[RADIATOR] WLAN EAP-TLS auth issue

Markus Moeller huaraz at moeller.plus.com
Wed Nov 3 15:15:15 CDT 2010


BTW I use version 4.7.
  ----- Original Message ----- 
  From: Markus Moeller 
  To: radiator at open.com.au 
  Sent: Wednesday, November 03, 2010 8:04 PM
  Subject: WLAN EAP-TLS auth issue


  Hi 

    I am testing EAP-TLS auth with Radiator and came across the following. I have two SSIDs, SSID-1 and SSID-2, and want to restrict access to each of them based on the certificate issuer, e.g. on SSID-1 I allow certs issued by COMP-A and on SSID-2 certs issued by COMP-B. What I notice is that once a user has authenticated to SSID-1 successfully, then disconnects and connects to SSID-2, the EAPTLS hook is not called (see log example). I also see that the server is not sending the CA certificate to the client: in the second exchange the ClientHello carries the session ID from the first connection, the ServerHello echoes it and goes straight to ChangeCipherSpec, so no certificates are exchanged at all. Can it be that the second connection is treated as a resumed TLS session rather than a new one?

    I have the following configuration.


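  # EAPTLS authentication
  <AuthBy FILE>
    Identifier EapTLS
    # The users file only gates user names (it just contains DEFAULT);
    # the real authentication is the client certificate checked below.
    Filename %D/wlan_users
    EAPType TLS
    # WLAN additional certificate policy (EKU and issuer checks).  The hook
    # runs only on a full TLS handshake; a resumed session never reaches it.
    EAPTLS_CertificateVerifyHook file:"%D/cert_check.pl"
    # Every CA in this file can issue client certificates that pass chain
    # verification; keep it to the CAs that are meant to issue WLAN client
    # certs.  The issuer check in the hook narrows by DN only, and a DN is
    # not a cryptographic identity.
    EAPTLS_CAFile %D/certs/CAa.pem

    EAPTLS_CertificateType PEM
    # Radiator server certificate and private key
    EAPTLS_CertificateFile %D/certs/server_cert.pem
    EAPTLS_PrivateKeyFile %D/certs/server_cert.key

    EAPTLS_MaxFragmentSize 1000

    # Revocation: the CRL loaded here must be the one published by the CA
    # that signs the client certificates (the log shows the issuer as
    # "CN=User CA, OU=Test, C=UK").  A root CA's CRL alone does not cover
    # leaf certificates issued by an intermediate -- confirm which CA
    # published Root_CA.pem.  CRLs expire, so refresh this file before its
    # nextUpdate or revocation checking will start failing.
    EAPTLS_CRLCheck
    EAPTLS_CRLFile %D/certs/crls/Root_CA.pem

    # Do not resume TLS sessions.  The second exchange in the log is an
    # abbreviated handshake (the ClientHello carries the session ID from the
    # first connection and the ServerHello echoes it and goes straight to
    # ChangeCipherSpec), so no certificate is exchanged and
    # EAPTLS_CertificateVerifyHook never runs: any policy enforced in the
    # hook is bypassed by switching SSID inside the resumption window.
    # If resumption is wanted for performance, enforce the per-SSID policy
    # outside the hook instead, e.g. one Handler per SSID (matching on
    # Called-Station-Id) with its own AuthBy and its own EAPTLS_CAFile.
    EAPTLS_SessionResumption 0

    AutoMPPEKeys
  </AuthBy>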



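  sub {
    # EAPTLS_CertificateVerifyHook for the WLAN EAP-TLS AuthBy (cert_check.pl).
    #
    # Radiator runs this after OpenSSL has verified the client certificate
    # chain (plus CRL when EAPTLS_CRLCheck is set) and after the subject /
    # subjectAltName has been matched against the User-Name, as the
    # "Matched certificate subjectAltName ..." log line shows.  It adds the
    # policy OpenSSL cannot express on its own: the certificate must be
    # meant for client authentication and must come from an issuer that is
    # allowed on the SSID being joined.
    #
    # Arguments, positional, as passed by Radiator:
    #   $matchdn        - identity that was matched against the certificate
    #   $x509_store_ctx - OpenSSL X509_STORE_CTX (unused)
    #   $cert           - Net::SSLeay X509 pointer to the client certificate
    #   $subject_name   - subject as an X509_NAME (unused)
    #   $subject        - subject DN string (unused)
    #   $p              - the Radius::Radius request being handled
    #
    # Returns 1 to accept the certificate and an empty list (undef in scalar
    # context) to reject it.  The posted version fell off the end on the
    # accept path, which returns a false value; an explicit 1/undef pair
    # satisfies both a truthiness and a definedness test on the hook result
    # -- confirm the exact convention in the Radiator 4.7 reference for
    # EAPTLS_CertificateVerifyHook.
    #
    # Only a full TLS handshake reaches this hook.  A resumed TLS session
    # exchanges no certificate, so nothing here is re-evaluated for it; if
    # the issuer policy must hold per connection, disable or limit TLS
    # session resumption in the AuthBy clause as well.
    use strict;
    use warnings;
    use Crypt::OpenSSL::X509;

    my ($matchdn, $x509_store_ctx, $cert, $subject_name, $subject, $p) = @_;

    &main::log($main::LOG_DEBUG, "cert_check: enter hook");

    # Issuer DNs allowed per SSID.  Keys are the SSID part of
    # Called-Station-Id ("<AP MAC>:<SSID>"); the '*' entry applies to any
    # SSID without an entry of its own.  Add one entry per SSID to restrict
    # it to its own CA.  A DN is only a name: any CA in EAPTLS_CAFile could
    # issue a certificate (or a sub-CA) carrying one of these issuer names,
    # so this list narrows by name but does not replace a minimal
    # EAPTLS_CAFile.
    my %issuers_for_ssid = (
        '*' => [ 'CN=User CA, OU=Test, C=UK' ],
    );

    # Work out which SSID the request came in on and pick its allow-list;
    # an SSID with its own entry does not fall back to '*'.
    my $called_station = defined $p ? $p->get_attr('Called-Station-Id') : undef;
    my $ssid = defined $called_station && $called_station =~ /:([^:]*)\z/ ? $1 : '';
    my $policy_key = exists $issuers_for_ssid{$ssid} ? $ssid : '*';
    my @allowed_issuers = @{ $issuers_for_ssid{$policy_key} || [] };

    my $issuer_name = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert));

    # Re-parse the certificate with Crypt::OpenSSL::X509 to read the
    # extendedKeyUsage extension; a certificate without one yields an
    # empty list instead of a call on undef.
    my $x509 = Crypt::OpenSSL::X509->new_from_string(Net::SSLeay::PEM_get_string_X509($cert));
    my $eku_extension = $x509->extensions_by_name->{extendedKeyUsage};
    my @extended_key_usage = defined $eku_extension ? $eku_extension->extKeyUsage : ();

    my $matchdn_str = defined $matchdn ? $matchdn : '';
    &main::log($main::LOG_DEBUG, "cert_check: matchDN: $matchdn_str");
    &main::log($main::LOG_DEBUG, "cert_check: ssid: [$ssid] (policy '$policy_key')");
    &main::log($main::LOG_DEBUG, "cert_check: issuer: $issuer_name");
    &main::log($main::LOG_DEBUG, "cert_check: Extended Key Usage strings found in certificate: " . join(' & ', @extended_key_usage));

    # The certificate must be usable for TLS client authentication.  Exact
    # names are compared, not substrings.
    unless (grep { $_ eq 'clientAuth' || $_ eq 'anyExtendedKeyUsage' } @extended_key_usage) {
        &main::log($main::LOG_ERR, "cert_check: certificate presented does not have required values present in Extended Key Usage field.");
        return;
    }

    # Exact comparison of the issuer DN against the allow-list.  The posted
    # version interpolated the DN into a regex, which makes every
    # metacharacter in the DN part of the pattern.
    if (grep { $_ eq $issuer_name } @allowed_issuers) {
        &main::log($main::LOG_DEBUG, "cert_check: Successful match for issuer_name [$issuer_name] with issuer_string [$issuer_name]");
        return 1;
    }

    &main::log($main::LOG_ERR, "cert_check: invalid certificate issuer [$issuer_name] in request for ssid [$ssid].");
    return;
  }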


  Wed Nov  3 09:32:20 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 153
  Authentic:  +R<20><209><177><167>5/<246>y%<135><133><134><191><173>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><3><0><18><1>user1 at TEST.UK
          Message-Authenticator = L><159><3>4<221><139>8<214>g<237><153><22>v<200><197>

  Wed Nov  3 09:32:20 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:20 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:20 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:20 2010: DEBUG: Handling with EAP: code 2, 3, 18, 1
  Wed Nov  3 09:32:20 2010: DEBUG: Response type 1
  Wed Nov  3 09:32:20 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:20 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:20 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:20 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 153
  Authentic:  <213>o<31><153>j1<190><209>Yu&<238><166><210>_<16>
  Attributes:
          EAP-Message = <1><4><0><6><13> 
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:21 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 154
  Authentic:  >k<16>#p<154><1><245><194>d<165><131><189><143><237><142>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><4><0>W<13><128><0><0><0>M<22><3><1><0>H<1><0><0>D<3><1>L<209>,%<239><146><242><12><235><234>.'<3>h<6><31><178>Y3<155><194><158><177>A<142><239><188>T}<202>J&<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
          Message-Authenticator = Pg<184><167>vMr<0><24>D<189><210><248>a<241><191>

  Wed Nov  3 09:32:21 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:21 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:21 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:21 2010: DEBUG: Handling with EAP: code 2, 4, 87, 13
  Wed Nov  3 09:32:21 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:21 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:21 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:21 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:21 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 154
  Authentic:  y<241><254>,<218>r_<188>Cx<13><222>|<229>;S
  Attributes:
          EAP-Message = <1><5><3><242><13><192><0><0><19><9><22><3><....
          EAP-Message = Z<23><13>111014083918Z0i1<19>0<17><6><10><9><146>.....
          EAP-Message = <136><11><151><141>_<172>gL<222>)<25><142><186>.....
          EAP-Message = ........
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 155
  Authentic:  <158><174><179>V<16><12><128><213><222>6M<173><201>g?<134>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><5><0><6><13><0>
          Message-Authenticator = <178>[ ,i<24>f<24><<17><176>Dx]g<164>

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 5, 6, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 155
  Authentic:  <155>}<137><8><191><244>P<193>R<235><165><136>rN<139><145>
  Attributes:
          EAP-Message = <1><6><3><238><13>...
          EAP-Message = <29><6><3>U<29><14><4>....
          EAP-Message = B<25>tB<130><186><217><5>.....
          EAP-Message = <12>0<10><6><3>U<4><11><19>......
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 156
  Authentic:  <252>;pf<152>/K<147><193> <239><168><213><237><224>N
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><6><0><6><13><0>
          Message-Authenticator = m<220>y<12><240><226>=<245><212><185><247>n1z<213><20>

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 6, 6, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 156
  Authentic:  <187>t<158><191><143>&<207>t%9<247><215>.<232><159><137>
  Attributes:
          EAP-Message = <1><7><3><238><13>@<171><9><225>......
          EAP-Message = *<6><3>U<29><31><4><130><3>!0<130>.....
          EAP-Message = ..........
          EAP-Message = ..............
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 157
  Authentic:  <150>n<250>];"<13>@X4h<218><185>O'<158>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><7><0><6><13><0>
          Message-Authenticator = <24><6><226>"<229>o<230><170>%<0><199><203><141><217><157>*

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 7, 6, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 157
  Authentic:  <210><207>\<219><218><225>v&~<132><198>+<196><217><3><163>
  Attributes:
          EAP-Message = ........
          EAP-Message = <1><172>.......
          EAP-Message = 0<9><6><3>U<4>.......
          EAP-Message = v<31><142>a<160><183>.....
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 158
  Authentic:  <173><11><15>-<27>p<10><217><141>PpN<249><172><154><162>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><8><0><6><13><0>
          Message-Authenticator = <220><204><217>r<202><202><9>JI<133><136>ft<14><163><163>

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 8, 6, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 158
  Authentic:  <5><l<214><205><214>2<131><19><156>8<147>[n<183>Y
  Attributes:
          EAP-Message = <1><9><3>o<13><0><6>..........
          EAP-Message = l<150>^<127><11><135><162>y<23>..........
          EAP-Message = <0>\0Z1<11>0<9><6><3>U<4><6><19><2>..........
          EAP-Message = <23>.........
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 159
  Authentic:  <17><137><244>k<231><13>N1<234><148><225>Af<170>+<148>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><9><5><210><13><192>..........
          EAP-Message = <23>0<21><6><3>..........
          EAP-Message = ......
          EAP-Message = <1><5><5><7>0<2><134>.........
          EAP-Message = ........
          EAP-Message = .............
          Message-Authenticator = ~<197><172><250><144><231><209><208><153>t<244>a5<138><230>G

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 9, 1490, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 159
  Authentic:  Z<19>D<192><H<140><160><<206>- <134><217><247>5
  Attributes:
          EAP-Message = <1><10><0><6><13><0>
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 160
  Authentic:  {.g<138>Z~<3><207><232><157><156><254><179><197><211><156>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><10><5><210><13>..........
          EAP-Message = ..........
          EAP-Message = <29><14><4><22><4><20>........
          EAP-Message = <217><207><202>.......
          EAP-Message = 1<12>0<10><6><3>.........
          EAP-Message = <255><28><161>i<249>S<239>...........
          Message-Authenticator = <127><129><235>f<158><207>2i8<232>jg<127><199><162>r

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 10, 1490, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 160
  Authentic:  <150><166><211>4A\<236>.s<241>(<20><180>=<2><151>
  Attributes:
          EAP-Message = <1><11><0><6><13><0>
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 161
  Authentic:  -<246><25><160>x)<170><243>7<141><199>1<157>k31
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><11><5>}........
          EAP-Message = ...........
          EAP-Message = ..........
          EAP-Message = <160>9<134>........
          EAP-Message = <28><193>.....
          EAP-Message = <156><252><251>.......
          Message-Authenticator = <200><142><229><189>*<183><202>iYGOo<213>.e<6>

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 11, 1405, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: Certificate Subject Name is /DC=uk/DC=test/O=TEST/CN=Markus Moeller
  Wed Nov  3 09:32:22 2010: DEBUG: Checking subjectAltName type 1, value test.user at test.uk
  Wed Nov  3 09:32:22 2010: DEBUG: Checking subjectAltName type 0, value user1 at TEST.UK
  Wed Nov  3 09:32:22 2010: DEBUG: Matched certificate subjectAltName user1 at TEST.UK with User-Name user1 at TEST.UK or identity user1 at TEST.UK
  Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE looks for match with user1 at TEST.UK [user1 at TEST.UK]
  Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE REJECT: No such user: user1 at TEST.UK [user1 at TEST.UK]
  Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [user1 at TEST.UK]
  Wed Nov  3 09:32:22 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [user1 at TEST.UK]
  Wed Nov  3 09:32:22 2010: DEBUG: cert_check: enter hook
  Wed Nov  3 09:32:22 2010: DEBUG: cert_check: matchDN: user1 at TEST.UK
  Wed Nov  3 09:32:22 2010: DEBUG: cert_check: issuer: CN=User CA, OU=Test, C=UK
  Wed Nov  3 09:32:22 2010: DEBUG: cert_check: Extended Key Usage strings found in certificate: msSmartcardLogin & clientAuth
  Wed Nov  3 09:32:22 2010: DEBUG: cert_check: Successful match for issuer_name [CN=User CA, OU=Test, C=UK] with issuer_string [CN=User CA, OU=Test, C=UK]
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 161
  Authentic:  <1>P'<188><205><128><136><211><226>R<143><22>HJ<7><16>
  Attributes:
          EAP-Message = <1><12><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0> ~<231><163><26><234><180><254><23><238><217><251>!<158>CO<213><145>)l<214>{<205><206><184><224><12>O<200>G<19><<137>
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 162
  Authentic:  <201>~8<133><171><210><230><184>{:<209>M<192><19>(<10>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 7
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><12><0><6><13><0>
          Message-Authenticator = <234><143>_<203>-}Hm<244><163>X<15><7><145><23><141>

  Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 12, 6, 13
  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:22 2010: DEBUG: EAP result: 0, 
  Wed Nov  3 09:32:22 2010: DEBUG: AuthBy FILE result: ACCEPT, 
  Wed Nov  3 09:32:22 2010: DEBUG: Access accepted for user1 at TEST.UK
  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Accept
  Identifier: 162
  Authentic:  ;<197><218><9>U<141>8D<213><156><223><212>;Plz
  Attributes:
          EAP-Message = <3><12><0><4>
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
          MS-MPPE-Send-Key = r<240>i<221><235><183><224><247><159><161><174>#G<244><23><213><245><220><194><128>K<8><23>!<24>w<204><233><18>i<225>t
          MS-MPPE-Recv-Key = U<172><208>8<23>$]<172><18><136><31><16><175><22><192><<153><198><18>6<210><202><170><190><4>-<148><15><184>@7:










  Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 163
  Authentic:  $<194><159><255><245><145>=s<<207><190><216><186><157><218><222>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-2"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 1
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><2><0><18><1>user1 at TEST.UK
          Message-Authenticator = cD<134><215><188>f<231><1><139>U<221><172><173><202>3<174>

  Wed Nov  3 09:32:58 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:58 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:58 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:58 2010: DEBUG: Handling with EAP: code 2, 2, 18, 1
  Wed Nov  3 09:32:58 2010: DEBUG: Response type 1
  Wed Nov  3 09:32:58 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:58 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:58 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 163
  Authentic:  <250>x<237>&L at d<247><187><2><186><197><152>@<194><133>
  Attributes:
          EAP-Message = <1><3><0><6><13> 
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 164
  Authentic:  _<175><14>Q<170>.<218><186><156><179>W<243>w<211>--
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-2"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 1
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><3><0>w<13><128><0><0><0>m<22><3><1><0>h<1><0><0>d<3><1>L<209>,I<219>N<144><182><189><200> <131><145><153>d<197>3?<8><6><176>p<208><164>e<227><159><214><186><10>H<3> !<178><192>S<186>~.<4>$[t<14><146><202>k<16>p<158><154>t-<135><244><226>H<172><130>BJ<186><154><127><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
          Message-Authenticator = t<31><193><136>t<223><151><143>><7><177>L<21>9<13>X

  Wed Nov  3 09:32:58 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:58 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:58 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:58 2010: DEBUG: Handling with EAP: code 2, 3, 119, 13
  Wed Nov  3 09:32:58 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:58 2010: DEBUG: EAP result: 3, EAP TLS Challenge
  Wed Nov  3 09:32:58 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
  Wed Nov  3 09:32:58 2010: DEBUG: Access challenged for user1 at TEST.UK: EAP TLS Challenge
  Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Challenge
  Identifier: 164
  Authentic:  <130>F<239><213><240>4<144><158><16><10><179><6><22><197><150>P
  Attributes:
          EAP-Message = <1><4><0><132><13><128><0><0><0>z<22><3><1><0>J<2><0><0>F<3><1>L<209>,J<244><247>P<14>L<198><177>"<189><186><11><27><11><176><246><249><238><149><246>6<199>Kz<206><228><201>i<221> !<178><192>S<186>~.<4>$[t<14><146><202>k<16>p<158><154>t-<135><244><226>H<172><130>BJ<186><154><127><0><4><0><20><3><1><0><1><1><22><3><1><0> R<154>j<188><155>/<217><<138><31>c<153><254><225><141>{t<148><138>U<142><29><221><194><26><151>V<219><164>,<185><215>
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

  Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
  *** Received from 191.169.1.21 port 32768 ....
  Code:       Access-Request
  Identifier: 165
  Authentic:  <237><154>`f<221><253>'-S<149><254>e<234>"<218><173>
  Attributes:
          User-Name = "user1 at TEST.UK"
          Calling-Station-Id = "00-22-fa-aa-bb-cc"
          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-2"
          NAS-Port = 29
          NAS-IP-Address = 191.169.1.21
          NAS-Identifier = "Controller1"
          Airespace-WLAN-Id = 1
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-IEEE-802-11
          Tunnel-Type = 0:VLAN
          Tunnel-Medium-Type = 0:802
          Tunnel-Private-Group-ID = 662
          EAP-Message = <2><4><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0> .<215><190><197>sA^<176><195>n6<236>7<199>eq=<194>y/<167><181><187><20><175><180><219><174><211>-tQ
          Message-Authenticator = <133><156><216><160>?<145>t<201><0><197>7i!M<5><0>

  Wed Nov  3 09:32:58 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
  Wed Nov  3 09:32:58 2010: DEBUG:  Deleting session for user1 at TEST.UK, 191.169.1.21, 29
  Wed Nov  3 09:32:58 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Nov  3 09:32:58 2010: DEBUG: Handling with EAP: code 2, 4, 53, 13
  Wed Nov  3 09:32:58 2010: DEBUG: Response type 13
  Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE looks for match with user1 at TEST.UK [user1 at TEST.UK]
  Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user: user1 at TEST.UK [user1 at TEST.UK]
  Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [user1 at TEST.UK]
  Wed Nov  3 09:32:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [user1 at TEST.UK]
  Wed Nov  3 09:32:58 2010: DEBUG: EAP result: 0, 
  Wed Nov  3 09:32:58 2010: DEBUG: AuthBy FILE result: ACCEPT, 
  Wed Nov  3 09:32:58 2010: DEBUG: Access accepted for user1 at TEST.UK
  Wed Nov  3 09:32:58 2010: DEBUG: Packet dump:
  *** Sending to 191.169.1.21 port 32768 ....
  Code:       Access-Accept
  Identifier: 165
  Authentic:  <165><236>/<144><233><245><243>w<157><157><172>L<217><135><184><249>
  Attributes:
          EAP-Message = <3><4><0><4>
          Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
          MS-MPPE-Send-Key = \f]7<25>0s<155>y<245><187><182>|f[Fs%<158>UM<225><14><23><223>?<254><178><160><20>'<208>
          MS-MPPE-Recv-Key = <13><31>=!<207><18><212>u&<239><228><237><170>@<13>$M<194><0>v<158><195><246>V<243><142>@<140><172>]<178><21>