[RADIATOR] eap + apple products - failed auth

Heikki Vatiainen hvn at open.com.au
Mon Mar 5 16:58:58 CST 2012


On 03/01/2012 06:35 PM, Amândio Antunes Gomes Silva wrote:

> I've been struggling to solve a problem similar to this one for a while, but
> the scenario is a little bit different: in our wireless network (eduroam
> with WPA/Enterprise) we support the TTLS/PAP, TTLS/MSCHAPv2 and PEAP
> authentication methods, which work fine for all kinds of devices, but
> Apple ones, which work fine with all of these, but TTLS/MSCHAPv2. The
> Apple clients get authenticated, the connections last for 5 to 10
> seconds and then they drop, never getting an IP address. Analyzing the
> logs, I see an Access-Accept immediately followed by a Challenge which, I
> think, makes the connection not succeed.

Yes, the client would need to reply so that Access-Accept could be sent
back to the NAS.

The problem here might be with the attributes that get tunnelled back to the
client. If you search the log for "Returned TTLS tunnelled", there are
e.g. Framed-IP-Address, MS-MPPE-* and Tunnel-* attributes that are sent
to the client.

I would try changing this by adding StripFromRequest to the inner
Handler to strip the Framed-IP-Address and MS-MPPE-* attributes. The
MS-MPPE-* attributes will be added by the outer Handler for the
Access-Accept. If they are received over the tunnelled request, they
could just confuse the client.

Thanks!
Heikki


> Since TTLS/MSCHAPv2 is the default authentication method on Apple
> devices, it's impossible for our new users to connect to eduroam
> for the first time (by simply entering their username/password when
> prompted) without editing the connection properties, which can be tricky,
> especially now that Mac OSX Lion doesn't let you do this manually,
> unless you have a mobile.config configuration file with the proper
> parameters. Does anyone have an idea of how to solve this?
> 
> Some important notes:
> 
> 1. The PEAP and TTLS/MSCHAPV2 requests, as you can see, are
> proxied to an ISA server, which I don't have admin rights on.
> 
> 2. The TTLS/PAP requests are handled by an <AuthBy LDAP>, with
> ServerChecksPassword enabled (that's why it doesn't handle MSCHAPV2).
> 
> 3. There is a ReplyHook used to correct some attributes that are
> sent by the ISA server, mainly the Tunnel-Private-Group-ID, used to put
> each user in his VLAN, according to his type.
> 
> 4. Mac OSX 10.6.8 (Snow Leopard) with TTLS/MSCHAP, PEAP and
> TTLS/PAP works fine.
> 
> 5. Mac OSX 10.6.8 doesn't work with TTLS/MSCHAPV2 (the Mac syslog
> reports "TTLS: authentication failed with status 1").
> 
>  
> 
>  
> 
> Our config is:
> 
> The authenticator for PEAP/MSCHAPV2:
> 
> <AuthBy RADIUS>
>   NoEAP
> # RewriteUsername s/^([^@]+).*/$1\@%{W}/
>   Identifier      PEAPnoSAPIA
>   Host            ***.***.***.***
>   Secret          ********
>   AuthPort        1812
>   AcctPort        1813
>   EAPType         PEAP,TTLS,TLS,MSCHAP-V2,MSCHAPV2
>   Description     PEAP no SAPIA
>   Retries         5
>   RetryTimeout    30
>   ReplyHook       file:"/etc/radiator/rh-postauth.pl"
>   EAPTLS_PEAPVersion  0
> </AuthBy>
> 
>  
> 
> The Handlers
> 
> ...
> 
> <Handler ConvertedFromEAPMSCHAPV2=1>
>   AuthByPolicy  ContinueUntilAcceptOrChallenge
>   AuthLog peaplog
>   StripFromRequest ConvertedFromEAPMSCHAPV2
>   AuthBy  PEAPnoSAPIA
> </Handler>
> 
> <Handler TunnelledByPEAP=1>
>   AuthByPolicy ContinueUntilAcceptOrChallenge
>   <AuthBy FILE>
>     # Don't really need this
>     Filename %D/users
> 
>     # This tells the PEAP client what types of inner EAP requests
>     # we will honour
>     EAPType MSCHAP-V2
> 
>     # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>     # an ordinary Radius-MSCHAPV2 request and redispatch it to a Handler
>     # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
>     EAP_PEAP_MSCHAP_Convert 1
>   </AuthBy>
>   PostProcessingHook file:"/etc/radiator/eap_acct_username_orig.pl"
> </Handler>
> 
> <Handler TunnelledByTTLS=1, MS-CHAP-Challenge =/.+$/>
>   AcctLogFileName /var/log/radius/radacct/%Y%m
>   AuthByPolicy  ContinueUntilAcceptOrChallenge
>   AuthBy  PEAPnoSAPIA
>   PostProcessingHook file:"/etc/radiator/eap_acct_username_orig.pl"
> </Handler>
> 
> <Handler TunnelledByTTLS=1>
>   AcctLogFileName /var/log/radius/radacct/%Y%m
>   AuthByPolicy  ContinueUntilAcceptOrChallenge
>   AuthBy  Auth-SAPIA
>   PostProcessingHook file:"/etc/radiator/eap_acct_username_orig.pl"
> </Handler>
> 
> <Handler Realm=/uminho.pt$/ >
>   AcctLogFileName /var/log/radius/radacct/%Y%m
>   AuthBy SQLAccounting
>   Description SSID eduroam para utilizadores uminho.pt
>   Identifier  REALM-UMINHO
>   RejectHasReason
>   <AuthBy FILE>
>     # the %D/users file can be empty, it's there for normal PAP
>     # authentication. This can however be used for the WEB captive
>     # portals.
>     Filename %D/users
>     EAPTLS_CAFile /etc/radiator/certs/8675909-usertrust.ca-bundle
>     EAPTLS_CertificateFile /etc/radiator/certs/server.crt
>     EAPTLS_CertificateType PEM
>     EAPTLS_MaxFragmentSize 1024
>     EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
>     EAPType TTLS, PEAP
>     AutoMPPEKeys
>   </AuthBy FILE>
>   PreProcessingHook file:"/etc/radiator/radius.rewriteMAC.pl"
> </Handler>
> 
>  
> 
> The Logs:
> 
> See attached file.
> 
> Best regards,
> 
> *Amândio Antunes Gomes da Silva*
> 
> Serviços de Comunicações da Universidade do Minho
> Campus de Gualtar, 4710-057 Braga - Portugal
> Tel.: + 351 253 60 40 20, Fax: +351 253 60 40 21
> VoIP: amandio at scom.uminho.pt <sip:amandio at scom.uminho.pt>
> email: amandio at scom.uminho.pt <mailto:amandio at scom.uminho.pt> |
> http://www.scom.uminho.pt <http://www.scom.uminho.pt/>
> 
> 
> -----Original Message-----
> From: James [mailto:jtp at nc.rr.com]
> Sent: Tuesday, 28 February 2012 18:11
> To: chema
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] eap + apple products - failed auth
> 
> Yes, setting EAPTLS_PEAPVersion to '0' seems to work.
> 
> Does this result in any sort of "less secure" communications? What is
> the difference between the two PEAP draft versions?
> 
> -james
> 
> On Tue, Feb 28, 2012 at 13:06, chema <chema at uniovi.es
> <mailto:chema at uniovi.es>> wrote:
> 
>>  Hi,
>> 
>>  Some time ago, we had the same problem, and our solution was making this
>>  change (EAPTLS_PEAPVersion to 0). We had no previous problems using
>>  PAP/TTLS.
>>  Hope you can solve this. Regards
>> 
>>  On Tue, 28 Feb 2012 17:48:53 +0000, Adam Bishop wrote:
>>> Hi,
>>> 
>>> Try setting EAPTLS_PEAPVersion as 0 instead of 1 - been a while since
>>> I wrote my configuration but I think that was the value that made OS X
>>> and iOS clients work for me.
>>> 
>>> Regards,
>>> 
>>> Adam Bishop
>>> 
>>> On 28 Feb 2012, at 17:38, James wrote:
>>> 
>>>> All,
>>>> 
> 
>>>> I'm facing a pretty weird problem while trying to set up EAP
>>>> authentication. Windows and Linux devices seem to work fine without
>>>> issues -- the clients are prompted to authenticate, accept the
>>>> certificate, and then they're successfully auth'ed and hop onto the
>>>> wireless network.
>>>> 
>>>> Apple products (OS X, iPad and iPod) seem to have a strange issue,
>>>> however: Radiator sends an Access-Accept, the client sees that
>>>> authentication was successful, but the client will disconnect and then
>>>> reconnect, ensuing in an authentication loop. Logs on OS X indicate
>>>> that authentication *IS* successful, but the operating system
>>>> eventually reports a timeout in the 4-way handshake.
>>>> 
>>>> Here's the Radiator configuration:
>>>> 
> 
>>>> -->8--
>>>> 
>>>> DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config
>>>> LogDir  /opt/radiator/logs
>>>> DbDir   /opt/radiator/db
>>>> Trace   4
>>>> AuthPort 1645
>>>> AcctPort 1646
>>>> PidFile  %L/wireless.pid
>>>> LogFile
>>>> <Log FILE>
>>>>    Identifier radiatorLog
>>>>    Filename %L/%d.%v.%Y/wireless.log
>>>>    Trace   4
>>>>    LogMicroseconds
>>>> </Log>
>>>> <Client DEFAULT>
>>>>    Secret whatever
>>>>    DupInterval 0
>>>> </Client>
>>>> <SessionDatabase NULL>
>>>>    Identifier Null
>>>> </SessionDatabase>
>>>> <AuthLog FILE>
>>>>    Identifier authLogger
>>>>    Filename %L/%d.%v.%Y/wireless.auth
>>>>    LogSuccess 1
>>>>    LogFailure 1
>>>>    SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T request from %c (nas = %N) for user %U
>>>>    FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T request from %c (nas = %N) for user %U
>>>> </AuthLog>
>>>> include %{GlobalVar:ConfigDir}/auth.wireless
>>>> <Handler TunnelledByPEAP=1>
>>>>    AuthBy dm-wifi
>>>>    AuthLog authLogger
>>>>    Log radiatorLog
>>>>    AcctLogFileName %L/%d.%v.%Y/wireless.log
>>>> </Handler>
>>>> <Handler>
>>>>    AuthBy eap-outer
>>>>    AuthLog authLogger
>>>>    Log radiatorLog
>>>>    AcctLogFileName %L/%d.%v.%Y/wireless.log
>>>> </Handler>
>>>> <AuthBy NTLM>
>>>>    Identifier dm-wifi
>>>>    NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
>>>>    DefaultDomain DHE
>>>>    EAPType MSCHAP-V2
>>>> </AuthBy>
>>>> <AuthBy FILE>
>>>>    Identifier eap-outer
>>>>    Filename %D/users
>>>>    EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>>>>    EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>>>>    EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>>>>    EAPTLS_CertificateType PEM
>>>>    EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>>>>    EAPTLS_PrivateKeyPassword whatever
>>>>    EAPTLS_MaxFragmentSize 1000
>>>>    AutoMPPEKeys
>>>>    EAPTLS_PEAPVersion 1
>>>> </AuthBy>
>>>> 
>>>> --8<--
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
> 
>>>> *** Received from 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: 145
> 
>>>> Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
> 
>>>> Attributes:
> 
>>>>      User-Name = "testUser"
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 
>>>>      NAS-Port = 29
> 
>>>>      cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      Airespace-WLAN-Id = 7
> 
>>>>      Service-Type = Framed-User
> 
>>>>      Framed-MTU = 1300
> 
>>>>      NAS-Port-Type = Wireless-IEEE-802-11
> 
>>>>      Tunnel-Type = 0:VLAN
> 
>>>>      Tunnel-Medium-Type = 0:802
> 
>>>>      Tunnel-Private-Group-ID = 924
> 
>>>>      EAP-Message = <2><9><0>+<25><1><23><3><1><0>
> 
>>>> 
> 
>>>>
> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
> 
>>>>      Message-Authenticator =
> 
>>>> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
> 
>>>> Radius::AuthFILE: eap-outer
> 
>>>> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2,
> 
>>>> 9, 43, 25
> 
>>>> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
> 
>>>> Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner
> 
>>>> authentication
> 
>>>> request for anonymous
> 
>>>> Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request
> 
>>>> Packet dump:
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: UNDEF
> 
>>>> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> 
>>>> Attributes:
> 
>>>>      EAP-Message = <2><0><0><10><1>testUser
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      NAS-Port = 29
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      User-Name = "anonymous"
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> 'TunnelledByPEAP=1', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> 'TunnelledByPEAP=1', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with
> 
>>>> Radius::AuthNTLM: dm-wifi
> 
>>>> Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2,
> 
>>>> 0, 10, 1
> 
>>>> Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
> 
>>>> Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2
> 
>>>> Challenge
> 
>>>> Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result:
> 
>>>> CHALLENGE,
> 
>>>> EAP MSCHAP-V2 Challenge
> 
>>>> Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result:
> 
>>>> CHALLENGE,
> 
>>>> EAP MSCHAP-V2 Challenge
> 
>>>> Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
> 
>>>> anonymous: EAP MSCHAP-V2 Challenge
> 
>>>> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
> 
>>>> anonymous: EAP MSCHAP-V2 Challenge
> 
>>>> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled
> 
>>>> packet dump:
> 
>>>> Code:       Access-Challenge
> 
>>>> Identifier: UNDEF
> 
>>>> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> 
>>>> Attributes:
> 
>>>>      EAP-Message =
> 
>>>>
> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP
> 
>>>> inner
> 
>>>> authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result:
> 
>>>> CHALLENGE,
> 
>>>> EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result:
> 
>>>> CHALLENGE,
> 
>>>> EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
> 
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
> 
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
> 
>>>> *** Sending to 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Challenge
> 
>>>> Identifier: 145
> 
>>>> Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
> 
>>>> Attributes:
> 
>>>>      EAP-Message =
> 
>>>>
> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
> 
>>>> *** Received from 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: 146
> 
>>>> Authentic:
> 
>>>> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
> 
>>>> Attributes:
> 
>>>>      User-Name = "testUser"
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 
>>>>      NAS-Port = 29
> 
>>>>      cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      Airespace-WLAN-Id = 7
> 
>>>>      Service-Type = Framed-User
> 
>>>>      Framed-MTU = 1300
> 
>>>>      NAS-Port-Type = Wireless-IEEE-802-11
> 
>>>>      Tunnel-Type = 0:VLAN
> 
>>>>      Tunnel-Medium-Type = 0:802
> 
>>>>      Tunnel-Private-Group-ID = 924
> 
>>>>      EAP-Message =
> 
>>>>
> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
> 
>>>> 
> 
>>>>
> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
> 
>>>>      Message-Authenticator =
> 
>>>> <30><<150><197>JcR<14><223>lY<161><24>w/<250>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
> 
>>>> Radius::AuthFILE: eap-outer
> 
>>>> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2,
> 
>>>> 10, 107, 25
> 
>>>> Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
> 
>>>> Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner
> 
>>>> authentication
> 
>>>> request for anonymous
> 
>>>> Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request
> 
>>>> Packet dump:
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: UNDEF
> 
>>>> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> 
>>>> Attributes:
> 
>>>>      EAP-Message =
> 
>>>>
> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      NAS-Port = 29
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      User-Name = "anonymous"
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> 'TunnelledByPEAP=1', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> 'TunnelledByPEAP=1', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with
> 
>>>> Radius::AuthNTLM: dm-wifi
> 
>>>> Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2,
> 
>>>> 1, 64, 26
> 
>>>> Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
> 
>>>> Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
> 
>>>> match with testUser [anonymous]
> 
>>>> Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
> 
>>>> testUser [anonymous]
> 
>>>> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
> 
>>>> Request-User-Session-Key: Yes
> 
>>>> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
> 
>>>> Request-LanMan-Session-Key: Yes
> 
>>>> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
> 
>>>> LANMAN-Challenge: some-challenge
> 
>>>> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute
> 
>>>> NT-Response:
> 
>>>> some-response
> 
>>>> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute
> 
>>>> NT-Domain::
> 
>>>> some-domain
> 
>>>> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
> 
>>>> some-username
> 
>>>> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute:
> 
>>>> Authenticated: Yes
> 
>>>> Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
> 
>>>> User-Session-Key: session-key
> 
>>>> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
> 
>>>> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
> 
>>>> Challenge: Success
> 
>>>> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result:
> 
>>>> CHALLENGE,
> 
>>>> EAP MSCHAP V2 Challenge: Success
> 
>>>> Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result:
> 
>>>> CHALLENGE,
> 
>>>> EAP MSCHAP V2 Challenge: Success
> 
>>>> Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
> 
>>>> anonymous: EAP MSCHAP V2 Challenge: Success
> 
>>>> Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
> 
>>>> anonymous: EAP MSCHAP V2 Challenge: Success
> 
>>>> Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled
> 
>>>> packet dump:
> 
>>>> Code:       Access-Challenge
> 
>>>> Identifier: UNDEF
> 
>>>> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> 
>>>> Attributes:
> 
>>>>      EAP-Message =
> 
>>>> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
> 
>>>> M=success
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP
> 
>>>> inner
> 
>>>> authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result:
> 
>>>> CHALLENGE,
> 
>>>> EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result:
> 
>>>> CHALLENGE,
> 
>>>> EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
> 
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
> 
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
> 
>>>> *** Sending to 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Challenge
> 
>>>> Identifier: 146
> 
>>>> Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
> 
>>>> Attributes:
> 
>>>>      EAP-Message =
> 
>>>>
> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
> 
>>>> *** Received from 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: 147
> 
>>>> Authentic:
> 
>>>> <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
> 
>>>> Attributes:
> 
>>>>      User-Name = "testUser"
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 
>>>>      NAS-Port = 29
> 
>>>>      cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      Airespace-WLAN-Id = 7
> 
>>>>      Service-Type = Framed-User
> 
>>>>      Framed-MTU = 1300
> 
>>>>      NAS-Port-Type = Wireless-IEEE-802-11
> 
>>>>      Tunnel-Type = 0:VLAN
> 
>>>>      Tunnel-Medium-Type = 0:802
> 
>>>>      Tunnel-Private-Group-ID = 924
> 
>>>>      EAP-Message = <2><11><0>+<25><1><23><3><1><0>
> 
>>>> 
> 
>>>>
> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
> 
>>>>      Message-Authenticator =
> 
>>>> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
> 
>>>> Radius::AuthFILE: eap-outer
> 
>>>> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2,
> 
>>>> 11, 43, 25
> 
>>>> Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
> 
>>>> Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner
> 
>>>> authentication
> 
>>>> request for anonymous
> 
>>>> Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request
> 
>>>> Packet dump:
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: UNDEF
> 
>>>> Authentic:
> 
>>>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> 
>>>> Attributes:
> 
>>>>      EAP-Message = <2><2><0><6><26><3>
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      NAS-Port = 29
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      User-Name = "anonymous"
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> 'TunnelledByPEAP=1', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> 'TunnelledByPEAP=1', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with
> 
>>>> Radius::AuthNTLM: dm-wifi
> 
>>>> Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2,
> 
>>>> 2, 6, 26
> 
>>>> Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
> 
>>>> Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
> 
>>>> Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: ACCEPT,
> 
>>>> Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: ACCEPT,
> 
>>>> Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for
> 
>>>> anonymous
> 
>>>> Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for
> 
>>>> anonymous
> 
>>>> Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled
> 
>>>> packet dump:
> 
>>>> Code:       Access-Accept
> 
>>>> Identifier: UNDEF
> 
>>>> Authentic:
> 
>>>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> 
>>>> Attributes:
> 
>>>>      EAP-Message = <3><2><0><4>
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP
> 
>>>> inner
> 
>>>> authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result:
> 
>>>> CHALLENGE,
> 
>>>> EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result:
> 
>>>> CHALLENGE,
> 
>>>> EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
> 
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
> 
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
> 
>>>> Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
> 
>>>> *** Sending to 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Challenge
> 
>>>> Identifier: 147
> 
>>>> Authentic:
> 
>>>> <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
> 
>>>> Attributes:
> 
>>>>      EAP-Message = <1><12><0>+<25><1><23><3><1><0>
> 
>>>> 
> 
>>>>
> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
> 
>>>> *** Received from 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Request
> 
>>>> Identifier: 148
> 
>>>> Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
> 
>>>> Attributes:
> 
>>>>      User-Name = "testUser"
> 
>>>>      Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 
>>>>      Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 
>>>>      NAS-Port = 29
> 
>>>>      cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 
>>>>      NAS-IP-Address = 10.11.55.232
> 
>>>>      NAS-Identifier = "cisco-wism"
> 
>>>>      Airespace-WLAN-Id = 7
> 
>>>>      Service-Type = Framed-User
> 
>>>>      Framed-MTU = 1300
> 
>>>>      NAS-Port-Type = Wireless-IEEE-802-11
> 
>>>>      Tunnel-Type = 0:VLAN
> 
>>>>      Tunnel-Medium-Type = 0:802
> 
>>>>      Tunnel-Private-Group-ID = 924
> 
>>>>      EAP-Message = <2><12><0>+<25><1><23><3><1><0>
> 
>>>> 
> 
>>>>
> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
> 
>>>>      Message-Authenticator =
> 
>>>> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
> 
>>>> 
> 
>>>> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with
> 
>>>> Handler
> 
>>>> '', Identifier ''
> 
>>>> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
> 
>>>> Radius::AuthFILE: eap-outer
> 
>>>> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2,
> 
>>>> 12, 43, 25
> 
>>>> Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
> 
>>>> Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
> 
>>>> Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: ACCEPT,
> 
>>>> Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: ACCEPT,
> 
>>>> Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for testUser
> 
>>>> Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for testUser
> 
>>>> Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
> 
>>>> *** Sending to 10.11.55.232 port 32768 ....
> 
>>>> Code:       Access-Accept
> 
>>>> Identifier: 148
> 
>>>> Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
> 
>>>> Attributes:
> 
>>>>      EAP-Message = <3><12><0><4>
> 
>>>>      Message-Authenticator =
> 
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>>>>      MS-MPPE-Send-Key =
> 
>>>> 
> 
>>>>
> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
> 
>>>>      MS-MPPE-Recv-Key =
> 
>>>> 
> 
>>>>
> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>
> 
>>>> 
> 
>>>> -->8--
>>>> 
>>>> Thoughts on what may be happening? I can't seem to find anything on
>>>> the web about this, but I'm also hard-pressed to believe we're the
>>>> only folks that have run into this. The client simply refuses to
>>>> connect. It's worth noting that OS X indicates the client is
>>>> "connected" with a self-assigned 169.x.x.x IP address, but the logs
>>>> really indicate that en1 (the wireless interface) continues to go
>>>> up/down and re-attempt authentication.
>>>> 
>>>> Any help would be greatly appreciated.
>>>> 
>>>> -james
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au <mailto:radiator at open.com.au>
>>>> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
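Added example, not from the thread or the Radiator distribution: an inner Handler for TTLS-tunnelled MSCHAPv2 along the lines Heikki suggests, so that per-session attributes from the back-end stay out of the tunnelled reply. The Handler check, the PEAPnoSAPIA Identifier and the hook file are copied from the configuration posted in the thread; the StripFromReply directive for the reply direction and the explicit attribute list (Radiator takes a comma-separated list of attribute names here, so MS-MPPE-* is spelled out) are assumptions to check against your Radiator version's reference manual.

```apacheconf
# Added example (not from the thread or the Radiator distribution).
# Inner Handler for the TTLS/MSCHAPv2 case that is proxied to the back-end.
<Handler TunnelledByTTLS=1, MS-CHAP-Challenge=/.+$/>
    AcctLogFileName /var/log/radius/radacct/%Y%m
    AuthByPolicy ContinueUntilAcceptOrChallenge

    # Heikki's suggestion from the thread: keep Framed-IP-Address and
    # the MS-MPPE-* keys out of the inner (tunnelled) request.
    StripFromRequest Framed-IP-Address, MS-MPPE-Send-Key, MS-MPPE-Recv-Key

    # Assumption: also drop the same attributes from the back-end's
    # Access-Accept before it is tunnelled back to the supplicant. The
    # outer Handler's AutoMPPEKeys supplies fresh MS-MPPE-* keys for the
    # final Access-Accept that goes to the NAS.
    StripFromReply Framed-IP-Address, MS-MPPE-Send-Key, MS-MPPE-Recv-Key

    AuthBy PEAPnoSAPIA
    PostProcessingHook file:"/etc/radiator/eap_acct_username_orig.pl"
</Handler>
```

After restarting with Trace 4, the "Returned TTLS tunnelled packet dump" for an Access-Accept should then carry only the EAP-Message and Message-Authenticator attributes, which is what a client expects inside the tunnel.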
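Heikki's advice to search the log for "Returned TTLS tunnelled" can be turned into a repeatable check. The script below is an added example written for this page, not code from Radiator or from anyone in the thread: it parses the Trace 4 packet-dump layout shown in James's log (the "Returned ... tunnelled packet dump:" line, then Code:, Attributes: and one indented "Name = value" line per attribute, terminated by a blank line or the next timestamped log line) and reports any inner Access-Accept that still carries Framed-IP-Address or MS-MPPE-* attributes. The sample log embedded in it is constructed; the attribute names flagged are the ones Heikki names.

```python
"""Audit a Radiator Trace 4 log for attributes leaking into tunnelled replies.

Added example, not code from the Radiator distribution or the mailing-list
thread. It handles both TTLS and PEAP inner replies, which is more general
than the single TTLS case discussed in the thread.
"""
import re
from typing import Dict, List, Tuple

# Attributes that should not appear in the inner (tunnelled) Access-Accept,
# per the advice in the thread: the outer Handler adds MS-MPPE-* itself.
SUSPECT_PREFIXES = ("Framed-IP-Address", "MS-MPPE-")

# "DEBUG: Returned TTLS tunnelled packet dump:" (or PEAP) opens a dump.
RETURNED_RE = re.compile(r"DEBUG: Returned (TTLS|PEAP) tunnelled\s*packet dump:")
# Every Radiator log line starts with a timestamp such as "Tue Feb 28 12:27:59 2012".
TIMESTAMP_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}")
CODE_RE = re.compile(r"^Code:\s+(\S+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9\-]+)\s*=\s*(.*)$")

# Constructed sample in the layout of the log posted in the thread.
SAMPLE_LOG = """\
Mon Mar  5 10:00:00 2012 123456: DEBUG: Returned TTLS tunnelled packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <1><2><3>
Attributes:
\tEAP-Message = <3><4><0><4>
\tMessage-Authenticator = <0><0>
\tFramed-IP-Address = 10.0.0.5
\tMS-MPPE-Send-Key = <131>9<217>
\tMS-MPPE-Recv-Key = <193>$B<0>
\tTunnel-Private-Group-ID = 924

Mon Mar  5 10:00:01 2012 123789: DEBUG: Access accepted for anonymous
Mon Mar  5 10:00:02 2012 124000: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Attributes:
\tEAP-Message = <1><1><0>*
\tMessage-Authenticator = <0><0>

"""


def parse_tunnelled_replies(log_text: str) -> List[Dict]:
    """Return one dict per tunnelled reply: tunnel type, RADIUS code, attributes."""
    replies: List[Dict] = []
    current = None
    in_attrs = False
    for line in log_text.splitlines():
        m = RETURNED_RE.search(line)
        if m:
            current = {"tunnel": m.group(1), "code": None, "attributes": []}
            replies.append(current)
            in_attrs = False
            continue
        if current is None:
            continue
        # A blank line or the next timestamped log line ends the dump.
        if not line.strip() or TIMESTAMP_RE.match(line):
            current = None
            in_attrs = False
            continue
        cm = CODE_RE.match(line)
        if cm:
            current["code"] = cm.group(1)
            continue
        if line.startswith("Attributes:"):
            in_attrs = True
            continue
        if in_attrs:
            am = ATTR_RE.match(line)
            if am:
                current["attributes"].append((am.group(1), am.group(2)))
    return replies


def flag_suspect_attributes(reply: Dict) -> List[str]:
    """Names of attributes in this reply that the inner Handler should strip."""
    return [name for name, _ in reply["attributes"] if name.startswith(SUSPECT_PREFIXES)]


def audit(log_text: str) -> List[Dict]:
    """Inner Access-Accepts that still carry suspect attributes."""
    findings = []
    for reply in parse_tunnelled_replies(log_text):
        if reply["code"] != "Access-Accept":
            continue
        suspects = flag_suspect_attributes(reply)
        if suspects:
            findings.append({"tunnel": reply["tunnel"], "suspects": suspects})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['tunnel']} inner Access-Accept carries: {', '.join(f['suspects'])}")
```

Run it against a real log by reading the file into `audit()` instead of `SAMPLE_LOG`; an empty result after adding the strip directives confirms the inner reply is clean, while Tunnel-* attributes are deliberately not flagged because the thread relies on Tunnel-Private-Group-ID for VLAN assignment in the outer reply.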