Hi Heikki,
On 07. 06. 21 16:06, Heikki Vatiainen wrote:
>> At this moment I reduced FailureBackoffTime from 600s to 60s and
>> provided multiple LDAP servers to AuthBy LDAP2, which seems to be
>> working.
> It's good to hear that the above helps, but the AuthBy itself should also
> work so that it can signal LDAP failure by using IGNORE and allowing the
> client a proper failover.
> Can you check if your config has something that does this? If not, I'd
> like to see the logs to see why AuthBy LDAP2 does not return IGNORE.
>> My config:
> Looks good, but please check if there are additional hooks or AuthBys
> that may turn IGNORE into a REJECT.
I reduced the config as much as possible; it is attached.
I also attached a log example. I just realized that the Access-Reject is
produced for a transmitted request. Maybe that is the source of the problem?
See, here LDAP fails and the result is IGNORE:
Tue Jun 8 15:03:10 2021: INFO: AuthLDAP2 'Check2017LDAP' Connecting to ldap33.cesnet.cz port 636
Tue Jun 8 15:03:10 2021: ERR: AuthLDAP2 'Check2017LDAP' Could not open LDAP connection to ldap33.cesnet.cz port 636. Backing off for 600 seconds.
Tue Jun 8 15:03:10 2021: DEBUG: EAP Failure, elapsed time 0.024032
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 2, User database access error
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Jun 8 15:03:10 2021: DEBUG: Access ignored for [email protected]: User database access error
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 2, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, EAP PEAP inner authentication redispatched to a Handler
And here is the retransmitted Access-Request 3 seconds later:
Tue Jun 8 15:03:13 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 7
Authentic: <253><3><159><173>.k+<177>B<4><237>V<138>p<211><254>
Attributes:
User-Name = "[email protected]"
And AuthBy LDAP2 produces an error and an Access-Reject:
Tue Jun 8 15:03:13 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:13 2021: DEBUG: Handling with EAP: code 2, 34, 108, 25
Tue Jun 8 15:03:13 2021: DEBUG: Response type 25
Tue Jun 8 15:03:13 2021: DEBUG: EAP Failure, elapsed time 3.029766
Tue Jun 8 15:03:13 2021: ERR: EAP PEAP TLS read failed: 4759: 1 - error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: DEBUG: EAP result: 1, EAP PEAP TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: DEBUG: AuthBy LDAP2 result: REJECT, EAP PEAP TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: INFO: Access rejected for [email protected]: EAP PEAP TLS read failed: decryption failed or bad record mac
Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 0
Authentic: <21>>l68;U<254>"<19>ID<156><222><155>)
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2><27><0><23><1>[email protected]
Message-Authenticator = <178><207><195>}$y-N<199>4|<8>FD<197><244>
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 27, 23, 1
Tue Jun 8 15:03:10 2021: DEBUG: Response type 1
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 0
Authentic: <162>|7)<167><141><185>4<190>L;i<206><232><194><164>
Attributes:
EAP-Message = <1><28><0><6><25>
Message-Authenticator = B7q<209><170>f@"];<198><213><246><8><205><252>
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 1
Authentic: h<197>E<241><168><219><2><153><7>!<164><144><236>4<164><215>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2><28><1>!<25><128><0><0><1><23><22><3><1><1><18><1><0><1><14><3><3><163>&E<205><19>K<249><132>y'<219><160>'<152>K<208>[<198>@E<248><208>xiFB<248>81r<196><140> <21><170>6<200>o<231><162><207>.0l<207>{Z<13>+@&<7><14><191><149>C<214>,%+<247><246><0><175><248><0>><19><2><19><3><19><1><192>,<192>0<0><159><204><169><204><168><204><170><192>+<192>/<0><158><192>$<192>(<0>k<192>#<192>'<0>g<192><10><192><20><0>9<192><9><192><19><0>3<0><157><0><156><0>=<0><<0>5<0>/<0><255><1><0><0><135><0><11><0><4><3><0><1><2><0><10><0><12><0><10><0><29><0><23><0><30><0><25><0><24><0><22><0><0><0><23><0><0><0><13><0>*<0>(<4><3><5><3><6><3><8><7><8><8><8><9><8><10><8><11><8><4><8><5><8><6><4><1><5><1><6><1><3><3><3><1><3><2><4><2><5><2><6><2><0>+<0><5><4><3><4><3><3><0>-<0><2><1><1><0>3<0>&<0>$
EAP-Message = <0><29><0> <168><133><187>fGW<172><28><178><128>*PV-R{<28><15>%<13><184><245><233>E<20><127><213><251><234><146>.<3>
Message-Authenticator = <196>=<1><129><28><229><151>9<170><12>s<190><233>8o?
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 28, 289, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP TLS SSL_accept result: -1, 2, 26
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 1
Authentic: <165>#<3><178>A<12>;^<199><239><25>q<22><187><218>a
Attributes:
EAP-Message = <1><29><3><242><25><192><0><0><6><194><22><3><3><0>]<2><0><0>Y<3><3><236><163><195><18>tW<27>,<167><227>1<220>D<229><0><16>M<187><250><249>]<130>H<162>=<237><7><137>`.-<245> *v<224>a<179>e<132><242>0<243><244><165><179><145>d`<200>y<201>C<228><171><245><24>d<249><249><238><26>v[<228><192>0<0><0><17><255><1><0><1><0><0><11><0><4><3><0><1><2><0><23><0><0><22><3><3><5>!<11><0><5><29><0><5><26><0><5><23>0<130><5><19>0<130><2><251><160><3><2><1><2><2><8>!4*6R<238>YM0<13><6><9>*<134>H<134><247><13><1><1><11><5><0>0_1<22>0<20><6><3>U<4><3><12><13>CESNET EAP CA1<22>0<20><6><3>U<4><10><12><13>CESNET EAP CA1<25>0<23><6><10><9><146>&<137><147><242>,d<1><25><22><9>cesnet-ca1<18>0<16><6><10><9><146>&<137><147><242>,d<1>
EAP-Message = <25><22><2>cz0<30><23><13>201005091454Z<23><13>221005091454Z0b1<18>0<16><6><10><9><146>&<137><147><242>,d<1><25><22><2>cz1<25>0<23><6><10><9><146>&<137><147><242>,d<1><25><22><9>cesnet-ca1<22>0<20><6><3>U<4><10><12><13>CESNET EAP CA1<25>0<23><6><3>U<4><3><12><16>radius.cesnet.cz0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><211>n<188><227><3><157>RP<232><169><147><182><198><17><241><178>NT<225><146><184><248>5$<213><198><3><203><2>ef<137><183><243><135><150><143>\<177><210><12><13><155>h<133><1><246><166><218><2>.D)<255><2><227><130>G<129>B0zv<170><138><136><30><128><128><231>3<9>l]<231><170><205><235>s<26><250>$<150>
EAP-Message = 1<128>Q*J<227><199>"<246><193><131><174>y<217><154><171>_<135><165><192>?<19><244>Pe<146>[<23><255><170>.pz<157>f<172>UGV<13><176>:<161><228><23><141><199><140><255>6<225>;<230><218><131>l<225>l<176>AUh;t9<215><213><172>7F<219><181>`C0o<238><28><153><26><153><3><4><23><222>@.<250><3>N<231><2><144>we ?<227><185><184><12>}<196><221>Q<138>Tf<204>Lv<148><173>]<152>pk<8>s<229><4>V<147>R<237>9<204><5><171><6><147><251>h<249><140>m<252><250>;<176><2>8y<147><222><31><203> <226><133>Z<234><161><143><254>",<209><179><193><137><163>4<161>'<136><149>u<14><159><190><207><9><2><3><1><0><1><163><129><207>0<129><204>0<29><6><3>U<29><14><4><22><4><20>^<2><220><242><21><15>Tp<254><26><17><232>!<137><187><206><128>S<192><216>0<12><6><3>U<29><19><1><1><255><4><2>0<0>0<31><6><3>U<29>#<4><24>0<22><128><20><147><185><153><220>o<221>zr^<19><248>
EAP-Message = <252><216><216><8>%<132><225><251><231>0:<6><3>U<29><31><4>3010/<160>-<160>+<134>)http://crt.cesnet-ca.cz/CESNET_EAP_CA.crl0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><160>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<27><6><3>U<29><17><4><20>0<18><130><16>radius.cesnet.cz0<13><6><9>*<134>H<134><247><13><1><1><11><5><0><3><130><2><1><0>aPV<203>_<226><228><186><226>'<250>&<142><226><150><214>1<15><232>Yt%<210><15><254><153><6><254><130><195><128><143>I<27>H<172><15><215><248>W<207><242>!!<141><204><7><205><216>"^<215><146><12>&JV<197><248>pvb<223>@WW<10><234><215><216><250><139><212>CI<190><27><172><191> ^,F<233>[<211><190><248><189><1>;Q<186><194><212><146>
Message-Authenticator = <185><133><255>/w<203><219><140><222>"Y<131>We<175>+
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 2
Authentic: <9>(<239>9o(d<228>M"_<196><236><132>?<0>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2><29><0><6><25><0>
Message-Authenticator = <21><239>5r<139><225><223><204>$<177>D<196><21><224><22>N
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 29, 6, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 2
Authentic: s<225>#jqOyz<235><177><217>'<245>O5<232>
Attributes:
EAP-Message = <1><30><2><224><25><0>[:<0><208><148><192>v<142><158><185><185><147>"x[<235><197><21><207><245><232><151>'<170>2I'<188>5<243><185><175><133>H<238>:dU<244>XF~<203>(O2<158><11><173><195>v<195>n/<<230><219>/<30><171>E<155><196>r<151><216>F<174><27><204><31><202><202>@C]<205><232><178>?'<238><1><157>H<206><12><1><182>0}<27><24><245>c<224>7<137>[<191><26><185><250><196><213>v<204><15><5>u;<139><10><191><135>x<219><189>s<152><1>Q<21>}<184><227><130><212><189><26><213>o<141>M<250><131><23>]<26><136><162><29>/<197><239>j<166><254><214><141><139><144><10><244><230>)<184>QH<241>41<141>-<1><22>#<217><135><248>F<<230><239><180><243>X<16><238><137>;<237><20><215>$<134><190>y<15>"jHS<156>Wu3<138><3><11><22>6fY _<216>O<196><24><191><255><28>N<193><208><232><202>YV/?o5<250><241>J<0><174><220> <200><216>U<243>z@<239><140><196><18><155><198>nv <131>
EAP-Message = <197><0><182><12><253><234>,1<25><157><209>}<199>Z:=<166><19>q).P<128><132><250>}<10><184><233><147>j<148>)<134><198>?<245><177><7>R1<255><249>Z*<199><235><253>>+<141><144><160>`<161>k<130>"<237>C(<189>^]<15><8><157>Bny<185>7S<145><11><165><141>/<199><22>E<19>[<186><184><155><21><236>r5<231><152><162><134>@8Pb<139>]<192><141><218><162><187><172>?$<172><208>#<189><161>><132>_<219><227><9><202><212><186>]<162><139><18><132><201><5><140><194>E<214><7>T<242>}<173><215><127><247><170>=<254>6h<3>~<6><0><147><212>x<166><222>d<252><170><19>]e<192><3>[<143><219><226> <136><22><3><3><1>,<12><0><1>(<3><0><29> <31><186><229><148>\L<252><177><2><132><218><134><29><17><143>Q<30><236><149>(<3>]<240><145><244><5>D<245><204><192><172>4<8><4><1><0><194>`g<217><128>~<28>z<246><224><250><217>[h<243><21>h<193><31>/<246> <8><143><156><221><154>h<211>T<160><31><242><197><211>
EAP-Message = <238>E<25><199>B<203><174><210>y2<207><203><E<230>=;o!t-~<164><141>F<19><232>i)<167><146><252><223><2>gh)<3>N<199>w<131>?<154>4<237><157><7>j<198>ml<211><190>&K<6><189><203><200><153><185>Lh<171><25><195><230>7<132>XU<127>?h;@<183>.~<181>+<218><242><162><247><211><201><221><210><213><156>8A|<193>$<9><254><234><31>+x<252>|<235><219>0<6><152><3>}<139><208><30>v<151><169><14><133><144>2<139><252>1q"<215>Oy&<31><164>6<214>~<188><165><146>W<217>_<28><233>w<245><157><16>2<7>~P<224>EOA<190>P<144>H?DE<217><182> <204><224><0>$C<11><181><131><190><194><135><246><174><235>dC<135>2&<132><227><169><248>!<6><239><202>!<159><25><135>Ie<10><4>K<213><22>!d<31><163><248>"<192><238>,e<184>I<163><1><255><233><170><22><3><3><0><4><14><0><0><0>
Message-Authenticator = <212><155>g?<132><189>A\E<238>7w<210>2+<131>
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 3
Authentic: <7>}Oo[h^<29><128>5<13><31><225>I)G
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2><30><0>g<25><128><0><0><0>]<22><3><3><0>%<16><0><0>! 5<164>A,)&<182>wU<192>eu@<6><159>N:9<230><239><163>+}<162>X<207>jx<225><20><255>7<20><3><3><0><1><1><22><3><3><0>(]<242>p>ae<147><128><31><189>V<24><186><227><198>2=<142><151>v<237>Gb<192>2i<204><218>{<207>0bq<217>"<149><198>B<202>X
Message-Authenticator = <162><20>C<151><10><248>&$<137><210>d<138><214><250><28><187>
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 30, 103, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP TLS SSL_accept result: 1, 0, 1
Tue Jun 8 15:03:10 2021: DEBUG: EAP PEAP TLS Session accepted: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 3
Authentic: <193>H<31><153><22><22><145>5<4>Oq<254><194><248>b<159>
Attributes:
EAP-Message = <1><31><0>=<25><128><0><0><0>3<20><3><3><0><1><1><22><3><3><0>(<31><221>D|<226><234><236>K)<171>[A<148><18>J{`-<22>^<216><225>B\<135><152><166><18><193>tnl<225>$<243><243>#<178><22><213>
Message-Authenticator = <21><159><137><2><182><.<1><1>zG<132><160>p<162><227>
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 4
Authentic: W<220><225><239><1><203>~<174><248>N'Y<28><15><229><142>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2><31><0><6><25><0>
Message-Authenticator = t<179><206><215><199><27>0<224><160><228><243><138><167><167><219>L
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 31, 6, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 4
Authentic: Qe<207><164><127>U<238><216><241><190><4>%<200>R<223><174>
Attributes:
EAP-Message = <1> <0>$<25><0><23><3><3><0><25><31><221>D|<226><234><236>L~<195>]<214>u<248><138><245>9<192>8<16>H'<183><227>|
Message-Authenticator = <157><203><128>G<10><21><198>FD<242><190>6/#(G
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 5
Authentic: ^<134>5X]<209>__<250><135>2<228>-<231>9<138>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2> <0>6<25><0><23><3><3><0>+]<242>p>ae<147><129>7<155>w<135>6W<240>B<221>(<12><229><193><199> <25>t<179><235>><248><171><189><187>? \<2><251><255><231>H(5<253>
Message-Authenticator = <208>7q<149><170>^D<196><134><248>;R<29>E<214><162>
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 32, 54, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP PEAP inner authentication request for [email protected]
Tue Jun 8 15:03:10 2021: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <217>N<25>f5H<10><23><219><23><196><192>+<212>E<203>
Attributes:
EAP-Message = <2> <0><23><1>[email protected]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
User-Name = "[email protected]"
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 32, 23, 1
Tue Jun 8 15:03:10 2021: DEBUG: Response type 1
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: <217>N<25>f5H<10><23><219><23><196><192>+<212>E<203>
Attributes:
EAP-Message = <1>!<0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 5
Authentic: <246><216><22>s<222><184><159><131><145><243><12><193><191><173><171>C
Attributes:
EAP-Message = <1>!<0>%<25><0><23><3><3><0><26><31><221>D|<226><234><236>M<252><143>9<238><249>uD<160>'<30><219>K<130><242><213>:<209>P
Message-Authenticator = M<238><246>x<144><185>`<155><180><208><209><251><12>b<174>e
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 6
Authentic: <141>A<223><10><139>J<6>"<150>X<9><173><164>-<158><207>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2>!<0>%<25><0><23><3><3><0><26>]<242>p>ae<147><130><157>Mg<202>qR<242><151><12><220><214><227><173>vT<189><164><20>
Message-Authenticator = ><20><168><253><162><0><10><130><250><19><218><170>kC<191>H
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 33, 37, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP PEAP inner authentication request for [email protected]
Tue Jun 8 15:03:10 2021: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <175>i<178><163><130><146><129><149>fO<17><29><145><210>3<29>
Attributes:
EAP-Message = <2>!<0><6><3><26>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
User-Name = "[email protected]"
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 33, 6, 3
Tue Jun 8 15:03:10 2021: DEBUG: Response type 3
Tue Jun 8 15:03:10 2021: DEBUG: EAP Nak desires type 26
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP MSCHAP-V2 Challenge
Tue Jun 8 15:03:10 2021: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: <175>i<178><163><130><146><129><149>fO<17><29><145><210>3<29>
Attributes:
EAP-Message = <1>"<0><30><26><1>"<0><25><16><10>d<238>(/<21><208>r(9<145><204>j<182>F<128>doma
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: Access challenged for [email protected]: EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Challenge
Identifier: 6
Authentic: -<182>W<207>*<248><178><140><161><192>Pk^<159><158><26>
Attributes:
EAP-Message = <1>"<0>=<25><0><23><3><3><0>2<31><221>D|<226><234><236>N<191><169><205>H<181>d<187>*<186><200><154><176>9+<30>S3Xq<254><4>'<199>a<190><23>XH<19><193><216>^<154><14>L<232><232>xr<159>'<204>
Message-Authenticator = o<161><253><10><213><185>YE_V<176><186><158>B<233><198>
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 7
Authentic: <253><3><159><173>.k+<177>B<4><237>V<138>p<211><254>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2>"<0>l<25><0><23><3><3><0>a]<242>p>ae<147><131>g<193><233><135>kX<242><224><131><251><151><196><214><161>oG<248>BY<195>B<131><209>t<164><208><133><218><31><127>.jBb<199><227>TJ_<168><141>[t<245><133>qp<224><252><190><31><221>c,<240>5l*6^-$KKY,<210><248>*<173><181><4><146><181>k<15><8><132><140>#<167><162>BC#<141><170><230>g
Message-Authenticator = <255>$<187><240><131>}`<200>8<157><22>nR<150><130><232>
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 34, 108, 25
Tue Jun 8 15:03:10 2021: DEBUG: Response type 25
Tue Jun 8 15:03:10 2021: DEBUG: EAP PEAP inner authentication request for [email protected]
Tue Jun 8 15:03:10 2021: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <252>c<196><160>y<162><177><217>6<166><143>C<247><150><0><19>
Attributes:
EAP-Message = <2>"<0>M<26><2>"<0>H1z<197><179><4>ga<215><151><21>ce<140><154>L<<171><0><0><0><0><0><0><0><0><246><245>><198><201><158><188>h<227>Wy7<14>%<147><186><189>V<132><23>,n~<30><0>[email protected]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
User-Name = "[email protected]"
Tue Jun 8 15:03:10 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:10 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:10 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:10 2021: DEBUG: Handling with EAP: code 2, 34, 77, 26
Tue Jun 8 15:03:10 2021: DEBUG: Response type 26
Tue Jun 8 15:03:10 2021: INFO: AuthLDAP2 'Check2017LDAP' Connecting to ldap33.cesnet.cz port 636
Tue Jun 8 15:03:10 2021: ERR: AuthLDAP2 'Check2017LDAP' Could not open LDAP connection to ldap33.cesnet.cz port 636. Backing off for 600 seconds.
Tue Jun 8 15:03:10 2021: DEBUG: EAP Failure, elapsed time 0.024032
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 2, User database access error
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Jun 8 15:03:10 2021: DEBUG: Access ignored for [email protected]: User database access error
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 2, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, EAP PEAP inner authentication redispatched to a Handler
Tue Jun 8 15:03:13 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 7
Authentic: <253><3><159><173>.k+<177>B<4><237>V<138>p<211><254>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-01-F7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Framed-User
Connect-Info = "ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz"
EAP-Message = <2>"<0>l<25><0><23><3><3><0>a]<242>p>ae<147><131>g<193><233><135>kX<242><224><131><251><151><196><214><161>oG<248>BY<195>B<131><209>t<164><208><133><218><31><127>.jBb<199><227>TJ_<168><141>[t<245><133>qp<224><252><190><31><221>c,<240>5l*6^-$KKY,<210><248>*<173><181><4><146><181>k<15><8><132><140>#<167><162>BC#<141><170><230>g
Message-Authenticator = <255>$<187><240><131>}`<200>8<157><22>nR<150><130><232>
Tue Jun 8 15:03:13 2021: DEBUG: Handling request with Handler '', Identifier ''
Tue Jun 8 15:03:13 2021: DEBUG: SessINTERNAL: Deleting session for [email protected], 127.0.0.1,
Tue Jun 8 15:03:13 2021: DEBUG: Handling with Radius::AuthLDAP2: Check2017LDAP
Tue Jun 8 15:03:13 2021: DEBUG: Handling with EAP: code 2, 34, 108, 25
Tue Jun 8 15:03:13 2021: DEBUG: Response type 25
Tue Jun 8 15:03:13 2021: DEBUG: EAP Failure, elapsed time 3.029766
Tue Jun 8 15:03:13 2021: ERR: EAP PEAP TLS read failed: 4759: 1 - error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: DEBUG: EAP result: 1, EAP PEAP TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: DEBUG: AuthBy LDAP2 result: REJECT, EAP PEAP TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: INFO: Access rejected for [email protected]: EAP PEAP TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 52252 ....
Code: Access-Reject
Identifier: 7
Authentic: "<19><4><225><189><215>8JX<162>9X<137>+<251><223>
Attributes:
EAP-Message = <4>"<0><4>
Message-Authenticator = @K<216>2<252><227>9<25><129><224>'E<203><151>13
Reply-Message = "Request Denied"
Tue Jun 8 15:05:10 2021: DEBUG: Cleared expired unfinished EAP-MSCHAP-V2 context, elapsed time -1623157510.05943. Client never finished authentication.
#Foreground
Trace 4
LogDir /var/log/arch/radiator
LogFile %L/radiator.%Y_%m_%d.log
DbDir /opt/radiator/radiator
User radiator
Group radiator
AuthPort 1812
AcctPort 1813
<Client localhost>
Secret mysecret
DupInterval 0
</Client>
<Handler>
<AuthBy LDAP2>
Identifier Check2017LDAP
UsernameMatchesWithoutRealm yes
Host ldap33.cesnet.cz
Port 636
UseSSL
SSLCAFile /etc/radiator/certs/chain_CESNET_CA4.pem
AuthDN xxx
AuthPassword xxx
BaseDN dc=cesnet,dc=cz
UsernameAttr uid
PasswordAttr radiusPassword
AuthAttrDef radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
SearchFilter (&(%0=%1)(|(objectClass=eduroamTestAccount)(objectClass=radiusUser)))
EAPType PEAP,MSCHAP-V2,LEAP,TTLS
# 2. 11. 2018 Semik - we stop sending the root certificate
EAPTLS_CAPath /etc/ssl/certs/null
EAPTLS_CertificateFile /etc/radiator/certs/radius.cesnet.cz.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certs/radius.cesnet.cz.key
EAPTLS_PrivateKeyPassword xxx
EAPTLS_MaxFragmentSize 1000
EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}
EAPAnonymous %n
</AuthBy>
</Handler>
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
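As an added illustration of the failure mode the message above points at (this is not code from the post, from Jan, or from Radiator), the Python below parses Radiator packet dumps and "AuthBy LDAP2 result" lines and applies a DupInterval-style duplicate window to them. The attached config has DupInterval 0 on the <Client>, and the attached log shows Identifier 7 arriving twice from 127.0.0.1 with the same Request Authenticator, 3 seconds apart: the first pass ends in IGNORE, the retransmit is fed to the PEAP TLS session again and ends in REJECT with "decryption failed or bad record mac". The window semantics used here (a repeat of the same client, Identifier and Request Authenticator within DupInterval seconds is dropped; 0 disables the check) are an assumption modelled on Radiator's documented parameter, the log excerpt is a constructed trim of the attachment, and the parser is written so it also reads the full attached log.

```python
# Added example, not code from the post or from Radiator. The DupInterval
# semantics are an assumption modelled on the documented <Client> parameter.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the posted log, attribute dumps and CHALLENGE results trimmed.
LOG = """\
Tue Jun 8 15:03:10 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 7
Authentic: <253><3><159><173>.k+<177>B<4><237>V<138>p<211><254>
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Jun 8 15:03:13 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 7
Authentic: <253><3><159><173>.k+<177>B<4><237>V<138>p<211><254>
Tue Jun 8 15:03:13 2021: DEBUG: AuthBy LDAP2 result: REJECT, EAP PEAP TLS read failed: decryption failed or bad record mac
"""

TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}): \w+: (.*)$")
FROM_RE = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
RESULT_RE = re.compile(r"AuthBy LDAP2 result: (\w+),")
Key = Tuple[str, int, str]  # (client ip:port, Identifier, Request Authenticator)


@dataclass
class Request:
    when: datetime
    src: str
    identifier: int
    authenticator: str            # as Radiator prints it in the packet dump
    result: Optional[str] = None  # last AuthBy result logged after this packet

    def key(self) -> Key:
        return (self.src, self.identifier, self.authenticator)


def parse_log(text: str) -> List[Request]:
    """Collect received Access-Requests and the AuthBy result following each."""
    requests: List[Request] = []
    dump: Optional[dict] = None  # header fields of the packet dump being read
    stamp = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamp = datetime.strptime(re.sub(r"\s+", " ", m.group(1)),
                                      "%a %b %d %H:%M:%S %Y")
            dump = {} if m.group(2) == "Packet dump:" else None
            r = RESULT_RE.search(m.group(2))
            if r and requests:  # attribute the result to the latest request
                requests[-1].result = r.group(1)
        elif dump is None:
            continue
        elif FROM_RE.match(line):
            dump["src"] = FROM_RE.match(line).expand(r"\1:\2")
        elif line.startswith("Code: "):
            dump["code"] = line[6:]
        elif line.startswith("Identifier: ") and line[12:].isdigit():
            dump["identifier"] = int(line[12:])
        elif line.startswith("Authentic: "):
            # The authenticator ends the header; keep received Access-Requests only
            if dump.get("code") == "Access-Request" and "src" in dump and "identifier" in dump:
                requests.append(Request(stamp, dump["src"], dump["identifier"], line[11:]))
            dump = None
    return requests


def apply_dup_interval(requests: List[Request], dup_interval: float) -> List[Tuple[Request, str]]:
    """Tag each request 'processed' or 'discarded-duplicate' under a DupInterval window."""
    seen: Dict[Key, datetime] = {}
    tagged = []
    for req in requests:
        prev = seen.get(req.key())
        # A repeat of the same key inside the window is a retransmission and is dropped;
        # with a window of 0 the test never holds, so the retransmit reaches EAP again.
        if prev is not None and (req.when - prev).total_seconds() < dup_interval:
            tagged.append((req, "discarded-duplicate"))
        else:
            seen[req.key()] = req.when
            tagged.append((req, "processed"))
    return tagged


def ignore_then_reject(requests: List[Request]) -> List[Tuple[int, float]]:
    """Detection rule: a key answered IGNORE first and REJECT on its retransmit; returns (Identifier, seconds)."""
    first: Dict[Key, Request] = {}
    hits = []
    for req in requests:
        k = req.key()
        if k not in first:
            first[k] = req
        elif first[k].result == "IGNORE" and req.result == "REJECT":
            hits.append((req.identifier, (req.when - first[k].when).total_seconds()))
    return hits
```

Running parse_log(LOG) and then apply_dup_interval with a window of 0 tags both Identifier 7 packets as processed, which is the path the log shows; with a window of 10 the second packet is tagged discarded-duplicate and never reaches the EAP state machine. ignore_then_reject over the same requests returns [(7, 3.0)], and run over a day's log it counts how often a backend-failure IGNORE was followed by a REJECT on the retransmit, which is the thing to look for before deciding whether DupInterval or the AuthBy's failure handling needs changing.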