[RADIATOR] EAP service provisioning issues

Prasoon Majumdar prasoonprince at gmail.com
Wed Jun 12 05:35:09 CDT 2013


Hi All,

This is regarding a service provisioning scenario that we observed with the EAP
MD5 protocol in a Radiator configuration. Please find the details below:

<AuthBy LDAP2>
        NoDefault
        Identifier      user_auth
        Host            10.91.118.24
        Port            389
        AuthDN          cn=directory manager
        AuthPassword    tcpip123
        BaseDN          %{User-Base}
        Scope           one
        SearchFilter    (uid=%U)
        UsernameAttr    uid
        PasswordAttr    coltplainpasswd
        EAPType         MD5-Challenge
        AuthAttrDef     radius-framed-ip-address,Framed-IP-Address,reply
        AuthAttrDef     radius-framed-ip-netmask,Framed-IP-Netmask,reply
        Debug           255
</AuthBy>


<AuthBy LDAP2>
        Identifier      service_auth
        Host            10.91.118.24
        Port            389
        AuthDN          cn=directory manager
        AuthPassword    tcpip123
        BaseDN          %{Service-Dn}
        Scope           subtree
        SearchFilter    radiusdomains=%W
        PasswordAttr
#        EAPType         MD5-Challenge
        AuthAttrDef     radius-cisco-avpair,Cisco-AVPair,reply
        AuthAttrDef     radius-Framed-Protocol,Framed-Protocol,reply
        AuthAttrDef     radius-service-type,Service-Type,reply
        AuthAttrDef     radius-Tunnel-Client-Auth-ID,Tunnel-Client-Auth-ID,reply
        AuthAttrDef     radius-Tunnel-Client-Endpoint,Tunnel-Client-Endpoint,reply
        AuthAttrDef     radius-Tunnel-Medium-Type,Tunnel-Medium-Type,reply
        AuthAttrDef     radius-Tunnel-Password,Tunnel-Password,reply
        AuthAttrDef     radius-Tunnel-Server-Endpoint,Tunnel-Server-Endpoint,reply
        AddToReplyIfNotExist    Framed-Protocol=PPP,Service-Type=2
        Debug           255
</AuthBy>



In this scenario, we are taking the default handlers to understand EAP
communication, and observed that the user authentication with EAP is going
fine, but the service authentication with EAP is not required and still
Radiator is requesting EAP communication. So how can we disable EAP for
service authentication, and if it's explicitly required, what are the
parameters that need to be taken care of?

Usually by default, service provisioning should be devoid of any such
protocols.

Please find the logs here:


Wed Jun 12 08:21:05 2013: DEBUG: Rewrote user name to bsidhan at coltvpn1.net
Wed Jun 12 08:21:05 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code:       Access-Request
Identifier: 136
Authentic:  `<4>[Wi<147>j<253><21><131><4>3<31><192>2?
Attributes:
        Service-Type = Login-User
        Calling-Station-Id = "10.91.117.20"
        User-Name = "bsidhan at coltvpn1.net"
        EAP-Message = "<2>;<0><25><1>bsidhan at coltvpn1.net"
        Signature = "<249><165>'<131><4>qp<197>h<217>5<232><229>1G<158>"
        NAS-IP-Address = 10.91.113.13

Wed Jun 12 08:21:05 2013: DEBUG: Handling request with Handler '',
Identifier ''
Wed Jun 12 08:21:05 2013: DEBUG:  Deleting session for bsidhan at coltvpn1.net,
10.91.113.13,
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 08:21:05 2013: INFO: PreAuthHook: Got User-Name: bsidhan and
Realm: coltvpn1.net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP
server
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: ldapsearch with base
ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: User search basedn:
ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Group search basedn:
ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef:
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: User subscribes to 0 groups
and 1 services directly.
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Checking service reference
for domain first...
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Searching for radiusdomains=
coltvpn1.net under

coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: 1 results found for services
with radiusdomains=coltvpn1.net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: User subscribes to
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
directly. Setting

Pre-Auth = 1.
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Service-Dn:

coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Pre-Auth: 1
Wed Jun 12 08:21:05 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 08:21:05 2013: DEBUG: Handling with EAP: code 2, 59, 25, 1
Wed Jun 12 08:21:05 2013: DEBUG: Response type 1
Wed Jun 12 08:21:05 2013: DEBUG: EAP result: 3, EAP MD5-Challenge
Wed Jun 12 08:21:05 2013: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
MD5-Challenge
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Got from PreAuthHook ->
Pre-Auth: 1
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Framed-IP-Address =
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Framed-IP-Netmask =
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Tunnel-Type =
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Tunnel-Medium-Type =
Wed Jun 12 08:21:05 2013: INFO: PostAuthHook: Stripping Framed-IP-Address
and Framed-IP-Netmask from the REPLY PACKET
Wed Jun 12 08:21:05 2013: INFO: PostAuthHook: Stripping Tunnel attributes
from the REPLY PACKET
Wed Jun 12 08:21:05 2013: INFO: PostAuthHook: Called-Station-Id not
present: Bypassing accessnumber check with Access-Accept.
Wed Jun 12 08:21:05 2013: DEBUG: Access challenged for bsidhan at coltvpn1.net:
EAP MD5-Challenge
Wed Jun 12 08:21:05 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code:       Access-Challenge
Identifier: 136
Authentic:  <137>L<224>k<202>Z[<240><29><14>l0<29><236><13><176>
Attributes:
        EAP-Message =
"<1><<0>+<4><16><165>9y<230><237>k`<207><226><195><149><198>/}<13><193>
rad1.blr.lab.colt.net"
        Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"

Wed Jun 12 08:21:06 2013: DEBUG: Rewrote user name to bsidhan at coltvpn1.net
Wed Jun 12 08:21:06 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code:       Access-Request
Identifier: 137
Authentic:  s<133><146>8<222>i<220>\Kt<184><227>r<205><243><132>
Attributes:
        Service-Type = Login-User
        Calling-Station-Id = "10.91.117.20"
        User-Name = "bsidhan at coltvpn1.net"
        EAP-Message =
"<2><<0><22><4><16>k2<164><16><251><230>?<142><213><6><212><242>t<218><219><14>"
        Signature =
"<133><21><209><159><154><212><186><29>5<9><204><164>jbN<24>"
        NAS-IP-Address = 10.91.113.13

Wed Jun 12 08:21:06 2013: DEBUG: Handling request with Handler '',
Identifier ''
Wed Jun 12 08:21:06 2013: DEBUG:  Deleting session for bsidhan at coltvpn1.net,
10.91.113.13,
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 08:21:06 2013: INFO: PreAuthHook: Got User-Name: bsidhan and
Realm: coltvpn1.net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP
server
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: ldapsearch with base
ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: User search basedn:
ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Group search basedn:
ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef:
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: User subscribes to 0 groups
and 1 services directly.
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Checking service reference
for domain first...
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Searching for radiusdomains=
coltvpn1.net under

coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: 1 results found for services
with radiusdomains=coltvpn1.net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: User subscribes to
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
directly. Setting

Pre-Auth = 1.
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Service-Dn:

coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Pre-Auth: 1
Wed Jun 12 08:21:06 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 08:21:06 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 08:21:06 2013: DEBUG: Response type 4
Wed Jun 12 08:21:06 2013: INFO: Connecting to 10.91.118.24:389
Wed Jun 12 08:21:06 2013: INFO: Attempting to bind to LDAP server
10.91.118.24:389
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got result for uid=bsidhan,
ou=people, o=COLT, ou=customers, dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got coltplainpasswd: 123456789
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 looks for match with
bsidhan at coltvpn1.net [bsidhan at coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: :
bsidhan at coltvpn1.net [bsidhan at coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: EAP Success, elapsed time 0.198786
Wed Jun 12 08:21:06 2013: DEBUG: EAP result: 0,
Wed Jun 12 08:21:06 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed Jun 12 08:21:06 2013: DEBUG: Handling with Radius::AuthLDAP2:
service_auth
Wed Jun 12 08:21:06 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 08:21:06 2013: DEBUG: Response type 4
Wed Jun 12 08:21:06 2013: INFO: Connecting to 10.91.118.24:389
Wed Jun 12 08:21:06 2013: INFO: Attempting to bind to LDAP server
10.91.118.24:389
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got result for
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got radius-cisco-avpair:
ip:interface-config=vrf forwarding IPC-Perf-1 ip:interface-config=ip
unnumbered Loopback11

ipsec:route-set-interface=1 ipsec:addr-pool=FlexPool ipsec:route-set=prefix
157.54.0.0/16
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got radius-Tunnel-Medium-Type:
colttest at colt.net
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got radius-Tunnel-Password: tcpip123
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 looks for match with
bsidhan at coltvpn1.net [bsidhan at coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: :
bsidhan at coltvpn1.net [bsidhan at coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: EAP Failure, elapsed time 0.205295
Wed Jun 12 08:21:06 2013: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: AuthBy LDAP2 result: REJECT, EAP
MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: Got from PreAuthHook ->
Pre-Auth: 1
Wed Jun 12 08:21:06 2013: INFO: PostAuthHook: Access already rejected by
Radius: Bypassing accessnumber check.
Wed Jun 12 08:21:06 2013: INFO: Access rejected for bsidhan at coltvpn1.net:
EAP MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code:       Access-Reject
Identifier: 137
Authentic:  @Q<143><189><245><198><189><150><238>a<226><195>i}<243>4
Attributes:
        EAP-Message = "<4><<0><4>"
        Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
        Reply-Message = "Request Denied"





Now when we completely neglected the service_auth for our requests (not an
ideal production scenario), the logs changed to accept mode:


Wed Jun 12 09:06:31 2013: DEBUG: Rewrote user name to bsidhan at coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code:       Access-Request
Identifier: 160
Authentic:  /<23><254>-<183>:<218><184><243>b<212><237><29><136>hT
Attributes:
        Service-Type = Login-User
        Calling-Station-Id = "10.91.117.20"
        User-Name = "bsidhan at coltvpn1.net"
        EAP-Message = "<2>;<0><25><1>bsidhan at coltvpn1.net"
        Signature = "O@<17>5?eI<192>KB<19><214>!<242><210>7"
        NAS-IP-Address = 10.91.113.13

Wed Jun 12 09:06:31 2013: DEBUG: Handling request with Handler '',
Identifier ''
Wed Jun 12 09:06:31 2013: DEBUG:  Deleting session for bsidhan at coltvpn1.net,
10.91.113.13,
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: INFO: PreAuthHook: Got User-Name: bsidhan and
Realm: coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP
server
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ldapsearch with base
ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User search basedn:
ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Group search basedn:
ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef:
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to 0 groups
and 1 services directly.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Checking service reference
for domain first...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Searching for radiusdomains=
coltvpn1.net under
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: 1 results found for services
with radiusdomains=coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
directly. Setting Pre-Auth = 1.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Service-Dn:
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 09:06:31 2013: DEBUG: Handling with EAP: code 2, 59, 25, 1
Wed Jun 12 09:06:31 2013: DEBUG: Response type 1
Wed Jun 12 09:06:31 2013: DEBUG: EAP result: 3, EAP MD5-Challenge
Wed Jun 12 09:06:31 2013: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
MD5-Challenge
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Got from PreAuthHook ->
Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Address =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Netmask =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Type =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Medium-Type =
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Framed-IP-Address
and Framed-IP-Netmask from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Tunnel attributes
from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Called-Station-Id not
present: Bypassing accessnumber check with Access-Accept.
Wed Jun 12 09:06:31 2013: DEBUG: Access challenged for bsidhan at coltvpn1.net:
EAP MD5-Challenge
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code:       Access-Challenge
Identifier: 160
Authentic:  ;/<184><20><147>v<27><149><185><154><154><7><224><150>3<176>
Attributes:
        EAP-Message =
"<1><<0>+<4><16>2<193><195><134><233><179><250>V<231><19>R<204><141><176><207><151>
rad1.blr.lab.colt.net"
        Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"

Wed Jun 12 09:06:31 2013: DEBUG: Rewrote user name to bsidhan at coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code:       Access-Request
Identifier: 161
Authentic:  <28><21><192>uM<1><178>uAp<19>V<235>yGh
Attributes:
        Service-Type = Login-User
        Calling-Station-Id = "10.91.117.20"
        User-Name = "bsidhan at coltvpn1.net"
        EAP-Message =
"<2><<0><22><4><16><30><238><175><134><143><224><3><127><128><244><10><31>d`<165><216>"
        Signature = "<173><21>&<196><1><24><147>9^&<130>:ZE<164><190>"
        NAS-IP-Address = 10.91.113.13

Wed Jun 12 09:06:31 2013: DEBUG: Handling request with Handler '',
Identifier ''
Wed Jun 12 09:06:31 2013: DEBUG:  Deleting session for bsidhan at coltvpn1.net,
10.91.113.13,
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: INFO: PreAuthHook: Got User-Name: bsidhan and
Realm: coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP
server
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ldapsearch with base
ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User search basedn:
ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Group search basedn:
ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef:
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to 0 groups
and 1 services directly.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Checking service reference
for domain first...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Searching for radiusdomains=
coltvpn1.net under
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: 1 results found for services
with radiusdomains=coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
directly. Setting Pre-Auth = 1.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Service-Dn:
coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request ->
Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 09:06:31 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 09:06:31 2013: DEBUG: Response type 4
Wed Jun 12 09:06:31 2013: INFO: Connecting to 10.91.118.24:389
Wed Jun 12 09:06:31 2013: INFO: Attempting to bind to LDAP server
10.91.118.24:389
Wed Jun 12 09:06:31 2013: DEBUG: LDAP got result for uid=bsidhan,
ou=people, o=COLT, ou=customers, dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: LDAP got coltplainpasswd: 123456789
Wed Jun 12 09:06:31 2013: DEBUG: Radius::AuthLDAP2 looks for match with
bsidhan at coltvpn1.net [bsidhan at coltvpn1.net]
Wed Jun 12 09:06:31 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: :
bsidhan at coltvpn1.net [bsidhan at coltvpn1.net]
Wed Jun 12 09:06:31 2013: DEBUG: EAP Success, elapsed time 0.018697
Wed Jun 12 09:06:31 2013: DEBUG: EAP result: 0,
Wed Jun 12 09:06:31 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Got from PreAuthHook ->
Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Address =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Netmask =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Type =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Medium-Type =
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Framed-IP-Address
and Framed-IP-Netmask from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Tunnel attributes
from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Called-Station-Id not
present: Bypassing accessnumber check with Access-Accept.
Wed Jun 12 09:06:31 2013: DEBUG: Access accepted for bsidhan at coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code:       Access-Accept
Identifier: 161
Authentic:  v<4><218>a2<208><193><175><137>wK<152>i<145><219><254>
Attributes:
        EAP-Message = "<3><<0><4>"
        Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"




Can anyone give us a hand here?

Regards,
Prasoon


-- 
Regards,
Prasoon Majumdar
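
Added example (not part of the original post, and not Radiator code): a Python script that rebuilds the AuthBy chain per request from a debug log like the one above and flags the pattern in the failing run, where service_auth re-processes the same EAP response after user_auth has already accepted it. The fourth number on a "Handling with EAP" line is the EAP type (1 = Identity, 4 = MD5-Challenge); SAMPLE_LOG is constructed from lines in the post, and the function names are illustrative.

```python
import re

# A Radiator log record starts with a timestamp, then "LEVEL: message".
TS = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}: \w+: (.*)$")
NEW_REQUEST = re.compile(r"^Handling request with Handler")
AUTHBY = re.compile(r"^Handling with Radius::\w+: ?(\S*)")
EAP_IN = re.compile(r"^Handling with EAP: code \d+, \d+, \d+, (\d+)")
RESULT = re.compile(r"^AuthBy \w+ result: (\w+), ?(.*)")

# Constructed sample: lines taken from the failing run in the post,
# including the line wrapping introduced by the mail client.
SAMPLE_LOG = """\
Wed Jun 12 08:21:05 2013: DEBUG: Handling request with Handler '',
Identifier ''
Wed Jun 12 08:21:05 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 08:21:05 2013: DEBUG: Handling with EAP: code 2, 59, 25, 1
Wed Jun 12 08:21:05 2013: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
MD5-Challenge
Wed Jun 12 08:21:06 2013: DEBUG: Handling request with Handler '',
Identifier ''
Wed Jun 12 08:21:06 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 08:21:06 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 08:21:06 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed Jun 12 08:21:06 2013: DEBUG: Handling with Radius::AuthLDAP2:
service_auth
Wed Jun 12 08:21:06 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 08:21:06 2013: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: AuthBy LDAP2 result: REJECT, EAP
MD5-Challenge failed
"""

def unwrap(text):
    """Rejoin wrapped lines: anything that does not start with a
    timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def trace(text):
    """Return, per request, the ordered list of AuthBy steps."""
    requests = []
    for rec in unwrap(text):
        msg = TS.match(rec).group(1)
        if NEW_REQUEST.match(msg):
            requests.append([])
        elif (m := AUTHBY.match(msg)):
            if not requests:
                requests.append([])  # log started mid-request
            requests[-1].append({"authby": m.group(1), "eap_type": None,
                                 "result": None, "reason": ""})
        elif requests and requests[-1]:
            step = requests[-1][-1]
            if (m := EAP_IN.match(msg)):
                step["eap_type"] = int(m.group(1))
            elif (m := RESULT.match(msg)):
                step["result"], step["reason"] = m.group(1), m.group(2).strip()
    return requests

def eap_rehandled(requests):
    """Flag requests where a later AuthBy rejected an EAP message that an
    earlier AuthBy in the same chain had already accepted."""
    findings = []
    for n, steps in enumerate(requests):
        accepted = None
        for step in steps:
            if step["eap_type"] is None:
                continue  # this AuthBy did not see EAP
            if accepted and step["result"] == "REJECT":
                findings.append((n, accepted, step["authby"], step["reason"]))
            if step["result"] == "ACCEPT":
                accepted = step["authby"]
    return findings

if __name__ == "__main__":
    for finding in eap_rehandled(trace(SAMPLE_LOG)):
        print(finding)
```
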