On 02/08/2012 12:54 AM, Shay Smith wrote:

Hello Shay,

> I'm currently testing Radiator to see if it would be a fit for our
> organization. I've been working with the included "eap_multi.cfg" file
> in hopes that we could get 802.1x authentication going for our Mac and
> Windows clients. Our LDAP directory has fields for SHA encrypted user
> passwords as well as NThash passwords, but I can't figure out how to
> make authentication work. I've successfully authenticated with a stock
> LDAP config. Below are my current config and a copy of the log entries
> for an attempted login.

Try the following:
- comment out ServerChecksPassword
- PasswordAttr value is the attribute that has NThashed password
- enable TranslatePasswordHook if the nthash is not prefixed with {nthash}

ServerChecksPassword works only if the authentication protocol uses PAP.
In other words, it works when the plain text password is available. With
e.g. PEAP/EAP-MSCHAP-V2 this is not the case.

You can also simplify the configuration by removing all EAPTLS_* lines
from TunnelledBy handlers. These are only needed when using TLS
tunnelled EAP methods inside PEAP or TTLS.

EAP_Type can also be simplified in TunnelledBy Handlers. 'EAPType
MSCHAP-V2' is probably enough. The outer Handler probably only needs
'EAPType PEAP,TTLS'.

The AddToReply lines can most likely be commented out too.

So in summary: after checking ServerChecksPassword, PasswordAttr and
TranslatePasswordHook the authentication should work. The rest is only
for simplifying the configuration.

Please let us know how it goes.
Heikki

> ***********************
> Config File
> ***********************
> Foreground
> LogStdout
> LogDir /etc/radiator
> DbDir .
>
> Trace 4
>
> AuthPort 1645, 1812
> AcctPort 1646, 1813
> BindAddress 10.51.254.228
>
> <Client 10.51.254.76>
>     Secret *****
>     DupInterval 0
> </Client>
>
> <Client localhost>
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Client 10.51.254.228>
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Client DEFAULT>
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
>
>         Host ldap.mesd.k12.or.us
>         Port 389
>         AuthDN *****
>         AuthPassword *****
>         BaseDN ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         Version 3
>         UsernameAttr uid
>         PasswordAttr userPassword
>         ServerChecksPassword
>         HoldServerConnection
>
>         AddToReply Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>
>         Version 3
>
>         EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         Debug 255
>     </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
>
>         Host ldap.mesd.k12.or.us
>         Port 389
>         AuthDN *****
>         AuthPassword *****
>         BaseDN ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         UsernameAttr uid
>         PasswordAttr userPassword
>         ServerChecksPassword
>         HoldServerConnection
>
>         AddToReply Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>
>         Version 3
>
>         EAPType MSCHAP-V2,MD5,TLS
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         Debug 255
>     </AuthBy>
> </Handler>
>
> <Handler>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
>
>         Host ldap.mesd.k12.or.us
>         Port 389
>         AuthDN *****
>         AuthPassword *****
>         BaseDN ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         UsernameAttr uid
>         PasswordAttr userPassword
>         ServerChecksPassword
>         HoldServerConnection
>
>         AddToReply Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>
>         Version 3
>
>         EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000.
>
>         AutoMPPEKeys
>
>         EAPTLS_PEAPVersion 0
>         EAPTLS_PEAPBrokenV1Label
>         EAPTLS_DHFile /etc/radiator/certificates/dh2048.pem
>
>         Debug 255
>     </AuthBy>
> </Handler>
>
> ***********************
> Log Dump
> ***********************
> Tue Feb 7 15:18:22 2012: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Tue Feb 7 15:18:22 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Feb 7 15:18:22 2012: DEBUG: Creating authentication port 10.51.254.228:1645
> Tue Feb 7 15:18:22 2012: DEBUG: Creating authentication port 10.51.254.228:1812
> Tue Feb 7 15:18:22 2012: DEBUG: Creating accounting port 10.51.254.228:1646
> Tue Feb 7 15:18:22 2012: DEBUG: Creating accounting port 10.51.254.228:1813
> Tue Feb 7 15:18:22 2012: NOTICE: Server started: Radiator 4.9 on localhost.localdomain (LOCKED)
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 1, 18, 1
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 1
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 2, 112, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 3, 6, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 4, 208, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 5, 6, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 59, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb 7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for anonymous, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 14, 1
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 1
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> Tue Feb 7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
>
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 107, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb 7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for anonymous, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 68, 26
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 26
> Tue Feb 7 15:19:11 2012: INFO: Connecting to ldap.mesd.k12.or.us:389
> Tue Feb 7 15:19:11 2012: INFO: Attempting to bind to LDAP server ldap.mesd.k12.or.us:389
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got result for uid=gitchy_gimbol,ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got cn: Gitchy Gimbol
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got givenName: Gitchy
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got sn: Gimbol
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got objectClass: MESDperson
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got mail: gitchy_gim...@ddouglas.k12.or.us
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got maildrop: gitchy_gimbol
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got mailacceptinggeneralid: Gitchy_Gimbol
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got uid: gitchy_gimbol
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got o: David Douglas
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got ou: District Office
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got uidNumber: 1031
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got apple-generateduid: DBDE2115-9C46-42A5-91D8-8D43DB208D8E
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got gidNumber: 1028
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got employeeNumber: 999999
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got houseIdentifier: West Powellhurst District Office
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got telephoneNumber: 5555
> Tue Feb 7 15:19:11 2012: DEBUG: LDAP got pwdLastSet: 1328300336
> Tue Feb 7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 looks for match with gitchy_gimbol [anonymous]
> Tue Feb 7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : gitchy_gimbol [anonymous]
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
> Tue Feb 7 15:19:11 2012: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Tue Feb 7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
>
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
>
> Tue Feb 7 15:19:11 2012: DEBUG: Handling request with Handler '', Identifier ''
> Tue Feb 7 15:19:11 2012: DEBUG: Deleting session for gitchy_gimbol, 10.51.254.76, 252
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb 7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 8, 43, 25
> Tue Feb 7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb 7 15:19:11 2012: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb 7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, PEAP Authentication Failure
> Tue Feb 7 15:19:11 2012: INFO: Access rejected for gitchy_gimbol: PEAP Authentication Failure
> Tue Feb 7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code: Access-Reject
> Identifier: 245
> Authentic: @<178>#<191>/F<14><204>A<219><188>2<240>o<145>*
> Attributes:
>     EAP-Message = <4><8><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
>
> --
> Shay Smith
> ----------------------------------------
>
> Gmail Evangelist
> David Douglas School District
> 503-261-8235
>
> www.ddouglas.k12.or.us
> <http://shay.ddouglas.k12.or.us>
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
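
The checks suggested in the reply above, written as a small Python linter for Radiator handler blocks. This is an added example, not part of the original thread and not Radiator code; the finding names, the constructed sample config and the attribute name `ntPasswordHash` are assumptions made for illustration.

```python
import re

# Constructed sample: the first handler mirrors the posted TunnelledByPEAP
# block, the second applies the changes suggested in the reply.
# "ntPasswordHash" is a placeholder attribute name, not taken from the thread.
SAMPLE_CFG = r"""
<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        #TranslatePasswordHook sub {return "{nthash}$_[0]";}
        PasswordAttr userPassword
        ServerChecksPassword
        AddToReply Framed-Protocol = PPP,\
            Framed-MTU = 1500
        EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
        EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
        EAPTLS_MaxFragmentSize 1000
    </AuthBy>
</Handler>
<Handler TunnelledByTTLS=1>
    <AuthBy LDAP2>
        TranslatePasswordHook sub {return "{nthash}$_[0]";}
        PasswordAttr ntPasswordHash
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
"""

# Finding codes (hypothetical names) with the reasoning given in the reply.
MESSAGES = {
    "server-checks-password":
        "ServerChecksPassword needs the plain text password (PAP); "
        "MSCHAP-V2 inside PEAP/TTLS does not provide it",
    "verify-nthash-prefix":
        "TranslatePasswordHook is off; confirm the stored NT hash "
        "already carries the {nthash} prefix",
    "unneeded-eaptls":
        "EAPTLS_* lines are only needed for TLS tunnelled EAP methods "
        "inside PEAP or TTLS",
    "extra-eap-types":
        "'EAPType MSCHAP-V2' is probably enough in a TunnelledBy handler",
}


def parse_handlers(text):
    """Return one dict per <Handler> block: its check string and directives."""
    handlers, current, continued = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        # A trailing backslash continues the directive on the next line.
        was_continued, continued = continued, line.endswith("\\")
        if was_continued:
            continue
        opener = re.match(r"<Handler\b\s*(.*?)>$", line)
        if opener:
            current = {"check": opener.group(1), "directives": {}}
        elif line == "</Handler>" and current is not None:
            handlers.append(current)
            current = None
        elif current is not None and line and line[0] not in "#<":
            # Commented-out lines and nested <AuthBy> tags are skipped.
            parts = line.split(None, 1)
            value = parts[1] if len(parts) > 1 else ""
            current["directives"].setdefault(parts[0], value)
    return handlers


def lint(text):
    """Flag inner (TunnelledBy) handlers that offer MSCHAP-V2 incorrectly."""
    findings = []
    for handler in parse_handlers(text):
        d = handler["directives"]
        eap_types = {t.strip() for t in d.get("EAPType", "").split(",")}
        if not handler["check"].startswith("TunnelledBy"):
            continue
        if "MSCHAP-V2" not in eap_types:
            continue
        if "ServerChecksPassword" in d:
            findings.append((handler["check"], "server-checks-password"))
        if "TranslatePasswordHook" not in d:
            findings.append((handler["check"], "verify-nthash-prefix"))
        if any(name.startswith("EAPTLS_") for name in d):
            findings.append((handler["check"], "unneeded-eaptls"))
        if len(eap_types) > 1:
            findings.append((handler["check"], "extra-eap-types"))
    return findings


if __name__ == "__main__":
    for check, code in lint(SAMPLE_CFG):
        print(f"<Handler {check}>: {code}: {MESSAGES[code]}")
```

The linter cannot tell whether the attribute named by PasswordAttr really holds an NT hash; that still has to be checked against the directory.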