[RADIATOR] Bridge Authentication Issue
Hugh Irvine
hugh at open.com.au
Tue Jul 15 18:39:02 CDT 2008
Hello Steve -
The problem appears to be with a bad certificate on the client end:
.....
Fri Jul 11 10:13:42 2008: ERR: EAP PEAP TLS Handshake unsuccessful: 2556: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 1, EAP PEAP TLS Handshake unsuccessful
Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS Handshake unsuccessful
Fri Jul 11 10:13:42 2008: INFO: Access rejected for testuser: EAP PEAP TLS Handshake unsuccessful
Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
*** Sending to 10.24.70.26 port 32770 ....
Code: Access-Reject
Identifier: 186
Authentic: <148><165><130><196>Rr58<155>%wZ<246><11>3<149>
Attributes:
Reply-Message = "Request Denied"
regards
Hugh
On 16 Jul 2008, at 04:47, Caporossi, Stephen G. wrote:
> Mike and Hugh,
>
> I am having issues with a Silex device and have been unable to
> determine what the problem is. Our Cisco Controller appears to
> show the device has authenticated but the security policy does not
> complete. I also opened a Cisco case but, since the controller logs
> show AAA failures, wanted to cover all my bases. Below are the
> config and Trace4 debugs. Silex is also looking into the issue.
>
> Thanks,
> Steve
>
> #Foreground
> #LogStdout
> LogDir c:\Program Files\Radiator\logs
> DbDir c:\Program Files\Radiator
> LogFile %L/%m%d%y.log
> DictionaryFile %D/dictionary
> PidFile %D/radiusd.pid
>
>
>
> AuthPort 1812
> AcctPort 1813
>
> Trace 3
>
> <Client 128.23.246.129>
> Identifier ppp
> Secret nosecret
> DupInterval 2
> NasType Cisco
> SNMPCommunity nosecret
> IgnoreAcctSignature 1
> </Client>
>
> <Client 128.23.36.1>
> Identifier vpn
> IdenticalClients 128.23.242.1
> Secret nosecret
> DupInterval 2
> NasType Cisco
> SNMPCommunity nosecret
> IgnoreAcctSignature 1
> </Client>
>
> <Client 128.23.203.203>
> Identifier hal
> Secret nosecret
> DupInterval 2
> NasType unknown
> IgnoreAcctSignature 1
> </Client>
>
> PreClientHook file:"%D/scripts/acct_adjustment.pl"
>
> <Client 10.24.70.11>
> IdenticalClients 10.24.70.12,10.24.70.21,10.24.70.22,10.24.70.31,10.24.70.32,10.24.70.41,10.24.70.42,10.24.70.13,10.24.70.14,10.24.70.23,10.24.70.24,10.24.70.15,10.24.70.16,10.24.70.25,10.24.70.26,10.24.238.41,10.24.238.42
> Secret nosecret
> Identifier airespace
> DupInterval 2
> NasType Cisco
> SNMPCommunity nosecret
> IgnoreAcctSignature 1
> </Client>
>
> #<Log FILE>
> # Identifier debugging
> # Trace 4
> # LogMicroseconds
> # Filename %L/%m%d%y.debug.log
> #</Log>
>
> <Handler Request-Type = Accounting-Request>
> AddToRequest Connect-Info=%{Client:Identifier},Ascend-Authen-Alias=%h
> StripFromRequest Class
> <AuthBy RADIUS>
> Host radacct.mdc.musc.edu
> Secret nosecret
> AcctPort 1813
> Retries 10
> AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.log.missed
> </AuthBy>
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <AuthBy INTERNAL>
> Identifier AcctStartStopOnly
> AcctStartResult ACCEPT
> AcctStopResult ACCEPT
> AcctAliveResult IGNORE
> </AuthBy>
>
> <Handler TunnelledByPEAP=1, Client-Identifier=airespace>
> AuthByPolicy ContinueUntilAccept
> RewriteUsername s/(.*)\\(.*)/$2/
> <AuthBy LSA>
> Domain clinlan
> #Group Domain Users
> #DomainController zulu
> EAPType MSCHAP-V2
> </AuthBy>
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
> PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>
> <Handler TunnelledByTTLS=1, Client-Identifier=airespace>
> AuthByPolicy ContinueUntilAccept
>
> # Strip realm if in MSN format
> RewriteUsername s/(.*)\\(.*)/$2/
>
> #AuthBy LDAPAuthentication
>
> <AuthBy LSA>
> Domain clinlan
> #Group Domain Users
> #DomainController zulu
> EAPType MSCHAP-V2
> </AuthBy>
>
> <AuthBy UNIX>
> GroupFilename %D/group
> # anonymous-PEAP must be in here:
> Filename %D/radauth_pass.wlan
> </AuthBy>
>
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
> PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/muscwep/i>
> AuthByPolicy ContinueUntilAccept
> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
> StripFromRequest Class
>
> <AuthBy FILE>
> Filename %D/users
> EAPType TTLS, PEAP
> EAPTLS_CAFile %D/certificates/production/ca-bundle.crt
> EAPTLS_CertificateFile %D/certificates/production/%h_ips.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/production/%h_ips.pem
> EAPTLS_PrivateKeyPassword nosecret
> EAPTLS_VerifyDepth 3
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 1
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
> PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/c3wep/i>
> AuthByPolicy ContinueUntilAccept
> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
> StripFromRequest Class
>
> <AuthBy FILE>
> Filename %D/users
> EAPType PEAP,TTLS
> EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
> EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
> EAPTLS_PrivateKeyPassword nosecret
> EAPTLS_VerifyDepth 3
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 1
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
> PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/muscsecure/i>
> AuthByPolicy ContinueUntilAccept
> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
> StripFromRequest Class
>
> <AuthBy FILE>
> Filename %D/users
> EAPType PEAP,TTLS
> EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
> EAPTLS_CertificateFile %D/certificates/production/%h.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
> EAPTLS_PrivateKeyPassword nosecret
> EAPTLS_VerifyDepth 3
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 1
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
>
> PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/devnet/i>
> AuthByPolicy ContinueUntilAccept
> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
> StripFromRequest Class
>
> <AuthBy FILE>
> Filename %D/users
> EAPType PEAP,TTLS
> EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
> EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
> EAPTLS_PrivateKeyPassword nosecret
> EAPTLS_VerifyDepth 3
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 1
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
>
> PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> <Handler Client-Identifier=airespace>
> AuthByPolicy ContinueUntilAccept
> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
> StripFromRequest Class
> <AuthBy UNIX>
> # anonymous-PEAP must be in here:
> GroupFilename %D/group
> Filename %D/radauth_pass.wlan
> NoEAP
> </AuthBy>
> </Handler>
>
> <Handler Client-Identifier=ppp>
> AuthByPolicy ContinueAlways
> #AuthByPolicy ContinueWhileIgnore # Default
> <AuthBy UNIX>
> GroupFilename %D/group
> Filename %D/radauth_pass.ppp
> </AuthBy>
> #syslog functions not available on win32
> #AuthLog authlogger
> # Log accounting to a detail file
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=vpn>
> AuthByPolicy ContinueAlways
> # AuthByPolicy ContinueWhileIgnore # Default
>
> AddToRequestIfNotExist Calling-Station-Id=%{Tunnel-Client-Endpoint}
>
> <AuthBy UNIX>
> GroupFilename %D/group
> Filename %D/radauth_pass.vpn
> </AuthBy>
>
> #syslog functions not available on win32
> #AuthLog authlogger
>
> # Log accounting to a detail file
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=hal>
> AuthByPolicy ContinueUntilAccept
> <AuthBy UNIX>
> GroupFilename %D/group
> Filename %D/passwd.nagios
> </AuthBy>
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code: Access-Request
> Identifier: 182
> Authentic: <17>z<206><5><223><224>_<158>'<178><225><185>z<20><137>+
> Attributes:
> User-Name = "testuser"
> Calling-Station-Id = "00-80-92-3B-3B-A2"
> Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
> NAS-Port = 29
> NAS-IP-Address = 10.24.70.26
> NAS-Identifier = "c2wism6"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 256
> EAP-Message = <2><19><0><13><1>testuser
> Message-Authenticator =
> <157><172><141><137><138>2<235><127><167>Q<163>qGa<254>i
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG: Deleting session for testuser,
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 19, 13, 1
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 1
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code: Access-Challenge
> Identifier: 182
> Authentic: <17>z<206><5><223><224>_<158>'<178><225><185>z<20><137>+
> Attributes:
> EAP-Message = <1><20><0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code: Access-Request
> Identifier: 183
> Authentic: <1><201>g6u<191>>/&<211><25><194><31><132>j<143>
> Attributes:
> User-Name = "testuser"
> Calling-Station-Id = "00-80-92-3B-3B-A2"
> Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
> NAS-Port = 29
> NAS-IP-Address = 10.24.70.26
> NAS-Identifier = "c2wism6"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 256
> EAP-Message = <2><20><0><<25><129><0><0><0>2<22><3><1><0>-
> <1><0><0>)<3><1>_<127><200><129><192><226><203>8<2><210><127>
> <4>v<201><220><176>INt-
> <178>Ap<221>L<221>V<220>ka<21><0><0><2><0><4><1><0>
> Message-Authenticator = Y<30><145><249><201><251>.<153>}
> Y<158><182><163><242>,<172>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG: Deleting session for testuser,
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 20, 60, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP TLS SSL_accept result: -1, 2,
> 8576
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code: Access-Challenge
> Identifier: 183
> Authentic: <1><201>g6u<191>>/&<211><25><194><31><132>j<143>
> Attributes:
> EAP-Message =
> <1><21><3><242><25><193><0><0><10>n<22><3><1><0>J<2><0><0>F<3><1>Hwj<1
> 50><5><238><246>(<163><25>8gQ<254><233>P<155>&<4>GS<27>:
> E<147>S6<239><136><166><156>
> h<193><211><190>;<193><231><144>#<188><195>w<15>/n<142>p<231><154>T9
> \[<170><15><175><162>
> {<195>X<21><10><0><4><0><22><3><1><10><17><11><0><10><13><0><10><10><0
> ><5><161>0<130><5><157>0<130><4><133><160><3><2><1><2><2><10>]
> <244>z<248><0><0><0><0>b<210>0<13><6><9>*<134>H<134><247><13><1><1><5>
> <5><0>0>1<21>0<19><6><10><9><146>&<137><147><242>,d<1><25><22><5>local
> 1<23>0<21><6><10><9><146>&<137><147><242>,d<1><25><22><7>clinlan1<12>0
> <10><6><3>U<4><3><19><3>DC10<30><23><13>080521171318Z<23><13>100521171
> 318Z0<129><152>1<11>0<9><6><3>U<4><6><19>
> EAP-Message = <2>US1<23>0<21><6><3>U<4><8><19><14>South
> Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1-0
> +<6><3>U<4><10><19>$Medical University of South
> Carolina1<16>0<14><6><3>U<4><11><19><7>OCIO-
> IS1<26>0<24><6><3>U<4><3><19><17>radauth4.musc.edu0<129><159>0<13><6><
> 9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><1
> 29><129><0><202>(<208>g$<252>;<137>Y<29><248>h<31><190><143><202>
> [<127>b<25>=<156><142><26><221>"<233><20>E<224><246><194><235><240><20
> 5><136><157><168>~Y>`<26><203><187>8<23>}<172><197><185>6%
> <215>M,<211><162><184><230><216>TW<226>N<187><204><131>2?
> (<150><18>&<220><240><4><208><147>!<144>*
> EAP-Message = Jb<235>6}<28>|
> <19>*<z<219><250><147><236><148>,<2><191>D<193>e<184><25><237>^<235><3
> ><131>K<0><240><178><227>s<196>8<10><169>Cv<190>I<246><252><185><2><3>
> <1><0><1><163><130><2><196>0<130><2><192>0<11><6><3>U<29><15><4><4><3>
> <2><5><160>0D<6><9>*<134>H<134><247><13><1><9><15><4>7050<14><6><8>*<1
> 34>H<134><247><13><3><2><2><2><0><128>0<14><6><8>*<134>H<134><247><13>
> <3><4><2><2><0><128>0<7><6><5>
> +<14><3><2><7>0<10><6><8>*<134>H<134><247><13><3><7>0<19><6><3>U<29>
> %<4><12>0<10><6><8>
> +<6><1><5><5><7><3><1>0<29><6><3>U<29><14><4><22><4><20>K<242><16><218
> >2<228>_Y<222><161>`-
> <128><130><234><254><235><232>CR0<31><6><3>U<29>#<4><24>0<22><128><20>
> <142><176><22>_
> \k<234>t<22><155><238><238>d<22>@<251>C<171><169><232>0<129><236><6><3
> >U<29><31><4><129><228>0<129><225>0<129><222><160><129><219><160><129>
> <216><134><129><168>
> EAP-Message = ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key%
> 20Services,CN=Services,CN=Configuration,DC=clinlan,DC=local?
> certificateRevocationList?base?objectClass=cRLDistributionPoint<134>
> +http://dc1.clinlan.local/CertEnroll/DC1.crl0<130><1><2><6><8>
> +<6><1><5><5><7><1><1><4><129><245>0<129><242>0<129><164><6><8>
> +<6><1><5><5><7>0<2><134><129><151>ld
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code: Access-Request
> Identifier: 184
> Authentic: <151><160>|<204>'h<135>)<181><241>!<189><140>T<17><130>
> Attributes:
> User-Name = "testuser"
> Calling-Station-Id = "00-80-92-3B-3B-A2"
> Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
> NAS-Port = 29
> NAS-IP-Address = 10.24.70.26
> NAS-Identifier = "c2wism6"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 256
> EAP-Message = <2><21><0><6><25><0>
> Message-Authenticator = <154><240><197><186>
> (<24>1hg<8>a<30><5><161><1><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG: Deleting session for testuser,
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 21, 6, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code: Access-Challenge
> Identifier: 184
> Authentic: <151><160>|<204>'h<135>)<181><241>!<189><140>T<17><130>
> Attributes:
> EAP-Message = <1><22><3><238><25>Aap:///
> CN=DC1,CN=AIA,CN=Public%20Key%
> 20Services,CN=Services,CN=Configuration,DC=clinlan,DC=local?
> cACertificate?base?objectClass=certificationAuthority0I<6><8>
> +<6><1><5><5><7>0<2><134>=http://dc1.clinlan.local/CertEnroll/
> dc1.clinlan.local_DC1.crt0!<6><9>
> +<6><1><4><1><130>7<20><2><4><20><30><18><0>W<0>e<0>b
> EAP-Message =
> <0>S<0>e<0>r<0>v<0>e<0>r0<13><6><9>*<134>H<134><247><13><1><1><5><5><0
> ><3><130><1><1><0>T<144><130><10><254><254>=<12><178>V<214>OA6<135><16
> 4><189><167><196><249><149>g<154><163><149><146><17>}
> <28>`^<139><166><178>S?sC(G<230>6y<249>?
> <25>@<176><7>4q<174><203><191>2D<170><203><231><18><17><15><1><195><20
> 8>ad<28><9><11>Ew<9><170><135><29>2<12><129>I<158><198><252><20><215>t
> <161>'<181><29>v(<161><155>)/i|
> <151><149><191>wM<209>,<26><223>B<19>Z*<164><145>]
> <254>_<188><202><13><11>j<190><15>aM@<247>%
> <188><236><155><163><187>.<186><5>F<208><181><222><5><138><213><242>Z(
> <217><176>0{<139>j<166><190><237>F<170>
> \u<21><175><232>CZ<6><148><193>_<245>$<170>>
> <156>O<187><222><193>Y2<201><243><129><165><207><200>E<253><240><181><
> 178>><173>V=<220>v<180>G<172>E'<15>c<14>ec<21>mQx<9><171>E%|
> q<2><148><1><15>
> EAP-Message = <15>gY<238><175>7rw<6><151><3><208>;<30>b6<24>
> \<129><195><225><161>j<211><150><132><131><166><176><171><133>H<128>s<
> 158><0><4>c0<130><4>_0<130><3>G<160><3><2><1><2><2><16>*<210><251><131
> >
> (<28>l<134>L<219><130><219>B<155><220>t0<13><6><9>*<134>H<134><247><13
> ><1><1><5><5><0>0>1<21>0<19><6><10><9><146>&<137><147><242>,d<1><25><2
> 2><5>local1<23>0<21><6><10><9><146>&<137><147><242>,d<1><25><22><7>cli
> nlan1<12>0<10><6><3>U<4><3><19><3>DC10<30><23><13>060110204917Z<23><13
> >160110205855Z0>1<21>0<19><6><10><9><146>&<137><147><242>,d<1><25><22>
> <5>local1<23>0<21><6><10><9><146>&<137><147><242>,d<1><25><22><7>clinl
> an1<12>0<10><6><3>U<4><3><19><3>DC10<130><1>"0<13><6><9>*
> EAP-Message =
> <134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><
> 130><1><1><0><176><1>a<213><134>S<191>~
> $<150>U<251>W<143><193><129><195><20>7A<171><7>nH<0>v<207><220>"<221><
> 164>M<4><234><232><151>I<216>
> \<153><205><217><25><215><146><229><194>Q<135><170><166><158><249><26>
> <5>n<6><139><251>HZ<204><230><186><235><175><212>`<180><178>
> {<197><170><251>vA<0>X<234><175><148><0>A<<10>E<170><214><202><7><246>
> <127><220>j<21>[<184>-
> <234>=<174>><252>&<189><215><173>=<1><245><185><227><181><136>U<255>V;
> <131>]<225>Nn<1>(<188> <249>R/
> <195><186><234>ORet=<204><240><227><0><8>q<6>2<11>b<22><3>S<156>B<167>
> <228><136><19><234><155>Ro0T<140><152><15>e<15><235>'<241>c<1>9<<164><
> 250><189> y<219><230><192><4><196><214>Q<162><211><27>IC*<212>
> \<242><156><200>=<27>3<0>
> $lL<192><152><3><150><254>F<149><30><242>c#U<246><207>9f0X
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code: Access-Request
> Identifier: 185
> Authentic: =<179><31>L<248>H<207><226>M0<165><194><145><210>g;
> Attributes:
> User-Name = "testuser"
> Calling-Station-Id = "00-80-92-3B-3B-A2"
> Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
> NAS-Port = 29
> NAS-IP-Address = 10.24.70.26
> NAS-Identifier = "c2wism6"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 256
> EAP-Message = <2><22><0><6><25><0>
> Message-Authenticator = <213><221>c<197>=c<206><255>|
> <190><158>E<210><129><137>:
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG: Deleting session for testuser,
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 22, 6, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code: Access-Challenge
> Identifier: 185
> Authentic: =<179><31>L<248>H<207><226>M0<165><194><145><210>g;
> Attributes:
> EAP-Message = <1><23><2><164><25><1><130><240>8
> \<188><236><27>vEL<212><161>F<31><210>eo<219><131>cr<190>a<254><131><2
> >4k<0>
> (<236><180><201><2><3><1><0><1><163><130><1>W0<130><1>S0<19><6><9>
> +<6><1><4><1><130>7<20><2><4><6><30><4><0>C<0>A0<11><6><3>U<29><15><4>
> <4><3><2><1><134>0<15><6><3>U<29><19><1><1><255><4><5>0<3><1><1><255>0
> <29><6><3>U<29><14><4><22><4><20><142><176><22>_
> \k<234>t<22><155><238><238>d<22>@<251>C<171><169><232>0<129><236><6><3
> >U<29><31><4><129><228>0<129><225>0<129><222><160><129><219><160><129>
> <216><134><129><168>ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key%
> 20Services,CN=Services,CN=Configuration,DC=clinl
> EAP-Message = an,DC=local?certificateRevocationList?base?
> objectClass=cRLDistributionPoint<134>+http://dc1.clinlan.local/
> CertEnroll/DC1.crl0<16><6><9>
> +<6><1><4><1><130>7<21><1><4><3><2><1><0>0<13><6><9>*<134>H<134><247><
> 13><1><1><5><5><0><3><130><1><1><0>W<140><171>;<255><163><28><7>j<178>
> F<163><201>X<143><237>l<4>*<Z<136><147><149>Q<234> <231><227>}
> <153><246><143>H<129><156>sn#<134>:<7>~<192><142>0<242>t
> $<224><171><166><25><171><211><187>z<127><232><250>6N<158><197>&Qgh<24
> 2><225><130><205><187><255><236>'<180><253><129>c<242>Xf.<157><16><3><
> 153>;<149><168><223><172>>U
> EAP-Message = v<185><8><161>
> $<192>5<225><248><224>Bb<143><31><217><1><249><15><230>q.dGE<211>
> \<15><179><24><127>,<249><185>"<200>Cd!
> <253>h<246><30><158><146><218><196><181>s<17>|
> 6<13><145><245>U<231>j<207><138>AZ*<224>-'<249><9><149><140>HT<148><20
> 2><7>xA<203><10>aC<127>QMw<166>@<232>F<23><129><167><178><21><3>N<157>
> <133>9<187><240><10>r<19>5<217><195>O<0><129>p}
> <167><176><206>s<27><192>}X<216>|N|<128>,<155>4?
> <230><169><188>g90<29><155>bS<28><207><135><6><162>u<167><204>S<196>9<
> 226>AX<233><222><13>m<211><197><231><163>?
> <22><3><1><0><4><14><0><0><0>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code: Access-Request
> Identifier: 186
> Authentic: <148><165><130><196>Rr58<155>%wZ<246><11>3<149>
> Attributes:
> User-Name = "testuser"
> Calling-Station-Id = "00-80-92-3B-3B-A2"
> Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
> NAS-Port = 29
> NAS-IP-Address = 10.24.70.26
> NAS-Identifier = "c2wism6"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 256
> EAP-Message =
> <2><23><0><17><25><129><0><0><0><7><21><3><1><0><2><2>*
> Message-Authenticator = <17>}<<146>)
> <212><251><11><26>,<227><152><219>L<193><207>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG: Deleting session for testuser,
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 23, 17, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
> Fri Jul 11 10:13:42 2008: ERR: EAP PEAP TLS Handshake unsuccessful: 2556: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 1, EAP PEAP TLS
> Handshake unsuccessful
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: REJECT, EAP
> PEAP TLS Handshake unsuccessful
> Fri Jul 11 10:13:42 2008: INFO: Access rejected for testuser: EAP
> PEAP TLS Handshake unsuccessful
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code: Access-Reject
> Identifier: 186
> Authentic: <148><165><130><196>Rr58<155>%wZ<246><11>3<149>
> Attributes:
> Reply-Message = "Request Denied"
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
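Added worked example (editor's code, not Hugh's, Steve's or Radiator's) that decodes the supplicant's last EAP-Message from the trace above, <2><23><0><17><25><129><0><0><0><7><21><3><1><0><2><2>*, into its EAP header, PEAP flags byte and TLS record. It shows why the OpenSSL text "SSL3_READ_BYTES:sslv3 alert bad certificate" points at the client end: the seven TLS bytes the Silex device sent are a fatal alert record (content type 21) with description 42, bad_certificate, so the supplicant rejected the certificate chain Radiator offered (radauth4.musc.edu issued by DC1) rather than Radiator rejecting the client. The two sample strings are copied from the packet dumps in the thread; the decoder for Radiator's <N> escape notation is my reading of that dump format and cannot distinguish a literal '<' followed by digits and '>' from an escape.

```python
"""Decode EAP-Message bytes from a Radiator trace-4 packet dump and name the
TLS record they carry. Editor's example for the list thread, not Radiator code."""
import re

# Constructed from the thread: the last EAP-Message the supplicant sent before
# Radiator logged "sslv3 alert bad certificate" (Access-Request id 186).
SAMPLE_ALERT = "<2><23><0><17><25><129><0><0><0><7><21><3><1><0><2><2>*"
# Constructed from the thread: a PEAP acknowledgement with no TLS data, sent
# by the supplicant between server certificate fragments (Access-Request id 184).
SAMPLE_ACK = "<2><21><0><6><25><0>"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# RFC 5246 section 7.2 alert descriptions (the subset that matters for certificate problems)
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}

# Radiator prints non-printable bytes as <decimal> and printable bytes literally.
ESCAPE = re.compile(r"<(\d{1,3})>")


def decode_radiator_dump(dump: str) -> bytes:
    """Turn Radiator's <N>-escaped dump text back into raw bytes (assumed format)."""
    out = bytearray()
    i = 0
    while i < len(dump):
        m = ESCAPE.match(dump, i)
        if m and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
            i = m.end()
        else:
            out.append(ord(dump[i]))   # literal printable byte, including a bare '<'
            i += 1
    return bytes(out)


def parse_eap_tls(raw: bytes) -> dict:
    """Parse the EAP header (RFC 3748) and the EAP-TLS/PEAP flags byte (RFC 5216)."""
    if len(raw) < 6:
        raise ValueError("too short for an EAP-TLS/PEAP message")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes decoded")
    eap_type, flags = raw[4], raw[5]
    if eap_type not in TLS_EAP_TYPES:
        raise ValueError(f"EAP type {eap_type} does not carry TLS")
    pos, tls_length = 6, None
    if flags & 0x80:                       # L bit: 4-byte total TLS length follows
        tls_length = int.from_bytes(raw[6:10], "big")
        pos = 10
    return {
        "code": EAP_CODES.get(code, code), "id": ident, "type": TLS_EAP_TYPES[eap_type],
        "more_fragments": bool(flags & 0x40), "start": bool(flags & 0x20),
        "version": flags & 0x07,           # PEAP/TTLS version bits (here PEAPv1)
        "tls_length": tls_length, "tls_data": raw[pos:],
    }


def parse_tls_record(tls: bytes) -> dict:
    """Parse one TLS record header and decode the body when it is an alert."""
    if len(tls) < 5:
        raise ValueError("too short for a TLS record")
    ctype, version = tls[0], (tls[1], tls[2])
    rec_len = int.from_bytes(tls[3:5], "big")
    body = tls[5:5 + rec_len]
    rec = {"content_type": TLS_CONTENT.get(ctype, ctype),
           "version": TLS_VERSIONS.get(version, f"{version[0]}.{version[1]}"),
           "length": rec_len}
    if ctype == 21 and len(body) >= 2:
        rec["alert_level"] = {1: "warning", 2: "fatal"}.get(body[0], body[0])
        rec["alert_code"] = body[1]
        rec["alert"] = TLS_ALERTS.get(body[1], "unknown")
    return rec


def classify(dump: str) -> str:
    """One-line verdict for an EAP-Message string taken from a Radiator packet dump."""
    eap = parse_eap_tls(decode_radiator_dump(dump))
    who = "supplicant" if eap["code"] == "Response" else "server"
    if not eap["tls_data"]:
        return f"{eap['type']} ack from {who} (id {eap['id']}): no TLS payload"
    rec = parse_tls_record(eap["tls_data"])
    if "alert" in rec:
        return (f"{rec['alert_level']} TLS alert {rec['alert']} ({rec['alert_code']}) "
                f"from {who} (id {eap['id']}, {rec['version']})")
    return f"TLS {rec['content_type']} record from {who} (id {eap['id']}, {rec['version']})"


if __name__ == "__main__":
    for sample in (SAMPLE_ACK, SAMPLE_ALERT):
        print(classify(sample))
```

Run as-is it prints the ack verdict followed by "fatal TLS alert bad_certificate (42) from supplicant (id 23, TLS 1.0)". A bad_certificate alert from the peer is what OpenSSL surfaces as SSL3_READ_BYTES:sslv3 alert bad certificate on the Radiator side, so the next checks belong on the Silex device: whether it trusts the DC1 issuing CA that signed radauth4.musc.edu and how it validates the server certificate. The validity window visible in the dumped certificate (080521171318Z to 100521171318Z) covers the trace date of Fri Jul 11 2008, so expiry is not the explanation.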