Hi Hugh,

I have tried using "AuthByPolicy ContinueUntilAccept" but it does not seem to work as expected. I attached the following.

1) config file without secrets
2) trace 4 file called ttls_hangs.txt that shows that instead of executing "AuthBy CheckFILEthenPAM" Radiator moves on to "AuthBy ForwardToIAS" and results in hanging, when an eap-ttls authentication request is received.
3) trace 4 file called ttls_pam_success.txt that shows eap-ttls successful authentication when "AuthByPolicy ContinueUntilAccept" and "AuthBy ForwardToIAS" are commented out.

Also, the strange thing is that when I use "AuthByPolicy ContinueUntilAccept" peap-mschapv2 authentication also fails. It just keeps on sending proxy packets without any authentication. Again, if I comment out "AuthByPolicy ContinueUntilAccept" and "AuthBy CheckFILEthenPAM" then it succeeds.

I am wondering if the failure of "AuthByPolicy" may have something to do with the handler "Handler TunnelledByTTLS=1" using the actual pam authentication "AuthBy CheckPAM-EAP-TTLS" which is not part of "AuthByPolicy".

Regards,
Ken Kawakubo

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 6:12 PM
To: Kawakubo, Ken
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) How to differentiate PEAP-EAP-CHAPV2 and EAP-TTLS radius packets

Hello Ken -

On thinking about this a bit more, you should be able to do what you need like this (note the AuthBy RADIUS must be last):

# define AuthBy clauses

<AuthBy PAM>
        Identifier CheckPAM
        .....
</AuthBy>

<AuthBy RADIUS>
        Identifier ForwardToIAS
        .....
</AuthBy>

.....

# define Realms or Handlers

<Handler ...>
        AuthByPolicy ContinueUntilAccept
        AuthBy CheckPAM
        AuthBy ForwardToIAS
        ....
</Handler>

Note that the AuthBy RADIUS clause operates asynchronously, so it must be last in any list of AuthBy clauses.

regards

Hugh

On Thursday, Mar 20, 2003, at 11:11 Australia/Melbourne, Kawakubo, Ken wrote:

> All,
>
> I would like Radiator to do the following.
>
> When Radiator gets PEAP-EAP-CHAPv2 radius packets, Radiator proxies to IAS
> on Windows 2003 server. When Radiator gets EAP-TTLS-PAP packets, Radiator
> authenticates via AuthBy PAM using pam_smb. I have to do this setup because
> we need to authenticate against NTLM. I can do NTLM authentication with
> EAP-TTLS since I can use plaintext PAP, but I cannot do NTLM authentication
> with PEAP-EAP-CHAPv2 since it uses encrypted passwords.
>
> I got working both Radius proxy with PEAP-EAP-CHAPv2 and AuthBy PAM with
> EAP-TTLS-PAP separately. But when I try to combine both packets together, I
> am not getting it to work. Either one or the other fails authentication. I
> have tried using AuthByPolicy and list both AuthBy clauses but it does not
> seem to work.
>
> I am wondering if there is a way to check radius packets beforehand and send
> them to the appropriate AuthBy clause. The first request packet uses code 1
> instead of 25 (PEAP) or 21 (EAP-TTLS) and it seems to make it difficult to
> differentiate.
>
> I appreciate any help. Thank you.
>
> Ken Kawakubo
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.

<AuthBy FILE>
        Filename /etc/radiator/users
        Identifier CheckFILEthenPAM
        EAPType TTLS
        EAPTLS_CAFile /usr/share/ssl/misc/demoCA/cacert.pem
        EAPTLS_CertificateFile /usr/share/ssl/misc/rad-lu.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/share/ssl/misc/rad-lu.pem
        EAPTLS_PrivateKeyPassword everwhat
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        SSLeayTrace 4
</AuthBy>

<AuthBy RADIUS>
        Identifier ForwardToIAS
        Host 140.107.50.89
        Secret xxxxxx
        EAPType PEAP
        EAPTLS_CAFile /usr/share/ssl/misc/demoCA/cacert.pem
        EAPTLS_CertificateFile /usr/share/ssl/misc/rad-lu.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/share/ssl/misc/rad-lu.pem
        EAPTLS_PrivateKeyPassword everwhat
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        SSLeayTrace 4
</AuthBy>

<AuthBy PAM>
        Identifier CheckPAM-EAP-TTLS
        Service radiator
        EAPType MSCHAP-V2,TTLS,MD5,TLS
        EAPTLS_CAFile /usr/share/ssl/misc/demoCA/cacert.pem
        EAPTLS_CertificateFile /usr/share/ssl/misc/rad-lu.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/share/ssl/misc/rad-lu.pem
        EAPTLS_PrivateKeyPassword everwhat
        EAPTLS_MaxFragmentSize 500
</AuthBy>

<Handler TunnelledByTTLS=1>
        AuthBy CheckPAM-EAP-TTLS
</Handler>

<Handler>
        AuthByPolicy ContinueUntilAccept
        AuthBy CheckFILEthenPAM
        AuthBy ForwardToIAS
</Handler>

Thu Mar 20 10:58:08 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 33
Authentic: <12>7|<221><167><181>=<190><251>L<249><234><180><164><143><137>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0002.2d65.c9e3"
        NAS-Port-Type = 19
        Message-Authenticator = <245>iEf<11><239><17><245>b<183><199><<177>I<26><250>
        EAP-Message = <2><3><0><13><1>kkawakub
        NAS-Port-Type = Virtual
        NAS-Port = 81
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 10:58:08 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 10:58:08 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 81
Thu Mar 20 10:58:08 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 10:58:08 2003: DEBUG: Handling with EAP: code 2, 3, 13
Thu Mar 20 10:58:08 2003: DEBUG: Response type 1
Thu Mar 20 10:58:09 2003: DEBUG: Handling with Radius::AuthRADIUS
Thu Mar 20 10:58:09 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.89 port 1645 ....
Code: Access-Request
Identifier: 1
Authentic: <12>7|<221><167><181>=<190><251>L<249><234><180><164><143><137>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0002.2d65.c9e3"
        NAS-Port-Type = 19
        Message-Authenticator = <245>iEf<11><239><17><245>b<183><199><<177>I<26><250>
        EAP-Message = <2><3><0><13><1>kkawakub
        NAS-Port-Type = Virtual
        NAS-Port = 81
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 10:58:09 2003: DEBUG: Packet dump:
*** Received from 140.107.50.89 port 1645 ....
Code: Access-Challenge
Identifier: 1
Authentic: <209><144><218><247>R<147>K<252><2><137><19><243><156><176><142>B
Attributes:
        Session-Timeout = 30
        EAP-Message = <1><4><0><6><25>
        State = "<23><241><3><128><0><0><1>7<0><1><140>k2Y<0><0><0><3>L<131><145>a"
        Message-Authenticator = <133>I&<5><182><185><164><183><240><250>1Qq<177><184><228>
Thu Mar 20 10:58:09 2003: DEBUG: Received reply in AuthRADIUS for req 1 from 140.107.50.89:1645
Thu Mar 20 10:58:09 2003: DEBUG: Access challenged for kkawakub: Proxied
Thu Mar 20 10:58:09 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Identifier: 33
Authentic: <12>7|<221><167><181>=<190><251>L<249><234><180><164><143><137>
Attributes:
        EAP-Message = <1><4><0><6><21>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Session-Timeout = 30
        EAP-Message = <1><4><0><6><25>
        State = "<23><241><3><128><0><0><1>7<0><1><140>k2Y<0><0><0><3>L<131><145>a"
        Message-Authenticator = <133>I&<5><182><185><164><183><240><250>1Qq<177><184><228>
Thu Mar 20 10:58:13 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 33
Authentic: -<157><185><22><137><221>3<242><243>E<252>$n.<25><28>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0002.2d65.c9e3"
        NAS-Port-Type = 19
        Message-Authenticator = <184><185><244><2><233>I<174><182><25>n<7>xF<3><142>u
        EAP-Message = <2><3><0><13><1>kkawakub
        NAS-Port-Type = Virtual
        NAS-Port = 81
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 10:58:14 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 10:58:14 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 81
Thu Mar 20 10:58:14 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 10:58:14 2003: DEBUG: Handling with EAP: code 2, 3, 13
Thu Mar 20 10:58:14 2003: DEBUG: Response type 1
Thu Mar 20 10:58:14 2003: DEBUG: Handling with Radius::AuthRADIUS
Thu Mar 20 10:58:14 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.89 port 1645 ....
Code: Access-Request
Identifier: 2
Authentic: -<157><185><22><137><221>3<242><243>E<252>$n.<25><28>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0002.2d65.c9e3"
        NAS-Port-Type = 19
        Message-Authenticator = <184><185><244><2><233>I<174><182><25>n<7>xF<3><142>u
        EAP-Message = <2><3><0><13><1>kkawakub
        NAS-Port-Type = Virtual
        NAS-Port = 81
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 10:58:14 2003: DEBUG: Packet dump:
*** Received from 140.107.50.89 port 1645 ....
Code: Access-Challenge
Identifier: 2
Authentic: <196>F<2>{<252><228><129><139><140><208><133><185><27>[<253><194>
Attributes:
        Session-Timeout = 30
        EAP-Message = <1><4><0><6><25>
        State = "<23><242><3><129><0><0><1>7<0><1><140>k2Y<0><0><0><3>L<131><145>b"
        Message-Authenticator = <236><14><3><163><130><181><15>^7<217><127>2<247><135>HU
Thu Mar 20 10:58:14 2003: DEBUG: Received reply in AuthRADIUS for req 2 from 140.107.50.89:1645
Thu Mar 20 10:58:14 2003: DEBUG: Access challenged for kkawakub: Proxied
Thu Mar 20 10:58:14 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Identifier: 33
Authentic: -<157><185><22><137><221>3<242><243>E<252>$n.<25><28>
Attributes:
        EAP-Message = <1><4><0><6><21>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Session-Timeout = 30
        EAP-Message = <1><4><0><6><25>
        State = "<23><242><3><129><0><0><1>7<0><1><140>k2Y<0><0><0><3>L<131><145>b"
        Message-Authenticator = <236><14><3><163><130><181><15>^7<217><127>2<247><135>HU

Thu Mar 20 09:24:44 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 197
Authentic: f<201><193>=<211>^<216>W<167>>$<206>Y<227>\<173>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0030.6506.d287"
        NAS-Port-Type = 19
        Message-Authenticator = n<20><237>><173><206><170>tK<206><226>g<239>UH<203>
        EAP-Message = <2><2><0><13><1>kkawakub
        NAS-Port-Type = Virtual
        NAS-Port = 51
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 09:24:44 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 09:24:44 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 51
Thu Mar 20 09:24:44 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 09:24:44 2003: DEBUG: Handling with EAP: code 2, 2, 13
Thu Mar 20 09:24:44 2003: DEBUG: Response type 1
Thu Mar 20 09:24:45 2003: DEBUG: Access challenged for kkawakub: EAP TTLS Challenge
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Identifier: 197
Authentic: f<201><193>=<211>^<216>W<167>>$<206>Y<227>\<173>
Attributes:
        EAP-Message = <1><3><0><6><21>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 198
Authentic: g<208>D<133><173><131>l<13><174><206><186><233><238><194><154>C
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0030.6506.d287"
        NAS-Port-Type = 19
        Message-Authenticator = <29>=r"<8><200><205><208><214>q<165><195><250><198><140><145>
        EAP-Message = [binary TLS data omitted]
        NAS-Port-Type = Virtual
        NAS-Port = 51
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 09:24:45 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 09:24:45 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 51
Thu Mar 20 09:24:45 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 09:24:45 2003: DEBUG: Handling with EAP: code 2, 3, 100
Thu Mar 20 09:24:45 2003: DEBUG: Response type 21
Thu Mar 20 09:24:45 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Mar 20 09:24:45 2003: DEBUG: Access challenged for kkawakub: EAP TTLS Challenge
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Identifier: 198
Authentic: g<208>D<133><173><131>l<13><174><206><186><233><238><194><154>C
Attributes:
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 199
Authentic: \I<174><249><2><226>5:s<192><143><254>{<245><203><142>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0030.6506.d287"
        NAS-Port-Type = 19
        Message-Authenticator = HD<1>l<214>\F<251>JMK(2U<1><240>
        EAP-Message = <2><4><0><6><21><0>
        NAS-Port-Type = Virtual
        NAS-Port = 51
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 09:24:45 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 09:24:45 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 51
Thu Mar 20 09:24:45 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 09:24:45 2003: DEBUG: Handling with EAP: code 2, 4, 6
Thu Mar 20 09:24:45 2003: DEBUG: Response type 21
Thu Mar 20 09:24:45 2003: DEBUG: Access challenged for kkawakub: EAP TTLS Challenge
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Identifier: 199
Authentic: \I<174><249><2><226>5:s<192><143><254>{<245><203><142>
Attributes:
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        EAP-Message = [binary TLS data omitted]
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 200
Authentic: <176><177>Mt0v<9><246><174>2a6<215><161><158><204>
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0030.6506.d287"
        NAS-Port-Type = 19
        Message-Authenticator = P<7><154><6><177>L<14><18><141><193><185>b<171>{<178>P
        EAP-Message = [binary TLS data omitted]
        NAS-Port-Type = Virtual
        NAS-Port = 51
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 09:24:45 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 09:24:45 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 51
Thu Mar 20 09:24:45 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 09:24:45 2003: DEBUG: Handling with EAP: code 2, 5, 212
Thu Mar 20 09:24:45 2003: DEBUG: Response type 21
Thu Mar 20 09:24:45 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Thu Mar 20 09:24:45 2003: DEBUG: Access challenged for kkawakub: EAP TTLS Challenge
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Identifier: 200
Authentic: <176><177>Mt0v<9><246><174>2a6<215><161><158><204>
Attributes:
        EAP-Message = [binary TLS data omitted]
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Identifier: 201
Authentic: <230>T<128><154>v<161><18><233><199>{T<177>uQ8C
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "0030.6506.d287"
        NAS-Port-Type = 19
        Message-Authenticator = +<211><213><9><132><252><215><248>3<245>M |<197><180>c
        EAP-Message = [binary TLS data omitted]
        NAS-Port-Type = Virtual
        NAS-Port = 51
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.90
        NAS-Identifier = "test-eap "
Thu Mar 20 09:24:45 2003: DEBUG: Handling request with Handler ''
Thu Mar 20 09:24:45 2003: DEBUG: Deleting session for kkawakub, 140.107.50.90, 51
Thu Mar 20 09:24:45 2003: DEBUG: Handling with Radius::AuthFILE: CheckFILEthenPAM
Thu Mar 20 09:24:45 2003: DEBUG: Handling with EAP: code 2, 6, 104
Thu Mar 20 09:24:45 2003: DEBUG: Response type 21
Thu Mar 20 09:24:45 2003: DEBUG: EAP TTLS inner authentication request for kkawakub
Thu Mar 20 09:24:45 2003: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <220><248>Z7<179>hT-<145><22>0<229><140><9><0><241>
Attributes:
        User-Name = "kkawakub"
        User-Password = "xxxxxx"
Thu Mar 20 09:24:45 2003: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
Thu Mar 20 09:24:45 2003: DEBUG: Deleting session for , 140.107.50.90,
Thu Mar 20 09:24:45 2003: DEBUG: Handling with PAM service radiator
Thu Mar 20 09:24:45 2003: DEBUG: PAM is asking for 1: 'Password'
Thu Mar 20 09:24:45 2003: DEBUG: Access accepted for kkawakub
Thu Mar 20 09:24:45 2003: DEBUG: Access accepted for kkawakub
Thu Mar 20 09:24:45 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Accept
Identifier: 201
Authentic: <230>T<128><154>v<161><18><233><199>{T<177>uQ8C
Attributes:
        MS-MPPE-Send-Key = [key bytes omitted]
        MS-MPPE-Recv-Key = [key bytes omitted]
        EAP-Message = <3><6><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
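
Added example, not part of the original post and not Radiator code: a Python script that decodes the EAP-Message attributes in a trace 4 packet dump and flags any RADIUS packet whose EAP-Message attributes hold more than one EAP packet, as the Access-Challenge sent back to 140.107.50.90 in the first trace does (one EAP-TTLS request, type 21, and one PEAP request, type 25). The sample is a constructed excerpt of that trace and the function names are made up here; the trailing \x20 is an assumption, since each start request declares length 6 but shows five bytes.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def decode_trace_bytes(text):
    """Trace notation to bytes: <n> is the byte with decimal value n,
    any other character stands for itself."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None and int(m.group(1)) <= 255:
            out.append(int(m.group(1)))
        else:
            out += m.group(0).encode("latin-1", "replace")
    return bytes(out)


def eap_packets(values):
    """Concatenate one RADIUS packet's EAP-Message values (RFC 3579) and
    walk the result using the length declared in each EAP header."""
    data, found, offset = b"".join(values), [], 0
    while offset + 4 <= len(data):
        code, ident = data[offset], data[offset + 1]
        length = int.from_bytes(data[offset + 2:offset + 4], "big")
        if code not in EAP_CODES or length < 4:
            break  # not an EAP header: stop rather than guess
        eap_type = None
        if code in (1, 2) and length > 4 and offset + 4 < len(data):
            eap_type = data[offset + 4]
        found.append({"code": EAP_CODES[code], "id": ident, "length": length,
                      "type": EAP_TYPES.get(eap_type, eap_type)})
        offset += length
    return found


def audit(trace):
    """Return (direction line, [EAP packets]) for each packet dump."""
    report = []
    for chunk in trace.split("Packet dump:")[1:]:
        lines = chunk.strip().splitlines()
        direction = lines[0].strip() if lines else ""
        values = [decode_trace_bytes(v) for v in
                  re.findall(r"^[ \t]*EAP-Message = (.*)$", chunk, re.M)]
        report.append((direction, eap_packets(values)))
    return report


def conflicting(report):
    """Dumps whose EAP-Message attributes hold more than one EAP packet."""
    return [(d, p) for d, p in report if len(p) > 1]


# Constructed excerpt of the first trace. Assumption: the sixth byte of each
# start request is the Start flags byte 0x20, which prints as a trailing
# space; it is written as \x20 here so it cannot be lost.
SAMPLE_TRACE = """\
Thu Mar 20 10:58:08 2003: DEBUG: Packet dump:
*** Received from 140.107.50.90 port 1645 ....
Code: Access-Request
Attributes:
        EAP-Message = <2><3><0><13><1>kkawakub
Thu Mar 20 10:58:09 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.90 port 1645 ....
Code: Access-Challenge
Attributes:
        EAP-Message = <1><4><0><6><21>\x20
        Session-Timeout = 30
        EAP-Message = <1><4><0><6><25>\x20
"""

if __name__ == "__main__":
    print(conflicting(audit(SAMPLE_TRACE)))
```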