[RADIATOR] EAP TLS issues "routines:SSL3_READ_BYTES:tlsv1 alert access denied"

Jeffrey Smith doc at neonova.net
Wed Feb 19 14:08:59 CST 2014


I've been trying to get our Meraki wireless access points authenticating
against our RADIATOR server for a while now.  What's odd is that the
authentication test that the AP runs completes successfully.  When I try to
connect a client to the AP, however, things get weird.

Here is the relevant portion of the config:

<Handler TunnelledByPEAP=1>
        <AuthBy MassGeneric>
                EAPType MSCHAP-V2
                Filename %D/users/ppp/
        </AuthBy>
</Handler>

# Brings up the Secure EAP-TLS Tunnel for the Radius auth to transport over
<Handler Realm="neonova.net", NAS-Port-Type = Wireless-IEEE-802-11>
        <AuthBy MassGeneric>
                EAPType PEAP, TTLS
                EAPTLS_CAFile %D/certificates/wildcard.neonova.net-2048-helper.pem
                EAPTLS_CertificateFile %D/certificates/wildcard.neonova.net-2048.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/wildcard.neonova.net-2048.pem
                EAPTLS_MaxFragmentSize 1000
                EAPAnonymous %u
                Filename %D/users/ppp/
        </AuthBy>
</Handler>


Here are debug logs, first for the test from the AP that comes back
successful:

---------------------------------- Begin successful test from AP ----------------------------------------

Wed Feb 19 10:51:55 2014: DEBUG: Packet dump:

Code:       Access-Request

Identifier: 8

Authentic:  M4njOt<141><210><153>W<194><171>E<240><24><179>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

Called-Station-Id = "00-18-0A-22-1A-C6:nns_auth_test"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 11Mbps 802.11b"

EAP-Message = <2><8><0>`<25><0><23><3><1><0>
<141><136>C<218><255>c+<149>n<240>'E<160>S<211><225>z<149><140><169>_<238><184>_<13><214><235>5^X3<184><23><3><1><0>0a<219><133><233><8>]<185><132><143><214><146>9<137>zhJ<226><226><13>z<30>w<205><3>z.<195><23><247><184><141>e<151><244><183><179>v<147>Cs<28>R<8><237>4<239><201><229>

Message-Authenticator =
h<214><7><250>-<181><19>:<248><165><244>(<161><158><139>^


Wed Feb 19 10:51:56 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:51:56 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:56 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:56 2014: DEBUG: Handling with EAP: code 2, 8, 96, 25

Wed Feb 19 10:51:56 2014: DEBUG: Response type 25

Wed Feb 19 10:51:56 2014: DEBUG: EAP PEAP inner authentication request for
testuser at neonova.net

Wed Feb 19 10:51:56 2014: DEBUG: PEAP Tunnelled request Packet dump:

Code:       Access-Request

Identifier: UNDEF

Authentic:  <9><186>T<253>:Z<0><167><141><246><132><141><129>y<12><191>

Attributes:

EAP-Message = <2><8><0><21><1>testuser at neonova.net

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

User-Name = "testuser at neonova.net"


Wed Feb 19 10:51:56 2014: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''

Wed Feb 19 10:51:56 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:56 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:56 2014: DEBUG: Handling with EAP: code 2, 8, 21, 1

Wed Feb 19 10:51:56 2014: DEBUG: Response type 1

Wed Feb 19 10:51:56 2014: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge

Wed Feb 19 10:51:56 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
MSCHAP-V2 Challenge

Wed Feb 19 10:51:56 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP MSCHAP-V2 Challenge

Wed Feb 19 10:51:56 2014: DEBUG: Returned PEAP tunnelled packet dump:

Code:       Access-Challenge

Identifier: UNDEF

Authentic:  <9><186>T<253>:Z<0><167><141><246><132><141><129>y<12><191>

Attributes:

EAP-Message =
<1><9><0>)<26><1><9><0>$<16>LTGs<201>x<13><206>Y<21><14><149>lz<187><195>
mail.kpunet.net

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:51:56 2014: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler

Wed Feb 19 10:51:56 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP inner authentication redispatched to a Handler

Wed Feb 19 10:51:56 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP inner authentication redispatched to a Handler

Wed Feb 19 10:51:56 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32788 ....


Code:       Access-Challenge

Identifier: 8

Authentic:  U<138><184><4>b<181>+<218><243><13><221>\B<176><154>z

Attributes:

EAP-Message =
<1><9><0>K<25><0><23><3><1><0>@<184><139>k<199>&<243>#<215><146><216><18>q<31>C<22><208>X<155><245><174><131>R<134>V)<131><213>-<182><144><180><140>(<241><245><234><198><246><15><139><187>~<162>!<162><216>i<181><201><200><11><253><136><140><164><221>yk<252>m<179><227>K2

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:51:56 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32788 ....


Code:       Access-Request

Identifier: 9

Authentic:
<182><169><165><130><158><188>v<208><253><14><147><132><195><174>z)

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

Called-Station-Id = "00-18-0A-22-1A-C6:nns_auth_test"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 11Mbps 802.11b"

EAP-Message = <2><9><0><144><25><0><23><3><1><0>
\R<19><198><127>|%A<213><226><231><162><137><157><185>OUE<184><244>F<253><178>=<212>z?qa<207>w<154><23><3><1><0>`<154>b<144><197>5n<250>`<193><20>.]4<23>q<235><225>
<202><11>(<222><236><145>v<159><221><194>L<151><246><170><177>6<155>O<24><236>VI<254><238><24>[*<27><165>CF<155>|<242><17><238><248>.<204><7><176>M&<146>A<5>B#<182><25><175><142><149><224><241><227><249><174>A<212>Q<144><29>f<28>s<18><195><250><137><20><234><168>c<210>=<214><25>

Message-Authenticator =
<167><159><127><31>I<251><254>f<252><219>2<18><180><9>A0


Wed Feb 19 10:51:56 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:51:56 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:56 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:56 2014: DEBUG: Handling with EAP: code 2, 9, 144, 25

Wed Feb 19 10:51:56 2014: DEBUG: Response type 25

Wed Feb 19 10:51:56 2014: DEBUG: EAP PEAP inner authentication request for
testuser at neonova.net

Wed Feb 19 10:51:56 2014: DEBUG: PEAP Tunnelled request Packet dump:

Code:       Access-Request

Identifier: UNDEF

Authentic:  <240><246><246>Y<136><241><207><155>g<193>\<186>I<179><183>~

Attributes:

EAP-Message =
<2><9><0>K<26><2><9><0>J1<190><175>X<173><4><197><191><176><206><21><205><219><23>C<10><29><0><0><0><0><0><0><0><0>a<231>7<134><147><189>$<129><16><156><208><25>q!}<210><209><237>D=<152><158><166>%<0>
testuser at neonova.net

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

User-Name = "testuser at neonova.net"


Wed Feb 19 10:51:56 2014: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''

Wed Feb 19 10:51:56 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:56 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:56 2014: DEBUG: Handling with EAP: code 2, 9, 75, 26

Wed Feb 19 10:51:56 2014: DEBUG: Response type 26

Wed Feb 19 10:51:56 2014: DEBUG: Reading users file
/usr/local/raddb/users/ppp/neonova.net

Wed Feb 19 10:51:56 2014: DEBUG: Radius::AuthMassGeneric looks for match
with testuser at neonova.net [testuser at neonova.net]

Wed Feb 19 10:51:56 2014: DEBUG: Radius::AuthMassGeneric ACCEPT: :
testuser at neonova.net [testuser at neonova.net]

Wed Feb 19 10:51:56 2014: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
Success

Wed Feb 19 10:51:56 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
MSCHAP V2 Challenge: Success

Wed Feb 19 10:51:56 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP MSCHAP V2 Challenge: Success

Wed Feb 19 10:51:56 2014: DEBUG: Returned PEAP tunnelled packet dump:

Code:       Access-Challenge

Identifier: UNDEF

Authentic:  <240><246><246>Y<136><241><207><155>g<193>\<186>I<179><183>~

Attributes:

EAP-Message =
<1><10><0>=<26><3><9><0>8S=F8200D229516C69BD374BFC90736253EB395C603
M=success

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:51:56 2014: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler

Wed Feb 19 10:51:56 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP inner authentication redispatched to a Handler

Wed Feb 19 10:51:56 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP inner authentication redispatched to a Handler

Wed Feb 19 10:51:56 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32788 ....


Code:       Access-Challenge

Identifier: 9

Authentic:  <218><132><202><199><<166><165><169><201>!<217><129><233>5<196>x

Attributes:

EAP-Message =
<1><10><0>[<25><0><23><3><1><0>Py<175><239>\<145><130>]<204><199><214><224>s<251>$<243><211><162><134><154><253><224>8+<133><199><234><239>B<133>3X<10><225><149>,X3<206>k<132>F<142><15><141><229><165>Wt<154><158>"<220>l*<9><140><190><11><248><25>g<173>C<151><207><133><148><251>!<138>Zq<191><30>p^<168><145><5><174>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:51:57 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32788 ....


Code:       Access-Request

Identifier: 10

Authentic:  <237><182><177><145><227>G<25>: <6>n`(<248>Q<160>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

Called-Station-Id = "00-18-0A-22-1A-C6:nns_auth_test"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 11Mbps 802.11b"

EAP-Message = <2><10><0>P<25><0><23><3><1><0>
%@[<23><229><229><3>><187>e<17><29><197>3<127><222><158><196>W<161>u2N<27>m`k<147>z<152><19>y<23><3><1><0>
1<137><142><219><218><172>"<176><237><186><239><222><160><189>S<239><27>t<23><204><211><212><199><235><149><192><181><i<229><8><241>

Message-Authenticator = <180>3"<240>E<233><214><138>NM<211>ea#=<174>


Wed Feb 19 10:51:57 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:51:57 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:57 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:57 2014: DEBUG: Handling with EAP: code 2, 10, 80, 25

Wed Feb 19 10:51:57 2014: DEBUG: Response type 25

Wed Feb 19 10:51:57 2014: DEBUG: EAP PEAP inner authentication request for
testuser at neonova.net

Wed Feb 19 10:51:57 2014: DEBUG: PEAP Tunnelled request Packet dump:

Code:       Access-Request

Identifier: UNDEF

Authentic:  |<226><228><197>Ad5L<246><184><217><191>}<191><22><178>

Attributes:

EAP-Message = <2><10><0><2><26><3>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

User-Name = "testuser at neonova.net"


Wed Feb 19 10:51:57 2014: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''

Wed Feb 19 10:51:57 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:57 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:57 2014: DEBUG: Handling with EAP: code 2, 10, 2, 26

Wed Feb 19 10:51:57 2014: DEBUG: Response type 26

Wed Feb 19 10:51:57 2014: DEBUG: EAP Success, elapsed time 0.224548

Wed Feb 19 10:51:57 2014: DEBUG: EAP result: 0,

Wed Feb 19 10:51:57 2014: DEBUG: AuthBy MassGeneric result: ACCEPT,

Wed Feb 19 10:51:57 2014: DEBUG: Access accepted for testuser at neonova.net

Wed Feb 19 10:51:57 2014: DEBUG: Returned PEAP tunnelled packet dump:

Code:       Access-Accept

Identifier: UNDEF

Authentic:  |<226><228><197>Ad5L<246><184><217><191>}<191><22><178>

Attributes:

Filter-Id = "8021x"

EAP-Message = <3><10><0><4>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:51:57 2014: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler

Wed Feb 19 10:51:57 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP inner authentication redispatched to a Handler

Wed Feb 19 10:51:57 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP inner authentication redispatched to a Handler

Wed Feb 19 10:51:57 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32788 ....


Code:       Access-Challenge

Identifier: 10

Authentic:
<169><28><142><239>W<192><177><246><229><144><215><159><128><194><232><245>

Attributes:

EAP-Message = <1><11><0>+<25><0><23><3><1><0>
<163><222>CrZ<150>~<143><160><140>Ky<232><196>xx<216><180>JT<20>D<162>E[<12>v"o1+<155>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:51:57 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32788 ....


Code:       Access-Request

Identifier: 11

Authentic:  <168>%<144><30><155><13>0c<140><11><128><138><202><169>v<206>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 6.34.26.198

Calling-Station-Id = "00-00-00-00-00-02"

Called-Station-Id = "00-18-0A-22-1A-C6:nns_auth_test"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 11Mbps 802.11b"

EAP-Message = <2><11><0>P<25><0><23><3><1><0>
'<8><139><202><176><241><159><133><185>E<182>C<151><188><201><224>i-'<182><178><137><196><156><223><232><172>P?<214><200><252><23><3><1><0>
w<255><178>9m<28>F<216><199>w<221><148>}<21>Q=7<212><195>h2e<12><230><147><235><206><210><22><154><188><185>

Message-Authenticator =
<11>d<137><131><166><169><199>W%<165><150><13>%<166>F<159>


Wed Feb 19 10:51:57 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:51:57 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 6.34.26.198,

Wed Feb 19 10:51:57 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:51:57 2014: DEBUG: Handling with EAP: code 2, 11, 80, 25

Wed Feb 19 10:51:57 2014: DEBUG: Response type 25

Wed Feb 19 10:51:57 2014: DEBUG: EAP Success, elapsed time 1.254937

Wed Feb 19 10:51:57 2014: DEBUG: EAP result: 0,

Wed Feb 19 10:51:57 2014: DEBUG: AuthBy MassGeneric result: ACCEPT,

Wed Feb 19 10:51:57 2014: DEBUG: Access accepted for testuser at neonova.net

Wed Feb 19 10:51:57 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32788 ....

Code:       Access-Accept

Identifier: 11

Authentic:  <15>?<243><190><229><229>f<244>%1<173>"<19><164>|m

Attributes:

Filter-Id = "8021x"

EAP-Message = <3><11><0><4>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


----------------------------------------------- End of successful test from AP ---------------------------------

And now a client that fails:

------------------------------------------------ Begin failure log -----------------------------------

Wed Feb 19 10:59:57 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 183

Authentic:  <235>2<219><168><228><185><132>6r<177>L<206><146>1<180><154>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = <2><1><0><25><1>testuser at neonova.net

Message-Authenticator =
<<159><136><202>K<152><178><179><178><137>A<251><149><13><12>E


Wed Feb 19 10:59:57 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:57 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:57 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:57 2014: DEBUG: Handling with EAP: code 2, 1, 25, 1

Wed Feb 19 10:59:57 2014: DEBUG: Response type 1

Wed Feb 19 10:59:57 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:57 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:57 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge

Wed Feb 19 10:59:57 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32786 ....


Code:       Access-Challenge

Identifier: 183

Authentic:  )<193><222><175><16><148><222><251>b{<236>*<165><242>$<224>

Attributes:

EAP-Message = <1><2><0><6><25>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 184

Authentic:  ~{S<5<127><18><11>C<216>n<226><153>=<141><221>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message =
<2><2><0>i<25><128><0><0><0>_<22><3><1><0>Z<1><0><0>V<3><1>S<5><13>==<14>{LU<14>&S<17>
<254><133>N<146><20>A<168><139>(<188>k<225><245>1<164><141><211>W<0><0><24><0>/<0>5<0><5><0><10><192><19><192><20><192><9><192><10><0>2<0>8<0><19><0><4><1><0><0><21><255><1><0><1><0><0><10><0><6><0><4><0><23><0><24><0><11><0><2><1><0>

Message-Authenticator = <1>LIIJ<169><30>1od<219><194><2><193><189><248>


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 2, 105, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576

Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 185

Authentic:  1<127><27>@`<148><231><184>J<243>j<197><172><177>0<214>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = <2><3><0><6><25><0>

Message-Authenticator =
<148><16><23>1<214><189><175><131>A<240><245>E<134>-<159><186>


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 3, 6, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 186

Authentic:  <21><22>=k<171>-<242><222><185><180><148>'`t<161>(

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = <2><4><0><6><25><0>

Message-Authenticator = G3<169><21><158><211><n<134>W<227><26><4>o)<210>


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 4, 6, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 187

Authentic:  67{<149><255><19>{<174>^<197><226>=<129><130><227>o

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = <2><5><0><6><25><0>

Message-Authenticator =
u1}<152><252><157><227><170><12><213><252><152><142><193><174><254>


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 5, 6, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 188

Authentic:  <15><171>mn<31>e5$<228><6><148><207><221>N<210>/

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = <2><6><0><6><25><0>

Message-Authenticator = ~<142><199><147><30>9=<243><189><166><0><205>uLX<


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 6, 6, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32786 ....


Code:       Access-Challenge

Identifier: 188

Authentic:  <167>W<206><200>|<150><197><228><137>VYOp<205><172><243>

Attributes:

EAP-Message =
<1><7><0><177><25><0><4><13>0<11><27><5>V3.0c<3><2><6><192>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0>X<206>)<234><252><247><222><181><206><2><185><23><181><133><209><185><227><224><149><204>%1<13><0><166><146>n<127><182><146>c<158>P<149><209><154>o<228><17><222>c<133>n<152><238><168><255>Z<200><211>U<178>fqW<222><192>!<235>=*<167>#I<1><4><134>B{<252><238><127><162><22>R<181>gg<211>@<219>;&X<178>(w=<174><20>wa<214><250>*f'<160><13><250><167>s\<234>p<241><148>!eD_<250><252><239>)h<169><162><135>y<239>y<239>O<172><7>w8<22><3><1><0><4><14><0><0><0>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 189

Authentic:  q6<159><8><170>:<248><210><6><0>A8<192><252>m<180>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message =
<2><7><1>P<25><128><0><0><1>F<22><3><1><1><6><16><0><1><2><1><0>i<226><163><168><198><2>u<13>,<19>/<165><175>{W*<164><133>Ms<164>:<208><145><158><174><251><151><16><148>w<224>Jq)<12>D<226><9><166>e^X<185><220>:#<7>F<152>)'<24>I6"<3><129><130><249>D<140><207>a<242>:<233><210><231><27>Q<203><132>o;<7>L#<27>'<208><189><22>k0<252><167>.7>s<212>j<137><145><31>c<7>[@<200>D[<187><197><200>c<185><162><239><1><207><136><208>d<165>F<194>G~<167><184><254><228>:<128><153><205>?<247><24><171><214><250>4<139>w<212>mA<165>o<140><132><158>&<209><185><229><130><142><26><143>q<20>`-<148>l<144>9<137>1<14>k/<227><155><31>Y<29>g,t<133>D<164><219><241>)<159><130><5><236><28>0;<144><141>><205><187><235>I<200>a<6><209><19><219><182><178><182><145>d<11><169><19>><3>5<0><213><149><236><173>n<182><194><170><247><144><156><212><164>j<0><254>M<138>qf

EAP-Message =
<22>N<0><1><213><133><154>r<130><147><245>&<148><26><247>_=?<234>n<129>0Q<2><20><3><1><0><1><1><22><3><1><0>0<164>DIA<194><153>D<141><135>!<157><206><241><196><136><3><228><192>M<238>e<175>_<205>"<3>t<228>oE<141><174><204>v<151>^w<143><214>SV8<1><136><157><159><195><212>

Message-Authenticator = <225><30><132><10>
d;<237><203><255><128><212><142>U<188>K


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 7, 336, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: DEBUG: EAP TLS SSL_accept result: 1, 0, 3

Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 3, EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: CHALLENGE, EAP
PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Access challenged for testuser at neonova.net:
EAP PEAP Challenge

Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32786 ....


Code:       Access-Challenge

Identifier: 189

Authentic:  <197><127>#<136><238><169>W<158>WR<212><162><223><173><219>&

Attributes:

EAP-Message =
<1><8><0>E<25><128><0><0><0>;<20><3><1><0><1><1><22><3><1><0>0<175><166>X<182><172>}G?<182><15><15><238>L<188>POP<243>h<165>j<236><220>7<179><149><216><25><223>@<171><196><12><200>V<158><21>EG<<230>(e4<196><249><207><253>

Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Received from 137.118.48.15 port 32786 ....


Code:       Access-Request

Identifier: 190

Authentic:  <0><139><166>MPy<152>C<248><0><246>@<27><135><214><12>

Attributes:

User-Name = "testuser at neonova.net"

NAS-IP-Address = 137.118.48.15

NAS-Port = 0

Called-Station-Id = "0E-18-0A-22-1A-C6:nns_auth_test"

Calling-Station-Id = "60-67-20-C1-7C-D4"

Framed-MTU = 1400

NAS-Port-Type = Wireless-IEEE-802-11

Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = <2><8><0>/<25><128><0><0><0>%<21><3><1><0>
<217><246><250><211><137>$<190>{<143><7><158><149><158><155>=<179>*<209><29><17><139><243><148><128><227><227><158>2rU<215>U

Message-Authenticator =
<27><195><137><167>,Y<128><238><218><248><179>Q<246><13><223><4>


Wed Feb 19 10:59:58 2014: DEBUG: Handling request with Handler 'Realm="
neonova.net", NAS-Port-Type = Wireless-IEEE-802-11', Identifier ''

Wed Feb 19 10:59:58 2014: DEBUG: internal Deleting session for
testuser at neonova.net, 137.118.48.15, 0

Wed Feb 19 10:59:58 2014: DEBUG: Handling with Radius::AuthMassGeneric:

Wed Feb 19 10:59:58 2014: DEBUG: Handling with EAP: code 2, 8, 47, 25

Wed Feb 19 10:59:58 2014: DEBUG: Response type 25

Wed Feb 19 10:59:58 2014: ERR: EAP PEAP TLS read failed:  13601: 1 -
error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied


Wed Feb 19 10:59:58 2014: DEBUG: EAP result: 1, EAP PEAP TLS read failed

Wed Feb 19 10:59:58 2014: DEBUG: AuthBy MassGeneric result: REJECT, EAP
PEAP TLS read failed

Wed Feb 19 10:59:58 2014: INFO: Access rejected for testuser at neonova.net:
EAP PEAP TLS read failed

Wed Feb 19 10:59:58 2014: DEBUG: Packet dump:

*** Sending to 137.118.48.15 port 32786 ....

Code:       Access-Reject

Identifier: 190

Authentic:  Qwi5r_<3><228><150><237><224>T@<17><6><191>

Attributes:

Reply-Message = "Request Denied"


------------------------------------------------ End failure log -------------------------------------


I'm at a loss to explain what's happening with the TLS read failure when
coming from a client.

Thanks,
Jeff Smith
Network Engineer
Neonova Network Services
(919) 460-3330
doc at neonova.net
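
Added example, not part of the original post: a Python sketch that decodes the OpenSSL error code from the failure log and walks the TLS records inside an EAP-Message written in the `<n>` byte notation these dumps use. The sample message is constructed to mirror the header fields of the client's last Access-Request, with 32 bytes of filler as the encrypted body; the `<n>` decoding rule is inferred from the dumps above and all function names are this example's own.

```python
import re
import struct

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are TLS alerts received from the peer

TLS_ALERTS = {
    0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                     23: "application_data"}

# Log line quoted from the failure log on this page.
SAMPLE_LOG_LINE = ("ERR: EAP PEAP TLS read failed:  13601: 1 - "
                   "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")

# Constructed sample: EAP-Response id 8, type 25 (PEAP), L flag set, one TLS 1.0
# alert record of 32 bytes. The 32 x <170> body is filler, not captured data.
SAMPLE_DUMP = "<2><8><0>/<25><128><0><0><0>%<21><3><1><0> " + "<170>" * 32


def decode_openssl_error(log_line):
    """Split the 8-hex-digit OpenSSL code in a log line into lib/func/reason."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", log_line)
    if not m:
        raise ValueError("no OpenSSL error code in line")
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason > SSL_AD_REASON_OFFSET else None
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "peer_alert": alert,  # None means the error was raised locally
        "peer_alert_name": TLS_ALERTS.get(alert),
    }


def unescape_dump(text):
    """Turn '<2><8><0>/...' back into bytes: <n> is a decimal byte, the rest is literal."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"<(\d{1,3})>", text):
        value = int(m.group(1))
        if value > 255:  # not a byte escape, keep it as literal text
            continue
        out += text[pos:m.start()].encode("latin-1")
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_eap_tls(eap):
    """Parse one unfragmented EAP-TLS/PEAP/TTLS packet and list its TLS records."""
    if len(eap) < 6:
        raise ValueError("too short for an EAP-TLS style packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if length > len(eap):
        raise ValueError("EAP length field exceeds the data supplied")
    flags = eap[5]
    offset, tls_len = 6, None
    if flags & 0x80:  # L flag: a 4-byte total TLS message length follows
        if length < 10:
            raise ValueError("L flag set but no length field")
        tls_len = struct.unpack("!I", eap[6:10])[0]
        offset = 10
    data = eap[offset:length]
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, version, rlen = struct.unpack("!BHH", data[i:i + 5])
        records.append({
            "type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": "%d.%d" % (version >> 8, version & 0xFF),
            "length": rlen,
            "complete": i + 5 + rlen <= len(data),  # False if split across fragments
        })
        i += 5 + rlen
    return {"code": code, "id": ident, "length": length, "type": eap_type,
            "more_fragments": bool(flags & 0x40), "tls_length": tls_len,
            "records": records}


if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE_LOG_LINE))
    print(parse_eap_tls(unescape_dump(SAMPLE_DUMP)))
```

A reason above 1000 is an alert received from the peer, so in this log the supplicant ended the handshake and Radiator only reported it.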