>Y<199><169>O<215>7,Bv<202>a$<249>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:54 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with EAP: code 2, 4, 200
> Sat Dec 29 14:02:54 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:54 2007: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Sat Dec 29 14:02:54 2007: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3410 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: <247><176><159>vp<28><224>j<151><130><210>s+'<18><227>
> Attributes:
> EAP-Message =
> <1><5><0>=<25><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>
> (<25><242>m<170>!t<224>d$Z<252><226><131><215><199>?
> `<199>7<221><139>n<254><21><182><238>7<211>w at 4<133><175>*w<161>*<214>9
> W
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3412 ....
> Code: Access-Request
> Identifier: 0
> Authentic: <28><145><1>\<19><182>3kUoi<169><254><1><183>y
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><5><0><6><25><0>
> Message-Authenticator =
> E<245><147>Z<146>Z<148>CAp4g<23><141><146><133>
>
> Sat Dec 29 14:02:54 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:54 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:54 2007: DEBUG: Handling with EAP: code 2, 5, 6
> Sat Dec 29 14:02:54 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:54 2007: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP Challenge
> Sat Dec 29 14:02:54 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3412 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: <28><145><1>\<19><182>3kUoi<169><254><1><183>y
> Attributes:
> EAP-Message =
> <1><6><0>#<25><0><23><3><1><0><24><218>Q<239>m<218><1><212><28><214><2
> 37><165>=<3><220><217><174><143><181>/~k<222><232>>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:55 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3414 ....
> Code: Access-Request
> Identifier: 0
> Authentic: j<208><243><133>4j<205>*<12><235><251><190><157><128>P<10>
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><6><0>+<25><0><23><3><1><0>
> dE<138><217>gl<146>xYb<207>+<250><21><14>A{<163><150><216>df at 3}
> (W<150><24><170><7><15>
> Message-Authenticator = (<0>><174><133>6n<180>W1<11><<186>e<149><17>
>
> Sat Dec 29 14:02:55 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:55 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with EAP: code 2, 6, 43
> Sat Dec 29 14:02:55 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:55 2007: DEBUG: EAP PEAP inner authentication
> request for anonymous
> Sat Dec 29 14:02:55 2007: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <150><170>12,<128>N{U<220>8TRV<201><177>
> Attributes:
> EAP-Message = <2><6><0><5><1>r2d2
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 192.168.2.1
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Calling-Station-Id = "001a70d45b78"
>
> Sat Dec 29 14:02:55 2007: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Sat Dec 29 14:02:55 2007: DEBUG: Deleting session for anonymous,
> 192.168.2.1, 55
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with EAP: code 2, 6, 5
> Sat Dec 29 14:02:55 2007: DEBUG: Response type 1
> Sat Dec 29 14:02:55 2007: DEBUG: EAP result: 3, EAP MSCHAP-V2
> Challenge
> Sat Dec 29 14:02:55 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> MSCHAP-V2 Challenge
> Sat Dec 29 14:02:55 2007: DEBUG: Access challenged for anonymous:
> EAP MSCHAP-V2 Challenge
> Sat Dec 29 14:02:55 2007: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Challenge
> Identifier: UNDEF
> Authentic: <150><170>12,<128>N{U<220>8TRV<201><177>
> Attributes:
> EAP-Message =
> <1><7><0><30><26><1><7><0><25><16><138>u<175><154>j<168>E<213><206>}
> 8<3><198><182><224><kale
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:55 2007: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Sat Dec 29 14:02:55 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP inner authentication redespatched to a Handler
> Sat Dec 29 14:02:55 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP inner authentication redespatched to a Handler
> Sat Dec 29 14:02:55 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3414 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: j<208><243><133>4j<205>*<12><235><251><190><157><128>P<10>
> Attributes:
> EAP-Message =
> <1><7><0>;<25><0><23><3><1><0>0<131><213><165>U<240><4>~<155>S><183><1
> 63>^<15>x8<187>4,<129><13>i<220>B<9>x0S<142><148>3<219>
> {<17><22><1><134>6<210><182><6><137><144>U<212><234><133><23>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:55 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3416 ....
> Code: Access-Request
> Identifier: 0
> Authentic: R<159><211><143><151>cm<149><195><139>4<5><150>,?<165>
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><7><0>[<25><0><23><3><1><0>P9<253><12>h%
> _<133><210><165><146><229>N<141>pE}
> <255>F3<133><159><14><26><194><128>Z~<148>m<245><216><18>Q<28><244><12
> 8>J\I/<233>C^Sq<230>D<139><231>e<165><254>_{%
> <19><171><10><20><236><238><129>6<218><192>'9<174><3><156>c<208><168><
> 166>8<25>r9<24>t
> Message-Authenticator = <225>i<25>,SV)<210>D<1>ST<250><151><174>3
>
> Sat Dec 29 14:02:55 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:55 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with EAP: code 2, 7, 91
> Sat Dec 29 14:02:55 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:55 2007: DEBUG: EAP PEAP inner authentication
> request for anonymous
> Sat Dec 29 14:02:55 2007: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: ><28><1><170><197><229>D@^<170>h<183><9><186><235><164>
> Attributes:
> EAP-Message = <2><7><0>;<26><2><7><0>:
> 1<205>V*,<8><31>Q<24>w:l<255><206><22><144><233><0><0><0><0><0><0><0><
> 0><17><211><201>X<201><175>V<179><244><29><171>y<161><209><235><158><1
> 68><166>^"<242><5><165><156><0>r2d2
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 192.168.2.1
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Calling-Station-Id = "001a70d45b78"
>
> Sat Dec 29 14:02:55 2007: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Sat Dec 29 14:02:55 2007: DEBUG: Deleting session for anonymous,
> 192.168.2.1, 55
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with EAP: code 2, 7, 59
> Sat Dec 29 14:02:55 2007: DEBUG: Response type 26
> Sat Dec 29 14:02:55 2007: DEBUG: Radius::AuthFILE looks for match
> with r2d2 [anonymous]
> Sat Dec 29 14:02:55 2007: DEBUG: Radius::AuthFILE ACCEPT: : r2d2
> [anonymous]
> Sat Dec 29 14:02:55 2007: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication failure
> Sat Dec 29 14:02:55 2007: DEBUG: AuthBy FILE result: REJECT, EAP
> MSCHAP-V2 Authentication failure
> Sat Dec 29 14:02:55 2007: INFO: Access rejected for anonymous: EAP
> MSCHAP-V2 Authentication failure
> Sat Dec 29 14:02:55 2007: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: ><28><1><170><197><229>D@^<170>h<183><9><186><235><164>
> Attributes:
> EAP-Message = <4><7><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Sat Dec 29 14:02:55 2007: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Sat Dec 29 14:02:55 2007: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP inner authentication redespatched to a Handler
> Sat Dec 29 14:02:55 2007: DEBUG: Access challenged for r2d2: EAP
> PEAP inner authentication redespatched to a Handler
> Sat Dec 29 14:02:55 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3416 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: R<159><211><143><151>cm<149><195><139>4<5><150>,?<165>
> Attributes:
> EAP-Message = <1><8><0>+<25><0><23><3><1><0> &;=
> [<20><161><224><208><160>mX<231><198><5>
> \m<11><195><229><209><0><228><20>~<129><224><148>W<140>.b
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Dec 29 14:02:55 2007: DEBUG: Packet dump:
> *** Received from 192.168.2.1 port 3418 ....
> Code: Access-Request
> Identifier: 0
> Authentic: <235>aS<135><190>*K5<148><221><245>y<204><10>Zc
> Attributes:
> User-Name = "r2d2"
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = "001a70ec5073"
> Calling-Station-Id = "001a70d45b78"
> NAS-Identifier = "001a70ec5073"
> NAS-Port = 55
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><8><0>
> +<25><0><23><3><1><0> :D96<175><12><25><246>d6<216>J<236>fo<152><176><
> 239><229><255>,{Sy<130><7>w<22>9<232>NX
> Message-Authenticator =
> <215>A<210><254><232>O<203><140><148><8><227>\-<224><17>
>
> Sat Dec 29 14:02:55 2007: DEBUG: Handling request with Handler ''
> Sat Dec 29 14:02:55 2007: DEBUG: Deleting session for r2d2,
> 192.168.2.1, 55
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with Radius::AuthFILE:
> Sat Dec 29 14:02:55 2007: DEBUG: Handling with EAP: code 2, 8, 43
> Sat Dec 29 14:02:55 2007: DEBUG: Response type 25
> Sat Dec 29 14:02:55 2007: DEBUG: EAP result: 1, PEAP Authentication
> Failure
> Sat Dec 29 14:02:55 2007: DEBUG: AuthBy FILE result: REJECT, PEAP
> Authentication Failure
> Sat Dec 29 14:02:55 2007: INFO: Access rejected for r2d2: PEAP
> Authentication Failure
> Sat Dec 29 14:02:55 2007: DEBUG: Packet dump:
> *** Sending to 192.168.2.1 port 3418 ....
> Code: Access-Reject
> Identifier: 0
> Authentic: <235>aS<135><190>*K5<148><221><245>y<204><10>Zc
> Attributes:
> EAP-Message = <4><8><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
> #
> # Uncomment the one you wish to use
> #
> #r2d2 User-Password = "adV1cespwd"
> #r2d2 User-Password = {NTHASH}7E27EAC953911661F8CE9CD888AE540B
> Service-Type = Framed-User
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list