[RADIATOR] duplicate EAP Responses

David Zych dmrz at illinois.edu
Wed Nov 18 19:08:43 CST 2015


Suppose we're using PEAP or TTLS, and are in the middle of sending the certificate chain (which is quite large and therefore requires fragmentation into several messages).  We've just received a RADIUS Access-Request containing EAP Response with Id=5, and sent back a chunk of bytes in an EAP Request with Id=6.

Now we receive a different RADIUS Access-Request (new Authenticator, so *not* a duplicate RADIUS packet) containing another copy of the same EAP Response with Id=5.

What should Radiator do in this situation?

Note: I'm not 100% confident that it's legitimate for us to receive such duplicate EAP Responses, but I _think_ it is; rfc3748#section-4.1 indicates that the NAS is allowed to retransmit an EAP Request, and so with just the right timing it seems plausible for the NAS to receive (and appropriately send on to Radiator) a second EAP Response Id=5 before it has received our new EAP Request Id=6.

Anyway, it seems to me that our best approach would be to remember the EAP Request Id=6 which we previously sent in reply to EAP Response Id=5, and retransmit that *same* EAP Request Id=6 when we get EAP Response Id=5 again.  My confidence is somewhat bolstered by rfc3579#section-2.2 which suggests more or less this course of action in the slightly different scenario of dealing with an invalid packet.

What Radiator 4.15 does right now AFAICT is to send back another EAP Request Id=6, but containing a _new_ chunk of the certificate bytes (not the same chunk as before), because the call to sendPending in EAP_21.pm / EAP_25.pm doesn't notice that the EAP identifier is the same as last time.  This behavior isn't at all helpful, because no matter which EAP Request Id=6 actually makes it to the peer, the peer will definitely not end up with the full set of bytes needed to reassemble the fragmented data.  The end result I've observed is that eventually Radiator believes it has sent all the bytes, but the peer is still waiting for more bytes, so the peer sends another "acknowledgement" EAP Response to which Radiator deliberately does not reply (logging "EAP TTLS Nothing to read or write" or "EAP PEAP Nothing to read or write" at DEBUG level).  After that we have to give up and start the authentication all over.

Side note regarding the code branch of EAP_21 and EAP_25 which generates that "Nothing to read or write" message: even if a peer is behaving weirdly, is it really ever a good idea to deliberately not reply to an EAP Response?  The NAS is still waiting for a RADIUS reply, and not sending one gives the impression that Radiator simply dropped the RADIUS Access-Request (which is precisely the symptom that led me down this rabbit hole).

And finally, tangential question #3: is EAPTTLS_NoAckRequired still useful/necessary in practice today?  I inherited a Radiator configuration written years ago which included this, and never thought to change it, but it seems to create an extra code condition under which we might end up IGNOREing a RADIUS Access-Request.

Thanks,
David

P.S.  Here's a trace logging snippet (User-Name replaced by XXX) showing the status quo behavior for PEAP.  Two different RADIUS Access-Requests with the same EAP Response (Id=5), two Access-Challenges with different EAP Requests (both Id=6) containing different fragments of my certificate chain.  Then we receive Response 6 and reply with Request 7 (the final chunk), and when we receive Response 7 we IGNORE it.

Note that I have a front-end instance using FarmSize and HASHBALANCE (which also adds all the "X-*" attributes); this is the trace log for the _middle_ layer Radiator process which actually handles EAP-PEAP (that's why we're communicating with 127.0.0.1 instead of directly with the NAS).


Tue Nov 17 10:51:44 2015 123831: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50229 ....

Packet length = 254
...
Code:       Access-Request
Identifier: 83
Authentic:  D<1><237>0sd!<134><149><205><226>;<184>+<229><254>
Attributes:
        User-Name = "XXX"
        NAS-IP-Address = 172.21.128.215
        NAS-Port = 2295
        Called-Station-Id = "00-90-0B-2E-CC-33:832i-IllinoisNet"
        Calling-Station-Id = "00-21-6A-24-C6-04"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT Unknown radio"
        Chargeable-User-Identity = ""
        EAP-Message = <2><5><0><6><25><0>
        Message-Authenticator = <8>T<170>,lJo<177><217><236>?9<195>a<143><148>
        X-CLIENT_MAC = "00216a24c604"
        X-SSID = "832i-IllinoisNet"
        X-Client-Identifier = "wireless"
        X-Client-IP = "172.21.128.215"
        X-Timestamp = 1447779100
        X-RecvFromPort = 44969
        X-Id = 247
        X-Proxy-Timestamp = 1447779100
        X-Proxy-Timeout = 30

Tue Nov 17 10:51:44 2015 125409: DEBUG: Handling request with Handler 'X-Client-Identifier=wireless, Request-Type=Access-Request', Identifier 'wireless'
Tue Nov 17 10:51:44 2015 126236: DEBUG:  Deleting session for XXX, 172.21.128.215, 2295
Tue Nov 17 10:51:44 2015 126931: DEBUG: Handling with Radius::AuthFILE: wireless-mac_block
Tue Nov 17 10:51:44 2015 128106: DEBUG: Radius::AuthFILE looks for match with 00216a24c604 [XXX]
Tue Nov 17 10:51:44 2015 128388: DEBUG: Radius::AuthFILE REJECT: No such user: 00216a24c604 [XXX]
Tue Nov 17 10:51:44 2015 128723: DEBUG: AuthBy FILE result: ACCEPT, No such user
Tue Nov 17 10:51:44 2015 129358: DEBUG: Handling with Radius::AuthFILE: wireless-eapOuter
Tue Nov 17 10:51:44 2015 130572: DEBUG: Handling with EAP: code 2, 5, 6, 25
Tue Nov 17 10:51:44 2015 130894: DEBUG: Response type 25
Tue Nov 17 10:51:44 2015 131500: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Nov 17 10:51:44 2015 132104: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Tue Nov 17 10:51:44 2015 132479: DEBUG: Setting request attribute: inner_identity = 'XXX'
Tue Nov 17 10:51:44 2015 132765: DEBUG: @{$context->{start_time}} is 1447779089.13861
Tue Nov 17 10:51:44 2015 133084: DEBUG: Access challenged for XXX: EAP PEAP Challenge
Tue Nov 17 10:51:44 2015 134421: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50229 ....

Packet length = 1052
...
Code:       Access-Challenge
Identifier: 83
Authentic:  <171><157><215>x<196><131>6<222>0<162><166><1>'<174><176>!
Attributes:
        EAP-Message = <1><6><3><238><25>@}<149><235>-<141><162><169>M<179><156><231><243><25>6<187><167><241>|<230><8><30>a'Dz<150><244><168>4<219><226>B<200><165><219>7<213><181><231><228>Br?<180><19><207><139><7>$E<30><140><145><131>F<185><9><166><252><24><163><6><2><236>4<141>2f<149>'<234><225><151><232><219>5<163>+V<235>W<232><240><16>Y<223>mp<12>fj<208>d<229><168><163><152>1<173><29>b<213><250><146><227><154>C<205>-5<251><217><158>3[E}<196><134>(,f<18><200><219><15><25>0<13>?<233><240><234>J^@<7><199><246> zSx<129>dz~Ej<22>o<244><147>X<201>b<251>)'}<161><127>!<206><231>OG<214><138>V<224><227>f<248><236><221><137><220>&<140><25>h;<141><139><226><251>G#<11><127>7<2><3><1><0><1><163><130><1>n0<130><1>j0<31><6><3>U<29>#<4><24>0<22><128><20>Sy<191>Z<170>+J<207>T<128><225><216><155><192><157><242><178><3>f<203>0<29><6><3>U<29><14><4><22>
        EAP-Message = <4><20><30><5><163>w<143>l<150><226>[<135>K<166><180><134><172>q<0><12><231>80<14><6><3>U<29><15><1><1><255><4><4><3><2><1><134>0<18><6><3>U<29><19><1><1><255><4><8>0<6><1><1><255><2><1><0>0<29><6><3>U<29>%<4><22>0<20><6><8>+<6><1><5><5><7><3><1><6><8>+<6><1><5><5><7><3><2>0<27><6><3>U<29> <4><20>0<18>0<6><6><4>U<29> <0>0<8><6><6>g<129><12><1><2><2>0P<6><3>U<29><31><4>I0G0E<160>C<160>A<134>?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v<6><8>+<6><1><5><5><7><1><1><4>j0h0?<6><8>+<6><1><5><5><7>0<2><134>3http://crt.usertrust.co
        EAP-Message = m/USERTrustRSAAddTrustCA.crt0%<6><8>+<6><1><5><5><7>0<1><134><25>http://ocsp.usertrust.com0<13><6><9>*<134>H<134><247><13><1><1><12><5><0><3><130><2><1><0>-<17><6>8<214><219><215>Xh<175><170>8g<23><141><226><19><215><163><20>$<217><6><19><235><235><145>/<223>Og-<200><211><20><215>VeR<158>n<31><152><8><142><154>H<27><193><139>Y<154><163>W<155><219><134><248>Y@<252><25><176>u<17>*<194><18>6<186><142>r<138><6>N'<183><141>X<20><209>o<180><249>h<252><152><221><164><156>%@6<222><189><23>f+<3><127>x<129><177><128>t<158>_:<180>&/jH<132>64<142><167>(<239><135><243>a<231><219>g<245>R<219><215><209><230>0q<187><139><163><212><255><185>d<137><158><155><129><155><143>W<184>dL<213><6><25><142><231><145><133>|<24><209><137><216><246><234><29>
        EAP-Message = h<20><17><217><238><23><131><31>Pc<207><14><246><134>*n<227><177><164><201><250><246>4Lw*<128><134>0<176><163><220><27>q<236><4><167><228><152><188><22><133>><132>&<179><192><229>5U~y<152><163><212><212><141><182><231>B<232>D <18>7_<9><201><251><3><228><245>et<150><237><202><185><179><246><9><255>L<166><209>]:<252><209>M<170><228><152>r<190>8K<127><137>N&<143><212><204><190>V<9>q<3>Jl<163><226>5<134><221><30><217><241>1<3><247><19>M<11><17><129>1y<204>z<215><190><220><251><243>v<27>,<189><179><145><15><0>Y<7>* C<220>K<216><181><25><20><143><226>z<132>)<209>C?/<204><223>?<157><187><189>h<196><206><224><205><231><28>12xb<250><240><147><162><30><201><215><159>h<229><168>v<246>c<254>h<153><239><186>6<215><18>q<154><158><179>q<31>;<190><0>c<158>=_!<194><177><134><27><184>N!<195><195>C<9>.c<12><205><255><20><246><246>"<233><253><202><159><245><152>D<182>A<156>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

...

Tue Nov 17 10:51:47 2015 364825: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 37690 ....

Packet length = 254
...
Code:       Access-Request
Identifier: 126
Authentic:  <245>*<19>Z<206><233>X<29><195>Q<217><11><185><242>:<144>
Attributes:
        User-Name = "XXX"
        NAS-IP-Address = 172.21.128.215
        NAS-Port = 2295
        Called-Station-Id = "00-90-0B-2E-CC-33:832i-IllinoisNet"
        Calling-Station-Id = "00-21-6A-24-C6-04"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT Unknown radio"
        Chargeable-User-Identity = ""
        EAP-Message = <2><5><0><6><25><0>
        Message-Authenticator = }<21><221><160>c<209><181><3><227>#<201>c<184><202><182><27>
        X-CLIENT_MAC = "00216a24c604"
        X-SSID = "832i-IllinoisNet"
        X-Client-Identifier = "wireless"
        X-Client-IP = "172.21.128.215"
        X-Timestamp = 1447779104
        X-RecvFromPort = 44969
        X-Id = 110
        X-Proxy-Timestamp = 1447779104
        X-Proxy-Timeout = 30

Tue Nov 17 10:51:47 2015 365572: DEBUG: Handling request with Handler 'X-Client-Identifier=wireless, Request-Type=Access-Request', Identifier 'wireless'
Tue Nov 17 10:51:47 2015 365911: DEBUG:  Deleting session for XXX, 172.21.128.215, 2295
Tue Nov 17 10:51:47 2015 374242: DEBUG: Handling with Radius::AuthFILE: wireless-mac_block
Tue Nov 17 10:51:47 2015 374586: DEBUG: Radius::AuthFILE looks for match with 00216a24c604 [XXX]
Tue Nov 17 10:51:47 2015 374842: DEBUG: Radius::AuthFILE REJECT: No such user: 00216a24c604 [XXX]
Tue Nov 17 10:51:47 2015 375146: DEBUG: AuthBy FILE result: ACCEPT, No such user
Tue Nov 17 10:51:47 2015 375398: DEBUG: Handling with Radius::AuthFILE: wireless-eapOuter
Tue Nov 17 10:51:47 2015 375737: DEBUG: Handling with EAP: code 2, 5, 6, 25
Tue Nov 17 10:51:47 2015 375996: DEBUG: Response type 25
Tue Nov 17 10:51:47 2015 376352: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Nov 17 10:51:47 2015 376618: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Tue Nov 17 10:51:47 2015 376875: DEBUG: Setting request attribute: inner_identity = 'XXX'
Tue Nov 17 10:51:47 2015 377127: DEBUG: @{$context->{start_time}} is 1447779089.13861
Tue Nov 17 10:51:47 2015 377420: DEBUG: Access challenged for XXX: EAP PEAP Challenge
Tue Nov 17 10:51:47 2015 386691: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 37690 ....

Packet length = 1052
...
Code:       Access-Challenge
Identifier: 126
Authentic:  QP<230>gR71x<26>6-<0>/<146><206>(
Attributes:
        EAP-Message = <1><6><3><238><25>@A<194><8><152>}<219><160><159>"~<192><167>I<187><180><24><31>K<211><166>*<135><185>\<202><242><131>L@<3><178>R<26>y!<8>7<24>N<217><141>_<153><198><5>_<241>j<174><186>uZxG::e^<229><196><208><227><218><210><235>Z(-<185><2><153>`<162>o</f|<152>E<156><201><250><1><239>2<142>|><249><244><3>{$<166>V<9><140>$<0><5>{0<130><5>w0<130><4>_<160><3><2><1><2><2><16><19><234>(p[<244><236><237><12>6c<9><128>aC60<13><6><9>*<134>H<134><247><13><1><1><12><5><0>0o1<11>0<9><6><3>U<4><6><19><2>SE1<20>0<18><6><3>U<4><10><19><11>AddTrust AB1&0$<6><3>U<4><11><19><29>AddTrust External TTP Network1"0 <6><3>U<4><3><19><25>AddTrust Ex
        EAP-Message = ternal CA Root0<30><23><13>000530104838Z<23><13>200530104838Z0<129><136>1<11>0<9><6><3>U<4><6><19><2>US1<19>0<17><6><3>U<4><8><19><10>New Jersey1<20>0<18><6><3>U<4><7><19><11>Jersey City1<30>0<28><6><3>U<4><10><19><21>The USERTRUST Network1.0,<6><3>U<4><3><19>%USERTrust RSA Certification Authority0<130><2>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><2><15><0>0<130><2><10><2><130><2><1><0><128><18>e<23>6<14><195><219><8><179><208><172>W<13>v<237><205>'<211>L<173>P<131>a<226><170> M<9>-d<9><220><206><137>
        EAP-Message = <159><204>=<169><236><246><207><193><220><241><211><177><214>{7(<17>+G<218>9<198><188>:<25><180>_<166><189>}<157><163>cB<182>v<242><169>;+<145><248><226>o<208><236><22> <144><9>><226><232>t<201><24><180><145><212>bd<219><127><163><6><241><136><24>j<144>"<<188><254><19><240><135><20>{<246><228><31><142><212><228>Q<198><17>gF<8>Q<203><134><20>T?<188>3<254>~l<156><255><22><157><24><189>Q<142>5<166><167>f<200>rg<219>!f<177><212><155>x<3><192>P:<232><204><240><220><188><158>L<254><175><5><150>5<31>WZ<183><255><206><249>=<183>,<182><246>T<221><200><231><18>:M<174>L<138><183>\<154><180><183> =<202><127>"4<174>~;hf<1>D<231><1>NFS<155>3`<247><148><190>S7<144>sC<243>2<195>S<239><219><170><254>tNi<199>k<140>`<147><222><196><199><12><223><225>2<174><204><147>;Qx<149>g<139><238>=V<254><12><208>i<15><27><15><243>%&k3m<247>nG<250>sC<229>~<14>
        EAP-Message = <165>f<177>)|2<132>cU<137><196><13><193><147>T0<25><19><172><211>}7<167><235>]:l5\<219>A<215><18><218><169>I<11><223><216><128><138><9><147>b<142><181>f<207>%<136><205><132><184><177>?<164>9<15><217><2><158><235><18>L<149>|<243>k<5><169>^<22><131><204><184>g<226><232><19><157><204>[<130><211>L<179><237>[<255><222><229>s<172>#;-<0><191>5Ut<9>I<216>IX<26><127><146>6<230>Q<146><14><243>&}<28>M<23><188><201><236>C&<208><191>A_@<169>DD<244><153><231>W<135><158>P<31>WT<168>><253>tc/<177>Pe<9><230>XB.C<26>L<180><240>%GY<250><4><30><147><212>&FJP<129><178><222><190>x<183><252>g<21><225><201>W<132><30><15>c<214><233>b<186><214>_U.<234>\<198>(<8><4>%9<184><14>+<169><242>L<151><28><7>?<13>R<245><237><239>/<130><15><2><3><1><0><1><163><129><244>0<129><241>0<31><6><3>U<29>#<4><24>0<22><128>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

...

Tue Nov 17 10:51:51 2015 254737: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50229 ....

Packet length = 254
...
Code:       Access-Request
Identifier: 81
Authentic:  1<163><186><187>'<196>Jhqq<241><241>`s<160><169>
Attributes:
        User-Name = "XXX"
        NAS-IP-Address = 172.21.128.215
        NAS-Port = 2295
        Called-Station-Id = "00-90-0B-2E-CC-33:832i-IllinoisNet"
        Calling-Station-Id = "00-21-6A-24-C6-04"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT Unknown radio"
        Chargeable-User-Identity = ""
        EAP-Message = <2><6><0><6><25><0>
        Message-Authenticator = <171>'<158>&<182><149><200>U<163><23><138><244><155><202>R<146>
        X-CLIENT_MAC = "00216a24c604"
        X-SSID = "832i-IllinoisNet"
        X-Client-Identifier = "wireless"
        X-Client-IP = "172.21.128.215"
        X-Timestamp = 1447779107
        X-RecvFromPort = 44969
        X-Id = 252
        X-Proxy-Timestamp = 1447779107
        X-Proxy-Timeout = 30

Tue Nov 17 10:51:51 2015 256740: DEBUG: Handling request with Handler 'X-Client-Identifier=wireless, Request-Type=Access-Request', Identifier 'wireless'
Tue Nov 17 10:51:51 2015 257473: DEBUG:  Deleting session for XXX, 172.21.128.215, 2295
Tue Nov 17 10:51:51 2015 258120: DEBUG: Handling with Radius::AuthFILE: wireless-mac_block
Tue Nov 17 10:51:51 2015 258908: DEBUG: Radius::AuthFILE looks for match with 00216a24c604 [XXX]
Tue Nov 17 10:51:51 2015 259506: DEBUG: Radius::AuthFILE REJECT: No such user: 00216a24c604 [XXX]
Tue Nov 17 10:51:51 2015 260302: DEBUG: AuthBy FILE result: ACCEPT, No such user
Tue Nov 17 10:51:51 2015 260793: DEBUG: Handling with Radius::AuthFILE: wireless-eapOuter
Tue Nov 17 10:51:51 2015 261497: DEBUG: Handling with EAP: code 2, 6, 6, 25
Tue Nov 17 10:51:51 2015 262617: DEBUG: Response type 25
Tue Nov 17 10:51:51 2015 262995: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Nov 17 10:51:51 2015 263695: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Tue Nov 17 10:51:51 2015 264333: DEBUG: Setting request attribute: inner_identity = 'XXX'
Tue Nov 17 10:51:51 2015 265090: DEBUG: @{$context->{start_time}} is 1447779089.13861
Tue Nov 17 10:51:51 2015 265657: DEBUG: Access challenged for XXX: EAP PEAP Challenge
Tue Nov 17 10:51:51 2015 267441: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50229 ....

Packet length = 564
...
Code:       Access-Challenge
Identifier: 81
Authentic:  <178><147><169><2><237><11>*<162><139><134><217>{A<183>6<194>
Attributes:
        EAP-Message = <1><7><2><8><25><0><20><173><189><152>z4<180>&<247><250><196>&T<239><3><189><224>$<203>T<26>0<29><6><3>U<29><14><4><22><4><20>Sy<191>Z<170>+J<207>T<128><225><216><155><192><157><242><178><3>f<203>0<14><6><3>U<29><15><1><1><255><4><4><3><2><1><134>0<15><6><3>U<29><19><1><1><255><4><5>0<3><1><1><255>0<17><6><3>U<29> <4><10>0<8>0<6><6><4>U<29> <0>0D<6><3>U<29><31><4>=0;09<160>7<160>5<134>3http://crl.usertrust.com/AddTrustExternalCARoot.crl05<6><8>+<6><1><5><5><7><1><1><4>)0'0%<6><8>+<6><1><5><5><7>0<1><134><25>http://ocsp.usertrust.com0<13><6><9>*<134>H<134><247><13><1><1><12><5><0><3><130><1>
        EAP-Message = <1><0><147>e<246>7<131><149><15>^<195><130><28><31><214>w<231><<138><192><170><9><240><233><11>&<241><224><194>ju<161><199>y<201><185>R`<200>)<18><14><240><173><3><214><9><196>v<223><229><166><129><149><167>F<218><130>W<169><149><146><197><182><143><3>"l3w<193>{2<23>n<7><206>Z<20>A:<5>$<27><246><20><6>;<168>%$<14><187><204>*u<221><185>pA?|<208>c6!<7><31>F<255>`<164><145><225>g<188><222><31>~<25><20><201>cg<145><234>g<7>k<180><143><139><192>nC}<195><161><128>l<178><30><188>S<133>}<220><144><161><164><188>-<239>FrW5<5><191><187>F<187>nm7<153><182><255>#<146><145><198>n@<248><143>)V<234>_<213>_<20>S<172><240>Oa<234><247>"<204><167>V<11><226><184>4<31>&<217>{<25><5>h?<186><<212>8<6><162><211><230><143><14><227><180>qm at B<197><132><180>@<149>+<244>e<160>Hy<246><29><129>c<150><157>Ou<224><248>|<228><142><169><209><242><173><138><179><140>
        EAP-Message = <199>!<205><194><239><22><3><1><0><4><14><0><0><0>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

...

Tue Nov 17 10:51:55 2015 381241: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 37690 ....

Packet length = 254
...
Code:       Access-Request
Identifier: 133
Authentic:  <203>y<198><15>{e<19><196>kB<232>$#~<148><138>
Attributes:
        User-Name = "XXX"
        NAS-IP-Address = 172.21.128.215
        NAS-Port = 2295
        Called-Station-Id = "00-90-0B-2E-CC-33:832i-IllinoisNet"
        Calling-Station-Id = "00-21-6A-24-C6-04"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT Unknown radio"
        Chargeable-User-Identity = ""
        EAP-Message = <2><7><0><6><25><0>
        Message-Authenticator = <247>d<153><9><136><162>K<129>O<233><173><155><167><134>#<158>
        X-CLIENT_MAC = "00216a24c604"
        X-SSID = "832i-IllinoisNet"
        X-Client-Identifier = "wireless"
        X-Client-IP = "172.21.128.215"
        X-Timestamp = 1447779111
        X-RecvFromPort = 44969
        X-Id = 142
        X-Proxy-Timestamp = 1447779111
        X-Proxy-Timeout = 30

Tue Nov 17 10:51:55 2015 382396: DEBUG: Handling request with Handler 'X-Client-Identifier=wireless, Request-Type=Access-Request', Identifier 'wireless'
Tue Nov 17 10:51:55 2015 384492: DEBUG:  Deleting session for XXX, 172.21.128.215, 2295
Tue Nov 17 10:51:55 2015 384803: DEBUG: Handling with Radius::AuthFILE: wireless-mac_block
Tue Nov 17 10:51:55 2015 385151: DEBUG: Radius::AuthFILE looks for match with 00216a24c604 [XXX]
Tue Nov 17 10:51:55 2015 385783: DEBUG: Radius::AuthFILE REJECT: No such user: 00216a24c604 [XXX]
Tue Nov 17 10:51:55 2015 386108: DEBUG: AuthBy FILE result: ACCEPT, No such user
Tue Nov 17 10:51:55 2015 386830: DEBUG: Handling with Radius::AuthFILE: wireless-eapOuter
Tue Nov 17 10:51:55 2015 390230: DEBUG: Handling with EAP: code 2, 7, 6, 25
Tue Nov 17 10:51:55 2015 391290: DEBUG: Response type 25
Tue Nov 17 10:51:55 2015 392116: DEBUG: EAP result: 2, EAP PEAP Nothing to read or write
Tue Nov 17 10:51:55 2015 392412: DEBUG: AuthBy FILE result: IGNORE, EAP PEAP Nothing to read or write
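
The retransmission approach proposed in the message above, as an added example that is not part of the original post and is not Radiator code: a simplified fragment sender that either advances on every EAP Response (the behaviour the trace shows) or caches its last EAP Request and resends it when the same Response Id arrives again. `FragmentSender`, `simulate` and the sample bytes are hypothetical; the model assumes the server increments the Identifier for each new Request and that the peer discards a Request whose Id it has already processed (rfc3748#section-4.1), and it omits the TLS length and more-fragments flags.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class FragmentSender:
    """Server side of a fragmented EAP-TLS style send (illustrative model only)."""
    data: bytes                      # handshake bytes still to deliver, e.g. the cert chain
    frag_size: int
    cache_last: bool = True          # False reproduces the behaviour described in the post
    offset: int = 0
    last_resp_id: Optional[int] = None
    last_request: Optional[Tuple[int, bytes]] = None

    def handle_response(self, resp_id: int) -> Optional[Tuple[int, bytes]]:
        """Return (request_id, fragment) for an EAP Response, or None if nothing is left."""
        if self.cache_last and resp_id == self.last_resp_id:
            # Duplicate Response: resend the identical Request, do not advance.
            return self.last_request
        if self.offset >= len(self.data):
            return None              # the "Nothing to read or write" situation
        frag = self.data[self.offset:self.offset + self.frag_size]
        self.offset += len(frag)
        self.last_resp_id = resp_id
        # EAP Identifier is one octet, so wrap at 256 (incrementing is an assumption).
        self.last_request = ((resp_id + 1) % 256, frag)
        return self.last_request

def simulate(data: bytes, frag_size: int, response_ids, cache_last: bool):
    """Feed a sequence of Response Ids to the sender; return (peer_bytes, unanswered)."""
    sender = FragmentSender(data, frag_size, cache_last)
    peer_buf = bytearray()
    peer_last_id = None
    unanswered = 0
    for resp_id in response_ids:
        reply = sender.handle_response(resp_id)
        if reply is None:
            unanswered += 1          # the NAS sees no RADIUS reply for this request
            continue
        req_id, frag = reply
        if req_id == peer_last_id:
            continue                 # peer treats a repeated Id as a retransmission
        peer_last_id = req_id
        peer_buf += frag
    return bytes(peer_buf), unanswered

# Constructed sample: 12 bytes split into three 4-byte fragments, and the
# Response Id sequence from the trace (Id=5 arrives twice, then 6, then 7).
SAMPLE = bytes(range(12))
RESPONSES = [5, 5, 6, 7]

if __name__ == "__main__":
    for cache in (False, True):
        got, unanswered = simulate(SAMPLE, 4, RESPONSES, cache)
        print(f"cache_last={cache}: complete={got == SAMPLE} unanswered={unanswered}")
```

Without the cache the peer ends up with the first and third fragments only and the last Response goes unanswered, matching the trace; with the cache the duplicate Response Id=5 costs one resend and the data arrives intact.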


