[RADIATOR] Bridge Authentication Issue

Hugh Irvine hugh at open.com.au
Tue Jul 15 18:39:02 CDT 2008


Hello Steve -

The problem appears to be with a bad certificate on the client end:

.....

Fri Jul 11 10:13:42 2008: ERR: EAP PEAP TLS Handshake unsuccessful: 2556: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 1, EAP PEAP TLS Handshake unsuccessful
Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS Handshake unsuccessful
Fri Jul 11 10:13:42 2008: INFO: Access rejected for testuser: EAP PEAP TLS Handshake unsuccessful
Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
*** Sending to 10.24.70.26 port 32770 ....
Code:       Access-Reject
Identifier: 186
Authentic:  <148><165><130><196>Rr58<155>%wZ<246><11>3<149>
Attributes:
         Reply-Message = "Request Denied"


regards

Hugh



On 16 Jul 2008, at 04:47, Caporossi, Stephen G. wrote:

> Mike and Hugh,
>
> I am having issues with a Silex device and have been unable to  
> determine what the problem is.  Our Cisco Controller appears to  
> show the device has authenticated but the security policy does not  
> complete. I also opened a Cisco case but, since the controller logs  
> show AAA failures, wanted to cover all my bases. Below are the  
> config and Trace4 debugs. Silex is also looking into the issue.
>
> Thanks,
> Steve
>
> #Foreground
> #LogStdout
> LogDir          c:\Program Files\Radiator\logs
> DbDir                   c:\Program Files\Radiator
> LogFile         %L/%m%d%y.log
> DictionaryFile  %D/dictionary
> PidFile         %D/radiusd.pid
>
>
>
> AuthPort 1812
> AcctPort 1813
>
> Trace            3
>
> <Client 128.23.246.129>
>         Identifier                       ppp
>         Secret                   nosecret
>         DupInterval                     2
>         NasType                 Cisco
>         SNMPCommunity           nosecret
>         IgnoreAcctSignature     1
> </Client>
>
> <Client 128.23.36.1>
>         Identifier                      vpn
>         IdenticalClients                128.23.242.1
>         Secret                  nosecret
>         DupInterval                     2
>         NasType                 Cisco
>         SNMPCommunity           nosecret
>         IgnoreAcctSignature     1
> </Client>
>
> <Client 128.23.203.203>
>         Identifier hal
>         Secret nosecret
>         DupInterval 2
>         NasType unknown
>         IgnoreAcctSignature 1
> </Client>
>
> PreClientHook file:"%D/scripts/acct_adjustment.pl"
>
> <Client 10.24.70.11>
>         IdenticalClients 10.24.70.12,10.24.70.21,10.24.70.22,10.24.70.31,10.24.70.32,10.24.70.41,10.24.70.42,10.24.70.13,10.24.70.14,10.24.70.23,10.24.70.24,10.24.70.15,10.24.70.16,10.24.70.25,10.24.70.26,10.24.238.41,10.24.238.42
>         Secret                  nosecret
>         Identifier                      airespace
>         DupInterval                     2
>         NasType                 Cisco
>         SNMPCommunity           nosecret
>         IgnoreAcctSignature      1
> </Client>
>
> #<Log FILE>
> #       Identifier debugging
> #       Trace 4
> #       LogMicroseconds
> #       Filename %L/%m%d%y.debug.log
> #</Log>
>
> <Handler Request-Type = Accounting-Request>
>         AddToRequest Connect-Info=%{Client:Identifier},Ascend-Authen-Alias=%h
>         StripFromRequest Class
>         <AuthBy RADIUS>
>                 Host radacct.mdc.musc.edu
>                 Secret nosecret
>                 AcctPort 1813
>                 Retries 10
>                 AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.log.missed
>         </AuthBy>
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <AuthBy INTERNAL>
>         Identifier                      AcctStartStopOnly
>         AcctStartResult                 ACCEPT
>         AcctStopResult                  ACCEPT
>         AcctAliveResult                 IGNORE
> </AuthBy>
>
> <Handler TunnelledByPEAP=1, Client-Identifier=airespace>
>         AuthByPolicy ContinueUntilAccept
>         RewriteUsername s/(.*)\\(.*)/$2/
>         <AuthBy LSA>
>                 Domain clinlan
>                 #Group Domain Users
>                 #DomainController zulu
>                 EAPType MSCHAP-V2
>         </AuthBy>
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>         PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>         PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>
> <Handler TunnelledByTTLS=1, Client-Identifier=airespace>
>         AuthByPolicy ContinueUntilAccept
>
>       # Strip realm if in MSN format
>       RewriteUsername s/(.*)\\(.*)/$2/
>
>         #AuthBy LDAPAuthentication
>
>         <AuthBy LSA>
>                 Domain clinlan
>                 #Group Domain Users
>                 #DomainController zulu
>                 EAPType MSCHAP-V2
>         </AuthBy>
>
>       <AuthBy UNIX>
>                 GroupFilename %D/group
>                 # anonymous-PEAP must be in here:
>                 Filename %D/radauth_pass.wlan
>         </AuthBy>
>
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>         PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>         PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/muscwep/i>
>         AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType TTLS, PEAP
>                 EAPTLS_CAFile %D/certificates/production/ca-bundle.crt
>                 EAPTLS_CertificateFile %D/certificates/production/%h_ips.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h_ips.pem
>                 EAPTLS_PrivateKeyPassword nosecret
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>         PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/c3wep/i>
>         AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,TTLS
>                 EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
>                 EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
>                 EAPTLS_PrivateKeyPassword nosecret
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>         PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/muscsecure/i>
>         AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,TTLS
>                 EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
>                 EAPTLS_CertificateFile %D/certificates/production/%h.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
>                 EAPTLS_PrivateKeyPassword nosecret
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>
>         PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=airespace,Called-Station-Id=/devnet/i>
>         AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,TTLS
>                 EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
>                 EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
>                 EAPTLS_PrivateKeyPassword nosecret
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>
>         PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> <Handler Client-Identifier=airespace>
>         AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>         <AuthBy UNIX>
>                 # anonymous-PEAP must be in here:
>                 GroupFilename %D/group
>                 Filename %D/radauth_pass.wlan
>                 NoEAP
>         </AuthBy>
> </Handler>
>
> <Handler Client-Identifier=ppp>
>         AuthByPolicy ContinueAlways
>         #AuthByPolicy ContinueWhileIgnore      # Default
>         <AuthBy UNIX>
>                 GroupFilename %D/group
>                 Filename %D/radauth_pass.ppp
>         </AuthBy>
>         #syslog functions not available on win32
>         #AuthLog authlogger
>         # Log accounting to a detail file
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=vpn>
>         AuthByPolicy ContinueAlways
>         # AuthByPolicy ContinueWhileIgnore      # Default
>
>         AddToRequestIfNotExist Calling-Station-Id=%{Tunnel-Client-Endpoint}
>
>         <AuthBy UNIX>
>                 GroupFilename %D/group
>                 Filename %D/radauth_pass.vpn
>         </AuthBy>
>
>         #syslog functions not available on win32
>         #AuthLog authlogger
>
>         # Log accounting to a detail file
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=hal>
>         AuthByPolicy ContinueUntilAccept
>         <AuthBy UNIX>
>                 GroupFilename %D/group
>                 Filename %D/passwd.nagios
>         </AuthBy>
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code:       Access-Request
> Identifier: 182
> Authentic:  <17>z<206><5><223><224>_<158>'<178><225><185>z<20><137>+
> Attributes:
>         User-Name = "testuser"
>         Calling-Station-Id = "00-80-92-3B-3B-A2"
>         Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
>         NAS-Port = 29
>         NAS-IP-Address = 10.24.70.26
>         NAS-Identifier = "c2wism6"
>         Airespace-WLAN-Id = 6
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 256
>         EAP-Message = <2><19><0><13><1>testuser
>         Message-Authenticator =  
> <157><172><141><137><138>2<235><127><167>Q<163>qGa<254>i
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =  
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler  
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG:  Deleting session for testuser,  
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 19, 13, 1
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 1
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:  
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code:       Access-Challenge
> Identifier: 182
> Authentic:  <17>z<206><5><223><224>_<158>'<178><225><185>z<20><137>+
> Attributes:
>         EAP-Message = <1><20><0><6><25>!
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code:       Access-Request
> Identifier: 183
> Authentic:  <1><201>g6u<191>>/&<211><25><194><31><132>j<143>
> Attributes:
>         User-Name = "testuser"
>         Calling-Station-Id = "00-80-92-3B-3B-A2"
>         Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
>         NAS-Port = 29
>         NAS-IP-Address = 10.24.70.26
>         NAS-Identifier = "c2wism6"
>         Airespace-WLAN-Id = 6
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 256
>         EAP-Message = <2><20><0><<25><129><0><0><0>2<22><3><1><0>- 
> <1><0><0>)<3><1>_<127><200><129><192><226><203>8<2><210><127>  
> <4>v<201><220><176>INt- 
> <178>Ap<221>L<221>V<220>ka<21><0><0><2><0><4><1><0>
>         Message-Authenticator = Y<30><145><249><201><251>.<153>} 
> Y<158><182><163><242>,<172>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =  
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler  
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG:  Deleting session for testuser,  
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 20, 60, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP TLS SSL_accept result: -1, 2,  
> 8576
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:  
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code:       Access-Challenge
> Identifier: 183
> Authentic:  <1><201>g6u<191>>/&<211><25><194><31><132>j<143>
> Attributes:
>         EAP-Message =  
> <1><21><3><242><25><193><0><0><10>n<22><3><1><0>J<2><0><0>F<3><1>Hwj<1 
> 50><5><238><246>(<163><25>8gQ<254><233>P<155>&<4>GS<27>:  
> E<147>S6<239><136><166><156>  
> h<193><211><190>;<193><231><144>#<188><195>w<15>/n<142>p<231><154>T9 
> \[<170><15><175><162> 
> {<195>X<21><10><0><4><0><22><3><1><10><17><11><0><10><13><0><10><10><0 
> ><5><161>0<130><5><157>0<130><4><133><160><3><2><1><2><2><10>] 
> <244>z<248><0><0><0><0>b<210>0<13><6><9>*<134>H<134><247><13><1><1><5> 
> <5><0>0>1<21>0<19><6><10><9><146>&<137><147><242>,d<1><25><22><5>local 
> 1<23>0<21><6><10><9><146>&<137><147><242>,d<1><25><22><7>clinlan1<12>0 
> <10><6><3>U<4><3><19><3>DC10<30><23><13>080521171318Z<23><13>100521171 
> 318Z0<129><152>1<11>0<9><6><3>U<4><6><19>
>         EAP-Message = <2>US1<23>0<21><6><3>U<4><8><19><14>South  
> Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1-0 
> +<6><3>U<4><10><19>$Medical University of South  
> Carolina1<16>0<14><6><3>U<4><11><19><7>OCIO- 
> IS1<26>0<24><6><3>U<4><3><19><17>radauth4.musc.edu0<129><159>0<13><6>< 
> 9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><1 
> 29><129><0><202>(<208>g$<252>;<137>Y<29><248>h<31><190><143><202> 
> [<127>b<25>=<156><142><26><221>"<233><20>E<224><246><194><235><240><20 
> 5><136><157><168>~Y>`<26><203><187>8<23>}<172><197><185>6% 
> <215>M,<211><162><184><230><216>TW<226>N<187><204><131>2? 
> (<150><18>&<220><240><4><208><147>!<144>*
>         EAP-Message = Jb<235>6}<28>| 
> <19>*<z<219><250><147><236><148>,<2><191>D<193>e<184><25><237>^<235><3 
> ><131>K<0><240><178><227>s<196>8<10><169>Cv<190>I<246><252><185><2><3> 
> <1><0><1><163><130><2><196>0<130><2><192>0<11><6><3>U<29><15><4><4><3> 
> <2><5><160>0D<6><9>*<134>H<134><247><13><1><9><15><4>7050<14><6><8>*<1 
> 34>H<134><247><13><3><2><2><2><0><128>0<14><6><8>*<134>H<134><247><13> 
> <3><4><2><2><0><128>0<7><6><5> 
> +<14><3><2><7>0<10><6><8>*<134>H<134><247><13><3><7>0<19><6><3>U<29> 
> %<4><12>0<10><6><8> 
> +<6><1><5><5><7><3><1>0<29><6><3>U<29><14><4><22><4><20>K<242><16><218 
> >2<228>_Y<222><161>`- 
> <128><130><234><254><235><232>CR0<31><6><3>U<29>#<4><24>0<22><128><20> 
> <142><176><22>_ 
> \k<234>t<22><155><238><238>d<22>@<251>C<171><169><232>0<129><236><6><3 
> >U<29><31><4><129><228>0<129><225>0<129><222><160><129><219><160><129> 
> <216><134><129><168>
>         EAP-Message = ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key% 
> 20Services,CN=Services,CN=Configuration,DC=clinlan,DC=local? 
> certificateRevocationList?base?objectClass=cRLDistributionPoint<134> 
> +http://dc1.clinlan.local/CertEnroll/DC1.crl0<130><1><2><6><8> 
> +<6><1><5><5><7><1><1><4><129><245>0<129><242>0<129><164><6><8> 
> +<6><1><5><5><7>0<2><134><129><151>ld
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code:       Access-Request
> Identifier: 184
> Authentic:  <151><160>|<204>'h<135>)<181><241>!<189><140>T<17><130>
> Attributes:
>         User-Name = "testuser"
>         Calling-Station-Id = "00-80-92-3B-3B-A2"
>         Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
>         NAS-Port = 29
>         NAS-IP-Address = 10.24.70.26
>         NAS-Identifier = "c2wism6"
>         Airespace-WLAN-Id = 6
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 256
>         EAP-Message = <2><21><0><6><25><0>
>         Message-Authenticator = <154><240><197><186> 
> (<24>1hg<8>a<30><5><161><1><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =  
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler  
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG:  Deleting session for testuser,  
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 21, 6, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:  
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code:       Access-Challenge
> Identifier: 184
> Authentic:  <151><160>|<204>'h<135>)<181><241>!<189><140>T<17><130>
> Attributes:
>         EAP-Message = <1><22><3><238><25>Aap:/// 
> CN=DC1,CN=AIA,CN=Public%20Key% 
> 20Services,CN=Services,CN=Configuration,DC=clinlan,DC=local? 
> cACertificate?base?objectClass=certificationAuthority0I<6><8> 
> +<6><1><5><5><7>0<2><134>=http://dc1.clinlan.local/CertEnroll/ 
> dc1.clinlan.local_DC1.crt0!<6><9> 
> +<6><1><4><1><130>7<20><2><4><20><30><18><0>W<0>e<0>b
>         EAP-Message =  
> <0>S<0>e<0>r<0>v<0>e<0>r0<13><6><9>*<134>H<134><247><13><1><1><5><5><0 
> ><3><130><1><1><0>T<144><130><10><254><254>=<12><178>V<214>OA6<135><16 
> 4><189><167><196><249><149>g<154><163><149><146><17>} 
> <28>`^<139><166><178>S?sC(G<230>6y<249>? 
> <25>@<176><7>4q<174><203><191>2D<170><203><231><18><17><15><1><195><20 
> 8>ad<28><9><11>Ew<9><170><135><29>2<12><129>I<158><198><252><20><215>t 
> <161>'<181><29>v(<161><155>)/i| 
> <151><149><191>wM<209>,<26><223>B<19>Z*<164><145>] 
> <254>_<188><202><13><11>j<190><15>aM@<247>% 
> <188><236><155><163><187>.<186><5>F<208><181><222><5><138><213><242>Z( 
> <217><176>0{<139>j<166><190><237>F<170> 
> \u<21><175><232>CZ<6><148><193>_<245>$<170>>  
> <156>O<187><222><193>Y2<201><243><129><165><207><200>E<253><240><181>< 
> 178>><173>V=<220>v<180>G<172>E'<15>c<14>ec<21>mQx<9><171>E%| 
> q<2><148><1><15>
>         EAP-Message = <15>gY<238><175>7rw<6><151><3><208>;<30>b6<24> 
> \<129><195><225><161>j<211><150><132><131><166><176><171><133>H<128>s< 
> 158><0><4>c0<130><4>_0<130><3>G<160><3><2><1><2><2><16>*<210><251><131 
> > 
> (<28>l<134>L<219><130><219>B<155><220>t0<13><6><9>*<134>H<134><247><13 
> ><1><1><5><5><0>0>1<21>0<19><6><10><9><146>&<137><147><242>,d<1><25><2 
> 2><5>local1<23>0<21><6><10><9><146>&<137><147><242>,d<1><25><22><7>cli 
> nlan1<12>0<10><6><3>U<4><3><19><3>DC10<30><23><13>060110204917Z<23><13 
> >160110205855Z0>1<21>0<19><6><10><9><146>&<137><147><242>,d<1><25><22> 
> <5>local1<23>0<21><6><10><9><146>&<137><147><242>,d<1><25><22><7>clinl 
> an1<12>0<10><6><3>U<4><3><19><3>DC10<130><1>"0<13><6><9>*
>         EAP-Message =  
> <134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2>< 
> 130><1><1><0><176><1>a<213><134>S<191>~ 
> $<150>U<251>W<143><193><129><195><20>7A<171><7>nH<0>v<207><220>"<221>< 
> 164>M<4><234><232><151>I<216> 
> \<153><205><217><25><215><146><229><194>Q<135><170><166><158><249><26> 
> <5>n<6><139><251>HZ<204><230><186><235><175><212>`<180><178> 
> {<197><170><251>vA<0>X<234><175><148><0>A<<10>E<170><214><202><7><246> 
> <127><220>j<21>[<184>- 
> <234>=<174>><252>&<189><215><173>=<1><245><185><227><181><136>U<255>V; 
> <131>]<225>Nn<1>(<188> <249>R/ 
> <195><186><234>ORet=<204><240><227><0><8>q<6>2<11>b<22><3>S<156>B<167> 
> <228><136><19><234><155>Ro0T<140><152><15>e<15><235>'<241>c<1>9<<164>< 
> 250><189> y<219><230><192><4><196><214>Q<162><211><27>IC*<212> 
> \<242><156><200>=<27>3<0> 
> $lL<192><152><3><150><254>F<149><30><242>c#U<246><207>9f0X
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code:       Access-Request
> Identifier: 185
> Authentic:  =<179><31>L<248>H<207><226>M0<165><194><145><210>g;
> Attributes:
>         User-Name = "testuser"
>         Calling-Station-Id = "00-80-92-3B-3B-A2"
>         Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
>         NAS-Port = 29
>         NAS-IP-Address = 10.24.70.26
>         NAS-Identifier = "c2wism6"
>         Airespace-WLAN-Id = 6
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 256
>         EAP-Message = <2><22><0><6><25><0>
>         Message-Authenticator = <213><221>c<197>=c<206><255>| 
> <190><158>E<210><129><137>:
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =  
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler  
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG:  Deleting session for testuser,  
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 22, 6, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP  
> PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Access challenged for testuser:  
> EAP PEAP Challenge
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code:       Access-Challenge
> Identifier: 185
> Authentic:  =<179><31>L<248>H<207><226>M0<165><194><145><210>g;
> Attributes:
>         EAP-Message = <1><23><2><164><25><1><130><240>8 
> \<188><236><27>vEL<212><161>F<31><210>eo<219><131>cr<190>a<254><131><2 
> >4k<0> 
> (<236><180><201><2><3><1><0><1><163><130><1>W0<130><1>S0<19><6><9> 
> +<6><1><4><1><130>7<20><2><4><6><30><4><0>C<0>A0<11><6><3>U<29><15><4> 
> <4><3><2><1><134>0<15><6><3>U<29><19><1><1><255><4><5>0<3><1><1><255>0 
> <29><6><3>U<29><14><4><22><4><20><142><176><22>_ 
> \k<234>t<22><155><238><238>d<22>@<251>C<171><169><232>0<129><236><6><3 
> >U<29><31><4><129><228>0<129><225>0<129><222><160><129><219><160><129> 
> <216><134><129><168>ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key% 
> 20Services,CN=Services,CN=Configuration,DC=clinl
>         EAP-Message = an,DC=local?certificateRevocationList?base? 
> objectClass=cRLDistributionPoint<134>+http://dc1.clinlan.local/ 
> CertEnroll/DC1.crl0<16><6><9> 
> +<6><1><4><1><130>7<21><1><4><3><2><1><0>0<13><6><9>*<134>H<134><247>< 
> 13><1><1><5><5><0><3><130><1><1><0>W<140><171>;<255><163><28><7>j<178> 
> F<163><201>X<143><237>l<4>*<Z<136><147><149>Q<234> <231><227>} 
> <153><246><143>H<129><156>sn#<134>:<7>~<192><142>0<242>t 
> $<224><171><166><25><171><211><187>z<127><232><250>6N<158><197>&Qgh<24 
> 2><225><130><205><187><255><236>'<180><253><129>c<242>Xf.<157><16><3>< 
> 153>;<149><168><223><172>>U
>         EAP-Message = v<185><8><161> 
> $<192>5<225><248><224>Bb<143><31><217><1><249><15><230>q.dGE<211> 
> \<15><179><24><127>,<249><185>"<200>Cd! 
> <253>h<246><30><158><146><218><196><181>s<17>| 
> 6<13><145><245>U<231>j<207><138>AZ*<224>-'<249><9><149><140>HT<148><20 
> 2><7>xA<203><10>aC<127>QMw<166>@<232>F<23><129><167><178><21><3>N<157> 
> <133>9<187><240><10>r<19>5<217><195>O<0><129>p} 
> <167><176><206>s<27><192>}X<216>|N|<128>,<155>4? 
> <230><169><188>g90<29><155>bS<28><207><135><6><162>u<167><204>S<196>9< 
> 226>AX<233><222><13>m<211><197><231><163>? 
> <22><3><1><0><4><14><0><0><0>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Received from 10.24.70.26 port 32770 ....
> Code:       Access-Request
> Identifier: 186
> Authentic:  <148><165><130><196>Rr58<155>%wZ<246><11>3<149>
> Attributes:
>         User-Name = "testuser"
>         Calling-Station-Id = "00-80-92-3B-3B-A2"
>         Called-Station-Id = "00-1D-A2-83-D0-E0:devnet"
>         NAS-Port = 29
>         NAS-IP-Address = 10.24.70.26
>         NAS-Identifier = "c2wism6"
>         Airespace-WLAN-Id = 6
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 256
>         EAP-Message =  
> <2><23><0><17><25><129><0><0><0><7><21><3><1><0><2><2>*
>         Message-Authenticator = <17>}<<146>) 
> <212><251><11><26>,<227><152><219>L<193><207>
>
> Fri Jul 11 10:13:42 2008: DEBUG: Calling-Station-Id = 0080.923b.3ba2
> Fri Jul 11 10:13:42 2008: DEBUG: Called-Station-Id =  
> 001d.a283.d0e0:devnet
> Fri Jul 11 10:13:42 2008: DEBUG: Handling request with Handler  
> 'Client-Identifier=airespace,Called-Station-Id=/devnet/i'
> Fri Jul 11 10:13:42 2008: DEBUG:  Deleting session for testuser,  
> 10.24.70.26, 29
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 10:13:42 2008: DEBUG: Handling with EAP: code 2, 23, 17, 25
> Fri Jul 11 10:13:42 2008: DEBUG: Response type 25
> Fri Jul 11 10:13:42 2008: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
> Fri Jul 11 10:13:42 2008: ERR: EAP PEAP TLS Handshake unsuccessful: 2556: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> Fri Jul 11 10:13:42 2008: DEBUG: EAP result: 1, EAP PEAP TLS  
> Handshake unsuccessful
> Fri Jul 11 10:13:42 2008: DEBUG: AuthBy FILE result: REJECT, EAP  
> PEAP TLS Handshake unsuccessful
> Fri Jul 11 10:13:42 2008: INFO: Access rejected for testuser: EAP  
> PEAP TLS Handshake unsuccessful
> Fri Jul 11 10:13:42 2008: DEBUG: Packet dump:
> *** Sending to 10.24.70.26 port 32770 ....
> Code:       Access-Reject
> Identifier: 186
> Authentic:  <148><165><130><196>Rr58<155>%wZ<246><11>3<149>
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
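The last client EAP-Message in the trace above, <2><23><0><17><25><129><0><0><0><7><21><3><1><0><2><2>*, is a TLS alert record that the supplicant sent to Radiator. That is why OpenSSL reports it from SSL3_READ_BYTES: the server received the alert rather than generating it, which is consistent with the diagnosis that the client side refused the certificate chain Radiator presented (radauth4.musc.edu issued by the DC1 CA, visible in the earlier Access-Challenge packets). The script below is an added example, not part of this thread and not Radiator code: it converts Radiator's packet-dump notation back into bytes, parses the EAP header, the PEAP flags byte and the TLS record, and names the alert. The dump strings are copied from the trace; the EAP and TLS code-point tables are from the relevant RFCs (3748, 5216, 2246); everything else is the example's own.

```python
import re
import struct

# EAP-Message values copied from the Radiator trace in this thread, in Radiator's
# packet-dump notation (non-printable bytes as <decimal>, printable bytes literal).
SERVER_PEAP_START = "<1><20><0><6><25>!"
CLIENT_IDENTITY = "<2><19><0><13><1>testuser"
CLIENT_PEAP_ACK = "<2><21><0><6><25><0>"
CLIENT_TLS_ALERT = "<2><23><0><17><25><129><0><0><0><7><21><3><1><0><2><2>*"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
# TLS alert descriptions (RFC 2246 / RFC 5246); the certificate-related ones matter here.
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}

_TOKEN = re.compile(r"<(\d{1,3})>")


def radiator_dump_to_bytes(text):
    """Turn Radiator's <n> notation back into raw bytes.

    A literal '<' immediately followed by digits and '>' is ambiguous in this
    notation; it is read as a byte value here, which is the usual case.
    """
    out = bytearray()
    pos = 0
    for m in _TOKEN.finditer(text):
        value = int(m.group(1))
        if value > 255:          # not a byte token; keep the characters literally
            continue
        out.extend(text[pos:m.start()].encode("latin-1"))
        out.append(value)
        pos = m.end()
    out.extend(text[pos:].encode("latin-1"))
    return bytes(out)


def parse_tls_records(data):
    """Split a TLS byte stream into records and decode any alert records."""
    records = []
    while len(data) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
        payload = data[5:5 + rlen]
        rec = {"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
               "version": f"{major}.{minor}", "length": rlen}
        if ctype == 21 and len(payload) >= 2:
            rec["alert_level"] = TLS_ALERT_LEVELS.get(payload[0], payload[0])
            rec["alert_code"] = payload[1]
            rec["alert_description"] = TLS_ALERT_DESCRIPTIONS.get(payload[1], payload[1])
        records.append(rec)
        data = data[5 + rlen:]
    return records


def parse_eap_tls_body(body):
    """Decode the EAP-TLS/PEAP flags byte (L, M, S bits, PEAP version) and TLS data."""
    flags = body[0]
    info = {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20),
            "peap_version": flags & 0x07}
    data = body[1:]
    if flags & 0x80:             # 4-byte total TLS message length follows the flags
        info["tls_total_length"] = struct.unpack("!I", data[:4])[0]
        data = data[4:]
    info["tls_records"] = parse_tls_records(data)
    return info


def parse_eap(dump):
    """Parse one EAP-Message attribute value as printed by Radiator."""
    packet = radiator_dump_to_bytes(dump)
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != {len(packet)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):           # Request/Response carry a type byte
        eap_type = packet[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = packet[5:].decode("utf-8", "replace")
        elif eap_type in (13, 21, 25):
            info.update(parse_eap_tls_body(packet[5:]))
    return info


def explain(dump):
    """One-line reading of an EAP-Message, flagging any TLS alert sent by the peer."""
    info = parse_eap(dump)
    head = f"{info['code']} id={info['id']}"
    for rec in info.get("tls_records", []):
        if rec["content_type"] == "alert":
            return (f"{head}: {rec['alert_level']} TLS alert "
                    f"{rec['alert_description']} ({rec['alert_code']}) sent by the peer")
    if info.get("start"):
        return f"{head}: {info['type']} Start, version {info['peap_version']}"
    if "identity" in info:
        return f"{head}: Identity {info['identity']!r}"
    return f"{head}: {info.get('type')} with {len(info.get('tls_records', []))} TLS record(s)"


if __name__ == "__main__":
    for dump in (SERVER_PEAP_START, CLIENT_IDENTITY, CLIENT_PEAP_ACK, CLIENT_TLS_ALERT):
        print(explain(dump))
```

Run against the four dumps it reports the PEAP Start from the server (version 1, matching EAPTLS_PEAPVersion 1 in the config), the Identity response for testuser, the empty PEAP ACK, and finally "fatal TLS alert bad_certificate (42) sent by the peer". Reading the alert from the trace this way separates a certificate the supplicant rejects (alert arrives from the client, as here) from a certificate Radiator itself fails to load or verify (errors appear before any alert is read).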



