Hi All,

This is regarding a service provisioning scenario that we observed with the EAP MD5 protocol in our Radiator configuration. Please find the details below:

<AuthBy LDAP2>
    NoDefault
    Identifier user_auth
    Host 10.91.118.24
    Port 389
    AuthDN cn=directory manager
    AuthPassword tcpip123
    BaseDN %{User-Base}
    Scope one
    SearchFilter (uid=%U)
    UsernameAttr uid
    PasswordAttr coltplainpasswd
    EAPType MD5-Challenge
    AuthAttrDef radius-framed-ip-address,Framed-IP-Address,reply
    AuthAttrDef radius-framed-ip-netmask,Framed-IP-Netmask,reply
    Debug 255
</AuthBy>

<AuthBy LDAP2>
    Identifier service_auth
    Host 10.91.118.24
    Port 389
    AuthDN cn=directory manager
    AuthPassword tcpip123
    BaseDN %{Service-Dn}
    Scope subtree
    SearchFilter radiusdomains=%W
    PasswordAttr
    # EAPType MD5-Challenge
    AuthAttrDef radius-cisco-avpair,Cisco-AVPair,reply
    AuthAttrDef radius-Framed-Protocol,Framed-Protocol,reply
    AuthAttrDef radius-service-type,Service-Type,reply
    AuthAttrDef radius-Tunnel-Client-Auth-ID,Tunnel-Client-Auth-ID,reply
    AuthAttrDef radius-Tunnel-Client-Endpoint,Tunnel-Client-Endpoint,reply
    AuthAttrDef radius-Tunnel-Medium-Type,Tunnel-Medium-Type,reply
    AuthAttrDef radius-Tunnel-Password,Tunnel-Password,reply
    AuthAttrDef radius-Tunnel-Server-Endpoint,Tunnel-Server-Endpoint,reply
    AddToReplyIfNotExist Framed-Protocol=PPP,Service-Type=2
    Debug 255
</AuthBy>

In this scenario, we are taking the default handlers to understand EAP communication, and we observed that user authentication with EAP is going fine. Service authentication with EAP is not required, but Radiator is still requesting EAP communication. How can we disable EAP for service authentication, and if it is explicitly required, what parameters need to be taken care of? Usually, by default, service provisioning should be devoid of any such protocols.

Please find the logs here:

Wed Jun 12 08:21:05 2013: DEBUG: Rewrote user name to bsid...@coltvpn1.net
Wed Jun 12 08:21:05 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code: Access-Request
Identifier: 136
Authentic: `<4>[Wi<147>j<253><21><131><4>3<31><192>2?
Attributes:
    Service-Type = Login-User
    Calling-Station-Id = "10.91.117.20"
    User-Name = "bsid...@coltvpn1.net"
    EAP-Message = "<2>;<0><25><1>bsid...@coltvpn1.net"
    Signature = "<249><165>'<131><4>qp<197>h<217>5<232><229>1G<158>"
    NAS-IP-Address = 10.91.113.13

Wed Jun 12 08:21:05 2013: DEBUG: Handling request with Handler '', Identifier ''
Wed Jun 12 08:21:05 2013: DEBUG: Deleting session for bsid...@coltvpn1.net, 10.91.113.13,
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 08:21:05 2013: INFO: PreAuthHook: Got User-Name: bsidhan and Realm: coltvpn1.net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP server
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: ldapsearch with base ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: User search basedn: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Group search basedn: ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: User subscribes to 0 groups and 1 services directly.
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Checking service reference for domain first...
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Searching for radiusdomains= coltvpn1.net under coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: 1 results found for services with radiusdomains=coltvpn1.net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: User subscribes to coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net directly. Setting Pre-Auth = 1.
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Service-Dn: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Adding to Access-Request -> User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:05 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Pre-Auth: 1
Wed Jun 12 08:21:05 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 08:21:05 2013: DEBUG: Handling with EAP: code 2, 59, 25, 1
Wed Jun 12 08:21:05 2013: DEBUG: Response type 1
Wed Jun 12 08:21:05 2013: DEBUG: EAP result: 3, EAP MD5-Challenge
Wed Jun 12 08:21:05 2013: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MD5-Challenge
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Got from PreAuthHook -> Pre-Auth: 1
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Framed-IP-Address =
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Framed-IP-Netmask =
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Tunnel-Type =
Wed Jun 12 08:21:05 2013: DEBUG: PostAuthHook: Tunnel-Medium-Type =
Wed Jun 12 08:21:05 2013: INFO: PostAuthHook: Stripping Framed-IP-Address and Framed-IP-Netmask from the REPLY PACKET
Wed Jun 12 08:21:05 2013: INFO: PostAuthHook: Stripping Tunnel attributes from the REPLY PACKET
Wed Jun 12 08:21:05 2013: INFO: PostAuthHook: Called-Station-Id not present: Bypassing accessnumber check with Access-Accept.
Wed Jun 12 08:21:05 2013: DEBUG: Access challenged for bsid...@coltvpn1.net: EAP MD5-Challenge
Wed Jun 12 08:21:05 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code: Access-Challenge
Identifier: 136
Authentic: <137>L<224>k<202>Z[<240><29><14>l0<29><236><13><176>
Attributes:
    EAP-Message = "<1><<0>+<4><16><165>9y<230><237>k`<207><226><195><149><198>/}<13><193> rad1.blr.lab.colt.net"
    Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"

Wed Jun 12 08:21:06 2013: DEBUG: Rewrote user name to bsid...@coltvpn1.net
Wed Jun 12 08:21:06 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code: Access-Request
Identifier: 137
Authentic: s<133><146>8<222>i<220>\Kt<184><227>r<205><243><132>
Attributes:
    Service-Type = Login-User
    Calling-Station-Id = "10.91.117.20"
    User-Name = "bsid...@coltvpn1.net"
    EAP-Message = "<2><<0><22><4><16>k2<164><16><251><230>?<142><213><6><212><242>t<218><219><14>"
    Signature = "<133><21><209><159><154><212><186><29>5<9><204><164>jbN<24>"
    NAS-IP-Address = 10.91.113.13

Wed Jun 12 08:21:06 2013: DEBUG: Handling request with Handler '', Identifier ''
Wed Jun 12 08:21:06 2013: DEBUG: Deleting session for bsid...@coltvpn1.net, 10.91.113.13,
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 08:21:06 2013: INFO: PreAuthHook: Got User-Name: bsidhan and Realm: coltvpn1.net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP server
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: ldapsearch with base ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: User search basedn: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Group search basedn: ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: User subscribes to 0 groups and 1 services directly.
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Checking service reference for domain first...
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Searching for radiusdomains= coltvpn1.net under coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: 1 results found for services with radiusdomains=coltvpn1.net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: User subscribes to coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net directly. Setting Pre-Auth = 1.
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Service-Dn: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Adding to Access-Request -> User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Pre-Auth: 1
Wed Jun 12 08:21:06 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 08:21:06 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 08:21:06 2013: DEBUG: Response type 4
Wed Jun 12 08:21:06 2013: INFO: Connecting to 10.91.118.24:389
Wed Jun 12 08:21:06 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got result for uid=bsidhan, ou=people, o=COLT, ou=customers, dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got coltplainpasswd: 123456789
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 looks for match with bsid...@coltvpn1.net [bsid...@coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: : bsid...@coltvpn1.net [bsid...@coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: EAP Success, elapsed time 0.198786
Wed Jun 12 08:21:06 2013: DEBUG: EAP result: 0,
Wed Jun 12 08:21:06 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed Jun 12 08:21:06 2013: DEBUG: Handling with Radius::AuthLDAP2: service_auth
Wed Jun 12 08:21:06 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 08:21:06 2013: DEBUG: Response type 4
Wed Jun 12 08:21:06 2013: INFO: Connecting to 10.91.118.24:389
Wed Jun 12 08:21:06 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got result for coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got radius-cisco-avpair: ip:interface-config=vrf forwarding IPC-Perf-1 ip:interface-config=ip unnumbered Loopback11 ipsec:route-set-interface=1 ipsec:addr-pool=FlexPool ipsec:route-set=prefix 157.54.0.0/16
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got radius-Tunnel-Medium-Type: coltt...@colt.net
Wed Jun 12 08:21:06 2013: DEBUG: LDAP got radius-Tunnel-Password: tcpip123
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 looks for match with bsid...@coltvpn1.net [bsid...@coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: : bsid...@coltvpn1.net [bsid...@coltvpn1.net]
Wed Jun 12 08:21:06 2013: DEBUG: EAP Failure, elapsed time 0.205295
Wed Jun 12 08:21:06 2013: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: AuthBy LDAP2 result: REJECT, EAP MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 08:21:06 2013: DEBUG: PostAuthHook: Got from PreAuthHook -> Pre-Auth: 1
Wed Jun 12 08:21:06 2013: INFO: PostAuthHook: Access already rejected by Radius: Bypassing accessnumber check.
Wed Jun 12 08:21:06 2013: INFO: Access rejected for bsid...@coltvpn1.net: EAP MD5-Challenge failed
Wed Jun 12 08:21:06 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code: Access-Reject
Identifier: 137
Authentic: @Q<143><189><245><198><189><150><238>a<226><195>i}<243>4
Attributes:
    EAP-Message = "<4><<0><4>"
    Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
    Reply-Message = "Request Denied"

Now, when we completely neglected the service_auth for our requests (not an ideal production scenario), the logs changed to accept modes:

Wed Jun 12 09:06:31 2013: DEBUG: Rewrote user name to bsid...@coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code: Access-Request
Identifier: 160
Authentic: /<23><254>-<183>:<218><184><243>b<212><237><29><136>hT
Attributes:
    Service-Type = Login-User
    Calling-Station-Id = "10.91.117.20"
    User-Name = "bsid...@coltvpn1.net"
    EAP-Message = "<2>;<0><25><1>bsid...@coltvpn1.net"
    Signature = "O@<17>5?eI<192>KB<19><214>!<242><210>7"
    NAS-IP-Address = 10.91.113.13

Wed Jun 12 09:06:31 2013: DEBUG: Handling request with Handler '', Identifier ''
Wed Jun 12 09:06:31 2013: DEBUG: Deleting session for bsid...@coltvpn1.net, 10.91.113.13,
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: INFO: PreAuthHook: Got User-Name: bsidhan and Realm: coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP server
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ldapsearch with base ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User search basedn: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Group search basedn: ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to 0 groups and 1 services directly.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Checking service reference for domain first...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Searching for radiusdomains= coltvpn1.net under coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: 1 results found for services with radiusdomains=coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net directly. Setting Pre-Auth = 1.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Service-Dn: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request -> User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 09:06:31 2013: DEBUG: Handling with EAP: code 2, 59, 25, 1
Wed Jun 12 09:06:31 2013: DEBUG: Response type 1
Wed Jun 12 09:06:31 2013: DEBUG: EAP result: 3, EAP MD5-Challenge
Wed Jun 12 09:06:31 2013: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MD5-Challenge
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Got from PreAuthHook -> Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Address =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Netmask =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Type =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Medium-Type =
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Framed-IP-Address and Framed-IP-Netmask from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Tunnel attributes from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Called-Station-Id not present: Bypassing accessnumber check with Access-Accept.
Wed Jun 12 09:06:31 2013: DEBUG: Access challenged for bsid...@coltvpn1.net: EAP MD5-Challenge
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code: Access-Challenge
Identifier: 160
Authentic: ;/<184><20><147>v<27><149><185><154><154><7><224><150>3<176>
Attributes:
    EAP-Message = "<1><<0>+<4><16>2<193><195><134><233><179><250>V<231><19>R<204><141><176><207><151> rad1.blr.lab.colt.net"
    Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"

Wed Jun 12 09:06:31 2013: DEBUG: Rewrote user name to bsid...@coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Received from 10.91.113.13 port 1645 ....
Code: Access-Request
Identifier: 161
Authentic: <28><21><192>uM<1><178>uAp<19>V<235>yGh
Attributes:
    Service-Type = Login-User
    Calling-Station-Id = "10.91.117.20"
    User-Name = "bsid...@coltvpn1.net"
    EAP-Message = "<2><<0><22><4><16><30><238><175><134><143><224><3><127><128><244><10><31>d`<165><216>"
    Signature = "<173><21>&<196><1><24><147>9^&<130>:ZE<164><190>"
    NAS-IP-Address = 10.91.113.13

Wed Jun 12 09:06:31 2013: DEBUG: Handling request with Handler '', Identifier ''
Wed Jun 12 09:06:31 2013: DEBUG: Deleting session for bsid...@coltvpn1.net, 10.91.113.13,
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: PreAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: INFO: PreAuthHook: Got User-Name: bsidhan and Realm: coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Attempting to bind to LDAP server
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ldapsearch with base ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User search basedn: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Group search basedn: ou=groups,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: ColtServiceSubscriptionRef: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to 0 groups and 1 services directly.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Checking service reference for domain first...
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Searching for radiusdomains= coltvpn1.net under coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: 1 results found for services with radiusdomains=coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: User subscribes to coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net directly. Setting Pre-Auth = 1.
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Service-Dn: coltserviceid=anyconnect_new,ou=services,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request -> User-Base: ou=people,o=COLT,ou=customers,dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: PreAuthHook: Adding to Access-Request -> Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: Handling with Radius::AuthLDAP2: user_auth
Wed Jun 12 09:06:31 2013: DEBUG: Handling with EAP: code 2, 60, 22, 4
Wed Jun 12 09:06:31 2013: DEBUG: Response type 4
Wed Jun 12 09:06:31 2013: INFO: Connecting to 10.91.118.24:389
Wed Jun 12 09:06:31 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
Wed Jun 12 09:06:31 2013: DEBUG: LDAP got result for uid=bsidhan, ou=people, o=COLT, ou=customers, dc=colt,dc=net
Wed Jun 12 09:06:31 2013: DEBUG: LDAP got coltplainpasswd: 123456789
Wed Jun 12 09:06:31 2013: DEBUG: Radius::AuthLDAP2 looks for match with bsid...@coltvpn1.net [bsid...@coltvpn1.net]
Wed Jun 12 09:06:31 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: : bsid...@coltvpn1.net [bsid...@coltvpn1.net]
Wed Jun 12 09:06:31 2013: DEBUG: EAP Success, elapsed time 0.018697
Wed Jun 12 09:06:31 2013: DEBUG: EAP result: 0,
Wed Jun 12 09:06:31 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: PostAuthHook called...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Access code: Access-Request
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Proceeding...
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Got from PreAuthHook -> Pre-Auth: 1
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Address =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Framed-IP-Netmask =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Type =
Wed Jun 12 09:06:31 2013: DEBUG: PostAuthHook: Tunnel-Medium-Type =
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Framed-IP-Address and Framed-IP-Netmask from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Stripping Tunnel attributes from the REPLY PACKET
Wed Jun 12 09:06:31 2013: INFO: PostAuthHook: Called-Station-Id not present: Bypassing accessnumber check with Access-Accept.
Wed Jun 12 09:06:31 2013: DEBUG: Access accepted for bsid...@coltvpn1.net
Wed Jun 12 09:06:31 2013: DEBUG: Packet dump:
*** Sending to 10.91.113.13 port 1645 ....
Code: Access-Accept
Identifier: 161
Authentic: v<4><218>a2<208><193><175><137>wK<152>i<145><219><254>
Attributes:
    EAP-Message = "<3><<0><4>"
    Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"

Can anyone give us a hand here?

Regards,
Prasoon

--
Regards,
Prasoon Majumdar
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
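
Added example (not part of the original post and not Radiator code): decoding EAP-Message values written in the packet-dump notation shown above, so that lines such as "Handling with EAP: code 2, 59, 25, 1" and "code 2, 60, 22, 4" can be cross-checked, and verifying an MD5-Challenge response against a secret. The samples are constructed, the function names are hypothetical, and the reading of '<n>' as one byte is an assumption inferred from the dumps in the logs.

```python
import hashlib
import hmac
import re
import struct


def undump(text):
    """Turn dump notation such as '<2>;<0><25><1>abc' back into raw bytes.

    Assumption: '<n>' is one byte with decimal value n; any other character
    is itself. A literal '<' followed by digits and '>' is ambiguous.
    """
    out = bytearray()
    for m in re.finditer(r"<(\d{1,3})>|(.)", text, re.S):
        out.append(int(m.group(1)) if m.group(1) else ord(m.group(2)))
    return bytes(out)


def dump(raw):
    """Inverse helper for the constructed samples: escape all but a-z."""
    return "".join(chr(b) if 97 <= b <= 122 else f"<{b}>" for b in raw)


def parse_eap(raw):
    """Split an EAP packet (RFC 3748) into header fields and type data."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length > len(raw):
        raise ValueError("EAP length field exceeds the bytes present")
    pkt = {"code": code, "id": ident, "length": length, "type": None}
    if code in (1, 2) and length > 4:        # only Request/Response carry a type
        pkt["type"], data = raw[4], raw[5:length]
        if pkt["type"] == 4 and data:        # MD5-Challenge: size, value, name
            size = data[0]
            pkt["value"], pkt["name"] = data[1:1 + size], data[1 + size:]
        else:
            pkt["data"] = data
    return pkt


def md5_response_ok(response, challenge, secret):
    """RFC 1994 check used by EAP-MD5: MD5(identifier || secret || challenge)."""
    expected = hashlib.md5(
        bytes([response["id"]]) + secret + challenge["value"]).digest()
    return hmac.compare_digest(expected, response["value"])


def demo():
    # Constructed samples: header bytes mirror the page's log lines
    # ("code 2, 59, 25, 1" and "code 2, 60, 22, 4"); payloads are made up.
    identity = parse_eap(undump("<2>;<0><25><1>alice123@example.net"))
    chal_value = bytes(range(16))
    challenge = parse_eap(undump(
        "<1><<0>+<4><16>" + dump(chal_value) + "radius-01.example.net"))
    answer = hashlib.md5(bytes([60]) + b"secret" + chal_value).digest()
    response = parse_eap(undump("<2><<0><22><4><16>" + dump(answer)))
    return identity, challenge, response


if __name__ == "__main__":
    ident, chal, resp = demo()
    print(ident, chal, resp, sep="\n")
    print("correct secret:", md5_response_ok(resp, chal, b"secret"))
    print("empty secret:  ", md5_response_ok(resp, chal, b""))
```

The final check returns False for the empty secret: an MD5-Challenge response only verifies against the secret it was computed with.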