[RADIATOR] Set Realm
Hugh Irvine
hugh at open.com.au
Tue Dec 15 19:04:40 CST 2009
Hello Zod -
I did not say to use a PreAuthHook.
I did say to use a PreHandlerHook in the outer AuthBy clause.
.....
<Handler Called-Station-Id = /rltechops/>
<AuthBy FILE>
EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
EAPTLS_CAFile %D/cert/cacert.pem
EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
EAPTLS_PrivateKeyFile %D/cert/radius.key
EAPTLS_CertificateType PEM
EAPAnonymous %0 at RLTECHOPS
AutoMPPEKeys
PreHandlerHook .......
# If you want to disable rltechops comment out above and uncomment below
# <AuthBy INTERNAL>
# DefaultResult Reject
# </AuthBy>
</AuthBy>
</Handler>
.....
regards
Hugh
On 16 Dec 2009, at 09:38, Zod Mansour wrote:
>
> On Dec 15, 2009, at 11:55 AM, Hugh Irvine wrote:
>
>>
>> Hello Zod -
>>
>> The Realm is the "@some.suffix" part of a username.
>>
>> You just need to get the User-Name attribute, add the suffix and put it back in the packet:
>>
>> .....
>> my $username = $p->get_attr('User-Name');
>>
>> $username = ......;
>>
>> $p->changeUserName($username);
>>
>> .....
>>
>> regards
>>
>> Hugh
>>
>
> I changed the config to include the preauthhook. I see the username changed per what you had recommended. I still see that the inner handler is not being chosen correctly. I have tacked on @RLTECHOPS, so I am expecting the inner handler with that qualifier to be chosen. But its not:
>
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>
> #Foreground
> #LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 4
>
> #RewriteUsername s/(.*)\\(.*)/$1/
> # Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35
>
> <Client 10.10.19.35>
> Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ
> DupInterval 10
> # Identifier rlwlc1
> </Client>
>
> <Handler Called-Station-Id = /rlwireless/>
> # RewriteUsername s/(.*)\@(.*)/$1\@RLWIRELESS/
> RewriteUsername s/(.*)/$1\@RLWIRELESS/
> <AuthBy FILE>
> EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
> EAPTLS_CAFile %D/cert/cacert.pem
> EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
> EAPTLS_PrivateKeyFile %D/cert/radius.key
> EAPTLS_CertificateType PEM
> AutoMPPEKeys
> </AuthBy>
> </Handler>
> <Handler Called-Station-Id = /rltechops/>
> # RewriteUsername s/(.*)\\(.*)/$2/
> # RewriteUsername s/(.*)\@(.*)/$1\@RLTECHOPS/
> # RewriteUsername s/(.*)/$1\@RLTECHOPS/
> PreAuthHook sub { my $p=${$_[0]};my $username=$p->get_attr('User-Name'); $username = $username . "\@RLTECHOPS"; $p->changeUserName($username); }
> <AuthBy FILE>
> EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
> EAPTLS_CAFile %D/cert/cacert.pem
> EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
> EAPTLS_PrivateKeyFile %D/cert/radius.key
> EAPTLS_CertificateType PEM
> EAPAnonymous %0 at RLTECHOPS
> AutoMPPEKeys
>
> # If you want to disable rltechops comment out above and uncomment below
> # <AuthBy INTERNAL>
> # DefaultResult Reject
> # </AuthBy>
> </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1, Realm=RLTECHOPS>
> # RewriteUsername s/(.*)\\(.*)/$2/
> RewriteUsername s/(.*)\@(.*)/$1/
> <AuthBy LDAP2>
> Debug 255
> ServerChecksPassword
> NoDefault
> Host localhost
> Port 389
> BaseDN dc=domain,dc=com
> # see /etc/openldap/slapd.conf
> AuthDN cn=Manager, dc=domain, dc=com
> AuthPassword xxxxxx
> UsernameAttr uid
> PasswordAttr userPassword
> # AuthAttrDef destinationIndicator, groupID, request
> # SearchFilter (&(%0=%1) (destinationIndicator=techops))
> # SearchFilter (&(%0=%1) (shadowMax=99998))
> # SearchFilter (&(%0=%1) (gidNumber=1030))
> AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,Tunnel-Type = 0:VLAN,Tunnel-Medium-Type = 0:802,Tunnel-Private-Group-ID = 30
> </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> RewriteUsername s/(.*)\\(.*)/$2/
> RewriteUsername s/(.*)\@(.*)/$1/
> <AuthBy LDAP2>
> Debug 255
> ServerChecksPassword
> NoDefault
> Host localhost
> Port 389
> BaseDN dc=domain,dc=com
> # see /etc/openldap/slapd.conf
> AuthDN cn=Manager, dc=domain, dc=com
> AuthPassword xxxxxx
> UsernameAttr uid
> PasswordAttr userPassword
> AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,Tunnel-Type = 0:VLAN,Tunnel-Medium-Type = 0:802,Tunnel-Private-Group-ID = 28
> AutoMPPEKeys
> </AuthBy>
> </Handler>
>
>
>
>
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 83
> Authentic: <132><229>r#t<178><168><24><31><175><216><143><146>mc<214>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><4><0><6><21><0>
> Message-Authenticator = s<244><254>f at _\<216>O<193>D<160><232>l<245><199>
>
> Tue Dec 15 14:24:41 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:41 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:41 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:41 2009: DEBUG: Handling with EAP: code 2, 4, 6, 21
> Tue Dec 15 14:24:41 2009: DEBUG: Response type 21
> Tue Dec 15 14:24:41 2009: DEBUG: EAP result: 2, EAP TTLS Nothing to read or write
> Tue Dec 15 14:24:41 2009: DEBUG: AuthBy FILE result: IGNORE, EAP TTLS Nothing to read or write
> Tue Dec 15 14:24:43 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 83
> Authentic: <132><229>r#t<178><168><24><31><175><216><143><146>mc<214>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><4><0><6><21><0>
> Message-Authenticator = s<244><254>f at _\<216>O<193>D<160><232>l<245><199>
>
> Tue Dec 15 14:24:43 2009: INFO: Duplicate request id 83 received from 10.10.19.35(32769): ignored
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 84
> Authentic: `<254>[X<179><(<204>o.Ll<235><242><184><176>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><1><0><20><1>zod
> Message-Authenticator = +<144>36<154><132><135>pB<194>V<146><158><202><163><251>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:45 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with EAP: code 2, 1, 20, 1
> Tue Dec 15 14:24:45 2009: DEBUG: Response type 1
> Tue Dec 15 14:24:45 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Access challenged for zod at RLTECHOPS: EAP PEAP Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Challenge
> Identifier: 84
> Authentic: <163>p<7><19>F<246><209>J<159>*<139><135>P<185><199><159>
> Attributes:
> EAP-Message = <1><2><0><6><25>!
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 85
> Authentic: <166>`[<187>7<242><252><13><244><254><191>@WD<142><134>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><2><0><6><3><21>
> Message-Authenticator = _<150>%<227>/<12><152>kNMM<182>Y<158>]<155>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:45 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with EAP: code 2, 2, 6, 3
> Tue Dec 15 14:24:45 2009: DEBUG: Response type 3
> Tue Dec 15 14:24:45 2009: INFO: EAP Nak desires type 21
> Tue Dec 15 14:24:45 2009: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Access challenged for zod at RLTECHOPS: EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Challenge
> Identifier: 85
> Authentic: <223><28>*<13>>}vH<247>O<195><174><199>g<27><159>
> Attributes:
> EAP-Message = <1><3><0><6><21>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 86
> Authentic: <162><166><204><254><230><191>p<250>8<198><203><28><176><198><243><216>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><3><0>p<21><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>K(<12><207>b<213><167>=<164>x<164><195>+<131>XK<255>Buq<199>g<214><149><202><16><160><251><202><233><203><17><0><0>6<0>9<0>8<0>5<0><22><0><19><0><10><0>3<0>2<0>/<0><7><0>f<0><5><0><4><0>c<0>b<0>a<0><21><0><18><0><9><0>e<0>d<0>`<0><20><0><17><0><8><0><6><0><3><1><0>
> Message-Authenticator = <137><214>4<170>!<165>S.%<255><162>Z<152><2><244><250>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:45 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with EAP: code 2, 3, 112, 21
> Tue Dec 15 14:24:45 2009: DEBUG: Response type 21
> Tue Dec 15 14:24:45 2009: DEBUG: EAP TTLS data, 24576, 3, -1
> Tue Dec 15 14:24:45 2009: DEBUG: EAP TTLS SSL_accept result: -1, 2, 8576
> Tue Dec 15 14:24:45 2009: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Access challenged for zod at RLTECHOPS: EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Challenge
> Identifier: 86
> Authentic: <232>h<226><23>2)[<160>;J&<175>G<238>D)
> Attributes:
> EAP-Message = <1><4><5><30><21><192><0><0><12><131><22><3><1><0>J<2><0><0>F<3><1>K(<12><173><28><185>Y><253><193>~+Ba<147>S<158><170><137><199>hK<29><178>@<194><179>d(<26><214><132> s<194><245><0>9<152><29>:<148><227><9>#g<144><199>I<134><163><161><139><182><233><170><127><250>" <183><210>\<198>(<0>5<0><22><3><1><12>&<11><0><12>"<0><12><31><0><6>P0<130><6>L0<130><4>4<160><3><2><1><2><2><1><15>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><152>1<26>0<24><6><3>U<4><3><19><17>Reach Local, Inc.1<30>0<28><6><3>U<4><10><19><21>Certificate Authority1<11>0<9><6><3>U<4><6><19><2>US1<19>0<17><6><3>U<4><8><19><10>California1<20>0<18><6><3>U<4><7><19><11>Los Angele
> EAP-Message = s1"0 <6><9>*<134>H<134><247><13><1><9><1><22><19>root at mydomain.com0<30><23><13>091103190303Z<23><13>101103190303Z0<129><162>1!0<31><6><3>U<4><3><19><24>admin2.wh.mydomain.com1<26>0<24><6><3>U<4><10><19><17>Reach Local, Inc.1<11>0<9><6><3>U<4><6><19><2>US1<19>0<17><6><3>U<4><8><19><10>California1<20>0<18><6><3>U<4><7><19><11>Los Angeles1)0'<6><9>*<134>H<134><247><13><1><9><1><22><26>servicedesk at mydomain.com0<130><2>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0>
> EAP-Message = <3><130><2><15><0>0<130><2><10><2><130><2><1><0><206><158><139><253><221>l<221>82*<26><149>1(<20><184>N<254>g<129>N<147>(<152>$<244><150><227>4<217><215><205><228><239>zL<229>K6<174>r<1>&<173>1i<25><162>Yb<215><27><221><216>F'E<187><221><149><159><254><211>p<28>=\<132><230><185><151>_<219>cN<168><235>5<131><196><143>]<217><209><173>{<162><200>Y<137>/<221>0<178><194><253><31>N<240><243><188><6><140><199><24>,<198><228>V<171><217><165><197>%<203><182>*<172><210><129><204>X<6>^<205>QP<225><192><9><202><167>C<5><132><239><195><223>[M<8><141><9><236>R$<183><180><237><217><10><5>hL<235>Q<242><232>9<14><159><19><135><232><216><146>d<15><150><185><214>D<10>/"Lac<182><3><210><178><255>H<20>TV<203>H<153><29>F<220><212><23><z<217><203><1><10>k<170>IQ<175><208>F.<127><135><240><6><226><214><169><233>g<23>~<240><188>=<202><173><244><30><248><246>NBM<254><165>%<246>A%h
> EAP-Message = <20><127><238><230><207><2><210>4<156><127><187>X<16><178>}<229><192><23>]U<148><163><230><218><219>><199><245>t(r<14>Ai<236>h<145>?:<143><195><200><211><255><181>D<155><9> <172><198>E<4>_\<142>{*<<131>'<172><23><5><172>`<141><145>|<175><27><249><9>J]:<0><14>N<232><154><219>6<181><207>E<242><22>=TQ<136><161>F!<157><8>cc<227><217><13><11><151><211><237><234>r<160><165>/<201><183><223><17><238>I=<136>{<251><138>]<175><225><148>N<130>0p<7>OP.g[<204>b<207>"<16><199>V<215><205><185>z<127>3o6&b<186>)f<182><13><171><226>75{r at u<242><238><245>FbZFC<136><203><249><184><248>:-<244>V<163>\<183>^<210>+8O<29><198>%<231>yd<187><0>6<228><25>@<234><216>?Q<227><150>Q<27><6><4>=<6>3<227><146>2<149><2>A<253><31><195><149>2o<1>IZ<254>%<27>tM<180>f|h<25><7>*<138><245><231><0><213><144><178><207><171><146>
> EAP-Message = <235>CM=<245><130>O<165>L?<24><132><146><145><153>aW<134><217>-<2><3><1><0><1><163><129><148>0<129><145>0<9><6><3>U<29><19><4><2>0<0>0<11><6><3>U<29><15><4><4><3><2><5><160>0w<6><3>U<29><17><4>p0n<130><6>admin2<130><9>admin2.wh<130><21>admin2.mydomain.com<130><6>radius<130><24>radius.wh.mydomain.com<130><21>radius.mydomain.com<130><9>radius.wh0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><130><2><1><0><187>ThMI}<28><26><149><199><211><1><0><211>(N<153>`<197><143>0<228><181>H<215><212><165>CQ<9><140>V<234><199><198>c4<155>W$-<213>UXV<191><183><194><212><179><180><187><165>"<173><215>r
> EAP-Message = <182><146>^<196><163><163><29><18><210><133><20>9<243><232><147><29>P<19><189><13>hh<223><3><200><210><238>M<225>V<160><6><127><180><187><199><225><137>2<26>F<239><190><216><170>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 87
> Authentic: <175>)<174><15><129><229>S<190>(Z<26><220><5><144><129><18>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><4><0><6><21><0>
> Message-Authenticator = <227><146><177><142><236><252>_<249>u^<238><148><6>m]2
>
> Tue Dec 15 14:24:45 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:45 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with EAP: code 2, 4, 6, 21
> Tue Dec 15 14:24:45 2009: DEBUG: Response type 21
> Tue Dec 15 14:24:45 2009: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Access challenged for zod at RLTECHOPS: EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Challenge
> Identifier: 87
> Authentic: ><227><179><246><228><16> <217><23><31>0\<214>F<144>|
> Attributes:
> EAP-Message = <1><5><5><26><21>@bJAV<173><253><16><141><196>=6<231>Gd<220>B<204><214><192>o<212><246>NM<183><138><228>d<155><22>C{<18>#<202><220><200><218>.u<180>=<228><187><237><<30><248><245>p<228><180>eP<219><26><187>AQ<10><150>4<228><188>@<19><7><160>n<30>!<136>`<20><19>G$-<24><239><204><163><197><234><30>e<163><223><198>iN<195><249><254>T<186><146><30>r<175><239>iK<191><196><166><195><200><154>7<172><206><216><216><135><227><212><1><27><160>TZ<239>:<182><141><131><0><132><189><145><220>!<24><27><28>Hz<228>@<203><192>p<1><243><189>eQ<5>y<171><197>[<15>u/<156>N<14><205><200><185>c<213>_vs`n<30><165><159>N<173><184><142><188>|SPLi<239><197><186><200>T'L<154><153>u<165><136><159>/G<152><188>-6<221><17><0>_<241>r<219><18><21><251><205><25>@<196><1><234><211><130><193>@\<198><145><152><159><147><244><194><160>+nLS<3><202>2&<169>Z<158>F<223>!3<136><15>
> EAP-Message = <253>m<226>N0<25>Ggvq<3>}0<198><178><139><227><182><175>)w,<3>E/<147><180><8><204><250>3<183><238><135>S<216><22><139><209><136>l<187><151>qlK<134><208><247><225><180><157><202>f%<153><184>E<176><167>N<9><240><142><212><189><195><29><130><140><139>#M<0><188>)ow<164><6><232><194><21><228>/<1><174>4<145><228><248>y<237>g<154>s.,<162>6#<156><228><179><177>s0<131><195>c=<236>@<197>^Rn3<235>p<201><1><22><6><20><208>/<2><252><18>7<204><26><207><217><176><156><188><30><246>!<154>{<130><174>ZS<23><165>6^v<28>jD}<212>;<230>^r<209><18><0><5><201>0<130><5><197>0<130><3><173><160><3><2><1><2><2><9><0><221><177><152><150><226><29>8[0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><152>1<26>0<24><6><3>U<4><3><19><17>Reach Local, Inc.1<30>0<28><6><3>U<4><10><19><21>Certif
> EAP-Message = icate Authority1<11>0<9><6><3>U<4><6><19><2>US1<19>0<17><6><3>U<4><8><19><10>California1<20>0<18><6><3>U<4><7><19><11>Los Angeles1"0 <6><9>*<134>H<134><247><13><1><9><1><22><19>root at mydomain.com0<30><23><13>090205195741Z<23><13>380622195741Z0<129><152>1<26>0<24><6><3>U<4><3><19><17>Reach Local, Inc.1<30>0<28><6><3>U<4><10><19><21>Certificate Authority1<11>0<9><6><3>U<4><6><19><2>US1<19>0<17><6><3>U<4><8><19><10>California1<20>0<18><6><3>U<4><7><19><11>Los An
> EAP-Message = geles1"0 <6><9>*<134>H<134><247><13><1><9><1><22><19>root at mydomain.com0<130><2>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><2><15><0>0<130><2><10><2><130><2><1><0><201><205><205><229><163><254><192>#<26>2q)<127>A<147><148><251>jF<16><151><215><145>O<155><186><172><253><176><151>o(<202><243>U<213>3gr<205><210>80<157>i<207><29>o<20>))$"<J<176><252><175>j<172><217><13><183><9><11><148>k<228><187>^S<166><127><191>'<127><205><192><201>m<211>]<233>W<148>s<156><158><190><208>}<208><231>9<232><127><186>~<24><156>,<142>G$<165>Ao<190>~<193>J<183><218>\<168><201><204><200><14><199>`<173>A<8><168><192><203>bM <22><164><159><221><255><15><237>`&<150><150><24><5><166><145><230><5><185><214><187><160><176><158><198><202><251><146><250><221><215>U>{W<189><255>R<201><134><17>2x<149>s<26><134>j'q
> EAP-Message = <177><18><185><31>&2<237><170><206><231><144><<138><195>{:=<21><149><199>w<11>mi80<3><23><184><27>5<176><194>{)<254>war><5><8>(<235><172><250><25>i<246>Kq<28><233>|<144><252>k{4<248>5<158><233>P<197><3>`<179><154>F#<178>h~<245>K:1_~.g<147>jL<30>:<212>aO<168><137><207>s<228>)<14><135><161><165>H<155>]<213>O<132>Q+<165><229>sl<247><217><218><205>(<246>J<128>s&%<149>9<245>$fy<249>Ys<222><139>;~<173><226>eW<12>)<250><197><201>l<224>S<250><25><159>eQx<167><6><149><187>U<179><240><9>><173><0>f<185><194><234>7<194>B<160><146>}<153><250><135><216><187>P<230><142><209><14>7]Y2<240>4<185>ua&<253><132><192><171>H<244><9>#7<137><220><237><163>&3<249><12><213>.<186>"w<190><139><154><7>h;0L<23><254>C~<21><19><211><240><5>(~t<190><198>y{g0hU<222>X<246><178><202><195><11><234>
> EAP-Message = <237><160>q<227>:8<173><143><0><160><206>}e!<132><232>l<222><135>&<130><7><188><249><168><145><168>>;jP<166><196>&(C*<163>O<141><157>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 88
> Authentic: ^<238><144><198>Y<226><145>(<174><<156><147><236><174><152><222>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><5><0><6><21><0>
> Message-Authenticator = <147>8<152><201><178><171><28>s<166>xc<246>:k<159>/
>
> Tue Dec 15 14:24:45 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:45 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with EAP: code 2, 5, 6, 21
> Tue Dec 15 14:24:45 2009: DEBUG: Response type 21
> Tue Dec 15 14:24:45 2009: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Access challenged for zod at RLTECHOPS: EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Challenge
> Identifier: 88
> Authentic: M<147><240>g<200><233><189><149><150><204><158>DX`v
> Attributes:
> EAP-Message = <1><6><2>a<21><0><205>S<1><220><4><208>X<227><240>i<135><161> <167>D8<0>uP<191><193>y<189><24><177>T3<234><164><208><255>4M<143><138><155><129><236><255><2><3><1><0><1><163><16>0<14>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><130><2><1><0><198>"<187><198>;<221><181><134>lN<170><11>M<<207><247><213>:/syC<237><197><133><161>s<152><14><151><1>R<218>"<223><206><221>"H<219>8<170><14>K<227><253>j<251><171>`<17><190><136><229>TIq<221>0A<9><219><183><166>=<12><135><20>\<160>]<179><17>X<238>]<251><195><211><187><30>5!<240><157><2><18><131>jZ<172>|<6><183>i<181><230><245><191>Q<215>3<197><136>t<140>-<24><223><129>#<204>6<241><199><133>><23>W<236><143>x<157>f<176>G<155><166><158>#<222><183><153>@I`<205><145><158><184>r<218><197><246><17><237><223><16><187><132>d<149>+]<214><236><202>o<9><15><184><139>k}&
> EAP-Message = <195><174><144>_<28>1<248>i<189><235><229>X9<8><203>}}z<248><28><155><7><255><192><253><252>s<183><145><239>+#<178><177><26><20>r<186>p<230>)<189>gG<205><190>#<226>h<219>xe<235><161><190>7<145><145><151>Q<133><199><158><193><197><172>@<16><165><191>DE9<222><171><199>-<6><224><132>\<18>!<134><7><184>-.<241>4<210><162><29><207>0<177>N<24>rp<171><163><10><10>$<134>u"<133>-<4><157><240><210>2<30><163><18><161><246>4nnbI<11><164><197><216><253>Gd<171>;<185><229><237><242>7E<182>-Q.<194><179>%<163>o\<143><186>a<199>hO;[b<202><172><132>"<17><197><25><5>^!w<227><228><148><12><16><230>M<231>!<255>T<236>R<17><145><171>wj<188>S<163><240><24><202><239><167>I~<22><243>\f#<234>~#<231><208><214><130><158>k<212><248>g<151><198><181>3<196>*n<195><7>t<232><18>><151><254>R<27>'<191><134>DZ<217><132> <8><184><31><223>8<254><195><232><203>o<195><134><16>
> EAP-Message = <161><159><11>^<239><162><166><131><209><199><252><252><236>S<201>,<3><203><1><212><148>r<208>7<166>d<170><169>j<252><191><171><208>v@<208><139>A<170><176><224><238><187>@_<155><3><167><205><232><159><14><241>= <2><167><232>%,<224>H<151><221><14><183><213><131>Vk<26><248>Ys<167><173><8><136>,<177><162><179><180>D{<244><224><15><170>t<215><1><26><<22><3><1><0><4><14><0><0><0>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 89
> Authentic: <10><245><234>=<130> <129><149>\<247><241><198><245>V*<9>
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><6><2>P<21><128><0><0><2>F<22><3><1><2><6><16><0><2><2><2><0>\<130><224><168><227><230><249><132>~C<4><156><241><217><140><135>3*<176><186><163>h<237>;<246>6I<205><172><255>T<140>~<16><195><240><245><137><159>d!vw`<224>%<13>f<243>1<215>S)o<4><169><13><238><229>K<171><221><139><242><137><211>E<136>2<199>P<135><217><142><165><132>D<178>V<233>N<220><255><161>5S<208>+zj$c<4>ae<251><248>\<148><203><162><192><205> <31><234><224><248>><237><248>GH#q|.VD=<184>Y<128>C<160><16><188>r<239><186><233><179><171><16><144><11><H<218>J<178><193>*<157>3<7><178><201><12><15><207><215>qFw<158><16>O<165>`%C0*Fs<25><146><130><253>tx<190><236><157>s8<252><253>/<218><221><14><220><2><236><191>D<217>,<23>x<251><141>;<131><1><138><231><11><2><243><181><9><214><151><248><189><27>~1`<180>@<139><3>`_<229>V<7>,<20>f<168><226><139>X<177><160><201><212>
> EAP-Message = <136><151><139><129><128><188>|<152><12><247>dA<146>Fn<183><223><228><205><5><187>^s<195><226><228>X<170><139><210>><218><229><252><141><198><136>zi<139><168>P<250><20>u<146><162><144>R<13>^<135>}<247><152><216><200>><167><128><136><225><214><224>EF<21>I<180><147><2><139>Vt<230><191><21>CU<160>>?G<14><160>j"<183><134><245><245><230><221>{<236><207>Z<23><178><131><25><233><245>-h<28>zj<199><27><169><163><230>L<244><172><248>de<196><3><15>s(<217>+H<163>'z<228>5<1>s<183><210><9>4<248><10>?<127>2g<23><199><181>}Z<0>|H<153><129><21><215><214><154><203><231>4<175><2>Ld<23><204>&T<3><209><168><224>nv<14>8<<212>S<133><155>B<202><131><<172>G<180><206><212><2>b3<6>-<246>)<22><22> 8<158><158><14>9<168><212><168><254><228><22>2[s<28>l<171><217><234>I:<17>P<<188>#<23><197>P<146>b<254><127><192><172><151><29><136>{<14><1>N<161><128><170><254>"2<19><253><251>j
> EAP-Message = n<184><28><181>Y<232><235><15><185>iB"<201><143>w<11><183><145><163>L<238><128>n<204>s#<31><20><3><1><0><1><1><22><3><1><0>0~}<249><186>w7<17>A<30><163><220>s<174>+!<12><229><172>P<223>5'><180><233><3>&g<201><163>-TT<146><10>#<200><230><130>+1*<31><217>G<10><138><223>
> Message-Authenticator = <160><30>I<237><194><174><203><255><0>@<144><24><133><207><241><215>
>
> Tue Dec 15 14:24:45 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:45 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:45 2009: DEBUG: Handling with EAP: code 2, 6, 592, 21
> Tue Dec 15 14:24:45 2009: DEBUG: Response type 21
> Tue Dec 15 14:24:45 2009: DEBUG: EAP TTLS data, 8576, 6, 3
> Tue Dec 15 14:24:45 2009: DEBUG: EAP TTLS SSL_accept result: 1, 0, 3
> Tue Dec 15 14:24:45 2009: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Access challenged for zod at RLTECHOPS: EAP TTLS Challenge
> Tue Dec 15 14:24:45 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Challenge
> Identifier: 89
> Authentic: <231><239><142><20><225><247><133>5iW<11>O<1><164><179>|
> Attributes:
> EAP-Message = <1><7><0>E<21><128><0><0><0>;<20><3><1><0><1><1><22><3><1><0>0&<175><27>]ER7<206><213>9<236><142><162><199>%<239>=<151>q<181><168><218><239>m<143><139><201><28>k,<11>f<222><27><6>T<246><174><170>K<169>~<177>e<180><222><156>a
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:46 2009: DEBUG: Packet dump:
> *** Received from 10.10.19.35 port 32769 ....
> Code: Access-Request
> Identifier: 90
> Authentic: ucF<240><9><148><226><191>ds<220><2>%<162>b$
> Attributes:
> User-Name = "zod"
> Calling-Station-Id = "0c-60-76-58-73-bb"
> Called-Station-Id = "00-26-cb-b8-ae-30:rltechops"
> NAS-Port = 4
> NAS-IP-Address = 10.10.19.35
> NAS-Identifier = "rlwlc1"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 30
> EAP-Message = <2><7><0><128><21><0><23><3><1><0> <185>t<200><247><8>S2Lg<178><17>I<5><136><255><193><22><241><22><148>yl<30><237>T<247>`<155>P<246><234>`<23><3><1><0>PDpk|K<225><17><250>S<248><128><134><185>Nq<235><138>6<241>Y<129><16><153><236><20><251><236>}M}<252><194>v<148><149><226><142><192><231>w<207>.<215><11><170><234><194>mU<149><216><144><201><174><236><180><2>gv<203>L<23><154>I<13>ud<255><11><190><24>?~<251><188>9%`<137>Z
> Message-Authenticator = <181><2><137><28>H<198><15><138>m<8>$W<1><187>3<224>
>
> Tue Dec 15 14:24:46 2009: DEBUG: Handling request with Handler 'Called-Station-Id = /rltechops/'
> Tue Dec 15 14:24:46 2009: DEBUG: Deleting session for zod, 10.10.19.35, 4
> Tue Dec 15 14:24:46 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 15 14:24:46 2009: DEBUG: Handling with EAP: code 2, 7, 128, 21
> Tue Dec 15 14:24:46 2009: DEBUG: Response type 21
> Tue Dec 15 14:24:46 2009: DEBUG: EAP TTLS data, 3, 7, 6
> Tue Dec 15 14:24:46 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "zod"
> User-Password = mypassd0m!<0><0><0><0><0><0><0><0>
>
> Tue Dec 15 14:24:46 2009: DEBUG: EAP TTLS inner authentication request for zod
> Tue Dec 15 14:24:46 2009: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
> Tue Dec 15 14:24:46 2009: DEBUG: Rewrote user name to zod
> Tue Dec 15 14:24:46 2009: DEBUG: Rewrote user name to zod
> Tue Dec 15 14:24:46 2009: DEBUG: Deleting session for zod, 10.10.19.35,
> Tue Dec 15 14:24:46 2009: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Dec 15 14:24:46 2009: INFO: Connecting to localhost:389
> Tue Dec 15 14:24:46 2009: INFO: Attempting to bind to LDAP server localhost:389
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=mydomain,dc=com
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got uid: zod
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got cn: Anthony Trummer
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got givenName: Anthony
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got sn: Trummer
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got mail: zod at mydomain.com
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got objectClass: person organizationalPerson inetOrgPerson posixAccount top shadowAccount
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got shadowLastChange: 14547
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got shadowMax: 99999
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got shadowWarning: 7
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got loginShell: /bin/bash
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got uidNumber: 1488
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got homeDirectory: /home/zod
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got gecos: Anthony Trummer
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got userPassword: {CRYPT}$1$qVMD76qE$bbI8uLg1K5x.pK9QRF7e5.
> Tue Dec 15 14:24:46 2009: DEBUG: LDAP got gidNumber: 1488
> Tue Dec 15 14:24:46 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
> Tue Dec 15 14:24:46 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : zod [zod]
> Tue Dec 15 14:24:46 2009: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Tue Dec 15 14:24:46 2009: DEBUG: Access accepted for zod
> Tue Dec 15 14:24:46 2009: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <20>X8<167><174>W<232><193>M<204><206>Z<210><137><162><132>
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 28
>
> Tue Dec 15 14:24:46 2009: DEBUG: EAP result: 0, EAP TTLS inner authentication redispatched to a Handler
> Tue Dec 15 14:24:46 2009: DEBUG: AuthBy FILE result: ACCEPT, EAP TTLS inner authentication redispatched to a Handler
> Tue Dec 15 14:24:46 2009: DEBUG: Access accepted for zod at RLTECHOPS
> Tue Dec 15 14:24:46 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32769 ....
> Code: Access-Accept
> Identifier: 90
> Authentic: <202><200>y<241>'<6>X<146>?<188><146><253>1?<142><193>
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 28
> MS-MPPE-Send-Key = <143><20><16>@<195><195>T+<163>;<230>V<134><247><220>@<218><174><235>.(<16><21><235><164>Lu<167>m<176>g6
> MS-MPPE-Recv-Key = 8<196><175><247><179>-r<249>%<179><28>Kt2<172><187><220><146><255><244><247><196>*<243><138><216><3><141><142>-<23><198>
> EAP-Message = <3><7><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list