Hello Steve -


Your configuration file is incorrect.

You cannot have Realms inside Handlers. If you are using Handlers, you must use only Handlers and they cannot be placed inside other Handlers. You cannot have <Log ...> clauses inside <AuthBy ...> clauses either.

regards

Hugh
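The structure Hugh describes, as an added example that is not part of the original thread or of Steve's configuration: the Realm becomes a top-level Handler keyed on TunnelledByTTLS=1 (the pattern already present in the commented-out section of Steve's config), and the <Log FILE> clause moves to the top level. Host, DNs, file paths and the 'password' placeholders are copied from the posted config; the ordering below relies on Radiator's documented rule that the first Handler whose check items match the request handles it.

```text
# Added example, not from the original thread: the wireless section restructured
# so that no Realm sits inside a Handler and no <Log> sits inside an <AuthBy>.
# Host, DNs, file names and the 'password' placeholders come from the posted
# config; nothing here carries real secrets.

# Log clauses belong at the top level of the configuration file.
<Log FILE>
        Filename        %L/debug-AD
        Trace           4
</Log>

# Radiator selects the first Handler whose check items match, so the Handler
# for the TTLS inner request must come before the catch-all wlan Handler.
# The inner request carries TunnelledByTTLS=1; the outer (anonymous) request does not.
<Handler TunnelledByTTLS=1>
        # Strip the DOMAIN\ prefix, leaving just the user name for the LDAP lookup
        RewriteUsername s/(.*)\\(.*)/$2/

        <AuthBy LDAP2>
                Host                    xxx.xxx.xxx.1
                AuthDN                  cn=radiusserver,dc=DOMAIN,dc=local
                AuthPassword            password
                BaseDN                  ou=MUSC Users,dc=DOMAIN,dc=local
                ServerChecksPassword
                UsernameAttr            cn
        </AuthBy>
</Handler>

# Outer EAP-TTLS request from the access point (User-Name "anonymous").
# The AuthBy UNIX clause handles the outer EAP-TTLS exchange, as in the
# original config; the AuthBy SQL accounting clause is unchanged and not repeated here.
<Handler Client-Identifier=wlan>
        AuthByPolicy ContinueWhileIgnore

        <AuthBy UNIX>
                Filename                  /etc/passwd.ppp
                EAPType                   TTLS
                EAPTLS_CAFile             /usr/local/ssl/certs/radiusserver.pem
                EAPTLS_CertificateFile    /usr/local/ssl/certs/radiusserver.pem
                EAPTLS_CertificateType    PEM
                EAPTLS_PrivateKeyFile     /usr/local/ssl/certs/radiusserver.pem
                EAPTLS_PrivateKeyPassword password
                EAPTLS_MaxFragmentSize    1024
                AutoMPPEKeys
        </AuthBy>

        # Log accounting to a detail file
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
```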


On Thursday, Jul 31, 2003, at 02:29 Australia/Melbourne, Steve Caporossi wrote:


Hugh,
Layers 8 & 9 prevent me from running Radiator on anything but a Linux box, I have no bias. :-)


I am not very familiar with AD. My understanding is that policies can be managed for users, machines, etc. In our environment, we are mapping drives and limiting machines/user rights to resources. We would like for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2.

Unfortunately, I must be missing something because it does not look like AuthBy LDAP2 is ever being used.

I attached my config and a debug of an attempt to connect from a machine logging into the domain. Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do not* have an anonymous user in my password file, but, I can authenticate wireless users via TTLS successfully. Am I mistaken or should this be happening? - Just not those trying to authenticate to the domain.

Thanks,
Steve

Hugh Irvine wrote:

Hello Steve -
You can use the AuthBy RADIUS clause to forward radius requests to a remote radius server. The exact configuration will depend on what else you are already doing in your configuration file. I am not sure I understand what you mean by "domain policies" - can you give me a bit more detail?
BTW - Radiator runs just fine on W2K server.
regards
Hugh
On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve Caporossi wrote:
Running radiator on a W2K server does not appear to be an option for us...I need to forward any domain logins ie, domain\username to a Windows radius server, but only if they try to login to the domain. Has anyone done this and been willing to share their methodology?

Can the domain policies be passed down to the machine as well using AuthBy LDAP, AuthBy Radius or AuthBy NT? Are there any advantages, or disadvantages, between these?

Thanks,
Steve

Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual ("doc/ref.html").
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve Caporossi wrote:


I am running radiator 3.6 (fully patched) on RH7.3 and need to tie into AD for domain login and username/password checking. In the reference manual section 6.40 <AuthBy ADSI> it has the statement,

<snip>
"It is only available on Windows 2000 platforms. It is implemented in AuthADSI.pm"
</snip>


I am a little confused...does this mean that radiator needs to be running on W2K?

Thanks,
-- Steve



=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.


NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?


-- Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083






# radius.cfg
#


#Foreground
#LogStdout
LogFile         /var/log/radius/%m%d%y.log
LogDir          /var/log/radius
DbDir           /etc/radiusserver
PidFile         /var/run/radius.pid
DictionaryFile  /etc/radiusserver/dictionary

# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace           4

AuthPort 1645,1812
AcctPort 1646,1813


# Add Clients below...


<Client xxx.xxx.xxx.1>
        Identifier ppp
        Secret mysecret
        DupInterval 2
        NasType Cisco
        SNMPCommunity private
</Client>

<Client xxx.xxx.xxx.2>
        Identifier ppp
        Secret mysecret
        DupInterval 2
        NasType Cisco
        SNMPCommunity private
</Client>

<Client xxx.xxx.xxx.1>
        Identifier vpn
        Secret mysecret
        DupInterval 2
        NasType Cisco
        SNMPCommunity private
</Client>

<Client DEFAULT>
        Identifier wlan
        Secret mysecret
        DupInterval 2
        NasType Cisco
        SNMPCommunity private
        IgnoreAcctSignature
</Client>

#
#
################ PPP Config ##########################

<Handler Client-Identifier=ppp>

        # AuthByPolicy ContinueAlways
        AuthByPolicy ContinueWhileIgnore      # Default

<AuthBy SQL>

                DBSource        dbi:mysql:radius
                DBUsername      dbuser
                DBAuth          password

AuthSelect

# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop


AccountingTable ACCOUNTING

AcctColumnDef USERNAME,User-Name
AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic


AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
</AuthBy>



        <AuthBy UNIX>
                DefaultSimultaneousUse 1
                Filename /etc/passwd.ppp
        </AuthBy>

        # Log accounting to a detail file
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log

</Handler>

################ VPN Config ##########################

<Handler Client-Identifier=vpn>

        # AuthByPolicy ContinueAlways
        AuthByPolicy ContinueWhileIgnore      # Default


<AuthBy SQL>


                DBSource        dbi:mysql:radius
                DBUsername      dbuser
                DBAuth          password

AuthSelect

# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop


AccountingTable ACCOUNTING

AcctColumnDef USERNAME,User-Name
AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef CLASS,Class
AcctColumnDef TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint


AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
</AuthBy>


        <AuthBy UNIX>
        DefaultSimultaneousUse 1
                Filename /etc/passwd.vpn
        </AuthBy>

        # Log accounting to a detail file
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log

</Handler>

################ WIRELESS Config ########################


#<Handler TunnelledByPEAP=1>
# # Windows XP when configured for a workgroup might send tunnelled user names
# # in the format COMPUTERNAME\username (eg BAKER\mikem). This
# # will strip the computer name leaving just the user name
# RewriteUsername s/(.*)\\(.*)/$2/
#
# <AuthBy FILE>
#
# # anonymous-PEAP must be in here:
# Filename %D/users
#
# # This tells the PEAP client what types of inner EAP requests
# # we will honour
# EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge
# # Need these for TTLS:
# EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CertificateFile %D/certificates/cert-srv.pem
# EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
# EAPTLS_PrivateKeyPassword whatever
# EAPTLS_MaxFragmentSize 500
# </AuthBy>
#</Handler>




# <Handler TunnelledByTTLS=1>
# <AuthBy FILE>
# # anonymous-PEAP must be in here:
# Filename %D/users
#
# # This tells the PEAP client what types of inner EAP requests
# # we will honour
# EAPType TTLS,MSCHAP-V2,MD5,TLS
# # Need these for TLS
# EAPTLS_CAFile /usr/local/ssl/certs/radiusserver.pem
# EAPTLS_CertificateFile /usr/local/ssl/certs/radiusserver.pem
# EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile /usr/local/ssl/certs/radiusserver.pem
# EAPTLS_PrivateKeyPassword password
# </AuthBy>
# </Handler>



<Handler Client-Identifier=wlan>


        # AuthByPolicy ContinueAlways
        AuthByPolicy ContinueWhileIgnore      # Default

<AuthBy SQL>

                DBSource        dbi:mysql:radius
                DBUsername      dbuser
                DBAuth          password

AuthSelect

# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop


AccountingTable ACCOUNTING

AcctColumnDef USERNAME,User-Name
AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic


AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
</AuthBy>


        <Realm DOMAIN>
                # Strip realm
                RewriteUsername s/(.*)\\(.*)/$2/
                <AuthBy LDAP2>
                        Host            xxx.xxx.xxx.1
                        AuthDN          cn=radiusserver,dc=DOMAIN,dc=local
                        AuthPassword    password
                        BaseDN          ou=MUSC Users,dc=DOMAIN,dc=local
                        ServerChecksPassword
                        UsernameAttr    cn

                        <Log FILE>
                                Filename %L/debug-AD
                                Trace 4
                        </Log>
                </AuthBy>
        </Realm>

<AuthBy UNIX>

Filename /etc/passwd.ppp

EAPType TTLS

EAPTLS_CAFile /usr/local/ssl/certs/radiusserver.pem

EAPTLS_CertificateFile /usr/local/ssl/certs/radiusserver.pem
EAPTLS_CertificateType PEM


EAPTLS_PrivateKeyFile /usr/local/ssl/certs/radiusserver.pem
EAPTLS_PrivateKeyPassword password


EAPTLS_MaxFragmentSize 1024

AutoMPPEKeys

# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4


</AuthBy>


        PreProcessingHook file:"/etc/radiusserver/eap_anon_hook.pl"
        PostAuthHook file:"/etc/radiusserver/eap_anon_hook.pl"

        # Log accounting to a detail file
       AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log

</Handler>

##Session Management RADONLINE

<SessionDatabase SQL>


        DBSource        dbi:mysql:radius
        DBUsername      dbuser
        DBAuth          password

AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
SERVICETYPE, CONNTYPE, TUNNELCLIENTENDPOINT) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}', \
%{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}', \
'%{Service-Type}','%{Client:Identifier}', '%{Tunnel-Client-Endpoint}')


  DeleteQuery delete from RADONLINE where \
  NASIDENTIFIER='%N' and NASPORT=0%{NAS-Port}

</SessionDatabase>

<SessionDatabase SQL>

DBSource dbi:mysql:database=radius;host=radiusserver2.musc.edu
DBUsername dbuser
DBAuth password


AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
SERVICETYPE, CONNTYPE, TUNNELCLIENTENDPOINT) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}', \
%{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}', \
'%{Service-Type}','%{Client:Identifier}', '%{Tunnel-Client-Endpoint}')


  DeleteQuery delete from RADONLINE where \
  NASIDENTIFIER='%N' and NASPORT=0%{NAS-Port}

</SessionDatabase>


********************************* DEBUG *********************************



Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx..156 port 2157 ....
Code: Access-Request
Identifier: 16
Authentic: <14><18>"-<161><137>\eX<17><231><170><140><164>k<135>
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=myssid"
NAS-IP-Address = xxx.xxx.xxx..156
Called-Station-Id = "004096585a95"
Calling-Station-Id = "00078592640e"
NAS-Identifier = "usb3ap"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><13><0><14><1>anonymous
Message-Authenticator = <153><129><23>T<204>C<140>t<185>>e<147>t<6><204>o


Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Wed Jul 30 11:48:26 2003: DEBUG: Deleting session for anonymous, xxx.xxx.xxx..156, 38
Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':


Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 13, 14
Wed Jul 30 11:48:26 2003: DEBUG: Response type 1
Wed Jul 30 11:48:26 2003: DEBUG: Resuming session for Radius::Context=HASH(0x85a5f90)


Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP TTLS Challenge
Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx..156 port 2157 ....
Code: Access-Challenge
Identifier: 16
Authentic: <14><18>"-<161><137>\eX<17><231><170><140><164>k<135>
Attributes:
EAP-Message = <1><14><0><6><21>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx..156 port 2158 ....
Code: Access-Request
Identifier: 17
Authentic: <212><180><160>3Be<145>CR-<191><222><236><163><237><252>
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=myssid"
NAS-IP-Address = xxx.xxx.xxx..156
Called-Station-Id = "004096585a95"
Calling-Station-Id = "00078592640e"
NAS-Identifier = "usb3ap"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><14><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>?'<232><202 ><161><238>J<229>d<8><204>8<135>?<188><230><127><167><235><8>0<155>iB;V <196>a<146><179>#<177><0><0>(<0><22><0><19><0>f<0><21><0><18><0><10><0> <5><0><4><0><9><0>c<0>e<0>`<0>b<0>a<0>d<0><20><0><17><0><3><0><6><0><8> <1><0>
Message-Authenticator = <215><206><30>D<142><214><12><136>7<186><175><207>C&V<12>


Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Wed Jul 30 11:48:26 2003: DEBUG: Deleting session for anonymous, xxx.xxx.xxx..156, 38
Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':


Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 14, 98
Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
Wed Jul 30 11:48:26 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP TTLS Challenge
Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx..156 port 2158 ....
Code: Access-Challenge
Identifier: 17
Authentic: <212><180><160>3Be<145>CR-<191><222><236><163><237><252>
Attributes:
EAP-Message = <1><15><4><10><21><192><0><0><5><0><22><3><1><0>J<2><0><0>F<3><1>?'<232 ><202><140><232>(kE<200><236><205><165><4>k<244><146><3><0><30>P<144>J< 197><133><234>r<158>^cc<6> <252>F<21><210><174><153><2><186><206><208><211><175>Z(YE<226>[EMAIL PROTECTED]<224>< 237><201><196><198>J<170><211><149>oA<3><0><10><0><22><3><1><3><234><11 ><0><3><230><0><3><227><0><3><224>0<130><3><220>0<130><3>E<160><3><2><1 ><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><171> 1<11>0<9><6><3>U<4><6><19><2>US1<23>0<21><6><3>U<4><8><19><14>South Carolina1<19>0<17><6><3>U<4><7><19><10>mcbanks0<31><6><3>U<4><10><19><2 4>Medical University of SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>
EAP-Message = U<4><3><19><17>radiator.musc.edu1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>[EMAIL PROTECTED]<30> <23><13>030303203707Z<23><13>040302203707Z0<129><171>1<11>0<9><6><3>U<4 ><6><19><2>US1<23>0<21><6><3>U<4><8><19><14>South Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1!0<31><6><3>U<4><10>< 19><24>Medical University of SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>U<4><3><19><17>rad iator.musc.edu1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>username
EAP-Message = @musc.edu0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3>< 129><141><0>0<129><137><2><129><129><0><171>8<134><175><148>p<9>K<181>< 221><14><170><246><4><208>xLl<182><195>=<163><153><165>@<202><4><20><13 3><19>9<178><<179><134><12><229><249><10><127><176><165><149><187>t<237 ><237><244><238><184><249><184><9>jO2<160><250>'<1><245><219>v<239>3K~< 5> &<154><223><235><248>Y<167><249><210><200><174><198><15><145><146><238> <190><143><5>.x6<159>`<189>L<20>\<247>j<142>/ <238><184><14><142><6>u<194><147><130><26><165><23>\<151>%<185><28>Z<16 7><185><165><205><176><202><18>|<135><2><3><1><0><1><163><130><1><12>0< 130><1><8>0<29><6><3>U<29><14><4><22><4><20><227>ks|N<178><252><22><5>t Z<212><175>l<198><2>1;6w0<129><216><6><3>U<29>#<4><129><208>0<129><205> <128><20><227>ks|N<178><252><22><5>tZ<212><175>l<198><2>1;6w<161><129>< 177><164><129><174>0
EAP-Message = <129><171>1<11>0<9><6><3>U<4><6><19><2>US1<23>0<21><6><3>U<4><8><19><14 >South Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1!0<31><6><3>U<4><10>< 19><24>Medical University of SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>U<4><3><19><17>rad iator.musc.edu1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>[EMAIL PROTECTED]<130> <1><0>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134>< 247><13><1><1><4><5><0><3><129><129><0>1\<206><157><219><233>w<206>]<<1 4><227>\}<221>go<181>O<250><232><174><21><252>'<162>Jg<166><152><247><1 6><242><222>><248><211><204><213><2>PF<30><234>
EAP-Message = <16><161><156>#I<169><217>%<128><25><151><241>F<21>f<25><128><252>iqb/
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx..156 port 2159 ....
Code: Access-Request
Identifier: 18
Authentic: a<249><155>@<133><30><252><254>FfoD<173><159><241><229>
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=myssid"
NAS-IP-Address = xxx.xxx.xxx..156
Called-Station-Id = "004096585a95"
Calling-Station-Id = "00078592640e"
NAS-Identifier = "usb3ap"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><15><0><6><21><0>
Message-Authenticator = o<242><215><6>:<190><235><167><220><202><225><233>VZp{


Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Wed Jul 30 11:48:26 2003: DEBUG: Deleting session for anonymous, xxx.xxx.xxx..156, 38
Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':


Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 15, 6
Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP TTLS Challenge
Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx..156 port 2159 ....
Code: Access-Challenge
Identifier: 18
Authentic: a<249><155>@<133><30><252><254>FfoD<173><159><241><229>
Attributes:
EAP-Message = <1><16><1><6><21><0><132><255>&6(<137>3<247>V<169>k<187><158>C<167><207 ><190><193><147><153><19><250><17><168><213><233>g<172><30><178><169>(< 140><153><25><177><11><183><147><226>r<7>f<5><203>F<199><203>r<5><237>k \s- <224><211>J<253><138><208><227><22><3><1><0><189><13><0><0><181><2><1>< 2><0><176><0><174>0<129><171>1<11>0<9><6><3>U<4><6><19><2>US1<23>0<21>< 6><3>U<4><8><19><14>South Carolina1<19>0<17><6><3>U<4><7><19><10>Charleston1!0<31><6><3>U<4><10>< 19><24>Medical University of SC1<13>0<11><6><3>U<4><11><19><4>CCIT1<26>0<24><6><3>U<4><3><19><17>rad iator.musc.edu1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>[EMAIL PROTECTED]
EAP-Message = c.edu<14><0><0><0>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx..156 port 2160 ....
Code: Access-Request
Identifier: 19
Authentic: '<156><25>G&<250>1<220>@<131>Gw<14><157>sY
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=myssid"
NAS-IP-Address = xxx.xxx.xxx..156
Called-Station-Id = "004096585a95"
Calling-Station-Id = "00078592640e"
NAS-Identifier = "usb3ap"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><16><0><212><21><128><0><0><0><202><22><3><1><0><7><11><0><0><3><0>< 0><0><22><3><1><0><134><16><0><0><130><0><128>]weJ{,<222><29><9> S0}5<244><249><191>H<195><149>D<241>H<251>:<162><177>=<193>Y<223><28><2 02>Y<198><16><172><164>J<231><180><175><217><134>2U<7><153><28>@<15><16 6>BP<130>)<180><21>?<166><150>B<199><137>9<148><154>_<198>J<8><11><6><1 69><25><7>t,<191><247><188><17><172>ru<235><255><147>"Q<190>k<129>p<243 ><235><165>F<247><160><169><189><16><172><203><255><220>N<211>i- I<177>c<146><206>l<227>4/ <31>L<187>,QZ<23><219><20><3><1><0><1><1><22><3><1><0>(<170><8><137>7<7 ><132><164><219><164>d_<18>4<221><170><10><156><12><153><166><154>Z<157 ><173><134><20><132><148>j<173><148><26><247>q<164><233><245><243>u<246 >
Message-Authenticator = ~X<161><215><179><183><26><30>1<160><247>B<2><195><246>N


Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Wed Jul 30 11:48:26 2003: DEBUG: Deleting session for anonymous, xxx.xxx.xxx..156, 38
Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':


Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 16, 212
Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
Wed Jul 30 11:48:26 2003: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Wed Jul 30 11:48:26 2003: DEBUG: Access challenged for anonymous: EAP TTLS Challenge
Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx..156 port 2160 ....
Code: Access-Challenge
Identifier: 19
Authentic: '<156><25>G&<250>1<220>@<131>Gw<14><157>sY
Attributes:
EAP-Message = <1><17><0>=<21><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>(<212><19 0><131><211>SL<185><136><229><183><161>8D<2><232><202><237>0I<9><242>*< 216><152>E<191><193><4>gR<237>9<162><212><182><27><183><155>q<131>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx..156 port 2161 ....
Code: Access-Request
Identifier: 20
Authentic: <180><225><21>Ti<179><155><152>4<187><247><222><207><154>wB
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=myssid"
NAS-IP-Address = xxx.xxx.xxx..156
Called-Station-Id = "004096585a95"
Calling-Station-Id = "00078592640e"
NAS-Identifier = "usb3ap"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><17><0>O<21><128><0><0><0>E<23><3><1><0>@<158><187><237><248>N<2><16 2>PN<148><241><9><136>:R<21><128><148>oW<153><206>_<158><3><23><206><15 8><12><222><9><252>2L<215>/'P<209><142>1<157> <191>E<171><229><225><193><26><194>s<155>%q<150>VMZ<198><15>r`<24>
Message-Authenticator = <163><238><171><248>C<229>*<176>{<14><148>K<202><172><178>`


Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Wed Jul 30 11:48:26 2003: DEBUG: Deleting session for anonymous, xxx.xxx.xxx..156, 38
Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=038':


Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
Wed Jul 30 11:48:26 2003: DEBUG: Handling with EAP: code 2, 17, 79
Wed Jul 30 11:48:26 2003: DEBUG: Response type 21
Wed Jul 30 11:48:26 2003: DEBUG: EAP TTLS inner authentication request for DOMAIN\username
Wed Jul 30 11:48:26 2003: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <243>{<176><14>X<183><196><251><240>}<251>H<221><172><142><234>
Attributes:
User-Name = "DOMAIN\username"
User-Password = "password"


Wed Jul 30 11:48:26 2003: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Wed Jul 30 11:48:26 2003: DEBUG: Deleting session for , xxx.xxx.xxx..156,
Wed Jul 30 11:48:26 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx..156' and NASPORT=0':


Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthSQL
Wed Jul 30 11:48:26 2003: DEBUG: Handling with Radius::AuthUNIX:
Wed Jul 30 11:48:26 2003: DEBUG: Radius::AuthUNIX looks for match with DOMAIN\username
Wed Jul 30 11:48:26 2003: INFO: Access rejected for DOMAIN\username: No such user
Wed Jul 30 11:48:26 2003: INFO: Access rejected for anonymous: EAP TTLS inner authentication redespatched to a Handler
Wed Jul 30 11:48:26 2003: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx..156 port 2161 ....
Code: Access-Reject
Identifier: 20
Authentic: <180><225><21>Ti<179><155><152>4<187><247><222><207><154>wB
Attributes:
EAP-Message = <4><17><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"






--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

