[RADIATOR] WLAN EAP-TLS auth issue

Markus Moeller huaraz at moeller.plus.com
Wed Nov 3 15:04:19 CDT 2010


Hi 

  I am testing EAP-TLS auth with Radiator and came across the following. I have two SSIDs, SSID-1 and SSID-2, and want to restrict access to SSID-1 and SSID-2 based on the certificate issuer, e.g. on SSID-1 I allow certs from issuer COMP-A and on SSID-2 from COMP-B. What I notice is that once a user, let's say, authenticates to SSID-1 successfully and then disconnects and connects to SSID-2, the EAPTLS hook is not called (see log example). I also see that the server is not sending the CA to the client. Can it be that it is not seen as a new session?

  I have the following configuration.

 
# EAPTLS authentication
<AuthBy FILE>
  Identifier EapTLS
  # the file is used to check usernames (assuming EAP-TLS certificate checks pass): just contains DEFAULT
  Filename %D/wlan_users
  EAPType TLS
  # WLAN Additional Certificate Check
  EAPTLS_CertificateVerifyHook file:"%D/cert_check.pl"
  # WLAN root CAs
  EAPTLS_CAFile %D/certs/CAa.pem

  EAPTLS_CertificateType PEM
  # Radiator Cert
  EAPTLS_CertificateFile %D/certs/server_cert.pem
  # Radiator private key
  EAPTLS_PrivateKeyFile %D/certs/server_cert.key

  EAPTLS_MaxFragmentSize 1000

  EAPTLS_CRLCheck
  EAPTLS_CRLFile %D/certs/crls/Root_CA.pem

  AutoMPPEKeys
</AuthBy>



sub {
  # Radiator EAPTLS_CertificateVerifyHook. It is called from the TLS
  # certificate verify callback, i.e. only in a handshake in which the
  # client actually presents a certificate.
  use Crypt::OpenSSL::X509;

  my ($p0, $p1, $p2, $p3, $p4, $p) = @_;
  # $p0 = $matchdn, $p1 = $x509_store_ctx, $p2 = $cert (X509 pointer),
  # $p3 = $subject_name, $p4 = $subject, $p = Radius request

  &main::log($main::LOG_DEBUG, "cert_check: enter hook");

  my $issuer_name = &Net::SSLeay::X509_NAME_oneline(&Net::SSLeay::X509_get_issuer_name($p2));
  my $x509 = Crypt::OpenSSL::X509->new_from_string(&Net::SSLeay::PEM_get_string_X509($p2));
  my $extensions = $x509->extensions_by_name();

  # extKeyUsage() dies on undef, so guard against certificates without an EKU extension
  my @extendedKeyUsage = $extensions->{extendedKeyUsage}
      ? $extensions->{extendedKeyUsage}->extKeyUsage()
      : ();

  my $eku_req_client_auth = grep { /clientAuth/ } @extendedKeyUsage;
  my $eku_req_client_any  = grep { /anyExtendedKeyUsage/ } @extendedKeyUsage;

  &main::log($main::LOG_DEBUG, "cert_check: matchDN: $p0");
  &main::log($main::LOG_DEBUG, "cert_check: issuer: $issuer_name");
  &main::log($main::LOG_DEBUG, "cert_check: Extended Key Usage strings found in certificate: " . join(" & ", @extendedKeyUsage));

  # User certificate CA string (declared with my; a bare assignment does not compile under strict):
  my $user_CA = 'CN=User CA, OU=Test, C=UK';

  # bail out if the certificate carries no usable extendedKeyUsage:
  if ($eku_req_client_auth == 0 && $eku_req_client_any == 0) {
      &main::log($main::LOG_ERR, "cert_check: certificate presented does not have required values present in Extended Key Usage field.");
      return undef;
  }

  # test the issuer string valid for this SSID against the issuer of the
  # certificate in the request; compare as strings rather than as a regex,
  # so metacharacters in a DN cannot widen the match:
  my $match = 0;

  if ($issuer_name eq $user_CA) {
      $match++;
      &main::log($main::LOG_DEBUG, "cert_check: Successful match for issuer_name [$issuer_name] with issuer_string [$user_CA]");
  }

  if ($match == 0) {
      &main::log($main::LOG_ERR, "cert_check: invalid certificate issuer [$issuer_name] in request.");
      return undef;
  }

  # accept explicitly instead of falling off the end of the sub, whose value
  # would otherwise be whatever the last statement happened to evaluate to
  return 1;
}


Wed Nov  3 09:32:20 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 153
Authentic:  +R<20><209><177><167>5/<246>y%<135><133><134><191><173>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><3><0><18><1>user1 at TEST.UK
        Message-Authenticator = L><159><3>4<221><139>8<214>g<237><153><22>v<200><197>

Wed Nov  3 09:32:20 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:20 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:20 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:20 2010: DEBUG: Handling with EAP: code 2, 3, 18, 1
Wed Nov  3 09:32:20 2010: DEBUG: Response type 1
Wed Nov  3 09:32:20 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:20 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:20 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:20 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 153
Authentic:  <213>o<31><153>j1<190><209>Yu&<238><166><210>_<16>
Attributes:
        EAP-Message = <1><4><0><6><13> 
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:21 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 154
Authentic:  >k<16>#p<154><1><245><194>d<165><131><189><143><237><142>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><4><0>W<13><128><0><0><0>M<22><3><1><0>H<1><0><0>D<3><1>L<209>,%<239><146><242><12><235><234>.'<3>h<6><31><178>Y3<155><194><158><177>A<142><239><188>T}<202>J&<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
        Message-Authenticator = Pg<184><167>vMr<0><24>D<189><210><248>a<241><191>

Wed Nov  3 09:32:21 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:21 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:21 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:21 2010: DEBUG: Handling with EAP: code 2, 4, 87, 13
Wed Nov  3 09:32:21 2010: DEBUG: Response type 13
Wed Nov  3 09:32:21 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:21 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:21 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:21 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 154
Authentic:  y<241><254>,<218>r_<188>Cx<13><222>|<229>;S
Attributes:
        EAP-Message = <1><5><3><242><13><192><0><0><19><9><22><3><....
        EAP-Message = Z<23><13>111014083918Z0i1<19>0<17><6><10><9><146>.....
        EAP-Message = <136><11><151><141>_<172>gL<222>)<25><142><186>.....
        EAP-Message = ........
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 155
Authentic:  <158><174><179>V<16><12><128><213><222>6M<173><201>g?<134>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><5><0><6><13><0>
        Message-Authenticator = <178>[ ,i<24>f<24><<17><176>Dx]g<164>

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 5, 6, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 155
Authentic:  <155>}<137><8><191><244>P<193>R<235><165><136>rN<139><145>
Attributes:
        EAP-Message = <1><6><3><238><13>...
        EAP-Message = <29><6><3>U<29><14><4>....
        EAP-Message = B<25>tB<130><186><217><5>.....
        EAP-Message = <12>0<10><6><3>U<4><11><19>......
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 156
Authentic:  <252>;pf<152>/K<147><193> <239><168><213><237><224>N
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><6><0><6><13><0>
        Message-Authenticator = m<220>y<12><240><226>=<245><212><185><247>n1z<213><20>

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 6, 6, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 156
Authentic:  <187>t<158><191><143>&<207>t%9<247><215>.<232><159><137>
Attributes:
        EAP-Message = <1><7><3><238><13>@<171><9><225>......
        EAP-Message = *<6><3>U<29><31><4><130><3>!0<130>.....
        EAP-Message = ..........
        EAP-Message = ..............
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 157
Authentic:  <150>n<250>];"<13>@X4h<218><185>O'<158>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><7><0><6><13><0>
        Message-Authenticator = <24><6><226>"<229>o<230><170>%<0><199><203><141><217><157>*

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 7, 6, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 157
Authentic:  <210><207>\<219><218><225>v&~<132><198>+<196><217><3><163>
Attributes:
        EAP-Message = ........
        EAP-Message = <1><172>.......
        EAP-Message = 0<9><6><3>U<4>.......
        EAP-Message = v<31><142>a<160><183>.....
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 158
Authentic:  <173><11><15>-<27>p<10><217><141>PpN<249><172><154><162>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><8><0><6><13><0>
        Message-Authenticator = <220><204><217>r<202><202><9>JI<133><136>ft<14><163><163>

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 8, 6, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 158
Authentic:  <5><l<214><205><214>2<131><19><156>8<147>[n<183>Y
Attributes:
        EAP-Message = <1><9><3>o<13><0><6>..........
        EAP-Message = l<150>^<127><11><135><162>y<23>..........
        EAP-Message = <0>\0Z1<11>0<9><6><3>U<4><6><19><2>..........
        EAP-Message = <23>.........
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 159
Authentic:  <17><137><244>k<231><13>N1<234><148><225>Af<170>+<148>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><9><5><210><13><192>..........
        EAP-Message = <23>0<21><6><3>..........
        EAP-Message = ......
        EAP-Message = <1><5><5><7>0<2><134>.........
        EAP-Message = ........
        EAP-Message = .............
        Message-Authenticator = ~<197><172><250><144><231><209><208><153>t<244>a5<138><230>G

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 9, 1490, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 159
Authentic:  Z<19>D<192><H<140><160><<206>- <134><217><247>5
Attributes:
        EAP-Message = <1><10><0><6><13><0>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 160
Authentic:  {.g<138>Z~<3><207><232><157><156><254><179><197><211><156>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><10><5><210><13>..........
        EAP-Message = ..........
        EAP-Message = <29><14><4><22><4><20>........
        EAP-Message = <217><207><202>.......
        EAP-Message = 1<12>0<10><6><3>.........
        EAP-Message = <255><28><161>i<249>S<239>...........
        Message-Authenticator = <127><129><235>f<158><207>2i8<232>jg<127><199><162>r

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 10, 1490, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 160
Authentic:  <150><166><211>4A\<236>.s<241>(<20><180>=<2><151>
Attributes:
        EAP-Message = <1><11><0><6><13><0>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 161
Authentic:  -<246><25><160>x)<170><243>7<141><199>1<157>k31
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><11><5>}........
        EAP-Message = ...........
        EAP-Message = ..........
        EAP-Message = <160>9<134>........
        EAP-Message = <28><193>.....
        EAP-Message = <156><252><251>.......
        Message-Authenticator = <200><142><229><189>*<183><202>iYGOo<213>.e<6>

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 11, 1405, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: Certificate Subject Name is /DC=uk/DC=test/O=TEST/CN=Markus Moeller
Wed Nov  3 09:32:22 2010: DEBUG: Checking subjectAltName type 1, value test.user at test.uk
Wed Nov  3 09:32:22 2010: DEBUG: Checking subjectAltName type 0, value user1 at TEST.UK
Wed Nov  3 09:32:22 2010: DEBUG: Matched certificate subjectAltName user1 at TEST.UK with User-Name user1 at TEST.UK or identity user1 at TEST.UK
Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE looks for match with user1 at TEST.UK [user1 at TEST.UK]
Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE REJECT: No such user: user1 at TEST.UK [user1 at TEST.UK]
Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [user1 at TEST.UK]
Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [user1 at TEST.UK]
Wed Nov  3 09:32:22 2010: DEBUG: cert_check: enter hook
Wed Nov  3 09:32:22 2010: DEBUG: cert_check: matchDN: user1 at TEST.UK
Wed Nov  3 09:32:22 2010: DEBUG: cert_check: issuer: CN=User CA, OU=Test, C=UK
Wed Nov  3 09:32:22 2010: DEBUG: cert_check: Extended Key Usage strings found in certificate: msSmartcardLogin & clientAuth
Wed Nov  3 09:32:22 2010: DEBUG: cert_check: Successful match for issuer_name [CN=User CA, OU=Test, C=UK] with issuer_string [CN=User CA, OU=Test, C=UK]
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 161
Authentic:  <1>P'<188><205><128><136><211><226>R<143><22>HJ<7><16>
Attributes:
        EAP-Message = <1><12><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0> ~<231><163><26><234><180><254><23><238><217><251>!<158>CO<213><145>)l<214>{<205><206><184><224><12>O<200>G<19><<137>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 162
Authentic:  <201>~8<133><171><210><230><184>{:<209>M<192><19>(<10>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><12><0><6><13><0>
        Message-Authenticator = <234><143>_<203>-}Hm<244><163>X<15><7><145><23><141>

Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 12, 6, 13
Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 0, 
Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: ACCEPT, 
Wed Nov  3 09:32:22 2010: DEBUG: Access accepted for user1 at TEST.UK
Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Accept
Identifier: 162
Authentic:  ;<197><218><9>U<141>8D<213><156><223><212>;Plz
Attributes:
        EAP-Message = <3><12><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        MS-MPPE-Send-Key = r<240>i<221><235><183><224><247><159><161><174>#G<244><23><213><245><220><194><128>K<8><23>!<24>w<204><233><18>i<225>t
        MS-MPPE-Recv-Key = U<172><208>8<23>$]<172><18><136><31><16><175><22><192><<153><198><18>6<210><202><170><190><4>-<148><15><184>@7:

Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 163
Authentic:  $<194><159><255><245><145>=s<<207><190><216><186><157><218><222>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-2"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><2><0><18><1>user1 at TEST.UK
        Message-Authenticator = cD<134><215><188>f<231><1><139>U<221><172><173><202>3<174>

Wed Nov  3 09:32:58 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:58 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:58 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:58 2010: DEBUG: Handling with EAP: code 2, 2, 18, 1
Wed Nov  3 09:32:58 2010: DEBUG: Response type 1
Wed Nov  3 09:32:58 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:58 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:58 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 163
Authentic:  <250>x<237>&L at d<247><187><2><186><197><152>@<194><133>
Attributes:
        EAP-Message = <1><3><0><6><13> 
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 164
Authentic:  _<175><14>Q<170>.<218><186><156><179>W<243>w<211>--
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-2"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><3><0>w<13><128><0><0><0>m<22><3><1><0>h<1><0><0>d<3><1>L<209>,I<219>N<144><182><189><200> <131><145><153>d<197>3?<8><6><176>p<208><164>e<227><159><214><186><10>H<3> !<178><192>S<186>~.<4>$[t<14><146><202>k<16>p<158><154>t-<135><244><226>H<172><130>BJ<186><154><127><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
        Message-Authenticator = t<31><193><136>t<223><151><143>><7><177>L<21>9<13>X

Wed Nov  3 09:32:58 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:58 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:58 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:58 2010: DEBUG: Handling with EAP: code 2, 3, 119, 13
Wed Nov  3 09:32:58 2010: DEBUG: Response type 13
Wed Nov  3 09:32:58 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Wed Nov  3 09:32:58 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Wed Nov  3 09:32:58 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Challenge
Identifier: 164
Authentic:  <130>F<239><213><240>4<144><158><16><10><179><6><22><197><150>P
Attributes:
        EAP-Message = <1><4><0><132><13><128><0><0><0>z<22><3><1><0>J<2><0><0>F<3><1>L<209>,J<244><247>P<14>L<198><177>"<189><186><11><27><11><176><246><249><238><149><246>6<199>Kz<206><228><201>i<221> !<178><192>S<186>~.<4>$[t<14><146><202>k<16>p<158><154>t-<135><244><226>H<172><130>BJ<186><154><127><0><4><0><20><3><1><0><1><1><22><3><1><0> R<154>j<188><155>/<217><<138><31>c<153><254><225><141>{t<148><138>U<142><29><221><194><26><151>V<219><164>,<185><215>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
*** Received from 191.169.1.21 port 32768 ....
Code:       Access-Request
Identifier: 165
Authentic:  <237><154>`f<221><253>'-S<149><254>e<234>"<218><173>
Attributes:
        User-Name = "user1 at TEST.UK"
        Calling-Station-Id = "00-22-fa-aa-bb-cc"
        Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-2"
        NAS-Port = 29
        NAS-IP-Address = 191.169.1.21
        NAS-Identifier = "Controller1"
        Airespace-WLAN-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 662
        EAP-Message = <2><4><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0> .<215><190><197>sA^<176><195>n6<236>7<199>eq=<194>y/<167><181><187><20><175><180><219><174><211>-tQ
        Message-Authenticator = <133><156><216><160>?<145>t<201><0><197>7i!M<5><0>

Wed Nov  3 09:32:58 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
Wed Nov  3 09:32:58 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
Wed Nov  3 09:32:58 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Nov  3 09:32:58 2010: DEBUG: Handling with EAP: code 2, 4, 53, 13
Wed Nov  3 09:32:58 2010: DEBUG: Response type 13
Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE looks for match with user1 at TEST.UK [user1 at TEST.UK]
Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user: user1 at TEST.UK [user1 at TEST.UK]
Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [user1 at TEST.UK]
Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [user1 at TEST.UK]
Wed Nov  3 09:32:58 2010: DEBUG: EAP result: 0, 
Wed Nov  3 09:32:58 2010: DEBUG: AuthBy FILE result: ACCEPT, 
Wed Nov  3 09:32:58 2010: DEBUG: Access accepted for user1 at TEST.UK
Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
*** Sending to 191.169.1.21 port 32768 ....
Code:       Access-Accept
Identifier: 165
Authentic:  <165><236>/<144><233><245><243>w<157><157><172>L<217><135><184><249>
Attributes:
        EAP-Message = <3><4><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        MS-MPPE-Send-Key = \f]7<25>0s<155>y<245><187><182>|f[Fs%<158>UM<225><14><23><223>?<254><178><160><20>'<208>
        MS-MPPE-Recv-Key = <13><31>=!<207><18><212>u&<239><228><237><170>@<13>$M<194><0>v<158><195><246>V<243><142>@<140><172>]<178><21>
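Added example (editor's addition, not code from Markus's post or from Radiator): a small Python decoder for the EAP-Message bytes in the packet dumps above, which makes the difference between the two sessions visible. The first ClientHello on SSID-1 carries an empty session ID, so a full handshake with certificate exchange follows and the verify hook runs. The ClientHello on SSID-2 carries a 32-byte session ID; the server's reply echoes the same ID and goes straight to ChangeCipherSpec and an encrypted Finished, which is an abbreviated (resumed) handshake. No Certificate or CertificateRequest message is sent in it, so the certificate verify callback, and with it EAPTLS_CertificateVerifyHook, is never reached. The three payloads are copied verbatim from the dumps; the function names and the classification rules are the example's own.

```python
"""Decode EAP-TLS payloads from Radiator packet dumps and tell a full TLS
handshake from a resumed (abbreviated) one. Added example for this thread;
not code from the original post or from Radiator. The sample payloads are
copied from the EAP-Message attributes in the dumps above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_ESCAPED = re.compile(r"<(\d{1,3})>")


def decode_dump(text: str) -> bytes:
    """Radiator packet-dump notation: non-printable bytes as <N> (decimal),
    printable bytes literally. A '<' not followed by a value and '>' is a
    literal 0x3c byte (the dumps above contain "<<138>")."""
    out, i = bytearray(), 0
    while i < len(text):
        m = _ESCAPED.match(text, i)
        if m and int(m.group(1)) <= 255:
            out.append(int(m.group(1)))
            i = m.end()
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


@dataclass
class TlsFlight:
    eap_code: int                   # 1 = Request (server), 2 = Response (peer)
    eap_id: int
    handshake_types: List[int] = field(default_factory=list)  # plaintext handshake msgs, in order
    session_id: bytes = b""         # from ClientHello / ServerHello
    gmt_unix_time: int = 0          # first 4 bytes of the hello random
    cipher_suites: List[int] = field(default_factory=list)    # offered (client) or chosen (server)
    change_cipher_spec: bool = False
    encrypted_records: int = 0      # records after ChangeCipherSpec (the Finished message)


def _parse_hello(flight: TlsFlight, htype: int, body: bytes) -> None:
    """ClientHello/ServerHello body: version(2) random(32) sid_len(1) sid ..."""
    flight.gmt_unix_time = int.from_bytes(body[2:6], "big")
    sid_len = body[34]
    flight.session_id = bytes(body[35:35 + sid_len])
    p = 35 + sid_len
    if htype == 1:                  # client: 2-byte length, then the offered suites
        n = int.from_bytes(body[p:p + 2], "big")
        suites = body[p + 2:p + 2 + n]
        flight.cipher_suites = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, n, 2)]
    else:                           # server: the single chosen suite
        flight.cipher_suites = [int.from_bytes(body[p:p + 2], "big")]


def parse_eap_tls(packet: bytes) -> TlsFlight:
    """Walk one EAP-TLS packet (RFC 5216): EAP header, type 13, flags,
    a 4-byte TLS message length when the L bit is set, then TLS records."""
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"EAP length {length} != {len(packet)} decoded bytes")
    if packet[4] != 13:
        raise ValueError("not an EAP-TLS packet")
    flight = TlsFlight(packet[0], packet[1])
    tls = packet[6 + (4 if packet[5] & 0x80 else 0):]
    while tls:
        ctype, rlen = tls[0], int.from_bytes(tls[3:5], "big")
        body, tls = tls[5:5 + rlen], tls[5 + rlen:]
        if flight.change_cipher_spec:
            flight.encrypted_records += 1   # everything after CCS is ciphertext
        elif ctype == 20:
            flight.change_cipher_spec = True
        elif ctype == 22:
            p = 0
            while p + 4 <= len(body):
                htype, hlen = body[p], int.from_bytes(body[p + 1:p + 4], "big")
                hbody, p = body[p + 4:p + 4 + hlen], p + 4 + hlen
                flight.handshake_types.append(htype)
                if htype in (1, 2):
                    _parse_hello(flight, htype, hbody)
    return flight


def classify(client_hello: TlsFlight, server_reply: Optional[TlsFlight] = None) -> str:
    """'new': the client offered no session ID. 'resumed': the server echoed
    the offered ID and went straight to ChangeCipherSpec/Finished, so no
    Certificate (11) or CertificateRequest (13) is exchanged and a
    certificate verify hook never runs. Otherwise 'full'."""
    if not client_hello.session_id:
        return "new"
    if server_reply is None:
        return "unknown"
    if (server_reply.session_id == client_hello.session_id
            and server_reply.change_cipher_spec
            and not {11, 13} & set(server_reply.handshake_types)):
        return "resumed"
    return "full"


# EAP-Message values copied verbatim from the packet dumps above.
SSID1_CLIENT_HELLO = r"<2><4><0>W<13><128><0><0><0>M<22><3><1><0>H<1><0><0>D<3><1>L<209>,%<239><146><242><12><235><234>.'<3>h<6><31><178>Y3<155><194><158><177>A<142><239><188>T}<202>J&<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>"
SSID2_CLIENT_HELLO = r'<2><3><0>w<13><128><0><0><0>m<22><3><1><0>h<1><0><0>d<3><1>L<209>,I<219>N<144><182><189><200> <131><145><153>d<197>3?<8><6><176>p<208><164>e<227><159><214><186><10>H<3> !<178><192>S<186>~.<4>$[t<14><146><202>k<16>p<158><154>t-<135><244><226>H<172><130>BJ<186><154><127><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>'
SSID2_SERVER_REPLY = r'<1><4><0><132><13><128><0><0><0>z<22><3><1><0>J<2><0><0>F<3><1>L<209>,J<244><247>P<14>L<198><177>"<189><186><11><27><11><176><246><249><238><149><246>6<199>Kz<206><228><201>i<221> !<178><192>S<186>~.<4>$[t<14><146><202>k<16>p<158><154>t-<135><244><226>H<172><130>BJ<186><154><127><0><4><0><20><3><1><0><1><1><22><3><1><0> R<154>j<188><155>/<217><<138><31>c<153><254><225><141>{t<148><138>U<142><29><221><194><26><151>V<219><164>,<185><215>'


def analyse() -> dict:
    first = parse_eap_tls(decode_dump(SSID1_CLIENT_HELLO))
    second = parse_eap_tls(decode_dump(SSID2_CLIENT_HELLO))
    reply = parse_eap_tls(decode_dump(SSID2_SERVER_REPLY))
    return {
        "ssid1": classify(first),
        "ssid2": classify(second, reply),
        "offered_suites": second.cipher_suites,
        "chosen_suite": reply.cipher_suites[0],
        "seconds_between_hellos": second.gmt_unix_time - first.gmt_unix_time,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, [hex(v) for v in value] if isinstance(value, list) else value)
```

Running it reports "new" for the SSID-1 ClientHello and "resumed" for the SSID-2 exchange; the gmt_unix_time fields of the two ClientHello randoms are 36 seconds apart, matching the log timestamps. The practical consequence is that a policy enforced only inside EAPTLS_CertificateVerifyHook is not re-evaluated for a resumed session, even when the new association is on a different SSID, so a per-SSID issuer restriction has to either disable resumption (Radiator's EAPTLS_SessionResumption parameter controls whether it is offered) or be enforced at a point that runs on every Access-Request. As a side observation, the supplicant offers RC4/MD5 (0x0004) and export-grade suites (0x0003, 0x0006, 0x0062 to 0x0064), and the server picks 0x0004, TLS_RSA_WITH_RC4_128_MD5.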