From alexander.hartmaier at t-systems.at  Wed Feb  1 07:42:28 2012
From: alexander.hartmaier at t-systems.at (Alexander Hartmaier)
Date: Wed, 1 Feb 2012 14:42:28 +0100
Subject: [RADIATOR] CRL reload error
In-Reply-To: <4E40F148.8050104@open.com.au>
References: <200911291038.59399.mikem@open.com.au>
	<4E37D89E.7090806@t-systems.at> <4E3F9316.5080809@open.com.au>
	<4E3FF9EC.2090103@t-systems.at> <4E40F148.8050104@open.com.au>
Message-ID: <4F294144.8060808@t-systems.at>

Hi,
I've encountered another problem.
I've written a bash script that downloads the crl once a day at one
o'clock in the morning local time and restarts radiator afterwards
because of the openssl crl caching.
The CRL lifetime ends about 30 minutes later and radiator rejects all
auths after that time because the crl isn't up2date any more.
Do you have a solution for downloading the crl in sync with its lifetime?

Best regards, Alex


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

From alexander.hartmaier at t-systems.at  Wed Feb  1 08:01:11 2012
From: alexander.hartmaier at t-systems.at (Alexander Hartmaier)
Date: Wed, 1 Feb 2012 15:01:11 +0100
Subject: [RADIATOR] two factor authentication
In-Reply-To: <E89C57E2-75E5-4551-862A-FBEE7A817AF0@open.com.au>
References: <4F15BA5B.5090102@t-systems.at> <4F15CE6F.4080207@open.com.au>
	<4828240.9mNHphb8fR@zulu> <4F169C14.1070401@t-systems.at>
	<E89C57E2-75E5-4551-862A-FBEE7A817AF0@open.com.au>
Message-ID: <4F2945A7.2080107@t-systems.at>

Hi Hugh,
should I use an AuthHook within the AuthBy INTERNAL?
Documentation for the list of passed parameters for the hooks would be 
nice so you don't have to look in the source code, if you're a Perl 
developer :)

That's what replaced the AuthBy HANDLER:

<AuthBy INTERNAL>
         DefaultResult ACCEPT

         # clear the password to force AuthOTP to always generate a OTP
         AuthHook sub { \
             my $p = ${$_[0]}; \
             $p->{DecodedPassword} = ''; \
             return $main::ACCEPT; \
         }
</AuthBy>

     AuthBy otp_sms

I hope the ACCEPT doesn't trigger a hidden security problem, the handler 
is configured with ContinueUntilChallenge.

Best regards, Alex

Am 2012-01-19 00:28, schrieb Hugh Irvine:
> Hello Alex -
>
> You can use an AuthBy INTERNAL between the other two clauses.
>
> See section 5.50 in the Radiator 4.9 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 18 Jan 2012, at 21:16, Alexander Hartmaier wrote:
>
>> Hi Heikki and Mike,
>> I'm already using AuthBy OTP with my own ChallengeHook.
>> I've read RFC2865 yesterday but missed the State attribute, thanks for
>> the great pointer!
>>
>> Thats the working config I came up with:
>>
>> <AuthLog FILE>
>>      Identifier tsa-otp-client-vpn
>>
>>      Filename %L/tsa-otp-client-vpn.authlog
>>      LogSuccess 1
>>      LogFailure 1
>>     # log the Handler Identifier to be able to distinguish between AD
>> and OTP auth failures
>>      SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
>>      FailureFormat
>> %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL
>> </AuthLog>
>>
>> <Handler Callback-Number=/.+/>
>>      Identifier otp_sms_challenge
>>
>>      AuthByPolicy    ContinueUntilChallenge
>>
>>      #StripFromRequest Password
>>
>>      # clear the password to force AuthOTP to always generate a OTP
>>      PreAuthHook sub { \
>>          my $p = ${$_[0]}; \
>>          my $rp = ${$_[1]}; \
>>          $p->{DecodedPassword} = ''; \
>>      }
>>      AuthBy otp_sms
>>      #AddToReply State="otp-challenge"
>> </Handler>
>>
>> <Handler Client-Identifier="tsa-tc-flod|localhost"
>> Request-Type="Access-Request" State="otp-challenge">
>>      Identifier tsa-otp-client-vpn-otp
>>
>>      AuthLog tsa-otp-client-vpn
>>      # Show any rejection reason to the end user
>>      RejectHasReason
>>
>>      AuthBy otp_sms
>> </Handler>
>>
>> <Handler Client-Identifier="tsa-tc-flod|localhost"
>> Request-Type="Access-Request">
>>      Identifier tsa-otp-client-vpn-ad
>>
>>      AuthByPolicy    ContinueUntilChallenge
>>
>>      # Show any rejection reason to the end user
>>      RejectHasReason
>>
>>      AuthLog tsa-otp-client-vpn
>>
>> <AuthBy LDAP2>
>>          # Save time by never looking for a default
>>          NoDefault
>>
>>          Host ip1 ip2 ip3
>>          Port 389
>>          Version 3
>>
>>          # request timeout in seconds
>>          Timeout 2
>>
>>          # don't try to reach the ldap for this amount of seconds after
>> failure
>>          FailureBackoffTime 0
>>
>>          UsernameAttr samaccountname
>>          # don't check the password, just for phone number lookup
>>          #PasswordAttr
>>          ServerChecksPassword
>>
>>          # store the users mobile phone number in the Callback-Number
>> radius attribute
>>          AuthAttrDef mobile,Callback-Number,request
>> </AuthBy>
>>
>> <AuthBy HANDLER>
>>          HandlerId otp_sms_challenge
>> </AuthBy>
>> </Handler>
>>
>> I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token
>> by using PreAuthHook to delete the DecodedPassword.
>> As you see I've tried StripFromRequest Password which didn't work.
>> I was looking for a way to clear the password between the AuthBy LDAP
>> and AuthBy OTP.
>> Is there a way to do this?
>>
>> Cheers, Alex
>>
>> Am 2012-01-17 21:12, schrieb Mike McCauley:
>>> Hi Heikki,
>>>
>>> I wonder if he should also look at  AuthBy OTP?
>>> Cheers.
>>>
>>> On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
>>>> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>>>>
>>>> Hello Alexander,
>>>>
>>>>> I'm trying to implement a two factor auth where the user has to enter
>>>>> his Active Directory credentials.
>>>>> Radiator checks those against the AD, if successful creates an OTP and
>>>>> sends that to the mobile phone number fetched from the AD.
>>>> Add State attribute to the challenge at this point.
>>>>
>>>>> A challenge is returned to the NAS.
>>>> See this for how NAS should react to challenge.
>>>> http://tools.ietf.org/html/rfc2865#section-5.24
>>>>
>>>>> My problem is that I can't distinguish the initial request and the
>>>>> challenge response which should skip the AD auth because this time the
>>>>> password field holds the OTP response.
>>>> State should be echoed back in the challenge response unless the NAS is
>>>> badly broken.
>>>>
>>>>> By looking at the radius packets with tcpdump I couldn't find a
>>>>> difference in the radius attributes sent that let me write two different
>>>>> handlers.
>>>>>
>>>>> Ideas?
>>>> Try something like this. Note that I have used a fixed value for
>>>> challenge, but you could make it generic to protect against replay
>>>> attacks or some other information that might be useful for selecting the
>>>> correct handler for verifying the challenge.
>>>>
>>>> <Handler attribute=value,...,State=whatever>
>>>>     # Check challenge here
>>>> </Handler>
>>>>
>>>> <Handler attribute=value,...>
>>>>     # Generate OTP here and send challenge
>>>>     <AuthBy ...>
>>>>        # AD auth happens here
>>>>        AddToReply State=whatever
>>>>     </AuthBy>
>>>> </Handler>
>>>>
>>>>
>>>>
>>>> Please let us know how it goes.
>>>> Heikki
>>
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>> Handelsgericht Wien, FN 79340b
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>> Notice: This e-mail contains information that is confidential and may be privileged.
>> If you are not the intended recipient, please notify the sender and then
>> delete this e-mail immediately.
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>

From lists at alzaid.com  Wed Feb  1 10:45:00 2012
From: lists at alzaid.com (Rami AlZaid)
Date: Wed, 1 Feb 2012 19:45:00 +0300
Subject: [RADIATOR] EAP-SIM Not Proceeding After EAP SIM/Start
Message-ID: <942FC7D1-F063-459A-9D02-A3DEB868DE9F@alzaid.com>

Hello,

I've been trying to configure EAP-SIM after getting an evaluation but with no success. I'm seeing an initial request from the mobile phone but isn't responding back with the nonce value to the Access-Challenge from the RADIUS. Instead the mobile phone is sending the initial request over and over. I've tried Nokia E71 and iOS 5.0.1 with no use. The AP is D-Link DWL-8600AP configured to use IEEE802.1x but tried with WPA Enterprise as well with the same results.

Does anyone know what could be the problem?


The following is the log from the RADIUS:

*** Received from 10.10.5.13 port 32878 ....
Code:       Access-Request
Identifier: 20
Authentic:  <0>,<197><136>T<199><136>|<22>/{,<10><178><201>D
Attributes:
        User-Name = "1419032609953058 at wlan.mnc000.mcc000.3gppnetwork.org"
        NAS-IP-Address = 10.10.5.13
        NAS-Port = 0
        Called-Station-Id = "00-25-B5-35-B5-D5:EAP"
        Calling-Station-Id = "D5-25-D5-65-F5-C5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 0Mbps 802.11g"
        EAP-Message = <2><1><0>8<1> 1419032609953058 at wlan.mnc000.mcc000.3gppnetwork.org
        Message-Authenticator = <189><11><228><18><193><215><254><230><200><167><247>*<196><12>xN


*** Sending to 10.10.5.13 port 32878 ....
Code:       Access-Challenge
Identifier: 20
Authentic:  <242>@<150>\<198><155><135><1>GJ<212><132><177><13>"6
Attributes:
        EAP-Message = <1><2><0><16><18><10><0><0><15><2><0><4><0><0><0><1>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


My configuration file is as follows, which I got from eap_simoperator.cfg:

Foreground
LogStdout
LogDir          /var/log/radiator
DbDir           /etc/radiator
AuthPort 1645,1812
AcctPort 1646,1813
Trace 5

DictionaryFile %D/dictionary,%D/dictionary.sim

<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>

<Realm DEFAULT>
        <AuthBy SIMOPERATOR>
                Host localhost
                AuthPort 1647
                Secret mysecret
                EAPType SIM
                NumTriplets 2
                SGSN MYSGSN
                DBSource        dbi:mysql:radius
                DBUsername      radius
                DBAuth          abcabc
                AutoMPPEKeys
                SupportVersions 1,0
                UseTMSI
                UseReauthentication
                UseResultInd
                ReauthenticationRealm @xyz.com
        </AuthBy>
</Realm>


Thanks,

--
R
~
~
:wq!


From hvn at open.com.au  Wed Feb  1 15:37:44 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 01 Feb 2012 23:37:44 +0200
Subject: [RADIATOR] two factor authentication
In-Reply-To: <4F2945A7.2080107@t-systems.at>
References: <4F15BA5B.5090102@t-systems.at> <4F15CE6F.4080207@open.com.au>
	<4828240.9mNHphb8fR@zulu> <4F169C14.1070401@t-systems.at>
	<E89C57E2-75E5-4551-862A-FBEE7A817AF0@open.com.au>
	<4F2945A7.2080107@t-systems.at>
Message-ID: <4F29B0A8.9000103@open.com.au>

On 02/01/2012 04:01 PM, Alexander Hartmaier wrote:

> should I use an AuthHook within the AuthBy INTERNAL?
> Documentation for the list of passed parameters for the hooks would be 
> nice so you don't have to look in the source code, if you're a Perl 
> developer :)

The hook parameters for INTERNAL are described in section "5.50 <AuthBy
INTERNAL>". The hooks themselves are mentioned in subsections, but they
all have the same parameters. Now that you mentioned, this seems to be
an exception to normal documentation where the parameters are described
together with the hook.

> That's what replaced the AuthBy HANDLER:
> 
> <AuthBy INTERNAL>
>          DefaultResult ACCEPT
> 
>          # clear the password to force AuthOTP to always generate a OTP
>          AuthHook sub { \
>              my $p = ${$_[0]}; \
>              $p->{DecodedPassword} = ''; \
>              return $main::ACCEPT; \
>          }
> </AuthBy>
> 
>      AuthBy otp_sms
> 
> I hope the ACCEPT doesn't trigger a hidden security problem, the handler 
> is configured with ContinueUntilChallenge.

If you are worried about AuthBy INTERNAL's ACCEPT being used as the
return value from the Handler, use AuthByPolicy ContinueAlways. If there
are other AuthBys in the hook, you could put the above in an AuthBy
GROUP to make sure both are always executed without affecting any other
authbys.

Thanks!
Heikki


> Best regards, Alex
> 
> Am 2012-01-19 00:28, schrieb Hugh Irvine:
>> Hello Alex -
>>
>> You can use an AuthBy INTERNAL between the other two clauses.
>>
>> See section 5.50 in the Radiator 4.9 reference manual ("doc/ref.pdf").
>>
>> regards
>>
>> Hugh
>>
>>
>> On 18 Jan 2012, at 21:16, Alexander Hartmaier wrote:
>>
>>> Hi Heikki and Mike,
>>> I'm already using AuthBy OTP with my own ChallengeHook.
>>> I've read RFC2865 yesterday but missed the State attribute, thanks for
>>> the great pointer!
>>>
>>> Thats the working config I came up with:
>>>
>>> <AuthLog FILE>
>>>      Identifier tsa-otp-client-vpn
>>>
>>>      Filename %L/tsa-otp-client-vpn.authlog
>>>      LogSuccess 1
>>>      LogFailure 1
>>>     # log the Handler Identifier to be able to distinguish between AD
>>> and OTP auth failures
>>>      SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
>>>      FailureFormat
>>> %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL
>>> </AuthLog>
>>>
>>> <Handler Callback-Number=/.+/>
>>>      Identifier otp_sms_challenge
>>>
>>>      AuthByPolicy    ContinueUntilChallenge
>>>
>>>      #StripFromRequest Password
>>>
>>>      # clear the password to force AuthOTP to always generate a OTP
>>>      PreAuthHook sub { \
>>>          my $p = ${$_[0]}; \
>>>          my $rp = ${$_[1]}; \
>>>          $p->{DecodedPassword} = ''; \
>>>      }
>>>      AuthBy otp_sms
>>>      #AddToReply State="otp-challenge"
>>> </Handler>
>>>
>>> <Handler Client-Identifier="tsa-tc-flod|localhost"
>>> Request-Type="Access-Request" State="otp-challenge">
>>>      Identifier tsa-otp-client-vpn-otp
>>>
>>>      AuthLog tsa-otp-client-vpn
>>>      # Show any rejection reason to the end user
>>>      RejectHasReason
>>>
>>>      AuthBy otp_sms
>>> </Handler>
>>>
>>> <Handler Client-Identifier="tsa-tc-flod|localhost"
>>> Request-Type="Access-Request">
>>>      Identifier tsa-otp-client-vpn-ad
>>>
>>>      AuthByPolicy    ContinueUntilChallenge
>>>
>>>      # Show any rejection reason to the end user
>>>      RejectHasReason
>>>
>>>      AuthLog tsa-otp-client-vpn
>>>
>>> <AuthBy LDAP2>
>>>          # Save time by never looking for a default
>>>          NoDefault
>>>
>>>          Host ip1 ip2 ip3
>>>          Port 389
>>>          Version 3
>>>
>>>          # request timeout in seconds
>>>          Timeout 2
>>>
>>>          # don't try to reach the ldap for this amount of seconds after
>>> failure
>>>          FailureBackoffTime 0
>>>
>>>          UsernameAttr samaccountname
>>>          # don't check the password, just for phone number lookup
>>>          #PasswordAttr
>>>          ServerChecksPassword
>>>
>>>          # store the users mobile phone number in the Callback-Number
>>> radius attribute
>>>          AuthAttrDef mobile,Callback-Number,request
>>> </AuthBy>
>>>
>>> <AuthBy HANDLER>
>>>          HandlerId otp_sms_challenge
>>> </AuthBy>
>>> </Handler>
>>>
>>> I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token
>>> by using PreAuthHook to delete the DecodedPassword.
>>> As you see I've tried StripFromRequest Password which didn't work.
>>> I was looking for a way to clear the password between the AuthBy LDAP
>>> and AuthBy OTP.
>>> Is there a way to do this?
>>>
>>> Cheers, Alex
>>>
>>> Am 2012-01-17 21:12, schrieb Mike McCauley:
>>>> Hi Heikki,
>>>>
>>>> I wonder if he should also look at  AuthBy OTP?
>>>> Cheers.
>>>>
>>>> On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
>>>>> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>>>>>
>>>>> Hello Alexander,
>>>>>
>>>>>> I'm trying to implement a two factor auth where the user has to enter
>>>>>> his Active Directory credentials.
>>>>>> Radiator checks those against the AD, if successful creates an OTP and
>>>>>> sends that to the mobile phone number fetched from the AD.
>>>>> Add State attribute to the challenge at this point.
>>>>>
>>>>>> A challenge is returned to the NAS.
>>>>> See this for how NAS should react to challenge.
>>>>> http://tools.ietf.org/html/rfc2865#section-5.24
>>>>>
>>>>>> My problem is that I can't distinguish the initial request and the
>>>>>> challenge response which should skip the AD auth because this time the
>>>>>> password field holds the OTP response.
>>>>> State should be echoed back in the challenge response unless the NAS is
>>>>> badly broken.
>>>>>
>>>>>> By looking at the radius packets with tcpdump I couldn't find a
>>>>>> difference in the radius attributes sent that let me write two different
>>>>>> handlers.
>>>>>>
>>>>>> Ideas?
>>>>> Try something like this. Note that I have used a fixed value for
>>>>> challenge, but you could make it generic to protect against replay
>>>>> attacks or some other information that might be useful for selecting the
>>>>> correct handler for verifying the challenge.
>>>>>
>>>>> <Handler attribute=value,...,State=whatever>
>>>>>     # Check challenge here
>>>>> </Handler>
>>>>>
>>>>> <Handler attribute=value,...>
>>>>>     # Generate OTP here and send challenge
>>>>>     <AuthBy ...>
>>>>>        # AD auth happens here
>>>>>        AddToReply State=whatever
>>>>>     </AuthBy>
>>>>> </Handler>
>>>>>
>>>>>
>>>>>
>>>>> Please let us know how it goes.
>>>>> Heikki
>>>
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>>> Handelsgericht Wien, FN 79340b
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> Notice: This e-mail contains information that is confidential and may be privileged.
>>> If you are not the intended recipient, please notify the sender and then
>>> delete this e-mail immediately.
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Wed Feb  1 16:07:32 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 02 Feb 2012 00:07:32 +0200
Subject: [RADIATOR] CRL reload error
In-Reply-To: <4F294144.8060808@t-systems.at>
References: <200911291038.59399.mikem@open.com.au>
	<4E37D89E.7090806@t-systems.at> <4E3F9316.5080809@open.com.au>
	<4E3FF9EC.2090103@t-systems.at> <4E40F148.8050104@open.com.au>
	<4F294144.8060808@t-systems.at>
Message-ID: <4F29B7A4.1070805@open.com.au>

On 02/01/2012 03:42 PM, Alexander Hartmaier wrote:

Hello Alexander,

> I've encountered another problem.
> I've written a bash script that downloads the crl once a day at one
> o'clock in the morning local time and restarts radiator afterwards
> because of the openssl crl caching.
> The CRL lifetime ends about 30 minutes later and radiator rejects all
> auths after that time because the crl isn't up2date any more.
> Do you have a solution for downloading the crl in sync with its lifetime?

There's nothing in goodies for this. If required, I would probably do
this by checking the output from openssl crl -nextupdate command and
then scheduling update based on that.

A quick search for possible scripts found this candidate. Maybe it might
be useful for ideas of how to do this?

http://www.id.ee/11051

See 'Sample script for automatic renewal ...'.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From Traiano.Welcome at mtnbusiness.co.za  Mon Feb  6 09:20:37 2012
From: Traiano.Welcome at mtnbusiness.co.za (Traiano Welcome)
Date: Mon, 6 Feb 2012 15:20:37 +0000
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
Message-ID: <CB55BC64.5DCA%traiano.welcome@mtnbusiness.co.za>

Hi List

I've configured my radius servers to send a copy of radius accounting
packets to a receiving radius server at  third party vendor, who will then
process radius accounting packets for billing purposes. I'm doing this
using an "AuthBy RADIUS" clause placed after an "AuthBy SQL" clause:

My configuration  is as follows (Thanks to, Heikki and Hugh!):

---------
<AuthBy RADIUS>
        Identifier Accounting_Packet_Feed
        Host 196.181.13.1
        Secret  s3cr3t
        RetryTimeout 30
        AuthPort        1812
        AcctPort        1813
        NoForwardAuthentication
</AuthBy>

---------

This is then used in a Handler, right after <AuthBy SQL> as follows (
Identifier Accounting_Packet_Feed):

---------------
<Handler NAS-Identifier=/^MyNAS-.*$/>

        AuthByPolicy ContinueWhileAccept

        <AuthBy SQL>
                DBSource        dbi:Pg:dbname=acctrecords;host=localhost
                DBUsername      logmonkey
                DBAuth          y34hr1ght
                AuthSelect
                AccountingTable acctrecords
                AcctColumnDef nasidentifier,NAS-Identifier
                AcctColumnDef timestamp,Timestamp

                .
                .
                .
        </AuthBy>
        AuthBy Accounting_Packet_Feed
 </Handler>.
-------------------

In my AuthBy SQL statement, there are around 200 attributes defined,
however not all of them are being proxy'ed by the "AuthBy RADIUS" module,
especially, we're not seeing all the attributes being exported in the
accounting stop packets proxied to the third party vendor's radius server.

We see a lot of the following type of error in our logs associated with
our destination radius server:

---
.
WARNING: Bad authenticator received in reply to ID 153
.
WARNING: Unknown reply received in AuthRADIUS for request 153 from
196.181.13.1:1813 
.
---

I've confirmed the secret is the same between the proxying radius servers
and the destination radius server, so this doesn't look like the issue.


In addition, when I do a verbose tcpdump of packets received from my
proxying radius servers, I notice a lot  of this type of error:

----
          Vendor Specific Attribute (26), length: 8 (bogus, goes past end
of packet)
          Vendor Specific Attribute (26), length: 12 (bogus, goes past end
of packet)
----



My questions are as follows:


1. Is there any configuration that  must be applied to the <AuthBy RADIUS>
module to ensure all the available  radius attributes in the original
accounting packet from the NASes are proxied in their exact state to the
final destination radius server ?
2. Are the  "(bogus, goes past end of packet)" messages anything to be
concerned about ?


Any help would be much appreciated!

Thanks in Advance,
Traiano















From A.L.M.Buxey at lboro.ac.uk  Mon Feb  6 10:02:49 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 6 Feb 2012 16:02:49 +0000
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
In-Reply-To: <CB55BC64.5DCA%traiano.welcome@mtnbusiness.co.za>
References: <CB55BC64.5DCA%traiano.welcome@mtnbusiness.co.za>
Message-ID: <20120206160249.GE18379@lboro.ac.uk>

Hi,

> WARNING: Bad authenticator received in reply to ID 153

incorrect shared secret or badly munged UDP packets, or packets
received after your local RADIUS server has already decided to forget
about them (timeout)

> I've confirmed the secret is the same between the proxying radius servers
> and the destination radius server, so this doesn't look like the issue.

Secret "whatever the secret is"


..then you never get undone by trailing spaces etc

>           Vendor Specific Attribute (26), length: 8 (bogus, goes past end
> of packet)
>           Vendor Specific Attribute (26), length: 12 (bogus, goes past end
> of packet)

big big packets - larger than the MTU - change the size of your RADIUS packets
to eg 1280 or so - the default in RADIATOR is big ...too big.  then the RADIUS
will break the packets up nicely.

hmm, theres EAPTLS_MaxFragmentSize to deal with EAP - not sure about what you tweak
with plain RADIUS accounting packets that are big. maybe change the host MTU size?

alan

From Traiano.Welcome at mtnbusiness.co.za  Tue Feb  7 09:13:02 2012
From: Traiano.Welcome at mtnbusiness.co.za (Traiano Welcome)
Date: Tue, 7 Feb 2012 15:13:02 +0000
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
In-Reply-To: <20120206160249.GE18379@lboro.ac.uk>
Message-ID: <CB5709C7.6275%traiano.welcome@mtnbusiness.co.za>

Thanks, Alan! This seems to have worked. I've just had an ida though, for
"mirroring" radius accounting packets to an upstream radius system, which
might be easier than using  radiator  as a proxy, as follows: (On
FreeBSD), using packet mirroring functionality (e.g the pf mirroring
feature) to make a copy of the incoming radius accounting packets and
mirror them to an upstream radius server which requires a feed.

Would this be an advisable alternative way of sending a radius packet feed
to a third party, in this case ? What would be the gotchas?

Many Thanks,
Traiano



On 2012/02/06 6:02 PM, "Alan Buxey" <A.L.M.Buxey at lboro.ac.uk> wrote:

>Hi,
>
>> WARNING: Bad authenticator received in reply to ID 153
>
>incorrect shared secret or badly munged UDP packets, or packets
>received after your local RADIUS server has already decided to forget
>about them (timeout)
>
>> I've confirmed the secret is the same between the proxying radius
>>servers
>> and the destination radius server, so this doesn't look like the issue.
>
>Secret "whatever the secret is"
>
>
>..then you never get undone by trailing spaces etc
>
>>           Vendor Specific Attribute (26), length: 8 (bogus, goes past
>>end
>> of packet)
>>           Vendor Specific Attribute (26), length: 12 (bogus, goes past
>>end
>> of packet)
>
>big big packets - larger than the MTU - change the size of your RADIUS
>packets
>to eg 1280 or so - the default in RADIATOR is big ...too big.  then the
>RADIUS
>will break the packets up nicely.
>
>hmm, theres EAPTLS_MaxFragmentSize to deal with EAP - not sure about what
>you tweak
>with plain RADIUS accounting packets that are big. maybe change the host
>MTU size?
>
>alan


From ck-lists at cksoft.de  Tue Feb  7 09:41:05 2012
From: ck-lists at cksoft.de (Christian Kratzer)
Date: Tue, 7 Feb 2012 16:41:05 +0100 (CET)
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
In-Reply-To: <CB5709C7.6275%traiano.welcome@mtnbusiness.co.za>
References: <CB5709C7.6275%traiano.welcome@mtnbusiness.co.za>
Message-ID: <alpine.BSF.2.00.1202071636310.92947@tapio.cksoft.de>

Hi,

On Tue, 7 Feb 2012, Traiano Welcome wrote:

> Thanks, Alan! This seems to have worked. I've just had an ida though, for
> "mirroring" radius accounting packets to an upstream radius system, which
> might be easier than using  radiator  as a proxy, as follows: (On
> FreeBSD), using packet mirroring functionality (e.g the pf mirroring
> feature) to make a copy of the incoming radius accounting packets and
> mirror them to an upstream radius server which requires a feed.
>
> Would this be an advisable alternative way of sending a radius packet feed
> to a third party, in this case ? What would be the gotchas?

You would have to decode the packets with the secret they were encoded
with and reencode them with the secret required by your other radius
server.

You would also have to weed to duplicates resulting from resendes to
your first radius server and you would need to handle resends for
packets that got dropped and not acked by your destination radius
server.

All this makes a packet capture solution a whole lot harder than
just using radius.

Under high request load having a further radius to forward to and having
to handle resends and acks for that other target might cause issues.

I would consider spooling the radius requests into a separate file and
use a script to send the spooled requests to the other radius from a
separate process. This would isolate any issues you have with forwarding
from you production setup.

Greetings
Christian Kratzer
CK Software GmbH


>
> Many Thanks,
> Traiano
>
>
>
> On 2012/02/06 6:02 PM, "Alan Buxey" <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>> Hi,
>>
>>> WARNING: Bad authenticator received in reply to ID 153
>>
>> incorrect shared secret or badly munged UDP packets, or packets
>> received after your local RADIUS server has already decided to forget
>> about them (timeout)
>>
>>> I've confirmed the secret is the same between the proxying radius
>>> servers
>>> and the destination radius server, so this doesn't look like the issue.
>>
>> Secret "whatever the secret is"
>>
>>
>> ..then you never get undone by trailing spaces etc
>>
>>>           Vendor Specific Attribute (26), length: 8 (bogus, goes past
>>> end
>>> of packet)
>>>           Vendor Specific Attribute (26), length: 12 (bogus, goes past
>>> end
>>> of packet)
>>
>> big big packets - larger than the MTU - change the size of your RADIUS
>> packets
>> to eg 1280 or so - the default in RADIATOR is big ...too big.  then the
>> RADIUS
>> will break the packets up nicely.
>>
>> hmm, theres EAPTLS_MaxFragmentSize to deal with EAP - not sure about what
>> you tweak
>> with plain RADIUS accounting packets that are big. maybe change the host
>> MTU size?
>>
>> alan
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer

From shay_smith at ddouglas.k12.or.us  Tue Feb  7 16:54:23 2012
From: shay_smith at ddouglas.k12.or.us (Shay Smith)
Date: Tue, 7 Feb 2012 14:54:23 -0800
Subject: [RADIATOR] MSCHAPv2 and LDAP Authentication...
Message-ID: <CAAM=0pCXZpqBQ3QM+tY7wm8Ln85oU_TfPKbJgbieQEhhCtb4FA@mail.gmail.com>

Hello,

I'm currently testing Radiator to see if it would be a fit for our
organization. I've been working with the included "eap_multi.cfg" file in
hopes that we could get 802.1x authentication going for our Mac and WIndows
clients. Our LDAP directory has fields for SHA encrypted user passwords as
well as NThash passwords, but I can't figure out how to make authentication
work. I've successfully authenticated with a stock LDAP config. Below are
my current config and a copy of the log entries for an attempted login.



***********************
Config File
***********************
Foreground
LogStdout
LogDir        /etc/radiator
DbDir        .

Trace         4

AuthPort 1645, 1812
AcctPort 1646, 1813
BindAddress 10.51.254.228

<Client 10.51.254.76>
    Secret *****
    DupInterval 0
</Client>

<Client localhost>
    Secret mysecret
    DupInterval 0
</Client>

<Client 10.51.254.228>
    Secret mysecret
    DupInterval 0
</Client>

<Client DEFAULT>
    Secret    mysecret
    DupInterval 0
</Client>


<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        NoDefault
        #TranslatePasswordHook sub {return "{nthash}$_[0]";}

        Host    ldap.mesd.k12.or.us
        Port    389
        AuthDN        *****
        AuthPassword    *****
        BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
        Version 3
        UsernameAttr    uid
        PasswordAttr    userPassword
        ServerChecksPassword
        HoldServerConnection

        AddToReply Framed-Protocol = PPP,\
                Framed-IP-Netmask = 255.255.255.255,\
                Framed-Routing = None,\
                Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP

        Version 3


        EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
        EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        Debug 255
    </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
    <AuthBy LDAP2>
        NoDefault
        #TranslatePasswordHook sub {return "{nthash}$_[0]";}

        Host    ldap.mesd.k12.or.us
        Port    389
        AuthDN        *****
        AuthPassword    *****
        BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
        UsernameAttr    uid
        PasswordAttr    userPassword
        ServerChecksPassword
        HoldServerConnection

        AddToReply Framed-Protocol = PPP,\
                Framed-IP-Netmask = 255.255.255.255,\
                Framed-Routing = None,\
                Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP

        Version 3

        EAPType MSCHAP-V2,MD5,TLS
        EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        Debug 255
    </AuthBy>
</Handler>

<Handler>
    <AuthBy LDAP2>
        NoDefault
        #TranslatePasswordHook sub {return "{nthash}$_[0]";}

        Host    ldap.mesd.k12.or.us
        Port    389
        AuthDN        *****
        AuthPassword    *****
        BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
        UsernameAttr    uid
        PasswordAttr    userPassword
        ServerChecksPassword
        HoldServerConnection

        AddToReply Framed-Protocol = PPP,\
                Framed-IP-Netmask = 255.255.255.255,\
                Framed-Routing = None,\
                Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP

        Version 3

        EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
        EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000.

        AutoMPPEKeys

        EAPTLS_PEAPVersion 0
        EAPTLS_PEAPBrokenV1Label
        EAPTLS_DHFile /etc/radiator/certificates/dh2048.pem

        Debug 255
    </AuthBy>
</Handler>


***********************
Log Dump
***********************
Tue Feb  7 15:18:22 2012: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Tue Feb  7 15:18:22 2012: DEBUG: Reading dictionary file './dictionary'
Tue Feb  7 15:18:22 2012: DEBUG: Creating authentication port
10.51.254.228:1645
Tue Feb  7 15:18:22 2012: DEBUG: Creating authentication port
10.51.254.228:1812
Tue Feb  7 15:18:22 2012: DEBUG: Creating accounting port 10.51.254.228:1646
Tue Feb  7 15:18:22 2012: DEBUG: Creating accounting port 10.51.254.228:1813
Tue Feb  7 15:18:22 2012: NOTICE: Server started: Radiator 4.9 on
localhost.localdomain (LOCKED)
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 238
Authentic:  /<20><19>:<146>e<195><185><135><5>#U<204><207><234><235>
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message = <2><1><0><18><1>gitchy_gimbol
    Message-Authenticator =
<229><199><134><145><241><197><7>j7<205>%T<1>$<154><156>

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 1, 18, 1
Tue Feb  7 15:19:11 2012: DEBUG: Response type 1
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 238
Authentic:  <155><151>8<243><210>W<219><169><173><254>lxI<199><180><27>
Attributes:
    EAP-Message = <1><2><0><6><25>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 239
Authentic:  <182><185><138><161><238><228>Q<211><236>eA<192>5<209><176><249>
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message =
<2><2><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>O1<170><174>VR<229><127><184><qM{<208>-<178><196>R<1><250><180><238><222><27><182><138><31><25><144><26><240>{<0><0>6<0>/<0><5><0><4><0>5<0><10><0><9><0><3><0><8><0><6><0>2<0>3<0>8<0>9<0><22><0><21><0><20><0><19><0><18><0><17><0>4<0>:<0><24><0><27><0><26><0><23><0><25><0><1><1><0>
    Message-Authenticator = Ez<240><223><21>k<175>8<19>c<22><159>cl<152>*

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 2, 112, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 239
Authentic:  h<17>L<19>9U-<235>1<182>qb<132><155>U<233>
Attributes:
    EAP-Message =
<1><3><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>O1<177>oo"<241><153><191><171>><197>v(<239><155><165><183>;Y<137>A<28><211><196><154><29><152><144><147>l'
<193><6><217><255><170>N<200>&<255><229><178><203><203><222><155>><194><145><195>a at f~<165><29><149>
~,5<21>}<0>/<0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
    EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in
production)1
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>111116214828Z<23><13>131115214828Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
Section1%0#<6><3>U<4><3><19><28>t
    EAP-Message =
est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><213>|5<149><252>7<170><164><8><136>w<6><229>,<180><131><28>Q<249>io6<250>5<174><131>}Y<252>P<133><174>Mll<197>8<189>F<197>><18>4<170><221>J<132>0j<160><238>I<214><8>P<180>cl<167><238><5><196><170><142><253>@d;k<163><164><234><146><16><3><24><212><228><245><14><132><154><190><212>:x&7<171><212><247><21>k<215>z(h<10><252><207>G<235><128><152><17>Le<137><130>'<196><182><214><18><180>R"<22>S~<6><164><227><220>f<156><249><235><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><149>J<214><242><222><198>`<209><9>O.<13>b<171><224>%<154><228><221><228>
    EAP-Message =
<241>~4<176>J<2><243><12><26>Z{B<137>+<234><0>Nu+P<9><165><244><203><234>912pO<161><165><184><223><200>^<19><167><137><158>W<24><240>T<194><130><8><251><28>0?<179>"<134><180>_<203><20><19><190><173><240>1<255><146>UR<161>g<223>d<7><192>O<27>)<146><248>D<127><145>Yg<242><243><162><192><244>&"<232>d<225>:<30><129>s2;!!<19><202><216>g<213><178>{<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><163>Gw<236><211>F<201><17>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 240
Authentic:  T<139><160><133><154><205><220><213><149>w<215>kQ<154>DH
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message = <2><3><0><6><25><0>
    Message-Authenticator =
<154><30>><210><154>r;h<200><190><235><165>iC<177>K

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 3, 6, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 240
Authentic:  (<175><229><252><253>P<181>{i<156>2<154>M<250><252>^
Attributes:
    EAP-Message = <1><4><3><208><25><0>t Certificate
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>111116214827Z<23><13>131115214827Z0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certific
    EAP-Message = ate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
in production)1
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0
<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><230>7<155><154>=<154>+<199><137><172>(<31>t<184>v<0>u*<204><248><249><25><249><181><168><172>`s<230>=<211>JB<186>e<2><0><8>I0<179>cV'Qb<196>E<225><228><227><151><215>2q<164>%<28>j<168>!<206><214>,<190><223><133>-<173>.<165><142><127><25><229><15><145>+l<172>K<232>W<202><238><130><232><223><25><148><175><208><137><251><211>n<185><184><174>`<216><149><136><163><128><194>6<211>?rK^w<236><150><143><152>^(<229><28><134><12><193><251>Q<132>!<2><3>
    EAP-Message =
<1><0><1><163><130><1>30<130><1>/0<29><6><3>U<29><14><4><22><4><20><14><174><229><25><249><1>d[+<252><160>JZ<211><145>W<134>9<238>B0<129><255><6><3>U<29>#<4><129><247>0<129><244><128><20><14><174><229><25><249><1>d[+<252><160>JZ<211><145>W<134>9<238>B<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in productio
    EAP-Message = n)1 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>
mikem at open.com.au
<130><9><0><163>Gw<236><211>F<201><17>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><224><155><161><236><140><231><132><11><160>)w<207>O<218>l<3>E'<216><255><169><179>;<171><147>W<239>a<147><31>q<158><199>0q<236><18><28>T<218><248>,<15><1>I<228><178><23><231>Y?<244>z<30><196>@<196><203><152>k=<145><255>]<134><220>@<251>T<210><216><198><187><15><199><155>mMw<208><145>j<244><150><235><170>3$<180><20><31>gS<151><253>f%V<249><166>i<16>f<237>0<147><131>+<193><31><183>'<5><221>|<240><195><181><131><223><28><225><143><165><215><242>&<1><22><3><1><0><4><14><0><0><0>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 241
Authentic:  Q<196>t<26>K<9>t"<167><214><226><231><182>u<147><156>
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message =
<2><4><0><208><25><128><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>R<253><8><5><148>W<192><18>=<155>|<218>W<251><241>9`+<247><165><192><27>Y<186><205><231><130>c<226><11>Us<227><213><131>y(<241>"<169>C<212>+<14><172><133><164><127>p<23><237>*g<148><254>DI#s<170><24>{<195><131><201>C<237><216><21>!<149><143>;B<158>R<162><148><174><182><211><131><137><234>J<142><217><162>eL<26><14><14><224><151>i<205><169><183><135><162>n=<244><183>O<224><244>z}x.m{<240><142><156>visIg<225>{I<235><171>:<20><3><1><0><1><1><22><3><1><0>0<249><158><12><128><252><129><172><27><239><133><141>A<196>5><9>\<1><173><14><163>~<206>j<219><12><153><25><143><130><231><235><200>n2Vj<196><31><236><155><215><221><195><131>hM<212>
    Message-Authenticator =
<155><129>nP<30><189><237><191><132>9<211><23><172><255>"a

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 4, 208, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 241
Authentic:  <172>8<159><176>t(<2>~<223><173><1><248>{'~<214>
Attributes:
    EAP-Message =
<1><5><0>E<25><128><0><0><0>;<20><3><1><0><1><1><22><3><1><0>04z<234>Q<225>8t<195><152>/<208><155>R<201><204>S<162>.Fj<138><169><203><139>e%<178><190><231><203>k<219>yn{Sh<15><23><208><201><215>y<230><167>-[+
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 242
Authentic:  <178>_<231>RzE<231><222><10><221>#<136><188>mNx
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message = <2><5><0><6><25><0>
    Message-Authenticator =
<249><178><2><227><157>=<174><143>J<160><127><233><154>~<235><17>

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 5, 6, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 242
Authentic:  p<31><217>R<237>O<168><146><216>@<197><238><17>6<168>p
Attributes:
    EAP-Message = <1><6><0>+<25><0><23><3><1><0>
y3<169><171><169>Ur)<251>sm<172>Q<185><211><248><202><3>8<210><184><180><<201><138><138>D&-<31><30>b
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 243
Authentic:  @<24><150><225>\<235><196><234>e<167><24>ayL<226><31>
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message =
<2><6><0>;<25><0><23><3><1><0>0<12>@O]<253><176>x<128><137><195><158><236><255>n<9><21><131><227><231>.mr<12><228><237><215><173>3<144><166>@<157>.U<162><152><148><220><133>Z<131>{\(K3<1>3
    Message-Authenticator =
}<209><252><171><157><22><196><239><22><3><223>R=<177><203><204>

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 59, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request for
anonymous
Tue Feb  7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  ?<169><181><215>:1r<157><138><161>2{<215>|<15>>
Attributes:
    EAP-Message = <2><6><0><14><1>gitchy_gimbol
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    NAS-Port = 252
    Calling-Station-Id = "00-0d-93-84-a4-11"
    User-Name = "anonymous"

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for anonymous,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 14, 1
Tue Feb  7 15:19:11 2012: DEBUG: Response type 1
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
MSCHAP-V2 Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for anonymous: EAP
MSCHAP-V2 Challenge
Tue Feb  7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic:  ?<169><181><215>:1r<157><138><161>2{<215>|<15>>
Attributes:
    EAP-Message =
<1><7><0>/<26><1><7><0>*<16><202>g<7><208><27><14>'<208>S<140>j<207><226><187><165>.localhost.localdomain
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
inner authentication redispatched to a Handler
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP inner authentication redispatched to a Handler
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 243
Authentic:  7<173>o<249><19>|<227><195>9*<28><142>-`<255><238>
Attributes:
    EAP-Message =
<1><7><0>K<25><0><23><3><1><0>@v<219>@<224>s4<202>N1<239><184><137>#<137><129><161><'x<141><180><182><254><175><153>S<158>A2S<235><209><17><142><24><221><210><0><182><1><20><253><195><22>!<181>x<207><168>M<191><164>p<206><174>0<166><201><137>F<151><190><166><203>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 244
Authentic:  <129>j<224>9<234>'[<235><30><15><0>E<197><159><127><147>
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message =
<2><7><0>k<25><0><23><3><1><0>`<165>/Tl<186>h<140><158><16>x}C<128><144><166>3l<127><171><16><16>x+<192><140><141><245>{C<135>J<234><251><250><214><239><249>lE<226><129>N<185><3><237><188><205>.2<127><31><252>y<145><22><200>Xv<243><127><150><212><153><130>+<180>E<206><163>5<19><159>O<203><174><2><167><200><211>y<140><22>5<146><157>>s<224>or<241>.<199><216>`<229>
    Message-Authenticator =
<210><249>`<226><24><253><235><228><4><160>hPW<202><214><160>

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 107, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request for
anonymous
Tue Feb  7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <255>A<247><254><228><148><244><8><157>w<200><4><135>x)<138>
Attributes:
    EAP-Message =
<2><7><0>D<26><2><7><0>C19<243>W<19>ZKTq2T<22><218>g<207><223><149><0><0><0><0><0><0><0><0><155>C<0><202><135>%Zh<158><168><209><31><11><240>"N<239>+Z<199>y<148><219><172><0>gitchy_gimbol
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    NAS-Port = 252
    Calling-Station-Id = "00-0d-93-84-a4-11"
    User-Name = "anonymous"

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for anonymous,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 68, 26
Tue Feb  7 15:19:11 2012: DEBUG: Response type 26
Tue Feb  7 15:19:11 2012: INFO: Connecting to ldap.mesd.k12.or.us:389
Tue Feb  7 15:19:11 2012: INFO: Attempting to bind to LDAP server
ldap.mesd.k12.or.us:389
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got result for
uid=gitchy_gimbol,ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got cn: Gitchy Gimbol
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got givenName: Gitchy
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got sn: Gimbol
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got objectClass: MESDperson
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got mail:
Gitchy_Gimbol at ddouglas.k12.or.us
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got maildrop: gitchy_gimbol
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got mailacceptinggeneralid:
Gitchy_Gimbol
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got uid: gitchy_gimbol
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got o: David Douglas
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got ou: District Office
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got uidNumber: 1031
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got apple-generateduid:
DBDE2115-9C46-42A5-91D8-8D43DB208D8E
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got gidNumber: 1028
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got employeeNumber: 999999
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got houseIdentifier: West Powellhurst
District Office
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got telephoneNumber: 5555
Tue Feb  7 15:19:11 2012: DEBUG: LDAP got pwdLastSet: 1328300336
Tue Feb  7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 looks for match with
gitchy_gimbol [anonymous]
Tue Feb  7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : gitchy_gimbol
[anonymous]
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 1, EAP MSCHAP-V2
Authentication failure
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2
Authentication failure
Tue Feb  7 15:19:11 2012: INFO: Access rejected for anonymous: EAP
MSCHAP-V2 Authentication failure
Tue Feb  7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <255>A<247><254><228><148><244><8><157>w<200><4><135>x)<138>
Attributes:
    EAP-Message = <4><7><0><4>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    Reply-Message = "Request Denied"

Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
inner authentication redispatched to a Handler
Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol: EAP
PEAP inner authentication redispatched to a Handler
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Challenge
Identifier: 244
Authentic:  <167><148>C<22><133><129><248><145><243>)<219><243>7q<147><238>
Attributes:
    EAP-Message = <1><8><0>+<25><0><23><3><1><0>
B<127>IV]<27>r<4><141>Vu<5><188><175><24><233>%<174><175><133><144><230><171><<226>_<217><16>,k<223><155>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Received from 10.51.254.76 port 1024 ....
Code:       Access-Request
Identifier: 245
Authentic:
<189><143><229><141><217><227><186>C]<176><218><199>6<175><20><151>
Attributes:
    Framed-MTU = 1466
    NAS-IP-Address = 10.51.254.76
    NAS-Identifier = "RADIUS TEST"
    User-Name = "gitchy_gimbol"
    Service-Type = Framed-User
    NAS-Port = 252
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-11-24-a9-7f-88"
    Calling-Station-Id = "00-0d-93-84-a4-11"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    EAP-Message = <2><8><0>+<25><0><23><3><1><0>
X9zfJ<185>2<198><186><232><226><194>vB<163><13>j9}<17><149>$<30><176><234>&<157><226>-V~<223>
    Message-Authenticator = 4I<139><218><141>B><2><236><24>9(j<12><27>?

Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
10.51.254.76, 252
Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 8, 43, 25
Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 1, PEAP Authentication Failure
Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, PEAP
Authentication Failure
Tue Feb  7 15:19:11 2012: INFO: Access rejected for gitchy_gimbol: PEAP
Authentication Failure
Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
*** Sending to 10.51.254.76 port 1024 ....
Code:       Access-Reject
Identifier: 245
Authentic:  @<178>#<191>/F<14><204>A<219><188>2<240>o<145>*
Attributes:
    EAP-Message = <4><8><0><4>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    Reply-Message = "Request Denied"









-- 
Shay Smith
----------------------------------------

Gmail Evangelist
David Douglas School District
503-261-8235

www.ddouglas.k12.or.us
<http://shay.ddouglas.k12.or.us>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120207/d56f2370/attachment-0001.html 

From Traiano.Welcome at mtnbusiness.co.za  Wed Feb  8 02:51:13 2012
From: Traiano.Welcome at mtnbusiness.co.za (Traiano Welcome)
Date: Wed, 8 Feb 2012 08:51:13 +0000
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
In-Reply-To: <alpine.BSF.2.00.1202071636310.92947@tapio.cksoft.de>
Message-ID: <CB580270.6353%traiano.welcome@mtnbusiness.co.za>

Hi Christian


On 2012/02/07 5:41 PM, "Christian Kratzer" <ck-lists at cksoft.de> wrote:

>Hi,
>
>On Tue, 7 Feb 2012, Traiano Welcome wrote:
>
>> Thanks, Alan! This seems to have worked. I've just had an ida though,
>>for
>> "mirroring" radius accounting packets to an upstream radius system,
>>which
>> might be easier than using  radiator  as a proxy, as follows: (On
>> FreeBSD), using packet mirroring functionality (e.g the pf mirroring
>> feature) to make a copy of the incoming radius accounting packets and
>> mirror them to an upstream radius server which requires a feed.
>>
>> Would this be an advisable alternative way of sending a radius packet
>>feed
>> to a third party, in this case ? What would be the gotchas?
>
>You would have to decode the packets with the secret they were encoded
>with and reencode them with the secret required by your other radius
>server.



Quite right, but if you used the same secret on the other (final
destination) radius server, I suppose this could be avoided ? Granted
you'll have to keep the secrets I synch across three points in this path
and this would make for a rather ugly setup ?




>
>You would also have to weed to duplicates resulting from resendes to
>your first radius server and you would need to handle resends for
>packets that got dropped and not acked by your destination radius
>server.


Indeed. This is exactly what would make this mechanism un-viable.


>
>All this makes a packet capture solution a whole lot harder than
>just using radius.
>
>Under high request load having a further radius to forward to and having
>to handle resends and acks for that other target might cause issues.


Of course, if you're proxying via radius, you also have additional load
issues to handle anyhow, whereas, from a load perspective mirroring
packets would be less resource intensive.


>
>I would consider spooling the radius requests into a separate file and
>use a script to send the spooled requests to the other radius from a
>separate process. This would isolate any issues you have with forwarding
>from you production setup.


This sounds very much like FreeRADIUS' "radrelay" concept, which
essentially the same thing. Does Radiator come with a standard script that
does this, or would I have to write my own?


>
>Greetings
>Christian Kratzer
>CK Software GmbH
>

>
>>
>> Many Thanks,
>> Traiano
>>
>>
>>
>> On 2012/02/06 6:02 PM, "Alan Buxey" <A.L.M.Buxey at lboro.ac.uk> wrote:
>>
>>> Hi,
>>>
>>>> WARNING: Bad authenticator received in reply to ID 153
>>>
>>> incorrect shared secret or badly munged UDP packets, or packets
>>> received after your local RADIUS server has already decided to forget
>>> about them (timeout)
>>>
>>>> I've confirmed the secret is the same between the proxying radius
>>>> servers
>>>> and the destination radius server, so this doesn't look like the
>>>>issue.
>>>
>>> Secret "whatever the secret is"
>>>
>>>
>>> ..then you never get undone by trailing spaces etc
>>>
>>>>           Vendor Specific Attribute (26), length: 8 (bogus, goes past
>>>> end
>>>> of packet)
>>>>           Vendor Specific Attribute (26), length: 12 (bogus, goes past
>>>> end
>>>> of packet)
>>>
>>> big big packets - larger than the MTU - change the size of your RADIUS
>>> packets
>>> to eg 1280 or so - the default in RADIATOR is big ...too big.  then the
>>> RADIUS
>>> will break the packets up nicely.
>>>
>>> hmm, theres EAPTLS_MaxFragmentSize to deal with EAP - not sure about
>>>what
>>> you tweak
>>> with plain RADIUS accounting packets that are big. maybe change the
>>>host
>>> MTU size?
>>>
>>> alan
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>-- 
>Christian Kratzer                      CK Software GmbH
>Email:   ck at cksoft.de                  Wildberger Weg 24/2
>Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
>Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
>Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian
>Kratzer


From ck-lists at cksoft.de  Wed Feb  8 03:58:50 2012
From: ck-lists at cksoft.de (Christian Kratzer)
Date: Wed, 8 Feb 2012 10:58:50 +0100 (CET)
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
In-Reply-To: <CB580270.6353%traiano.welcome@mtnbusiness.co.za>
References: <CB580270.6353%traiano.welcome@mtnbusiness.co.za>
Message-ID: <alpine.BSF.2.00.1202081056010.92947@tapio.cksoft.de>

Hi,

On Wed, 8 Feb 2012, Traiano Welcome wrote:
<snipp/>
>> I would consider spooling the radius requests into a separate file and
>> use a script to send the spooled requests to the other radius from a
>> separate process. This would isolate any issues you have with forwarding
>> from you production setup.
>
>
> This sounds very much like FreeRADIUS' "radrelay" concept, which
> essentially the same thing. Does Radiator come with a standard script that
> does this, or would I have to write my own?

Not that I am aware of.   It is not that hard though considering that if you use perl you can use all the radius parsing, encoding, sending logic from radiator.

Radpwtest would be a good starting point for seeing how to get all this working together.

Greetings
Christian

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer

From Traiano.Welcome at mtnbusiness.co.za  Wed Feb  8 04:49:23 2012
From: Traiano.Welcome at mtnbusiness.co.za (Traiano Welcome)
Date: Wed, 8 Feb 2012 10:49:23 +0000
Subject: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party
 Vendor: Not all Attributes proxied
In-Reply-To: <alpine.BSF.2.00.1202081056010.92947@tapio.cksoft.de>
Message-ID: <CB58147E.6382%traiano.welcome@mtnbusiness.co.za>

Thanks, Christian!


On 2012/02/08 11:58 AM, "Christian Kratzer" <ck-lists at cksoft.de> wrote:

>Hi,
>
>On Wed, 8 Feb 2012, Traiano Welcome wrote:
><snipp/>
>>> I would consider spooling the radius requests into a separate file and
>>> use a script to send the spooled requests to the other radius from a
>>> separate process. This would isolate any issues you have with
>>>forwarding
>>> from you production setup.
>>
>>
>> This sounds very much like FreeRADIUS' "radrelay" concept, which
>> essentially the same thing. Does Radiator come with a standard script
>>that
>> does this, or would I have to write my own?
>
>Not that I am aware of.   It is not that hard though considering that if
>you use perl you can use all the radius parsing, encoding, sending logic
>from radiator.
>
>Radpwtest would be a good starting point for seeing how to get all this
>working together.
>
>Greetings
>Christian
>
>-- 
>Christian Kratzer                      CK Software GmbH
>Email:   ck at cksoft.de                  Wildberger Weg 24/2
>Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
>Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
>Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian
>Kratzer


From hvn at open.com.au  Wed Feb  8 06:34:08 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 08 Feb 2012 14:34:08 +0200
Subject: [RADIATOR] MSCHAPv2 and LDAP Authentication...
In-Reply-To: <CAAM=0pCXZpqBQ3QM+tY7wm8Ln85oU_TfPKbJgbieQEhhCtb4FA@mail.gmail.com>
References: <CAAM=0pCXZpqBQ3QM+tY7wm8Ln85oU_TfPKbJgbieQEhhCtb4FA@mail.gmail.com>
Message-ID: <4F326BC0.5000602@open.com.au>

On 02/08/2012 12:54 AM, Shay Smith wrote:

Hell Shay,

> I'm currently testing Radiator to see if it would be a fit for our
> organization. I've been working with the included "eap_multi.cfg" file
> in hopes that we could get 802.1x authentication going for our Mac and
> WIndows clients. Our LDAP directory has fields for SHA encrypted user
> passwords as well as NThash passwords, but I can't figure out how to
> make authentication work. I've successfully authenticated with a stock
> LDAP config. Below are my current config and a copy of the log entries
> for an attempted login.

Try the following:
- comment out ServerChecksPassword
- PasswordAttr value is the attribute that has NThashed password
- enable TranslatePasswordHook if the nthash is not prefixed with {nthash}

ServerChecksPassword works only if the authentication protocol uses PAP.
In other words, it works when the plain text password is available. With
e.g. PEAP/EAP-MSCHAP-V2 this is not the case.

You can also simplify the configuration by removing all EAPTLS_* lines
from TunnelledBy handlers. These are only needed when using TLS
tunnelled EAP methods inside PEAP or TTLS.

EAP_Type can also be simplified in TunnelledBy Handlers. 'EAPType
MSCHAP-V2' is probably enough.

The outer Handler probably only needs 'EAPType PEAP,TTLS'.

The AddToReply lines can most likely to be commented out too.

So in summary: after checking ServerChecksPassword, PasswordAttr and
TranslatePasswordHook the authentication should work. The rest is only
for simplifying the configuration.

Please let us know how it goes.

Heikki


> ***********************
> Config File
> ***********************
> Foreground
> LogStdout
> LogDir        /etc/radiator
> DbDir        .
> 
> Trace         4
> 
> AuthPort 1645, 1812
> AcctPort 1646, 1813
> BindAddress 10.51.254.228
> 
> <Client 10.51.254.76>
>     Secret *****
>     DupInterval 0
> </Client>
> 
> <Client localhost>
>     Secret mysecret
>     DupInterval 0
> </Client>
> 
> <Client 10.51.254.228>
>     Secret mysecret
>     DupInterval 0
> </Client>
> 
> <Client DEFAULT>
>     Secret    mysecret
>     DupInterval 0
> </Client>
> 
> 
> <Handler TunnelledByPEAP=1>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
> 
>         Host    ldap.mesd.k12.or.us <http://ldap.mesd.k12.or.us>
>         Port    389
>         AuthDN        *****
>         AuthPassword    *****
>         BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         Version 3
>         UsernameAttr    uid
>         PasswordAttr    userPassword
>         ServerChecksPassword
>         HoldServerConnection
>    
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>            
>         Version 3
>        
> 
>         EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         Debug 255
>     </AuthBy>
> </Handler>
> 
> <Handler TunnelledByTTLS=1>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
> 
>         Host    ldap.mesd.k12.or.us <http://ldap.mesd.k12.or.us>
>         Port    389
>         AuthDN        *****
>         AuthPassword    *****
>         BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         UsernameAttr    uid
>         PasswordAttr    userPassword
>         ServerChecksPassword
>         HoldServerConnection
>    
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>        
>         Version 3
> 
>         EAPType MSCHAP-V2,MD5,TLS
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         Debug 255
>     </AuthBy>
> </Handler>
> 
> <Handler>
>     <AuthBy LDAP2>
>         NoDefault
>         #TranslatePasswordHook sub {return "{nthash}$_[0]";}
> 
>         Host    ldap.mesd.k12.or.us <http://ldap.mesd.k12.or.us>
>         Port    389
>         AuthDN        *****
>         AuthPassword    *****
>         BaseDN        ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
>         UsernameAttr    uid
>         PasswordAttr    userPassword
>         ServerChecksPassword
>         HoldServerConnection
>    
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>            
>         Version 3
> 
>         EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>         EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000.
> 
>         AutoMPPEKeys
> 
>         EAPTLS_PEAPVersion 0
>         EAPTLS_PEAPBrokenV1Label
>         EAPTLS_DHFile /etc/radiator/certificates/dh2048.pem
> 
>         Debug 255
>     </AuthBy>
> </Handler>
> 
> 
> ***********************
> Log Dump
> ***********************
> Tue Feb  7 15:18:22 2012: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Tue Feb  7 15:18:22 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Feb  7 15:18:22 2012: DEBUG: Creating authentication port
> 10.51.254.228:1645 <http://10.51.254.228:1645>
> Tue Feb  7 15:18:22 2012: DEBUG: Creating authentication port
> 10.51.254.228:1812 <http://10.51.254.228:1812>
> Tue Feb  7 15:18:22 2012: DEBUG: Creating accounting port
> 10.51.254.228:1646 <http://10.51.254.228:1646>
> Tue Feb  7 15:18:22 2012: DEBUG: Creating accounting port
> 10.51.254.228:1813 <http://10.51.254.228:1813>
> Tue Feb  7 15:18:22 2012: NOTICE: Server started: Radiator 4.9 on
> localhost.localdomain (LOCKED)
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 238
> Authentic:  /<20><19>:<146>e<195><185><135><5>#U<204><207><234><235>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><1><0><18><1>gitchy_gimbol
>     Message-Authenticator =
> <229><199><134><145><241><197><7>j7<205>%T<1>$<154><156>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 1, 18, 1
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 1
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 238
> Authentic:  <155><151>8<243><210>W<219><169><173><254>lxI<199><180><27>
> Attributes:
>     EAP-Message = <1><2><0><6><25>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 239
> Authentic:  <182><185><138><161><238><228>Q<211><236>eA<192>5<209><176><249>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><2><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>O1<170><174>VR<229><127><184><qM{<208>-<178><196>R<1><250><180><238><222><27><182><138><31><25><144><26><240>{<0><0>6<0>/<0><5><0><4><0>5<0><10><0><9><0><3><0><8><0><6><0>2<0>3<0>8<0>9<0><22><0><21><0><20><0><19><0><18><0><17><0>4<0>:<0><24><0><27><0><26><0><23><0><25><0><1><1><0>
>     Message-Authenticator = Ez<240><223><21>k<175>8<19>c<22><159>cl<152>*
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 2, 112, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 239
> Authentic:  h<17>L<19>9U-<235>1<182>qb<132><155>U<233>
> Attributes:
>     EAP-Message =
> <1><3><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>O1<177>oo"<241><153><191><171>><197>v(<239><155><165><183>;Y<137>A<28><211><196><154><29><152><144><147>l'
> <193><6><217><255><170>N<200>&<255><229><178><203><203><222><155>><194><145><195>a at f~<165><29><149>
> ~,5<21>}<0>/<0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>     EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in
> production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>111116214828Z<23><13>131115214828Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1%0#<6><3>U<4><3><19><28>t
>     EAP-Message =
> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><213>|5<149><252>7<170><164><8><136>w<6><229>,<180><131><28>Q<249>io6<250>5<174><131>}Y<252>P<133><174>Mll<197>8<189>F<197>><18>4<170><221>J<132>0j<160><238>I<214><8>P<180>cl<167><238><5><196><170><142><253>@d;k<163><164><234><146><16><3><24><212><228><245><14><132><154><190><212>:x&7<171><212><247><21>k<215>z(h<10><252><207>G<235><128><152><17>Le<137><130>'<196><182><214><18><180>R"<22>S~<6><164><227><220>f<156><249><235><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><149>J<214><242><222><198>`<209><9>O.<13>b<171><224>%<154><228><221><228>
>     EAP-Message =
> <241>~4<176>J<2><243><12><26>Z{B<137>+<234><0>Nu+P<9><165><244><203><234>912pO<161><165><184><223><200>^<19><167><137><158>W<24><240>T<194><130><8><251><28>0?<179>"<134><180>_<203><20><19><190><173><240>1<255><146>UR<161>g<223>d<7><192>O<27>)<146><248>D<127><145>Yg<242><243><162><192><244>&"<232>d<225>:<30><129>s2;!!<19><202><216>g<213><178>{<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><163>Gw<236><211>F<201><17>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 240
> Authentic:  T<139><160><133><154><205><220><213><149>w<215>kQ<154>DH
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><3><0><6><25><0>
>     Message-Authenticator =
> <154><30>><210><154>r;h<200><190><235><165>iC<177>K
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 3, 6, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 240
> Authentic:  (<175><229><252><253>P<181>{i<156>2<154>M<250><252>^
> Attributes:
>     EAP-Message = <1><4><3><208><25><0>t Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>111116214827Z<23><13>131115214827Z0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certific
>     EAP-Message = ate Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not
> use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><230>7<155><154>=<154>+<199><137><172>(<31>t<184>v<0>u*<204><248><249><25><249><181><168><172>`s<230>=<211>JB<186>e<2><0><8>I0<179>cV'Qb<196>E<225><228><227><151><215>2q<164>%<28>j<168>!<206><214>,<190><223><133>-<173>.<165><142><127><25><229><15><145>+l<172>K<232>W<202><238><130><232><223><25><148><175><208><137><251><211>n<185><184><174>`<216><149><136><163><128><194>6<211>?rK^w<236><150><143><152>^(<229><28><134><12><193><251>Q<132>!<2><3>
>     EAP-Message =
> <1><0><1><163><130><1>30<130><1>/0<29><6><3>U<29><14><4><22><4><20><14><174><229><25><249><1>d[+<252><160>JZ<211><145>W<134>9<238>B0<129><255><6><3>U<29>#<4><129><247>0<129><244><128><20><14><174><229><25><249><1>d[+<252><160>JZ<211><145>W<134>9<238>B<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in productio
>     EAP-Message = n)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au
> <mailto:mikem at open.com.au><130><9><0><163>Gw<236><211>F<201><17>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><224><155><161><236><140><231><132><11><160>)w<207>O<218>l<3>E'<216><255><169><179>;<171><147>W<239>a<147><31>q<158><199>0q<236><18><28>T<218><248>,<15><1>I<228><178><23><231>Y?<244>z<30><196>@<196><203><152>k=<145><255>]<134><220>@<251>T<210><216><198><187><15><199><155>mMw<208><145>j<244><150><235><170>3$<180><20><31>gS<151><253>f%V<249><166>i<16>f<237>0<147><131>+<193><31><183>'<5><221>|<240><195><181><131><223><28><225><143><165><215><242>&<1><22><3><1><0><4><14><0><0><0>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 241
> Authentic:  Q<196>t<26>K<9>t"<167><214><226><231><182>u<147><156>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><4><0><208><25><128><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>R<253><8><5><148>W<192><18>=<155>|<218>W<251><241>9`+<247><165><192><27>Y<186><205><231><130>c<226><11>Us<227><213><131>y(<241>"<169>C<212>+<14><172><133><164><127>p<23><237>*g<148><254>DI#s<170><24>{<195><131><201>C<237><216><21>!<149><143>;B<158>R<162><148><174><182><211><131><137><234>J<142><217><162>eL<26><14><14><224><151>i<205><169><183><135><162>n=<244><183>O<224><244>z}x.m{<240><142><156>visIg<225>{I<235><171>:<20><3><1><0><1><1><22><3><1><0>0<249><158><12><128><252><129><172><27><239><133><141>A<196>5><9>\<1><173><14><163>~<206>j<219><12><153><25><143><130><231><235><200>n2Vj<196><31><236><155><215><221><195><131>hM<212>
>     Message-Authenticator =
> <155><129>nP<30><189><237><191><132>9<211><23><172><255>"a
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 4, 208, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 241
> Authentic:  <172>8<159><176>t(<2>~<223><173><1><248>{'~<214>
> Attributes:
>     EAP-Message =
> <1><5><0>E<25><128><0><0><0>;<20><3><1><0><1><1><22><3><1><0>04z<234>Q<225>8t<195><152>/<208><155>R<201><204>S<162>.Fj<138><169><203><139>e%<178><190><231><203>k<219>yn{Sh<15><23><208><201><215>y<230><167>-[+
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 242
> Authentic:  <178>_<231>RzE<231><222><10><221>#<136><188>mNx
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><5><0><6><25><0>
>     Message-Authenticator =
> <249><178><2><227><157>=<174><143>J<160><127><233><154>~<235><17>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 5, 6, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 242
> Authentic:  p<31><217>R<237>O<168><146><216>@<197><238><17>6<168>p
> Attributes:
>     EAP-Message = <1><6><0>+<25><0><23><3><1><0>
> y3<169><171><169>Ur)<251>sm<172>Q<185><211><248><202><3>8<210><184><180><<201><138><138>D&-<31><30>b
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 243
> Authentic:  @<24><150><225>\<235><196><234>e<167><24>ayL<226><31>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><6><0>;<25><0><23><3><1><0>0<12>@O]<253><176>x<128><137><195><158><236><255>n<9><21><131><227><231>.mr<12><228><237><215><173>3<144><166>@<157>.U<162><152><148><220><133>Z<131>{\(K3<1>3
>     Message-Authenticator =
> }<209><252><171><157><22><196><239><22><3><223>R=<177><203><204>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 59, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Tue Feb  7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  ?<169><181><215>:1r<157><138><161>2{<215>|<15>>
> Attributes:
>     EAP-Message = <2><6><0><14><1>gitchy_gimbol
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     NAS-Port = 252
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     User-Name = "anonymous"
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for anonymous,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 6, 14, 1
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 1
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> MSCHAP-V2 Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for anonymous: EAP
> MSCHAP-V2 Challenge
> Tue Feb  7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  ?<169><181><215>:1r<157><138><161>2{<215>|<15>>
> Attributes:
>     EAP-Message =
> <1><7><0>/<26><1><7><0>*<16><202>g<7><208><27><14>'<208>S<140>j<207><226><187><165>.localhost.localdomain
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 243
> Authentic:  7<173>o<249><19>|<227><195>9*<28><142>-`<255><238>
> Attributes:
>     EAP-Message =
> <1><7><0>K<25><0><23><3><1><0>@v<219>@<224>s4<202>N1<239><184><137>#<137><129><161><'x<141><180><182><254><175><153>S<158>A2S<235><209><17><142><24><221><210><0><182><1><20><253><195><22>!<181>x<207><168>M<191><164>p<206><174>0<166><201><137>F<151><190><166><203>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 244
> Authentic:  <129>j<224>9<234>'[<235><30><15><0>E<197><159><127><147>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message =
> <2><7><0>k<25><0><23><3><1><0>`<165>/Tl<186>h<140><158><16>x}C<128><144><166>3l<127><171><16><16>x+<192><140><141><245>{C<135>J<234><251><250><214><239><249>lE<226><129>N<185><3><237><188><205>.2<127><31><252>y<145><22><200>Xv<243><127><150><212><153><130>+<180>E<206><163>5<19><159>O<203><174><2><167><200><211>y<140><22>5<146><157>>s<224>or<241>.<199><216>`<229>
>     Message-Authenticator =
> <210><249>`<226><24><253><235><228><4><160>hPW<202><214><160>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 107, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Tue Feb  7 15:19:11 2012: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <255>A<247><254><228><148><244><8><157>w<200><4><135>x)<138>
> Attributes:
>     EAP-Message =
> <2><7><0>D<26><2><7><0>C19<243>W<19>ZKTq2T<22><218>g<207><223><149><0><0><0><0><0><0><0><0><155>C<0><202><135>%Zh<158><168><209><31><11><240>"N<239>+Z<199>y<148><219><172><0>gitchy_gimbol
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     NAS-Port = 252
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     User-Name = "anonymous"
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for anonymous,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 7, 68, 26
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 26
> Tue Feb  7 15:19:11 2012: INFO: Connecting to ldap.mesd.k12.or.us:389
> <http://ldap.mesd.k12.or.us:389>
> Tue Feb  7 15:19:11 2012: INFO: Attempting to bind to LDAP server
> ldap.mesd.k12.or.us:389 <http://ldap.mesd.k12.or.us:389>
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got result for
> uid=gitchy_gimbol,ou=staff,dc=ddouglas,dc=k12,dc=or,dc=us
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got cn: Gitchy Gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got givenName: Gitchy
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got sn: Gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got objectClass: MESDperson
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got mail:
> Gitchy_Gimbol at ddouglas.k12.or.us <mailto:Gitchy_Gimbol at ddouglas.k12.or.us>
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got maildrop: gitchy_gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got mailacceptinggeneralid:
> Gitchy_Gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got uid: gitchy_gimbol
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got o: David Douglas
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got ou: District Office
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got uidNumber: 1031
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got apple-generateduid:
> DBDE2115-9C46-42A5-91D8-8D43DB208D8E
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got gidNumber: 1028
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got employeeNumber: 999999
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got houseIdentifier: West
> Powellhurst District Office
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got telephoneNumber: 5555
> Tue Feb  7 15:19:11 2012: DEBUG: LDAP got pwdLastSet: 1328300336
> Tue Feb  7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 looks for match with
> gitchy_gimbol [anonymous]
> Tue Feb  7 15:19:11 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> gitchy_gimbol [anonymous]
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication failure
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP
> MSCHAP-V2 Authentication failure
> Tue Feb  7 15:19:11 2012: INFO: Access rejected for anonymous: EAP
> MSCHAP-V2 Authentication failure
> Tue Feb  7 15:19:11 2012: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <255>A<247><254><228><148><244><8><157>w<200><4><135>x)<138>
> Attributes:
>     EAP-Message = <4><7><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
> 
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
> PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Access challenged for gitchy_gimbol:
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Challenge
> Identifier: 244
> Authentic:  <167><148>C<22><133><129><248><145><243>)<219><243>7q<147><238>
> Attributes:
>     EAP-Message = <1><8><0>+<25><0><23><3><1><0>
> B<127>IV]<27>r<4><141>Vu<5><188><175><24><233>%<174><175><133><144><230><171><<226>_<217><16>,k<223><155>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Received from 10.51.254.76 port 1024 ....
> Code:       Access-Request
> Identifier: 245
> Authentic: 
> <189><143><229><141><217><227><186>C]<176><218><199>6<175><20><151>
> Attributes:
>     Framed-MTU = 1466
>     NAS-IP-Address = 10.51.254.76
>     NAS-Identifier = "RADIUS TEST"
>     User-Name = "gitchy_gimbol"
>     Service-Type = Framed-User
>     NAS-Port = 252
>     NAS-Port-Type = Ethernet
>     NAS-Port-Id = "wl0"
>     Called-Station-Id = "00-11-24-a9-7f-88"
>     Calling-Station-Id = "00-0d-93-84-a4-11"
>     Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>     EAP-Message = <2><8><0>+<25><0><23><3><1><0>
> X9zfJ<185>2<198><186><232><226><194>vB<163><13>j9}<17><149>$<30><176><234>&<157><226>-V~<223>
>     Message-Authenticator = 4I<139><218><141>B><2><236><24>9(j<12><27>?
> 
> Tue Feb  7 15:19:11 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb  7 15:19:11 2012: DEBUG:  Deleting session for gitchy_gimbol,
> 10.51.254.76, 252
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Feb  7 15:19:11 2012: DEBUG: Handling with EAP: code 2, 8, 43, 25
> Tue Feb  7 15:19:11 2012: DEBUG: Response type 25
> Tue Feb  7 15:19:11 2012: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb  7 15:19:11 2012: DEBUG: AuthBy LDAP2 result: REJECT, PEAP
> Authentication Failure
> Tue Feb  7 15:19:11 2012: INFO: Access rejected for gitchy_gimbol: PEAP
> Authentication Failure
> Tue Feb  7 15:19:11 2012: DEBUG: Packet dump:
> *** Sending to 10.51.254.76 port 1024 ....
> Code:       Access-Reject
> Identifier: 245
> Authentic:  @<178>#<191>/F<14><204>A<219><188>2<240>o<145>*
> Attributes:
>     EAP-Message = <4><8><0><4>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -- 
> Shay Smith
> ----------------------------------------
> 
> Gmail Evangelist
> David Douglas School District
> 503-261-8235
> 
> www.ddouglas.k12.or.us <http://www.ddouglas.k12.or.us>
> <http://shay.ddouglas.k12.or.us>
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From lee at supanet.net.uk  Wed Feb  8 11:40:08 2012
From: lee at supanet.net.uk (Lee Solway)
Date: Wed, 08 Feb 2012 17:40:08 +0000
Subject: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results
Message-ID: <4F32B378.5010102@supanet.net.uk>

Is there a way I can set an access Accept or Reject in the MySQL results 
generated by AuthBy SQL?

Currently I have a stored procedure that I call in the following.. I 
would like the SP to be able to reject the Access-Request with an error 
message also if possible..

    AuthSelect            CALL get_reply_attr('%U')
    AuthColumnDef     0, GENERIC, reply
    AuthColumnDef     1, User-Password, check

Thanks,
Lee

From hvn at open.com.au  Thu Feb  9 03:01:50 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 09 Feb 2012 11:01:50 +0200
Subject: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results
In-Reply-To: <4F32B378.5010102@supanet.net.uk>
References: <4F32B378.5010102@supanet.net.uk>
Message-ID: <4F338B7E.9030003@open.com.au>

On 02/08/2012 07:40 PM, Lee Solway wrote:

Hello Lee,

> Is there a way I can set an access Accept or Reject in the MySQL results 
> generated by AuthBy SQL?

Please see below for one method.

> Currently I have a stored procedure that I call in the following.. I 
> would like the SP to be able to reject the Access-Request with an error 
> message also if possible..
> 
>     AuthSelect            CALL get_reply_attr('%U')
>     AuthColumnDef     0, GENERIC, reply
>     AuthColumnDef     1, User-Password, check

You could do both (control accept/reject and return reason) with
something like this. First change get_reply_attr to return 'true' or
'false' to control Accept or Reject. Also add another return value which
is the Reply-Message that is returned with Access-Reject.

     AuthColumnDef 2,X-Accepted-By-Sql,check
     AuthColumnDef 3,X-Reject-Msg,request

In the Handler or Realm clause prime X-Accepted-By-Sql like this:

    AddToRequest X-Accepted-By-Sql=true

In the same Handler or Realm add RejectHasReason and a PostAuthHook to
replace reason with the value from SQL call.

    RejectHasReason.
    PostAuthHook sub { my $p = ${$_[0]}; my $rp = ${$_[1]}; \
                       my $result = $_[2]; my $reason = $_[3]; \
        return unless $$result == $main::REJECT; \
        $$reason = $p->get_attr('X-Reject-Msg'); \
        }

Putting this together, if the third value returned by SQL call is
something else than 'true' the request will be rejected. The hook will
then set the returned Reply-Message based on X-Reject-Msg which comes
from SQL call.

For more about the hook parameters, please see the reference manual.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From ringo at vianet.ca  Thu Feb  9 05:43:36 2012
From: ringo at vianet.ca (Michael)
Date: Thu, 09 Feb 2012 06:43:36 -0500
Subject: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results
In-Reply-To: <4F32B378.5010102@supanet.net.uk>
References: <4F32B378.5010102@supanet.net.uk>
Message-ID: <4F33B168.3090008@vianet.ca>

I use a reject column in my user database, and SELECT it like this:
SELECT username, crypt, CONCAT('Reject:',reject), ....

and:
AuthColumnDef   2, Auth-Type, check

so, if the reject column is NULL, CONCAT returns NULL and it passed, but if the reject column has text in it, CONCAT returns 'Reject:reject reason', and the user is rejected.




On 12-02-08 12:40 PM, Lee Solway wrote:
> Is there a way I can set an access Accept or Reject in the MySQL results
> generated by AuthBy SQL?
>
> Currently I have a stored procedure that I call in the following.. I
> would like the SP to be able to reject the Access-Request with an error
> message also if possible..
>
>      AuthSelect            CALL get_reply_attr('%U')
>      AuthColumnDef     0, GENERIC, reply
>      AuthColumnDef     1, User-Password, check
>
> Thanks,
> Lee
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>

From puchol at me.com  Thu Feb  9 07:08:24 2012
From: puchol at me.com (Mike Puchol)
Date: Thu, 09 Feb 2012 14:08:24 +0100
Subject: [RADIATOR] iOS5 and untrusted/not verified EAP certificates
Message-ID: <9651683AA1E1413EBC81547950B10A91@me.com>

Hi all, 

I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm using an SSL certificate from Digicert, signed using SHA-1, and Digicert being on the list of trusted CAs by iOS (I even checked the serial number, which is good), I get the following on the iPad's debug console:

Feb  9 14:02:08 Mikes-iPad kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
Feb  9 14:02:08 Mikes-iPad eapolclient[149] <Notice>: peap_verify_server: server certificate not trusted, status 3 0
Feb  9 14:02:08 Mikes-iPad Preferences[93] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
Feb  9 14:02:10 Mikes-iPad eapolclient[149] <Notice>: peap_verify_server: server certificate not trusted, status 3 0
Feb  9 14:02:16 Mikes-iPad eapolclient[149] <Notice>: peap_verify_server: server certificate not trusted, status 3 0

The iPad then shows up an "Add certificate" dialog, but with a big red button and the text "Not verified". My guess is that it's trying to check a CRL, but of course, being still offline, this cannot be done.

Has anyone successfully connected an iOS5 device using EAP without "bad certificate" warnings? As clarification, I'm not using provisioning profiles, so the iPad doesn't "know" the network when it first connects to it.

Cheers,

Mike 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120209/92d6d389/attachment.html 

From alexander.hartmaier at t-systems.at  Thu Feb  9 08:11:18 2012
From: alexander.hartmaier at t-systems.at (Alexander Hartmaier)
Date: Thu, 9 Feb 2012 15:11:18 +0100
Subject: [RADIATOR] iOS5 and untrusted/not verified EAP certificates
In-Reply-To: <9651683AA1E1413EBC81547950B10A91@me.com>
References: <9651683AA1E1413EBC81547950B10A91@me.com>
Message-ID: <4F33D406.2090503@t-systems.at>

Hi Mike,

does IOS 5.1 finally support PEAP-TLS?

Best regards, Alex

Am 2012-02-09 14:08, schrieb Mike Puchol:
> Hi all,
>
> I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm
> using an SSL certificate from Digicert, signed using SHA-1, and Digicert
> being on the list of trusted CAs by iOS (I even checked the serial
> number, which is good), I get the following on the iPad's debug console:
>
> Feb  9 14:02:08 Mikes-iPad kernel[0] <Debug>:
> AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK,
> index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
> Feb  9 14:02:08 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:08 Mikes-iPad Preferences[93] <Warning>:
> -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User
> Information required
> Feb  9 14:02:10 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:16 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
>
> The iPad then shows up an "Add certificate" dialog, but with a big red
> button and the text "Not verified". My guess is that it's trying to
> check a CRL, but of course, being still offline, this cannot be done.
>
> Has anyone successfully connected an iOS5 device using EAP without "bad
> certificate" warnings? As clarification, I'm not using provisioning
> profiles, so the iPad doesn't "know" the network when it first connects
> to it.
>
> Cheers,
>
> Mike
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

From hvn at open.com.au  Thu Feb  9 08:32:14 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 09 Feb 2012 16:32:14 +0200
Subject: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results
In-Reply-To: <4F33B168.3090008@vianet.ca>
References: <4F32B378.5010102@supanet.net.uk> <4F33B168.3090008@vianet.ca>
Message-ID: <4F33D8EE.6080603@open.com.au>

On 02/09/2012 01:43 PM, Michael wrote:

> I use a reject column in my user database, and SELECT it like this:
> SELECT username, crypt, CONCAT('Reject:',reject), ....
> 
> and:
> AuthColumnDef   2, Auth-Type, check

Yes, this is a very good method to do it.

> so, if the reject column is NULL, CONCAT returns NULL and it passed, but if the reject column has text in it, CONCAT returns 'Reject:reject reason', and the user is rejected.

Also, if SQL call returns 'Accept', the password check must still be
successful. So Auth-Type by itself does not accept the user if the
password is wrong.

A slight difference between this method and using hooks is the returned
Reply-Message with bad password. The above method returns Bad password
while with hooks it's possible to return message from SQL call.

Thanks!
Heikki

> 
> 
> On 12-02-08 12:40 PM, Lee Solway wrote:
>> Is there a way I can set an access Accept or Reject in the MySQL results
>> generated by AuthBy SQL?
>>
>> Currently I have a stored procedure that I call in the following.. I
>> would like the SP to be able to reject the Access-Request with an error
>> message also if possible..
>>
>>      AuthSelect            CALL get_reply_attr('%U')
>>      AuthColumnDef     0, GENERIC, reply
>>      AuthColumnDef     1, User-Password, check
>>
>> Thanks,
>> Lee
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Thu Feb  9 08:55:09 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 09 Feb 2012 16:55:09 +0200
Subject: [RADIATOR] iOS5 and untrusted/not verified EAP certificates
In-Reply-To: <9651683AA1E1413EBC81547950B10A91@me.com>
References: <9651683AA1E1413EBC81547950B10A91@me.com>
Message-ID: <4F33DE4D.7050102@open.com.au>

On 02/09/2012 03:08 PM, Mike Puchol wrote:

Hello Mike,

> I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm
> using an SSL certificate from Digicert, signed using SHA-1, and Digicert
> being on the list of trusted CAs by iOS (I even checked the serial
> number, which is good), I get the following on the iPad's debug console:

I get the following certificate dialog when joining a WPA-Enterprise
network for the first time:

           Certificate
*cn.from.certificate*    (e.g. radius.example.com)
thawte Primary Root CA

*red*Not Verified*red*     button:Accept

Description: Client Authentication
Expires: 27.11.2013 1.59.59

More details >


The root CA is from thawte, as seen above, and Radiator sends full
certificate chain linking the root via the intermediary CAs to
radius.example.com's certificate.

So the root CA is known by iOS, certificate chain is complete and
everything is good. However, it still displays the red 'Not Verified'
and Accept button. Once Accept is chosen, the dialog does not come back
when rejoining the network.

The only way to get rid of all dialogs has been to use the configuration
utility and create a profile.

Note: there was no 'Add certificate', 'bad certificate' or red button.
If you see those, maybe the certifiate chain RADIUS server sends is not
complete. It does display 'Not verified', though, when not configured
with external profile.

Heikki

> Feb  9 14:02:08 Mikes-iPad kernel[0] <Debug>:
> AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK,
> index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
> Feb  9 14:02:08 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:08 Mikes-iPad Preferences[93] <Warning>:
> -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User
> Information required
> Feb  9 14:02:10 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:16 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> 
> The iPad then shows up an "Add certificate" dialog, but with a big red
> button and the text "Not verified". My guess is that it's trying to
> check a CRL, but of course, being still offline, this cannot be done.
> 
> Has anyone successfully connected an iOS5 device using EAP without "bad
> certificate" warnings? As clarification, I'm not using provisioning
> profiles, so the iPad doesn't "know" the network when it first connects
> to it.
> 
> Cheers,
> 
> Mike
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From JWatkins at acninc.com  Thu Feb  9 10:07:05 2012
From: JWatkins at acninc.com (Jared Watkins)
Date: Thu, 9 Feb 2012 16:07:05 +0000
Subject: [RADIATOR] Performance tuning
Message-ID: <586DE206-6765-40F8-AF9C-68C2640FDD43@acninc.com>

Hello.. 

I'm attempting to load some old cdr accounting data into my dev environment through Radiator and I'm seeing a problem with dropped records.  I saw the note in the doc about increasing the SocketQueueLength and I've done that both in the Radiator config and in the OS... taking it from 128k to 12M. (overkill?) but even with that... every time I reload the same days data from disk.. I'm getting more and more records into the DB for that day. It's not a big difference.. maybe 200 more recs out of 18k each time I resend the data. I'm using the unique recordid as the primary DB key to avoid duplicate entries.   I'm not seeing any errors or timeouts on the client side.. which tells me the packets are being acknowledged as received.... and I see a continuous stream of packets to and from the client.. but when tailing a debug log from radiator where I should see one log entry for every record.. I see periodic pauses in the log... sometimes of a few seconds. 

Of course this isn't a normal level of activity... this is me blasting the server from cdr files stored on disk. Any insight on what else I might try here? 

Thanks,
J


From puchol at me.com  Fri Feb 10 04:04:21 2012
From: puchol at me.com (Mike Puchol)
Date: Fri, 10 Feb 2012 11:04:21 +0100
Subject: [RADIATOR] iOS5 and untrusted/not verified EAP certificates
In-Reply-To: <4F33DE4D.7050102@open.com.au>
References: <9651683AA1E1413EBC81547950B10A91@me.com>
	<4F33DE4D.7050102@open.com.au>
Message-ID: <E6688E47F080427DAB693B4A75A16171@me.com>

Hi Heikki, 

Thank you for your comments - indeed it appears that the only way to avoid the "Not verified" certificate message is to provision the device with a mobileconfig profile.

Best,

Mike 

On Thursday, February 9, 2012 at 3:55 PM, Heikki Vatiainen wrote:

> On 02/09/2012 03:08 PM, Mike Puchol wrote:
> 
> Hello Mike,
> 
> > I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm
> > using an SSL certificate from Digicert, signed using SHA-1, and Digicert
> > being on the list of trusted CAs by iOS (I even checked the serial
> > number, which is good), I get the following on the iPad's debug console:
> > 
> 
> 
> I get the following certificate dialog when joining a WPA-Enterprise
> network for the first time:
> 
> Certificate
> *cn.from.certificate* (e.g. radius.example.com (http://radius.example.com))
> thawte Primary Root CA
> 
> *red*Not Verified*red* button:Accept
> 
> Description: Client Authentication
> Expires: 27.11.2013 1.59.59
> 
> More details >
> 
> 
> The root CA is from thawte, as seen above, and Radiator sends full
> certificate chain linking the root via the intermediary CAs to
> radius.example.com (http://radius.example.com)'s certificate.
> 
> So the root CA is known by iOS, certificate chain is complete and
> everything is good. However, it still displays the red 'Not Verified'
> and Accept button. Once Accept is chosen, the dialog does not come back
> when rejoining the network.
> 
> The only way to get rid of all dialogs has been to use the configuration
> utility and create a profile.
> 
> Note: there was no 'Add certificate', 'bad certificate' or red button.
> If you see those, maybe the certifiate chain RADIUS server sends is not
> complete. It does display 'Not verified', though, when not configured
> with external profile.
> 
> Heikki

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120210/cfea36c7/attachment.html 

From JWatkins at acninc.com  Fri Feb 10 10:31:31 2012
From: JWatkins at acninc.com (Jared Watkins)
Date: Fri, 10 Feb 2012 16:31:31 +0000
Subject: [RADIATOR] Performance tuning
In-Reply-To: <586DE206-6765-40F8-AF9C-68C2640FDD43@acninc.com>
References: <586DE206-6765-40F8-AF9C-68C2640FDD43@acninc.com>
Message-ID: <C578FFD9-823E-4458-8618-108D26F74F2F@acninc.com>

Replying to my own comment.. just so others could maybe benefit.  After wasting many hours trying to figure this out.. I finally did this morning.  My problem was that I was sending multiple streams of records from one IP to the same Radiator server and it was discarding most of them because of overlapping sequence numbers.  The network buffer *may* have been part of the original problem.. but subsequent attempts to load historical data through the same servers I was loading live data was not working as expected. 




On Feb 9, 2012, at 11:07 AM, Jared Watkins wrote:

> Hello.. 
> 
> I'm attempting to load some old cdr accounting data into my dev environment through Radiator and I'm seeing a problem with dropped records.  I saw the note in the doc about increasing the SocketQueueLength and I've done that both in the Radiator config and in the OS... taking it from 128k to 12M. (overkill?) but even with that... every time I reload the same days data from disk.. I'm getting more and more records into the DB for that day. It's not a big difference.. maybe 200 more recs out of 18k each time I resend the data. I'm using the unique recordid as the primary DB key to avoid duplicate entries.   I'm not seeing any errors or timeouts on the client side.. which tells me the packets are being acknowledged as received.... and I see a continuous stream of packets to and from the client.. but when tailing a debug log from radiator where I should see one log entry for every record.. I see periodic pauses in the log... sometimes of a few seconds. 
> 
> Of course this isn't a normal level of activity... this is me blasting the server from cdr files stored on disk. Any insight on what else I might try here? 
> 
> Thanks,
> J
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


From alby26 at gmail.com  Tue Feb 14 03:24:01 2012
From: alby26 at gmail.com (Alby)
Date: Tue, 14 Feb 2012 10:24:01 +0100
Subject: [RADIATOR] Limit users' request rate
Message-ID: <CAGg551HQicidxmL+ZTpPMZnNxVn1fKWtF9jjUEDQuem_Jqi87A@mail.gmail.com>

Hi all,
does anyone know if Radiator has an easy way to limit the users' request
rate? I would like to make users that fail the authentication for more than
10 times consequently to wait for some minutes before being able to
authenticate again in the system. This could be useful to keep away people
trying to guess other users' password.
Thank you for your help!
Alberto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120214/02594ae4/attachment.html 

From hugh at open.com.au  Tue Feb 14 04:13:21 2012
From: hugh at open.com.au (Hugh Irvine)
Date: Tue, 14 Feb 2012 21:13:21 +1100
Subject: [RADIATOR] Limit users' request rate
In-Reply-To: <CAGg551HQicidxmL+ZTpPMZnNxVn1fKWtF9jjUEDQuem_Jqi87A@mail.gmail.com>
References: <CAGg551HQicidxmL+ZTpPMZnNxVn1fKWtF9jjUEDQuem_Jqi87A@mail.gmail.com>
Message-ID: <82036DC0-5B14-4BF9-9B1F-C9CD04F229DC@open.com.au>


Hello Alberto -

There are a couple of examples in "goodies/hooks.txt" in the Radiator distribution.

regards

Hugh


On 14 Feb 2012, at 20:24, Alby wrote:

> Hi all,
> does anyone know if Radiator has an easy way to limit the users' request rate? I would like to make users that fail the authentication for more than 10 times consequently to wait for some minutes before being able to authenticate again in the system. This could be useful to keep away people trying to guess other users' password. 
> Thank you for your help!
> Alberto
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


From alby26 at gmail.com  Tue Feb 14 05:04:59 2012
From: alby26 at gmail.com (Alby)
Date: Tue, 14 Feb 2012 12:04:59 +0100
Subject: [RADIATOR] Limit users' request rate
In-Reply-To: <82036DC0-5B14-4BF9-9B1F-C9CD04F229DC@open.com.au>
References: <CAGg551HQicidxmL+ZTpPMZnNxVn1fKWtF9jjUEDQuem_Jqi87A@mail.gmail.com>
	<82036DC0-5B14-4BF9-9B1F-C9CD04F229DC@open.com.au>
Message-ID: <CAGg551G_2FkQtkA03FA5ACf=zRAfGFc1YUdSoB=0zUphu=NedQ@mail.gmail.com>

Hi Hugh,
thank you for your quick response. I'm going to have a look to it asap.
Alberto

Il giorno 14 febbraio 2012 11:13, Hugh Irvine <hugh at open.com.au> ha scritto:

>
> Hello Alberto -
>
> There are a couple of examples in "goodies/hooks.txt" in the Radiator
> distribution.
>
> regards
>
> Hugh
>
>
> On 14 Feb 2012, at 20:24, Alby wrote:
>
> > Hi all,
> > does anyone know if Radiator has an easy way to limit the users' request
> rate? I would like to make users that fail the authentication for more than
> 10 times consequently to wait for some minutes before being able to
> authenticate again in the system. This could be useful to keep away people
> trying to guess other users' password.
> > Thank you for your help!
> > Alberto
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120214/bc9ceddf/attachment.html 

From estassen at gmail.com  Tue Feb 14 07:53:04 2012
From: estassen at gmail.com (Eddie Stassen)
Date: Tue, 14 Feb 2012 15:53:04 +0200
Subject: [RADIATOR] Bug in SessSQL.pm
Message-ID: <CAPhbAj4PTKStnmEMfB1OHMBVeviwygEW0m30Fy2czuDhYhDqkw@mail.gmail.com>

UpdateQuery <SessionDatabase SQL> crashes Radiator when the query
contains %{Quote:...}.  This is due to $self not being passed as the
third parameter to Radius::Util::format_special(). The patch below
fixes it.

Regards,
Eddie Stassen

--- SessSQL.pm.ORIG     2012-02-14 15:32:12.000000000 +0200
+++ SessSQL.pm  2012-02-14 15:44:42.000000000 +0200
@@ -132,7 +132,9 @@
     $self->log($main::LOG_DEBUG,
               "$self->{Identifier} Updating session for $name,
$nas_id, $nas_port", $p);
     # Now add the new one
-    $self->do(&Radius::Util::format_special($self->{UpdateQuery}, $p));
+    $self->do(&$self->{UpdateQuery}, $p, $self,
+            $self->quote($name), $nas_id, $nas_port+0,
+            $self->quote($p->getAttrByNum($Radius::Radius::ACCT_SESSION_ID))));
 }

From yakuman77 at gmail.com  Tue Feb 14 09:34:36 2012
From: yakuman77 at gmail.com (Mark Green)
Date: Tue, 14 Feb 2012 16:34:36 +0100
Subject: [RADIATOR] Chap challenge in AuthBy EXTERNAL
Message-ID: <CAGSkO-XeSrRn_is6BJkvASMfTh82294X=0KREbX+-f_HsSZm9A@mail.gmail.com>

Hello,

I'm using an external command to authenticate users with <AuthBy EXTERNAL>.

I've implemented PAP and CHAP.

I've a problem with CHAP. If the NAS sends CHAP-Challenge I have no problem.
But some ciscos send only CHAP-Password.

How can I get the CHAP challenge in this case?

In AuthGeneric.pm i read these lines

# The challenge is sent by the client in CHAP-Challenge.
# If that is not set, the challenge is in the authenticator
$challenge = $p->getAttrByNum($Radius::Radius::CHAP_CHALLENGE);
$challenge = $p->authenticator unless defined $challenge;

What is authenticator? How can I read this value in AuthBy EXTERNAL?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120214/234aaa58/attachment.html 

From mikem at open.com.au  Tue Feb 14 14:45:08 2012
From: mikem at open.com.au (Mike McCauley)
Date: Wed, 15 Feb 2012 06:45:08 +1000
Subject: [RADIATOR] Bug in SessSQL.pm
In-Reply-To: <CAPhbAj4PTKStnmEMfB1OHMBVeviwygEW0m30Fy2czuDhYhDqkw@mail.gmail.com>
References: <CAPhbAj4PTKStnmEMfB1OHMBVeviwygEW0m30Fy2czuDhYhDqkw@mail.gmail.com>
Message-ID: <265863814.CHhWZl2pCU@zulu>

Hi Eddie,

thanks for reporting this.
It has now been fixed in the latest patch set.

Cheers.

On Tuesday, February 14, 2012 03:53:04 PM Eddie Stassen wrote:
> UpdateQuery <SessionDatabase SQL> crashes Radiator when the query
> contains %{Quote:...}.  This is due to $self not being passed as the
> third parameter to Radius::Util::format_special(). The patch below
> fixes it.
> 
> Regards,
> Eddie Stassen
> 
> --- SessSQL.pm.ORIG     2012-02-14 15:32:12.000000000 +0200
> +++ SessSQL.pm  2012-02-14 15:44:42.000000000 +0200
> @@ -132,7 +132,9 @@
>      $self->log($main::LOG_DEBUG,
>                "$self->{Identifier} Updating session for $name,
> $nas_id, $nas_port", $p);
>      # Now add the new one
> -    $self->do(&Radius::Util::format_special($self->{UpdateQuery}, $p));
> +    $self->do(&$self->{UpdateQuery}, $p, $self,
> +            $self->quote($name), $nas_id, $nas_port+0,
> +           
> $self->quote($p->getAttrByNum($Radius::Radius::ACCT_SESSION_ID)))); }
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


From hugh at open.com.au  Tue Feb 14 16:29:09 2012
From: hugh at open.com.au (Hugh Irvine)
Date: Wed, 15 Feb 2012 09:29:09 +1100
Subject: [RADIATOR] Limit users' request rate
In-Reply-To: <7EFF9DA7125B3546A49D38FFDED4F88A23B5584B@CED01MBXS05.replynet.prv>
References: <CAGg551HQicidxmL+ZTpPMZnNxVn1fKWtF9jjUEDQuem_Jqi87A@mail.gmail.com>,
	<82036DC0-5B14-4BF9-9B1F-C9CD04F229DC@open.com.au>
	<7EFF9DA7125B3546A49D38FFDED4F88A23B5584B@CED01MBXS05.replynet.prv>
Message-ID: <790D9222-3002-4ED8-870C-7D8669B57544@open.com.au>


Ciao Matteo -

I'm sorry but I don't understand your question.

The Radiator documentation is available on the web site:

	http://www.open.com.au/radiator/documentation.html

and there are a great many examples of how to configure Radiator in the "goodies" directory of the Radiator distribution.

regards

Hugh


On 14 Feb 2012, at 23:21, Guiati Matteo wrote:

> Hi Irvine,
>   thanks again for your quick responce.
> We would like to know security features developed in Radiator.
> Could you share with us docs?
> 
> 
> Thanks in advance,
> 
> Best regards,
> 
> Matteo
> 
> 
> 
> Matteo Guiati
> Spike Reply
> Via Castellanza, 11
> 20151 - Milano - ITALY
> phone: +39 02 535761
> mobile: +39 345 3307484
> m.guiati at reply.it
> www.reply.it
> 
> ________________________________________
> From: Hugh Irvine [hugh at open.com.au]
> Sent: Tuesday, 14 February 2012 11:13 AM
> To: Alby
> Cc: radiator at open.com.au; Guiati Matteo
> Subject: Re: [RADIATOR] Limit users' request rate
> 
> Hello Alberto -
> 
> There are a couple of examples in "goodies/hooks.txt" in the Radiator distribution.
> 
> regards
> 
> Hugh
> 
> 
> On 14 Feb 2012, at 20:24, Alby wrote:
> 
>> Hi all,
>> does anyone know if Radiator has an easy way to limit the users' request rate? I would like to make users that fail the authentication for more than 10 times consequently to wait for some minutes before being able to authenticate again in the system. This could be useful to keep away people trying to guess other users' password.
>> Thank you for your help!
>> Alberto
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> --
> 
> Hugh Irvine
> hugh at open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
> 
> ________________________________
> 
> --
> The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


From alexander.hartmaier at t-systems.at  Wed Feb 15 09:18:24 2012
From: alexander.hartmaier at t-systems.at (Alexander Hartmaier)
Date: Wed, 15 Feb 2012 16:18:24 +0100
Subject: [RADIATOR] missing request attributes with TunnelledByPEAP
Message-ID: <4F3BCCC0.3050908@t-systems.at>

Hi,
we're doing PEAP-TLS for our WLANs and need to have different settings
per SSID.
The outer PEAP packet includes the Called-Station-Id attribute in the
form of 01-23-45-67-89-0a:SSID which I match using:
<Handler Client-Identifier="wlancontroller", EAP-Message=/.+/,
Called-Station-Id=/:SSID$/>

The inner TLS packet is matched by
<Handler Client-Identifier="wlancontroller", TunnelledByPEAP=1>
but in case we want to have multiple SSIDs using PEAP-something we can't
distinguish the inner request because the Called-Station-Id isn't
included in the inner request.

Is there an option which attributes get copied to the inner request packet?

Thanks!

--
Cheers, Alex


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

From scottshaw at 163.com  Wed Feb 15 09:40:28 2012
From: scottshaw at 163.com (Scott)
Date: Wed, 15 Feb 2012 23:40:28 +0800 (CST)
Subject: [RADIATOR] Radiator Radius with VPN, mobile OTP
In-Reply-To: <265863814.CHhWZl2pCU@zulu>
References: <265863814.CHhWZl2pCU@zulu>
	<CAPhbAj4PTKStnmEMfB1OHMBVeviwygEW0m30Fy2czuDhYhDqkw@mail.gmail.com>
Message-ID: <90a706b.a907.13581ac0511.Coremail.scottshaw@163.com>

Hi Team  - I am currently working on a potential customer for a
> e-government project. For it's external VPN access, I am proposing  Radiator. any of you have any white paper, success story, or case study related I can refer to ? Prefer some VPN radiau authetication with Mobile OTP, or other enhanced security authentication method.
> Thanks !
> best regards
Scott




At 2012-02-15 04:45:08,"Mike McCauley" <mikem at open.com.au> wrote:
>Hi Eddie,
>
>thanks for reporting this.
>It has now been fixed in the latest patch set.
>
>Cheers.
>
>On Tuesday, February 14, 2012 03:53:04 PM Eddie Stassen wrote:
>> UpdateQuery <SessionDatabase SQL> crashes Radiator when the query
>> contains %{Quote:...}.  This is due to $self not being passed as the
>> third parameter to Radius::Util::format_special(). The patch below
>> fixes it.
>> 
>> Regards,
>> Eddie Stassen
>> 
>> --- SessSQL.pm.ORIG     2012-02-14 15:32:12.000000000 +0200
>> +++ SessSQL.pm  2012-02-14 15:44:42.000000000 +0200
>> @@ -132,7 +132,9 @@
>>      $self->log($main::LOG_DEBUG,
>>                "$self->{Identifier} Updating session for $name,
>> $nas_id, $nas_port", $p);
>>      # Now add the new one
>> -    $self->do(&Radius::Util::format_special($self->{UpdateQuery}, $p));
>> +    $self->do(&$self->{UpdateQuery}, $p, $self,
>> +            $self->quote($name), $nas_id, $nas_port+0,
>> +           
>> $self->quote($p->getAttrByNum($Radius::Radius::ACCT_SESSION_ID)))); }
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>-- 
>Mike McCauley                               mikem at open.com.au
>Open System Consultants Pty. Ltd
>9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
>Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
>Radiator: the most portable, flexible and configurable RADIUS server 
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120215/c9866f18/attachment.html 

From hvn at open.com.au  Wed Feb 15 12:40:18 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 15 Feb 2012 20:40:18 +0200
Subject: [RADIATOR] missing request attributes with TunnelledByPEAP
In-Reply-To: <4F3BCCC0.3050908@t-systems.at>
References: <4F3BCCC0.3050908@t-systems.at>
Message-ID: <4F3BFC12.50001@open.com.au>

On 02/15/2012 05:18 PM, Alexander Hartmaier wrote:

Hello Alex,

> The inner TLS packet is matched by
> <Handler Client-Identifier="wlancontroller", TunnelledByPEAP=1>
> but in case we want to have multiple SSIDs using PEAP-something we can't
> distinguish the inner request because the Called-Station-Id isn't
> included in the inner request.
> 
> Is there an option which attributes get copied to the inner request packet?

You can use PreHandlerHook. It is now documented in 4.9 ref.pdf too:

  5.20.65 PreHandlerHook
  For EAP types that carry inner requests (such as PEAP, TTLS, FAST
  etc), specifies a Perl hook to be called before the inner request
  is redispatched to a matching Realm or Handler.


In the outer Handler do something like this:

PreHandlerHook sub { \
  my $tp = ${$_[0]}; \
  $tp->add_attr('Called-Station-Id', \
                $tp->{outerRequest}->get_attr('Called-Station-Id')); \
  };

tp stands for tunnelled packet. It can be manipulated with
PreHandlerHook from the outer Handler.

Thanks!
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Wed Feb 15 13:03:08 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 15 Feb 2012 21:03:08 +0200
Subject: [RADIATOR] Chap challenge in AuthBy EXTERNAL
In-Reply-To: <CAGSkO-XeSrRn_is6BJkvASMfTh82294X=0KREbX+-f_HsSZm9A@mail.gmail.com>
References: <CAGSkO-XeSrRn_is6BJkvASMfTh82294X=0KREbX+-f_HsSZm9A@mail.gmail.com>
Message-ID: <4F3C016C.9090705@open.com.au>

On 02/14/2012 05:34 PM, Mark Green wrote:

> # The challenge is sent by the client in CHAP-Challenge. 
> # If that is not set, the challenge is in the authenticator
> $challenge = $p->getAttrByNum($Radius::Radius::CHAP_CHALLENGE);
> $challenge = $p->authenticator unless defined $challenge;
> 
> What is authenticator? How can I read this value in AuthBy EXTERNAL?

It's not an attribute, but part of fixed RADIUS packet header.

http://tools.ietf.org/html/rfc2865#section-3

This also means you can not access it from AuthBy EXTERNAL. You could
consider using AuthBy INTERNAL and e.g., RequestHook or AuthHook instead.

Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From jay.tuala at gmail.com  Wed Feb 15 14:31:06 2012
From: jay.tuala at gmail.com (Jay Tuala)
Date: Thu, 16 Feb 2012 10:31:06 +1400
Subject: [RADIATOR] Cannot install rpm file
Message-ID: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>

Hi there,

following the setup notes and can't seem to install Radiator rpm file. I'm
a newbie to centos/radiator but am really keen to set it up and test it.

the error i'm getting is as follows:

[root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
Retrieving http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
error: skipping http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd> -
transfer failed - Unknown or unexpected error


I have the file located below,

[root at radiator1 ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog
Radiator-Locked-4.9-2.noarch.rpm



I would greatly appreciate any help i can get.


Many thanks,
J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120216/f8f3b256/attachment.html 

From puchol at me.com  Wed Feb 15 15:41:03 2012
From: puchol at me.com (Mike Puchol)
Date: Wed, 15 Feb 2012 22:41:03 +0100
Subject: [RADIATOR] Looking for Radiator expert, consultancy work
Message-ID: <0EE21F02184F40E8AB8FD55CB9F41FAF@me.com>

Hi all, 

I'm looking for an expert on Radiator setup & configuration, particularly in handling hooks and non-typical operations on access requests and accounting. This is for a particular project, but there could be continued work for a suitable individual. Please contact me for details if you're interested!

Regards,

Mike 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120215/452715a4/attachment.html 

From Lucas.Hazel at une.edu.au  Wed Feb 15 23:16:53 2012
From: Lucas.Hazel at une.edu.au (Lucas Hazel)
Date: Thu, 16 Feb 2012 16:16:53 +1100
Subject: [RADIATOR] Looking for Radiator expert, consultancy work
In-Reply-To: <0EE21F02184F40E8AB8FD55CB9F41FAF@me.com>
References: <0EE21F02184F40E8AB8FD55CB9F41FAF@me.com>
Message-ID: <1329369413.12782.28.camel@snapper08>

On Thu, 2012-02-16 at 08:41 +1100, Mike Puchol wrote:
> Hi all, 
> 
> 
> I'm looking for an expert on Radiator setup & configuration,
> particularly in handling hooks and non-typical operations on access
> requests and accounting. This is for a particular project, but there
> could be continued work for a suitable individual. Please contact me
> for details if you're interested!

I can highly recommend the paid support that Open provides themselves. I
have worked with Heikki, who helped me with an unusual implementation of
Eduroam. He was a pleasure to work with and imparted a great deal of
knowledge in the process.

-- 
Lucas Hazel 

Communications Systems Officer (Networks)
Communications Infrastructure

Information Technology
University of New England
Armidale NSW 2351

Phone  +61267732666
Mobile +61407569330

Sent from my Dell Latitude E6400

From alexander.hartmaier at t-systems.at  Thu Feb 16 02:39:52 2012
From: alexander.hartmaier at t-systems.at (Alexander Hartmaier)
Date: Thu, 16 Feb 2012 09:39:52 +0100
Subject: [RADIATOR] missing request attributes with TunnelledByPEAP
In-Reply-To: <4F3BFC12.50001@open.com.au>
References: <4F3BCCC0.3050908@t-systems.at> <4F3BFC12.50001@open.com.au>
Message-ID: <4F3CC0D8.9050504@t-systems.at>

Hi Heikki,
I had to upgrade Radiator which was version 4.8 on this server so that
it knows PreHandlerHook.
It works when the PreHandlerHook is in the AuthBy but not when it is in
the Handler but doesn't warn about the PreHandlerHook in the Handler.
Is both supported for different usages?

What confused me is the fact that the copied attribute isn't visible in
the trace file but the dispatching still works:

Thu Feb 16 09:34:34 2012: DEBUG: EAP PEAP inner authentication request
for anonymous
Thu Feb 16 09:34:34 2012: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <30><142><221><130>g<220><185>cI<189><138>Z<234>6*~
Attributes:
        EAP-Message = <2><12><0><2><13><0>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 10.1.2.3
        NAS-Identifier = "nas.fqdn.net"
        NAS-Port = 13
        Calling-Station-Id = "00-21-6a-42-e8-46"
        User-Name = "anonymous"

Thu Feb 16 09:34:34 2012: DEBUG: Handling request with Handler
'Client-Identifier="wlancontroller", Called-Station-Id=/:SSID$/,
TunnelledByPEAP=1', Identifier ''

Best regards, Alex

Am 2012-02-15 19:40, schrieb Heikki Vatiainen:
> On 02/15/2012 05:18 PM, Alexander Hartmaier wrote:
>
> Hello Alex,
>
>> The inner TLS packet is matched by
>> <Handler Client-Identifier="wlancontroller", TunnelledByPEAP=1>
>> but in case we want to have multiple SSIDs using PEAP-something we can't
>> distinguish the inner request because the Called-Station-Id isn't
>> included in the inner request.
>>
>> Is there an option which attributes get copied to the inner request packet?
> You can use PreHandlerHook. It is now documented in 4.9 ref.pdf too:
>
>   5.20.65 PreHandlerHook
>   For EAP types that carry inner requests (such as PEAP, TTLS, FAST
>   etc), specifies a Perl hook to be called before the inner request
>   is redispatched to a matching Realm or Handler.
>
>
> In the outer Handler do something like this:
>
> PreHandlerHook sub { \
>   my $tp = ${$_[0]}; \
>   $tp->add_attr('Called-Station-Id', \
>                 $tp->{outerRequest}->get_attr('Called-Station-Id')); \
>   };
>
> tp stands for tunnelled packet. It can be manipulated with
> PreHandlerHook from the outer Handler.
>
> Thanks!
> Heikki
>
>


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

From yakuman77 at gmail.com  Thu Feb 16 03:32:30 2012
From: yakuman77 at gmail.com (Mark Green)
Date: Thu, 16 Feb 2012 10:32:30 +0100
Subject: [RADIATOR] Chap challenge in AuthBy EXTERNAL
In-Reply-To: <4F3C016C.9090705@open.com.au>
References: <CAGSkO-XeSrRn_is6BJkvASMfTh82294X=0KREbX+-f_HsSZm9A@mail.gmail.com>
	<4F3C016C.9090705@open.com.au>
Message-ID: <CAGSkO-VHYf8hhHwCg61Nawp37qG1L=q333wRyEShKHgJS1=e9Q@mail.gmail.com>

Thank you very much for your answer.

I could use PreAuthHook to read the authenticator and add it as a
custom attribute.
But how can I read the packet info I need from the hook?

Please somebody help me.

2012/2/15 Heikki Vatiainen <hvn at open.com.au>
>
> On 02/14/2012 05:34 PM, Mark Green wrote:
>
> > # The challenge is sent by the client in CHAP-Challenge.
> > # If that is not set, the challenge is in the authenticator
> > $challenge = $p->getAttrByNum($Radius::Radius::CHAP_CHALLENGE);
> > $challenge = $p->authenticator unless defined $challenge;
> >
> > What is authenticator? How can I read this value in AuthBy EXTERNAL?
>
> It's not an attribute, but part of fixed RADIUS packet header.
>
> http://tools.ietf.org/html/rfc2865#section-3
>
> This also means you can not access it from AuthBy EXTERNAL. You could
> consider using AuthBy INTERNAL and e.g., RequestHook or AuthHook instead.
>
> Heikki
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.

From alby26 at gmail.com  Thu Feb 16 08:17:26 2012
From: alby26 at gmail.com (Alby)
Date: Thu, 16 Feb 2012 15:17:26 +0100
Subject: [RADIATOR] Radiator's database handle
Message-ID: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>

Hi all,
I'm using radiator with a SQL database that stores the users' data. I've
also a PostAuthHook that writes some data on the SQL database. Up to now my
Hook connects to the database, writes the data and then disconnects. I
suspect that connecting and disconnecting each time I write to the database
is not a really good idea (expecially for the performance). I've noticed
that Radiator opens the connection to the database only the first time,
then reuses it (this is of course a better way than mine). Since the
database that I write is the same that I use on Radiator (same name, same
user and same password), is there a way to reuse the Radiator's DB handle
instead of creating a new one and destroying it each time?
At at first glance, my idea was to open the database connection with a
StartUpHook and then close with a ShutdownHook, but there is the problem on
how to share the DB handle between the three Hooks. This should be made
securely, because if an attacker is able to obtain the handler, it will be
able to read and write the database without performing authentication
first, I think. In my opinion reusing the Radiator DB handle is the best
solution if it can be implemented.
Thank you very much in advance for your help and for your attention
Alberto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120216/21809745/attachment-0001.html 

From ringo at vianet.ca  Thu Feb 16 08:32:47 2012
From: ringo at vianet.ca (Michael)
Date: Thu, 16 Feb 2012 09:32:47 -0500
Subject: [RADIATOR] Radiator's database handle
In-Reply-To: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>
References: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>
Message-ID: <4F3D138F.6030201@vianet.ca>

I hate to answer a question with another question, but what, why and/or when are you writing data to the sql?  I write data to sql but I do it through any combination of <AuthBy SQL> <AuthLog SQL>, and sometimes an AuthBy SessionDB.  Works much better for me.  I try to avoid custom hooks if at all possible.  The ability for hooks is great to have, but if Radiator can already do a task just through config, i try to do it that way instead of a hook.

So, if you want to write something to a table for example ever time a user authenticates, use an <AuthBy AuthLog>, a SuccessQuery, and "LogSuccess      1".
if you want to write something when stop packets come in, use <AuthBy SQL>, with "HandleAcctStatusTypes   Stop", and a AcctSQLStatement.

depends on what you need to do.


On 12-02-16 09:17 AM, Alby wrote:
> Hi all,
> I'm using radiator with a SQL database that stores the users' data. I've also a PostAuthHook that writes some data on the SQL database. Up to now my Hook connects to the database, writes the data and then disconnects. I suspect that connecting and disconnecting each time I write to the database is not a really good idea (expecially for the performance). I've noticed that Radiator opens the connection to the database only the first time, then reuses it (this is of course a better way than mine). Since the database that I write is the same that I use on Radiator (same name, same user and same password), is there a way to reuse the Radiator's DB handle instead of creating a new one and destroying it each time?
> At at first glance, my idea was to open the database connection with a StartUpHook and then close with a ShutdownHook, but there is the problem on how to share the DB handle between the three Hooks. This should be made securely, because if an attacker is able to obtain the handler, it will be able to read and write the database without performing authentication first, I think. In my opinion reusing the Radiator DB handle is the best solution if it can be implemented.
> Thank you very much in advance for your help and for your attention
> Alberto
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

From alby26 at gmail.com  Thu Feb 16 08:55:14 2012
From: alby26 at gmail.com (Alby)
Date: Thu, 16 Feb 2012 15:55:14 +0100
Subject: [RADIATOR] Radiator's database handle
In-Reply-To: <4F3D138F.6030201@vianet.ca>
References: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>
	<4F3D138F.6030201@vianet.ca>
Message-ID: <CAGg551F44+vawuOgg5w0BnK+eSdkteuhbxAoyBsimesiS-nMeQ@mail.gmail.com>

Hi Michael,
thank you for your answer!
I agree with you, if you can do what you need with Radiator's
configuration, of course it is a better way to operate. But I need to
implement a sort of Self-Provisioning  procedure. When a new user tries to
authenticate, I first let Radiator rejects the request (because the user
does not have an account on the system). But then I check if the user
satisfies with some prerequisites (e.g. a special password used and some
more). If so, I create an account for the new user (and write the SQL
database from my PostAuthHook) and then notify it of the account creation,
for example by mail. Up to now, I use a PostAuthHook script to do that. It
works very well, the only matter is about the performance when writing to
the database because I connect and disconnect each time. I've tried to do
it in other ways, but without any success, since up to now this seems to be
the best solution.
Cheers,
Alberto

Il giorno 16 febbraio 2012 15:32, Michael <ringo at vianet.ca> ha scritto:

> I hate to answer a question with another question, but what, why and/or
> when are you writing data to the sql?  I write data to sql but I do it
> through any combination of <AuthBy SQL> <AuthLog SQL>, and sometimes an
> AuthBy SessionDB.  Works much better for me.  I try to avoid custom hooks
> if at all possible.  The ability for hooks is great to have, but if
> Radiator can already do a task just through config, i try to do it that way
> instead of a hook.
>
> So, if you want to write something to a table for example ever time a user
> authenticates, use an <AuthBy AuthLog>, a SuccessQuery, and "LogSuccess
>  1".
> if you want to write something when stop packets come in, use <AuthBy
> SQL>, with "HandleAcctStatusTypes   Stop", and a AcctSQLStatement.
>
> depends on what you need to do.
>
>
>
> On 12-02-16 09:17 AM, Alby wrote:
>
>> Hi all,
>> I'm using radiator with a SQL database that stores the users' data. I've
>> also a PostAuthHook that writes some data on the SQL database. Up to now my
>> Hook connects to the database, writes the data and then disconnects. I
>> suspect that connecting and disconnecting each time I write to the database
>> is not a really good idea (expecially for the performance). I've noticed
>> that Radiator opens the connection to the database only the first time,
>> then reuses it (this is of course a better way than mine). Since the
>> database that I write is the same that I use on Radiator (same name, same
>> user and same password), is there a way to reuse the Radiator's DB handle
>> instead of creating a new one and destroying it each time?
>> At at first glance, my idea was to open the database connection with a
>> StartUpHook and then close with a ShutdownHook, but there is the problem on
>> how to share the DB handle between the three Hooks. This should be made
>> securely, because if an attacker is able to obtain the handler, it will be
>> able to read and write the database without performing authentication
>> first, I think. In my opinion reusing the Radiator DB handle is the best
>> solution if it can be implemented.
>> Thank you very much in advance for your help and for your attention
>> Alberto
>>
>>
>> ______________________________**_________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/**mailman/listinfo/radiator<http://www.open.com.au/mailman/listinfo/radiator>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120216/52ecda36/attachment.html 

From scottshaw at 163.com  Thu Feb 16 10:19:52 2012
From: scottshaw at 163.com (Scott)
Date: Fri, 17 Feb 2012 00:19:52 +0800 (CST)
Subject: [RADIATOR] RADIATOR] Radiator SSL VPN, mobile OTP
In-Reply-To: <90a706b.a907.13581ac0511.Coremail.scottshaw@163.com>
References: <90a706b.a907.13581ac0511.Coremail.scottshaw@163.com>
	<265863814.CHhWZl2pCU@zulu>
	<CAPhbAj4PTKStnmEMfB1OHMBVeviwygEW0m30Fy2czuDhYhDqkw@mail.gmail.com>
Message-ID: <47c3f5d3.2347a.13586f673c0.Coremail.scottshaw@163.com>

 

Hi Team - I am currently working on a potential customer for a
> e-government project. For it's external VPN access, I am proposing Radiator. any of you have any white paper, success story, or case study related I can refer to ? Prefer some VPN radiau authetication with Mobile OTP, or other enhanced security authentication method.
> Thanks !
> best regards
Scott
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120217/9c5f6d9c/attachment.html 

From ringo at vianet.ca  Thu Feb 16 13:38:16 2012
From: ringo at vianet.ca (Michael)
Date: Thu, 16 Feb 2012 14:38:16 -0500
Subject: [RADIATOR] Radiator's database handle
In-Reply-To: <CAGg551F44+vawuOgg5w0BnK+eSdkteuhbxAoyBsimesiS-nMeQ@mail.gmail.com>
References: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>
	<4F3D138F.6030201@vianet.ca>
	<CAGg551F44+vawuOgg5w0BnK+eSdkteuhbxAoyBsimesiS-nMeQ@mail.gmail.com>
Message-ID: <4F3D5B28.4090103@vianet.ca>

sounds like you may be trying to do something that is pretty complex.  maybe you should be thinking about creating your own custom Auth Clause. section 17.0 in the Radiator manual. For example, i've created my own Auth Clause (AuthUNIX_UID) to support the UID value from unix password files as it was required for my purpose.  The normal AuthUNIX doesn't do anything with UIDs.



On 12-02-16 09:55 AM, Alby wrote:
> Hi Michael,
> thank you for your answer!
> I agree with you, if you can do what you need with Radiator's configuration, of course it is a better way to operate. But I need to implement a sort of Self-Provisioning  procedure. When a new user tries to authenticate, I first let Radiator rejects the request (because the user does not have an account on the system). But then I check if the user satisfies with some prerequisites (e.g. a special password used and some more). If so, I create an account for the new user (and write the SQL database from my PostAuthHook) and then notify it of the account creation, for example by mail. Up to now, I use a PostAuthHook script to do that. It works very well, the only matter is about the performance when writing to the database because I connect and disconnect each time. I've tried to do it in other ways, but without any success, since up to now this seems to be the best solution.
> Cheers,
> Alberto
>
> Il giorno 16 febbraio 2012 15:32, Michael <ringo at vianet.ca <mailto:ringo at vianet.ca>> ha scritto:
>
>     I hate to answer a question with another question, but what, why and/or when are you writing data to the sql?  I write data to sql but I do it through any combination of <AuthBy SQL> <AuthLog SQL>, and sometimes an AuthBy SessionDB.  Works much better for me.  I try to avoid custom hooks if at all possible.  The ability for hooks is great to have, but if Radiator can already do a task just through config, i try to do it that way instead of a hook.
>
>     So, if you want to write something to a table for example ever time a user authenticates, use an <AuthBy AuthLog>, a SuccessQuery, and "LogSuccess      1".
>     if you want to write something when stop packets come in, use <AuthBy SQL>, with "HandleAcctStatusTypes   Stop", and a AcctSQLStatement.
>
>     depends on what you need to do.
>
>
>
>     On 12-02-16 09:17 AM, Alby wrote:
>
>         Hi all,
>         I'm using radiator with a SQL database that stores the users' data. I've also a PostAuthHook that writes some data on the SQL database. Up to now my Hook connects to the database, writes the data and then disconnects. I suspect that connecting and disconnecting each time I write to the database is not a really good idea (expecially for the performance). I've noticed that Radiator opens the connection to the database only the first time, then reuses it (this is of course a better way than mine). Since the database that I write is the same that I use on Radiator (same name, same user and same password), is there a way to reuse the Radiator's DB handle instead of creating a new one and destroying it each time?
>         At at first glance, my idea was to open the database connection with a StartUpHook and then close with a ShutdownHook, but there is the problem on how to share the DB handle between the three Hooks. This should be made securely, because if an attacker is able to obtain the handler, it will be able to read and write the database without performing authentication first, I think. In my opinion reusing the Radiator DB handle is the best solution if it can be implemented.
>         Thank you very much in advance for your help and for your attention
>         Alberto
>
>
>         _________________________________________________
>         radiator mailing list
>         radiator at open.com.au <mailto:radiator at open.com.au>
>         http://www.open.com.au/__mailman/listinfo/radiator <http://www.open.com.au/mailman/listinfo/radiator>
>
>

From ringo at vianet.ca  Thu Feb 16 14:45:54 2012
From: ringo at vianet.ca (Michael)
Date: Thu, 16 Feb 2012 15:45:54 -0500
Subject: [RADIATOR] Radiator's database handle
In-Reply-To: <4F3D5B28.4090103@vianet.ca>
References: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>
	<4F3D138F.6030201@vianet.ca>
	<CAGg551F44+vawuOgg5w0BnK+eSdkteuhbxAoyBsimesiS-nMeQ@mail.gmail.com>
	<4F3D5B28.4090103@vianet.ca>
Message-ID: <4F3D6B02.1030604@vianet.ca>

maybe this may help spark some ideas:
- check normal auth.
- if pass, done and accept.
- if fail, continue to a second auth that checks only a password.
- if fail, done and reject.
- but if password only passes, send to another handler which does something.


<Handler ...>
         # auth policy set to continue only if the auth fails.
         AuthByPolicy    ContinueWhileReject

         AuthLog NORMAL_ATUH_LOG

         # a normal username/password test
         <AuthBy SQL>
         ...
         </AuthBy>

         # due to policy, this is only done if previous failed.
         <AuthBy GROUP>
                 # policy changed
                 AuthByPolicy    ContinueWhileAccept

                 # authby to check a DEFAULT account and check password only.
                 <AuthBy SQL>
                 ...

                        AuthSelect      SELECT username, crypt, ... FROM table WHERE BINARY username='DEFAULT'

                         AuthColumnDef   1, Encrypted-Password, check
                         AuthColumnDef   2, ...
                 ...
                 </AuthBy>

                 # due to AuthByPolicy only pass to another handler if previous auth passes.
                 <AuthBy HANDLER>
                         HandlerId "call another handler"
                 </AuthBy>
         </AuthBy>
</Handler>







On 12-02-16 02:38 PM, Michael wrote:
> sounds like you may be trying to do something that is pretty complex.  maybe you should be thinking about creating your own custom Auth Clause. section 17.0 in the Radiator manual. For example, i've created my own Auth Clause (AuthUNIX_UID) to support the UID value from unix password files as it was required for my purpose.  The normal AuthUNIX doesn't do anything with UIDs.
>
>
>
> On 12-02-16 09:55 AM, Alby wrote:
>> Hi Michael,
>> thank you for your answer!
>> I agree with you, if you can do what you need with Radiator's configuration, of course it is a better way to operate. But I need to implement a sort of Self-Provisioning  procedure. When a new user tries to authenticate, I first let Radiator rejects the request (because the user does not have an account on the system). But then I check if the user satisfies with some prerequisites (e.g. a special password used and some more). If so, I create an account for the new user (and write the SQL database from my PostAuthHook) and then notify it of the account creation, for example by mail. Up to now, I use a PostAuthHook script to do that. It works very well, the only matter is about the performance when writing to the database because I connect and disconnect each time. I've tried to do it in other ways, but without any success, since up to now this seems to be the best solution.
>> Cheers,
>> Alberto
>>
>> Il giorno 16 febbraio 2012 15:32, Michael<ringo at vianet.ca<mailto:ringo at vianet.ca>>  ha scritto:
>>
>>      I hate to answer a question with another question, but what, why and/or when are you writing data to the sql?  I write data to sql but I do it through any combination of<AuthBy SQL>  <AuthLog SQL>, and sometimes an AuthBy SessionDB.  Works much better for me.  I try to avoid custom hooks if at all possible.  The ability for hooks is great to have, but if Radiator can already do a task just through config, i try to do it that way instead of a hook.
>>
>>      So, if you want to write something to a table for example ever time a user authenticates, use an<AuthBy AuthLog>, a SuccessQuery, and "LogSuccess      1".
>>      if you want to write something when stop packets come in, use<AuthBy SQL>, with "HandleAcctStatusTypes   Stop", and a AcctSQLStatement.
>>
>>      depends on what you need to do.
>>
>>
>>
>>      On 12-02-16 09:17 AM, Alby wrote:
>>
>>          Hi all,
>>          I'm using radiator with a SQL database that stores the users' data. I've also a PostAuthHook that writes some data on the SQL database. Up to now my Hook connects to the database, writes the data and then disconnects. I suspect that connecting and disconnecting each time I write to the database is not a really good idea (expecially for the performance). I've noticed that Radiator opens the connection to the database only the first time, then reuses it (this is of course a better way than mine). Since the database that I write is the same that I use on Radiator (same name, same user and same password), is there a way to reuse the Radiator's DB handle instead of creating a new one and destroying it each time?
>>          At at first glance, my idea was to open the database connection with a StartUpHook and then close with a ShutdownHook, but there is the problem on how to share the DB handle between the three Hooks. This should be made securely, because if an attacker is able to obtain the handler, it will be able to read and write the database without performing authentication first, I think. In my opinion reusing the Radiator DB handle is the best solution if it can be implemented.
>>          Thank you very much in advance for your help and for your attention
>>          Alberto
>>
>>
>>          _________________________________________________
>>          radiator mailing list
>>          radiator at open.com.au<mailto:radiator at open.com.au>
>>          http://www.open.com.au/__mailman/listinfo/radiator<http://www.open.com.au/mailman/listinfo/radiator>
>>
>>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>

From hvn at open.com.au  Thu Feb 16 17:12:50 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Fri, 17 Feb 2012 01:12:50 +0200
Subject: [RADIATOR] Chap challenge in AuthBy EXTERNAL
In-Reply-To: <CAGSkO-VHYf8hhHwCg61Nawp37qG1L=q333wRyEShKHgJS1=e9Q@mail.gmail.com>
References: <CAGSkO-XeSrRn_is6BJkvASMfTh82294X=0KREbX+-f_HsSZm9A@mail.gmail.com>
	<4F3C016C.9090705@open.com.au>
	<CAGSkO-VHYf8hhHwCg61Nawp37qG1L=q333wRyEShKHgJS1=e9Q@mail.gmail.com>
Message-ID: <4F3D8D72.7010506@open.com.au>

On 02/16/2012 11:32 AM, Mark Green wrote:

> I could use PreAuthHook to read the authenticator and add it as a
> custom attribute.
> But how can I read the packet info I need from the hook?

Try ${$_[0]}->authenticator. That should give you the authenticator from
the current request.

Thanks!
Heikki


> Please somebody help me.
> 
> 2012/2/15 Heikki Vatiainen <hvn at open.com.au>
>>
>> On 02/14/2012 05:34 PM, Mark Green wrote:
>>
>>> # The challenge is sent by the client in CHAP-Challenge.
>>> # If that is not set, the challenge is in the authenticator
>>> $challenge = $p->getAttrByNum($Radius::Radius::CHAP_CHALLENGE);
>>> $challenge = $p->authenticator unless defined $challenge;
>>>
>>> What is authenticator? How can I read this value in AuthBy EXTERNAL?
>>
>> It's not an attribute, but part of fixed RADIUS packet header.
>>
>> http://tools.ietf.org/html/rfc2865#section-3
>>
>> This also means you can not access it from AuthBy EXTERNAL. You could
>> consider using AuthBy INTERNAL and e.g., RequestHook or AuthHook instead.
>>
>> Heikki
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Thu Feb 16 17:38:05 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Fri, 17 Feb 2012 01:38:05 +0200
Subject: [RADIATOR] missing request attributes with TunnelledByPEAP
In-Reply-To: <4F3CC0D8.9050504@t-systems.at>
References: <4F3BCCC0.3050908@t-systems.at> <4F3BFC12.50001@open.com.au>
	<4F3CC0D8.9050504@t-systems.at>
Message-ID: <4F3D935D.8070000@open.com.au>

On 02/16/2012 10:39 AM, Alexander Hartmaier wrote:

> I had to upgrade Radiator which was version 4.8 on this server so that
> it knows PreHandlerHook.

It should work with 4.8 and earlier versions too. It was documented in
the latest reference manual, but the functionality should have been
there. Sorry if I was unclear about this.

> It works when the PreHandlerHook is in the AuthBy but not when it is in
> the Handler but doesn't warn about the PreHandlerHook in the Handler.
> Is both supported for different usages?

You are correct, it goes in AuthBy. When I took a look at one example
configuration I had, I mistakingly thought I was looking at a Handler.
The correct place is AuthBy. Thanks for notifying about this.

> What confused me is the fact that the copied attribute isn't visible in
> the trace file but the dispatching still works:

Since the PreHandlerHook runs just before the inner request is
dispatched for handling, packet dumping trace happens just immediately
before the hook runs. So what you are seeing in the log is the packet
dump before the PreHandlerHook runs.

I'll make a note about this and see if the order can be reversed. First
PreHandlerHook and then inner request dump. That would make it easier to
follow what gets added into inner request.

If you add this as the last line in your hook, it will show how the
inner request was changed:

   main::log($main::LOG_DEBUG, "PEAP Tunnelled request Packet dump after
PreHandlerHook\n" . $tp->dump)

Thanks!
Heikki


> Thu Feb 16 09:34:34 2012: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Thu Feb 16 09:34:34 2012: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <30><142><221><130>g<220><185>cI<189><138>Z<234>6*~
> Attributes:
>         EAP-Message = <2><12><0><2><13><0>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 10.1.2.3
>         NAS-Identifier = "nas.fqdn.net"
>         NAS-Port = 13
>         Calling-Station-Id = "00-21-6a-42-e8-46"
>         User-Name = "anonymous"
> 
> Thu Feb 16 09:34:34 2012: DEBUG: Handling request with Handler
> 'Client-Identifier="wlancontroller", Called-Station-Id=/:SSID$/,
> TunnelledByPEAP=1', Identifier ''
> 
> Best regards, Alex
> 
> Am 2012-02-15 19:40, schrieb Heikki Vatiainen:
>> On 02/15/2012 05:18 PM, Alexander Hartmaier wrote:
>>
>> Hello Alex,
>>
>>> The inner TLS packet is matched by
>>> <Handler Client-Identifier="wlancontroller", TunnelledByPEAP=1>
>>> but in case we want to have multiple SSIDs using PEAP-something we can't
>>> distinguish the inner request because the Called-Station-Id isn't
>>> included in the inner request.
>>>
>>> Is there an option which attributes get copied to the inner request packet?
>> You can use PreHandlerHook. It is now documented in 4.9 ref.pdf too:
>>
>>   5.20.65 PreHandlerHook
>>   For EAP types that carry inner requests (such as PEAP, TTLS, FAST
>>   etc), specifies a Perl hook to be called before the inner request
>>   is redispatched to a matching Realm or Handler.
>>
>>
>> In the outer Handler do something like this:
>>
>> PreHandlerHook sub { \
>>   my $tp = ${$_[0]}; \
>>   $tp->add_attr('Called-Station-Id', \
>>                 $tp->{outerRequest}->get_attr('Called-Station-Id')); \
>>   };
>>
>> tp stands for tunnelled packet. It can be manipulated with
>> PreHandlerHook from the outer Handler.
>>
>> Thanks!
>> Heikki
>>
>>
> 
> 
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Thu Feb 16 17:45:26 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Fri, 17 Feb 2012 01:45:26 +0200
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
Message-ID: <4F3D9516.6090207@open.com.au>

On 02/15/2012 10:31 PM, Jay Tuala wrote:

Hello Jay,

> following the setup notes and can't seem to install Radiator rpm file.
> I'm a newbie to centos/radiator but am really keen to set it up and test it.
>  
> the error i'm getting is as follows:
>  
> [root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
> Retrieving http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> error: skipping http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> - transfer failed - Unknown or unexpected error

That looks like head of HTML file from the Radiator downloads section.
The link titled 'RPM format for Linux' in the table listing different
versions gives you the download page, not the RPM. So please try
downloading again.

Thanks!
Heikki


> I have the file located below,
>  
> [root at radiator1 ~]# ls
> anaconda-ks.cfg  install.log  install.log.syslog 
> Radiator-Locked-4.9-2.noarch.rpm
>  
>  
>  
> I would greatly appreciate any help i can get.
>  
>  
> Many thanks,
> J
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From jay.tuala at gmail.com  Thu Feb 16 19:27:11 2012
From: jay.tuala at gmail.com (Jay Tuala)
Date: Fri, 17 Feb 2012 15:27:11 +1400
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <4F3D9516.6090207@open.com.au>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
Message-ID: <CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>

Hello Heikki,

I followed the 'RPM format for Linux' link and accepted the license
agreement to download the file. After downloading the file onto the Centos,
I tried the 'rpm -ivh Radiator-Locked-4.9-2.noarch.rpm' command but still
getting the same issue. By the way, is there any issue with running
Radiator on a vm. I wouldn't think so but just wondering if I needed a
seperate box for radiator?

Many thanks,
Jay  #radiatornewbie :-|





On Fri, Feb 17, 2012 at 1:45 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 02/15/2012 10:31 PM, Jay Tuala wrote:
>
> Hello Jay,
>
> > following the setup notes and can't seem to install Radiator rpm file.
> > I'm a newbie to centos/radiator but am really keen to set it up and test
> it.
> >
> > the error i'm getting is as follows:
> >
> > [root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
> > Retrieving http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> > error: skipping http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> > - transfer failed - Unknown or unexpected error
>
> That looks like head of HTML file from the Radiator downloads section.
> The link titled 'RPM format for Linux' in the table listing different
> versions gives you the download page, not the RPM. So please try
> downloading again.
>
> Thanks!
> Heikki
>
>
> > I have the file located below,
> >
> > [root at radiator1 ~]# ls
> > anaconda-ks.cfg  install.log  install.log.syslog
> > Radiator-Locked-4.9-2.noarch.rpm
> >
> >
> >
> > I would greatly appreciate any help i can get.
> >
> >
> > Many thanks,
> > J
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120217/b817f9af/attachment-0001.html 

From hvn at open.com.au  Fri Feb 17 03:10:53 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Fri, 17 Feb 2012 11:10:53 +0200
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
	<CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
Message-ID: <4F3E199D.2080705@open.com.au>

On 02/17/2012 03:27 AM, Jay Tuala wrote:

> I followed the 'RPM format for Linux' link and accepted the license
> agreement to download the file. After downloading the file onto the
> Centos, I tried the 'rpm -ivh Radiator-Locked-4.9-2.noarch.rpm' command
> but still getting the same issue. By the way, is there any issue with
> running Radiator on a vm. I wouldn't think so but just wondering if I
> needed a seperate box for radiator?

If you use e.g. less command or editor to view the downloaded RPM file
do you see HTML page or RPM binary? It still sounds like HTML file was
downloaded.

Running Radiator on a virtual machine is not a problem. It's actually
quite common.

Thanks!
Heikki

> Many thanks,
> Jay  #radiatornewbie :-|
>  
>  
> 
> 
>  
> On Fri, Feb 17, 2012 at 1:45 PM, Heikki Vatiainen <hvn at open.com.au
> <mailto:hvn at open.com.au>> wrote:
> 
>     On 02/15/2012 10:31 PM, Jay Tuala wrote:
> 
>     Hello Jay,
> 
>     > following the setup notes and can't seem to install Radiator rpm file.
>     > I'm a newbie to centos/radiator but am really keen to set it up
>     and test it.
>     >
>     > the error i'm getting is as follows:
>     >
>     > [root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
>     > Retrieving http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
>     > error: skipping
>     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
>     > - transfer failed - Unknown or unexpected error
> 
>     That looks like head of HTML file from the Radiator downloads section.
>     The link titled 'RPM format for Linux' in the table listing different
>     versions gives you the download page, not the RPM. So please try
>     downloading again.
> 
>     Thanks!
>     Heikki
> 
> 
>     > I have the file located below,
>     >
>     > [root at radiator1 ~]# ls
>     > anaconda-ks.cfg  install.log  install.log.syslog
>     > Radiator-Locked-4.9-2.noarch.rpm
>     >
>     >
>     >
>     > I would greatly appreciate any help i can get.
>     >
>     >
>     > Many thanks,
>     > J
>     >
>     >
>     > _______________________________________________
>     > radiator mailing list
>     > radiator at open.com.au <mailto:radiator at open.com.au>
>     > http://www.open.com.au/mailman/listinfo/radiator
> 
> 
>     --
>     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>>
> 
>     Radiator: the most portable, flexible and configurable RADIUS server
>     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>     Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>     NetWare etc.
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From jay.tuala at gmail.com  Fri Feb 17 08:19:22 2012
From: jay.tuala at gmail.com (Jay Tuala)
Date: Sat, 18 Feb 2012 04:19:22 +1400
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <4F3E199D.2080705@open.com.au>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
	<CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
	<4F3E199D.2080705@open.com.au>
Message-ID: <CAO5qXN5Pr5riFLeXxjAx35CR1qTV9Q-xtj1QWfQht+rQdB+f=w@mail.gmail.com>

Using cat to view the downloaded RPM file shows the software license
agreement. the following command is what i used to download the file,

wget --http-user=XXXXXX --http-password=XXXXXX *
http://www.open.com.au/radiator/demo-downloads/dl.cgi/Radiator-Locked-4.9-2.noarch.rpm
*<http://www.open.com.au/radiator/demo-downloads/dl.cgi/Radiator-Locked-4.9-2.noarch.rpm>

I suspect this is where the problem lies. Would be able to point me in the
right direction?

thanks again.


On Fri, Feb 17, 2012 at 11:10 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 02/17/2012 03:27 AM, Jay Tuala wrote:
>
> > I followed the 'RPM format for Linux' link and accepted the license
> > agreement to download the file. After downloading the file onto the
> > Centos, I tried the 'rpm -ivh Radiator-Locked-4.9-2.noarch.rpm' command
> > but still getting the same issue. By the way, is there any issue with
> > running Radiator on a vm. I wouldn't think so but just wondering if I
> > needed a seperate box for radiator?
>
> If you use e.g. less command or editor to view the downloaded RPM file
> do you see HTML page or RPM binary? It still sounds like HTML file was
> downloaded.
>
> Running Radiator on a virtual machine is not a problem. It's actually
> quite common.
>
> Thanks!
> Heikki
>
> > Many thanks,
> > Jay  #radiatornewbie :-|
> >
> >
> >
> >
> >
> > On Fri, Feb 17, 2012 at 1:45 PM, Heikki Vatiainen <hvn at open.com.au
>  > <mailto:hvn at open.com.au>> wrote:
> >
> >     On 02/15/2012 10:31 PM, Jay Tuala wrote:
> >
> >     Hello Jay,
> >
> >     > following the setup notes and can't seem to install Radiator rpm
> file.
> >     > I'm a newbie to centos/radiator but am really keen to set it up
> >     and test it.
> >     >
> >     > the error i'm getting is as follows:
> >     >
> >     > [root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
> >     > Retrieving http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
> >
> >     > error: skipping
> >     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> >     > - transfer failed - Unknown or unexpected error
> >
> >     That looks like head of HTML file from the Radiator downloads
> section.
> >     The link titled 'RPM format for Linux' in the table listing different
> >     versions gives you the download page, not the RPM. So please try
> >     downloading again.
> >
> >     Thanks!
> >     Heikki
> >
> >
> >     > I have the file located below,
> >     >
> >     > [root at radiator1 ~]# ls
> >     > anaconda-ks.cfg  install.log  install.log.syslog
> >     > Radiator-Locked-4.9-2.noarch.rpm
> >     >
> >     >
> >     >
> >     > I would greatly appreciate any help i can get.
> >     >
> >     >
> >     > Many thanks,
> >     > J
> >     >
> >     >
> >     > _______________________________________________
> >     > radiator mailing list
> >     > radiator at open.com.au <mailto:radiator at open.com.au>
> >     > http://www.open.com.au/mailman/listinfo/radiator
> >
> >
> >     --
> >     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>>
>  >
> >     Radiator: the most portable, flexible and configurable RADIUS server
> >     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >     Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
> TLS,
> >     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >     NetWare etc.
> >
> >
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120218/97c46a83/attachment.html 

From hvn at open.com.au  Mon Feb 20 02:36:51 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Mon, 20 Feb 2012 10:36:51 +0200
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <CAO5qXN5Pr5riFLeXxjAx35CR1qTV9Q-xtj1QWfQht+rQdB+f=w@mail.gmail.com>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
	<CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
	<4F3E199D.2080705@open.com.au>
	<CAO5qXN5Pr5riFLeXxjAx35CR1qTV9Q-xtj1QWfQht+rQdB+f=w@mail.gmail.com>
Message-ID: <4F420623.7030208@open.com.au>

On 02/17/2012 04:19 PM, Jay Tuala wrote:

Hello Jay,

> Using cat to view the downloaded RPM file shows the software license
> agreement. the following command is what i used to download the file,
> 
> wget --http-user=XXXXXX --http-password=XXXXXX
> _http://www.open.com.au/radiator/demo-downloads/dl.cgi/Radiator-Locked-4.9-2.noarch.rpm_

Ok, that explains what happens. Using a non-interactive tool such as
wget may not work here because of the CGI that creates the actual
download link.

> I suspect this is where the problem lies. Would be able to point me in
> the right direction?

Try this: Use Chrome, IE, Firefox or any other browser to download the
software to your workstation and then copy it to the target machine
unless you can run the browser on the target machine directly.

Or you could install one of elinks, links or lynx. These are test mode
browsers that can run in the terminal. You can install one of those on
your Radiator evaluation host and use text mode browser to access the
download link.

In any case you need to accept the license agreement before the actual
download link becomes available.

Please let us know how it goes.

Thanks!
Heikki


> thanks again.
>  
> 
> On Fri, Feb 17, 2012 at 11:10 PM, Heikki Vatiainen <hvn at open.com.au
> <mailto:hvn at open.com.au>> wrote:
> 
>     On 02/17/2012 03:27 AM, Jay Tuala wrote:
> 
>     > I followed the 'RPM format for Linux' link and accepted the license
>     > agreement to download the file. After downloading the file onto the
>     > Centos, I tried the 'rpm -ivh Radiator-Locked-4.9-2.noarch.rpm'
>     command
>     > but still getting the same issue. By the way, is there any issue with
>     > running Radiator on a vm. I wouldn't think so but just wondering if I
>     > needed a seperate box for radiator?
> 
>     If you use e.g. less command or editor to view the downloaded RPM file
>     do you see HTML page or RPM binary? It still sounds like HTML file was
>     downloaded.
> 
>     Running Radiator on a virtual machine is not a problem. It's actually
>     quite common.
> 
>     Thanks!
>     Heikki
> 
>     > Many thanks,
>     > Jay  #radiatornewbie :-|
>     >
>     >
>     >
>     >
>     >
>     > On Fri, Feb 17, 2012 at 1:45 PM, Heikki Vatiainen <hvn at open.com.au
>     <mailto:hvn at open.com.au>
>     > <mailto:hvn at open.com.au <mailto:hvn at open.com.au>>> wrote:
>     >
>     >     On 02/15/2012 10:31 PM, Jay Tuala wrote:
>     >
>     >     Hello Jay,
>     >
>     >     > following the setup notes and can't seem to install Radiator
>     rpm file.
>     >     > I'm a newbie to centos/radiator but am really keen to set it up
>     >     and test it.
>     >     >
>     >     > the error i'm getting is as follows:
>     >     >
>     >     > [root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
>     >     > Retrieving
>     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
>     >     > error: skipping
>     >     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
>     >     > - transfer failed - Unknown or unexpected error
>     >
>     >     That looks like head of HTML file from the Radiator downloads
>     section.
>     >     The link titled 'RPM format for Linux' in the table listing
>     different
>     >     versions gives you the download page, not the RPM. So please try
>     >     downloading again.
>     >
>     >     Thanks!
>     >     Heikki
>     >
>     >
>     >     > I have the file located below,
>     >     >
>     >     > [root at radiator1 ~]# ls
>     >     > anaconda-ks.cfg  install.log  install.log.syslog
>     >     > Radiator-Locked-4.9-2.noarch.rpm
>     >     >
>     >     >
>     >     >
>     >     > I would greatly appreciate any help i can get.
>     >     >
>     >     >
>     >     > Many thanks,
>     >     > J
>     >     >
>     >     >
>     >     > _______________________________________________
>     >     > radiator mailing list
>     >     > radiator at open.com.au <mailto:radiator at open.com.au>
>     <mailto:radiator at open.com.au <mailto:radiator at open.com.au>>
>     >     > http://www.open.com.au/mailman/listinfo/radiator
>     >
>     >
>     >     --
>     >     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>
>     <mailto:hvn at open.com.au <mailto:hvn at open.com.au>>>
>     >
>     >     Radiator: the most portable, flexible and configurable RADIUS
>     server
>     >     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>     Emerald,
>     >     Platypus, Freeside, TACACS+, PAM, external, Active Directory,
>     EAP, TLS,
>     >     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>     >     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>     >     NetWare etc.
>     >
>     >
> 
> 
>     --
>     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>>
> 
>     Radiator: the most portable, flexible and configurable RADIUS server
>     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>     Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>     NetWare etc.
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From jay.tuala at gmail.com  Mon Feb 20 17:38:57 2012
From: jay.tuala at gmail.com (Jay Tuala)
Date: Tue, 21 Feb 2012 13:38:57 +1400
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <4F420623.7030208@open.com.au>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
	<CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
	<4F3E199D.2080705@open.com.au>
	<CAO5qXN5Pr5riFLeXxjAx35CR1qTV9Q-xtj1QWfQht+rQdB+f=w@mail.gmail.com>
	<4F420623.7030208@open.com.au>
Message-ID: <CAO5qXN5yh8ee4N6yy9nEH0OsKJABPH0=Q4ynfS_ar==Z376isA@mail.gmail.com>

Hello there Heikki,

With your help I was finally able to get radiator downloaded and installed.
Thanks a bunch and keep up the good work.

I will now focus on configuring and testing.


Cheers,
Jay

On Mon, Feb 20, 2012 at 10:36 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 02/17/2012 04:19 PM, Jay Tuala wrote:
>
> Hello Jay,
>
> > Using cat to view the downloaded RPM file shows the software license
> > agreement. the following command is what i used to download the file,
> >
> > wget --http-user=XXXXXX --http-password=XXXXXX
> > _
> http://www.open.com.au/radiator/demo-downloads/dl.cgi/Radiator-Locked-4.9-2.noarch.rpm_
>
> Ok, that explains what happens. Using a non-interactive tool such as
> wget may not work here because of the CGI that creates the actual
> download link.
>
> > I suspect this is where the problem lies. Would be able to point me in
> > the right direction?
>
> Try this: Use Chrome, IE, Firefox or any other browser to download the
> software to your workstation and then copy it to the target machine
> unless you can run the browser on the target machine directly.
>
> Or you could install one of elinks, links or lynx. These are test mode
> browsers that can run in the terminal. You can install one of those on
> your Radiator evaluation host and use text mode browser to access the
> download link.
>
> In any case you need to accept the license agreement before the actual
> download link becomes available.
>
> Please let us know how it goes.
>
> Thanks!
> Heikki
>
>
> > thanks again.
> >
> >
> > On Fri, Feb 17, 2012 at 11:10 PM, Heikki Vatiainen <hvn at open.com.au
> > <mailto:hvn at open.com.au>> wrote:
> >
> >     On 02/17/2012 03:27 AM, Jay Tuala wrote:
> >
> >     > I followed the 'RPM format for Linux' link and accepted the license
> >     > agreement to download the file. After downloading the file onto the
> >     > Centos, I tried the 'rpm -ivh Radiator-Locked-4.9-2.noarch.rpm'
> >     command
> >     > but still getting the same issue. By the way, is there any issue
> with
> >     > running Radiator on a vm. I wouldn't think so but just wondering
> if I
> >     > needed a seperate box for radiator?
> >
> >     If you use e.g. less command or editor to view the downloaded RPM
> file
> >     do you see HTML page or RPM binary? It still sounds like HTML file
> was
> >     downloaded.
> >
> >     Running Radiator on a virtual machine is not a problem. It's actually
> >     quite common.
> >
> >     Thanks!
> >     Heikki
> >
> >     > Many thanks,
> >     > Jay  #radiatornewbie :-|
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > On Fri, Feb 17, 2012 at 1:45 PM, Heikki Vatiainen <hvn at open.com.au
> >     <mailto:hvn at open.com.au>
>  >     > <mailto:hvn at open.com.au <mailto:hvn at open.com.au>>> wrote:
> >     >
> >     >     On 02/15/2012 10:31 PM, Jay Tuala wrote:
> >     >
> >     >     Hello Jay,
> >     >
> >     >     > following the setup notes and can't seem to install Radiator
> >     rpm file.
> >     >     > I'm a newbie to centos/radiator but am really keen to set it
> up
> >     >     and test it.
> >     >     >
> >     >     > the error i'm getting is as follows:
> >     >     >
> >     >     > [root at radiator1 ~]# rpm -ivh
> Radiator-Locked-4.9-2.noarch.rpm
> >     >     > Retrieving
> >     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> >     >     > error: skipping
> >     >     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> >     >     > - transfer failed - Unknown or unexpected error
> >     >
> >     >     That looks like head of HTML file from the Radiator downloads
> >     section.
> >     >     The link titled 'RPM format for Linux' in the table listing
> >     different
> >     >     versions gives you the download page, not the RPM. So please
> try
> >     >     downloading again.
> >     >
> >     >     Thanks!
> >     >     Heikki
> >     >
> >     >
> >     >     > I have the file located below,
> >     >     >
> >     >     > [root at radiator1 ~]# ls
> >     >     > anaconda-ks.cfg  install.log  install.log.syslog
> >     >     > Radiator-Locked-4.9-2.noarch.rpm
> >     >     >
> >     >     >
> >     >     >
> >     >     > I would greatly appreciate any help i can get.
> >     >     >
> >     >     >
> >     >     > Many thanks,
> >     >     > J
> >     >     >
> >     >     >
> >     >     > _______________________________________________
> >     >     > radiator mailing list
> >     >     > radiator at open.com.au <mailto:radiator at open.com.au>
> >     <mailto:radiator at open.com.au <mailto:radiator at open.com.au>>
> >     >     > http://www.open.com.au/mailman/listinfo/radiator
> >     >
> >     >
> >     >     --
> >     >     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>
> >     <mailto:hvn at open.com.au <mailto:hvn at open.com.au>>>
>  >     >
> >     >     Radiator: the most portable, flexible and configurable RADIUS
> >     server
> >     >     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
> >     Emerald,
> >     >     Platypus, Freeside, TACACS+, PAM, external, Active Directory,
> >     EAP, TLS,
> >     >     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >     >     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris,
> VMS,
> >     >     NetWare etc.
> >     >
> >     >
> >
> >
> >     --
> >     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>>
> >
> >     Radiator: the most portable, flexible and configurable RADIUS server
> >     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >     Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
> TLS,
> >     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >     NetWare etc.
> >
> >
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120221/7a6e7fed/attachment.html 

From simon.morley at me.com  Mon Feb 20 17:40:57 2012
From: simon.morley at me.com (Simon Morley)
Date: Mon, 20 Feb 2012 23:40:57 +0000
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <CAO5qXN5yh8ee4N6yy9nEH0OsKJABPH0=Q4ynfS_ar==Z376isA@mail.gmail.com>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
	<CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
	<4F3E199D.2080705@open.com.au>
	<CAO5qXN5Pr5riFLeXxjAx35CR1qTV9Q-xtj1QWfQht+rQdB+f=w@mail.gmail.com>
	<4F420623.7030208@open.com.au>
	<CAO5qXN5yh8ee4N6yy9nEH0OsKJABPH0=Q4ynfS_ar==Z376isA@mail.gmail.com>
Message-ID: <7C55EBE5-CDDA-481D-A40A-41748E742E97@me.com>

How on earth can I unsubscribe from this list?

I don't think the email unsubscribe options work... 

Please take me off the list.


On 21 Feb 2012, at 13:38, Jay Tuala wrote:

> Hello there Heikki,
>  
> With your help I was finally able to get radiator downloaded and installed. Thanks a bunch and keep up the good work.
>  
> I will now focus on configuring and testing.
>  
>  
> Cheers,
> Jay
> 
> On Mon, Feb 20, 2012 at 10:36 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 02/17/2012 04:19 PM, Jay Tuala wrote:
> 
> Hello Jay,
> 
> > Using cat to view the downloaded RPM file shows the software license
> > agreement. the following command is what i used to download the file,
> >
> > wget --http-user=XXXXXX --http-password=XXXXXX
> > _http://www.open.com.au/radiator/demo-downloads/dl.cgi/Radiator-Locked-4.9-2.noarch.rpm_
> 
> Ok, that explains what happens. Using a non-interactive tool such as
> wget may not work here because of the CGI that creates the actual
> download link.
> 
> > I suspect this is where the problem lies. Would be able to point me in
> > the right direction?
> 
> Try this: Use Chrome, IE, Firefox or any other browser to download the
> software to your workstation and then copy it to the target machine
> unless you can run the browser on the target machine directly.
> 
> Or you could install one of elinks, links or lynx. These are test mode
> browsers that can run in the terminal. You can install one of those on
> your Radiator evaluation host and use text mode browser to access the
> download link.
> 
> In any case you need to accept the license agreement before the actual
> download link becomes available.
> 
> Please let us know how it goes.
> 
> Thanks!
> Heikki
> 
> 
> > thanks again.
> >
> >
> > On Fri, Feb 17, 2012 at 11:10 PM, Heikki Vatiainen <hvn at open.com.au
> > <mailto:hvn at open.com.au>> wrote:
> >
> >     On 02/17/2012 03:27 AM, Jay Tuala wrote:
> >
> >     > I followed the 'RPM format for Linux' link and accepted the license
> >     > agreement to download the file. After downloading the file onto the
> >     > Centos, I tried the 'rpm -ivh Radiator-Locked-4.9-2.noarch.rpm'
> >     command
> >     > but still getting the same issue. By the way, is there any issue with
> >     > running Radiator on a vm. I wouldn't think so but just wondering if I
> >     > needed a seperate box for radiator?
> >
> >     If you use e.g. less command or editor to view the downloaded RPM file
> >     do you see HTML page or RPM binary? It still sounds like HTML file was
> >     downloaded.
> >
> >     Running Radiator on a virtual machine is not a problem. It's actually
> >     quite common.
> >
> >     Thanks!
> >     Heikki
> >
> >     > Many thanks,
> >     > Jay  #radiatornewbie :-|
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > On Fri, Feb 17, 2012 at 1:45 PM, Heikki Vatiainen <hvn at open.com.au
> >     <mailto:hvn at open.com.au>
> >     > <mailto:hvn at open.com.au <mailto:hvn at open.com.au>>> wrote:
> >     >
> >     >     On 02/15/2012 10:31 PM, Jay Tuala wrote:
> >     >
> >     >     Hello Jay,
> >     >
> >     >     > following the setup notes and can't seem to install Radiator
> >     rpm file.
> >     >     > I'm a newbie to centos/radiator but am really keen to set it up
> >     >     and test it.
> >     >     >
> >     >     > the error i'm getting is as follows:
> >     >     >
> >     >     > [root at radiator1 ~]# rpm -ivh Radiator-Locked-4.9-2.noarch.rpm
> >     >     > Retrieving
> >     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> >     >     > error: skipping
> >     >     http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
> >     >     > - transfer failed - Unknown or unexpected error
> >     >
> >     >     That looks like head of HTML file from the Radiator downloads
> >     section.
> >     >     The link titled 'RPM format for Linux' in the table listing
> >     different
> >     >     versions gives you the download page, not the RPM. So please try
> >     >     downloading again.
> >     >
> >     >     Thanks!
> >     >     Heikki
> >     >
> >     >
> >     >     > I have the file located below,
> >     >     >
> >     >     > [root at radiator1 ~]# ls
> >     >     > anaconda-ks.cfg  install.log  install.log.syslog
> >     >     > Radiator-Locked-4.9-2.noarch.rpm
> >     >     >
> >     >     >
> >     >     >
> >     >     > I would greatly appreciate any help i can get.
> >     >     >
> >     >     >
> >     >     > Many thanks,
> >     >     > J
> >     >     >
> >     >     >
> >     >     > _______________________________________________
> >     >     > radiator mailing list
> >     >     > radiator at open.com.au <mailto:radiator at open.com.au>
> >     <mailto:radiator at open.com.au <mailto:radiator at open.com.au>>
> >     >     > http://www.open.com.au/mailman/listinfo/radiator
> >     >
> >     >
> >     >     --
> >     >     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>
> >     <mailto:hvn at open.com.au <mailto:hvn at open.com.au>>>
> >     >
> >     >     Radiator: the most portable, flexible and configurable RADIUS
> >     server
> >     >     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
> >     Emerald,
> >     >     Platypus, Freeside, TACACS+, PAM, external, Active Directory,
> >     EAP, TLS,
> >     >     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >     >     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >     >     NetWare etc.
> >     >
> >     >
> >
> >
> >     --
> >     Heikki Vatiainen <hvn at open.com.au <mailto:hvn at open.com.au>>
> >
> >     Radiator: the most portable, flexible and configurable RADIUS server
> >     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >     Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >     NetWare etc.
> >
> >
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120220/db81a4fc/attachment-0001.html 

From puchol at me.com  Mon Feb 20 18:36:15 2012
From: puchol at me.com (Mike Puchol)
Date: Tue, 21 Feb 2012 01:36:15 +0100
Subject: [RADIATOR] Cannot install rpm file
In-Reply-To: <7C55EBE5-CDDA-481D-A40A-41748E742E97@me.com>
References: <CAO5qXN7u9WxtZA7w5i_qBxOjQruQfrK5yiwxF_c5pT6qJV5o5Q@mail.gmail.com>
	<4F3D9516.6090207@open.com.au>
	<CAO5qXN7pmLnGOoEgMxjUD=Yy8RrKrmxNUj555oPQcyamoSY56w@mail.gmail.com>
	<4F3E199D.2080705@open.com.au>
	<CAO5qXN5Pr5riFLeXxjAx35CR1qTV9Q-xtj1QWfQht+rQdB+f=w@mail.gmail.com>
	<4F420623.7030208@open.com.au>
	<CAO5qXN5yh8ee4N6yy9nEH0OsKJABPH0=Q4ynfS_ar==Z376isA@mail.gmail.com>
	<7C55EBE5-CDDA-481D-A40A-41748E742E97@me.com>
Message-ID: <AD186098F4634F04A59EF7BC98C8649D@me.com>

Well, on every email, at the bottom, you have: 

http://www.open.com.au/mailman/listinfo/radiator

and at the bottom of that is a text field + button that allows you to enter your email and unsubscribe. 


On Tuesday, February 21, 2012 at 12:40 AM, Simon Morley wrote:

> How on earth can I unsubscribe from this list?
> 
> I don't think the email unsubscribe options work... 
> 
> Please take me off the list.
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120221/e44b5c25/attachment.html 

From supphasak.n at touchtechnologies.co.th  Mon Feb 20 21:47:14 2012
From: supphasak.n at touchtechnologies.co.th (Supphasak Ninjarat)
Date: Tue, 21 Feb 2012 10:47:14 +0700
Subject: [RADIATOR] Raddius Question : Acct-Interim-Interval session time
 not working (Want to Top-Up Session Time Online)
Message-ID: <CAOBkk9LE3QKaUspOccUpV7j5SYosb0_=sPMN=Ady1cvUMGQzfA@mail.gmail.com>

Hello all,

Purpose : Want to Top-Up Session Time Online Login

I am using freeradius 2.1.0 on Ubuntu 10.10 and using rp-pppoe server and
chillispot server for user login authentication method on same machine and
set up radius attribute for end user such as
#-------------------------------------------------------------------------------------

*radtest   abc   abc123   127.0.0.1  0   SecretKey*
Sending Access-Request of id 185 to 127.0.0.1 port 1812
        User-Name = "abc"
        User-Password = "abc123"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185,
length=80
        Idle-Timeout = 600
        WISPr-Bandwidth-Max-Down = 100000000
        WISPr-Bandwidth-Max-Up = 100000000
        *Acct-Interim-Interval = 60*
        Acct-Status-Type = Interim-Update
        *Session-Timeout = 300*

( All  user can login all of session is 5mins )
#-------------------------------------------------------------------------------------


1.After first use logged in  ( with pppoe or chillispot) the user "abc" use
the network times 200secs  (left time=100secs) and logged off later.

2.The user "abc"  logged in again with radius message
        User-Name = "abc"
        User-Password = "abc123"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185,
length=80
        Idle-Timeout = 600
        WISPr-Bandwidth-Max-Down = 100000000
        WISPr-Bandwidth-Max-Up = 100000000
        *Acct-Interim-Interval = 60*
        Acct-Status-Type = Interim-Update
        *Session-Timeout = 100*

 During live logged in session , In the radius database and radacct table
has 2 record insert (first record is first login and *secondary record is
now login*)

 I delete the first database record (use time= 200secs) so that the
attribute Acct-Interim-Interval it is  updating  all sessiontime count to 0
and "abc" can use the network 300secs. But it is not updating session and
the user "abc" was terminate after 100 secs normally  by AcctTerminateCause
 is "Session-Timeout" .

     What does debug or how?

Thanks for every thing.


-- 
Touch Technologies
Mr. Supphasak Ninjarat
089-4595046
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120221/43be948b/attachment.html 

From hugh at open.com.au  Mon Feb 20 22:32:55 2012
From: hugh at open.com.au (Hugh Irvine)
Date: Tue, 21 Feb 2012 15:32:55 +1100
Subject: [RADIATOR] Raddius Question : Acct-Interim-Interval session
	time not working (Want to Top-Up Session Time Online)
In-Reply-To: <CAOBkk9LE3QKaUspOccUpV7j5SYosb0_=sPMN=Ady1cvUMGQzfA@mail.gmail.com>
References: <CAOBkk9LE3QKaUspOccUpV7j5SYosb0_=sPMN=Ady1cvUMGQzfA@mail.gmail.com>
Message-ID: <097904AF-6801-4BB6-A449-BDEF35AE7FA3@open.com.au>


Hello -

This is the Radiator mailing list, not the freeradius mailing list.

regards

Hugh


On 21 Feb 2012, at 14:47, Supphasak Ninjarat wrote:

> Hello all, 
> 
> Purpose : Want to Top-Up Session Time Online Login
> 
> I am using freeradius 2.1.0 on Ubuntu 10.10 and using rp-pppoe server and chillispot server for user login authentication method on same machine and set up radius attribute for end user such as 
> #------------------------------------------------------------------------------------- 
> radtest   abc   abc123   127.0.0.1  0   SecretKey
> Sending Access-Request of id 185 to 127.0.0.1 port 1812 
>         User-Name = "abc" 
>         User-Password = "abc123" 
>         NAS-IP-Address = 127.0.1.1 
>         NAS-Port = 0 
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185, length=80 
>         Idle-Timeout = 600 
>         WISPr-Bandwidth-Max-Down = 100000000 
>         WISPr-Bandwidth-Max-Up = 100000000 
>         Acct-Interim-Interval = 60
>         Acct-Status-Type = Interim-Update 
>         Session-Timeout = 300
> 
> ( All  user can login all of session is 5mins ) 
> #------------------------------------------------------------------------------------- 
> 
> 1.After first use logged in  ( with pppoe or chillispot) the user "abc" use the network times 200secs  (left time=100secs) and logged off later. 
> 
> 2.The user "abc"  logged in again with radius message 
>         User-Name = "abc" 
>         User-Password = "abc123" 
>         NAS-IP-Address = 127.0.1.1 
>         NAS-Port = 0 
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185, length=80 
>         Idle-Timeout = 600 
>         WISPr-Bandwidth-Max-Down = 100000000 
>         WISPr-Bandwidth-Max-Up = 100000000 
>         Acct-Interim-Interval = 60  
>         Acct-Status-Type = Interim-Update 
>         Session-Timeout = 100
> 
>  During live logged in session , In the radius database and radacct table has 2 record insert (first record is first login and secondary record is now login)    
> 
>  I delete the first database record (use time= 200secs) so that the attribute Acct-Interim-Interval it is  updating  all sessiontime count to 0 and "abc" can use the network 300secs. But it is not updating session and the user "abc" was terminate after 100 secs normally  by AcctTerminateCause  is "Session-Timeout" . 
>  
>      What does debug or how? 
> 
> Thanks for every thing. 
> 
> 
> -- 
> Touch Technologies
> Mr. Supphasak Ninjarat
> 089-4595046
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


From alby26 at gmail.com  Tue Feb 21 04:29:02 2012
From: alby26 at gmail.com (Alby)
Date: Tue, 21 Feb 2012 11:29:02 +0100
Subject: [RADIATOR] Radiator's database handle
In-Reply-To: <4F3D6B02.1030604@vianet.ca>
References: <CAGg551HpsdvLkBUqB799kXbpsGayAOgfYpv9Lpmoa1M85hMRfA@mail.gmail.com>
	<4F3D138F.6030201@vianet.ca>
	<CAGg551F44+vawuOgg5w0BnK+eSdkteuhbxAoyBsimesiS-nMeQ@mail.gmail.com>
	<4F3D5B28.4090103@vianet.ca> <4F3D6B02.1030604@vianet.ca>
Message-ID: <CAGg551FE8-CiN8SyWN5XgFfq_EdZeQJHQ40CvvpetErscwZiGg@mail.gmail.com>

Hi Michael,
thank you for your response. Now I agree with you. It seems that doing a
new Auth clause is the best way to solve my problems, although it is not
the easier one.
I'm working on it hard!
Bye
Alberto

Il giorno 16 febbraio 2012 21:45, Michael <ringo at vianet.ca> ha scritto:

> maybe this may help spark some ideas:
> - check normal auth.
> - if pass, done and accept.
> - if fail, continue to a second auth that checks only a password.
> - if fail, done and reject.
> - but if password only passes, send to another handler which does
> something.
>
>
> <Handler ...>
>        # auth policy set to continue only if the auth fails.
>        AuthByPolicy    ContinueWhileReject
>
>        AuthLog NORMAL_ATUH_LOG
>
>        # a normal username/password test
>        <AuthBy SQL>
>        ...
>        </AuthBy>
>
>        # due to policy, this is only done if previous failed.
>        <AuthBy GROUP>
>                # policy changed
>                AuthByPolicy    ContinueWhileAccept
>
>                # authby to check a DEFAULT account and check password only.
>                <AuthBy SQL>
>                ...
>
>                       AuthSelect      SELECT username, crypt, ... FROM
> table WHERE BINARY username='DEFAULT'
>
>                        AuthColumnDef   1, Encrypted-Password, check
>                        AuthColumnDef   2, ...
>                ...
>                </AuthBy>
>
>                # due to AuthByPolicy only pass to another handler if
> previous auth passes.
>                <AuthBy HANDLER>
>                        HandlerId "call another handler"
>                </AuthBy>
>        </AuthBy>
> </Handler>
>
>
>
>
>
>
>
>
> On 12-02-16 02:38 PM, Michael wrote:
>
>> sounds like you may be trying to do something that is pretty complex.
>>  maybe you should be thinking about creating your own custom Auth Clause.
>> section 17.0 in the Radiator manual. For example, i've created my own Auth
>> Clause (AuthUNIX_UID) to support the UID value from unix password files as
>> it was required for my purpose.  The normal AuthUNIX doesn't do anything
>> with UIDs.
>>
>>
>>
>> On 12-02-16 09:55 AM, Alby wrote:
>>
>>> Hi Michael,
>>> thank you for your answer!
>>> I agree with you, if you can do what you need with Radiator's
>>> configuration, of course it is a better way to operate. But I need to
>>> implement a sort of Self-Provisioning  procedure. When a new user tries to
>>> authenticate, I first let Radiator rejects the request (because the user
>>> does not have an account on the system). But then I check if the user
>>> satisfies with some prerequisites (e.g. a special password used and some
>>> more). If so, I create an account for the new user (and write the SQL
>>> database from my PostAuthHook) and then notify it of the account creation,
>>> for example by mail. Up to now, I use a PostAuthHook script to do that. It
>>> works very well, the only matter is about the performance when writing to
>>> the database because I connect and disconnect each time. I've tried to do
>>> it in other ways, but without any success, since up to now this seems to be
>>> the best solution.
>>> Cheers,
>>> Alberto
>>>
>>> Il giorno 16 febbraio 2012 15:32, Michael<ringo at vianet.ca<**mailto:
>>> ringo at vianet.ca>>  ha scritto:
>>>
>>>     I hate to answer a question with another question, but what, why
>>> and/or when are you writing data to the sql?  I write data to sql but I do
>>> it through any combination of<AuthBy SQL>  <AuthLog SQL>, and sometimes an
>>> AuthBy SessionDB.  Works much better for me.  I try to avoid custom hooks
>>> if at all possible.  The ability for hooks is great to have, but if
>>> Radiator can already do a task just through config, i try to do it that way
>>> instead of a hook.
>>>
>>>     So, if you want to write something to a table for example ever time
>>> a user authenticates, use an<AuthBy AuthLog>, a SuccessQuery, and
>>> "LogSuccess      1".
>>>     if you want to write something when stop packets come in, use<AuthBy
>>> SQL>, with "HandleAcctStatusTypes   Stop", and a AcctSQLStatement.
>>>
>>>     depends on what you need to do.
>>>
>>>
>>>
>>>     On 12-02-16 09:17 AM, Alby wrote:
>>>
>>>         Hi all,
>>>         I'm using radiator with a SQL database that stores the users'
>>> data. I've also a PostAuthHook that writes some data on the SQL database.
>>> Up to now my Hook connects to the database, writes the data and then
>>> disconnects. I suspect that connecting and disconnecting each time I write
>>> to the database is not a really good idea (expecially for the performance).
>>> I've noticed that Radiator opens the connection to the database only the
>>> first time, then reuses it (this is of course a better way than mine).
>>> Since the database that I write is the same that I use on Radiator (same
>>> name, same user and same password), is there a way to reuse the Radiator's
>>> DB handle instead of creating a new one and destroying it each time?
>>>         At at first glance, my idea was to open the database connection
>>> with a StartUpHook and then close with a ShutdownHook, but there is the
>>> problem on how to share the DB handle between the three Hooks. This should
>>> be made securely, because if an attacker is able to obtain the handler, it
>>> will be able to read and write the database without performing
>>> authentication first, I think. In my opinion reusing the Radiator DB handle
>>> is the best solution if it can be implemented.
>>>         Thank you very much in advance for your help and for your
>>> attention
>>>         Alberto
>>>
>>>
>>>         ______________________________**___________________
>>>         radiator mailing list
>>>         radiator at open.com.au<mailto:ra**diator at open.com.au<radiator at open.com.au>
>>> >
>>>         http://www.open.com.au/__**mailman/listinfo/radiator<http://www.open.com.au/__mailman/listinfo/radiator>
>>> <http**://www.open.com.au/mailman/**listinfo/radiator<http://www.open.com.au/mailman/listinfo/radiator>
>>> >
>>>
>>>
>>>  ______________________________**_________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/**mailman/listinfo/radiator<http://www.open.com.au/mailman/listinfo/radiator>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120221/50b7e20c/attachment-0001.html 

From shay_smith at ddouglas.k12.or.us  Tue Feb 21 17:56:07 2012
From: shay_smith at ddouglas.k12.or.us (Shay Smith)
Date: Tue, 21 Feb 2012 15:56:07 -0800
Subject: [RADIATOR] Authenticating Devices...
Message-ID: <CAAM=0pBAABczSj5cYDWC6e7rTDvgP5HmTGRULgZm4PXZQ2RE0g@mail.gmail.com>

Hello,

I've got a working config that authenticates users connecting via Wifi.
Their credentials are compared against our LDAP database. I'm having
trouble figuring out how to get a non-login device to have access over the
same AP. I would like to know how to get a network device on the network
without requiring a login. I'd really like to compare it's MAC address or
IP address against a list in MySQL.

-- 
Shay Smith
----------------------------------------

Gmail Evangelist
David Douglas School District
503-261-8235

www.ddouglas.k12.or.us
<http://shay.ddouglas.k12.or.us>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120221/97f2f1c7/attachment.html 

From puchol at me.com  Tue Feb 21 19:07:15 2012
From: puchol at me.com (Mike Puchol)
Date: Wed, 22 Feb 2012 02:07:15 +0100
Subject: [RADIATOR] Authenticating Devices...
In-Reply-To: <CAAM=0pBAABczSj5cYDWC6e7rTDvgP5HmTGRULgZm4PXZQ2RE0g@mail.gmail.com>
References: <CAAM=0pBAABczSj5cYDWC6e7rTDvgP5HmTGRULgZm4PXZQ2RE0g@mail.gmail.com>
Message-ID: <C1301BC9ED2841DEB70B8873686A44E1@me.com>

Shay, 

You should be able to configure your hotspot to perform MAC-based authentication by default upon stations associating. What this results is in an access-request with the username set to the MAC of the connecting device. You can keep these in your normal subscribers database.

Cheers,

Mike 


On Wednesday, February 22, 2012 at 12:56 AM, Shay Smith wrote:

> Hello,
> 
> I've got a working config that authenticates users connecting via Wifi. Their credentials are compared against our LDAP database. I'm having trouble figuring out how to get a non-login device to have access over the same AP. I would like to know how to get a network device on the network without requiring a login. I'd really like to compare it's MAC address or IP address against a list in MySQL.
> 
> -- 
> Shay Smith
> ----------------------------------------
> 
> 
> Gmail Evangelist
> David Douglas School District
> 503-261-8235 
> 
> www.ddouglas.k12.or.us (http://www.ddouglas.k12.or.us)
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au (mailto:radiator at open.com.au)
> http://www.open.com.au/mailman/listinfo/radiator
> 
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120222/50606936/attachment.html 

From webmaster at alluneed.it  Wed Feb 22 05:25:58 2012
From: webmaster at alluneed.it (G.N.)
Date: Wed, 22 Feb 2012 12:25:58 +0100
Subject: [RADIATOR] (Radiator) Filtering log Message
Message-ID: <C4A27EEF-E004-4C15-95FD-7AA1F5C9F82F@alluneed.it>

Hi All,

i would like to know if is possible to filter Authlog entry, logging all except access from certain username.

Here my AuthLog conf

<AuthLog FILE>
        Identifier tL
        Filename %L/Auth
        LogSuccess 1
        LogFailure 0
        SuccessFormat %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
</AuthLog>

Thank's.

G.

From hvn at open.com.au  Wed Feb 22 16:04:27 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 23 Feb 2012 00:04:27 +0200
Subject: [RADIATOR] (Radiator) Filtering log Message
In-Reply-To: <C4A27EEF-E004-4C15-95FD-7AA1F5C9F82F@alluneed.it>
References: <C4A27EEF-E004-4C15-95FD-7AA1F5C9F82F@alluneed.it>
Message-ID: <4F45666B.4070605@open.com.au>

On 02/22/2012 01:25 PM, G.N. wrote:

> i would like to know if is possible to filter Authlog entry, logging all except access from certain username.

Unfortunately that is not possible.

> Here my AuthLog conf
> 
> <AuthLog FILE>
>         Identifier tL
>         Filename %L/Auth
>         LogSuccess 1
>         LogFailure 0
>         SuccessFormat %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
> </AuthLog>

There are a couple of possibilities:
1. Use a script, based on grep or something similar, to filter
everything else except of the usernames you are interested in.

2. You could experiment with a named pipe
http://en.wikipedia.org/wiki/Named_pipe

Create a named pipe with mkfifo command and create a process that reads
the named fifo. For example:

% while :; do cat Auth|grep -v hvn ; done

This will print out only LogSuccess lines that do not contain 'hvn'. The
while loop is needed because radiusd closes the file after each write.

Note that possibility 1 is the best especially if you are not familiar
with handling named pipes. For example, you should watch file
permissions and keep the reader process running all the time or radiusd
will block waiting for the reader.

Thanks!
Heikki


> Thank's.
> 
> G.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Wed Feb 22 16:33:51 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 23 Feb 2012 00:33:51 +0200
Subject: [RADIATOR] Authenticating Devices...
In-Reply-To: <CAAM=0pBAABczSj5cYDWC6e7rTDvgP5HmTGRULgZm4PXZQ2RE0g@mail.gmail.com>
References: <CAAM=0pBAABczSj5cYDWC6e7rTDvgP5HmTGRULgZm4PXZQ2RE0g@mail.gmail.com>
Message-ID: <4F456D4F.9060403@open.com.au>

On 02/22/2012 01:56 AM, Shay Smith wrote:

> I've got a working config that authenticates users connecting via Wifi.
> Their credentials are compared against our LDAP database. I'm having
> trouble figuring out how to get a non-login device to have access over
> the same AP. I would like to know how to get a network device on the
> network without requiring a login. I'd really like to compare it's MAC
> address or IP address against a list in MySQL.

You could consider using AuthenticateAttribute and/or NoCheckPassword
(see ref.pdf for more) to change how username lookup is done and if
password checking is needed. Be sure to check Trace 4 log to see how the
SQL queries and Radiator behaviour changes with the above options.

This might be the way to go if you can not configure your wlan gear to
send mac address as username as Mike suggested.

Thanks!
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From nmarques at ubi.pt  Thu Feb 23 03:59:50 2012
From: nmarques at ubi.pt (Nuno Marques)
Date: Thu, 23 Feb 2012 09:59:50 +0000
Subject: [RADIATOR] Inner and outer authentication
Message-ID: <016901ccf211$e216e9a0$a644bce0$@ubi.pt>

Hello

While storing the accounting information of a TTLS authentication I noticed
that the login name being stored is the outer one and the inner
authentication (the real one) is missing in the accounting.
Is there a way to get my accounting filled up with the inner login and not
with the outer login?

Best regards,
Nuno Marques

Here's some of the code that I'm using:

<AuthBy LDAP2>
        Identifier      PessoalAlunos
        Host            ubi.pt
        Port            3268
        EAPType         PEAP, TTLS, TLS
        EAPTLS_CAFile /etc/radiator/certificate.pem
        EAPTLS_CertificateFile /etc/radiator/certificate.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/key.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
        AuthDN          cn=ldap,cn=Users,dc=ubi,dc=pt
        AuthPassword    rt78mn!"
        BaseDN          dc=ubi,dc=pt
        Scope           sub
        UsernameAttr    cn
        ServerChecksPassword
</AuthBy>

<Handler Realm=/pessoal.ubi.pt/i, TunnelledByTTLS=1>
        AuthByPolicy ContinueAlways
        AuthBy SQLAccounting
        RewriteUsername s/^([^@]+).*/$1/
        AuthLog localusers
        AcctLogFileName %L/%Y-%m-local-detail
        AuthBy PessoalAlunos
</Handler>

<Handler Realm=/pessoal.ubi.pt/i>
        AuthByPolicy ContinueAlways
        AuthBy SQLAccounting
        AuthLog localusers
        AcctLogFileName %L/%Y-%m-local-detail
        AuthBy PessoalAlunos
</Handler>


________________________________

UBI amiga do ambiente: Antes de imprimir este e-mail pense bem se tem mesmo que o fazer. As ?rvores s?o um bem imprescind?vel.

From hvn at open.com.au  Thu Feb 23 08:46:58 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 23 Feb 2012 16:46:58 +0200
Subject: [RADIATOR] (Radiator) Filtering log Message
In-Reply-To: <4F45666B.4070605@open.com.au>
References: <C4A27EEF-E004-4C15-95FD-7AA1F5C9F82F@alluneed.it>
	<4F45666B.4070605@open.com.au>
Message-ID: <4F465162.7010707@open.com.au>

Following up myself with one more option:

The patches for 4.9 now has support for defining Filename in AuthLog
FILE similarly to Filename in Log FILE. That is, | (pipe) character can
be specified to support this:

 # Pipe to my-log-prog
 Filename |/usr/local/bin/my-log-prog

See e.g., section "5.13.1 Filename" for more about using pipes.

Heikki


On 02/23/2012 12:04 AM, Heikki Vatiainen wrote:

> On 02/22/2012 01:25 PM, G.N. wrote:
> 
>> i would like to know if is possible to filter Authlog entry, logging all except access from certain username.
> 
> Unfortunately that is not possible.
> 
>> Here my AuthLog conf
>>
>> <AuthLog FILE>
>>         Identifier tL
>>         Filename %L/Auth
>>         LogSuccess 1
>>         LogFailure 0
>>         SuccessFormat %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
>> </AuthLog>
> 
> There are a couple of possibilities:
> 1. Use a script, based on grep or something similar, to filter
> everything else except of the usernames you are interested in.
> 
> 2. You could experiment with a named pipe
> http://en.wikipedia.org/wiki/Named_pipe
> 
> Create a named pipe with mkfifo command and create a process that reads
> the named fifo. For example:
> 
> % while :; do cat Auth|grep -v hvn ; done
> 
> This will print out only LogSuccess lines that do not contain 'hvn'. The
> while loop is needed because radiusd closes the file after each write.
> 
> Note that possibility 1 is the best especially if you are not familiar
> with handling named pipes. For example, you should watch file
> permissions and keep the reader process running all the time or radiusd
> will block waiting for the reader.
> 
> Thanks!
> Heikki
> 
> 
>> Thank's.
>>
>> G.
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Thu Feb 23 09:10:39 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Thu, 23 Feb 2012 17:10:39 +0200
Subject: [RADIATOR] Inner and outer authentication
In-Reply-To: <016901ccf211$e216e9a0$a644bce0$@ubi.pt>
References: <016901ccf211$e216e9a0$a644bce0$@ubi.pt>
Message-ID: <4F4656EF.1050603@open.com.au>

On 02/23/2012 11:59 AM, Nuno Marques wrote:

Hello Nuno,

> While storing the accounting information of a TTLS authentication I noticed
> that the login name being stored is the outer one and the inner
> authentication (the real one) is missing in the accounting.
> Is there a way to get my accounting filled up with the inner login and not
> with the outer login?

Try adding adding 'AddToReply User-Name=%y' in PessoalAlunos AuthBy (the
inner AuthBy). The username should then be returned with Access-Accept
to the NAS. The NAS should then use it as User-Name for the accounting
requests. See this for more:

http://tools.ietf.org/html/rfc2865#section-5.1

Note that this exposes the real username which TTLS hides. If this is
not acceptable, see goodies/eap_anon_hook.pl for another alternative.

Heikki


> Best regards,
> Nuno Marques
> 
> Here's some of the code that I'm using:
> 
> <AuthBy LDAP2>
>         Identifier      PessoalAlunos
>         Host            ubi.pt
>         Port            3268
>         EAPType         PEAP, TTLS, TLS
>         EAPTLS_CAFile /etc/radiator/certificate.pem
>         EAPTLS_CertificateFile /etc/radiator/certificate.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/key.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         AuthDN          cn=ldap,cn=Users,dc=ubi,dc=pt
>         AuthPassword    rt78mn!"
>         BaseDN          dc=ubi,dc=pt
>         Scope           sub
>         UsernameAttr    cn
>         ServerChecksPassword
> </AuthBy>
> 
> <Handler Realm=/pessoal.ubi.pt/i, TunnelledByTTLS=1>
>         AuthByPolicy ContinueAlways
>         AuthBy SQLAccounting
>         RewriteUsername s/^([^@]+).*/$1/
>         AuthLog localusers
>         AcctLogFileName %L/%Y-%m-local-detail
>         AuthBy PessoalAlunos
> </Handler>
> 
> <Handler Realm=/pessoal.ubi.pt/i>
>         AuthByPolicy ContinueAlways
>         AuthBy SQLAccounting
>         AuthLog localusers
>         AcctLogFileName %L/%Y-%m-local-detail
>         AuthBy PessoalAlunos
> </Handler>
> 
> 
> ________________________________
> 
> UBI amiga do ambiente: Antes de imprimir este e-mail pense bem se tem mesmo que o fazer. As ?rvores s?o um bem imprescind?vel.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From Traiano.Welcome at mtnbusiness.co.za  Fri Feb 24 09:49:11 2012
From: Traiano.Welcome at mtnbusiness.co.za (Traiano Welcome)
Date: Fri, 24 Feb 2012 15:49:11 +0000
Subject: [RADIATOR] Documentation Update? Sources for SNMP_Session
Message-ID: <CB6D7E16.8DB2%traiano.welcome@mtnbusiness.co.za>

Hi Radiator Developers!

 I see in the Radiator reference manual section (Radiator version 4.9) on
SNMP Monitoring for radiator:

---
5.15 <SNMPAgent>
.
.
.
SNMPAgent requires SNMP_Session-0.92.tar.gz or later from
http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
---

However it appears this URL is no longer valid on the www.switch.ch site.
Simon Leinen, who hosted it on his staff website says that SWITCH is no
longer supporting personal staff pages and so he's moved the home page for
SNMP_Session to: 

 https://code.google.com/p/snmp-session/

You might want to update the documentation with this.

Kind Regards,
Traiano Welcome






From Andreas.Bader at rus.uni-stuttgart.de  Fri Feb 24 11:03:46 2012
From: Andreas.Bader at rus.uni-stuttgart.de (Andreas Bader)
Date: Fri, 24 Feb 2012 18:03:46 +0100
Subject: [RADIATOR] MacSec (802.1AE) possible with Radiator?
Message-ID: <4F47C2F2.8020002@rus.uni-stuttgart.de>

An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120224/69cdd76b/attachment.html 

From Andreas.Bader at rus.uni-stuttgart.de  Fri Feb 24 11:08:15 2012
From: Andreas.Bader at rus.uni-stuttgart.de (Andreas Bader)
Date: Fri, 24 Feb 2012 18:08:15 +0100
Subject: [RADIATOR] MacSec (802.1AE) possible with Radiator?
Message-ID: <4F47C3FF.7060002@rus.uni-stuttgart.de>

Sry. the mail got scrubbed ... here again in plain

---------------------

Hi,

I am actually trying to get a testbed ready for Cisco MacSec with 
Radiator as radius server, but I don't know if this is even possible.
Does Radiator has the needed features? (see links below)
Did anyone tried that already? (I didn't find anything on google or on 
the mailinglist about radiator and macsec).

The main problem ist that cisco uses some new EAP arguments for macsec 
and these seem to require EAP-FAST and EAP-FASTv2.
When you try first without any special config, you will get something 
like "Zero length EAP Session ID" from MKA.
It seems that Macsec needs some attributes like MS-MPPE-Send-Key, 
MS-MPPE-Recv-Key and EAP-Key-Name. If you define those with some values, 
the error changes to:
*Mar  1 02:06:56.704: MKA-EVENT: MKPDU Validation - CA entry was NOT 
found for Rx CKN xxxx xxxx xxxx xxxx.
*Mar  1 02:10:07.906: MKA-EVENT: MKPDU Validation failed (error: 
INVALID_PARAM).

The problem is, that the CKN (some kind of key) is generated with 
EAP-Session ID, EAP-Key-Name, etcpp. But these values are normally 
calculated by the EAP functions and so I don't know how to specify them 
myself. The Problem is that the CKN is wrong, there is no problems with 
the certs (they are correctly imported at the client machine, etc.).

Everything works with 802.1x without MacSec (802.1AE)!

Here the actual testbed:
We got 1 x Cisco 3750-X, 1 x Cisco 3750.
There we have basically two machines plugged in: A Ubuntu 11.10 machine, 
which is dhcp,bind and radius server (Radiator).
(Kernel is 3.0.0.15-generic, Ubuntu 11.10). Radiator version is 4.9.
The other machine is the "client" plugged into the 3750-X with Windows 7 
Professional N and Cisco Anyconnect Secure Mobility Client 3.0.5080.

I also tried freeradius, but it can not really do EAP-FAST, so it does 
not even work when you define some EAP-Key-Name value. (You don't get 
further than the "zero length session id" error mentioned above).

I post you some links below for more information. I don't know if I am 
allowed to post links to Cisco and Freeradius on the mailinglist here, 
sry. if it is not allowed, please delete the links then.

Hopefully somebody knows the right settings for getting this to work. If 
not, is it planned to be implemented in future versions of radiator?

Some of my configs, mainly standardconfigs:
/etc/radiator/users:
[...]
testuser User-Password = "xxx"
         MS-MPPE-Send-Key = "xxx",
         MS-MPPE-Recv-Key = "xxx",
         EAP-Key-Name = "xxx"
[...]

/etc/radiator/radius.cfg
[...]
<Client 192.168.0.2>
     Secret xxx
     NasType Cisco
</Client>

<Client 192.168.0.3>
         Secret xxx
         NasType Cisco
</Client>
[...]
<Handler TunnelledByPEAP=1>
     RewriteUsername s/(.*)\\(.*)/$2/
<AuthBy FILE>
         Filename %D/users
         EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
         EAPTLS_CertificateType PEM
         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
         EAPTLS_PrivateKeyPassword whatever
         EAPTLS_MaxFragmentSize 500
</AuthBy>
</Handler>
<Handler TunnelledByTTLS=1>
<AuthBy FILE>
         Filename %D/users
         EAPType MSCHAP-V2,MD5,TLS
         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
         EAPTLS_CertificateType PEM
         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
         EAPTLS_PrivateKeyPassword whatever
</AuthBy>
</Handler>

<Handler TunnelledByFAST=1>
<AuthBy FILE>
            Filename %D/users
            EAPType MSCHAP-V2,Generic-Token
            AutoMPPEKeys
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
         Filename %D/users
             EAPType FAST,MSCHAP-V2,TTLS,TLS
         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
         EAPTLS_CertificateType PEM
         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
         EAPTLS_PrivateKeyPassword whatever
         EAPTLS_MaxFragmentSize 1000.
         AutoMPPEKeys
         EAPTLS_PEAPVersion 0
         EAPTLS_PEAPBrokenV1Label
         EAPTLS_DHFile %D/certificates/dh2048.pem
</AuthBy>
        PreProcessingHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
        PostAuthHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
        AcctLogFileName %D/detail

</Handler>
[...]

xxxx always some self chosen strings, containing numbers and characters.

Links for more information:
http://freeradius.1045715.n5.nabble.com/Configuring-freeradius-for-MACsec-td5508545.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1316521
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

Best Regards


From mikem at open.com.au  Fri Feb 24 15:39:38 2012
From: mikem at open.com.au (Mike McCauley)
Date: Sat, 25 Feb 2012 07:39:38 +1000
Subject: [RADIATOR] Documentation Update? Sources for SNMP_Session
In-Reply-To: <CB6D7E16.8DB2%traiano.welcome@mtnbusiness.co.za>
References: <CB6D7E16.8DB2%traiano.welcome@mtnbusiness.co.za>
Message-ID: <5560815.4zOoTC9I4m@zulu>

Hi,

Thanks for reporting this.
It will be fixed in the next release of Radiator and has already been updated 
in the FAQ.

Thanks again.

Cheers.

On Friday, February 24, 2012 03:49:11 PM Traiano Welcome wrote:
> Hi Radiator Developers!
> 
>  I see in the Radiator reference manual section (Radiator version 4.9) on
> SNMP Monitoring for radiator:
> 
> ---
> 5.15 <SNMPAgent>
> .
> .
> .
> SNMPAgent requires SNMP_Session-0.92.tar.gz or later from
> http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
> ---
> 
> However it appears this URL is no longer valid on the www.switch.ch site.
> Simon Leinen, who hosted it on his staff website says that SWITCH is no
> longer supporting personal staff pages and so he's moved the home page for
> SNMP_Session to:
> 
>  https://code.google.com/p/snmp-session/
> 
> You might want to update the documentation with this.
> 
> Kind Regards,
> Traiano Welcome
> 
> 
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


From bruno.tiago.rodrigues at gmail.com  Mon Feb 27 12:45:41 2012
From: bruno.tiago.rodrigues at gmail.com (Bruno Tiago Rodrigues)
Date: Mon, 27 Feb 2012 18:45:41 +0000
Subject: [RADIATOR] PreClientHook not behaving as expected
Message-ID: <CAEpGAkHTXAdtG78CqdJVyp4aFsOVm4w0gBs2jsO1Bc1iJuVeuQ@mail.gmail.com>

This looks like a basic question, but I haven't been able to sort it out.

Basically I have a structure of Radiator AuthBy and Handlers set for
Accounting and needed to filter out some "special" packets being sent
to the server.

I've done this with a specific hook, pointed it to a ClientHook clause
and had it running as expected. Then I moved it to a PreClientHook
clause and it didn't work properly.

This is happening when I peek at the Acct-Status-Type for the request
packet, I managed to narrow it down to a specific bit of code, but I
found out by dumping the packet structure that there are other fields
showing up garbled.

When called from a PreClientHook, Data::Dumper on the request packet
shows a bunch of entries like this
                 'Attributes' => [
                                   [
                                     'Acct-Status-Type',
                                     '^@^@^@^C'
                                   ],
                                   [
                                     'NAS-IP-Address',
                                     'S<AE>3<FD>'
                                   ],
                                   [
                                     'User-Name',
                                     '00:14:7f:eb:36:4b'
                                   ],
                                   [
                                     'Framed-IP-Address',
                                     'S<AE>5<EA>'
                                   ],
                                   [
                                     'Framed-IP-Netmask',
                                     '<FF><FF><FF><80>'
                                   ],
                                   [
                                     'NAS-Identifier',
                                     'test01nas'
                                   ],
                                   [
                                     'Acct-Session-Id',

'23 at 2/1/1:2999 at 10.0.0.234@00:14:7f:eb:36:4b at 0_2012/02/27 17:05:23'
                                   ],
                                   [
                                     'Acct-Session-Time',
                                     '^@^@^U<89>'
                                   ],


There are some entries that show up as expected (ie, not garbled).
When called from a ClientHook, the Data::Dumper show the expected
(plaintext ASCII) value for all fields of the same packet.

Is this normal?

The code is fairly simple, I narrowed it down to something like

sub {
    my $r = ${$_[0]};
    return unless $r->code() eq 'Accounting-Request';

    my $acct_type=$r->get_attr('Acct-Status-Type');

    &main::log($main::LOG_INFO,"Caught Accounting $acct_type packet");
    return;
}

From ringo at vianet.ca  Mon Feb 27 13:22:31 2012
From: ringo at vianet.ca (Michael)
Date: Mon, 27 Feb 2012 14:22:31 -0500
Subject: [RADIATOR] PreClientHook not behaving as expected
In-Reply-To: <CAEpGAkHTXAdtG78CqdJVyp4aFsOVm4w0gBs2jsO1Bc1iJuVeuQ@mail.gmail.com>
References: <CAEpGAkHTXAdtG78CqdJVyp4aFsOVm4w0gBs2jsO1Bc1iJuVeuQ@mail.gmail.com>
Message-ID: <4F4BD7F7.50108@vianet.ca>

The PreClientHook is a hook that is run before the packet is unpacked.

<snip>
Caution: At the time this hook is run, integer attributes have not yet been unpacked and
decoded, and encrypted attributes have not yet been decrypted. If you need unpacked,
decrypted versions of these attributes, consider using a per-client ClientHook instead.
<snip>


On 12-02-27 01:45 PM, Bruno Tiago Rodrigues wrote:
> This looks like a basic question, but I haven't been able to sort it out.
>
> Basically I have a structure of Radiator AuthBy and Handlers set for
> Accounting and needed to filter out some "special" packets being sent
> to the server.
>
> I've done this with a specific hook, pointed it to a ClientHook clause
> and had it running as expected. Then I moved it to a PreClientHook
> clause and it didn't work properly.
>
> This is happening when I peek at the Acct-Status-Type for the request
> packet, I managed to narrow it down to a specific bit of code, but I
> found out by dumping the packet structure that there are other fields
> showing up garbled.
>
> When called from a PreClientHook, Data::Dumper on the request packet
> shows a bunch of entries like this
>                   'Attributes' =>  [
>                                     [
>                                       'Acct-Status-Type',
>                                       '^@^@^@^C'
>                                     ],
>                                     [
>                                       'NAS-IP-Address',
>                                       'S<AE>3<FD>'
>                                     ],
>                                     [
>                                       'User-Name',
>                                       '00:14:7f:eb:36:4b'
>                                     ],
>                                     [
>                                       'Framed-IP-Address',
>                                       'S<AE>5<EA>'
>                                     ],
>                                     [
>                                       'Framed-IP-Netmask',
>                                       '<FF><FF><FF><80>'
>                                     ],
>                                     [
>                                       'NAS-Identifier',
>                                       'test01nas'
>                                     ],
>                                     [
>                                       'Acct-Session-Id',
>
> '23 at 2/1/1:2999 at 10.0.0.234@00:14:7f:eb:36:4b at 0_2012/02/27 17:05:23'
>                                     ],
>                                     [
>                                       'Acct-Session-Time',
>                                       '^@^@^U<89>'
>                                     ],
>
>
> There are some entries that show up as expected (ie, not garbled).
> When called from a ClientHook, the Data::Dumper show the expected
> (plaintext ASCII) value for all fields of the same packet.
>
> Is this normal?
>
> The code is fairly simple, I narrowed it down to something like
>
> sub {
>      my $r = ${$_[0]};
>      return unless $r->code() eq 'Accounting-Request';
>
>      my $acct_type=$r->get_attr('Acct-Status-Type');
>
>      &main::log($main::LOG_INFO,"Caught Accounting $acct_type packet");
>      return;
> }
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>

From Traiano.Welcome at mtnbusiness.co.za  Tue Feb 28 08:44:47 2012
From: Traiano.Welcome at mtnbusiness.co.za (Traiano Welcome)
Date: Tue, 28 Feb 2012 14:44:47 +0000
Subject: [RADIATOR] ERROR:  invalid byte sequence for encoding "UTF8"
Message-ID: <CB72B4FD.9823%traiano.welcome@mtnbusiness.co.za>

Hi List

Recently, I've begun seeing the following error message in my radius logs
at the point where radius accounting packet data is inserted to the
postgresql database I'm using with radiator 4.9:

---
ERROR: invalid byte sequence for encoding "UTF8": 0x9e
HINT: This error can also happen if the byte sequence does not match the
encoding expected by the server, which is controlled by "client_encoding".
---


It appears that strings based on a non-UTF8 character set are being
included in the radius accounting data and sent on to my radius server by
the NAS (an ACME SBC appliance).

Below is a more complete segment of a sample log:

---
Tue Feb 28 10:44:30 2012: DEBUG: Handling request with Handler
'NAS-Identifier=/^TRAITECH-.*$/', Identifier ''
Tue Feb 28 10:44:30 2012: DEBUG:  Adding session for , 127.0.0.100, 5060
Tue Feb 28 10:44:30 2012: DEBUG: Handling with Radius::AuthSQL:
Tue Feb 28 10:44:30 2012: DEBUG: Handling accounting with Radius::AuthSQL

Tue Feb 28 10:44:30 2012: DEBUG: do query is: 'insert into acmevoiprecords
(calledstationid,callingstationid,egresscallid,ingresscallid,nasidentifier,
nasipaddress,sessionegresscallid,sessionforkedcallid,sessiongenericid,sessi
oningresscallid,sessionprotocoltype,statustype,timestamp) values
('<9e>^N^F','Matroos,16319
<sip:0873116319 at 172.32.0.61>;tag=9tBN868U1B42S^^
','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','23c4e3e9-dc8b-122f-088a-5cf3fc962
edc','TRAITECH-DBN-VPR','127.0.0.100','23c4e3e9-dc8b-122f-088a-5cf3fc962edc
','','','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','SIP','Stop','1330418670')':

Tue Feb 28 10:44:30 2012: DEBUG: do query is: 'insert into acmevoiprecords
(calledstationid,callingstationid,cdrsequencenumber,connecttime,customvsa20
0,customvsa201,customvsa202,customvsa203,customvsa204,customvsa205,customvs
a206,customvsa207,customvsa208,customvsa209,customvsa210,customvsa211,custo
mvsa212,customvsa213,customvsa214,customvsa215,customvsa216,customvsa217,cu
stomvsa218,customvsa219,customvsa220,customvsa221,customvsa222,customvsa223
,customvsa224,customvsa225,customvsa226,customvsa227,customvsa228,customvsa
229,customvsa230,egresscallid,egressfinalroutingnumber,egresslocaladdr,egre
ssnetworkinterfaceid,egressremoteaddr,egressvlantagvalue,firmwareversion,fl
owindstaddr,flowinsrcaddr,flowoutdstaddr,flowoutsrcaddr,ingresscallid,ingre
sslocaladdr,ingressnetworkinterfaceid,ingressrealm,ingressremoteaddr,ingres
svlantagvalue,localtimezone,nasidentifier,nasipaddress,originatingtrunkcont
ext,originatingtrunkgroup,passertedid,postdialdelay,primaryroutingnumber,se
ssionchargingvector,sessionegresscallid,sessionegressrealm,sessionegressrph
,sessionforkedcallid,sessiongenericid,sessioningresscallid,sessioningressre
alm,sessioningressrph,sessionprotocoltype,setuptime,sipdiversion,statustype
,terminatingtrunkcontext,terminatingtrunkgroup,timestamp) values
('<sip:+27838781684 at 192.168.0.236>','"+2721113641"
<sip:+2721113641 at 192.168.0.38>;tag=as6b537178',10019633,'00:00:00.000 SAST
JAN 01 
1970','','','','','','','','','','','','','','','','','','','','','','','',
'','','','','','','','','4e25d24c4df4a88c57d0ed281ca3a638 at 192.168.0.38','',
'0.0.0.0:0','','0.0.0.0:0','0','SCX6.2.0 MR-3 Patch 1 (Build
642)','0.0.0.0','0.0.0.0','0.0.0.0','0.0.0.0','4e25d24c4df4a88c57d0ed281ca3
a638 at 192.168.0.38','192.168.0.236:5060','t3p-in0_0','t3_ecn','192.168.0.33:
5060','2027','GMT+02:00','TRAITECH-DBN-VPR','127.0.0.100','','','','0','sip
:+27838781684 at 192.168.0.236','','4e25d24c4df4a88c57d0ed281ca3a638 at 192.168.0
.38','','','','','4e25d24c4df4a88c57d0ed281ca3a638 at 192.168.0.38','t3_ecn','
','SIP','10:44:18.607 SAST FEB 28 2012','','Start','','','1330418670')':

Tue Feb 28 10:44:30 2012: ERR: do failed for 'insert into acmevoiprecords
(calledstationid,callingstationid,egresscallid,ingresscallid,nasidentifier,
nasipaddress,sessionegresscallid,sessionforkedcallid,sessiongenericid,sessi
oningresscallid,sessionprotocoltype,statustype,timestamp) values
('<9e>^N^F','Matroos,16319
<sip:0873116319 at 172.32.0.61>;tag=9tBN868U1B42S^^
','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','23c4e3e9-dc8b-122f-088a-5cf3fc962
edc','TRAITECH-DBN-VPR','127.0.0.100','23c4e3e9-dc8b-122f-088a-5cf3fc962edc
','','','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','SIP','Stop','1330418670')':
 ERROR:  invalid byte sequence for encoding "UTF8": 0x9e

HINT:  This error can also happen if the byte sequence does not match the
encoding expected by the server, which is controlled by "client_encoding".

Tue Feb 28 10:44:30 2012: DEBUG: AuthBy SQL result: ACCEPT,
Tue Feb 28 10:44:30 2012: DEBUG: Accounting accepted
Tue Feb 28 10:44:30 2012: DEBUG: Packet dump:

*** Received from 192.168.93.3 port 1098 ....
----



Has anyone encountered this issue before ? Would this be something I
should have fixed on the NAS end of things, or is there some way to work
around it in Radiator or in my  postgresql database configuration?
	

Thanks in advance,
Traiano


From jtp at nc.rr.com  Tue Feb 28 11:38:00 2012
From: jtp at nc.rr.com (James)
Date: Tue, 28 Feb 2012 12:38:00 -0500
Subject: [RADIATOR] eap + apple products - failed auth
Message-ID: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>

All,

I'm facing a pretty weird problem while trying to set up EAP
authentication. Windows and Linux devices seem to work fine without
issues -- the clients are prompted to authenticate, accept the
certificate, and then they're successfully auth'ed and hop onto the
wireless network.

Apple products (OS X, iPad and iPod) seem to have a strange issue,
however: Radiator sends an Access-Accept, the client sees that
authentication was successful, but the client will disconnect and then
reconnect ensuing in an authentication loop. Logs on OS X indicate
that authentication *IS* successful, but the operating system
eventually reports a timeout in the 4-way handshake.

Here's the Radiator configuration:

-->8--

DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config
LogDir  /opt/radiator/logs
DbDir   /opt/radiator/db
Trace   4
AuthPort 1645
AcctPort 1646
PidFile  %L/wireless.pid
LogFile
<Log FILE>
    Identifier radiatorLog
    Filename %L/%d.%v.%Y/wireless.log
    Trace   4
    LogMicroseconds
</Log>
<Client DEFAULT>
    Secret whatever
    DupInterval 0
</Client>
<SessionDatabase NULL>
    Identifier Null
</SessionDatabase>
<AuthLog FILE>
    Identifier authLogger
    Filename %L/%d.%v.%Y/wireless.auth
    LogSuccess 1
    LogFailure 1
    SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T
request from %c (nas = %N) for user %U
    FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
request from %c (nas = %N) for user %U
</AuthLog>
include %{GlobalVar:ConfigDir}/auth.wireless
<Handler TunnelledByPEAP=1>
    AuthBy dm-wifi
    AuthLog authLogger
    Log radiatorLog
    AcctLogFileName %L/%d.%v.%Y/wireless.log
</Handler>
<Handler>
    AuthBy eap-outer
    AuthLog authLogger
    Log radiatorLog
    AcctLogFileName %L/%d.%v.%Y/wireless.log
</Handler>
<AuthBy NTLM>
    Identifier dm-wifi
    NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
    DefaultDomain DHE
    EAPType MSCHAP-V2
</AuthBy>
<AuthBy FILE>
    Identifier eap-outer
    Filename %D/users
    EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
    EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
    EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
    EAPTLS_PEAPVersion 1
</AuthBy>

--8<--

Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
*** Received from 10.11.55.232 port 32768 ....
Code:       Access-Request
Identifier: 145
Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
Attributes:
	User-Name = "testUser"
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
	NAS-Port = 29
	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	Airespace-WLAN-Id = 7
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	Tunnel-Private-Group-ID = 924
	EAP-Message = <2><9><0>+<25><1><23><3><1><0>
|<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
	Message-Authenticator =
<196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>

Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
Radius::AuthFILE: eap-outer
Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9, 43, 25
Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner authentication
request for anonymous
Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
Attributes:
	EAP-Message = <2><0><0><10><1>testUser
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	NAS-Port = 29
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	User-Name = "anonymous"

Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2, 0, 10, 1
Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE,
EAP MSCHAP-V2 Challenge
Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result: CHALLENGE,
EAP MSCHAP-V2 Challenge
Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
anonymous: EAP MSCHAP-V2 Challenge
Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
anonymous: EAP MSCHAP-V2 Challenge
Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
Attributes:
	EAP-Message = <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result: CHALLENGE,
EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result: CHALLENGE,
EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
testUser: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
testUser: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
*** Sending to 10.11.55.232 port 32768 ....
Code:       Access-Challenge
Identifier: 145
Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
Attributes:
	EAP-Message = <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
*** Received from 10.11.55.232 port 32768 ....
Code:       Access-Request
Identifier: 146
Authentic:  <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
Attributes:
	User-Name = "testUser"
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
	NAS-Port = 29
	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	Airespace-WLAN-Id = 7
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	Tunnel-Private-Group-ID = 924
	EAP-Message = <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
<229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
	Message-Authenticator = <30><<150><197>JcR<14><223>lY<161><24>w/<250>

Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
Radius::AuthFILE: eap-outer
Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2, 10, 107, 25
Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication
request for anonymous
Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
Attributes:
	EAP-Message = <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	NAS-Port = 29
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	User-Name = "anonymous"

Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2, 1, 64, 26
Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
match with testUser [anonymous]
Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
testUser [anonymous]
Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
Request-User-Session-Key: Yes
Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
Request-LanMan-Session-Key: Yes
Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
LANMAN-Challenge: some-challenge
Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
some-response
Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
some-domain
Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
some-username
Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute: Authenticated: Yes
Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
User-Session-Key: session-key
Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
Challenge: Success
Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result: CHALLENGE,
EAP MSCHAP V2 Challenge: Success
Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result: CHALLENGE,
EAP MSCHAP V2 Challenge: Success
Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
anonymous: EAP MSCHAP V2 Challenge: Success
Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
anonymous: EAP MSCHAP V2 Challenge: Success
Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
Attributes:
	EAP-Message = <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
M=success
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result: CHALLENGE,
EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result: CHALLENGE,
EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
testUser: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
testUser: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
*** Sending to 10.11.55.232 port 32768 ....
Code:       Access-Challenge
Identifier: 146
Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
Attributes:
	EAP-Message = <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
*** Received from 10.11.55.232 port 32768 ....
Code:       Access-Request
Identifier: 147
Authentic:  <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
Attributes:
	User-Name = "testUser"
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
	NAS-Port = 29
	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	Airespace-WLAN-Id = 7
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	Tunnel-Private-Group-ID = 924
	EAP-Message = <2><11><0>+<25><1><23><3><1><0>
<12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
	Message-Authenticator =
<249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>

Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
Radius::AuthFILE: eap-outer
Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2, 11, 43, 25
Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication
request for anonymous
Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
Attributes:
	EAP-Message = <2><2><0><6><26><3>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	NAS-Port = 29
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	User-Name = "anonymous"

Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for anonymous
Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for anonymous
Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
Attributes:
	EAP-Message = <3><2><0><4>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result: CHALLENGE,
EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result: CHALLENGE,
EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
testUser: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
testUser: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
*** Sending to 10.11.55.232 port 32768 ....
Code:       Access-Challenge
Identifier: 147
Authentic:  <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
Attributes:
	EAP-Message = <1><12><0>+<25><1><23><3><1><0>
@l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
*** Received from 10.11.55.232 port 32768 ....
Code:       Access-Request
Identifier: 148
Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
Attributes:
	User-Name = "testUser"
	Calling-Station-Id = "b3-dd-ae-87-22-b3"
	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
	NAS-Port = 29
	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
	NAS-IP-Address = 10.11.55.232
	NAS-Identifier = "cisco-wism"
	Airespace-WLAN-Id = 7
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	Tunnel-Private-Group-ID = 924
	EAP-Message = <2><12><0>+<25><1><23><3><1><0>
c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
	Message-Authenticator =
(<217><144>3I<171><10><194><28><15><8><18><242><139><198>W

Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler
'', Identifier ''
Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
Radius::AuthFILE: eap-outer
Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2, 12, 43, 25
Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: ACCEPT,
Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: ACCEPT,
Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for testUser
Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for testUser
Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
*** Sending to 10.11.55.232 port 32768 ....
Code:       Access-Accept
Identifier: 148
Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
Attributes:
	EAP-Message = <3><12><0><4>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	MS-MPPE-Send-Key =
<131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
	MS-MPPE-Recv-Key =
<193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>

-->8--

Thoughts on what may be happening? I can't seem to find anything on
the web about this, but I'm also hard-pressed to believe we're the
only folks that have run into this. The client simply refuses to
connect. It's worth noting that OS X indicates the client is
"connected" with a self-assigned 169.x.x.x IP address, but the logs
really indicate that en1 (the wireless interface) continues to go
up/down and re-attempt authentication.

Any help would be greatly appreciated.

-james

From Adam.Bishop at ja.net  Tue Feb 28 11:48:53 2012
From: Adam.Bishop at ja.net (Adam Bishop)
Date: Tue, 28 Feb 2012 17:48:53 +0000
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
Message-ID: <EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>

Hi,

Try setting EAPTLS_PEAPVersion as 0 instead of 1 - been a while since I wrote my configuration but I think that was the value that made OS X and iOS clients work for me.

Regards,

Adam Bishop

On 28 Feb 2012, at 17:38, James wrote:

> All,
> 
> I'm facing a pretty weird problem while trying to set up EAP
> authentication. Windows and Linux devices seem to work fine without
> issues -- the clients are prompted to authenticate, accept the
> certificate, and then they're successfully auth'ed and hop onto the
> wireless network.
> 
> Apple products (OS X, iPad and iPod) seem to have a strange issue,
> however: Radiator sends an Access-Accept, the client sees that
> authentication was successful, but the client will disconnect and then
> reconnect ensuing in an authentication loop. Logs on OS X indicate
> that authentication *IS* successful, but the operating system
> eventually reports a timeout in the 4-way handshake.
> 
> Here's the Radiator configuration:
> 
> -->8--
> 
> DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config
> LogDir  /opt/radiator/logs
> DbDir   /opt/radiator/db
> Trace   4
> AuthPort 1645
> AcctPort 1646
> PidFile  %L/wireless.pid
> LogFile
> <Log FILE>
>    Identifier radiatorLog
>    Filename %L/%d.%v.%Y/wireless.log
>    Trace   4
>    LogMicroseconds
> </Log>
> <Client DEFAULT>
>    Secret whatever
>    DupInterval 0
> </Client>
> <SessionDatabase NULL>
>    Identifier Null
> </SessionDatabase>
> <AuthLog FILE>
>    Identifier authLogger
>    Filename %L/%d.%v.%Y/wireless.auth
>    LogSuccess 1
>    LogFailure 1
>    SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T
> request from %c (nas = %N) for user %U
>    FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
> request from %c (nas = %N) for user %U
> </AuthLog>
> include %{GlobalVar:ConfigDir}/auth.wireless
> <Handler TunnelledByPEAP=1>
>    AuthBy dm-wifi
>    AuthLog authLogger
>    Log radiatorLog
>    AcctLogFileName %L/%d.%v.%Y/wireless.log
> </Handler>
> <Handler>
>    AuthBy eap-outer
>    AuthLog authLogger
>    Log radiatorLog
>    AcctLogFileName %L/%d.%v.%Y/wireless.log
> </Handler>
> <AuthBy NTLM>
>    Identifier dm-wifi
>    NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
>    DefaultDomain DHE
>    EAPType MSCHAP-V2
> </AuthBy>
> <AuthBy FILE>
>    Identifier eap-outer
>    Filename %D/users
>    EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>    EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>    EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>    EAPTLS_CertificateType PEM
>    EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>    EAPTLS_PrivateKeyPassword whatever
>    EAPTLS_MaxFragmentSize 1000
>    AutoMPPEKeys
>    EAPTLS_PEAPVersion 1
> </AuthBy>
> 
> --8<--
> 
> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 145
> Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
> Attributes:
> 	User-Name = "testUser"
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 	NAS-Port = 29
> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	Airespace-WLAN-Id = 7
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Tunnel-Type = 0:VLAN
> 	Tunnel-Medium-Type = 0:802
> 	Tunnel-Private-Group-ID = 924
> 	EAP-Message = <2><9><0>+<25><1><23><3><1><0>
> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
> 	Message-Authenticator =
> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
> 
> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9, 43, 25
> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
> Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner authentication
> request for anonymous
> Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> Attributes:
> 	EAP-Message = <2><0><0><10><1>testUser
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	NAS-Port = 29
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	User-Name = "anonymous"
> 
> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
> Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2, 0, 10, 1
> Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
> Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE,
> EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result: CHALLENGE,
> EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
> anonymous: EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
> anonymous: EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> Attributes:
> 	EAP-Message = <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result: CHALLENGE,
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result: CHALLENGE,
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Challenge
> Identifier: 145
> Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
> Attributes:
> 	EAP-Message = <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 146
> Authentic:  <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
> Attributes:
> 	User-Name = "testUser"
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 	NAS-Port = 29
> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	Airespace-WLAN-Id = 7
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Tunnel-Type = 0:VLAN
> 	Tunnel-Medium-Type = 0:802
> 	Tunnel-Private-Group-ID = 924
> 	EAP-Message = <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
> 	Message-Authenticator = <30><<150><197>JcR<14><223>lY<161><24>w/<250>
> 
> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2, 10, 107, 25
> Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
> Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication
> request for anonymous
> Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> Attributes:
> 	EAP-Message = <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	NAS-Port = 29
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	User-Name = "anonymous"
> 
> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
> Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2, 1, 64, 26
> Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
> Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
> match with testUser [anonymous]
> Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
> testUser [anonymous]
> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
> Request-User-Session-Key: Yes
> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
> Request-LanMan-Session-Key: Yes
> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
> LANMAN-Challenge: some-challenge
> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
> some-response
> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
> some-domain
> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
> some-username
> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute: Authenticated: Yes
> Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
> User-Session-Key: session-key
> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
> Challenge: Success
> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result: CHALLENGE,
> EAP MSCHAP V2 Challenge: Success
> Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result: CHALLENGE,
> EAP MSCHAP V2 Challenge: Success
> Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
> anonymous: EAP MSCHAP V2 Challenge: Success
> Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
> anonymous: EAP MSCHAP V2 Challenge: Success
> Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> Attributes:
> 	EAP-Message = <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
> M=success
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result: CHALLENGE,
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result: CHALLENGE,
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Challenge
> Identifier: 146
> Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
> Attributes:
> 	EAP-Message = <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 147
> Authentic:  <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
> Attributes:
> 	User-Name = "testUser"
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 	NAS-Port = 29
> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	Airespace-WLAN-Id = 7
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Tunnel-Type = 0:VLAN
> 	Tunnel-Medium-Type = 0:802
> 	Tunnel-Private-Group-ID = 924
> 	EAP-Message = <2><11><0>+<25><1><23><3><1><0>
> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
> 	Message-Authenticator =
> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
> 
> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2, 11, 43, 25
> Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
> Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication
> request for anonymous
> Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> Attributes:
> 	EAP-Message = <2><2><0><6><26><3>
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	NAS-Port = 29
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	User-Name = "anonymous"
> 
> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
> Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
> Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
> Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: ACCEPT,
> Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: ACCEPT,
> Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for anonymous
> Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for anonymous
> Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> Attributes:
> 	EAP-Message = <3><2><0><4>
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result: CHALLENGE,
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result: CHALLENGE,
> EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Challenge
> Identifier: 147
> Authentic:  <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
> Attributes:
> 	EAP-Message = <1><12><0>+<25><1><23><3><1><0>
> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 148
> Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
> Attributes:
> 	User-Name = "testUser"
> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> 	NAS-Port = 29
> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> 	NAS-IP-Address = 10.11.55.232
> 	NAS-Identifier = "cisco-wism"
> 	Airespace-WLAN-Id = 7
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Tunnel-Type = 0:VLAN
> 	Tunnel-Medium-Type = 0:802
> 	Tunnel-Private-Group-ID = 924
> 	EAP-Message = <2><12><0>+<25><1><23><3><1><0>
> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
> 	Message-Authenticator =
> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
> 
> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler
> '', Identifier ''
> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2, 12, 43, 25
> Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
> Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
> Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for testUser
> Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for testUser
> Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Accept
> Identifier: 148
> Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
> Attributes:
> 	EAP-Message = <3><12><0><4>
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	MS-MPPE-Send-Key =
> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
> 	MS-MPPE-Recv-Key =
> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>
> 
> -->8--
> 
> Thoughts on what may be happening? I can't seem to find anything on
> the web about this, but I'm also hard-pressed to believe we're the
> only folks that have run into this. The client simply refuses to
> connect. It's worth noting that OS X indicates the client is
> "connected" with a self-assigned 169.x.x.x IP address, but the logs
> really indicate that en1 (the wireless interface) continues to go
> up/down and re-attempt authentication.
> 
> Any help would be greatly appreciated.
> 
> -james
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG


From mberube at jeancoutu.com  Tue Feb 28 11:49:17 2012
From: mberube at jeancoutu.com (=?iso-8859-1?Q?Martin_B=E9rub=E9?=)
Date: Tue, 28 Feb 2012 12:49:17 -0500
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
Message-ID: <504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>

Hello James,

Are you using MD5 hashing for the issuer certificate ?
Apple dropped support for MD5 hashing for all certificates, except the CA (root) ones, starting with iOS 5.


Martin B?rub?
Analyste Technique
Architecture Et S?curit?
T?l. : (450) 463-1890 poste 3362
Avant d'imprimer, pensez ? l'environnement.



> -----Message d'origine-----
> De : radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] De
> la part de James
> Envoy? : 28 f?vrier 2012 12:38
> ? : radiator at open.com.au
> Objet : [RADIATOR] eap + apple products - failed auth
>
> All,
>
> I'm facing a pretty weird problem while trying to set up EAP authentication.
> Windows and Linux devices seem to work fine without issues -- the clients
> are prompted to authenticate, accept the certificate, and then they're
> successfully auth'ed and hop onto the wireless network.
>
> Apple products (OS X, iPad and iPod) seem to have a strange issue,
> however: Radiator sends an Access-Accept, the client sees that
> authentication was successful, but the client will disconnect and then
> reconnect ensuing in an authentication loop. Logs on OS X indicate that
> authentication *IS* successful, but the operating system eventually reports
> a timeout in the 4-way handshake.
>
> Here's the Radiator configuration:
>
> -->8--
>
> DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config
> LogDir  /opt/radiator/logs
> DbDir   /opt/radiator/db
> Trace   4
> AuthPort 1645
> AcctPort 1646
> PidFile  %L/wireless.pid
> LogFile
> <Log FILE>
>     Identifier radiatorLog
>     Filename %L/%d.%v.%Y/wireless.log
>     Trace   4
>     LogMicroseconds
> </Log>
> <Client DEFAULT>
>     Secret whatever
>     DupInterval 0
> </Client>
> <SessionDatabase NULL>
>     Identifier Null
> </SessionDatabase>
> <AuthLog FILE>
>     Identifier authLogger
>     Filename %L/%d.%v.%Y/wireless.auth
>     LogSuccess 1
>     LogFailure 1
>     SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T
> request from %c (nas = %N) for user %U
>     FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T request
> from %c (nas = %N) for user %U </AuthLog> include
> %{GlobalVar:ConfigDir}/auth.wireless
> <Handler TunnelledByPEAP=1>
>     AuthBy dm-wifi
>     AuthLog authLogger
>     Log radiatorLog
>     AcctLogFileName %L/%d.%v.%Y/wireless.log </Handler> <Handler>
>     AuthBy eap-outer
>     AuthLog authLogger
>     Log radiatorLog
>     AcctLogFileName %L/%d.%v.%Y/wireless.log </Handler> <AuthBy NTLM>
>     Identifier dm-wifi
>     NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
>     DefaultDomain DHE
>     EAPType MSCHAP-V2
> </AuthBy>
> <AuthBy FILE>
>     Identifier eap-outer
>     Filename %D/users
>     EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>     EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>     EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>     EAPTLS_PrivateKeyPassword whatever
>     EAPTLS_MaxFragmentSize 1000
>     AutoMPPEKeys
>     EAPTLS_PEAPVersion 1
> </AuthBy>
>
> --8<--
>
> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 145
> Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
> Attributes:
>       User-Name = "testUser"
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>       NAS-Port = 29
>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       Airespace-WLAN-Id = 7
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-IEEE-802-11
>       Tunnel-Type = 0:VLAN
>       Tunnel-Medium-Type = 0:802
>       Tunnel-Private-Group-ID = 924
>       EAP-Message = <2><9><0>+<25><1><23><3><1><0>
> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><22
> |7><2>6rs<166>f<144><141><244><3><150>
>       Message-Authenticator =
> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
>
> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9, 43, 25
> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25 Tue Feb 28 12:27:59
> 2012 739078: DEBUG: EAP PEAP inner authentication request for anonymous Tue
> Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> Attributes:
>       EAP-Message = <2><0><0><10><1>testUser
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       NAS-Port = 29
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       User-Name = "anonymous"
>
> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with Radius::AuthNTLM: dm-
> wifi Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2, 0,
> 10, 1 Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1 Tue Feb 28
> 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge Tue Feb
> 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2
> Challenge Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result:
> CHALLENGE, EAP MSCHAP-V2 Challenge Tue Feb 28 12:27:59 2012 740560: DEBUG:
> Access challenged for
> anonymous: EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
> anonymous: EAP MSCHAP-V2 Challenge
> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> Attributes:
>       EAP-Message =
> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12>
> <128>ywifi-radius-temp
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 741267:
> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> redispatched to a Handler Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy
> FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a
> Handler Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
> 12:27:59 2012 741619: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
> 12:27:59 2012 741984: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Challenge
> Identifier: 145
> Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
> Attributes:
>       EAP-Message =
> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<
> 218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242
> ><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170
> >)<129>T
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 146
> Authentic:
> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
> Attributes:
>       User-Name = "testUser"
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>       NAS-Port = 29
>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       Airespace-WLAN-Id = 7
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-IEEE-802-11
>       Tunnel-Type = 0:VLAN
>       Tunnel-Medium-Type = 0:802
>       Tunnel-Private-Group-ID = 924
>       EAP-Message =
> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<14
> 0>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160
> ><202><131>
> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161>
> <133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<
> 7><f<189>QY<195><209>D<141>
>       Message-Authenticator = <30><<150><197>JcR<14><223>lY<161><24>w/<250>
>
> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2, 10, 107,
> 25 Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25 Tue Feb 28
> 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication request for
> anonymous Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request
> Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> Attributes:
>       EAP-Message =
> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><22
> 3><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<1
> 32><241>x<145>HE<217>=vu<21><233><0>testUser
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       NAS-Port = 29
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       User-Name = "anonymous"
>
> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with Radius::AuthNTLM: dm-
> wifi Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2, 1,
> 64, 26 Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26 Tue Feb 28
> 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for match with testUser
> [anonymous] Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT:
> :
> testUser [anonymous]
> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
> Request-User-Session-Key: Yes
> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
> Request-LanMan-Session-Key: Yes
> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
> LANMAN-Challenge: some-challenge
> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
> some-response
> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
> some-domain
> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
> some-username
> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute: Authenticated:
> Yes Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
> User-Session-Key: session-key
> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
> Challenge: Success
> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result: CHALLENGE, EAP
> MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy
> NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59
> 2012 755478: DEBUG: Access challenged for
> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012 755588:
> DEBUG: Access challenged for
> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012 755815:
> DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> Attributes:
>       EAP-Message =
> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
> M=success
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 756137:
> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> redispatched to a Handler Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy
> FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a
> Handler Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
> 12:27:59 2012 756485: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
> 12:27:59 2012 756882: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Challenge
> Identifier: 146
> Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
> Attributes:
>       EAP-Message =
> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><1
> 37><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*
> <151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><
> 237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><
> 184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 147
> Authentic:  <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
> Attributes:
>       User-Name = "testUser"
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>       NAS-Port = 29
>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       Airespace-WLAN-Id = 7
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-IEEE-802-11
>       Tunnel-Type = 0:VLAN
>       Tunnel-Medium-Type = 0:802
>       Tunnel-Private-Group-ID = 924
>       EAP-Message = <2><11><0>+<25><1><23><3><1><0>
> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>
> >/<27><134><201>v1<128>
>       Message-Authenticator =
> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
>
> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2, 11, 43,
> 25 Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25 Tue Feb 28
> 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication request for
> anonymous Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request
> Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> Attributes:
>       EAP-Message = <2><2><0><6><26><3>
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       NAS-Port = 29
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       User-Name = "anonymous"
>
> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with Radius::AuthNTLM: dm-
> wifi Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2, 2,
> 6, 26 Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26 Tue Feb 28
> 12:27:59 2012 763319: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012 763440:
> DEBUG: AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763548: DEBUG:
> AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763677: DEBUG: Access
> accepted for anonymous Tue Feb 28 12:27:59 2012 763788: DEBUG: Access
> accepted for anonymous Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP
> tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> Attributes:
>       EAP-Message = <3><2><0><4>
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 764535:
> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> redispatched to a Handler Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy
> FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a
> Handler Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
> 12:27:59 2012 764905: DEBUG: Access challenged for
> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
> 12:27:59 2012 765255: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Challenge
> Identifier: 147
> Authentic:  <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
> Attributes:
>       EAP-Message = <1><12><0>+<25><1><23><3><1><0>
> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-
> <8>].s<148><226><245><217><26>
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
> *** Received from 10.11.55.232 port 32768 ....
> Code:       Access-Request
> Identifier: 148
> Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
> Attributes:
>       User-Name = "testUser"
>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>       NAS-Port = 29
>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>       NAS-IP-Address = 10.11.55.232
>       NAS-Identifier = "cisco-wism"
>       Airespace-WLAN-Id = 7
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-IEEE-802-11
>       Tunnel-Type = 0:VLAN
>       Tunnel-Medium-Type = 0:802
>       Tunnel-Private-Group-ID = 924
>       EAP-Message = <2><12><0>+<25><1><23><3><1><0>
> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><
> 145><173>)<226>B<22><29>G<222>`6<183>
>       Message-Authenticator =
> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
>
> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
> Radius::AuthFILE: eap-outer
> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2, 12, 43,
> 25 Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25 Tue Feb 28
> 12:27:59 2012 771782: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012 771975:
> DEBUG: AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772145: DEBUG:
> AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772338: DEBUG: Access
> accepted for testUser Tue Feb 28 12:27:59 2012 772508: DEBUG: Access
> accepted for testUser Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
> *** Sending to 10.11.55.232 port 32768 ....
> Code:       Access-Accept
> Identifier: 148
> Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
> Attributes:
>       EAP-Message = <3><12><0><4>
>       Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>       MS-MPPE-Send-Key =
> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217
> ><26><245><14>;<167>%;W<200>
>       MS-MPPE-Recv-Key =
> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><
> 218>G)<175>
>
> -->8--
>
> Thoughts on what may be happening? I can't seem to find anything on the web
> about this, but I'm also hard-pressed to believe we're the only folks that
> have run into this. The client simply refuses to connect. It's worth noting
> that OS X indicates the client is "connected" with a self-assigned 169.x.x.x
> IP address, but the logs really indicate that en1 (the wireless interface)
> continues to go up/down and re-attempt authentication.
>
> Any help would be greatly appreciated.
>
> -james
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
AVERTISSEMENT CONCERNANT LA CONFIDENTIALITE

Ce message, incluant ses pieces jointes, est strictement reserve a l'usage de l'individu ou de l'entite a qui il est
adresse et contient de l'information privilegiee et confidentielle. La dissemination, distribution ou copie de cette
communication est strictement prohibee.  Si vous n'etes pas le destinataire projete veuillez retourner
immediatement un courrier electronique a l'expediteur et effacez toutes les copies.


CONFIDENTIALITY WARNING

This message, including its attachments, is strictly intended for the use of the individual or the entity to which it is addressed
and contains privileged and confidential information. Disclosure, distribution or copy of this communication is strictly
prohibited. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator and
deleting all copies.


From jtp at nc.rr.com  Tue Feb 28 11:56:25 2012
From: jtp at nc.rr.com (James)
Date: Tue, 28 Feb 2012 12:56:25 -0500
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>
Message-ID: <CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>

Thanks for the response.

I'm not sure how to determine that; can you give me a nudge in the
right direction?

-james


On Tue, Feb 28, 2012 at 12:49, Martin B?rub? <mberube at jeancoutu.com> wrote:
> Hello James,
>
> Are you using MD5 hashing for the issuer certificate ?
> Apple dropped support for MD5 hashing for all certificates, except the CA (root) ones, starting with iOS 5.
>
>
> Martin B?rub?
> Analyste Technique
> Architecture Et S?curit?
> T?l. : (450) 463-1890 poste 3362
> Avant d'imprimer, pensez ? l'environnement.
>
>
>
>> -----Message d'origine-----
>> De : radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] De
>> la part de James
>> Envoy? : 28 f?vrier 2012 12:38
>> ? : radiator at open.com.au
>> Objet : [RADIATOR] eap + apple products - failed auth
>>
>> All,
>>
>> I'm facing a pretty weird problem while trying to set up EAP authentication.
>> Windows and Linux devices seem to work fine without issues -- the clients
>> are prompted to authenticate, accept the certificate, and then they're
>> successfully auth'ed and hop onto the wireless network.
>>
>> Apple products (OS X, iPad and iPod) seem to have a strange issue,
>> however: Radiator sends an Access-Accept, the client sees that
>> authentication was successful, but the client will disconnect and then
>> reconnect ensuing in an authentication loop. Logs on OS X indicate that
>> authentication *IS* successful, but the operating system eventually reports
>> a timeout in the 4-way handshake.
>>
>> Here's the Radiator configuration:
>>
>> -->8--
>>
>> DefineFormattedGlobalVar ? ?ConfigDir ? /opt/radiator/config
>> LogDir ?/opt/radiator/logs
>> DbDir ? /opt/radiator/db
>> Trace ? 4
>> AuthPort 1645
>> AcctPort 1646
>> PidFile ?%L/wireless.pid
>> LogFile
>> <Log FILE>
>> ? ? Identifier radiatorLog
>> ? ? Filename %L/%d.%v.%Y/wireless.log
>> ? ? Trace ? 4
>> ? ? LogMicroseconds
>> </Log>
>> <Client DEFAULT>
>> ? ? Secret whatever
>> ? ? DupInterval 0
>> </Client>
>> <SessionDatabase NULL>
>> ? ? Identifier Null
>> </SessionDatabase>
>> <AuthLog FILE>
>> ? ? Identifier authLogger
>> ? ? Filename %L/%d.%v.%Y/wireless.auth
>> ? ? LogSuccess 1
>> ? ? LogFailure 1
>> ? ? SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T
>> request from %c (nas = %N) for user %U
>> ? ? FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T request
>> from %c (nas = %N) for user %U </AuthLog> include
>> %{GlobalVar:ConfigDir}/auth.wireless
>> <Handler TunnelledByPEAP=1>
>> ? ? AuthBy dm-wifi
>> ? ? AuthLog authLogger
>> ? ? Log radiatorLog
>> ? ? AcctLogFileName %L/%d.%v.%Y/wireless.log </Handler> <Handler>
>> ? ? AuthBy eap-outer
>> ? ? AuthLog authLogger
>> ? ? Log radiatorLog
>> ? ? AcctLogFileName %L/%d.%v.%Y/wireless.log </Handler> <AuthBy NTLM>
>> ? ? Identifier dm-wifi
>> ? ? NtlmAuthProg /usr/bin/ntlm_auth ?--helper-protocol=ntlm-server-1
>> ? ? DefaultDomain DHE
>> ? ? EAPType MSCHAP-V2
>> </AuthBy>
>> <AuthBy FILE>
>> ? ? Identifier eap-outer
>> ? ? Filename %D/users
>> ? ? EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>> ? ? EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>> ? ? EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>> ? ? EAPTLS_CertificateType PEM
>> ? ? EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>> ? ? EAPTLS_PrivateKeyPassword whatever
>> ? ? EAPTLS_MaxFragmentSize 1000
>> ? ? AutoMPPEKeys
>> ? ? EAPTLS_PEAPVersion 1
>> </AuthBy>
>>
>> --8<--
>>
>> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 145
>> Authentic: ?ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><9><0>+<25><1><23><3><1><0>
>> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><22
>> |7><2>6rs<166>f<144><141><244><3><150>
>> ? ? ? Message-Authenticator =
>> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
>>
>> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9, 43, 25
>> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25 Tue Feb 28 12:27:59
>> 2012 739078: DEBUG: EAP PEAP inner authentication request for anonymous Tue
>> Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request Packet dump:
>> Code: ? ? ? Access-Request
>> Identifier: UNDEF
>> Authentic: ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>> Attributes:
>> ? ? ? EAP-Message = <2><0><0><10><1>testUser
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? NAS-Port = 29
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with Radius::AuthNTLM: dm-
>> wifi Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2, 0,
>> 10, 1 Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1 Tue Feb 28
>> 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge Tue Feb
>> 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2
>> Challenge Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result:
>> CHALLENGE, EAP MSCHAP-V2 Challenge Tue Feb 28 12:27:59 2012 740560: DEBUG:
>> Access challenged for
>> anonymous: EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: ? ? ? Access-Challenge
>> Identifier: UNDEF
>> Authentic: ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>> Attributes:
>> ? ? ? EAP-Message =
>> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12>
>> <128>ywifi-radius-temp
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 741267:
>> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
>> redispatched to a Handler Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy
>> FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a
>> Handler Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
>> 12:27:59 2012 741619: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
>> 12:27:59 2012 741984: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Challenge
>> Identifier: 145
>> Authentic: ?+r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
>> Attributes:
>> ? ? ? EAP-Message =
>> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<
>> 218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242
>> ><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170
>> >)<129>T
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 146
>> Authentic:
>> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message =
>> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<14
>> 0>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160
>> ><202><131>
>> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161>
>> <133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<
>> 7><f<189>QY<195><209>D<141>
>> ? ? ? Message-Authenticator = <30><<150><197>JcR<14><223>lY<161><24>w/<250>
>>
>> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2, 10, 107,
>> 25 Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25 Tue Feb 28
>> 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication request for
>> anonymous Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request
>> Packet dump:
>> Code: ? ? ? Access-Request
>> Identifier: UNDEF
>> Authentic: ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>> Attributes:
>> ? ? ? EAP-Message =
>> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><22
>> 3><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<1
>> 32><241>x<145>HE<217>=vu<21><233><0>testUser
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? NAS-Port = 29
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with Radius::AuthNTLM: dm-
>> wifi Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2, 1,
>> 64, 26 Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26 Tue Feb 28
>> 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for match with testUser
>> [anonymous] Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT:
>> :
>> testUser [anonymous]
>> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
>> Request-User-Session-Key: Yes
>> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
>> Request-LanMan-Session-Key: Yes
>> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
>> LANMAN-Challenge: some-challenge
>> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
>> some-response
>> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
>> some-domain
>> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
>> some-username
>> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute: Authenticated:
>> Yes Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
>> User-Session-Key: session-key
>> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
>> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
>> Challenge: Success
>> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result: CHALLENGE, EAP
>> MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy
>> NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59
>> 2012 755478: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012 755588:
>> DEBUG: Access challenged for
>> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012 755815:
>> DEBUG: Returned PEAP tunnelled packet dump:
>> Code: ? ? ? Access-Challenge
>> Identifier: UNDEF
>> Authentic: ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>> Attributes:
>> ? ? ? EAP-Message =
>> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
>> M=success
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 756137:
>> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
>> redispatched to a Handler Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy
>> FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a
>> Handler Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
>> 12:27:59 2012 756485: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
>> 12:27:59 2012 756882: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Challenge
>> Identifier: 146
>> Authentic: ?.<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
>> Attributes:
>> ? ? ? EAP-Message =
>> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><1
>> 37><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*
>> <151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><
>> 237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><
>> 184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 147
>> Authentic: ?<219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><11><0>+<25><1><23><3><1><0>
>> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>
>> >/<27><134><201>v1<128>
>> ? ? ? Message-Authenticator =
>> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
>>
>> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2, 11, 43,
>> 25 Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25 Tue Feb 28
>> 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication request for
>> anonymous Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request
>> Packet dump:
>> Code: ? ? ? Access-Request
>> Identifier: UNDEF
>> Authentic: ?<162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>> Attributes:
>> ? ? ? EAP-Message = <2><2><0><6><26><3>
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? NAS-Port = 29
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with Radius::AuthNTLM: dm-
>> wifi Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2, 2,
>> 6, 26 Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26 Tue Feb 28
>> 12:27:59 2012 763319: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012 763440:
>> DEBUG: AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763548: DEBUG:
>> AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763677: DEBUG: Access
>> accepted for anonymous Tue Feb 28 12:27:59 2012 763788: DEBUG: Access
>> accepted for anonymous Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP
>> tunnelled packet dump:
>> Code: ? ? ? Access-Accept
>> Identifier: UNDEF
>> Authentic: ?<162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>> Attributes:
>> ? ? ? EAP-Message = <3><2><0><4>
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 764535:
>> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
>> redispatched to a Handler Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy
>> FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a
>> Handler Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
>> 12:27:59 2012 764905: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler Tue Feb 28
>> 12:27:59 2012 765255: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Challenge
>> Identifier: 147
>> Authentic: ?<241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
>> Attributes:
>> ? ? ? EAP-Message = <1><12><0>+<25><1><23><3><1><0>
>> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-
>> <8>].s<148><226><245><217><26>
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 148
>> Authentic: ?<191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><12><0>+<25><1><23><3><1><0>
>> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><
>> 145><173>)<226>B<22><29>G<222>`6<183>
>> ? ? ? Message-Authenticator =
>> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
>>
>> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2, 12, 43,
>> 25 Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25 Tue Feb 28
>> 12:27:59 2012 771782: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012 771975:
>> DEBUG: AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772145: DEBUG:
>> AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772338: DEBUG: Access
>> accepted for testUser Tue Feb 28 12:27:59 2012 772508: DEBUG: Access
>> accepted for testUser Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Accept
>> Identifier: 148
>> Authentic: ?C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
>> Attributes:
>> ? ? ? EAP-Message = <3><12><0><4>
>> ? ? ? Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? MS-MPPE-Send-Key =
>> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217
>> ><26><245><14>;<167>%;W<200>
>> ? ? ? MS-MPPE-Recv-Key =
>> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><
>> 218>G)<175>
>>
>> -->8--
>>
>> Thoughts on what may be happening? I can't seem to find anything on the web
>> about this, but I'm also hard-pressed to believe we're the only folks that
>> have run into this. The client simply refuses to connect. It's worth noting
>> that OS X indicates the client is "connected" with a self-assigned 169.x.x.x
>> IP address, but the logs really indicate that en1 (the wireless interface)
>> continues to go up/down and re-attempt authentication.
>>
>> Any help would be greatly appreciated.
>>
>> -james
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> AVERTISSEMENT CONCERNANT LA CONFIDENTIALITE
>
> Ce message, incluant ses pieces jointes, est strictement reserve a l'usage de l'individu ou de l'entite a qui il est
> adresse et contient de l'information privilegiee et confidentielle. La dissemination, distribution ou copie de cette
> communication est strictement prohibee. ?Si vous n'etes pas le destinataire projete veuillez retourner
> immediatement un courrier electronique a l'expediteur et effacez toutes les copies.
>
>
> CONFIDENTIALITY WARNING
>
> This message, including its attachments, is strictly intended for the use of the individual or the entity to which it is addressed
> and contains privileged and confidential information. Disclosure, distribution or copy of this communication is strictly
> prohibited. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator and
> deleting all copies.
>

From jtp at nc.rr.com  Tue Feb 28 11:56:38 2012
From: jtp at nc.rr.com (James)
Date: Tue, 28 Feb 2012 12:56:38 -0500
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
Message-ID: <CAN90s0KLCbdymfPYPEj8tpxKP3N_aUqWmWomy-46co835qWzmw@mail.gmail.com>

Adam,

Thanks for the response. I'll give that a whirl and get back.

Thanks!
-james

On Tue, Feb 28, 2012 at 12:48, Adam Bishop <Adam.Bishop at ja.net> wrote:
> Hi,
>
> Try setting EAPTLS_PEAPVersion as 0 instead of 1 - been a while since I wrote my configuration but I think that was the value that made OS X and iOS clients work for me.
>
> Regards,
>
> Adam Bishop
>
> On 28 Feb 2012, at 17:38, James wrote:
>
>> All,
>>
>> I'm facing a pretty weird problem while trying to set up EAP
>> authentication. Windows and Linux devices seem to work fine without
>> issues -- the clients are prompted to authenticate, accept the
>> certificate, and then they're successfully auth'ed and hop onto the
>> wireless network.
>>
>> Apple products (OS X, iPad and iPod) seem to have a strange issue,
>> however: Radiator sends an Access-Accept, the client sees that
>> authentication was successful, but the client will disconnect and then
>> reconnect ensuing in an authentication loop. Logs on OS X indicate
>> that authentication *IS* successful, but the operating system
>> eventually reports a timeout in the 4-way handshake.
>>
>> Here's the Radiator configuration:
>>
>> -->8--
>>
>> DefineFormattedGlobalVar ? ?ConfigDir ? /opt/radiator/config
>> LogDir ?/opt/radiator/logs
>> DbDir ? /opt/radiator/db
>> Trace ? 4
>> AuthPort 1645
>> AcctPort 1646
>> PidFile ?%L/wireless.pid
>> LogFile
>> <Log FILE>
>> ? ?Identifier radiatorLog
>> ? ?Filename %L/%d.%v.%Y/wireless.log
>> ? ?Trace ? 4
>> ? ?LogMicroseconds
>> </Log>
>> <Client DEFAULT>
>> ? ?Secret whatever
>> ? ?DupInterval 0
>> </Client>
>> <SessionDatabase NULL>
>> ? ?Identifier Null
>> </SessionDatabase>
>> <AuthLog FILE>
>> ? ?Identifier authLogger
>> ? ?Filename %L/%d.%v.%Y/wireless.auth
>> ? ?LogSuccess 1
>> ? ?LogFailure 1
>> ? ?SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED %T
>> request from %c (nas = %N) for user %U
>> ? ?FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
>> request from %c (nas = %N) for user %U
>> </AuthLog>
>> include %{GlobalVar:ConfigDir}/auth.wireless
>> <Handler TunnelledByPEAP=1>
>> ? ?AuthBy dm-wifi
>> ? ?AuthLog authLogger
>> ? ?Log radiatorLog
>> ? ?AcctLogFileName %L/%d.%v.%Y/wireless.log
>> </Handler>
>> <Handler>
>> ? ?AuthBy eap-outer
>> ? ?AuthLog authLogger
>> ? ?Log radiatorLog
>> ? ?AcctLogFileName %L/%d.%v.%Y/wireless.log
>> </Handler>
>> <AuthBy NTLM>
>> ? ?Identifier dm-wifi
>> ? ?NtlmAuthProg /usr/bin/ntlm_auth ?--helper-protocol=ntlm-server-1
>> ? ?DefaultDomain DHE
>> ? ?EAPType MSCHAP-V2
>> </AuthBy>
>> <AuthBy FILE>
>> ? ?Identifier eap-outer
>> ? ?Filename %D/users
>> ? ?EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>> ? ?EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>> ? ?EAPTLS_CertificateFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>> ? ?EAPTLS_CertificateType PEM
>> ? ?EAPTLS_PrivateKeyFile %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>> ? ?EAPTLS_PrivateKeyPassword whatever
>> ? ?EAPTLS_MaxFragmentSize 1000
>> ? ?AutoMPPEKeys
>> ? ?EAPTLS_PEAPVersion 1
>> </AuthBy>
>>
>> --8<--
>>
>> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 145
>> Authentic: ?ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><9><0>+<25><1><23><3><1><0>
>> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
>> ? ? ? Message-Authenticator =
>> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
>>
>> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9, 43, 25
>> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner authentication
>> request for anonymous
>> Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request Packet dump:
>> Code: ? ? ? Access-Request
>> Identifier: UNDEF
>> Authentic: ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>> Attributes:
>> ? ? ? EAP-Message = <2><0><0><10><1>testUser
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? NAS-Port = 29
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
>> Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2, 0, 10, 1
>> Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
>> Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE,
>> EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result: CHALLENGE,
>> EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: ? ? ? Access-Challenge
>> Identifier: UNDEF
>> Authentic: ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>> Attributes:
>> ? ? ? EAP-Message = <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result: CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result: CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Challenge
>> Identifier: 145
>> Authentic: ?+r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
>> Attributes:
>> ? ? ? EAP-Message = <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 146
>> Authentic: ?<28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
>> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
>> ? ? ? Message-Authenticator = <30><<150><197>JcR<14><223>lY<161><24>w/<250>
>>
>> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2, 10, 107, 25
>> Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication
>> request for anonymous
>> Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request Packet dump:
>> Code: ? ? ? Access-Request
>> Identifier: UNDEF
>> Authentic: ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>> Attributes:
>> ? ? ? EAP-Message = <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? NAS-Port = 29
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
>> Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2, 1, 64, 26
>> Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
>> Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
>> match with testUser [anonymous]
>> Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
>> testUser [anonymous]
>> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
>> Request-User-Session-Key: Yes
>> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
>> Request-LanMan-Session-Key: Yes
>> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
>> LANMAN-Challenge: some-challenge
>> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
>> some-response
>> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
>> some-domain
>> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
>> some-username
>> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute: Authenticated: Yes
>> Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
>> User-Session-Key: session-key
>> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
>> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
>> Challenge: Success
>> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result: CHALLENGE,
>> EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result: CHALLENGE,
>> EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: ? ? ? Access-Challenge
>> Identifier: UNDEF
>> Authentic: ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>> Attributes:
>> ? ? ? EAP-Message = <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
>> M=success
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result: CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result: CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Challenge
>> Identifier: 146
>> Authentic: ?.<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
>> Attributes:
>> ? ? ? EAP-Message = <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 147
>> Authentic: ?<219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><11><0>+<25><1><23><3><1><0>
>> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
>> ? ? ? Message-Authenticator =
>> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
>>
>> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2, 11, 43, 25
>> Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication
>> request for anonymous
>> Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request Packet dump:
>> Code: ? ? ? Access-Request
>> Identifier: UNDEF
>> Authentic: ?<162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>> Attributes:
>> ? ? ? EAP-Message = <2><2><0><6><26><3>
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? NAS-Port = 29
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with Radius::AuthNTLM: dm-wifi
>> Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2, 2, 6, 26
>> Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
>> Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
>> Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for anonymous
>> Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for anonymous
>> Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: ? ? ? Access-Accept
>> Identifier: UNDEF
>> Authentic: ?<162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>> Attributes:
>> ? ? ? EAP-Message = <3><2><0><4>
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result: CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result: CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Challenge
>> Identifier: 147
>> Authentic: ?<241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
>> Attributes:
>> ? ? ? EAP-Message = <1><12><0>+<25><1><23><3><1><0>
>> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Request
>> Identifier: 148
>> Authentic: ?<191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
>> Attributes:
>> ? ? ? User-Name = "testUser"
>> ? ? ? Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> ? ? ? Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> ? ? ? NAS-Port = 29
>> ? ? ? cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> ? ? ? NAS-IP-Address = 10.11.55.232
>> ? ? ? NAS-Identifier = "cisco-wism"
>> ? ? ? Airespace-WLAN-Id = 7
>> ? ? ? Service-Type = Framed-User
>> ? ? ? Framed-MTU = 1300
>> ? ? ? NAS-Port-Type = Wireless-IEEE-802-11
>> ? ? ? Tunnel-Type = 0:VLAN
>> ? ? ? Tunnel-Medium-Type = 0:802
>> ? ? ? Tunnel-Private-Group-ID = 924
>> ? ? ? EAP-Message = <2><12><0>+<25><1><23><3><1><0>
>> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
>> ? ? ? Message-Authenticator =
>> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
>>
>> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2, 12, 43, 25
>> Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
>> Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for testUser
>> Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for testUser
>> Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code: ? ? ? Access-Accept
>> Identifier: 148
>> Authentic: ?C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
>> Attributes:
>> ? ? ? EAP-Message = <3><12><0><4>
>> ? ? ? Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> ? ? ? MS-MPPE-Send-Key =
>> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
>> ? ? ? MS-MPPE-Recv-Key =
>> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>
>>
>> -->8--
>>
>> Thoughts on what may be happening? I can't seem to find anything on
>> the web about this, but I'm also hard-pressed to believe we're the
>> only folks that have run into this. The client simply refuses to
>> connect. It's worth noting that OS X indicates the client is
>> "connected" with a self-assigned 169.x.x.x IP address, but the logs
>> really indicate that en1 (the wireless interface) continues to go
>> up/down and re-attempt authentication.
>>
>> Any help would be greatly appreciated.
>>
>> -james
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>

From chema at uniovi.es  Tue Feb 28 12:06:44 2012
From: chema at uniovi.es (chema)
Date: Tue, 28 Feb 2012 19:06:44 +0100
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
Message-ID: <58a97376cd4294110cca647e27253f5e@uniovi.es>

 Hi,

 Sometime ago, we had the same problem, and our solution was making this 
 change (EAPTLS_PEAPVersion to 0). We had no previous problems using 
 PAP/TTLS.
 Hope you can solve this. Regards

 On Tue, 28 Feb 2012 17:48:53 +0000, Adam Bishop wrote:
> Hi,
>
> Try setting EAPTLS_PEAPVersion as 0 instead of 1 - been a while since
> I wrote my configuration but I think that was the value that made OS 
> X
> and iOS clients work for me.
>
> Regards,
>
> Adam Bishop
>
> On 28 Feb 2012, at 17:38, James wrote:
>
>> All,
>>
>> I'm facing a pretty weird problem while trying to set up EAP
>> authentication. Windows and Linux devices seem to work fine without
>> issues -- the clients are prompted to authenticate, accept the
>> certificate, and then they're successfully auth'ed and hop onto the
>> wireless network.
>>
>> Apple products (OS X, iPad and iPod) seem to have a strange issue,
>> however: Radiator sends an Access-Accept, the client sees that
>> authentication was successful, but the client will disconnect and 
>> then
>> reconnect ensuing in an authentication loop. Logs on OS X indicate
>> that authentication *IS* successful, but the operating system
>> eventually reports a timeout in the 4-way handshake.
>>
>> Here's the Radiator configuration:
>>
>> -->8--
>>
>> DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config
>> LogDir  /opt/radiator/logs
>> DbDir   /opt/radiator/db
>> Trace   4
>> AuthPort 1645
>> AcctPort 1646
>> PidFile  %L/wireless.pid
>> LogFile
>> <Log FILE>
>>    Identifier radiatorLog
>>    Filename %L/%d.%v.%Y/wireless.log
>>    Trace   4
>>    LogMicroseconds
>> </Log>
>> <Client DEFAULT>
>>    Secret whatever
>>    DupInterval 0
>> </Client>
>> <SessionDatabase NULL>
>>    Identifier Null
>> </SessionDatabase>
>> <AuthLog FILE>
>>    Identifier authLogger
>>    Filename %L/%d.%v.%Y/wireless.auth
>>    LogSuccess 1
>>    LogFailure 1
>>    SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED 
>> %T
>> request from %c (nas = %N) for user %U
>>    FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
>> request from %c (nas = %N) for user %U
>> </AuthLog>
>> include %{GlobalVar:ConfigDir}/auth.wireless
>> <Handler TunnelledByPEAP=1>
>>    AuthBy dm-wifi
>>    AuthLog authLogger
>>    Log radiatorLog
>>    AcctLogFileName %L/%d.%v.%Y/wireless.log
>> </Handler>
>> <Handler>
>>    AuthBy eap-outer
>>    AuthLog authLogger
>>    Log radiatorLog
>>    AcctLogFileName %L/%d.%v.%Y/wireless.log
>> </Handler>
>> <AuthBy NTLM>
>>    Identifier dm-wifi
>>    NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
>>    DefaultDomain DHE
>>    EAPType MSCHAP-V2
>> </AuthBy>
>> <AuthBy FILE>
>>    Identifier eap-outer
>>    Filename %D/users
>>    EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>>    EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>>    EAPTLS_CertificateFile 
>> %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>>    EAPTLS_CertificateType PEM
>>    EAPTLS_PrivateKeyFile 
>> %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>>    EAPTLS_PrivateKeyPassword whatever
>>    EAPTLS_MaxFragmentSize 1000
>>    AutoMPPEKeys
>>    EAPTLS_PEAPVersion 1
>> </AuthBy>
>>
>> --8<--
>>
>> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code:       Access-Request
>> Identifier: 145
>> Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
>> Attributes:
>> 	User-Name = "testUser"
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> 	NAS-Port = 29
>> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	Airespace-WLAN-Id = 7
>> 	Service-Type = Framed-User
>> 	Framed-MTU = 1300
>> 	NAS-Port-Type = Wireless-IEEE-802-11
>> 	Tunnel-Type = 0:VLAN
>> 	Tunnel-Medium-Type = 0:802
>> 	Tunnel-Private-Group-ID = 924
>> 	EAP-Message = <2><9><0>+<25><1><23><3><1><0>
>> 
>> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
>> 	Message-Authenticator =
>> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
>>
>> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 
>> 9, 43, 25
>> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner 
>> authentication
>> request for anonymous
>> Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request 
>> Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>> Attributes:
>> 	EAP-Message = <2><0><0><10><1>testUser
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	NAS-Port = 29
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with 
>> Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with 
>> Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with 
>> Radius::AuthNTLM: dm-wifi
>> Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2, 
>> 0, 10, 1
>> Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
>> Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 
>> Challenge
>> Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: 
>> CHALLENGE,
>> EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result: 
>> CHALLENGE,
>> EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP-V2 Challenge
>> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled 
>> packet dump:
>> Code:       Access-Challenge
>> Identifier: UNDEF
>> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>> Attributes:
>> 	EAP-Message = 
>> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP 
>> inner
>> authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result: 
>> CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result: 
>> CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code:       Access-Challenge
>> Identifier: 145
>> Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
>> Attributes:
>> 	EAP-Message = 
>> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code:       Access-Request
>> Identifier: 146
>> Authentic:  
>> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
>> Attributes:
>> 	User-Name = "testUser"
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> 	NAS-Port = 29
>> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	Airespace-WLAN-Id = 7
>> 	Service-Type = Framed-User
>> 	Framed-MTU = 1300
>> 	NAS-Port-Type = Wireless-IEEE-802-11
>> 	Tunnel-Type = 0:VLAN
>> 	Tunnel-Medium-Type = 0:802
>> 	Tunnel-Private-Group-ID = 924
>> 	EAP-Message = 
>> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
>> 
>> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
>> 	Message-Authenticator = 
>> <30><<150><197>JcR<14><223>lY<161><24>w/<250>
>>
>> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2, 
>> 10, 107, 25
>> Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner 
>> authentication
>> request for anonymous
>> Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request 
>> Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>> Attributes:
>> 	EAP-Message = 
>> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	NAS-Port = 29
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with 
>> Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with 
>> Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with 
>> Radius::AuthNTLM: dm-wifi
>> Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2, 
>> 1, 64, 26
>> Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
>> Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
>> match with testUser [anonymous]
>> Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
>> testUser [anonymous]
>> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
>> Request-User-Session-Key: Yes
>> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
>> Request-LanMan-Session-Key: Yes
>> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
>> LANMAN-Challenge: some-challenge
>> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute 
>> NT-Response:
>> some-response
>> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute 
>> NT-Domain::
>> some-domain
>> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
>> some-username
>> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute: 
>> Authenticated: Yes
>> Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
>> User-Session-Key: session-key
>> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
>> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
>> Challenge: Success
>> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result: 
>> CHALLENGE,
>> EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result: 
>> CHALLENGE,
>> EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
>> anonymous: EAP MSCHAP V2 Challenge: Success
>> Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled 
>> packet dump:
>> Code:       Access-Challenge
>> Identifier: UNDEF
>> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>> Attributes:
>> 	EAP-Message = 
>> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
>> M=success
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP 
>> inner
>> authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result: 
>> CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result: 
>> CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code:       Access-Challenge
>> Identifier: 146
>> Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
>> Attributes:
>> 	EAP-Message = 
>> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code:       Access-Request
>> Identifier: 147
>> Authentic:  
>> <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
>> Attributes:
>> 	User-Name = "testUser"
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> 	NAS-Port = 29
>> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	Airespace-WLAN-Id = 7
>> 	Service-Type = Framed-User
>> 	Framed-MTU = 1300
>> 	NAS-Port-Type = Wireless-IEEE-802-11
>> 	Tunnel-Type = 0:VLAN
>> 	Tunnel-Medium-Type = 0:802
>> 	Tunnel-Private-Group-ID = 924
>> 	EAP-Message = <2><11><0>+<25><1><23><3><1><0>
>> 
>> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
>> 	Message-Authenticator =
>> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
>>
>> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2, 
>> 11, 43, 25
>> Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner 
>> authentication
>> request for anonymous
>> Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request 
>> Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  
>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>> Attributes:
>> 	EAP-Message = <2><2><0><6><26><3>
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	NAS-Port = 29
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	User-Name = "anonymous"
>>
>> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with 
>> Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with 
>> Handler
>> 'TunnelledByPEAP=1', Identifier ''
>> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with 
>> Radius::AuthNTLM: dm-wifi
>> Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2, 
>> 2, 6, 26
>> Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
>> Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
>> Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for 
>> anonymous
>> Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for 
>> anonymous
>> Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled 
>> packet dump:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  
>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>> Attributes:
>> 	EAP-Message = <3><2><0><4>
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP 
>> inner
>> authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result: 
>> CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result: 
>> CHALLENGE,
>> EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
>> testUser: EAP PEAP inner authentication redispatched to a Handler
>> Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code:       Access-Challenge
>> Identifier: 147
>> Authentic:  
>> <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
>> Attributes:
>> 	EAP-Message = <1><12><0>+<25><1><23><3><1><0>
>> 
>> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
>> *** Received from 10.11.55.232 port 32768 ....
>> Code:       Access-Request
>> Identifier: 148
>> Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
>> Attributes:
>> 	User-Name = "testUser"
>> 	Calling-Station-Id = "b3-dd-ae-87-22-b3"
>> 	Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>> 	NAS-Port = 29
>> 	cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>> 	NAS-IP-Address = 10.11.55.232
>> 	NAS-Identifier = "cisco-wism"
>> 	Airespace-WLAN-Id = 7
>> 	Service-Type = Framed-User
>> 	Framed-MTU = 1300
>> 	NAS-Port-Type = Wireless-IEEE-802-11
>> 	Tunnel-Type = 0:VLAN
>> 	Tunnel-Medium-Type = 0:802
>> 	Tunnel-Private-Group-ID = 924
>> 	EAP-Message = <2><12><0>+<25><1><23><3><1><0>
>> 
>> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
>> 	Message-Authenticator =
>> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
>>
>> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with 
>> Handler
>> '', Identifier ''
>> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
>> Radius::AuthFILE: eap-outer
>> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2, 
>> 12, 43, 25
>> Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
>> Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
>> Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: ACCEPT,
>> Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for testUser
>> Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for testUser
>> Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
>> *** Sending to 10.11.55.232 port 32768 ....
>> Code:       Access-Accept
>> Identifier: 148
>> Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
>> Attributes:
>> 	EAP-Message = <3><12><0><4>
>> 	Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> 	MS-MPPE-Send-Key =
>> 
>> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
>> 	MS-MPPE-Recv-Key =
>> 
>> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>
>>
>> -->8--
>>
>> Thoughts on what may be happening? I can't seem to find anything on
>> the web about this, but I'm also hard-pressed to believe we're the
>> only folks that have run into this. The client simply refuses to
>> connect. It's worth noting that OS X indicates the client is
>> "connected" with a self-assigned 169.x.x.x IP address, but the logs
>> really indicate that en1 (the wireless interface) continues to go
>> up/down and re-attempt authentication.
>>
>> Any help would be greatly appreciated.
>>
>> -james
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


From jtp at nc.rr.com  Tue Feb 28 12:10:40 2012
From: jtp at nc.rr.com (James)
Date: Tue, 28 Feb 2012 13:10:40 -0500
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <58a97376cd4294110cca647e27253f5e@uniovi.es>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
	<58a97376cd4294110cca647e27253f5e@uniovi.es>
Message-ID: <CAN90s0KQE5oYrDq0KpYvLUV_3YehgY4urLt9AJFSxc=U5cXY8Q@mail.gmail.com>

Yes, setting the EAPTLS_PEAPVersion set to '0' seems to work.

Does this result in any sort of "less secure" communications? What is
the difference between the two PEAP draft versions?

-james


On Tue, Feb 28, 2012 at 13:06, chema <chema at uniovi.es> wrote:
> ?Hi,
>
> ?Sometime ago, we had the same problem, and our solution was making this
> ?change (EAPTLS_PEAPVersion to 0). We had no previous problems using
> ?PAP/TTLS.
> ?Hope you can solve this. Regards
>
> ?On Tue, 28 Feb 2012 17:48:53 +0000, Adam Bishop wrote:
>> Hi,
>>
>> Try setting EAPTLS_PEAPVersion as 0 instead of 1 - been a while since
>> I wrote my configuration but I think that was the value that made OS
>> X
>> and iOS clients work for me.
>>
>> Regards,
>>
>> Adam Bishop
>>
>> On 28 Feb 2012, at 17:38, James wrote:
>>
>>> All,
>>>
>>> I'm facing a pretty weird problem while trying to set up EAP
>>> authentication. Windows and Linux devices seem to work fine without
>>> issues -- the clients are prompted to authenticate, accept the
>>> certificate, and then they're successfully auth'ed and hop onto the
>>> wireless network.
>>>
>>> Apple products (OS X, iPad and iPod) seem to have a strange issue,
>>> however: Radiator sends an Access-Accept, the client sees that
>>> authentication was successful, but the client will disconnect and
>>> then
>>> reconnect ensuing in an authentication loop. Logs on OS X indicate
>>> that authentication *IS* successful, but the operating system
>>> eventually reports a timeout in the 4-way handshake.
>>>
>>> Here's the Radiator configuration:
>>>
>>> -->8--
>>>
>>> DefineFormattedGlobalVar ? ?ConfigDir ? /opt/radiator/config
>>> LogDir ?/opt/radiator/logs
>>> DbDir ? /opt/radiator/db
>>> Trace ? 4
>>> AuthPort 1645
>>> AcctPort 1646
>>> PidFile ?%L/wireless.pid
>>> LogFile
>>> <Log FILE>
>>> ? ?Identifier radiatorLog
>>> ? ?Filename %L/%d.%v.%Y/wireless.log
>>> ? ?Trace ? 4
>>> ? ?LogMicroseconds
>>> </Log>
>>> <Client DEFAULT>
>>> ? ?Secret whatever
>>> ? ?DupInterval 0
>>> </Client>
>>> <SessionDatabase NULL>
>>> ? ?Identifier Null
>>> </SessionDatabase>
>>> <AuthLog FILE>
>>> ? ?Identifier authLogger
>>> ? ?Filename %L/%d.%v.%Y/wireless.auth
>>> ? ?LogSuccess 1
>>> ? ?LogFailure 1
>>> ? ?SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED
>>> %T
>>> request from %c (nas = %N) for user %U
>>> ? ?FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
>>> request from %c (nas = %N) for user %U
>>> </AuthLog>
>>> include %{GlobalVar:ConfigDir}/auth.wireless
>>> <Handler TunnelledByPEAP=1>
>>> ? ?AuthBy dm-wifi
>>> ? ?AuthLog authLogger
>>> ? ?Log radiatorLog
>>> ? ?AcctLogFileName %L/%d.%v.%Y/wireless.log
>>> </Handler>
>>> <Handler>
>>> ? ?AuthBy eap-outer
>>> ? ?AuthLog authLogger
>>> ? ?Log radiatorLog
>>> ? ?AcctLogFileName %L/%d.%v.%Y/wireless.log
>>> </Handler>
>>> <AuthBy NTLM>
>>> ? ?Identifier dm-wifi
>>> ? ?NtlmAuthProg /usr/bin/ntlm_auth ?--helper-protocol=ntlm-server-1
>>> ? ?DefaultDomain DHE
>>> ? ?EAPType MSCHAP-V2
>>> </AuthBy>
>>> <AuthBy FILE>
>>> ? ?Identifier eap-outer
>>> ? ?Filename %D/users
>>> ? ?EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>>> ? ?EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>>> ? ?EAPTLS_CertificateFile
>>> %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>>> ? ?EAPTLS_CertificateType PEM
>>> ? ?EAPTLS_PrivateKeyFile
>>> %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>>> ? ?EAPTLS_PrivateKeyPassword whatever
>>> ? ?EAPTLS_MaxFragmentSize 1000
>>> ? ?AutoMPPEKeys
>>> ? ?EAPTLS_PEAPVersion 1
>>> </AuthBy>
>>>
>>> --8<--
>>>
>>> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
>>> *** Received from 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Request
>>> Identifier: 145
>>> Authentic: ?ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
>>> Attributes:
>>> ? ? ?User-Name = "testUser"
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?Airespace-WLAN-Id = 7
>>> ? ? ?Service-Type = Framed-User
>>> ? ? ?Framed-MTU = 1300
>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>> ? ? ?Tunnel-Type = 0:VLAN
>>> ? ? ?Tunnel-Medium-Type = 0:802
>>> ? ? ?Tunnel-Private-Group-ID = 924
>>> ? ? ?EAP-Message = <2><9><0>+<25><1><23><3><1><0>
>>>
>>> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
>>> ? ? ?Message-Authenticator =
>>> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
>>>
>>> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
>>> Radius::AuthFILE: eap-outer
>>> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2,
>>> 9, 43, 25
>>> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
>>> Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner
>>> authentication
>>> request for anonymous
>>> Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request
>>> Packet dump:
>>> Code: ? ? ? Access-Request
>>> Identifier: UNDEF
>>> Authentic: ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>>> Attributes:
>>> ? ? ?EAP-Message = <2><0><0><10><1>testUser
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?User-Name = "anonymous"
>>>
>>> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with
>>> Handler
>>> 'TunnelledByPEAP=1', Identifier ''
>>> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with
>>> Handler
>>> 'TunnelledByPEAP=1', Identifier ''
>>> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with
>>> Radius::AuthNTLM: dm-wifi
>>> Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2,
>>> 0, 10, 1
>>> Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
>>> Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2
>>> Challenge
>>> Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result:
>>> CHALLENGE,
>>> EAP MSCHAP-V2 Challenge
>>> Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result:
>>> CHALLENGE,
>>> EAP MSCHAP-V2 Challenge
>>> Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
>>> anonymous: EAP MSCHAP-V2 Challenge
>>> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
>>> anonymous: EAP MSCHAP-V2 Challenge
>>> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled
>>> packet dump:
>>> Code: ? ? ? Access-Challenge
>>> Identifier: UNDEF
>>> Authentic: ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>>> Attributes:
>>> ? ? ?EAP-Message =
>>> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP
>>> inner
>>> authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result:
>>> CHALLENGE,
>>> EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result:
>>> CHALLENGE,
>>> EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
>>> *** Sending to 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Challenge
>>> Identifier: 145
>>> Authentic: ?+r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
>>> Attributes:
>>> ? ? ?EAP-Message =
>>> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
>>> *** Received from 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Request
>>> Identifier: 146
>>> Authentic:
>>> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
>>> Attributes:
>>> ? ? ?User-Name = "testUser"
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?Airespace-WLAN-Id = 7
>>> ? ? ?Service-Type = Framed-User
>>> ? ? ?Framed-MTU = 1300
>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>> ? ? ?Tunnel-Type = 0:VLAN
>>> ? ? ?Tunnel-Medium-Type = 0:802
>>> ? ? ?Tunnel-Private-Group-ID = 924
>>> ? ? ?EAP-Message =
>>> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
>>>
>>> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
>>> ? ? ?Message-Authenticator =
>>> <30><<150><197>JcR<14><223>lY<161><24>w/<250>
>>>
>>> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
>>> Radius::AuthFILE: eap-outer
>>> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2,
>>> 10, 107, 25
>>> Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
>>> Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner
>>> authentication
>>> request for anonymous
>>> Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request
>>> Packet dump:
>>> Code: ? ? ? Access-Request
>>> Identifier: UNDEF
>>> Authentic: ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>>> Attributes:
>>> ? ? ?EAP-Message =
>>> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?User-Name = "anonymous"
>>>
>>> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with
>>> Handler
>>> 'TunnelledByPEAP=1', Identifier ''
>>> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with
>>> Handler
>>> 'TunnelledByPEAP=1', Identifier ''
>>> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with
>>> Radius::AuthNTLM: dm-wifi
>>> Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2,
>>> 1, 64, 26
>>> Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
>>> Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
>>> match with testUser [anonymous]
>>> Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
>>> testUser [anonymous]
>>> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
>>> Request-User-Session-Key: Yes
>>> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
>>> Request-LanMan-Session-Key: Yes
>>> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
>>> LANMAN-Challenge: some-challenge
>>> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute
>>> NT-Response:
>>> some-response
>>> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute
>>> NT-Domain::
>>> some-domain
>>> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
>>> some-username
>>> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute:
>>> Authenticated: Yes
>>> Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
>>> User-Session-Key: session-key
>>> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
>>> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
>>> Challenge: Success
>>> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result:
>>> CHALLENGE,
>>> EAP MSCHAP V2 Challenge: Success
>>> Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result:
>>> CHALLENGE,
>>> EAP MSCHAP V2 Challenge: Success
>>> Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
>>> anonymous: EAP MSCHAP V2 Challenge: Success
>>> Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
>>> anonymous: EAP MSCHAP V2 Challenge: Success
>>> Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled
>>> packet dump:
>>> Code: ? ? ? Access-Challenge
>>> Identifier: UNDEF
>>> Authentic: ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>>> Attributes:
>>> ? ? ?EAP-Message =
>>> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
>>> M=success
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP
>>> inner
>>> authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result:
>>> CHALLENGE,
>>> EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result:
>>> CHALLENGE,
>>> EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
>>> *** Sending to 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Challenge
>>> Identifier: 146
>>> Authentic: ?.<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
>>> Attributes:
>>> ? ? ?EAP-Message =
>>> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
>>> *** Received from 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Request
>>> Identifier: 147
>>> Authentic:
>>> <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
>>> Attributes:
>>> ? ? ?User-Name = "testUser"
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?Airespace-WLAN-Id = 7
>>> ? ? ?Service-Type = Framed-User
>>> ? ? ?Framed-MTU = 1300
>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>> ? ? ?Tunnel-Type = 0:VLAN
>>> ? ? ?Tunnel-Medium-Type = 0:802
>>> ? ? ?Tunnel-Private-Group-ID = 924
>>> ? ? ?EAP-Message = <2><11><0>+<25><1><23><3><1><0>
>>>
>>> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
>>> ? ? ?Message-Authenticator =
>>> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
>>>
>>> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
>>> Radius::AuthFILE: eap-outer
>>> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2,
>>> 11, 43, 25
>>> Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
>>> Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner
>>> authentication
>>> request for anonymous
>>> Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request
>>> Packet dump:
>>> Code: ? ? ? Access-Request
>>> Identifier: UNDEF
>>> Authentic:
>>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>>> Attributes:
>>> ? ? ?EAP-Message = <2><2><0><6><26><3>
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?User-Name = "anonymous"
>>>
>>> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with
>>> Handler
>>> 'TunnelledByPEAP=1', Identifier ''
>>> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with
>>> Handler
>>> 'TunnelledByPEAP=1', Identifier ''
>>> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with
>>> Radius::AuthNTLM: dm-wifi
>>> Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2,
>>> 2, 6, 26
>>> Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
>>> Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
>>> Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: ACCEPT,
>>> Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: ACCEPT,
>>> Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for
>>> anonymous
>>> Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for
>>> anonymous
>>> Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled
>>> packet dump:
>>> Code: ? ? ? Access-Accept
>>> Identifier: UNDEF
>>> Authentic:
>>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>>> Attributes:
>>> ? ? ?EAP-Message = <3><2><0><4>
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP
>>> inner
>>> authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result:
>>> CHALLENGE,
>>> EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result:
>>> CHALLENGE,
>>> EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
>>> *** Sending to 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Challenge
>>> Identifier: 147
>>> Authentic:
>>> <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
>>> Attributes:
>>> ? ? ?EAP-Message = <1><12><0>+<25><1><23><3><1><0>
>>>
>>> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
>>> *** Received from 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Request
>>> Identifier: 148
>>> Authentic: ?<191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
>>> Attributes:
>>> ? ? ?User-Name = "testUser"
>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>> ? ? ?NAS-Port = 29
>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>> ? ? ?NAS-Identifier = "cisco-wism"
>>> ? ? ?Airespace-WLAN-Id = 7
>>> ? ? ?Service-Type = Framed-User
>>> ? ? ?Framed-MTU = 1300
>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>> ? ? ?Tunnel-Type = 0:VLAN
>>> ? ? ?Tunnel-Medium-Type = 0:802
>>> ? ? ?Tunnel-Private-Group-ID = 924
>>> ? ? ?EAP-Message = <2><12><0>+<25><1><23><3><1><0>
>>>
>>> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
>>> ? ? ?Message-Authenticator =
>>> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
>>>
>>> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with
>>> Handler
>>> '', Identifier ''
>>> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
>>> Radius::AuthFILE: eap-outer
>>> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2,
>>> 12, 43, 25
>>> Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
>>> Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
>>> Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: ACCEPT,
>>> Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: ACCEPT,
>>> Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for testUser
>>> Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for testUser
>>> Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
>>> *** Sending to 10.11.55.232 port 32768 ....
>>> Code: ? ? ? Access-Accept
>>> Identifier: 148
>>> Authentic: ?C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
>>> Attributes:
>>> ? ? ?EAP-Message = <3><12><0><4>
>>> ? ? ?Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> ? ? ?MS-MPPE-Send-Key =
>>>
>>> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
>>> ? ? ?MS-MPPE-Recv-Key =
>>>
>>> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>
>>>
>>> -->8--
>>>
>>> Thoughts on what may be happening? I can't seem to find anything on
>>> the web about this, but I'm also hard-pressed to believe we're the
>>> only folks that have run into this. The client simply refuses to
>>> connect. It's worth noting that OS X indicates the client is
>>> "connected" with a self-assigned 169.x.x.x IP address, but the logs
>>> really indicate that en1 (the wireless interface) continues to go
>>> up/down and re-attempt authentication.
>>>
>>> Any help would be greatly appreciated.
>>>
>>> -james
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> JANET(UK) is a trading name of The JNT Association, a company limited
>> by guarantee which is registered in England under No. 2881024
>> and whose Registered Office is at Lumen House, Library Avenue,
>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

From mberube at jeancoutu.com  Tue Feb 28 12:16:44 2012
From: mberube at jeancoutu.com (=?iso-8859-1?Q?Martin_B=E9rub=E9?=)
Date: Tue, 28 Feb 2012 13:16:44 -0500
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>
	<CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>
Message-ID: <504530040EFFF7429CE24A0AF04FF21DD15E919B0C@GJCEXCH.groupe.jeancoutu.com>

Well,

The problem we had was for TLS. Our PKI infrastructure had a hashed signature whit MD5. The hashing used should be at least SHA-1 for iOS 5 devices.

In Microsoft Windows, if you start certmgr.msc, and look at a Root CA certificate, in Details, you can find the hashing algorythm used for the signature.

We had to change our infrastructure, so we took SHA-256. The only certificate that kept the MD5 hashing is our Root CA.

It works fine, since then.  But, as I wrote, it is for TLS authentication.


Martin B?rub?
Analyste Technique
Architecture Et S?curit?
T?l. : (450) 463-1890 poste 3362
Avant d'imprimer, pensez ? l'environnement.




> -----Message d'origine-----
> De : jz.penguin at gmail.com [mailto:jz.penguin at gmail.com] De la part de James
> Envoy? : 28 f?vrier 2012 12:56
> ? : Martin B?rub?
> Cc : radiator at open.com.au
> Objet : Re: [RADIATOR] eap + apple products - failed auth
>
> Thanks for the response.
>
> I'm not sure how to determine that; can you give me a nudge in the right
> direction?
>
> -james
>
>
> On Tue, Feb 28, 2012 at 12:49, Martin B?rub? <mberube at jeancoutu.com> wrote:
> > Hello James,
> >
> > Are you using MD5 hashing for the issuer certificate ?
> > Apple dropped support for MD5 hashing for all certificates, except the CA
> (root) ones, starting with iOS 5.
> >
> >
> > Martin B?rub?
> > Analyste Technique
> > Architecture Et S?curit?
> > T?l. : (450) 463-1890 poste 3362
> > Avant d'imprimer, pensez ? l'environnement.
> >
> >
> >
> >> -----Message d'origine-----
> >> De : radiator-bounces at open.com.au
> >> [mailto:radiator-bounces at open.com.au] De la part de James Envoy? : 28
> >> f?vrier 2012 12:38 ? : radiator at open.com.au Objet : [RADIATOR] eap +
> >> apple products - failed auth
> >>
> >> All,
> >>
> >> I'm facing a pretty weird problem while trying to set up EAP
> authentication.
> >> Windows and Linux devices seem to work fine without issues -- the
> >> clients are prompted to authenticate, accept the certificate, and
> >> then they're successfully auth'ed and hop onto the wireless network.
> >>
> >> Apple products (OS X, iPad and iPod) seem to have a strange issue,
> >> however: Radiator sends an Access-Accept, the client sees that
> >> authentication was successful, but the client will disconnect and
> >> then reconnect ensuing in an authentication loop. Logs on OS X
> >> indicate that authentication *IS* successful, but the operating
> >> system eventually reports a timeout in the 4-way handshake.
> >>
> >> Here's the Radiator configuration:
> >>
> >> -->8--
> >>
> >> DefineFormattedGlobalVar    ConfigDir   /opt/radiator/config LogDir
> >> /opt/radiator/logs DbDir   /opt/radiator/db Trace   4 AuthPort 1645
> >> AcctPort 1646 PidFile  %L/wireless.pid LogFile <Log FILE>
> >>     Identifier radiatorLog
> >>     Filename %L/%d.%v.%Y/wireless.log
> >>     Trace   4
> >>     LogMicroseconds
> >> </Log>
> >> <Client DEFAULT>
> >>     Secret whatever
> >>     DupInterval 0
> >> </Client>
> >> <SessionDatabase NULL>
> >>     Identifier Null
> >> </SessionDatabase>
> >> <AuthLog FILE>
> >>     Identifier authLogger
> >>     Filename %L/%d.%v.%Y/wireless.auth
> >>     LogSuccess 1
> >>     LogFailure 1
> >>     SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED
> >> %T request from %c (nas = %N) for user %U
> >>     FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
> >> request from %c (nas = %N) for user %U </AuthLog> include
> >> %{GlobalVar:ConfigDir}/auth.wireless
> >> <Handler TunnelledByPEAP=1>
> >>     AuthBy dm-wifi
> >>     AuthLog authLogger
> >>     Log radiatorLog
> >>     AcctLogFileName %L/%d.%v.%Y/wireless.log </Handler> <Handler>
> >>     AuthBy eap-outer
> >>     AuthLog authLogger
> >>     Log radiatorLog
> >>     AcctLogFileName %L/%d.%v.%Y/wireless.log </Handler> <AuthBy NTLM>
> >>     Identifier dm-wifi
> >>     NtlmAuthProg /usr/bin/ntlm_auth  --helper-protocol=ntlm-server-1
> >>     DefaultDomain DHE
> >>     EAPType MSCHAP-V2
> >> </AuthBy>
> >> <AuthBy FILE>
> >>     Identifier eap-outer
> >>     Filename %D/users
> >>     EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
> >>     EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
> >>     EAPTLS_CertificateFile
> >> %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
> >>     EAPTLS_CertificateType PEM
> >>     EAPTLS_PrivateKeyFile
> >> %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
> >>     EAPTLS_PrivateKeyPassword whatever
> >>     EAPTLS_MaxFragmentSize 1000
> >>     AutoMPPEKeys
> >>     EAPTLS_PEAPVersion 1
> >> </AuthBy>
> >>
> >> --8<--
> >>
> >> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 145
> >> Authentic:  ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message = <2><9><0>+<25><1><23><3><1><0>
> >> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183>
> >> |<22
> >> |7><2>6rs<166>f<144><141><244><3><150>
> >>       Message-Authenticator =
> >> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
> >>
> >> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2, 9,
> >> 43, 25 Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25 Tue
> >> Feb 28 12:27:59
> >> 2012 739078: DEBUG: EAP PEAP inner authentication request for
> >> anonymous Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request
> Packet dump:
> >> Code:       Access-Request
> >> Identifier: UNDEF
> >> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> >> Attributes:
> >>       EAP-Message = <2><0><0><10><1>testUser
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       NAS-Port = 29
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       User-Name = "anonymous"
> >>
> >> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with
> >> Radius::AuthNTLM: dm- wifi Tue Feb 28 12:27:59 2012 739910: DEBUG:
> >> Handling with EAP: code 2, 0, 10, 1 Tue Feb 28 12:27:59 2012 740035:
> >> DEBUG: Response type 1 Tue Feb 28
> >> 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> >> Tue Feb
> >> 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result: CHALLENGE, EAP
> >> MSCHAP-V2 Challenge Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM
> result:
> >> CHALLENGE, EAP MSCHAP-V2 Challenge Tue Feb 28 12:27:59 2012 740560:
> DEBUG:
> >> Access challenged for
> >> anonymous: EAP MSCHAP-V2 Challenge
> >> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
> >> anonymous: EAP MSCHAP-V2 Challenge
> >> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled packet
> dump:
> >> Code:       Access-Challenge
> >> Identifier: UNDEF
> >> Authentic:  <199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
> >> Attributes:
> >>       EAP-Message =
> >> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<1
> >> 62><12>
> >> <128>ywifi-radius-temp
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP inner
> >> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 741267:
> >> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 741377: DEBUG:
> >> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 741504: DEBUG:
> >> Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 741619: DEBUG: Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 741984: DEBUG: Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Challenge
> >> Identifier: 145
> >> Authentic:  +r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
> >> Attributes:
> >>       EAP-Message =
> >> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18>
> >> <188>[<
> >> 218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196
> >> 218>>"o<242
> >> ><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><18
> >> >3>W<170
> >> >)<129>T
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 146
> >> Authentic:
> >> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message =
> >> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145>
> >> <2>v<14
> >> 0>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<22
> >> 0>4>D<160
> >> ><202><131>
> >> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><21
> >> 0><161>
> >> <133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t
> >> <237>5<
> >> 7><f<189>QY<195><209>D<141>
> >>       Message-Authenticator =
> >> <30><<150><197>JcR<14><223>lY<161><24>w/<250>
> >>
> >> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2,
> >> 10, 107,
> >> 25 Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25 Tue Feb
> >> 28
> >> 12:27:59 2012 747489: DEBUG: EAP PEAP inner authentication request
> >> for anonymous Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled
> >> request Packet dump:
> >> Code:       Access-Request
> >> Identifier: UNDEF
> >> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> >> Attributes:
> >>       EAP-Message =
> >> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l
> >> <16><22
> >> 3><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><
> >> 3>227>7<1
> >> 32><241>x<145>HE<217>=vu<21><233><0>testUser
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       NAS-Port = 29
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       User-Name = "anonymous"
> >>
> >> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with
> >> Radius::AuthNTLM: dm- wifi Tue Feb 28 12:27:59 2012 748362: DEBUG:
> >> Handling with EAP: code 2, 1, 64, 26 Tue Feb 28 12:27:59 2012 748490:
> >> DEBUG: Response type 26 Tue Feb 28
> >> 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for match with
> >> testUser [anonymous] Tue Feb 28 12:27:59 2012 748801: DEBUG:
> Radius::AuthNTLM ACCEPT:
> >> :
> >> testUser [anonymous]
> >> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
> >> Request-User-Session-Key: Yes
> >> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
> >> Request-LanMan-Session-Key: Yes
> >> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
> >> LANMAN-Challenge: some-challenge
> >> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute NT-Response:
> >> some-response
> >> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute NT-Domain::
> >> some-domain
> >> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute Username::
> >> some-username
> >> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute:
> Authenticated:
> >> Yes Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
> >> User-Session-Key: session-key
> >> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
> >> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP V2
> >> Challenge: Success
> >> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result:
> >> CHALLENGE, EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012
> >> 755351: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2
> >> Challenge: Success Tue Feb 28 12:27:59
> >> 2012 755478: DEBUG: Access challenged for
> >> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012
> 755588:
> >> DEBUG: Access challenged for
> >> anonymous: EAP MSCHAP V2 Challenge: Success Tue Feb 28 12:27:59 2012
> 755815:
> >> DEBUG: Returned PEAP tunnelled packet dump:
> >> Code:       Access-Challenge
> >> Identifier: UNDEF
> >> Authentic:  <30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
> >> Attributes:
> >>       EAP-Message =
> >> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
> >> M=success
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP inner
> >> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 756137:
> >> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 756247: DEBUG:
> >> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 756374: DEBUG:
> >> Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 756485: DEBUG: Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 756882: DEBUG: Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Challenge
> >> Identifier: 146
> >> Authentic:  .<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
> >> Attributes:
> >>       EAP-Message =
> >> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y>
> >> <178><1
> >> 37><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25>
> >> 37><237>%*
> >> <151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207
> >> ><147><
> >> 237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180
> >> 237>><150><
> >> 184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 147
> >> Authentic:
> >> <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message = <2><11><0>+<25><1><23><3><1><0>
> >> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<24
> >> 5><167>
> >> >/<27><134><201>v1<128>
> >>       Message-Authenticator =
> >> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
> >>
> >> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2,
> >> 11, 43,
> >> 25 Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25 Tue Feb
> >> 28
> >> 12:27:59 2012 762048: DEBUG: EAP PEAP inner authentication request
> >> for anonymous Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled
> >> request Packet dump:
> >> Code:       Access-Request
> >> Identifier: UNDEF
> >> Authentic:
> >> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> >> Attributes:
> >>       EAP-Message = <2><2><0><6><26><3>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       NAS-Port = 29
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       User-Name = "anonymous"
> >>
> >> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with Handler
> >> 'TunnelledByPEAP=1', Identifier ''
> >> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with
> >> Radius::AuthNTLM: dm- wifi Tue Feb 28 12:27:59 2012 762984: DEBUG:
> >> Handling with EAP: code 2, 2, 6, 26 Tue Feb 28 12:27:59 2012 763143:
> >> DEBUG: Response type 26 Tue Feb 28
> >> 12:27:59 2012 763319: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012
> 763440:
> >> DEBUG: AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763548:
> DEBUG:
> >> AuthBy NTLM result: ACCEPT, Tue Feb 28 12:27:59 2012 763677: DEBUG:
> >> Access accepted for anonymous Tue Feb 28 12:27:59 2012 763788: DEBUG:
> >> Access accepted for anonymous Tue Feb 28 12:27:59 2012 764183: DEBUG:
> >> Returned PEAP tunnelled packet dump:
> >> Code:       Access-Accept
> >> Identifier: UNDEF
> >> Authentic:
> >> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
> >> Attributes:
> >>       EAP-Message = <3><2><0><4>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP inner
> >> authentication redispatched to a Handler Tue Feb 28 12:27:59 2012 764535:
> >> DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 764659: DEBUG:
> >> AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication
> >> redispatched to a Handler Tue Feb 28 12:27:59 2012 764791: DEBUG:
> >> Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 764905: DEBUG: Access challenged for
> >> testUser: EAP PEAP inner authentication redispatched to a Handler Tue
> >> Feb 28
> >> 12:27:59 2012 765255: DEBUG: Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Challenge
> >> Identifier: 147
> >> Authentic:
> >> <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
> >> Attributes:
> >>       EAP-Message = <1><12><0>+<25><1><23><3><1><0>
> >> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160
> >> ><213>-
> >> <8>].s<148><226><245><217><26>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
> >> *** Received from 10.11.55.232 port 32768 ....
> >> Code:       Access-Request
> >> Identifier: 148
> >> Authentic:  <191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
> >> Attributes:
> >>       User-Name = "testUser"
> >>       Calling-Station-Id = "b3-dd-ae-87-22-b3"
> >>       Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
> >>       NAS-Port = 29
> >>       cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
> >>       NAS-IP-Address = 10.11.55.232
> >>       NAS-Identifier = "cisco-wism"
> >>       Airespace-WLAN-Id = 7
> >>       Service-Type = Framed-User
> >>       Framed-MTU = 1300
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       Tunnel-Type = 0:VLAN
> >>       Tunnel-Medium-Type = 0:802
> >>       Tunnel-Private-Group-ID = 924
> >>       EAP-Message = <2><12><0>+<25><1><23><3><1><0>
> >> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>
> >> I<253><
> >> 145><173>)<226>B<22><29>G<222>`6<183>
> >>       Message-Authenticator =
> >> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
> >>
> >> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with Handler
> >> '', Identifier ''
> >> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
> >> Radius::AuthFILE: eap-outer
> >> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2,
> >> 12, 43,
> >> 25 Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25 Tue Feb
> >> 28
> >> 12:27:59 2012 771782: DEBUG: EAP result: 0, Tue Feb 28 12:27:59 2012
> 771975:
> >> DEBUG: AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772145:
> DEBUG:
> >> AuthBy FILE result: ACCEPT, Tue Feb 28 12:27:59 2012 772338: DEBUG:
> >> Access accepted for testUser Tue Feb 28 12:27:59 2012 772508: DEBUG:
> >> Access accepted for testUser Tue Feb 28 12:27:59 2012 773368: DEBUG:
> Packet dump:
> >> *** Sending to 10.11.55.232 port 32768 ....
> >> Code:       Access-Accept
> >> Identifier: 148
> >> Authentic:  C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
> >> Attributes:
> >>       EAP-Message = <3><12><0><4>
> >>       Message-Authenticator =
> >> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>       MS-MPPE-Send-Key =
> >> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><14
> >> 3>t<217
> >> ><26><245><14>;<167>%;W<200>
> >>       MS-MPPE-Recv-Key =
> >> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|
> >> ^<230><
> >> 218>G)<175>
> >>
> >> -->8--
> >>
> >> Thoughts on what may be happening? I can't seem to find anything on
> >> the web about this, but I'm also hard-pressed to believe we're the
> >> only folks that have run into this. The client simply refuses to
> >> connect. It's worth noting that OS X indicates the client is
> >> "connected" with a self-assigned 169.x.x.x IP address, but the logs
> >> really indicate that en1 (the wireless interface) continues to go up/down
> and re-attempt authentication.
> >>
> >> Any help would be greatly appreciated.
> >>
> >> -james
> >> _______________________________________________
> >> radiator mailing list
> >> radiator at open.com.au
> >> http://www.open.com.au/mailman/listinfo/radiator
> > AVERTISSEMENT CONCERNANT LA CONFIDENTIALITE
> >
> > Ce message, incluant ses pieces jointes, est strictement reserve a
> > l'usage de l'individu ou de l'entite a qui il est adresse et contient
> > de l'information privilegiee et confidentielle. La dissemination,
> > distribution ou copie de cette communication est strictement prohibee.  Si
> vous n'etes pas le destinataire projete veuillez retourner immediatement un
> courrier electronique a l'expediteur et effacez toutes les copies.
> >
> >
> > CONFIDENTIALITY WARNING
> >
> > This message, including its attachments, is strictly intended for the
> > use of the individual or the entity to which it is addressed and
> > contains privileged and confidential information. Disclosure,
> > distribution or copy of this communication is strictly prohibited. If you
> are not the intended recipient please notify us immediately by returning the
> e-mail to the originator and deleting all copies.
> >

From chema at uniovi.es  Tue Feb 28 13:25:32 2012
From: chema at uniovi.es (chema)
Date: Tue, 28 Feb 2012 20:25:32 +0100
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <CAN90s0KQE5oYrDq0KpYvLUV_3YehgY4urLt9AJFSxc=U5cXY8Q@mail.gmail.com>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
	<58a97376cd4294110cca647e27253f5e@uniovi.es>
	<CAN90s0KQE5oYrDq0KpYvLUV_3YehgY4urLt9AJFSxc=U5cXY8Q@mail.gmail.com>
Message-ID: <c6c481abb29d14572198191d985b7fa2@uniovi.es>

 Hi, now i can?t remember exactly the differences between the two types. 
 Among others, it relates to the inner capabilities of the authentication 
 protocol.
 Keep in mind that is only used for authentication, which is protected 
 also by the wireless methods on the air (WPA, WPA2, etc). I don't think 
 it's a security hole. I mean, there are some protection layers in the 
 process. You must secure the air using something like WPA2, the channel 
 between the NAS and Radius using shared secrets, protected vlans, SSL 
 tunnels, the way between APs and NAS, and so ... PEAP protects the inner 
 authentication inside the other layers.

 On Tue, 28 Feb 2012 13:10:40 -0500, James wrote:
> Yes, setting the EAPTLS_PEAPVersion set to '0' seems to work.
>
> Does this result in any sort of "less secure" communications? What is
> the difference between the two PEAP draft versions?
>
> -james
>
>
> On Tue, Feb 28, 2012 at 13:06, chema <chema at uniovi.es> wrote:
>> ?Hi,
>>
>> ?Sometime ago, we had the same problem, and our solution was making 
>> this
>> ?change (EAPTLS_PEAPVersion to 0). We had no previous problems using
>> ?PAP/TTLS.
>> ?Hope you can solve this. Regards
>>
>> ?On Tue, 28 Feb 2012 17:48:53 +0000, Adam Bishop wrote:
>>> Hi,
>>>
>>> Try setting EAPTLS_PEAPVersion as 0 instead of 1 - been a while 
>>> since
>>> I wrote my configuration but I think that was the value that made 
>>> OS
>>> X
>>> and iOS clients work for me.
>>>
>>> Regards,
>>>
>>> Adam Bishop
>>>
>>> On 28 Feb 2012, at 17:38, James wrote:
>>>
>>>> All,
>>>>
>>>> I'm facing a pretty weird problem while trying to set up EAP
>>>> authentication. Windows and Linux devices seem to work fine 
>>>> without
>>>> issues -- the clients are prompted to authenticate, accept the
>>>> certificate, and then they're successfully auth'ed and hop onto 
>>>> the
>>>> wireless network.
>>>>
>>>> Apple products (OS X, iPad and iPod) seem to have a strange issue,
>>>> however: Radiator sends an Access-Accept, the client sees that
>>>> authentication was successful, but the client will disconnect and
>>>> then
>>>> reconnect ensuing in an authentication loop. Logs on OS X indicate
>>>> that authentication *IS* successful, but the operating system
>>>> eventually reports a timeout in the 4-way handshake.
>>>>
>>>> Here's the Radiator configuration:
>>>>
>>>> -->8--
>>>>
>>>> DefineFormattedGlobalVar ? ?ConfigDir ? /opt/radiator/config
>>>> LogDir ?/opt/radiator/logs
>>>> DbDir ? /opt/radiator/db
>>>> Trace ? 4
>>>> AuthPort 1645
>>>> AcctPort 1646
>>>> PidFile ?%L/wireless.pid
>>>> LogFile
>>>> <Log FILE>
>>>> ? ?Identifier radiatorLog
>>>> ? ?Filename %L/%d.%v.%Y/wireless.log
>>>> ? ?Trace ? 4
>>>> ? ?LogMicroseconds
>>>> </Log>
>>>> <Client DEFAULT>
>>>> ? ?Secret whatever
>>>> ? ?DupInterval 0
>>>> </Client>
>>>> <SessionDatabase NULL>
>>>> ? ?Identifier Null
>>>> </SessionDatabase>
>>>> <AuthLog FILE>
>>>> ? ?Identifier authLogger
>>>> ? ?Filename %L/%d.%v.%Y/wireless.auth
>>>> ? ?LogSuccess 1
>>>> ? ?LogFailure 1
>>>> ? ?SuccessFormat %q %v %e %Y @ %s (child process %O) -> AUTHORIZED
>>>> %T
>>>> request from %c (nas = %N) for user %U
>>>> ? ?FailureFormat %q %v %e %Y @ %s (child process %O) -> DENIED %T
>>>> request from %c (nas = %N) for user %U
>>>> </AuthLog>
>>>> include %{GlobalVar:ConfigDir}/auth.wireless
>>>> <Handler TunnelledByPEAP=1>
>>>> ? ?AuthBy dm-wifi
>>>> ? ?AuthLog authLogger
>>>> ? ?Log radiatorLog
>>>> ? ?AcctLogFileName %L/%d.%v.%Y/wireless.log
>>>> </Handler>
>>>> <Handler>
>>>> ? ?AuthBy eap-outer
>>>> ? ?AuthLog authLogger
>>>> ? ?Log radiatorLog
>>>> ? ?AcctLogFileName %L/%d.%v.%Y/wireless.log
>>>> </Handler>
>>>> <AuthBy NTLM>
>>>> ? ?Identifier dm-wifi
>>>> ? ?NtlmAuthProg /usr/bin/ntlm_auth 
>>>> ?--helper-protocol=ntlm-server-1
>>>> ? ?DefaultDomain DHE
>>>> ? ?EAPType MSCHAP-V2
>>>> </AuthBy>
>>>> <AuthBy FILE>
>>>> ? ?Identifier eap-outer
>>>> ? ?Filename %D/users
>>>> ? ?EAPType MSCHAP-V2,PEAP,FAST,TLS,TTLS
>>>> ? ?EAPTLS_CAFile %{GlobalVar:ConfigDir}/certs/duke.ca.cert
>>>> ? ?EAPTLS_CertificateFile
>>>> %{GlobalVar:ConfigDir}/certs/wifi-radius1.cert
>>>> ? ?EAPTLS_CertificateType PEM
>>>> ? ?EAPTLS_PrivateKeyFile
>>>> %{GlobalVar:ConfigDir}/certs/wifi-radius1.key
>>>> ? ?EAPTLS_PrivateKeyPassword whatever
>>>> ? ?EAPTLS_MaxFragmentSize 1000
>>>> ? ?AutoMPPEKeys
>>>> ? ?EAPTLS_PEAPVersion 1
>>>> </AuthBy>
>>>>
>>>> --8<--
>>>>
>>>> Tue Feb 28 12:27:59 2012 737876: DEBUG: Packet dump:
>>>> *** Received from 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Request
>>>> Identifier: 145
>>>> Authentic: ?ES<<16><147>F<136><228>l<229>#z<234><212><182><128>
>>>> Attributes:
>>>> ? ? ?User-Name = "testUser"
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?Airespace-WLAN-Id = 7
>>>> ? ? ?Service-Type = Framed-User
>>>> ? ? ?Framed-MTU = 1300
>>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>>> ? ? ?Tunnel-Type = 0:VLAN
>>>> ? ? ?Tunnel-Medium-Type = 0:802
>>>> ? ? ?Tunnel-Private-Group-ID = 924
>>>> ? ? ?EAP-Message = <2><9><0>+<25><1><23><3><1><0>
>>>>
>>>> 
>>>> |<195><27><180>;<16>F<128>"K<158><253>3<141><243>+<216><11><159><183><227><2>6rs<166>f<144><141><244><3><150>
>>>> ? ? ?Message-Authenticator =
>>>> <196><237><143><215><203><146>/v<170><219><21><233><214><29>"<193>
>>>>
>>>> Tue Feb 28 12:27:59 2012 738099: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 738216: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 738406: DEBUG: Handling with
>>>> Radius::AuthFILE: eap-outer
>>>> Tue Feb 28 12:27:59 2012 738611: DEBUG: Handling with EAP: code 2,
>>>> 9, 43, 25
>>>> Tue Feb 28 12:27:59 2012 738738: DEBUG: Response type 25
>>>> Tue Feb 28 12:27:59 2012 739078: DEBUG: EAP PEAP inner
>>>> authentication
>>>> request for anonymous
>>>> Tue Feb 28 12:27:59 2012 739300: DEBUG: PEAP Tunnelled request
>>>> Packet dump:
>>>> Code: ? ? ? Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: 
>>>> ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>>>> Attributes:
>>>> ? ? ?EAP-Message = <2><0><0><10><1>testUser
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?User-Name = "anonymous"
>>>>
>>>> Tue Feb 28 12:27:59 2012 739446: DEBUG: Handling request with
>>>> Handler
>>>> 'TunnelledByPEAP=1', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 739556: DEBUG: Handling request with
>>>> Handler
>>>> 'TunnelledByPEAP=1', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 739737: DEBUG: Handling with
>>>> Radius::AuthNTLM: dm-wifi
>>>> Tue Feb 28 12:27:59 2012 739910: DEBUG: Handling with EAP: code 2,
>>>> 0, 10, 1
>>>> Tue Feb 28 12:27:59 2012 740035: DEBUG: Response type 1
>>>> Tue Feb 28 12:27:59 2012 740206: DEBUG: EAP result: 3, EAP 
>>>> MSCHAP-V2
>>>> Challenge
>>>> Tue Feb 28 12:27:59 2012 740326: DEBUG: AuthBy NTLM result:
>>>> CHALLENGE,
>>>> EAP MSCHAP-V2 Challenge
>>>> Tue Feb 28 12:27:59 2012 740434: DEBUG: AuthBy NTLM result:
>>>> CHALLENGE,
>>>> EAP MSCHAP-V2 Challenge
>>>> Tue Feb 28 12:27:59 2012 740560: DEBUG: Access challenged for
>>>> anonymous: EAP MSCHAP-V2 Challenge
>>>> Tue Feb 28 12:27:59 2012 740680: DEBUG: Access challenged for
>>>> anonymous: EAP MSCHAP-V2 Challenge
>>>> Tue Feb 28 12:27:59 2012 740931: DEBUG: Returned PEAP tunnelled
>>>> packet dump:
>>>> Code: ? ? ? Access-Challenge
>>>> Identifier: UNDEF
>>>> Authentic: 
>>>> ?<199><244><220><211><14><18>.<159><18>B}<30><209><202>kr
>>>> Attributes:
>>>> ? ? ?EAP-Message =
>>>> 
>>>> <1><1><0>*<26><1><1><0>%<16><214><185><12><255>~v<196><242>]<176>QX<162><12><128>ywifi-radius-temp
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Tue Feb 28 12:27:59 2012 741140: DEBUG: EAP result: 3, EAP PEAP
>>>> inner
>>>> authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 741267: DEBUG: AuthBy FILE result:
>>>> CHALLENGE,
>>>> EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 741377: DEBUG: AuthBy FILE result:
>>>> CHALLENGE,
>>>> EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 741504: DEBUG: Access challenged for
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 741619: DEBUG: Access challenged for
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 741984: DEBUG: Packet dump:
>>>> *** Sending to 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Challenge
>>>> Identifier: 145
>>>> Authentic: 
>>>> ?+r<221>"<169>)<140><154>0<188><185><183><167><220>[<23>
>>>> Attributes:
>>>> ? ? ?EAP-Message =
>>>> 
>>>> <1><10><0>K<25><1><23><3><1><0>@5<212>O<151>\,I<180><210>>7<185>|<18><188>[<218>Y<148><144><231><173>w<180><138><218>c<225><160>=C]n<233><13><196>"o<242><11><165><198><18>&<215>]<242>M<151><159><145><140>'6D<163>a<177><183>W<170>)<129>T
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Tue Feb 28 12:27:59 2012 746317: DEBUG: Packet dump:
>>>> *** Received from 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Request
>>>> Identifier: 146
>>>> Authentic:
>>>> 
>>>> <28>2<198><208><212>(<13><254><13><162><148><227><134><229><246><201>
>>>> Attributes:
>>>> ? ? ?User-Name = "testUser"
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?Airespace-WLAN-Id = 7
>>>> ? ? ?Service-Type = Framed-User
>>>> ? ? ?Framed-MTU = 1300
>>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>>> ? ? ?Tunnel-Type = 0:VLAN
>>>> ? ? ?Tunnel-Medium-Type = 0:802
>>>> ? ? ?Tunnel-Private-Group-ID = 924
>>>> ? ? ?EAP-Message =
>>>> 
>>>> <2><10><0>k<25><1><23><3><1><0>`<229><182>~U<231>LL<224><11><25><145><2>v<140>y?y4<170><224>Q<24>8<169><158>f<184>&<165><166><147>%<253><143>/<224>D<160><202><131>
>>>>
>>>> 
>>>> <229><203>4<237><2><145>Z@<129><137>$<200><229><218><181><10><235><210><161><133>H!<28>F<205>?<173>:[<184>`<210>)<19><184><21><<187>A4<139><169>t<237>5<7><f<189>QY<195><209>D<141>
>>>> ? ? ?Message-Authenticator =
>>>> <30><<150><197>JcR<14><223>lY<161><24>w/<250>
>>>>
>>>> Tue Feb 28 12:27:59 2012 746562: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 746682: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 746872: DEBUG: Handling with
>>>> Radius::AuthFILE: eap-outer
>>>> Tue Feb 28 12:27:59 2012 747078: DEBUG: Handling with EAP: code 2,
>>>> 10, 107, 25
>>>> Tue Feb 28 12:27:59 2012 747210: DEBUG: Response type 25
>>>> Tue Feb 28 12:27:59 2012 747489: DEBUG: EAP PEAP inner
>>>> authentication
>>>> request for anonymous
>>>> Tue Feb 28 12:27:59 2012 747762: DEBUG: PEAP Tunnelled request
>>>> Packet dump:
>>>> Code: ? ? ? Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: 
>>>> ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>>>> Attributes:
>>>> ? ? ?EAP-Message =
>>>> 
>>>> <2><1><0>@<26><2><1><0>;1<190>b<188><197>3Q<236><201><196><174><137>l<16><223><224>h<0><0><0><0><0><0><0><0><232><133><210><161>Jr[<249><233><7><227>7<132><241>x<145>HE<217>=vu<21><233><0>testUser
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?User-Name = "anonymous"
>>>>
>>>> Tue Feb 28 12:27:59 2012 747906: DEBUG: Handling request with
>>>> Handler
>>>> 'TunnelledByPEAP=1', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 748018: DEBUG: Handling request with
>>>> Handler
>>>> 'TunnelledByPEAP=1', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 748192: DEBUG: Handling with
>>>> Radius::AuthNTLM: dm-wifi
>>>> Tue Feb 28 12:27:59 2012 748362: DEBUG: Handling with EAP: code 2,
>>>> 1, 64, 26
>>>> Tue Feb 28 12:27:59 2012 748490: DEBUG: Response type 26
>>>> Tue Feb 28 12:27:59 2012 748661: DEBUG: Radius::AuthNTLM looks for
>>>> match with testUser [anonymous]
>>>> Tue Feb 28 12:27:59 2012 748801: DEBUG: Radius::AuthNTLM ACCEPT: :
>>>> testUser [anonymous]
>>>> Tue Feb 28 12:27:59 2012 749086: DEBUG: Passing attribute
>>>> Request-User-Session-Key: Yes
>>>> Tue Feb 28 12:27:59 2012 749251: DEBUG: Passing attribute
>>>> Request-LanMan-Session-Key: Yes
>>>> Tue Feb 28 12:27:59 2012 749395: DEBUG: Passing attribute
>>>> LANMAN-Challenge: some-challenge
>>>> Tue Feb 28 12:27:59 2012 749542: DEBUG: Passing attribute
>>>> NT-Response:
>>>> some-response
>>>> Tue Feb 28 12:27:59 2012 749687: DEBUG: Passing attribute
>>>> NT-Domain::
>>>> some-domain
>>>> Tue Feb 28 12:27:59 2012 749832: DEBUG: Passing attribute 
>>>> Username::
>>>> some-username
>>>> Tue Feb 28 12:27:59 2012 754539: DEBUG: Received attribute:
>>>> Authenticated: Yes
>>>> Tue Feb 28 12:27:59 2012 754685: DEBUG: Received attribute:
>>>> User-Session-Key: session-key
>>>> Tue Feb 28 12:27:59 2012 754809: DEBUG: Received attribute: .
>>>> Tue Feb 28 12:27:59 2012 755114: DEBUG: EAP result: 3, EAP MSCHAP 
>>>> V2
>>>> Challenge: Success
>>>> Tue Feb 28 12:27:59 2012 755241: DEBUG: AuthBy NTLM result:
>>>> CHALLENGE,
>>>> EAP MSCHAP V2 Challenge: Success
>>>> Tue Feb 28 12:27:59 2012 755351: DEBUG: AuthBy NTLM result:
>>>> CHALLENGE,
>>>> EAP MSCHAP V2 Challenge: Success
>>>> Tue Feb 28 12:27:59 2012 755478: DEBUG: Access challenged for
>>>> anonymous: EAP MSCHAP V2 Challenge: Success
>>>> Tue Feb 28 12:27:59 2012 755588: DEBUG: Access challenged for
>>>> anonymous: EAP MSCHAP V2 Challenge: Success
>>>> Tue Feb 28 12:27:59 2012 755815: DEBUG: Returned PEAP tunnelled
>>>> packet dump:
>>>> Code: ? ? ? Access-Challenge
>>>> Identifier: UNDEF
>>>> Authentic: 
>>>> ?<30>7<160><153><167><133>'<151>KG<136><213>u<30><242><3>
>>>> Attributes:
>>>> ? ? ?EAP-Message =
>>>> <1><2><0>=<26><3><1><0>8S=537886D34156194318425B12CE9ED8969124063C
>>>> M=success
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Tue Feb 28 12:27:59 2012 756011: DEBUG: EAP result: 3, EAP PEAP
>>>> inner
>>>> authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 756137: DEBUG: AuthBy FILE result:
>>>> CHALLENGE,
>>>> EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 756247: DEBUG: AuthBy FILE result:
>>>> CHALLENGE,
>>>> EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 756374: DEBUG: Access challenged for
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 756485: DEBUG: Access challenged for
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 756882: DEBUG: Packet dump:
>>>> *** Sending to 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Challenge
>>>> Identifier: 146
>>>> Authentic: ?.<152>4<150><245><134>JV<14><147><241><182><18>}$<26>
>>>> Attributes:
>>>> ? ? ?EAP-Message =
>>>> 
>>>> <1><11><0>k<25><1><23><3><1><0>`<215>8]<183>m<197>N<250>kl<10><179>y><178><137><183>v<233><<255>{<177>r<207><186><1><9>*<142><207>Rl<31><173><25><237>%*<151><219>ts<16>H<218><169><10><252>eY<245>+<245><213><157>b<202><207><147><237><156>i<15><253><175><204><16><167><239>e<198><175><228>X<175><180><150><184>s<179>4<146>&w<20><203><175><16><155>*<162><133><224><129>-
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Tue Feb 28 12:27:59 2012 760841: DEBUG: Packet dump:
>>>> *** Received from 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Request
>>>> Identifier: 147
>>>> Authentic:
>>>> <219><222>T<233><179><159><5>S<22><172><227><160><206>l<162>G
>>>> Attributes:
>>>> ? ? ?User-Name = "testUser"
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?Airespace-WLAN-Id = 7
>>>> ? ? ?Service-Type = Framed-User
>>>> ? ? ?Framed-MTU = 1300
>>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>>> ? ? ?Tunnel-Type = 0:VLAN
>>>> ? ? ?Tunnel-Medium-Type = 0:802
>>>> ? ? ?Tunnel-Private-Group-ID = 924
>>>> ? ? ?EAP-Message = <2><11><0>+<25><1><23><3><1><0>
>>>>
>>>> 
>>>> <12><177><248><244><30><235>n_<205><245>@/<3><224>$Ov$<237><138>+R<245><167>>/<27><134><201>v1<128>
>>>> ? ? ?Message-Authenticator =
>>>> <249>=<217><165><5><31>|<7><149>]<201><180><209><187><234><175>
>>>>
>>>> Tue Feb 28 12:27:59 2012 761081: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 761204: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 761434: DEBUG: Handling with
>>>> Radius::AuthFILE: eap-outer
>>>> Tue Feb 28 12:27:59 2012 761631: DEBUG: Handling with EAP: code 2,
>>>> 11, 43, 25
>>>> Tue Feb 28 12:27:59 2012 761761: DEBUG: Response type 25
>>>> Tue Feb 28 12:27:59 2012 762048: DEBUG: EAP PEAP inner
>>>> authentication
>>>> request for anonymous
>>>> Tue Feb 28 12:27:59 2012 762274: DEBUG: PEAP Tunnelled request
>>>> Packet dump:
>>>> Code: ? ? ? Access-Request
>>>> Identifier: UNDEF
>>>> Authentic:
>>>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>>>> Attributes:
>>>> ? ? ?EAP-Message = <2><2><0><6><26><3>
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?User-Name = "anonymous"
>>>>
>>>> Tue Feb 28 12:27:59 2012 762416: DEBUG: Handling request with
>>>> Handler
>>>> 'TunnelledByPEAP=1', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 762614: DEBUG: Handling request with
>>>> Handler
>>>> 'TunnelledByPEAP=1', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 762809: DEBUG: Handling with
>>>> Radius::AuthNTLM: dm-wifi
>>>> Tue Feb 28 12:27:59 2012 762984: DEBUG: Handling with EAP: code 2,
>>>> 2, 6, 26
>>>> Tue Feb 28 12:27:59 2012 763143: DEBUG: Response type 26
>>>> Tue Feb 28 12:27:59 2012 763319: DEBUG: EAP result: 0,
>>>> Tue Feb 28 12:27:59 2012 763440: DEBUG: AuthBy NTLM result: 
>>>> ACCEPT,
>>>> Tue Feb 28 12:27:59 2012 763548: DEBUG: AuthBy NTLM result: 
>>>> ACCEPT,
>>>> Tue Feb 28 12:27:59 2012 763677: DEBUG: Access accepted for
>>>> anonymous
>>>> Tue Feb 28 12:27:59 2012 763788: DEBUG: Access accepted for
>>>> anonymous
>>>> Tue Feb 28 12:27:59 2012 764183: DEBUG: Returned PEAP tunnelled
>>>> packet dump:
>>>> Code: ? ? ? Access-Accept
>>>> Identifier: UNDEF
>>>> Authentic:
>>>> <162><242><137><247><165><197>\<<169><158>L<188>5<1>f<246>
>>>> Attributes:
>>>> ? ? ?EAP-Message = <3><2><0><4>
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Tue Feb 28 12:27:59 2012 764406: DEBUG: EAP result: 3, EAP PEAP
>>>> inner
>>>> authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 764535: DEBUG: AuthBy FILE result:
>>>> CHALLENGE,
>>>> EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 764659: DEBUG: AuthBy FILE result:
>>>> CHALLENGE,
>>>> EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 764791: DEBUG: Access challenged for
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 764905: DEBUG: Access challenged for
>>>> testUser: EAP PEAP inner authentication redispatched to a Handler
>>>> Tue Feb 28 12:27:59 2012 765255: DEBUG: Packet dump:
>>>> *** Sending to 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Challenge
>>>> Identifier: 147
>>>> Authentic:
>>>> <241>:\<176><204><154>`O<196><183><201><153><173><8><247><136>
>>>> Attributes:
>>>> ? ? ?EAP-Message = <1><12><0>+<25><1><23><3><1><0>
>>>>
>>>> 
>>>> @l<31><147>[<223><1>`<236><233>~<226><189><208><215>@X<248>a<210><160><213>-<8>].s<148><226><245><217><26>
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Tue Feb 28 12:27:59 2012 769812: DEBUG: Packet dump:
>>>> *** Received from 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Request
>>>> Identifier: 148
>>>> Authentic: 
>>>> ?<191><247><200>F<176>Q<229>!<235>P<254>g<187><229><228>t
>>>> Attributes:
>>>> ? ? ?User-Name = "testUser"
>>>> ? ? ?Calling-Station-Id = "b3-dd-ae-87-22-b3"
>>>> ? ? ?Called-Station-Id = "bb-3d-b3-ae-00-b0:test"
>>>> ? ? ?NAS-Port = 29
>>>> ? ? ?cisco-avpair = "audit-session-id=0abff816000000f84f4d0bcd"
>>>> ? ? ?NAS-IP-Address = 10.11.55.232
>>>> ? ? ?NAS-Identifier = "cisco-wism"
>>>> ? ? ?Airespace-WLAN-Id = 7
>>>> ? ? ?Service-Type = Framed-User
>>>> ? ? ?Framed-MTU = 1300
>>>> ? ? ?NAS-Port-Type = Wireless-IEEE-802-11
>>>> ? ? ?Tunnel-Type = 0:VLAN
>>>> ? ? ?Tunnel-Medium-Type = 0:802
>>>> ? ? ?Tunnel-Private-Group-ID = 924
>>>> ? ? ?EAP-Message = <2><12><0>+<25><1><23><3><1><0>
>>>>
>>>> 
>>>> c<231><169>g(<173><133><225><149>{<193><185><201><139>2<160><20><169>I<253><145><173>)<226>B<22><29>G<222>`6<183>
>>>> ? ? ?Message-Authenticator =
>>>> (<217><144>3I<171><10><194><28><15><8><18><242><139><198>W
>>>>
>>>> Tue Feb 28 12:27:59 2012 770148: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 770331: DEBUG: Handling request with
>>>> Handler
>>>> '', Identifier ''
>>>> Tue Feb 28 12:27:59 2012 770707: DEBUG: Handling with
>>>> Radius::AuthFILE: eap-outer
>>>> Tue Feb 28 12:27:59 2012 770989: DEBUG: Handling with EAP: code 2,
>>>> 12, 43, 25
>>>> Tue Feb 28 12:27:59 2012 771224: DEBUG: Response type 25
>>>> Tue Feb 28 12:27:59 2012 771782: DEBUG: EAP result: 0,
>>>> Tue Feb 28 12:27:59 2012 771975: DEBUG: AuthBy FILE result: 
>>>> ACCEPT,
>>>> Tue Feb 28 12:27:59 2012 772145: DEBUG: AuthBy FILE result: 
>>>> ACCEPT,
>>>> Tue Feb 28 12:27:59 2012 772338: DEBUG: Access accepted for 
>>>> testUser
>>>> Tue Feb 28 12:27:59 2012 772508: DEBUG: Access accepted for 
>>>> testUser
>>>> Tue Feb 28 12:27:59 2012 773368: DEBUG: Packet dump:
>>>> *** Sending to 10.11.55.232 port 32768 ....
>>>> Code: ? ? ? Access-Accept
>>>> Identifier: 148
>>>> Authentic: ?C<196><31><206><169>bF<220>j<237>K<1><183>+c<4>
>>>> Attributes:
>>>> ? ? ?EAP-Message = <3><12><0><4>
>>>> ? ? ?Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>> ? ? ?MS-MPPE-Send-Key =
>>>>
>>>> 
>>>> <131>9<217>1<158><174><131>q><23>)<182><132>*<175><161>><26>I<187><143>t<217><26><245><14>;<167>%;W<200>
>>>> ? ? ?MS-MPPE-Recv-Key =
>>>>
>>>> 
>>>> <193>$B<0>sn"<10><190>_U<221>1<173>#<153><7><198>+5<188>}<200>F<251>|^<230><218>G)<175>
>>>>
>>>> -->8--
>>>>
>>>> Thoughts on what may be happening? I can't seem to find anything 
>>>> on
>>>> the web about this, but I'm also hard-pressed to believe we're the
>>>> only folks that have run into this. The client simply refuses to
>>>> connect. It's worth noting that OS X indicates the client is
>>>> "connected" with a self-assigned 169.x.x.x IP address, but the 
>>>> logs
>>>> really indicate that en1 (the wireless interface) continues to go
>>>> up/down and re-attempt authentication.
>>>>
>>>> Any help would be greatly appreciated.
>>>>
>>>> -james
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>> JANET(UK) is a trading name of The JNT Association, a company 
>>> limited
>>> by guarantee which is registered in England under No. 2881024
>>> and whose Registered Office is at Lumen House, Library Avenue,
>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator


From A.L.M.Buxey at lboro.ac.uk  Tue Feb 28 13:58:13 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 28 Feb 2012 19:58:13 +0000
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <c6c481abb29d14572198191d985b7fa2@uniovi.es>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
	<58a97376cd4294110cca647e27253f5e@uniovi.es>
	<CAN90s0KQE5oYrDq0KpYvLUV_3YehgY4urLt9AJFSxc=U5cXY8Q@mail.gmail.com>
	<c6c481abb29d14572198191d985b7fa2@uniovi.es>
Message-ID: <20120228195813.GB20570@lboro.ac.uk>

Hi,

PEAPv0 is the standard method that everyone uses that was created by RSA/Microsoft/Cisco
(I think Intel had some say as well...but cant recall)

its the usual one in almost all clients when you choose 'PEAP'

Cisco went ahead to 'fix' things and, using GTC as the inner method helped
push for the adoption of PEAPv1 (probably because of the LEAP issues....)

the 2 are different beasts and almost everyone will only ever need
PEAPv0 - PEAPv1 is a very rare beast..rarer than PEAPv2 ;-)

if you really want to know the differences the RFCs are free to read...
some people spend their evenings reading such things...i personally
dont find them that thrilling ;-)

alan


From A.L.M.Buxey at lboro.ac.uk  Tue Feb 28 14:02:38 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 28 Feb 2012 20:02:38 +0000
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>
	<CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>
Message-ID: <20120228200238.GD20570@lboro.ac.uk>

Hi,
> Thanks for the response.
> 
> I'm not sure how to determine that; can you give me a nudge in the
> right direction?

you can use the 'openssl' tool to view your certificates details eg

openssl x509 -in yourcert.der -text -noout  (or such...) 

alan

From purevbat at telemax.mn  Tue Feb 28 19:07:57 2012
From: purevbat at telemax.mn (Purevbat. Ya)
Date: Wed, 29 Feb 2012 09:07:57 +0800
Subject: [RADIATOR]  Eap ttls/mschapv2 & MySQL
In-Reply-To: <20120228200238.GD20570@lboro.ac.uk>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>	<CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>
	<20120228200238.GD20570@lboro.ac.uk>
Message-ID: <001801ccf67e$92aa2c80$b7fe8580$@mn>

Hi,

 

I currently have an evaluation license of Radiator RADIUS server.

And I would like to use it on Wimax 16e, EAP-TTLS/MSCHAPv2 and MySQL.

Don't understand where to begin a configuration.

All I have is old RADIUS server's DB and configuration. (aradial aaa)

In my opinion I should have select auth type as eap-ttls/mschapv2 somewhere and then modify DB configuration. DB including user info & accounting log info. I don?t know how to configure every table fields into a radiator configuration.

Your support much appreciated.

Tnx.

 

 

BR,

Puje

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120229/220e269f/attachment.html 

From purevbat at telemax.mn  Tue Feb 28 19:34:08 2012
From: purevbat at telemax.mn (Purevbat. Ya)
Date: Wed, 29 Feb 2012 09:34:08 +0800
Subject: [RADIATOR] Eap ttls/mschapv2 & MySQL
In-Reply-To: <001801ccf67e$92aa2c80$b7fe8580$@mn>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>	<CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>	<20120228200238.GD20570@lboro.ac.uk>
	<001801ccf67e$92aa2c80$b7fe8580$@mn>
Message-ID: <002601ccf682$3b1d5060$b157f120$@mn>

Hi,


Forgot to mention I?ve followed  <http://www.open.com.au/radiator/install-demo.html> http://www.open.com.au/radiator/install-demo.html Section ?Windows installation with XAMPP?  all went good up to step 11. Now need more configuration J


BR,

Puje

 

From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Purevbat. Ya
Sent: Wednesday, February 29, 2012 9:08 AM
To: radiator at open.com.au
Subject: [RADIATOR] Eap ttls/mschapv2 & MySQL

 

Hi,

 

I currently have an evaluation license of Radiator RADIUS server.

And I would like to use it on Wimax 16e, EAP-TTLS/MSCHAPv2 and MySQL.

Don't understand where to begin a configuration.

All I have is old RADIUS server's DB and configuration. (aradial aaa)

In my opinion I should have select auth type as eap-ttls/mschapv2 somewhere and then modify DB configuration. DB including user info & accounting log info. I don?t know how to configure every table fields into a radiator configuration.

Your support much appreciated.

Tnx.

 

 

BR,

Puje

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120229/9995553d/attachment.html 

From purevbat at telemax.mn  Tue Feb 28 21:11:19 2012
From: purevbat at telemax.mn (Purevbat. Ya)
Date: Wed, 29 Feb 2012 11:11:19 +0800
Subject: [RADIATOR] Eap ttls/mschapv2 & MySQL
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>	<CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>	<20120228200238.GD20570@lboro.ac.uk>
	<001801ccf67e$92aa2c80$b7fe8580$@mn> 
Message-ID: <004001ccf68f$ce8ac960$6ba05c20$@mn>

Hi,


Forgot to mention I?ve followed  <http://www.open.com.au/radiator/install-demo.html> http://www.open.com.au/radiator/install-demo.html Section ?Windows installation with XAMPP?  all went good up to step 11. 


Now need more configuration J, Reading Goodies.


BR,

Puje

 

From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Purevbat. Ya
Sent: Wednesday, February 29, 2012 9:08 AM
To: radiator at open.com.au
Subject: [RADIATOR] Eap ttls/mschapv2 & MySQL

 

Hi,

 

I currently have an evaluation license of Radiator RADIUS server.

And I would like to use it on Wimax 16e, EAP-TTLS/MSCHAPv2 and MySQL.

Don't understand where to begin a configuration.

All I have is old RADIUS server's DB and configuration. (aradial aaa)

In my opinion I should have select auth type as eap-ttls/mschapv2 somewhere and then modify DB configuration. DB including user info & accounting log info. I don?t know how to configure every table fields into a radiator configuration.

Your support much appreciated.

Tnx.

 

 

BR,

Puje

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120229/9752371a/attachment-0001.html 

From hvn at open.com.au  Wed Feb 29 15:28:03 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 29 Feb 2012 23:28:03 +0200
Subject: [RADIATOR] ERROR:  invalid byte sequence for encoding "UTF8"
In-Reply-To: <CB72B4FD.9823%traiano.welcome@mtnbusiness.co.za>
References: <CB72B4FD.9823%traiano.welcome@mtnbusiness.co.za>
Message-ID: <4F4E9863.9070304@open.com.au>

On 02/28/2012 04:44 PM, Traiano Welcome wrote:

> Recently, I've begun seeing the following error message in my radius logs
> at the point where radius accounting packet data is inserted to the
> postgresql database I'm using with radiator 4.9:
> 
> ---
> ERROR: invalid byte sequence for encoding "UTF8": 0x9e
> HINT: This error can also happen if the byte sequence does not match the
> encoding expected by the server, which is controlled by "client_encoding".

I have seen that too. In your case it seems to be that calledstationid
is probably of type text or varchar, and a binary value was received and
then tried to be inserted in the database.

http://tools.ietf.org/html/rfc2865#section-5.30

The RFC recommends UTF-8, so it might be possible to configure the NAS
to send a string instead of binary.

It this is a problem with a certain client, then a ClientHook can be
used to rewrite Called-Station-Id to a value accepted by the database.

I'd say this is very rare. I have only seen strings in Called-Station-Id
attributes so far.

Heikki


> It appears that strings based on a non-UTF8 character set are being
> included in the radius accounting data and sent on to my radius server by
> the NAS (an ACME SBC appliance).
> 
> Below is a more complete segment of a sample log:
> 
> ---
> Tue Feb 28 10:44:30 2012: DEBUG: Handling request with Handler
> 'NAS-Identifier=/^TRAITECH-.*$/', Identifier ''
> Tue Feb 28 10:44:30 2012: DEBUG:  Adding session for , 127.0.0.100, 5060
> Tue Feb 28 10:44:30 2012: DEBUG: Handling with Radius::AuthSQL:
> Tue Feb 28 10:44:30 2012: DEBUG: Handling accounting with Radius::AuthSQL
> 
> Tue Feb 28 10:44:30 2012: DEBUG: do query is: 'insert into acmevoiprecords
> (calledstationid,callingstationid,egresscallid,ingresscallid,nasidentifier,
> nasipaddress,sessionegresscallid,sessionforkedcallid,sessiongenericid,sessi
> oningresscallid,sessionprotocoltype,statustype,timestamp) values
> ('<9e>^N^F','Matroos,16319
> <sip:0873116319 at 172.32.0.61>;tag=9tBN868U1B42S^^
> ','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','23c4e3e9-dc8b-122f-088a-5cf3fc962
> edc','TRAITECH-DBN-VPR','127.0.0.100','23c4e3e9-dc8b-122f-088a-5cf3fc962edc
> ','','','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','SIP','Stop','1330418670')':
> 
> Tue Feb 28 10:44:30 2012: DEBUG: do query is: 'insert into acmevoiprecords
> (calledstationid,callingstationid,cdrsequencenumber,connecttime,customvsa20
> 0,customvsa201,customvsa202,customvsa203,customvsa204,customvsa205,customvs
> a206,customvsa207,customvsa208,customvsa209,customvsa210,customvsa211,custo
> mvsa212,customvsa213,customvsa214,customvsa215,customvsa216,customvsa217,cu
> stomvsa218,customvsa219,customvsa220,customvsa221,customvsa222,customvsa223
> ,customvsa224,customvsa225,customvsa226,customvsa227,customvsa228,customvsa
> 229,customvsa230,egresscallid,egressfinalroutingnumber,egresslocaladdr,egre
> ssnetworkinterfaceid,egressremoteaddr,egressvlantagvalue,firmwareversion,fl
> owindstaddr,flowinsrcaddr,flowoutdstaddr,flowoutsrcaddr,ingresscallid,ingre
> sslocaladdr,ingressnetworkinterfaceid,ingressrealm,ingressremoteaddr,ingres
> svlantagvalue,localtimezone,nasidentifier,nasipaddress,originatingtrunkcont
> ext,originatingtrunkgroup,passertedid,postdialdelay,primaryroutingnumber,se
> ssionchargingvector,sessionegresscallid,sessionegressrealm,sessionegressrph
> ,sessionforkedcallid,sessiongenericid,sessioningresscallid,sessioningressre
> alm,sessioningressrph,sessionprotocoltype,setuptime,sipdiversion,statustype
> ,terminatingtrunkcontext,terminatingtrunkgroup,timestamp) values
> ('<sip:+27838781684 at 192.168.0.236>','"+2721113641"
> <sip:+2721113641 at 192.168.0.38>;tag=as6b537178',10019633,'00:00:00.000 SAST
> JAN 01 
> 1970','','','','','','','','','','','','','','','','','','','','','','','',
> '','','','','','','','','4e25d24c4df4a88c57d0ed281ca3a638 at 192.168.0.38','',
> '0.0.0.0:0','','0.0.0.0:0','0','SCX6.2.0 MR-3 Patch 1 (Build
> 642)','0.0.0.0','0.0.0.0','0.0.0.0','0.0.0.0','4e25d24c4df4a88c57d0ed281ca3
> a638 at 192.168.0.38','192.168.0.236:5060','t3p-in0_0','t3_ecn','192.168.0.33:
> 5060','2027','GMT+02:00','TRAITECH-DBN-VPR','127.0.0.100','','','','0','sip
> :+27838781684 at 192.168.0.236','','4e25d24c4df4a88c57d0ed281ca3a638 at 192.168.0
> .38','','','','','4e25d24c4df4a88c57d0ed281ca3a638 at 192.168.0.38','t3_ecn','
> ','SIP','10:44:18.607 SAST FEB 28 2012','','Start','','','1330418670')':
> 
> Tue Feb 28 10:44:30 2012: ERR: do failed for 'insert into acmevoiprecords
> (calledstationid,callingstationid,egresscallid,ingresscallid,nasidentifier,
> nasipaddress,sessionegresscallid,sessionforkedcallid,sessiongenericid,sessi
> oningresscallid,sessionprotocoltype,statustype,timestamp) values
> ('<9e>^N^F','Matroos,16319
> <sip:0873116319 at 172.32.0.61>;tag=9tBN868U1B42S^^
> ','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','23c4e3e9-dc8b-122f-088a-5cf3fc962
> edc','TRAITECH-DBN-VPR','127.0.0.100','23c4e3e9-dc8b-122f-088a-5cf3fc962edc
> ','','','23c4e3e9-dc8b-122f-088a-5cf3fc962edc','SIP','Stop','1330418670')':
>  ERROR:  invalid byte sequence for encoding "UTF8": 0x9e
> 
> HINT:  This error can also happen if the byte sequence does not match the
> encoding expected by the server, which is controlled by "client_encoding".
> 
> Tue Feb 28 10:44:30 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Tue Feb 28 10:44:30 2012: DEBUG: Accounting accepted
> Tue Feb 28 10:44:30 2012: DEBUG: Packet dump:
> 
> *** Received from 192.168.93.3 port 1098 ....
> ----
> 
> 
> 
> Has anyone encountered this issue before ? Would this be something I
> should have fixed on the NAS end of things, or is there some way to work
> around it in Radiator or in my  postgresql database configuration?
> 	
> 
> Thanks in advance,
> Traiano
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Wed Feb 29 15:48:17 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 29 Feb 2012 23:48:17 +0200
Subject: [RADIATOR] eap + apple products - failed auth
In-Reply-To: <20120228195813.GB20570@lboro.ac.uk>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>
	<EC509E20-3C39-4379-B3B3-96928B49083C@ja.net>
	<58a97376cd4294110cca647e27253f5e@uniovi.es>
	<CAN90s0KQE5oYrDq0KpYvLUV_3YehgY4urLt9AJFSxc=U5cXY8Q@mail.gmail.com>
	<c6c481abb29d14572198191d985b7fa2@uniovi.es>
	<20120228195813.GB20570@lboro.ac.uk>
Message-ID: <4F4E9D21.1010202@open.com.au>

On 02/28/2012 09:58 PM, Alan Buxey wrote:

> PEAPv0 is the standard method that everyone uses that was created by RSA/Microsoft/Cisco
> (I think Intel had some say as well...but cant recall)
> 
> its the usual one in almost all clients when you choose 'PEAP'
> 
> Cisco went ahead to 'fix' things and, using GTC as the inner method helped
> push for the adoption of PEAPv1 (probably because of the LEAP issues....)
> 
> the 2 are different beasts and almost everyone will only ever need
> PEAPv0 - PEAPv1 is a very rare beast..rarer than PEAPv2 ;-)
> 
> if you really want to know the differences the RFCs are free to read...
> some people spend their evenings reading such things...i personally
> dont find them that thrilling ;-)

Good summary about the different versions. I think part of the problem
is there is no PEAP RFC. There are a number of internet-drafts, but none
made it to RFC. For example:

http://tools.ietf.org/html/draft-kamath-pppext-peapv0-00

and these 10 drafts that go up to version 2:

http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap


Microsoft seems to maintain PEAP these days:
http://msdn.microsoft.com/en-us/library/cc238354%28v=prot.13%29.aspx

This PEAP document is frequently updated and has text about version
negotiation but uses 0 for its own version.

In summary: there are multiple documents with different versions, but
version 0 seems to work the best among all implementations. Especially
Macs do not like version 1.

Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

From hvn at open.com.au  Wed Feb 29 15:53:06 2012
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 29 Feb 2012 23:53:06 +0200
Subject: [RADIATOR] Eap ttls/mschapv2 & MySQL
In-Reply-To: <002601ccf682$3b1d5060$b157f120$@mn>
References: <CAN90s0JaTL_c_Av-MU50yMP=9PEoJ4pjk7GgT0zakqqA60cm8w@mail.gmail.com>	<504530040EFFF7429CE24A0AF04FF21DD15E919B05@GJCEXCH.groupe.jeancoutu.com>	<CAN90s0L-+hM2C8bffX4GhByCW8TCrHojdn+G4iq-kHdSv+QsJg@mail.gmail.com>	<20120228200238.GD20570@lboro.ac.uk>
	<001801ccf67e$92aa2c80$b7fe8580$@mn>
	<002601ccf682$3b1d5060$b157f120$@mn>
Message-ID: <4F4E9E42.1020207@open.com.au>

On 02/29/2012 03:34 AM, Purevbat. Ya wrote:

>     Forgot to mention I?ve followed
>     http://www.open.com.au/radiator/install-demo.html Section ?Windows
>     installation with XAMPP?  all went good up to step 11. Now need more
>     configuration J

For configuration examples see goodies/README for an index of
configuration examples and other related files. Studying them with the
reference manual, see doc/ref.pdf, will get you started.

Thanks!
Heikk


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.