<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hello, <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We are having an issue with a recent upgrade. We went from 4.2 to 4.6. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We upgraded one of the servers that primarily handled the accounting and then tested to make sure clients were authenticating ok. Once that was verified, we shut down the Authentication server and allowed the clients to fail over to the server running the new version. That is when we started seeing errors in the logs.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A google search did not yield any results that explained these errors to our satisfaction.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Our current config is attached and some of the errors are below.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:31 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:32 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.<o:p></o:p></p><p class=MsoNormal><o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:32 2010: ERR: Could not load EAP module Radius::EAP_152: Can't locate Radius/EAP_152.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 359) line 3.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:32 2010: INFO: Access rejected for domain\username: Unsupported EAP Request 152<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:32 2010: INFO: Duplicate request id 29 received from 10.24.97.21(32770): ignored<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:37 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.<o:p></o:p></p><p class=MsoNormal><o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 437) line 3.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:40 2010: INFO: Access rejected for anonymous: Unsupported EAP Request 11<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:40 2010: ERR: EAP TLS error: -1, 1, 8465, 2004: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/d-m0: EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 440) line 3.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/chp-DQD5WF1.domain.local: Unsupported EAP Request 11<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:24:55 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 10:25:08 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 12:24:18 2010: ERR: EAP TLS error: -1, 1, 8465, 3256: 1 - error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early<o:p></o:p></p><p class=MsoNormal><span style='color:red'>Then we restarted at trace 4:<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 11:02:27 2010: DEBUG: Creating accounting port 0.0.0.0:1813<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 11:02:27 2010: NOTICE: Server started: Radiator 4.6 on radauth4<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>*** Received from 10.24.97.13 port 32770 ....<o:p></o:p></p><p class=MsoNormal>Code: Access-Request<o:p></o:p></p><p class=MsoNormal>Identifier: 192<o:p></o:p></p><p class=MsoNormal>Authentic: <232><13>5S<151><174>z<203><146>~<220><202><206>u<127><218><o:p></o:p></p><p class=MsoNormal>Attributes:<o:p></o:p></p><p class=MsoNormal> User-Name = "domain\username"<o:p></o:p></p><p class=MsoNormal> Calling-Station-Id = "0010.7a72.3b64"<o:p></o:p></p><p class=MsoNormal> Called-Station-Id = "0024.c48d.5910:devnet"<o:p></o:p></p><p class=MsoNormal> NAS-Port = 29<o:p></o:p></p><p class=MsoNormal> NAS-IP-Address = 10.24.97.13<o:p></o:p></p><p class=MsoNormal> NAS-Identifier = "wism3a"<o:p></o:p></p><p class=MsoNormal> Airespace-WLAN-Id = 6<o:p></o:p></p><p class=MsoNormal> Service-Type = Framed-User<o:p></o:p></p><p class=MsoNormal> Framed-MTU = 1300<o:p></o:p></p><p class=MsoNormal> NAS-Port-Type = Wireless-IEEE-802-11<o:p></o:p></p><p class=MsoNormal> Tunnel-Type = 0:VLAN<o:p></o:p></p><p class=MsoNormal> Tunnel-Medium-Type = 0:802<o:p></o:p></p><p class=MsoNormal> Tunnel-Private-Group-ID = 256<o:p></o:p></p><p class=MsoNormal> EAP-Message = <2><8><0>P<25><0><23><3><1><0><24><214><15><169><192>_\<15><167>O<6>A<153>ws<1>2<183><194><132><21><131><235><173><194><23><3><1><0>(<249><247><131><209>Mw<127>d<143><247><6><190><158><157><183><224>%<211><4>e<150><191>=<13><132>]<197><153><147>\<149><137><235><193>AWH<31><254>[<o:p></o:p></p><p class=MsoNormal> Message-Authenticator = <239><177>_<203><185>_<246><205>~<167>1Y<211><130><169>i<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan,Called-Station-Id=/devnet/i'<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: Deleting session for domain\username, 10.24.97.13, 29<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: Handling with Radius::AuthFILE: <o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: Handling with EAP: code 2, 8, 80, 25<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: Response type 25<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: ERR: EAP TLS error: -1, 1, 8465, 1684: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: EAP result: 1, EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: INFO: Access rejected for domain\username: EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:06 2010: DEBUG: Packet dump:<o:p></o:p></p><p class=MsoNormal>*** Sending to 10.24.97.13 port 32770 ....<o:p></o:p></p><p class=MsoNormal>Code: Access-Reject<o:p></o:p></p><p class=MsoNormal>Identifier: 192<o:p></o:p></p><p class=MsoNormal>Authentic: <186>G<12>%<212>lr<14><10><199>y<251>hz<1><27><o:p></o:p></p><p class=MsoNormal>Attributes:<o:p></o:p></p><p class=MsoNormal> EAP-Message = <4><8><0><4><o:p></o:p></p><p class=MsoNormal> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><o:p></o:p></p><p class=MsoNormal> Reply-Message = "Request Denied<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>*** Received from 10.24.97.22 port 32770 ....<o:p></o:p></p><p class=MsoNormal>Code: Access-Request<o:p></o:p></p><p class=MsoNormal>Identifier: 223<o:p></o:p></p><p class=MsoNormal>Authentic: <142><2><190><146><208>Ak<186><5><232>^<252><177>,@"<o:p></o:p></p><p class=MsoNormal>Attributes:<o:p></o:p></p><p class=MsoNormal> User-Name = "username"<o:p></o:p></p><p class=MsoNormal> Calling-Station-Id = "d49a.20a0.9ae4"<o:p></o:p></p><p class=MsoNormal> Called-Station-Id = "0013.60dc.9d60:muscsecure"<o:p></o:p></p><p class=MsoNormal> NAS-Port = 29<o:p></o:p></p><p class=MsoNormal> NAS-IP-Address = 10.24.97.22<o:p></o:p></p><p class=MsoNormal> NAS-Identifier = "wism2b"<o:p></o:p></p><p class=MsoNormal> Airespace-WLAN-Id = 3<o:p></o:p></p><p class=MsoNormal> Service-Type = Framed-User<o:p></o:p></p><p class=MsoNormal> Framed-MTU = 1300<o:p></o:p></p><p class=MsoNormal> NAS-Port-Type = Wireless-IEEE-802-11<o:p></o:p></p><p class=MsoNormal> Tunnel-Type = 0:VLAN<o:p></o:p></p><p class=MsoNormal> Tunnel-Medium-Type = 0:802<o:p></o:p></p><p class=MsoNormal> Tunnel-Private-Group-ID = 168<o:p></o:p></p><p class=MsoNormal> EAP-Message = <2><6><0><208><25><129><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>`<25>7<243><248><0>R<3><26><148>@7<222><164><148><220>!I<24><183><147><159>{8<1><24><166><27>fN<6><<145><255>7k<165><173>+<162><210><132><201><143><166><7>&<232>{oS<216>p<20><236><13>x5\<219>#&1S<21>l<186><7>O<186>=0j<25><203>b_<229><132><0><242>&<133>,<11><243>6<220><209><186>VN<195><129><196><133><238>W<145>,<212>`<253><132>_T<195><19><14>p9<1><26><194>4<227><232><12>M<175>[<189>q3<149><2>V'<20><3><1><0><1><1><22><3><1><0>09<179><21><238><241>T<157>w<234>?<248><154>v<205><172><159><10><148><205><252><200>7<175><143>Q<224><127>l<244>#}<177><167><27>9<206>TF<171>u<9><213>W<225>_<146><215><200><o:p></o:p></p><p class=MsoNormal> Message-Authenticator = &<11><232><228><168><134><170>@Lj<223><168><255><184><213>h<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan'<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: Deleting session for username, 10.24.97.22, 29<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: Handling with Radius::AuthFILE: <o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: Handling with EAP: code 2, 6, 208, 25<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: Response type 25<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: ERR: EAP TLS error: -1, 1, 8465, 1684: 1 - error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: EAP result: 1, EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: INFO: Access rejected for username: EAP PEAP TLS error<o:p></o:p></p><p class=MsoNormal>Thu Mar 11 12:26:25 2010: DEBUG: Packet dump:<o:p></o:p></p><p class=MsoNormal>*** Sending to 10.24.97.22 port 32770 ....<o:p></o:p></p><p class=MsoNormal>Code: Access-Reject<o:p></o:p></p><p class=MsoNormal>Identifier: 223<o:p></o:p></p><p class=MsoNormal>Authentic: '<21><147><143><128><132><243><158><142><12>yj<12><233><216><181><o:p></o:p></p><p class=MsoNormal>Attributes:<o:p></o:p></p><p class=MsoNormal> EAP-Message = <4><6><0><4><o:p></o:p></p><p class=MsoNormal> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><o:p></o:p></p><p class=MsoNormal> Reply-Message = "Request Denied"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> Are these due to fast-reconnect and/or session resumption or something else?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Also, We did this to be able to use CIDR in our client clauses. We noticed that the handlers used were not what we expected <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We had the following clients configured:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Client 10.23.0.0/16><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> IdenticalClients 10.24.0.0/16 172.31.1.0/24<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Identifier NST-devices<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Secret secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> DupInterval 2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> NasType Cisco<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> SNMPCommunity private<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> IgnoreAcctSignature 1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Client><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>PreClientHook file:"%D/scripts/acct_adjustment.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Client 10.24.97.0/24><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> IdenticalClients 10.24.238.41,10.24.238.42<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Secret secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Identifier wlan<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> DupInterval 2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> NasType Cisco<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> SNMPCommunity private<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> IgnoreAcctSignature 1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Client><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Client 10.24.97.50><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> IdenticalClients 10.24.97.200,10.24.97.201<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Secret secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Identifier wlan<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> DupInterval 2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> NasType Aruba<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> SNMPCommunity private<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> IgnoreAcctSignature 1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Client><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>And these handlers:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Handler TunnelledByPEAP=1><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthByPolicy ContinueUntilAccept<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> RewriteUsername s/(.*)\\(.*)/$2/<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> <AuthBy LSA><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Domain domain<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #Group Domain Users<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #DomainController zulu<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPType MSCHAP-V2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> </AuthBy><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> PostProcessingHook file:"%D/scripts/eap_acct_username.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Handler><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Handler TunnelledByTTLS=1><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthByPolicy ContinueUntilAccept<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> # Strip realm if in MSN format<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> RewriteUsername s/(.*)\\(.*)/$2/<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthBy LDAPAuthentication<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> <AuthBy LSA><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Domain domain<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #Group Domain Users<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #DomainController zulu<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPType MSCHAP-V2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> </AuthBy><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'># <AuthBy UNIX><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'># GroupFilename %D/group<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'># # anonymous-PEAP must be in here:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'># Filename %D/radauth_pass.wlan<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'># </AuthBy><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> PostProcessingHook file:"%D/scripts/eap_acct_username.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Handler><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Handler Client-Identifier=wlan,Called-Station-Id=/devnet/i><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthByPolicy ContinueUntilAccept<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> StripFromRequest Class<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> <AuthBy FILE><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Filename %D/users<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPType PEAP,TTLS<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_CAFile %D/certificates/production/dc1_ca.cer<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_CertificateType PEM<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PrivateKeyPassword secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_VerifyDepth 3<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_MaxFragmentSize 1000<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AutoMPPEKeys<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> SSLeayTrace 4<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PEAPVersion 1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PEAPBrokenV1Label<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> </AuthBy><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Handler><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Handler Client-Identifier=wlan><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthByPolicy ContinueUntilAccept<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> StripFromRequest Class<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> <AuthBy FILE><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Filename %D/users<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPType PEAP,TTLS<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_CAFile %D/certificates/production/verisign-combo.crt<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_CertificateFile %D/certificates/production/%h.pem<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_CertificateType PEM<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PrivateKeyPassword secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_VerifyDepth 3<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_MaxFragmentSize 1000<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AutoMPPEKeys<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> SSLeayTrace 4<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PEAPVersion 1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> EAPTLS_PEAPBrokenV1Label<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> </AuthBy><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Handler><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><Handler Client-Identifier=NST-devices><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AuthByPolicy ContinueUntilAccept<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthByPolicy ContinueAlways<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthByPolicy ContinueWhileIgnore # Default<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> <AuthBy UNIX><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #GroupFilename %D/group<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> Filename %D/passwd.nst<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> </AuthBy><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AddToReply Service-Type = "Administrative-User"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AddToReply cisco-avpair = "shell:priv-lvl=15"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #syslog functions not available on win32<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> #AuthLog authlogger<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> # Log accounting to a detail file<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'></Handler><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>And everything seemed to fall to the last handler - <span style='font-size:10.0pt;font-family:"Courier New"'>NST-devices…we tried moving the Client clause down to be the last client but it made no difference.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>While reading the reference manual, it says handlers are evaluated in the order in which they appear in the config. Should we move the TunneledbyPEAP and TunneledbyTTLS below the wlan handler?<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Also, We noticed that the install did not copy the dictionary to the directory…should we have done an uninstall and then reinstalled?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Jay and Steve<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>