[RADIATOR] MSCHAPv2 and LDAP Authentication...

Heikki Vatiainen hvn at open.com.au
Wed Feb 8 06:34:08 CST 2012


On 02/08/2012 12:54 AM, Shay Smith wrote:

Hello Shay,

> I'm currently testing Radiator to see if it would be a fit for our
> organization. I've been working with the included "eap_multi.cfg" file
> in hopes that we could get 802.1x authentication going for our Mac and
> WIndows clients. Our LDAP directory has fields for SHA encrypted user
> passwords as well as NThash passwords, but I can't figure out how to
> make authentication work. I've successfully authenticated with a stock
> LDAP config. Below are my current config and a copy of the log entries
> for an attempted login.

Try the following:
- comment out ServerChecksPassword
- PasswordAttr value is the attribute that has NThashed password
- enable TranslatePasswordHook if the nthash is not prefixed with {nthash}

ServerChecksPassword works only if the authentication protocol uses PAP.
In other words, it works when the plain text password is available. With
e.g. PEAP/EAP-MSCHAP-V2 this is not the case.

You can also simplify the configuration by removing all EAPTLS_* lines
from TunnelledBy handlers. These are only needed when using TLS
tunnelled EAP methods inside PEAP or TTLS.

EAP_Type can also be simplified in TunnelledBy Handlers. 'EAPType
MSCHAP-V2' is probably enough.

The outer Handler probably only needs 'EAPType PEAP,TTLS'.

The AddToReply lines can most likely be commented out too.

So in summary: after checking ServerChecksPassword, PasswordAttr and
TranslatePasswordHook the authentication should work. The rest is only
for simplifying the configuration.

Please let us know how it goes.

Heikki


> ***********************
> Config File
> ***********************
> Foreground
> LogStdout
> LogDir        /etc/radiator
> DbDir        .
> 
> Trace         4
> 
> AuthPort 1645, 1812
> AcctPort 1646, 1813
> BindAddress 10.51.254.228
> 
> <Client 10.51.254.76>
>     Secret *****
>     DupInterval 0
> </Client>
> 
> <Client localhost>
>     Secret mysecret
>     DupInterval 0
> </Client>
> 
> <Client 10.51.254.228>
>     Secret mysecret
>     DupInterval 0
> </Client>
> 
> <Client DEFAULT>
>     Secret    mysecret
>     DupInterval 0
> </Client>
> 
> 
> <Handler TunnelledByPEAP=1>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
> 
>         Host    ldap.mesd.k12.or.us
>         Port    389
>         AuthDN        *****
>         AuthPassword    *****
>         BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         Version 3
>         UsernameAttr    uid
>         PasswordAttr    userPassword
>         ServerChecksPassword
>         HoldServerConnection
>    
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>            
>         Version 3
>        
> 
>         EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         Debug 255
>     </AuthBy>
> </Handler>
> 
> <Handler TunnelledByTTLS=1>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
> 
>         Host    ldap.mesd.k12.or.us
>         Port    389
>         AuthDN        *****
>         AuthPassword    *****
>         BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         UsernameAttr    uid
>         PasswordAttr    userPassword
>         ServerChecksPassword
>         HoldServerConnection
>    
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>        
>         Version 3
> 
>         EAPType MSCHAP-V2,MD5,TLS
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         Debug 255
>     </AuthBy>
> </Handler>
> 
> <Handler>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
> 
>         Host    ldap.mesd.k12.or.us
>         Port    389
>         AuthDN        *****
>         AuthPassword    *****
>         BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         UsernameAttr    uid
>         PasswordAttr    userPassword
>         ServerChecksPassword
>         HoldServerConnection
>    
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>            
>         Version 3
> 
>         EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
> 
>         AutoMPPEKeys
> 
>         EAPTLS_PEAPVersion 0
>         EAPTLS_PEAPBrokenV1Label
>         EAPTLS_DHFile /etc/radiator/certificates/dh2048.pem
> 
>         Debug 255
>     </AuthBy>
> </Handler>
> 
> 
> ***********************
> Log Dump
> ***********************
> Tue Feb  7 15:18:22 2012: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Tue Feb  7 15:18:22 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Feb  7 15:18:22 2012: DEBUG: Creating authentication port
> 10.51.254.228:1645
> Tue Feb  7 15:18:22 2012: DEBUG: Creating authentication port
> 10.51.254.228:1812
> Tue Feb  7 15:18:22 2012: DEBUG: Creating accounting port
> 10.51.254.228:1646
> Tue Feb  7 15:18:22 2012: DEBUG: Creating accounting port
> 10.51.254.228:1813
> Tue Feb  7 15:18:22 2012: NOTICE: Server started: Radiator 4.9 on
> localhost.localdomain (LOCKED)
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 238
> Authentic:  /<20><19>:<146>e<195><185><135><5>#U<204><207><234><235>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><1><0><18><1>gitchy_gimbol
>     Message-Authenticator =
> <229><199><134><145><241><197><7>j7<205>%T<1>$<154><156>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 1, 18, 1
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 1
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 238
> Authentic:  <155><151>8<243><210>W<219><169><173><254>lxI<199><180><27>
> Attributes:
>     EAP-Message = <1><2><0><6><25>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 239
> Authentic:  <182><185><138><161><238><228>Q<211><236>eA<192>5<209><176><249>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><2><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>O1<170><174>VR<229><127><184><qM{<208>-<178><196>R<1><250><180><238><222><27><182><138><31><25><144><26><240>{<0><0>6<0>/<0><5><0><4><0>5<0><10><0><9><0><3><0><8><0><6><0>2<0>3<0>8<0>9<0><22><0><21><0><20><0><19><0><18><0><17><0>4<0>:<0><24><0><27><0><26><0><23><0><25><0><1><1><0>
>     Message-Authenticator = Ez<240><223><21>k<175>8<19>c<22><159>cl<152>*
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 2, 112, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 239
> Authentic:  h<17>L<19>9U-<235>1<182>qb<132><155>U<233>
> Attributes:
>     EAP-Message =
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 240
> Authentic:  T<139><160><133><154><205><220><213><149>w<215>kQ<154>DH
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><3><0><6><25><0>
>     Message-Authenticator =
> <154><30>><210><154>r;h<200><190><235><165>iC<177>K
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 3, 6, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 240
> Authentic:  (<175><229><252><253>P<181>{i<156>2<154>M<250><252>^
> Attributes:
>     EAP-Message = <1><4><3><208><25><0>t Certificate
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 241
> Authentic:  Q<196>t<26>K<9>t"<167><214><226><231><182>u<147><156>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><4><0><208><25><128><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>R<253><8><5><148>W<192><18>=<155>|<218>W<251><241>9`+<247><165><192><27>Y<186><205><231><130>c<226><11>Us<227><213><131>y(<241>"<169>C<212>+<14><172><133><164><127>p<23><237>*g<148><254>DI#s<170><24>{<195><131><201>C<237><216><21>!<149><143>;B<158>R<162><148><174><182><211><131><137><234>J<142><217><162>eL<26><14><14><224><151>i<205><169><183><135><162>n=<244><183>O<224><244>z}x.m{<240><142><156>visIg<225>{I<235><171>:<20><3><1><0><1><1><22><3><1><0>0<249><158><12><128><252><129><172><27><239><133><141>A<196>5><9>\<1><173><14><163>~<206>j<219><12><153><25><143><130><231><235><200>n2Vj<196><31><236><155><215><221><195><131>hM<212>
>     Message-Authenticator =
> <155><129>nP<30><189><237><191><132>9<211><23><172><255>"a
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 4, 208, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 241
> Authentic:  <172>8<159><176>t(<2>~<223><173><1><248>{'~<214>
> Attributes:
>     EAP-Message =
> <1><5><0>E<25><128><0><0><0>;<20><3><1><0><1><1><22><3><1><0>04z<234>Q<225>8t<195><152>/<208><155>R<201><204>S<162>.Fj<138><169><203><139>e%<178><190><231><203>k<219>yn{Sh<15><23><208><201><215>y<230><167>-[+
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 242
> Authentic:  <178>_<231>RzE<231><222><10><221>#<136><188>mNx
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><5><0><6><25><0>
>     Message-Authenticator =
> <249><178><2><227><157>=<174><143>J<160><127><233><154>~<235><17>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 5, 6, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 242
> Authentic:  p<31><217>R<237>O<168><146><216>@<197><238><17>6<168>p
> Attributes:
>     EAP-Message = <1><6><0>+<25><0><23><3><1><0>
> y3<169><171><169>Ur)<251>sm<172>Q<185><211><248><202><3>8<210><184><180><<201><138><138>D&-<31><30>b
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 243
> Authentic:  @<24><150><225>\<235><196><234>e<167><24>ayL<226><31>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><6><0>;<25><0><23><3><1><0>0<12>@O]<253><176>x<128><137><195><158><236><255>n<9><21><131><227><231>.mr<12><228><237><215><173>3<144><166>@<157>.U<162><152><148><220><133>Z<131>{\(K3<1>3
>     Message-Authenticator =
> }<209><252><171><157><22><196><239><22><3><223>R=<177><203><204>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 59, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Tue Feb  7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  ?<169><181><215>:1r<157><138><161>2{<215>|<15>>
> Attributes:
>     EAP-Message = <2><6><0><14><1>gitchy_gimbol
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     NAS-Port = 252
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     User-Name = "anonymous"
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for anonymous,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 14, 1
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 1
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> MSCHAP-V2 Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for anonymous: EAP
> MSCHAP-V2 Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  ?<169><181><215>:1r<157><138><161>2{<215>|<15>>
> Attributes:
>     EAP-Message =
> <1><7><0>/<26><1><7><0>*<16><202>g<7><208><27><14>'<208>S<140>j<207><226><187><165>.localhost.localdomain
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 243
> Authentic:  7<173>o<249><19>|<227><195>9*<28><142>-`<255><238>
> Attributes:
>     EAP-Message =
> <1><7><0>K<25><0><23><3><1><0>@v<219>@<224>s4<202>N1<239><184><137>#<137><129><161><'x<141><180><182><254><175><153>S<158>A2S<235><209><17><142><24><221><210><0><182><1><20><253><195><22>!<181>x<207><168>M<191><164>p<206><174>0<166><201><137>F<151><190><166><203>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 244
> Authentic:  <129>j<224>9<234>'[<235><30><15><0>E<197><159><127><147>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><7><0>k<25><0><23><3><1><0>`<165>/Tl<186>h<140><158><16>x}C<128><144><166>3l<127><171><16><16>x+<192><140><141><245>{C<135>J<234><251><250><214><239><249>lE<226><129>N<185><3><237><188><205>.2<127><31><252>y<145><22><200>Xv<243><127><150><212><153><130>+<180>E<206><163>5<19><159>O<203><174><2><167><200><211>y<140><22>5<146><157>>s<224>or<241>.<199><216>`<229>
>     Message-Authenticator =
> <210><249>`<226><24><253><235><228><4><160>hPW<202><214><160>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 107, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Tue Feb  7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <255>A<247><254><228><148><244><8><157>w<200><4><135>x)<138>
> Attributes:
>     EAP-Message =
> <2><7><0>D<26><2><7><0>C19<243>W<19>ZKTq2T<22><218>g<207><223><149><0><0><0><0><0><0><0><0><155>C<0><202><135>%Zh<158><168><209><31><11><240>"N<239>+Z<199>y<148><219><172><0>gitchy_gimbol
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     NAS-Port = 252
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     User-Name = "anonymous"
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for anonymous,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 68, 26
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 26
> Tue Feb  7 15:19:11 2012: INFO: Connecting to ldap.mesd.k12.or.us:389
> Tue Feb  7 15:19:11 2012: INFO: Attempting to bind to LDAP server
> ldap.mesd.k12.or.us:389
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got result for
> uid=gitchy_gimbol,ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got cn: Gitchy Gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got givenName: Gitchy
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got sn: Gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got objectClass: MESDperson
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got mail:
> Gitchy_Gimbol at ddouglas.k12.or.us
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got maildrop: gitchy_gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got mailacceptinggeneralid:
> Gitchy_Gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got uid: gitchy_gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got o: David Douglas
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got ou: District Office
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got uidNumber: 1031
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got apple-generateduid:
> DBDE2115-9C46-42A5-91D8-8D43DB208D8E
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got gidNumber: 1028
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got employeeNumber: 999999
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got houseIdentifier: West
> Powellhurst District Office
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got telephoneNumber: 5555
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got pwdLastSet: 1328300336
> Tue Feb  7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 looks for match with
> gitchy_gimbol [anonymous]
> Tue Feb  7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> gitchy_gimbol [anonymous]
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication failure
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP
> MSCHAP-V2 Authentication failure
> Tue Feb  7 15:19:11 2012: INFO: Access rejected for anonymous: EAP
> MSCHAP-V2 Authentication failure
> Tue Feb  7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <255>A<247><254><228><148><244><8><157>w<200><4><135>x)<138>
> Attributes:
>     EAP-Message = <4><7><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
> 
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 244
> Authentic:  <167><148>C<22><133><129><248><145><243>)<219><243>7q<147><238>
> Attributes:
>     EAP-Message = <1><8><0>+<25><0><23><3><1><0>
> B<127>IV]<27>r<4><141>Vu<5><188><175><24><233>%<174><175><133><144><230><171><<226>_<217><16>,k<223><155>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 245
> Authentic: 
> <189><143><229><141><217><227><186>C]<176><218><199>6<175><20><151>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><8><0>+<25><0><23><3><1><0>
> X9zfJ<185>2<198><186><232><226><194>vB<163><13>j9}<17><149>$<30><176><234>&<157><226>-V~<223>
>     Message-Authenticator = 4I<139><218><141>B><2><236><24>9(j<12><27>?
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 8, 43, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, PEAP
> Authentication Failure
> Tue Feb  7 15:19:11 2012: INFO: Access rejected for gitchy_gimbol: PEAP
> Authentication Failure
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Reject
> Identifier: 245
> Authentic:  @<178>#<191>/F<14><204>A<219><188>2<240>o<145>*
> Attributes:
>     EAP-Message = <4><8><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
> 
> -- 
> Shay Smith
> ----------------------------------------
> 
> Gmail Evangelist
> David Douglas School District
> 503-261-8235
> 
> www.ddouglas.k12.or.us
> http://shay.ddouglas.k12.or.us
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
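Heikki's point above, that ServerChecksPassword only works for PAP while PEAP/EAP-MSCHAP-V2 needs the NT hash that PasswordAttr (tagged by TranslatePasswordHook) must supply, worked through in code. This is an added example, not Radiator's code or the configuration from the thread; the `{nthash}`, `{SHA}` and `{SSHA}` value encodings, the helper names and the sample entries are assumptions chosen for illustration.

```python
import base64
import hashlib
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because hashlib's md4 is often
    absent on OpenSSL 3 builds, and the NT hash is MD4-based."""
    F = lambda x, y, z: (x & y) | (~x & z & MASK)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                f, k, s, add = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                j = i - 16
                f, k, s, add = G, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                f, k, s, add = H, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = rotl((a + f(b, c, d) + X[k] + add) & MASK, s)
            a, b, c, d = d, a, b, c  # rotate roles: next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. MS-CHAPv2 (RFC 2759) derives
    its DES keys from this value, so the verifier must have it."""
    return md4(password.encode("utf-16-le"))


def translate_password(stored: str) -> str:
    """What the thread's TranslatePasswordHook does: tag an unprefixed
    attribute value as an NT hash so the server knows how to use it.
    Only correct if the attribute really holds an NT hash."""
    return stored if stored.startswith("{") else "{nthash}" + stored


def nt_hash_for_mschapv2(stored: str) -> Optional[bytes]:
    """Return the NT hash an MS-CHAPv2 verifier needs, or None when the stored
    form cannot supply it. No plaintext arrives inside PEAP/EAP-MSCHAP-V2, so an
    LDAP bind with the user's password (ServerChecksPassword) is impossible;
    the RADIUS server itself must hold the hash."""
    if stored.startswith("{nthash}"):
        return bytes.fromhex(stored[len("{nthash}"):])
    if stored.startswith("{"):
        return None  # {SHA}, {SSHA}, {crypt}...: one-way and unrelated to MD4
    return nt_hash(stored)  # plaintext in the directory: derivable, but poor hygiene


def verify_pap(stored: str, password: str) -> bool:
    """PAP delivers the plaintext, so every stored form can be checked locally
    (or by binding to LDAP, which is what ServerChecksPassword does)."""
    raw = password.encode()
    if stored.startswith("{nthash}"):
        return nt_hash(password) == bytes.fromhex(stored[len("{nthash}"):])
    if stored.startswith("{SHA}"):
        return base64.b64decode(stored[len("{SHA}"):]) == hashlib.sha1(raw).digest()
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]
        return hashlib.sha1(raw + salt).digest() == digest
    return stored == password  # plaintext attribute


def can_authenticate(method: str, stored: str) -> bool:
    """The decision the thread turns on: PAP works with any stored form,
    MS-CHAPv2 only with an NT hash (or plaintext from which to derive one)."""
    if method == "PAP":
        return True
    if method == "MSCHAP-V2":
        return nt_hash_for_mschapv2(stored) is not None
    raise ValueError(f"unsupported method {method!r}")


# Constructed directory values in the usual OpenLDAP userPassword encodings.
def sha_entry(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_entry(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    # Constructed sample: SHA-hashed userPassword plus a separate NT-hash attribute.
    user_password = sha_entry("correct horse")
    nt_attr = nt_hash("correct horse").hex()
    for method in ("PAP", "MSCHAP-V2"):
        print(method, "userPassword:", can_authenticate(method, user_password),
              "nthash attr:", can_authenticate(method, translate_password(nt_attr)))
```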

