[RADIATOR] PEAP Issue

Heikki Vatiainen hvn at open.com.au
Tue Feb 1 09:16:42 CST 2011


On 02/01/2011 03:49 PM, Adam Bishop wrote:
> Encountering an odd issue with MSCHAPv2/PEAP
> 
> I have 2 Radiator instances – one based on Debian 5, one on Ubuntu 10.04LTS.  They share a config file (barring secrets), and the Debian one works fine.  There is a difference in patch level – If I remember correctly, the Debian install is a few patches out of date.
> 
> The Ubuntu one accepts PAP, TTLS/PAP and TTLS/MSCHAPv2, but PEAP/MSCHAPv2 fails.  The system is authenticated against Active Directory - ntlm-auth --request-nt-key works.
> 
> The only thing that stands out in the proxied trace is the MD5 failure - libdigest-md5-perl is installed (as far as I know) and seems to be used:
> 
> root at orps3:/var/log/radiator# lsof -p 1488 | grep -i md5
> radiusd 1488 root  mem    REG  251,3    18640  525298 /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
> 
> The direct trace is just weird – NTLM_AUTH seems to give the OK, then… Nothing.
> 
> Any suggestions anyone has are appreciated.

You should list the EAP types separated by commas, not one per line. If
you have them one per line, I think the last one is the only type
Radiator is told to use.

About MD5 failure, the client does like the suggested EAP type
(MD5-Challenge) and sends a NAK, so that's why there is the failure.

You may want to remove both instances of the MD5-Challenge EAPType unless
you know you need it. For PEAP, EAPType MSCHAP-V2 is usually enough.


The "then ... Nothing." behaviour after ntlm_auth looks like what was
seen earlier, and the reason was ntlm_auth returning incorrect values,
which make the MSCHAPv2 server authentication fail for the client. In
other words, the client thinks the server failed to authenticate itself
and the client stops the authentication process.

Please see ntlm_auth thread from last September:
http://www.open.com.au/pipermail/radiator/2010-September/thread.html#16658



> Adam Bishop
> 
> --- Config ---
> 
> AcctPort 1813
> AuthPort 1812
> BindAddress 0.0.0.0
> DbDir /etc/radiator/
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.aerohive
> Foreground 0
> Group radiator
> LicenseOwner UKERNA
> LivingstonHole 2
> LivingstonMIB .iso.org.dod.internet.private.enterprises.307
> LivingstonOffs 29
> LogDir /var/log/radiator/
> LogFile %L/logfile
> LogStdout 1
> MaxChildren 0
> PidFile %L/radiusd.pid
> PmwhoProg /usr/local/sbin/pmwho
> SnmpNASErrorTimeout 60
> SnmpgetProg /usr/bin/snmpget
> SnmpsetProg /usr/bin/snmpset
> SnmpwalkProg /usr/bin/snmpwalk
> Trace 4
> 
> <Client 193.63.63.101>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity public
> Secret
> </Client>
> 
> <Client 193.63.63.102>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity public
> Secret
> </Client>
> 
> <Client 193.63.63.103>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> Identifier HiveAP1
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> NoIgnoreDuplicates
> SNMPCommunity public
> Secret
> </Client>
> 
> <Client 193.63.63.104>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> Identifier HiveAP1
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> NoIgnoreDuplicates
> SNMPCommunity public
> Secret
> </Client>
> 
> <Client roaming0.ja.net>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> NoIgnoreDuplicates
> SNMPCommunity public
> Secret
> </Client>
> 
> <Client roaming1.ja.net>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> NoIgnoreDuplicates
> SNMPCommunity public
> Secret
> </Client>
> 
> <Client roaming2.ja.net>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> NoIgnoreDuplicates
> SNMPCommunity public
> Secret
> </Client>
> 
> <Handler TunnelledByPEAP = 1>
> AuthByPolicy ContinueWhileIgnore
> RejectHasReason 1
> 
> <AuthBy NTLM>
> AutoMPPEKeys 1
> CachePasswordExpiry 86400
> DomainFormat %0
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_PEAPBrokenV1Label 1
> EAPTLS_PEAPVersion 1
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> EAPType PEAP
> EAPType TTLS
> EAPType MSCHAP-V2
> EAPType MD5-Challenge
> NoDefault 1
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> UsernameFormat %0
> UsernameMatchesWithoutRealm 1
> </AuthBy>
> </Handler>
> 
> <Handler Realm = dev.ja.net>
> AuthByPolicy ContinueWhileIgnore
> RejectHasReason 1
> 
> <AuthBy NTLM>
> AutoMPPEKeys 1
> CachePasswordExpiry 86400
> DomainFormat %0
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_PEAPBrokenV1Label 1
> EAPTLS_PEAPVersion 1
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> EAPType PEAP
> EAPType TTLS
> EAPType MSCHAP-V2
> EAPType MD5-Challenge
> NoDefault 1
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> UsernameFormat %0
> UsernameMatchesWithoutRealm 1
> </AuthBy>
> </Handler>
> 
> <ServerHTTP >
> AuditTrail %D/audit.txt
> AuthByPolicy ContinueWhileIgnore
> BindAddress 0.0.0.0
> DefaultPrivilegeLevel 15
> LogMaxLines 500
> MaxBufferSize 100000
> Port 9048
> Protocol tcp
> SessionTimeout 3600
> TLS_CAFile ./certificates/demoCA/cacert.pem
> TLS_CertificateFile ./certificates/cert-srv.pem
> TLS_CertificateType PEM
> TLS_ExpectedPeerName .+
> TLS_PrivateKeyFile ./certificates/cert-srv.pem
> TLS_PrivateKeyPassword whatever
> Trace 4
> 
> <AuthBy NTLM>
> CachePasswordExpiry 86400
> DomainFormat %0
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 1
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> NoDefault 1
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> UsernameFormat %0
> </AuthBy>
> </ServerHTTP>
> 
> <StatsLog FILE>
> Filename %L/statistics
> Interval 600
> </StatsLog>
> 
> 
> --- Proxied Trace 4 ---
> 
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 75
> Authentic:  @<225>`?+<22>e<130>K<18><10>e<<183><31>v
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><0><0><19><1>jrs at dev.ja.net<mailto:jrs at dev.ja.net>
> Message-Authenticator = 9<193><130>N<26><173><23><234><183>9<221><239><164>?Yi
> Proxy-State = OSC-Extended-Id=75
> 
> Tue Feb  1 11:26:48 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:48 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:48 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:48 2011: DEBUG: Handling with EAP: code 2, 0, 19, 1
> Tue Feb  1 11:26:48 2011: DEBUG: Response type 1
> Tue Feb  1 11:26:48 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  1 11:26:48 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Tue Feb  1 11:26:48 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP Challenge
> Tue Feb  1 11:26:48 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 75
> Authentic:  <138>!<13><159><140>A[+Z<210>U<30>A<130><212><199>
> Attributes:
> EAP-Message = <1><1><0><6><25>!
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=75
> 
> Tue Feb  1 11:26:49 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 76
> Authentic:  VU'<198><158><253>P><213><221><29>[<153><9><203>:
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><1><0>l<25><1><22><3><1><0>a<1><0><0>]<3><1>MG<237><148>~<1>v<4><164>p<154><199><175><19>$<31>E<243><hd<4><192><245><11><6>/<228>8E<173><0><0><0>6<0>9<0>8<0>5<0><22><0><19><0><10><0>3<0>2<0>/<0>f<0><5><0><4><0>c<0>b<0>a<0><21><0><18><0><9><0>e<0>d<0>`<0><20><0><17><0><8><0><6><0><3><0><255><1><0>
> Message-Authenticator = <23>G<208><23>Zrk<138>f<195><191>)<164>-<147>X
> Proxy-State = OSC-Extended-Id=76
> 
> Tue Feb  1 11:26:49 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:49 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:49 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:49 2011: DEBUG: Handling with EAP: code 2, 1, 108, 25
> Tue Feb  1 11:26:49 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:49 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Tue Feb  1 11:26:49 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 76
> Authentic:  <168><22><192>Y<0>9<161><178>k<179><186>c^<17><224>$
> Attributes:
> EAP-Message = <1><2><3><242><25><193><0><0><7><185><22><3><1><0>Q<2><0><0>M<3><1>MG<237><249>1<17><150><209><227><23><154>R<143>O<173>h<28><141>C<193><154><138><177><151>#C<187><4><225><140><170>p QSs<184><194>-<31><254><145>Zd<9>+<156><185>J<225><17>\Ac<213><251><195>t0<21><183><134><254>E<154><0>5<0><0><5><255><1><0><1><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certific
> EAP-Message = ate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<mailto:mikem at open.com.au0><30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Section1%0#<6>
> EAP-Message = <3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><207><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183>
> EAP-Message = <246><141>'<233>V<198><203><206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=76
> 
> Tue Feb  1 11:26:49 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 77
> Authentic:  <205>|<21><254>x<148>i'a<17><10><131><158>|<178>w
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><2><0><6><25><1>
> Message-Authenticator = <179><128><9><149><215><203>r<154>I<136><239>_<219><247>HW
> Proxy-State = OSC-Extended-Id=77
> 
> Tue Feb  1 11:26:49 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:49 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:49 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:49 2011: DEBUG: Handling with EAP: code 2, 2, 6, 25
> Tue Feb  1 11:26:49 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:49 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 77
> Authentic:  <241>|<17><233><129>ye<255>8y}zrY<14><185>
> Attributes:
> EAP-Message = <1><3><3><215><25><1><4><11><19><24>Test Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<mailto:mikem at open.com.au0><30><23><13>100128213155Z<23><13>120128213155Z0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test C
> EAP-Message = ertificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<mailto:mikem at open.com.au0><129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><221><135><194>,<1>U3|N'<174><232><18>VB6<20><197>'x<167><242><198>I<253>[<184>:<254><240><168><221>Se><13><130><251><23> <4><29> q#<228><181>#<236>9<182>0Q<253><0><227>eL<190>6K<4>8<240>L<178><255>^IS_T)n<206><147>%<251><255>o<229><128><30><140><14><149><22><21>+Yf<128><155><190><241><153>:<226>;<219><240><182>#<151><209>|<141><223><128>w<213>@<14><206><228> <203><132><0>w<134><255>Q
> EAP-Message = hd<12><190>9<2><3><1><0><1><163><130><1>30<130><1>/0<29><6><3>U<29><14><4><22><4><20><151>NFk<218><183>Rv/<18>-<225>P<190>E<209><205><183> p0<129><255><6><3>U<29>#<4><129><247>0<129><244><128><20><151>NFk<218><183>Rv/<18>-<225>P<190>E<209><205><183> p<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in pr
> EAP-Message = oduction)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<mailto:mikem at open.com.au><130><9><0><249><170>@<232><246>7<146>$0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0>y<18>9X<176><<236><203><168><151><202><144><201>Q$<166><217><249><17>|<163>8<129><232>dr<236><211><240>WP<162>B<157><250>9<224><152>JA<213><127>><247>:<227><191><18><232>u,<172><237><188>?<8><239>E<239>m<203><152><10>`<18>V$<184><7><205><137><138>p<139><152><240><20><3>{<150>7<156><193><4><153><190><8><216><173><9><185>9<158><211>^ex<144><208><128><251>+<15><146>KQ<249><234><171><3><14>2<206><9>K<220><201>f<159>f<~<149><21>c<227>V<203><22><3><1><0><4><14><0><0><0>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=77
> 
> Tue Feb  1 11:26:49 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 78
> Authentic:  <185>H<26>y<3><222><157>G<194><132>,w<2><19>3<246>
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><3><0><204><25><1><22><3><1><0><134><16><0><0><130><0><128><195><200>Mk<158><208>h<132>6<227><169><186>if<135>3<142>v/<175><199><203><246><128><129><181>F"NN<159><140>|<184><238>3<18>v<131>=q<171><182><6><145><199><5><29>3sb<20><164>$<247>3<193>g<246>N<201><31><27><135><163>3t<213><29><203>KC<194><222>d|<131><131>P<182><236><21><178><245>i<186><207>Z<128><23><148><184><202><1><144><143><185><182><141><25>g<26><165><171><161>5o<21>({<188><176><190><241>C<174><226><24>:`<164>'\<23>s<232>@L<20><3><1><0><1><1><22><3><1><0>0<217><147><193>5<169>co<235><136>rc<234>>|<<31><134><162>z<20>54<12><21>YX7<132>C5<138><206><14><197>!<12>2<203><178><237><22><25><232><222>Au<215><163>
> Message-Authenticator = <191><166><210>0<230>m<245><192>+<210><132>.<255><171><31><250>
> Proxy-State = OSC-Extended-Id=78
> 
> Tue Feb  1 11:26:49 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:49 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:49 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:49 2011: DEBUG: Handling with EAP: code 2, 3, 204, 25
> Tue Feb  1 11:26:49 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:49 2011: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Tue Feb  1 11:26:49 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP Challenge
> Tue Feb  1 11:26:49 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 78
> Authentic:  <247>r<242>Er<177><136>rV<135><5><249>M_m`
> Attributes:
> EAP-Message = <1><4><0>E<25><129><0><0><0>;<20><3><1><0><1><1><22><3><1><0>0$uLY]<21><134>\<249><243><253><148><135>^<165>6<28><6><229>F<168><252>U<152><183><181>.<219><174>?Qo<160>q<2><184><150><<237><198><14><0><155>U<153>,<240><24>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=78
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 79
> Authentic:  Pa_ua<7>N<184>8<192>~p?6<29>;
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><4><0><6><25><1>
> Message-Authenticator = <151><11><9><208>f<168><228>]MC<15><128><250><144><223><241>
> Proxy-State = OSC-Extended-Id=79
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:50 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with EAP: code 2, 4, 6, 25
> Tue Feb  1 11:26:50 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:50 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  1 11:26:50 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Tue Feb  1 11:26:50 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP Challenge
> Tue Feb  1 11:26:50 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 79
> Authentic:  <202>W7t<241><214><201>lq<26><231><236><149><152><146><234>
> Attributes:
> EAP-Message = <1><5><0>+<25><1><23><3><1><0> <4><131><135><207><180>DK<168><212><230>'<183><134><178><202>:<146>K<26><178><194><177><12><203>50<185>F<31>0<201><238>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=79
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 80
> Authentic:  .<4><220><255><234>X<213>lEB<234><176>Y<228><164>A
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><5><0>`<25><1><23><3><1><0> <154>ut<138>pwf<218>gf:4bm9P<191><128><24><144><240>U<153>I<199><201><224><220><137><185><6>S<23><3><1><0>0<6>Q<27><22>:*<176>@<185><26><143><209><185>_<8><212>|<14><172><138><173><242>q<161><31>QT;&<149>@"<149><3>S<147><244><139><235><133>1<157><211>o<26><220><170><233>
> Message-Authenticator = <221>\#A<169>J<142><192>F<145><164>S<137><154><199><13>
> Proxy-State = OSC-Extended-Id=80
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:50 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with EAP: code 2, 5, 96, 25
> Tue Feb  1 11:26:50 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:50 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb  1 11:26:50 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <216><183><31><249><161><145>zv<195><31>bLY<139><23>o
> Attributes:
> EAP-Message = <2><0><0><19><1>jrs at dev.ja.net<mailto:jrs at dev.ja.net>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> User-Name = "anonymous"
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP = 1', Identifier ''
> Tue Feb  1 11:26:50 2011: DEBUG:  Deleting session for anonymous, 127.0.0.1,
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with EAP: code 2, 0, 19, 1
> Tue Feb  1 11:26:50 2011: DEBUG: Response type 1
> Tue Feb  1 11:26:50 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  1 11:26:50 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP Challenge
> Tue Feb  1 11:26:50 2011: DEBUG: Access challenged for anonymous: EAP PEAP Challenge
> Tue Feb  1 11:26:50 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <216><183><31><249><161><145>zv<195><31>bLY<139><23>o
> Attributes:
> EAP-Message = <1><1><0><6><25>!
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  1 11:26:50 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  1 11:26:50 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  1 11:26:50 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  1 11:26:50 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 80
> Authentic:  (qU<214>X<229>4<192>G<161>e<242><21><179>5\
> Attributes:
> EAP-Message = <1><6><0>+<25><1><23><3><1><0> <150><137><249><202><150><173><229><135>&i<182><169>X<198><15>><177>-`<202>NV/<138>hG|<14><204><207><241><128>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=80
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 81
> Authentic:  X;w<25><10><162><128>,<2>nJ<21><180><160><177><178>
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><6><0>P<25><1><23><3><1><0> <231><201>o0\<145><8><216>)j<254>|<183><234>&<140><11>B$<174><8>p<221><204><163><239><180><128><191>`<208><245><23><3><1><0> <200><5><11><131><18>U:<232>%gZ<236><25><244><215>+<148><158><200>n<255><147><215><23><201>t2<211>.<149>5<171>
> Message-Authenticator = |<9>:<11><137>$i<221><137>"<135><171><22>$x<21>
> Proxy-State = OSC-Extended-Id=81
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:50 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with EAP: code 2, 6, 80, 25
> Tue Feb  1 11:26:50 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:50 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb  1 11:26:50 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  Q<187><20><21>I<198><218>+w<251><149><6><7>K<183>&
> Attributes:
> EAP-Message = <2><1><0><10><3><4><26><6><5><17>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> User-Name = "anonymous"
> 
> Tue Feb  1 11:26:50 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP = 1', Identifier ''
> Tue Feb  1 11:26:50 2011: DEBUG:  Deleting session for anonymous, 127.0.0.1,
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:50 2011: DEBUG: Handling with EAP: code 2, 1, 10, 3
> Tue Feb  1 11:26:50 2011: DEBUG: Response type 3
> Tue Feb  1 11:26:50 2011: DEBUG: EAP Nak desires type 4
> Tue Feb  1 11:26:50 2011: DEBUG: EAP result: 1, Desired EAP type MD5-Challenge (4) not permitted
> Tue Feb  1 11:26:50 2011: DEBUG: AuthBy NTLM result: REJECT, Desired EAP type MD5-Challenge (4) not permitted
> Tue Feb  1 11:26:50 2011: INFO: Access rejected for anonymous: Desired EAP type MD5-Challenge (4) not permitted
> Tue Feb  1 11:26:50 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  Q<187><20><21>I<198><218>+w<251><149><6><7>K<183>&
> Attributes:
> Reply-Message = "Desired EAP type MD5-Challenge (4) not permitted"
> 
> Tue Feb  1 11:26:50 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  1 11:26:50 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  1 11:26:50 2011: DEBUG: Access challenged for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  1 11:26:50 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Challenge
> Identifier: 81
> Authentic:  '9<220><197>I<182><29>whiv"@<9>l<191>
> Attributes:
> EAP-Message = <1><7><0>+<25><1><23><3><1><0> <239>'%9t]<3><25><141><177><144><10>U@<195><27><160><227>2<217>'<166><237>J<131>z<134>.4<6><192><154>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Proxy-State = OSC-Extended-Id=81
> 
> Tue Feb  1 11:26:51 2011: DEBUG: Packet dump:
> *** Received from 194.82.174.185 port 63780 ....
> Code:       Access-Request
> Identifier: 82
> Authentic:  <25>j<254>e<198>Ul<17><244><203><197><174><1><166><183><131>
> Attributes:
> User-Name = "jrs at dev.ja.net<mailto:jrs at dev.ja.net>"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "JANET Roaming test"
> EAP-Message = <2><7><0>P<25><1><23><3><1><0> <224><2>t<159><193><252><178><244>&<247><217><194>Z<15><211><203><4><186><18><170><210>.}<207><160><255><250><20><2><147>n_<23><3><1><0> <138><132><130><191>`[P<237><154>:<<11><239>K<215><3><31><153>u<192><20><244>Z<19>}<8><4>8rA<134><173>
> Message-Authenticator = <169><180><28><188>3<230><153>"<241><220><141><138><19>N<20><144>
> Proxy-State = OSC-Extended-Id=82
> 
> Tue Feb  1 11:26:51 2011: DEBUG: Handling request with Handler 'Realm = dev.ja.net', Identifier ''
> Tue Feb  1 11:26:51 2011: DEBUG:  Deleting session for jrs at dev.ja.net<mailto:jrs at dev.ja.net>, 127.0.0.1,
> Tue Feb  1 11:26:51 2011: DEBUG: Handling with Radius::AuthNTLM:
> Tue Feb  1 11:26:51 2011: DEBUG: Handling with EAP: code 2, 7, 80, 25
> Tue Feb  1 11:26:51 2011: DEBUG: Response type 25
> Tue Feb  1 11:26:51 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb  1 11:26:51 2011: DEBUG: AuthBy NTLM result: REJECT, PEAP Authentication Failure
> Tue Feb  1 11:26:51 2011: INFO: Access rejected for jrs at dev.ja.net<mailto:jrs at dev.ja.net>: PEAP Authentication Failure
> Tue Feb  1 11:26:51 2011: DEBUG: Packet dump:
> *** Sending to 194.82.174.185 port 63780 ....
> Code:       Access-Reject
> Identifier: 82
> Authentic:  <24>4<157>i2<12>4s<200>7<1>YdZQ<162>
> Attributes:
> EAP-Message = <4><7><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "PEAP Authentication Failure"
> Proxy-State = OSC-Extended-Id=82
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
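
Added example, not part of the original post and not Radiator code: a Python helper that decodes the inner EAP Nak from the quoted Trace 4 dump and finds AuthBy blocks that repeat EAPType on separate lines, printing the comma-separated form the reply asks for. It assumes the trace notation is <n> for a byte value and a literal character otherwise; all function names are illustrative.

```python
import re

# EAP method numbers (IANA registry), limited to the ones this thread touches.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 5: "OTP", 6: "GTC",
             13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
_ESCAPED_BYTE = re.compile(r"<(\d{1,3})>")

# Copied from the quoted trace: the PEAP start sent by the server, and the
# client's inner response that the log reports as "EAP Nak desires type 4".
PEAP_START = "<1><1><0><6><25>!"
INNER_NAK = "<2><1><0><10><3><4><26><6><5><17>"

# EAPType lines as posted in the quoted config, other parameters left out.
SAMPLE_CONFIG = """\
<Handler TunnelledByPEAP = 1>
<AuthBy NTLM>
EAPType PEAP
EAPType TTLS
EAPType MSCHAP-V2
EAPType MD5-Challenge
NoDefault 1
</AuthBy>
</Handler>
"""


def trace_to_bytes(text):
    """Convert trace notation to bytes. Assumption: "<n>" with n <= 255 is one
    byte; a payload that really contains the characters "<65>" is ambiguous."""
    out = bytearray()
    pos = 0
    while pos < len(text):
        m = _ESCAPED_BYTE.match(text, pos)
        if m and int(m.group(1)) <= 255:
            out.append(int(m.group(1)))
            pos = m.end()
        else:
            out += text[pos].encode("latin-1")  # printable byte shown as itself
            pos += 1
    return bytes(out)


def decode_eap(text):
    """Decode the EAP header and, for a Nak response, the desired types."""
    raw = trace_to_bytes(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length > len(raw):
        raise ValueError(f"EAP length {length} exceeds {len(raw)} dumped bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if code == 2 and raw[4] == 3:
            # Nak: every remaining byte is a method the peer would accept.
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in raw[5:length]]
    return pkt


def repeated_eap_types(config):
    """Return (block header, merged line) for each AuthBy block that has more
    than one EAPType line. Assumes AuthBy blocks are not nested."""
    findings, block = [], None
    for raw_line in config.splitlines():
        line = raw_line.strip()
        parts = line.split(None, 1)
        if line.startswith("<AuthBy"):
            block = {"header": line, "lines": 0, "types": []}
        elif line.startswith("</AuthBy") and block:
            if block["lines"] > 1:
                merged = "EAPType " + ",".join(block["types"])
                findings.append((block["header"], merged))
            block = None
        elif block and len(parts) == 2 and parts[0] == "EAPType":
            block["lines"] += 1
            block["types"] += [t.strip() for t in parts[1].split(",")]
    return findings


if __name__ == "__main__":
    print("server offered:", decode_eap(PEAP_START)["type"])
    print("client Nak desires:", decode_eap(INNER_NAK)["desired"])
    for header, merged in repeated_eap_types(SAMPLE_CONFIG):
        # Which types to keep is a policy choice; this only merges what was posted.
        print(f"{header}: repeated EAPType lines, single-line form: {merged}")
```

The merged line only restates what was posted; whether MD5-Challenge stays in it is the decision the reply leaves to the administrator.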

