[RADIATOR] EAP-PEAP problem

Colin Byelong c.byelong at ucl.ac.uk
Thu Nov 12 05:39:37 CST 2009


Hello,

I have been trying to test EAP-PEAP access with AuthbyNTLM; this is on an 
Ubuntu box running Radiator 4.5.
We currently use EAP-TTLS with a PAP inner and this still works, but 
PEAP is failing and I'm not sure why. Here's the config:

#
Foreground
LogStdout
LogDir /var/log/radius
DbDir .
#
#Logfiles
#
<Log FILE>
  Filename %L/radiator.%Y_%m_%d.log
  LogIdent  log-file
  Trace     4
</Log>
#
#
#
#
#Use port 1812 for Authentication
AuthPort 1812,1645
#Use port 1813 for accounting
AcctPort 1813,1646
Trace  4
#
#
#
#
#Logging for users with no realm
#
AcctLogFileName %L/detail
#
<Client localhost>
       Secret <REMOVED>
       DupInterval 0
</Client>
#
#
#
#
#
#
#
<Client DEFAULT>
       Secret <REMOVED>
        DupInterval 2
       StatusServerShowClientDetails
       IgnoreAcctSignature
</Client>
### This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.

#
<Handler TunnelledByPEAP=1>
        <AuthBy NTLM>
                # The name of the ntlm_auth program, supplied with
                # Samba. Defaults to '/usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1'
                # You can require that authenticated users belong to a certain group with:
                #NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName
                # or you can specify that the NTLM authentication requests appear to come from a workstation with
                # a specified name. This can be used to restrict authentication for certain users by setting
                # workstation requirements in their Windows user configuration.
                #NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1 --workstation=MyWorkstationName

                # Specifies which Windows Domain is ALWAYS to be used to authenticate
                # users (even if they specify a different domain in their username).
                # Special characters are supported. Can be an Active
                # directory domain or a Windows NT domain controller
                # domain name
                Domain UCLUSERS

                # Specifies the Windows Domain to use if the user does not
                # specify a domain in their username.
                # Special characters are supported. Can be an Active
                # directory domain or a Windows NT domain controller
                # domain name
                #DefaultDomain
                UsernameMatchesWithoutRealm

                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType MSCHAP-V2

        </AuthBy>
</Handler>
#
#Handlers with authentication
<Handler TunnelledByTTLS=1>
   RewriteUsername   s/^([^@]+).*/$1/
      RewriteUsername   tr/A-Z/a-z/

        <AuthBy LDAP2>
#               Identifier  UCL
               Host   uclusers-dc1.uclusers.ucl.ac.uk

               # Microsoft AD also listens on port 3268, and
               # requests received on that port are reported to be
               # more compliant with standard LDAP, so you may want to use:
               # Port 3268

               AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
#               AuthPassword    yourADadminpasswordhere
               AuthPassword    <REMOVED>
               BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
               ServerChecksPassword
              EAPType MSCHAP-V2,TTLS,PAP,PEAP
               UsernameAttr sAMAccountName
              # EncryptedPasswordAttr sn
#
#                AuthAttrDef logonHours,MS-Login-Hours,check


</AuthBy>
#
#
AcctLogFileName   %L/ucl-detail.%m%y
#
  </Handler>
#
#EAPOUTER
<Handler Realm=ucl.ac.uk, EAP-Message = /.+/>
RewriteUsername   s/^([^@]+).*/$1/
      RewriteUsername   tr/A-Z/a-z/
          <AuthBy FILE>
             Filename %D/users
              EAPType TTLS,pap,PEAP,MSCHAP-V2
              EAPTLS_CAFile %D/certs/sureserverEDU.pem
              EAPTLS_CertificateFile %D/certs/orps.pem
              EAPTLS_CertificateType PEM
              EAPTLS_PrivateKeyFile %D/certs/server.key
              EAPTLS_MaxFragmentSize 1500
              AutoMPPEKeys
              EAPTLS_PEAPVersion 0
              EAPTLS_PEAPBrokenV1Label
              EAPAnonymous anonymous
            </AuthBy>

AcctLogFileName %L/eapout
AccountingHandled
</Handler>
#
<Handler Request-Type=Accounting-Request>
    AcctLogFileName %L/accttest.log
    AccountingHandled
</Handler>
#


root at nwgdev-desktop:/var/log/radius# more radiator.2009_11_12.log
Thu Nov 12 11:28:25 2009: ERR: Unknown keyword 'LogIdent' in 
./eduroam.cfg line 12
Thu Nov 12 11:28:25 2009: ERR: Unknown keyword 'AcctLogFileName' in 
./eduroam.cfg line 30
Thu Nov 12 11:28:25 2009: DEBUG: Finished reading configuration file 
'./eduroam.cfg'
Thu Nov 12 11:28:25 2009: DEBUG: Reading dictionary file './dictionary'
Thu Nov 12 11:28:25 2009: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Nov 12 11:28:25 2009: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Nov 12 11:28:25 2009: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Nov 12 11:28:25 2009: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Nov 12 11:28:25 2009: NOTICE: Server started: Radiator 4.5 on 
nwgdev-desktop
Thu Nov 12 11:35:24 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 213
Authentic:  <151>9<187>.<154><155>.&<160><240><229>|d<176><156>D
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
<20><27><24><194><239><158>`<148><192><236><169><250>(<138>.<185>
        EAP-Message = <2><3><0><22><1>ccaacrb at ucl.ac.uk
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:24 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:24 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:24 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:24 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:24 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:24 2009: DEBUG: Handling with EAP: code 2, 3, 22, 1
Thu Nov 12 11:35:24 2009: DEBUG: Response type 1
Thu Nov 12 11:35:24 2009: DEBUG: EAP result: 3, EAP TTLS Challenge
Thu Nov 12 11:35:24 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS 
Challenge
Thu Nov 12 11:35:24 2009: DEBUG: Access challenged for ccaacrb: EAP TTLS 
Challenge
Thu Nov 12 11:35:24 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 213
Authentic:  
<214><236><215><225><13><183>g<157><244><205><143>.<163>E<3><191>
Attributes:
        EAP-Message = <1><4><0><6><21>
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:24 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 214
Authentic:  p<161>y<25><28><216><150><236>'A<31>+{<248><177>`
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
I<158><17><2><179><12><134>!<141><167><4>=z9t<26>
        EAP-Message = <2><4><0><6><3><25>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:24 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:24 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:24 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:24 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:24 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:24 2009: DEBUG: Handling with EAP: code 2, 4, 6, 3
Thu Nov 12 11:35:24 2009: DEBUG: Response type 3
Thu Nov 12 11:35:24 2009: INFO: EAP Nak desires type 25
Thu Nov 12 11:35:24 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Nov 12 11:35:24 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Thu Nov 12 11:35:24 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
Challenge
Thu Nov 12 11:35:24 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 214
Authentic:  9<163><174>+<161><222>?A<24>/4<203><23><127><213><222>
Attributes:
        EAP-Message = <1><5><0><6><25>
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 216
Authentic:  <216>n<197><175>_<224>C<137>8/<220>'<246><206><188><22>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
<198><170><165><251>I<136><174>A<132>tA&:<11><148><6>
        EAP-Message = 
<2><5><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>J<251><243><16><178><231><233><185><155>}<181><10><232>?ZN<18>6<1><238>.N<211><245>
 ><189>l<190><173>7<244><186> 
tR<163>s<22>t<198><237><148><226>1<1><149><128>m<156><4>?vy<181>~i<135><16>q! 
<227><4>h<185><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0>
<3><0><6><0><19><0><18><0>c<1><0>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 5, 112, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 216
Authentic:  <221><215><19>z<221><182>`<14><192><235><147>K<182>_Z^
Attributes:
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 220
Authentic:  }<140><239><252><30><155><140><27>IZ<216>_k56<232>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = ]KkUf<176>L<194><175><234>)+-<139><0>D
        EAP-Message = <2><6><0><6><25><0>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 6, 6, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 220
Authentic:  QT<203>#<165><252>Y<230>a<164><154>7<193><28>p<165>
Attributes:
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 221
Authentic:  
<171><253><25><130><137><247><159>9<241><13><200><28><163>Rz<134>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
<130><2><219>0<10>Cu<130><160><24><160>c<155><194><146><185>
        EAP-Message = <2><7><0><6><25><0>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 7, 6, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 221
Authentic:  <235><24><151><11>7<8><231>f<1><175><151>"<170><220><181><227>
Attributes:
        EAP-Message = 
<1><8><0>L<25><0>B<30><185><192><149>N<186><250><213><226>|<245>ha<191><142><236><5><151>_[<176><215><163><133>4<196>$<167><13><15><149><147><
239><203><148><216><158><31><157>\<133>m<199><170><174>O<31>"<181><205><149><173><186><167><204><249><171><11>z<127><22><3><1><0><4><14><0><0><0>
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 223
Authentic:  }<150><<212><169><232><129><183>4J<163><133><214><165><140><225>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = <193><137><192>Z<191><193>qx<249>c+q<|,$
        EAP-Message = 
<2><8><0><192><25><128><0><0><0><182><22><3><1><0><134><16><0><0><130><0><128>/<139><242><169><132>q<16>q<127><224><146>J<183>$<12>Kp<249>9&<4
 ><237>P<155><142><254><209>Q<<3>><12><222>}<146><212><222>?<175><244>s<19>F<24>mk<205><198><19>$<<231><228><138>g<131><252><163><211><230><192><2><221><184>b<8><242
 ><5><13>s<180><219><241><16>{<142><146><23>%8<189><242><uX<247><209><211><210><220><246><216>}g<206><162>_<159><248>3<7>9<235><220><220>B*<24>@<153><237><221>d<2>BD
J<226>x<17><165>*<164><193>A<198>{<148><20><3><1><0><1><1><22><3><1><0> 
<218>M<148><12>Saz>](;<29>HI<31><198><170>2<128><223><190><11><21><157>Y<230><236><29><218>(
<216><26>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 8, 192, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 223
Authentic:  <10><144><14>)<161>t<163><221>|<221><26><231>?<28><135><236>
Attributes:
        EAP-Message = 
<1><9><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0> 
U9<168><252>=adB<161><254><10><191><7><227><239><228>y<195>@<221><146><134>vK<23
8>kR<181>F<219>s7
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 226
Authentic:  <180>P<143>.<234>z?<160>~G<151><192><202><144><214><23>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
qE[<211><23><142><155><158><0><185><210>{<5><13><131>c
        EAP-Message = <2><9><0><6><25><0>
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 9, 6, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 226
Authentic:  <174>_'<171><202><176>TB<138><224><184><223><169>H<252>?
Attributes:
        EAP-Message = 
<1><10><0><28><25><0><23><3><1><0><17>m8<128><222><169><187><159><29><133>S<167><174><137><214><171><14>R
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 227
Authentic:  C<233>k<127>B<181>5M<16><10>f8<208><154>J<194>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
<208><220>+Vn7<146>4<188><233><226>~<193><169><130><235>
        EAP-Message = 
<2><10><0>-<25><0><23><3><1><0>"<204>H<247><191><157><134><204><9>f<237>cc<134>1/<220><183>-<152><166><27><23>I<152><140><235>F@<9>><234><246>
!0
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 10, 45, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP PEAP inner authentication request 
for anonymous
Thu Nov 12 11:35:25 2009: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <181><136><11>3a<209><155><144>zC<221>5WQ<152>d
Attributes:
        EAP-Message = <2><10><0><18><1>ccaacrb at ucl.ac.uk
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 10.101.1.11
        NAS-Port = 7565083
        Calling-Station-Id = "0015.afa6.0d8d"
        User-Name = "anonymous"

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'TunnelledByPEAP=1'
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for anonymous, 
10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthNTLM:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 10, 18, 1
Thu Nov 12 11:35:25 2009: DEBUG: Response type 1
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy NTLM result: CHALLENGE, EAP 
MSCHAP-V2 Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for anonymous: EAP 
MSCHAP-V2 Challenge
Thu Nov 12 11:35:25 2009: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic:  <181><136><11>3a<209><155><144>zC<221>5WQ<152>d
Attributes:
        EAP-Message = 
<1><11><0>(<26><1><11><0>#<16><18><157><231>Q<227>T<216><145>!<172><163><144><165><174>Fsnwgdev-desktop
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP inner 
authentication redispatched to a Handler
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
inner authentication redispatched to a Handler
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
inner authentication redispatched to a Handler
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 227
Authentic:  <187><128>ot<179>9M<200><13>6|<14>X<202><161>c
Attributes:
        EAP-Message = 
<1><11><0>?<25><0><23><3><1><0>4<162><235><231><243><5><7>qF.<168><i<7>F<170>g<29><255><217><174><9><199>6<214><188><233><23><212><128><157>z<
151><22>0B$<26><150>f<13>N<172><237><207><230>y#<224><145><184><248>C
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code:       Access-Request
Identifier: 230
Authentic:  <16>r<5>nZ`Up=<144><10><225><28><13>J<9>
Attributes:
        User-Name = "ccaacrb at ucl.ac.uk"
        Framed-MTU = 1400
        Called-Station-Id = "0000.0c07.ac00"
        Calling-Station-Id = "0015.afa6.0d8d"
        Service-Type = Login-User
        Message-Authenticator = 
<13><136><159><235>7~<196>X<180><206><245>)|0`~
        EAP-Message = 
<2><11><0>c<25><0><23><3><1><0>X<225><151><233><205><244><16><248><214>[<164><137>t<233><144>b<207><249><149>u<234><167><243><176><143><205>&<
249><218><212><156>><208>u0C.<206><241><25><174><175><177>R_!<198><175>9<147>:P<21>#<213><227><8><188><211><240><244><128>[<9><185> 
<169><29>s<207><136>04C<196>O`<2
8><171><157><165><254>s<198>U<22><25><134>i
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 7565083
        NAS-IP-Address = 10.101.1.11

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'Realm=ucl.ac.uk, EAP-Message = /.+/'
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG: Rewrote user name to ccaacrb
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for 
ccaacrb at ucl.ac.uk, 10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 11, 99, 25
Thu Nov 12 11:35:25 2009: DEBUG: Response type 25
Thu Nov 12 11:35:25 2009: DEBUG: EAP PEAP inner authentication request 
for anonymous
Thu Nov 12 11:35:25 2009: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <237><12><173><229><218><226><19>v<28><232>{<194><154>;<156>P
Attributes:
        EAP-Message = 
<2><11><0>H<26><2><11><0>G1<215><253><194><234>:!<151><154><143><213>{<147><255>"<177><131><0><0><0><0><0><0><0><0><0><18>&<11><21><250><173><
195>g<139><209>9b@<251>h<232><240><5>cW<235>cR<0>ccaacrb at ucl.ac.uk
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 10.101.1.11
        NAS-Port = 7565083
        Calling-Station-Id = "0015.afa6.0d8d"
        User-Name = "anonymous"

Thu Nov 12 11:35:25 2009: DEBUG: Handling request with Handler 
'TunnelledByPEAP=1'
Thu Nov 12 11:35:25 2009: DEBUG:  Deleting session for anonymous, 
10.101.1.11, 7565083
Thu Nov 12 11:35:25 2009: DEBUG: Handling with Radius::AuthNTLM:
Thu Nov 12 11:35:25 2009: DEBUG: Handling with EAP: code 2, 11, 72, 26
Thu Nov 12 11:35:25 2009: DEBUG: Response type 26
Thu Nov 12 11:35:25 2009: DEBUG: Radius::AuthNTLM looks for match with 
ccaacrb [anonymous]
Thu Nov 12 11:35:25 2009: DEBUG: Radius::AuthNTLM ACCEPT: : ccaacrb 
[anonymous]
Thu Nov 12 11:35:25 2009: INFO: Starting NtlmAuthProg: 
/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
Thu Nov 12 11:35:25 2009: DEBUG: Passing attribute 
Request-User-Session-Key: Yes
Thu Nov 12 11:35:25 2009: DEBUG: Passing attribute 
Request-LanMan-Session-Key: Yes
Thu Nov 12 11:35:25 2009: DEBUG: Passing attribute LANMAN-Challenge: 
8a03d805dce6b2df
Thu Nov 12 11:35:25 2009: DEBUG: Passing attribute NT-Response: 
0012260b15faadc3678bd1396240fb68e8f0056357eb6352
Thu Nov 12 11:35:25 2009: DEBUG: Passing attribute NT-Domain:: VUNMVVNFUlM=
Thu Nov 12 11:35:25 2009: DEBUG: Passing attribute Username:: Y2NhYWNyYg==
Thu Nov 12 11:35:25 2009: DEBUG: Received attribute: Authenticated: Yes
Thu Nov 12 11:35:25 2009: DEBUG: Received attribute: LANMAN-Session-Key: 
E928F849BA704AB3
Thu Nov 12 11:35:25 2009: DEBUG: Received attribute: User-Session-Key: 
A223F0B2DD3F19A3F4C41D9C7EAB80B5
Thu Nov 12 11:35:25 2009: DEBUG: Received attribute: .
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: 
Success
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy NTLM result: CHALLENGE, EAP 
MSCHAP V2 Challenge: Success
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for anonymous: EAP 
MSCHAP V2 Challenge: Success
Thu Nov 12 11:35:25 2009: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic:  <237><12><173><229><218><226><19>v<28><232>{<194><154>;<156>P
Attributes:
        EAP-Message = 
<1><12><0>=<26><3><11><0>8S=50CD2DE6C1810F6C092C4BADD9C0E567567D077C 
M=success
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Nov 12 11:35:25 2009: DEBUG: EAP result: 3, EAP PEAP inner 
authentication redispatched to a Handler
Thu Nov 12 11:35:25 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
inner authentication redispatched to a Handler
Thu Nov 12 11:35:25 2009: DEBUG: Access challenged for ccaacrb: EAP PEAP 
inner authentication redispatched to a Handler
Thu Nov 12 11:35:25 2009: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code:       Access-Challenge
Identifier: 230
Authentic:  B<220><27><243><174>Lb<139>hT<150>c<175><172><230><0>
Attributes:
        EAP-Message = 
<1><12><0>T<25><0><23><3><1><0>I<141><186>3<217><21><173><255><173>c<216><169><242><221><223><23><128><127><140>x<6><233><196><148>5<228><135>
<185>N<231>r<6><218><15>X4a<4>u<186>A<219>rB[<13>I<152>lp<25>.<223><255><168>.<177><211><141>4<159>!F<241><21>X<240><137><210>O<153>(&<230>
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

This is where it stops.


Thanks for any help

Colin

-- 
-----------------------------------------------------------------------


Colin Byelong                             Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street                              Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
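An added example, not part of the original post and not Radiator's own code: a small Python decoder for the `<NN>`-escaped EAP-Message dumps in the trace above, useful for checking which EAP code, identifier and method each packet carries. The function names are hypothetical; the sample string is copied from the "Returned PEAP tunnelled packet dump" in the trace, including its mail line wrap.

```python
import re

# EAP codes (RFC 3748), the EAP method types seen in this trace,
# and the MS-CHAPv2 opcodes (RFC 2759).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAP-V2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

_TOKEN = re.compile(r"<(\d{1,3})>|(.)")

def unescape_dump(text):
    """Turn the '<NN>'-escaped dump notation back into raw bytes.

    Assumption: non-printable bytes appear as <decimal>, everything else
    is a literal character. A literal '<' followed by digits and '>' is
    ambiguous in this notation and is read as an escaped byte.
    """
    text = text.replace("\r", "").replace("\n", "")  # undo mail line wrapping
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
        else:
            out.extend(m.group(0).encode("latin-1", errors="replace"))
    return bytes(out)

def parse_eap(raw):
    """Decode the EAP header and, for EAP-MSCHAPv2, the opcode and message."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "truncated": len(raw) < length}
    if code in (1, 2) and len(raw) >= 5:          # only Request/Response carry a type
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 26 and len(raw) >= 6:
            info["opcode"] = MSCHAP_OPCODES.get(raw[5], raw[5])
            if raw[5] == 3:                       # Success: text follows the 9-byte header
                info["message"] = raw[9:length].decode("latin-1")
    return info

# Copied from the trace: the inner packet returned by the TunnelledByPEAP handler.
INNER_SUCCESS = ("<1><12><0>=<26><3><11><0>8"
                 "S=50CD2DE6C1810F6C092C4BADD9C0E567567D077C \nM=success")

if __name__ == "__main__":
    print(parse_eap(unescape_dump(INNER_SUCCESS)))
```

Decoded this way, the last inner packet is an EAP Request (identifier 12) of type MS-CHAP-V2 with opcode Success, and the outer packet sent to the NAS is a PEAP Request with the same identifier.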


