(RADIATOR) LDAP to AD and PEAP problems

Gavin Norman gavin.norman at europcar.com.au
Thu Jun 21 23:56:39 CDT 2007


We've managed to have our Radius server authenticate off our Active
Directory infrastructure, even with group memberships. You will find our
original posts at
http://www.nabble.com/forum/ViewPost.jtp?post=10354268&framed=y

We're using the LDAP2 module. Here is the AuthBy context:

<AuthBy LDAP2>
        Identifier AuthByLDAP

        #Debug 255

        # LDAP bind
        Host dc.mydomain.com.au
        HoldServerConnection
        Timeout 4
        # 3268 is the AD global catalogue port; a plain domain controller listens on 389
        Port 3268
        AuthDN cn=Service Account,cn=Users,dc=my,dc=domain,dc=com,dc=au
        AuthPassword servicepass

        # The client authentication: Radiator binds to AD as the user, so only PAP can be verified
        ServerChecksPassword
        UsernameAttr sAMAccountName
        BaseDN ou=All Users,dc=my,dc=domain,dc=com,dc=au
        # Copy the attributes returned by the search into the request so the hook can act on memberOf
        AuthAttrDef sAMAccountName,GENERIC,request
        AuthAttrDef memberOf,GENERIC,request
        PostSearchHook file:"%D/hooks/ldap_groups.pl"
</AuthBy>

Hope this helps.

Gavin Norman
Helpdesk Administrator
 
Europcar Asia-Pacific
157 Mickleham Rd
Tullamarine, VIC, 3043
Australia
Ph: 61 3 8336 6669
Mobile: 61 4 1061 2058
Email: gavin.norman at europcar.com.au
www.europcar.com.au
 
  

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Friday, 22 June 2007 11:37 AM
To: Jethro R Binks; Michael Harlow
Cc: Radiator list
Subject: Re: (RADIATOR) LDAP to AD and PEAP problems


Hello Jethro, Hello Michael -

Jethro is correct - you can only use PAP with ServerChecksPassword against AD.

Your best option is to run Radiator on Windows and use the AuthBy LSA clause.

See section 5.51 in the Radiator 3.17.1 reference manual ("doc/ref.html").

regards

Hugh


On 21 Jun 2007, at 22:39, Jethro R Binks wrote:

> On Thu, 21 Jun 2007, Michael Harlow wrote:
>
>> I'd like to use LDAP to get Radiator (on Unix) to authenticate users against
>> the AD. So I've set up a test network, a TunneledByPEAP handler, and binding
>> details for AD.
>>
>> I can get as far as searching for a user in the AD, getting back a list of
>> attributes, but none are a password.
>
> As I understand it, you cannot retrieve and view the LDAP attribute that
> represents the password, although I gather that the attribute is actually
> called "unicodePwd", although I gather it can be altered.
>
> These may have some hints:
>
> http://www.dataflake.org/tracker/issue_00475
> http://geekswithblogs.net/lance/archive/2005/08/19/LdapAuthenticationASP.aspx
>
>> There is no attempt to bind as the user to check the password. It makes no
>> difference if I have the ServerChecksPassword option or not.
>
> Our setup is similar to yours.  We are using the ServerChecksPassword
> option to bind to AD to check the password is correct.
>
> Comparing your LDAP configuration with ours, the only significant
> difference I can see is:
>
> SearchFilter    (&(%0=%1)(objectClass=organizationalPerson))
>
> I also have this note:
>
> # If the server is not a global catalogue server, use normal LDAP port 389.
> # Otherwise, use GCat port 3268
>
> However, we are using plain PAP, not MSCHAPv2 ...
>
>> Can anyone work out what is going wrong? Can I do PEAP-MSCHAPv2 against
>> AD via LDAP? I don't want to use the samba method, or install onto
>> Windows yet. I'd like to be able to extract other things (groups,
>> reply-items) via the LDAP later.
>
> As I vaguely remember this, it cannot be done (outwith running Radiator on
> Windows which has access to the Windows APIs).  In order to authenticate
> with MSCHAPv2, the password needs to be available at both ends (AD end,
> and Radius end).  Since the Radius server on Unix cannot obtain the
> password, it doesn't work.  Gotta rush now, sorry, but this is documented
> somewhere, maybe or maybe not in the Radiator docs.  I'm sure Google will
> know the detail.
>
> Jethro.
>
>>
>>
>> Regards, Michael
>>
>>
>>
>> ################################
>>
>>
>> <Handler Called-Station-Id=/:UANA-ITR-Testing$/>
>>         PreProcessingHook file:"/etc/radiator/utas_eap_anon_hook.pl"
>>         PostAuthHook file:"/etc/radiator/utas_eap_anon_hook.pl"
>>         <AuthBy LDAP2>
>>                 Debug 255
>>                 SSLeayTrace 4
>>                 NoDefault
>>                 EAPType PEAP
>>                 Host XXXXXXXXX  <-- I don't think this gets called, a typo makes no difference
>>                 AuthDN  cn=XXXXX, ou=accounts, dc=XXXXXX
>>                 AuthPassword XXXXXXXX
>>
>>                 BaseDN ou=people, dc=XXXXXXXXX
>>                 Scope sub
>>                 UsernameAttr cn
>>                 PasswordAttr userPassword
>>
>>                 ServerChecksPassword
>>                 # NoBindBeforeOp
>>                 Version 3
>>
>>                 # Location and startup information for EAP/TTLS certificates
>>                 EAPTLS_CAFile /etc/radiator/cacert.pem
>>                 EAPTLS_CertificateFile /etc/radiator/radius.crt
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_PrivateKeyFile /etc/radiator/radius.key
>>                 EAPTLS_PrivateKeyPassword XXXXXXXXXXXXXXXX
>>                 EAPTLS_MaxFragmentSize 1200
>>                 #EAPTLS_SessionResumption no
>>                 EAPTLS_NoCheckId
>>                 EAPTLS_PEAPVersion 1
>>                 EAPTLS_PEAPBrokenV1Label
>>                 AutoMPPEKeys
>>
>>         </AuthBy>
>> </Handler>
>>
>>
>> <Handler TunnelledByPEAP=1>
>> #        RewriteUsername s/(.*)\\(.*)/$2/
>>         PreProcessingHook file:"/etc/radiator/utas_eap_anon_hook.pl"
>>         PostAuthHook file:"/etc/radiator/utas_eap_anon_hook.pl"
>>         <AuthBy LDAP2>
>>                 Debug 255
>>                 SSLeayTrace 4
>>                 NoDefault
>>                 # This tells the PEAP client what types of inner EAP requests
>>                 # we will honour
>>                 EAPType MSCHAP-V2
>>                 Host XXXXXXXXXXXX
>>                 AuthDN cn=XXXXX,ou=Accounts,dc=XXXXXXXXXX
>>                 AuthPassword XXXXXXXXX
>>                 BaseDN ou=people, dc=XXXXXXXXXX
>>                 Scope sub
>>                 UsernameAttr cn
>>                 PasswordAttr userPassword
>>                 ServerChecksPassword
>>                 # NoBindBeforeOp
>>                 Version 3
>>         </AuthBy>
>> </Handler>
>>
>>
>>
>> #####################################################################
>> Debug output, there are about 6 RADIUS packets before this one, setting up
>> the PEAP tunnel, handshaking, mutual trust etc (I think).
>>
>>
>> Code:       Access-Request
>> Identifier: 192
>> Authentic:  <174><10><245><211>I03<159>q<255>|<12><204><219><249>S
>> Attributes:
>>         User-Name = "roamingouter"   <-- My outer ID
>>         Calling-Station-Id = "00-19-D2-D6-6A-72"  <-- My laptop Mac
>>         Called-Station-Id = "00-1A-30-30-72-C0:UANA-ITR-Testing"   <-- AP Mac via WiSM, and SSID
>>         NAS-Port = 29  <-- Always seems to be 29 !
>>         NAS-IP-Address = 172.31.3.3  <-- WiSM IP
>>         NAS-Identifier = "WismB2"
>>         Airespace-WLAN-Id = 4
>>         Service-Type = Framed-User
>>         Framed-MTU = 1300
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Tunnel-Type = 0:VLAN
>>         Tunnel-Medium-Type = 0:802
>>         Tunnel-Private-Group-ID = 2005
>>         EAP-Message = <2><6><0>P<25><1><23><3><1><0>
>> <163>k<146>[;?t<171><146><166><162>7C^d<171>?3<29>Hdq<252><178>? 
>> <<167><176>C
>> P<209><175><23><3><1><0>
>> <152><207>%&Nv<248><243>?<136><205><174>D<150>9 
>> (<252><8><206><10><228><251><
>> 0>C<7><171>$W<172>h<26>O
>>         Message-Authenticator =
>> 5f<133><198><254><19>V<8>]<160><212><197>F2<160><26>
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler 'Called-Station-Id=/:UANA-ITR-Testing$/'
>> Thu Jun 21 12:07:33 2007: DEBUG:  Deleting session for roamingouter, 172.31.3.3, 29
>> Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.3.3' and NASPORT=029':
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 6, 80
>> Thu Jun 21 12:07:33 2007: DEBUG: Response type 25
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP PEAP inner authentication request for anonymous
>> Thu Jun 21 12:07:33 2007: DEBUG: PEAP Tunnelled request Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  ;<4>9Z<28><25><25>J'<236><211><241>E<29><<235>
>> Attributes:
>>         EAP-Message = <2><0><0><9><1>mike
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         User-Name = "anonymous"
>>         NAS-IP-Address = 172.31.3.3
>>         NAS-Identifier = "WismB2"
>>         NAS-Port = 29
>>         Calling-Station-Id = "00-19-D2-D6-6A-72"
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
>> Thu Jun 21 12:07:33 2007: DEBUG:  Deleting session for anonymous, 172.31.3.3, 29
>> Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.3.3' and NASPORT=029':
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 0, 9
>> Thu Jun 21 12:07:33 2007: DEBUG: Response type 1
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
>> Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP-V2 Challenge
>> Thu Jun 21 12:07:33 2007: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
>> Thu Jun 21 12:07:33 2007: DEBUG: Returned PEAP tunnelled packet dump:
>> Code:       Access-Challenge
>> Identifier: UNDEF
>> Authentic:  ;<4>9Z<28><25><25>J'<236><211><241>E<29><<235>
>> Attributes:
>>         EAP-Message =
>> <1><1><0>0<26><1><1><0>+<16><238><161><147>/ 
>> N<182>R<255><192><134>Z<170>A<19
>> 0><204><16>hadmar.its.utas.edu.au
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
>> Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
>> Thu Jun 21 12:07:33 2007: DEBUG: Access challenged for roamingouter: EAP PEAP inner authentication redespatched to a Handler
>> Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
>> *** Sending to 172.31.3.3 port 32770 ....
>>
>> Packet length = 131
>> [SNIP]
>> Code:       Access-Challenge
>> Identifier: 192
>> Authentic:  <174><10><245><211>I03<159>q<255>|<12><204><219><249>S
>> Attributes:
>>         EAP-Message =
>> <1><7><0> 
>> [<25><1><23><3><1><0>P<5>xJ<195><8><177><9><31><196><253>g<132><14>
>> <144>;j/ 
>> i<4><4><27>'<176><213>m<14><132>l<220>6<208><231><212>_q<129>&Ei<137>G<252><1><137><26>n<133><139><227><217><29><207><140>9?
>> ~~<207>O<5><137><161>1<254>"Y<25><158>!<179><140>q<174><201><139><228>4<156>]m
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
>> *** Received from 172.31.3.3 port 32770 ....
>>
>> Packet length = 321
>> [SNIP]
>> Code:       Access-Request
>> Identifier: 193
>> Authentic:  <135>R/<195><12><144><23>OVQ'<148><19><229>}V
>> Attributes:
>>         User-Name = "roamingouter"
>>         Calling-Station-Id = "00-19-D2-D6-6A-72"
>>         Called-Station-Id = "00-1A-30-30-72-C0:UANA-ITR-Testing"
>>         NAS-Port = 29
>>         NAS-IP-Address = 172.31.3.3
>>         NAS-Identifier = "WismB2"
>>         Airespace-WLAN-Id = 4
>>         Service-Type = Framed-User
>>         Framed-MTU = 1300
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Tunnel-Type = 0:VLAN
>>         Tunnel-Medium-Type = 0:802
>>         Tunnel-Private-Group-ID = 2005
>>         EAP-Message = <2><7><0><144><25><1><23><3><1><0>
>> <176>J^<237>e<224><224>&W<20><187><184><248>v<201><254><188>6<191>! 
>> <197><226
>> <194><171><251><28>C<174><181><192><157>*<23><3><1><0>`<231><22>X<18><147><206><185><0>x<9> _ at 6<221>,
>> <213><196>+*N<Uf<130><2>HT<201><183><25><6><205><153><16>t} 
>> z<164><243>$<227>
>> ? 
>> <150>Lo<182><212><200><1><252>2<223><163>k<206><224><180><183>c<188><152><195>tp_<158><229><235><8><254><231><196>K.z<174>!
>> <252>&<7>C<219><11><169><16>
>> ,<26>T<173>;`<167><243>b
>>         Message-Authenticator =
>> <137><225><197><197><161><219><190><252><187><247><233><236><12><138><4><246>
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler 'Called-Station-Id=/:UANA-ITR-Testing$/'
>> Thu Jun 21 12:07:33 2007: DEBUG:  Deleting session for roamingouter, 172.31.3.3, 29
>> Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.3.3' and NASPORT=029':
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 7, 144
>> Thu Jun 21 12:07:33 2007: DEBUG: Response type 25
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP PEAP inner authentication request for anonymous
>> Thu Jun 21 12:07:33 2007: DEBUG: PEAP Tunnelled request Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  I<20><249>C<161><219><198>ii4<137><255>uWr<233>
>> Attributes:
>>         EAP-Message =
>> <2><1><0>?<26><2><1><0>: 
>> 1<197><251><180><233>K<151><12>t',d<26><196>Z<240><1
>> 74><0><0><0><0><0><0><0><0><199>z<153><14> 
>> \<192><209><0><197><197><242><233>
>> <199>L<134><0><213><234><189><219>)<135>+<21><0>mike
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         User-Name = "anonymous"
>>         NAS-IP-Address = 172.31.3.3
>>         NAS-Identifier = "WismB2"
>>         NAS-Port = 29
>>         Calling-Station-Id = "00-19-D2-D6-6A-72"
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
>> Thu Jun 21 12:07:33 2007: DEBUG:  Deleting session for anonymous, 172.31.3.3, 29
>> Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.3.3' and NASPORT=029':
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 1, 63
>> Thu Jun 21 12:07:33 2007: DEBUG: Response type 26
>> Thu Jun 21 12:07:33 2007: INFO: Connecting to XXX:389
>> Thu Jun 21 12:07:33 2007: INFO: Attempting to bind to LDAP server XXX:389
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got result for CN=mike,OU=Staff,OU=People,DC=xxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectClass: top person organizationalPerson user
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got cn: mike
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sn: Harlow
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got description: staff_group xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got givenName: Michael
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got initials: xx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got distinguishedName: CN=mike,OU=Staff,OU=People,DC=xxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got instanceType: 4
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got whenCreated: xxxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got whenChanged: xxxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got displayName: Michael Harlow
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got uSNCreated: xxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got memberOf: CN=xxxxx CN=yyyy CN=zzzz CN=wwwwwww
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got uSNChanged: xxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got name: mike
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectGUID: xxxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got userAccountControl: xxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got badPwdCount: 0
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got codePage: 0
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got countryCode: 0
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got badPasswordTime: xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got lastLogoff: 0
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got lastLogon: xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got pwdLastSet: xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got primaryGroupID: xxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectSid: xxxxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got accountExpires: xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got logonCount: 1
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sAMAccountName: mike
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sAMAccountType: xxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got userPrincipalName: mike at xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got dSCorePropagationData: xxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: LDAP got lastLogonTimestamp: xxxxxxxxxxxx
>> Thu Jun 21 12:07:33 2007: DEBUG: Radius::AuthLDAP2 looks for match with mike [anonymous]
>> Thu Jun 21 12:07:33 2007: DEBUG: Radius::AuthLDAP2 ACCEPT: : mike [anonymous]
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>> Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
>> Thu Jun 21 12:07:33 2007: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>> Thu Jun 21 12:07:33 2007: DEBUG: Returned PEAP tunnelled packet dump:
>> Code:       Access-Reject
>> Identifier: UNDEF
>> Authentic:  I<20><249>C<161><219><198>ii4<137><255>uWr<233>
>> Attributes:
>>         EAP-Message = <4><1><0><4>
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         Reply-Message = "Request Denied"
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
>> Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
>> Thu Jun 21 12:07:33 2007: DEBUG: Access challenged for roamingouter: EAP PEAP inner authentication redespatched to a Handler
>> Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
>> *** Sending to 172.31.3.3 port 32770 ....
>>
>> Packet length = 83
>> [SNIP]
>> Code:       Access-Challenge
>> Identifier: 193
>> Authentic:  <135>R/<195><12><144><23>OVQ'<148><19><229>}V
>> Attributes:
>>         EAP-Message = <1><8><0>+<25><1><23><3><1><0>
>> <27>k<132><16>} 
>> +<144>Ch<245>A<183><220><208><227><18><162><185>x<144><219><1
>> 95><202><148><171><176>`<166>h<159><255>:
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
>> *** Received from 172.31.3.3 port 32770 ....
>>
>> Packet length = 257
>> [SNIP]
>> Code:       Access-Request
>> Identifier: 194
>> Authentic:  <145><157><185>u/<214>.B<197><166><228><<30><212><216>.
>> Attributes:
>>         User-Name = "roamingouter"
>>         Calling-Station-Id = "00-19-D2-D6-6A-72"
>>         Called-Station-Id = "00-1A-30-30-72-C0:UANA-ITR-Testing"
>>         NAS-Port = 29
>>         NAS-IP-Address = 172.31.3.3
>>         NAS-Identifier = "WismB2"
>>         Airespace-WLAN-Id = 4
>>         Service-Type = Framed-User
>>         Framed-MTU = 1300
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Tunnel-Type = 0:VLAN
>>         Tunnel-Medium-Type = 0:802
>>         Tunnel-Private-Group-ID = 2005
>>         EAP-Message = <2><8><0>P<25><1><23><3><1><0>
>> i<217><233><19>]<193>@<25><145><161><162>x<160>:<27><194> 
>> \<137>s<171><189><1
>> 46><186><7>K<183><155>'<183><225><152><200><23><3><1><0>
>> P8fv<24>MNLvF<15><215>^<199><14><226><147><227><196><17>;"<218>&L<134>R<5><198><20><156><244>
>>         Message-Authenticator =
>> %<177>`<174><237>r:$>)<18><183><31><165><175><233>
>>
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler 'Called-Station-Id=/:UANA-ITR-Testing$/'
>> Thu Jun 21 12:07:33 2007: DEBUG:  Deleting session for roamingouter, 172.31.3.3, 29
>> Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.3.3' and NASPORT=029':
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
>> Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 8, 80
>> Thu Jun 21 12:07:33 2007: DEBUG: Response type 25
>> Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 1, PEAP Authentication Failure
>> Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: REJECT, PEAP Authentication Failure
>> Thu Jun 21 12:07:33 2007: INFO: Access rejected for roamingouter: PEAP Authentication Failure
>> Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
>> *** Sending to 172.31.3.3 port 32770 ....
>>
>> Packet length = 60
>> [SNIP]
>> Code:       Access-Reject
>> Identifier: 194
>> Authentic:  <145><157><185>u/<214>.B<197><166><228><<30><212><216>.
>> Attributes:
>>         EAP-Message = <4><8><0><4>
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         Reply-Message = "Request Denied"
>>
>>
>> --------------------------------------------
>> Michael Harlow                Private Bag 69
>> Network Engineer        Hobart Tasmania 7001
>> IT Resources                Ph  03 6226 1812
>> University of Tasmania      Mob 0438 26 1812
>> Michael.Harlow at utas.edu.au  Fx  03 6226 7171
>> --------------------------------------------
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
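As an added illustration of the trace and explanation quoted above (this is not code from the thread or from Radiator): a small Python parser that splits a Radiator trace-4 log into per-request records, follows the PEAP outer/inner nesting, and reports the symptom Michael hit, where AuthBy LDAP2 finds the user but no password attribute comes back, so the EAP-MSCHAP-V2 response cannot be checked. The sample lines are constructed to mirror the quoted trace; `RequestTrace`, `parse_trace` and `diagnose` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RequestTrace:
    handler: str
    eap_type: Optional[int] = None       # 1 = Identity, 25 = PEAP, 26 = EAP-MSCHAP-V2
    ldap_user_found: bool = False        # "Radius::AuthLDAP2 ACCEPT" seen for this request
    ldap_attrs: List[str] = field(default_factory=list)   # attributes the search returned
    result: Optional[str] = None         # ACCEPT / REJECT / CHALLENGE from AuthBy LDAP2
    reason: str = ""

HANDLER_RE = re.compile(r"Handling request with Handler '([^']+)'")
EAPTYPE_RE = re.compile(r"Response type (\d+)")
LDAPATTR_RE = re.compile(r"LDAP got (\w+):")
RESULT_RE = re.compile(r"AuthBy LDAP2 result: (ACCEPT|REJECT|CHALLENGE),\s*(.*)")

def parse_trace(text: str) -> List[RequestTrace]:
    """Split a trace-4 log into per-request records. A PEAP inner request is
    nested: it starts after "PEAP Tunnelled request Packet dump" and the outer
    request's own result line only appears after the inner result line."""
    requests: List[RequestTrace] = []
    stack: List[RequestTrace] = []       # [outer] or [outer, inner]
    inner_pending = False
    for line in text.splitlines():
        if m := HANDLER_RE.search(line):
            req = RequestTrace(handler=m.group(1))
            stack = stack + [req] if inner_pending else [req]
            requests.append(req)
            inner_pending = False
        elif not stack:
            continue                     # noise before the first request
        elif "PEAP Tunnelled request Packet dump" in line:
            inner_pending = True
        elif m := EAPTYPE_RE.search(line):
            stack[-1].eap_type = int(m.group(1))
        elif m := LDAPATTR_RE.search(line):
            stack[-1].ldap_attrs.append(m.group(1))
        elif "Radius::AuthLDAP2 ACCEPT" in line:
            stack[-1].ldap_user_found = True
        elif m := RESULT_RE.search(line):
            stack[-1].result, stack[-1].reason = m.group(1), m.group(2).strip()
            if len(stack) > 1:
                stack.pop()              # inner request finished; back to the outer one
    return requests

def diagnose(req: RequestTrace, password_attr: str = "userPassword") -> str:
    """Apply the thread's conclusion to an inner EAP-MSCHAP-V2 reject."""
    if req.eap_type != 26 or req.result != "REJECT":
        return "no MSCHAP-V2 problem in this request"
    if req.ldap_user_found and password_attr not in req.ldap_attrs:
        return (f"user found but '{password_attr}' not returned by LDAP: a bind "
                "(ServerChecksPassword) only verifies PAP; MSCHAP-V2 needs the "
                "password or NT hash on the RADIUS side (e.g. AuthBy LSA on Windows)")
    return "MSCHAP-V2 rejected for another reason: " + req.reason

# Constructed sample modelled on the trace quoted in this thread (not a verbatim copy).
P = "Thu Jun 21 12:07:33 2007: DEBUG: "
SAMPLE_TRACE = "\n".join([
    P + "Handling request with Handler 'Called-Station-Id=/:UANA-ITR-Testing$/'",
    P + "Response type 25",
    P + "PEAP Tunnelled request Packet dump:",
    P + "Handling request with Handler 'TunnelledByPEAP=1'",
    P + "Response type 26",
    P + "LDAP got result for CN=mike,OU=Staff,OU=People,DC=example",
    P + "LDAP got objectClass: top person organizationalPerson user",
    P + "LDAP got sAMAccountName: mike",
    P + "Radius::AuthLDAP2 ACCEPT: : mike [anonymous]",
    P + "AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure",
    P + "AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler",
])
```

Run `diagnose()` over each record from `parse_trace(SAMPLE_TRACE)`; the inner `TunnelledByPEAP=1` request is the one flagged, while the outer PEAP request correctly reports no MSCHAP-V2 problem.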


