[RADIATOR] eap + apple products - failed auth

Martin Bérubé mberube at jeancoutu.com
Tue Feb 28 12:16:44 CST 2012


Well,

The problem we had was for TLS. Our PKI infrastructure had a hashed signature with MD5. The hashing used should be at least SHA-1 for iOS 5 devices.

In Microsoft Windows, if you start certmgr.msc, and look at a Root CA certificate, in Details, you can find the hashing algorithm used for the signature.

We had to change our infrastructure, so we took SHA-256. The only certificate that kept the MD5 hashing is our Root CA.

It works fine, since then.  But, as I wrote, it is for TLS authentication.


Martin Bérubé
Technical Analyst
Architecture and Security
Tel.: (450) 463-1890 ext. 3362
Before printing, think about the environment.
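
Added example (not part of the original message and not Radiator code): a standard-library Python check that reads the signature algorithm of every certificate in a PEM bundle and flags the case described above, an MD5-signed certificate that is not a self-issued root. The function names and the sample chain are assumptions made for illustration; the sample entries are constructed DER skeletons rather than real certificates, and on a real server the input would be the contents of the PEM files it presents.

```python
import base64
import re
# signatureAlgorithm OIDs for RSA-signed certificates (RFC 3279 / RFC 4055)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos: return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Turn DER OID contents into dotted-decimal form."""
    first = min(raw[0] // 40, 2)
    arcs, acc = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return (signature algorithm, issuer == subject) for one certificate."""
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg) = children(cert)[:2]
    oid = decode_oid(children(sig_alg)[0][1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, ...
    return SIG_OIDS.get(oid, oid), fields[2][1] == fields[4][1]

def audit_chain(pem_text):
    """Flag what the thread says iOS 5 refuses: MD5-signed, non-root certs."""
    report = []
    for body in PEM_RE.findall(pem_text):
        alg, is_root = inspect_cert(base64.b64decode(body))
        report.append({"alg": alg, "root": is_root,
                       "rejected": alg.startswith("md5") and not is_root})
    return report

# --- Constructed sample input: skeleton DER, not real certificates ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128)
def _skeleton(sig_oid_hex, issuer, subject):
    alg = _tlv(0x30, bytes.fromhex(sig_oid_hex) + b"\x05\x00")
    names = [_tlv(0x30, _tlv(0x0C, cn.encode())) for cn in (issuer, subject)]
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + names[0] + _tlv(0x30, b"") + names[1])
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")
MD5_RSA, SHA256_RSA = "06092a864886f70d010104", "06092a864886f70d01010b"
SAMPLE_CHAIN = (_skeleton(MD5_RSA, "Example Issuing CA", "radius.example")
                + _skeleton(SHA256_RSA, "Example Issuing CA", "radius2.example")
                + _skeleton(MD5_RSA, "Example Root CA", "Example Root CA"))
```

Calling `audit_chain(SAMPLE_CHAIN)` marks only the first entry as rejected: the MD5-signed root passes because its issuer and subject are identical, which is the heuristic used here for "root".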




> -----Original Message-----
> From: jz.penguin at gmail.com [mailto:jz.penguin at gmail.com] On Behalf Of James
> Sent: February 28, 2012 12:56
> To: Martin Bérubé
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] eap + apple products - failed auth
>
> Thanks for the response.
>
> I'm not sure how to determine that; can you give me a nudge in the right
> direction?
>
> -james
>
>
> On Tue, Feb 28, 2012 at 12:49, Martin Bérubé <mberube at jeancoutu.com> wrote:
> > Hello James,
> >
> > Are you using MD5 hashing for the issuer certificate?
> > Apple dropped support for MD5 hashing for all certificates, except the CA
> > (root) ones, starting with iOS 5.
> >
> >
> > Martin Bérubé
> > Technical Analyst
> > Architecture and Security
> > Tel.: (450) 463-1890 ext. 3362
> > Before printing, think about the environment.
> >
> >
> >
> >> -----Original Message-----
> >> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of James
> >> Sent: February 28, 2012 12:38
> >> To: radiator at open.com.au
> >> Subject: [RADIATOR] eap + apple products - failed auth
> >>
> >> All,
> >>
> >> I'm facing a pretty weird problem while trying to set up EAP
> >> authentication.
> >> Windows and Linux devices seem to work fine without issues -- the
> >> clients are prompted to authenticate, accept the certificate, and
> >> then they're successfully auth'ed and hop onto the wireless network.
> >>
> >> Apple products (OS X, iPad and iPod) seem to have a strange issue,
> >> however: Radiator sends an Access-Accept, the client sees that
> >> authentication was successful, but the client will disconnect and
> >> then reconnect ensuing in an authentication loop. Logs on OS X
> >> indicate that authentication *IS* successful, but the operating
> >> system eventually reports a timeout in the 4-way handshake.
> >>
> >> Here's the Radiator configuration:
> >>
> >> -->8--
> >>
> >> DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config
> >> LogDir /opt/radiator/logs
> >> DbDir   /opt/radiator/db
> >> Trace   4
> >> AuthPort 1645
> >> AcctPort 1646
> >> PidFile  %L/wireless.pid
> >> LogFile
> >> <Log FILE>
> >>     Identifier radiatorLog
> >>     Filename %L/%d.%v.%Y/wireless.log
> >>     Trace   4
> >>     LogMicroseconds
> >> </Log>
> >> <Client DEFAULT>
> >>     Secret whatever
> >>     DupInterval 0
> >> </Client>
> >> <SessionDatabase NULL>
> >>     Identifier Null
> >> </SessionDatabase>
> >> <AuthLog FILE>
> >>     Identifier authLogger
> >>     Filename %L/%d.%v.%Y/wireless.auth
> >>     LogSuccess 1
> >>     LogFailure 1
> >>     SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T request from %c (nas = %N) for user %U
> >>     FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T request from %c (nas = %N) for user %U
> >> </AuthLog>
> >> include %{GlobalVar:ConfigDir}/auth.wireless
> >> <Handler TunnelledByPEAP=1>
> >>     AuthBy dm-wifi
> >>     AuthLog authLogger
> >>     Log radiatorLog
> >>     AcctLogFileName %L/%d.%v.%Y/wireless.log
> >> </Handler>
> >> <Handler>
> >>     AuthBy eap-outer
> >>     AuthLog authLogger
> >>     Log radiatorLog
> >>     AcctLogFileName %L/%d.%v.%Y/wireless.log
> >> </Handler>
> >> <AuthBy NTLM>
> >>     Identifier dm-wifi
> >>     NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
> >>     DefaultDomain DHE
> >>     EAPType MSCHAP-V2
> >> </AuthBy>
> >> <AuthBy FILE>
> >>     Identifier eap-outer
> >>     Filename %D/users
> >>     EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
> >>     EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
> >>     EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
> >>     EAPTLS_CertificateType PEM
> >>     EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
> >>     EAPTLS_PrivateKeyPassword whatever
> >>     EAPTLS_MaxFragmentSize 1000
> >>     AutoMPPEKeys
> >>     EAPTLS_PEAPVersion 1
> >> </AuthBy>
> >>
> >> --8<--
> >>
> >> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 145
> >> Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message = <2><9><0>+<25><1><23><3><1><0>
> >> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183>
> >> |<22
> >> |7><2>6rs<166>f<144><141><244><3><150>
> >>       Message-Authenticator =
> >> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
> >>
> >> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9,
> >> 43, 25 Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25 Tue
> >> Feb 28 12:27:59
> >> 2012 739078: DEBUG: EAP PEAP inner authentication request for
> >> anonymous Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request
> Packet dump:
> >> Code:       Access-Request
> >> Identifier: UNDEF
> >> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> >> Attributes:
> >>       EAP-Message = <2><0><0><10><1>testUser
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       NAS-Port = 29
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       User-Name = "anonymous"
> >>
> >> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with
> >> Radius::AuthNTLM: dm- wifi Tue Feb 28 12:27:59 2012 739910: DEBUG:
> >> Handling with EAP: code 2, 0, 10, 1 Tue Feb 28 12:27:59 2012 740035:
> >> DEBUG: Response type 1 Tue Feb 28
> >> 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> >> Tue Feb
> >> 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE, EAP
> >> MSCHAP-V2 Challenge Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM
> result:
> >> CHALLENGE, EAP MSCHAP-V2 Challenge Tue Feb 28 12:27:59 2012 740560:
> DEBUG:
> >> Access challenged for
> >> anonymous: EAP MSCHAP-V2 Challenge
> >> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
> >> anonymous: EAP MSCHAP-V2 Challenge
> >> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet
> dump:
> >> Code:       Access-Challenge
> >> Identifier: UNDEF
> >> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> >> Attributes:
> >>       EAP-Message =
> >> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<1
> >> 62><12>
> >> <128>ywifi-radius-temp
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
> >> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 741267:
> >> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 741377: DEBUG:
> >> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 741504: DEBUG:
> >> Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 741619: DEBUG: Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 741984: DEBUG: Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Challenge
> >> Identifier: 145
> >> Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
> >> Attributes:
> >>       EAP-Message =
> >> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18>
> >> <188>[<
> >> 218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196
> >> 218>>"o<242
> >> ><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><18
> >> >3>W<170
> >> >)<129>T
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 146
> >> Authentic:
> >> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message =
> >> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145>
> >> <2>v<14
> >> 0>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<22
> >> 0>4>D<160
> >> ><202><131>
> >> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><21
> >> 0><161>
> >> <133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t
> >> <237>5<
> >> 7><f<189>QY<195><209>D<141>
> >>       Message-Authenticator =
> >> <30><<150><197>JcR<14><223>lY<161><24>w/<250>
> >>
> >> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2,
> >> 10, 107,
> >> 25 Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25 Tue Feb
> >> 28
> >> 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication request
> >> for anonymous Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled
> >> request Packet dump:
> >> Code:       Access-Request
> >> Identifier: UNDEF
> >> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> >> Attributes:
> >>       EAP-Message =
> >> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l
> >> <16><22
> >> 3><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><
> >> 3>227>7<1
> >> 32><241>x<145>HE<217>=vu<21><233><0>testUser
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       NAS-Port = 29
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       User-Name = "anonymous"
> >>
> >> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with
> >> Radius::AuthNTLM: dm- wifi Tue Feb 28 12:27:59 2012 748362: DEBUG:
> >> Handling with EAP: code 2, 1, 64, 26 Tue Feb 28 12:27:59 2012 748490:
> >> DEBUG: Response type 26 Tue Feb 28
> >> 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for match with
> >> testUser [anonymous] Tue Feb 28 12:27:59 2012 748801: DEBUG:
> Radius::AuthNTLM ACCEPT:
> >> :
> >> testUser [anonymous]
> >> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
> >> Request-User-Session-Key: Yes
> >> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
> >> Request-LanMan-Session-Key: Yes
> >> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
> >> LANMAN-Challenge: some-challenge
> >> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
> >> some-response
> >> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
> >> some-domain
> >> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
> >> some-username
> >> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute:
> Authenticated:
> >> Yes Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
> >> User-Session-Key: session-key
> >> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
> >> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
> >> Challenge: Success
> >> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result:
> >> CHALLENGE, EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012
> >> 755351: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2
> >> Challenge: Success Tue Feb 28 12:27:59
> >> 2012 755478: DEBUG: Access challenged for
> >> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012
> 755588:
> >> DEBUG: Access challenged for
> >> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012
> 755815:
> >> DEBUG: Returned PEAP tunnelled packet dump:
> >> Code:       Access-Challenge
> >> Identifier: UNDEF
> >> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> >> Attributes:
> >>       EAP-Message =
> >> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
> >> M=success
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
> >> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 756137:
> >> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 756247: DEBUG:
> >> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 756374: DEBUG:
> >> Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 756485: DEBUG: Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 756882: DEBUG: Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Challenge
> >> Identifier: 146
> >> Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
> >> Attributes:
> >>       EAP-Message =
> >> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y>
> >> <178><1
> >> 37><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25>
> >> 37><237>%*
> >> <151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207
> >> ><147><
> >> 237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180
> >> 237>><150><
> >> 184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 147
> >> Authentic:
> >> <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message = <2><11><0>+<25><1><23><3><1><0>
> >> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<24
> >> 5><167>
> >> >/<27><134><201>v1<128>
> >>       Message-Authenticator =
> >> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
> >>
> >> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2,
> >> 11, 43,
> >> 25 Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25 Tue Feb
> >> 28
> >> 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication request
> >> for anonymous Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled
> >> request Packet dump:
> >> Code:       Access-Request
> >> Identifier: UNDEF
> >> Authentic:
> >> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> >> Attributes:
> >>       EAP-Message = <2><2><0><6><26><3>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       NAS-Port = 29
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       User-Name = "anonymous"
> >>
> >> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with
> >> Radius::AuthNTLM: dm- wifi Tue Feb 28 12:27:59 2012 762984: DEBUG:
> >> Handling with EAP: code 2, 2, 6, 26 Tue Feb 28 12:27:59 2012 763143:
> >> DEBUG: Response type 26 Tue Feb 28
> >> 12:27:59 2012 763319: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012
> 763440:
> >> DEBUG: AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763548:
> DEBUG:
> >> AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763677: DEBUG:
> >> Access accepted for anonymous Tue Feb 28 12:27:59 2012 763788: DEBUG:
> >> Access accepted for anonymous Tue Feb 28 12:27:59 2012 764183: DEBUG:
> >> Returned PEAP tunnelled packet dump:
> >> Code:       Access-Accept
> >> Identifier: UNDEF
> >> Authentic:
> >> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> >> Attributes:
> >>       EAP-Message = <3><2><0><4>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
> >> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 764535:
> >> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 764659: DEBUG:
> >> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 764791: DEBUG:
> >> Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 764905: DEBUG: Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 765255: DEBUG: Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Challenge
> >> Identifier: 147
> >> Authentic:
> >> <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
> >> Attributes:
> >>       EAP-Message = <1><12><0>+<25><1><23><3><1><0>
> >> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160
> >> ><213>-
> >> <8>].s<148><226><245><217><26>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 148
> >> Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message = <2><12><0>+<25><1><23><3><1><0>
> >> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>
> >> I<253><
> >> 145><173>)<226>B<22><29>G<222>`6<183>
> >>       Message-Authenticator =
> >> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
> >>
> >> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2,
> >> 12, 43,
> >> 25 Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25 Tue Feb
> >> 28
> >> 12:27:59 2012 771782: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012
> 771975:
> >> DEBUG: AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772145:
> DEBUG:
> >> AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772338: DEBUG:
> >> Access accepted for testUser Tue Feb 28 12:27:59 2012 772508: DEBUG:
> >> Access accepted for testUser Tue Feb 28 12:27:59 2012 773368: DEBUG:
> Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Accept
> >> Identifier: 148
> >> Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
> >> Attributes:
> >>       EAP-Message = <3><12><0><4>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       MS-MPPE-Send-Key =
> >> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><14
> >> 3>t<217
> >> ><26><245><14>;<167>%;W<200>
> >>       MS-MPPE-Recv-Key =
> >> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|
> >> ^<230><
> >> 218>G)<175>
> >>
> >> -->8--
> >>
> >> Thoughts on what may be happening? I can't seem to find anything on
> >> the web about this, but I'm also hard-pressed to believe we're the
> >> only folks that have run into this. The client simply refuses to
> >> connect. It's worth noting that OS X indicates the client is
> >> "connected" with a self-assigned 169.x.x.x IP address, but the logs
> >> really indicate that en1 (the wireless interface) continues to go up/down
> >> and re-attempt authentication.
> >>
> >> Any help would be greatly appreciated.
> >>
> >> -james