[RADIATOR] Issues with AuthbyNTLM (LONG)

Hugh Irvine hugh at open.com.au
Wed Sep 22 16:24:46 CDT 2010


Hello Todd -

Thanks for sending the relevant information with your question - it certainly helps.

From what I can see, as do you, Radiator appears to be operating correctly - the final MSCHAP-V2 challenge is sent to the client, and presumably the client just starts the negotiation again?

This is usually due to a misconfiguration of the client supplicant, or possibly missing reply attributes (however we don't see the final access accept in debug, so not likely).

I think you will need to do some debugging on the client supplicant side to see what is happening there and why it restarts the negotiation.

regards

Hugh


On 23 Sep 2010, at 02:23, Smith, Todd wrote:

> Hello,
> 
> I have just purchased Radiator to replace some elderly Steel-Belted RADIUS and I am still in test mode, but after looking at the documentation and testing a single client, I am still having problems with an endless loop of authentication requests.
> 
> My environment is a Ubuntu 10.04.1 LTS server fully patched running the latest version of Samba from the Ubuntu distribution.  The Samba services are configured as a member server to a Windows 2003 Active Directory and klist successfully authenticated a username and password and ntlm_auth reports OK after a successful username and password.  Radiator was downloaded as the tarball and was installed into a /usr/src source directory.
> 
> 1) A clear description of the problem
> 
> Client does not complete the authentication process even though the Accept message seems to indicate a successful authentication.  The client then attempts to reauthenticate and the loop doesn't end.
> 
> 2) Copy of the Radiator configuration file (no secrets)
> 
> (default file found in goodies)
> 
> # ntlm_eap_multi.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PAP, EAP-TTLS and EAP-PEAP authentication as used by Windows XP
> # (starting with SP1) using AuthBy NTLM and Microsoft domain controller
> #
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows
> # Domain when Radiator runs on a Linux or Unix host, with the
> # assistance of utilities from the Samba suite (www.samba.org).
> #
> # AuthBy NTLM requires that ntlm_auth (and winbindd), both part of Samba,
> # are installed and configured
> # correctly. See goodies/smb.conf.winbindd for sample configuration and installation hints.
> #
> # AuthBy NTLM runs the Samba utility ntlm_auth as a child process in order to authenticate
> # requests. It keeps ntlm_auth running between requests and passes it authentication
> # information on stdin, and gets back the authentication results from stdout.
> # Caution:  AuthBy NTLM blocks while waiting for the result output of ntlm_auth.
> #
> # Because AuthBy NTLM requires that ntlm_auth be properly installed and configured with winbindd,
> # it is vitally important that you confirm that ntlm_auth is working properly before trying
> # to use AuthBy NTLM. You can test ntlm_auth like this:
> #  ntlm_auth --username=yourusername --domain=yourdomain --password=yourpassword
> # if that does not work for a valid username and password, there is no way that
> # AuthBy NTLM will work. Make sure  ntlm_auth works first!
> #
> # Works with PAP, MSCHAP, MSCHAPV2
> # Radiator must be run as root in order to do MSCHAP or MSCHAPV2 via ntlm_auth
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: ntlm_eap_multi.cfg,v 1.2 2007/12/18 21:23:50 mikem Exp $
> 
> Foreground
> LogStdout
> LogDir          .
> DbDir           .
> # Use a lower trace level in production systems:
> Trace           4
> AuthPort 1645,1812
> 
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>        Secret  mysecret
>        DupInterval 0
> </Client>
> 
> # This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
> # handles the outer and inner requests for TTLS and PEAP. You can use
> # it to authenticate almost anything against Microsoft Active Directory
> <Handler>
>        <AuthBy NTLM>
>                # The name of the ntlm_auth program, supplied with
>                # Samba. Defaults to '/usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1'
>                # You can require that authenticated users belong to a certain group with:
>                #NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName
>                # or you can specify that the NTLM authentication requests appear to come from a workstation with
>                # a specified name. This can be used to restrict authentication for certain users by setting
>                # workstation requirements in their Windows user configuration.
>                #NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1 --workstation=MyWorkstationName
> 
>                # Specifies which Windows Domain is ALWAYS to be used to authenticate
>                # users (even if they specify a different domain in their username).
>                # Special characters are supported. Can be an Active
>                # directory domain or a Windows NT domain controller
>                # domain name
>                #Domain OPEN
> 
>                # Specifies the Windows Domain to use if the user does not
>                # specify a domain in their username.
>                # Special characters are supported. Can be an Active
>                # directory domain or a Windows NT domain controller
>                # domain name
>                # DefaultDomain CAMC
> 
>                # EAPType sets the EAP type(s) that Radiator will honour.
>                # Options are: MD5-Challenge, One-Time-Password
>                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                # Multiple types can be comma separated. With the default (most
>                # preferred) type given first
>                EAPType PEAP, TTLS, MSCHAP-V2, LEAP
> 
>                # EAPTLS_CAFile is the name of a file of CA certificates
>                # in PEM format. The file can contain several CA certificates
>                # Radiator will first look in EAPTLS_CAFile then in
>                # EAPTLS_CAPath, so there usually is no need to set both
>                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> 
>                # EAPTLS_CAPath is the name of a directory containing CA
>                # certificates in PEM format. The files each contain one
>                # CA certificate. The files are looked up by the CA
>                # subject name hash value
> #               EAPTLS_CAPath
> 
>                # EAPTLS_CertificateFile is the name of a file containing
>                # the servers certificate. EAPTLS_CertificateType
>                # specifies the type of the file. Can be PEM or ASN1
>                # defaults to ASN1
>                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                EAPTLS_CertificateType PEM
> 
>                # EAPTLS_PrivateKeyFile is the name of the file containing
>                # the servers private key. It is sometimes in the same file
>                # as the server certificate (EAPTLS_CertificateFile)
>                # If the private key is encrypted (usually the case)
>                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                EAPTLS_PrivateKeyPassword whatever
> 
>                # EAPTLS_RandomFile is an optional file containing
>                # randomness
> #               EAPTLS_RandomFile %D/certificates/random
> 
>                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                # size that will be replied by Radiator. It must be small
>                # enough to fit in a single Radius request (ie less than 4096)
>                # and still leave enough space for other attributes
>                # Aironet APs seem to need a smaller MaxFragmentSize
>                # (eg 1024) than the default of 2048. Others need even smaller sizes.
>                EAPTLS_MaxFragmentSize 1000
> 
>                # EAPTLS_DHFile if set specifies the DH group file. It
>                # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
> 
> 
>                # If EAPTLS_CRLCheck is set and the client presents a certificate
>                # then Radiator will look for a certificate revocation list (CRL)
>                # for the certificate issuer
>                # when authenticating each client. If a CRL file is not found, or
>                # if the CRL says the certificate has been revoked, the authentication will
>                # fail with an error:
>                #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>                # Alternatively, CRLs may follow a file naming convention:
>                #  the hash of the issuer subject name
>                # and a suffix that depends on the serial number.
>                # eg ab1331b2.r0, ab1331b2.r1 etc.
>                # You can find out the hash of the issuer name in a CRL with
>                #  openssl crl -in crl.pem -hash -noout
>                # CRLs with this name convention
>                # will be searched in EAPTLS_CAPath, else in the openssl
>                # certificates directory typically /usr/local/openssl/certs/
>                # CRLs are expected to be in PEM format.
>                # CRL files can be generated with openssl like this:
>                #  openssl ca -gencrl -revoke cert-clt.pem
>                #  openssl ca -gencrl -out crl.pem
>                # Use of these flags requires Net_SSLeay-1.21 or later
>                #EAPTLS_CRLCheck
>                #EAPTLS_CRLFile %D/certificates/crl.pem
>                #EAPTLS_CRLFile %D/certificates/revocations.pem
> 
>                # Some clients, depending on their configuration, may require you to specify
>                # MPPE send and receive keys. This _will_ be required if you select
>                # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>                # client Network Properties dialog.
>                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                # in the final Access-Accept
>                AutoMPPEKeys
> 
>                # You can configure the User-Name that will be used for the inner
>                # authentication. Defaults to 'anonymous'. This can be useful
>                # when proxying the inner authentication. If there is a realm, it can
>                # be used to choose a local Realm to handle the inner authentication.
>                # %0 is replaced with the EAP identity
>                # EAPAnonymous anonymous@some.other.realm
> 
>                # You can enable or disable support for TTLS Session Resumption and
>                # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>                # Default is enabled
>                #EAPTLS_SessionResumption 0
> 
>                # You can limit how long after the initial session that a session can be resumed
>                # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>                # (12 hours)
>                #EAPTLS_SessionResumptionLimit 10
>        </AuthBy>
> </Handler>
> 
> 3) A trace 4 debug from Radiator showing what is happening
> 
>        Message-Authenticator = <238>g<212><250><<186><196>?<236>v<207>zd<171><128><223>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 1, 17, 1
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 1
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1104 ....
> Code:       Access-Challenge
> Identifier: 38
> Authentic:  <197><141>l|<151><228>~<136><144>Lr<198><251>Fa<208>
> Attributes:
>        EAP-Message = <1><2><0><6><25>!
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1105 ....
> Code:       Access-Request
> Identifier: 39
> Authentic:  <127>y<127>y<127>y<127>y<127>y<127>y<127>y<127>y
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><2><0>w<25><128><0><0><0>m<22><3><1><0>h<1><0><0>d<3><1>L<154>*[<24><188><195><198><223><158>VD<154><205>[<205>CWi<149><176>+{<164><20><5>(<181>|UiR <224>vA\n<202>p<238><19> c<167><129>x<19><26><173><0><4>8<180><226><158><147><26>'<147>]<130><31><168><145><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
>        Message-Authenticator = c<167><205>V<156><203><248>o<9>W<165>A<169>-<201>k
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 2, 119, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1105 ....
> Code:       Access-Challenge
> Identifier: 39
> Authentic:  d<180><1><161><202><190>OA<153><4><236><176><20><136><172><148>
> Attributes:
>        EAP-Message = <1><3><3><242><25><192><0><0><7><185><22><3><1><0>Q<2><0><0>M<3><1>L<154>)g.*(`<229><14>_`<19>m<217>m<10><185><181>/<7><135><198><31><187>+<23><197><169>i_<188> <195>Nrl,<188><188>VxP>^<191>~<224><212>g<223>b<155><167>|<247>3}<145>)<144>F<11><144>]<0><4><0><0><5><255><1><0><1><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certific
>        EAP-Message = ate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Section1%0#<6>
>        EAP-Message = <3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><207><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183>
>        EAP-Message = <246><141>'<233>V<198><203><206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1106 ....
> Code:       Access-Request
> Identifier: 40
> Authentic:  K<229>K<229>K<229>K<229>K<229>K<229>K<229>K<229>
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><3><0><6><25><0>
>        Message-Authenticator = D)!<30>(<236><27>y<255><7><192>hm<202><192><161>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 3, 6, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1106 ....
> Code:       Access-Challenge
> Identifier: 40
> Authentic:  <165><142><8>&<163><216><215><17>kR1<192>|w%<228>
> Attributes:
>        EAP-Message = <1><4><3><215><25><0><4><11><19><24>Test Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test C
>        EAP-Message = ertificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><221><135><194>,<1>U3|N'<174><232><18>VB6<20><197>'x<167><242><198>I<253>[<184>:<254><240><168><221>Se><13><130><251><23> <4><29> q#<228><181>#<236>9<182>0Q<253><0><227>eL<190>6K<4>8<240>L<178><255>^IS_T)n<206><147>%<251><255>o<229><128><30><140><14><149><22><21>+Yf<128><155><190><241><153>:<226>;<219><240><182>#<151><209>|<141><223><128>w<213>@<14><206><228> <203><132><0>w<134><255>Q
>        EAP-Message = hd<12><190>9<2><3><1><0><1><163><130><1>30<130><1>/0<29><6><3>U<29><14><4><22><4><20><151>NFk<218><183>Rv/<18>-<225>P<190>E<209><205><183> p0<129><255><6><3>U<29>#<4><129><247>0<129><244><128><20><151>NFk<218><183>Rv/<18>-<225>P<190>E<209><205><183> p<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in pr
>        EAP-Message = oduction)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130><9><0><249><170>@<232><246>7<146>$0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0>y<18>9X<176><<236><203><168><151><202><144><201>Q$<166><217><249><17>|<163>8<129><232>dr<236><211><240>WP<162>B<157><250>9<224><152>JA<213><127>><247>:<227><191><18><232>u,<172><237><188>?<8><239>E<239>m<203><152><10>`<18>V$<184><7><205><137><138>p<139><152><240><20><3>{<150>7<156><193><4><153><190><8><216><173><9><185>9<158><211>^ex<144><208><128><251>+<15><146>KQ<249><234><171><3><14>2<206><9>K<220><201>f<159>f<~<149><21>c<227>V<203><22><3><1><0><4><14><0><0><0>
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1107 ....
> Code:       Access-Request
> Identifier: 41
> Authentic:  <24>R<24>R<24>R<24>R<24>R<24>R<24>R<24>R
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><4><0><192><25><128><0><0><0><182><22><3><1><0><134><16><0><0><130><0><128>=<255><244>3<239><211><207>D<162>><172>g<127>D<160>t <226><7>U<149><238><127><24><165>,<238><177>2vL5F<11>K<135>L<166><9><207>|#5&j<246>my<237><162><210><177>~<26><223>:<176><160><212><189><184>a*<189>/<26>a<178><30><173>#<215><195>u<137><181>m<179>'<150><152><196><191>E/<156><138><214><7><242><18>x^}zj<161><8><19><142>F<169><14><192><170>2<218><166><184>N<207><141><201>c<24><231><182><152>L<180>'<23><166>QS<229>83<20><3><1><0><1><1><22><3><1><0> <196>I<130>:s<215><141><237><25><192>}s<185>UK<155><191>M9:<233><1>|<132><188><204><248><173>21<175><176>
>        Message-Authenticator = <192><128><128>J.<130>!<182>$<184><0><176><17><185><170><19>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 4, 192, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1107 ....
> Code:       Access-Challenge
> Identifier: 41
> Authentic:  <205><230><168><179><4><133><20><254>|<5><153><174>V<216><225>Q
> Attributes:
>        EAP-Message = <1><5><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0> JL<224><252><128><198>UX<217><156>H<131><204><175>Y<173>+X)<242><169>\<220><187>uhqNz<188>Y<17>
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1108 ....
> Code:       Access-Request
> Identifier: 42
> Authentic:  d<190>d<190>d<190>d<190>d<190>d<190>d<190>d<190>
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><5><0><6><25><0>
>        Message-Authenticator = <227>V$Y<137>u<230>4<182>n&<200>P<254><155><175>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 5, 6, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1108 ....
> Code:       Access-Challenge
> Identifier: 42
> Authentic:  d<206><224><139><187>K<187>~<247><156>BZ<235><160><136><209>
> Attributes:
>        EAP-Message = <1><6><0><28><25><0><23><3><1><0><17><187>W<161>6O<160>;D<144>?<184><219>!<205>H<0><255>
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1109 ....
> Code:       Access-Request
> Identifier: 43
> Authentic:  1*1*1*1*1*1*1*1*
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><6><0>(<25><0><23><3><1><0><29><230><164>y<21>D<217><136>><151>y<229><191><13><191><164><12><161><201><228><15>o<203><224>z<239><155>5<182>9
>        Message-Authenticator = <27><21><229><196>v<17><144><191>Y<242><171><148><189>T6<182>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 6, 40, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP PEAP inner authentication request for anonymous
> Wed Sep 22 12:05:59 2010: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  \<244><12><206><192><245><15><132><225><248>84@@<235><162>
> Attributes:
>        EAP-Message = <2><6><0><13><1>CAMC\tssmith
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>        NAS-IP-Address = 10.2.96.19
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        NAS-Port = 16973824
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        User-Name = "anonymous"
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for anonymous, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 6, 13, 1
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 1
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for anonymous: EAP PEAP Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  \<244><12><206><192><245><15><132><225><248>84@@<235><162>
> Attributes:
>        EAP-Message = <1><7><0><6><25>!
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1109 ....
> Code:       Access-Challenge
> Identifier: 43
> Authentic:  <140><194><223><200><<135>d<196>%pi<10><2><229><251><251>
> Attributes:
>        EAP-Message = <1><7><0><29><25><0><23><3><1><0><18>!Q\<209>P--<253><182>fW<156><217>:<192>\<246><190>
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1110 ....
> Code:       Access-Request
> Identifier: 44
> Authentic:  ?\?\?\?\?\?\?\?\
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><7><0><29><25><0><23><3><1><0><18><190>!<240><195><180><10><246>'d<185><220><227>WC<15><226>RW
>        Message-Authenticator = <239><173><209><142><22>~eQ<216>=<208><240>YJ+7
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 7, 29, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP PEAP inner authentication request for anonymous
> Wed Sep 22 12:05:59 2010: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  r1<240>-1<135>M)<167>d[<132><154><212><178>9
> Attributes:
>        EAP-Message = <2><7><0><2><3><26>
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>        NAS-IP-Address = 10.2.96.19
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        NAS-Port = 16973824
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        User-Name = "anonymous"
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for anonymous, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 7, 2, 3
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 3
> Wed Sep 22 12:05:59 2010: DEBUG: EAP Nak desires type 26
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> Wed Sep 22 12:05:59 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  r1<240>-1<135>M)<167>d[<132><154><212><178>9
> Attributes:
>        EAP-Message = <1><8><0>*<26><1><8><0>%<16>2<234>Tp<242>,E<237><219><143><19><176>T<158><222><137>weiland.camc.hsi
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1110 ....
> Code:       Access-Challenge
> Identifier: 44
> Authentic:  ><128><164><252>ii<202>x4<13><4>20<197><12>(
> Attributes:
>        EAP-Message = <1><8><0>A<25><0><23><3><1><0>6a~<155><3><148><250><154>[<210>U<13>D<138><5>t#"<227><230>"A<23><215><27><247><191><222><162><21><248><14><184>6<236><153>~A<160><131>tG<130><132>K<205><130>Vy.<175><161><213><182><210>
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Received from 10.2.96.19 port 1111 ....
> Code:       Access-Request
> Identifier: 45
> Authentic:  M<143>M<143>M<143>M<143>M<143>M<143>M<143>M<143>
> Attributes:
>        NAS-IP-Address = 10.2.96.19
>        NAS-Port-Type = Wireless-IEEE-802-11
>        NAS-Port = 16973824
>        Framed-MTU = 1400
>        User-Name = "CAMC\tssmith"
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        Called-Station-Id = "00-11-88-06-ff-36:WPA-TestB"
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        EAP-Message = <2><8><0>^<25><0><23><3><1><0>S<200>Z<189><210><157><181><224>k<206><150><183>@S<4><167><217><129><157><242><220>`<24><161><153><3><147><3>f&<0><165>F<208><24>X}<28>$i<166>Q.<165><217><230><247><218><156>V$<134><239><152><171><223><185>[<243><147>M<145>+<166>s<244><143><180><154><9><193>t<10><252><218><142><130>=3<15><252>B<248>}
>        Message-Authenticator = <189><230>.z<186><151><7><174><6><181><132><26><156>|<212>&
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for CAMC\tssmith, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 8, 94, 25
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 25
> Wed Sep 22 12:05:59 2010: DEBUG: EAP PEAP inner authentication request for anonymous
> Wed Sep 22 12:05:59 2010: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <232><180><135>ho<23><1><169><169><10><215>4<199><184><149>I
> Attributes:
>        EAP-Message = <2><8><0>C<26><2><8><0>B1Wh<5>^<141><175><213><249><149><254>Wn"<180><27>U<0><0><0><0><0><0><0><0><218><235><166><31><10><133><229>AFD<<226><221><135><189>b<229>q<163><11><248>-"<4><0>CAMC\tssmith
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>        NAS-IP-Address = 10.2.96.19
>        NAS-Identifier = "Dover Standalone (Thick) AP"
>        NAS-Port = 16973824
>        Calling-Station-Id = "00-13-ce-69-43-2c"
>        User-Name = "anonymous"
> 
> Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for anonymous, 10.2.96.19, 16973824
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 8, 67, 26
> Wed Sep 22 12:05:59 2010: DEBUG: Response type 26
> Wed Sep 22 12:05:59 2010: DEBUG: Radius::AuthNTLM looks for match with CAMC\tssmith [anonymous]
> Wed Sep 22 12:05:59 2010: DEBUG: Radius::AuthNTLM ACCEPT: : CAMC\tssmith [anonymous]
> Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute LANMAN-Challenge: 179b1eda2032ef41
> Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute NT-Response: daeba61f0a85e54146443ce2dd87bd62e571a30bf82d2204
> Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute NT-Domain:: Q0FNQw==
> Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Username:: dHNzbWl0aA==
> Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: Authenticated: Yes
> Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: LANMAN-Session-Key: 55FC5F8DFAA3A58D
> Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: User-Session-Key: B48DFF252D4FAB7CBEA3207E1A5C51BE
> Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: .
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for anonymous: EAP MSCHAP V2 Challenge: Success
> Wed Sep 22 12:05:59 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <232><180><135>ho<23><1><169><169><10><215>4<199><184><149>I
> Attributes:
>        EAP-Message = <1><9><0>=<26><3><8><0>8S=AD59BE8E0A96165332AEEBF926A4002E20868CDB M=success
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP inner authentication redispatched to a Handler
> Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
> *** Sending to 10.2.96.19 port 1111 ....
> Code:       Access-Challenge
> Identifier: 45
> Authentic:  <155><216><173><221>2<245><196><238><211>w\<24><174>m<245>3
> Attributes:
>        EAP-Message = <1><9><0>T<25><0><23><3><1><0>I<10><160><227><173><198>N<190>HO<14><186><171><197><251>Z<154><195>g<232><147><254>#<238><129>7x^6'S\<134>A`qL<203><253><14><28>p<190><232>%M<224>w<148><215><176><170>UW<22><193><168>6<147><25><249><255><7><3><137><22><192><193><190>M<202><236><153>[
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> ^C
> 
> 
> Confidentiality Note: The information contained in this message 
> may be privileged and confidential. If this e-mail contains 
> protected health information, you are hereby notified that any 
> dissemination, distribution or copying of this communication is 
> strictly prohibited,except as permitted by law. If you have 
> received this communication in error, please notify the sender 
> immediately by replying to this message and deleting it from your 
> computer.  Thank you.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
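For anyone reading a trace like the one quoted above, the EAP-Message values in Radiator's packet dumps can be decoded and cross-checked rather than eyeballed. The script below is an added example, not Radiator code and not from the original post: it converts Radiator's dump encoding (printable bytes literal, everything else as <decimal>) back to bytes, parses the EAP header and the EAP-MSCHAPv2 opcodes, and recomputes the RFC 2759 ChallengeHash from the authenticator challenge Radiator sent (inner id 8), the peer challenge in the client's response and the user part of the name, comparing it with the LANMAN-Challenge and NT-Response Radiator logged when it passed the request to ntlm_auth. The four EAP-Message strings are copied from the tunnelled packet dumps in the trace; the domain-stripping rule and the remark that Radiator reconstructs the inner EAP header for PEAPv0 (which is why the inbound Length fields read 2 and 67) are assumptions about the protocol, not statements from the post.

```python
"""Decode EAP-Message values from a Radiator trace-4 dump and cross-check the
EAP-MSCHAPv2 exchange against what Radiator logged for ntlm_auth.
Added example; not part of Radiator and not from the original post."""
import hashlib
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MSCHAPv2"}
MSCHAP_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Radiator prints a printable byte literally and any other byte as <decimal>.
# A literal '<' directly followed by digits and '>' would be ambiguous in this
# format; the fragments copied from the trace do not contain that pattern.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def dump_to_bytes(dump: str) -> bytes:
    return bytes(int(num) if num else ord(ch) for num, ch in _TOKEN.findall(dump))


def parse_eap(pkt: bytes) -> dict:
    """Parse code/id/length/type and, for type 26, the MS-CHAPv2 payload.
    Field boundaries come from the bytes present, not from the Length field:
    for PEAPv0 inner packets the supplicant omits the 4-byte EAP header and
    Radiator reconstructs it (assumption), which is why Length reads 2 and 67
    on the inbound packets in the trace."""
    info = {"code": EAP_CODES.get(pkt[0], pkt[0]), "id": pkt[1],
            "length": int.from_bytes(pkt[2:4], "big")}
    if pkt[0] not in (1, 2) or len(pkt) < 5:
        return info
    t = pkt[4]
    info["type"] = EAP_TYPES.get(t, t)
    if t == 3:                                   # Nak: list of desired types
        info["desired"] = list(pkt[5:])
    elif t == 26:
        op = pkt[5]
        info.update(opcode=MSCHAP_OPS.get(op, op), ms_id=pkt[6],
                    ms_length=int.from_bytes(pkt[7:9], "big"))
        if op == 1:                              # Challenge: VS, challenge, name
            vs = pkt[9]
            info["auth_challenge"] = pkt[10:10 + vs]
            info["name"] = pkt[10 + vs:].decode("latin-1")
        elif op == 2:                            # Response: VS, 49-byte value, name
            vs = pkt[9]
            val = pkt[10:10 + vs]
            info["peer_challenge"] = val[:16]    # then 8 reserved bytes
            info["nt_response"] = val[24:48]
            info["flags"] = val[48]
            info["name"] = pkt[10 + vs:].decode("latin-1")
        elif op in (3, 4):                       # Success/Failure: "S=... M=..."
            msg = pkt[9:].decode("latin-1")
            info["message"] = msg
            info["fields"] = {m.group(1): m.group(2) for m in re.finditer(r"(\w)=(\S+)", msg)}
    return info


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA-1(peer || authenticator || user name)[:8].
    Only the user part is hashed; a DOMAIN\\ prefix is dropped (assumption
    based on RFC 2759, which excludes a prepended domain name)."""
    user = username.split("\\")[-1]
    return hashlib.sha1(peer_challenge + auth_challenge + user.encode("latin-1")).digest()[:8]


# EAP-Message values copied from the tunnelled packet dumps in the trace.
TRACE = {
    "nak":       "<2><7><0><2><3><26>",
    "challenge": "<1><8><0>*<26><1><8><0>%<16>2<234>Tp<242>,E<237><219><143><19><176>T<158><222><137>weiland.camc.hsi",
    "response":  '<2><8><0>C<26><2><8><0>B1Wh<5>^<141><175><213><249><149><254>Wn"<180><27>U<0><0><0><0><0><0><0><0><218><235><166><31><10><133><229>AFD<<226><221><135><189>b<229>q<163><11><248>-"<4><0>CAMC\\tssmith',
    "success":   "<1><9><0>=<26><3><8><0>8S=AD59BE8E0A96165332AEEBF926A4002E20868CDB M=success",
}
# Values Radiator logged when it passed the request to ntlm_auth.
LOGGED_LANMAN_CHALLENGE = "179b1eda2032ef41"
LOGGED_NT_RESPONSE = "daeba61f0a85e54146443ce2dd87bd62e571a30bf82d2204"


def check_trace(trace=TRACE) -> dict:
    """Decode the four inner packets and recompute the challenge ntlm_auth was given."""
    pk = {k: parse_eap(dump_to_bytes(v)) for k, v in trace.items()}
    chal = challenge_hash(pk["response"]["peer_challenge"],
                          pk["challenge"]["auth_challenge"],
                          pk["response"]["name"])
    return {
        "packets": pk,
        "lanman_challenge": chal.hex(),
        "challenge_matches_log": chal.hex() == LOGGED_LANMAN_CHALLENGE,
        "nt_response_matches_log": pk["response"]["nt_response"].hex() == LOGGED_NT_RESPONSE,
        "inner_result": pk["success"].get("fields", {}).get("M"),
    }


if __name__ == "__main__":
    r = check_trace()
    for name, p in r["packets"].items():
        print(f"{name:9s} {p['code']} id={p['id']} type={p['type']} "
              f"{p.get('opcode', '')} {p.get('name', p.get('desired', ''))}")
    print("challenge hash:", r["lanman_challenge"], "matches log:", r["challenge_matches_log"])
    print("NT-Response matches log:", r["nt_response_matches_log"])
    print("inner EAP-MSCHAPv2 result:", r["inner_result"])
```

Run as-is it walks the Nak (desires type 26), the Challenge from weiland.camc.hsi, the Response naming CAMC\tssmith and the Success-Request carrying M=success, and confirms that the 8-byte challenge Radiator sent to ntlm_auth is what the client's peer challenge and name produce. That is the server-side half of the exchange checked; it says nothing about why the supplicant starts over afterwards, which is where the debugging has to continue.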