<br><br><div class="gmail_quote">On Thu, Jan 21, 2010 at 1:48 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">
</div> If you're not going to bother reading the messages here, I don't see<br>
why you're asking questions.<br>
<div class="im"><br> <br></div></blockquote><div>I thought the golden rule around here was Don't Touch the Confs, it should just work. Using that information, I wanted to get everything working under the default conf before I went making changes.<br>
<br>The other issue is that this is a production environment I'm working in, so I can only fiddle with it at night when no one's around and put it back before morning, and even then it's only once or twice a week I can do this. This is why I don't get to test every single suggestion the day it is suggested. I will get to it eventually, but I have to guarantee no one is on the network first. There is no funding for a test lab yet. So it may take a few days for me to get outputs for these.<br>
<br>So here is my current experiment: change "user" in the users file to read "<a href="mailto:user@example.com">user@example.com</a> Proxy-To-Realm := LOCAL, Auth-Type: EAP". What this has done for me: now after [pap] has finished I see this output, which looks promising:<br>
<span style="font-family: courier new,monospace;">Found Auth-Type = EAP</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">+- entering group authenticate {...}</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[eap] Request found, released from the list</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[eap] EAP NAK</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[eap] EAP-NAK asked for EAP-Type/tls</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[eap] processing type tls</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] Requiring client certificate</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] Initiate</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] Start returned 1</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">++[eap] returns handled</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Sending Access-Challenge of id 0 to 192.168.1.1 port 3085</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> EAP-Message = 0x010300060d20</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> Message-Authenticator = 0x00000000000000000000000000000000</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> State = 0x5c8c8a805d8f877c3b23b024f6c52334</span><br>
<font face="arial,helvetica,sans-serif">OR I see this after [pap] finishes:<br><span style="font-family: courier new,monospace;">Found Auth-Type = EAP</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">+- entering group authenticate {...}</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[eap] Request found, released from the list</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[eap] EAP/tls</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[eap] processing type tls</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] Authenticate</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] processing EAP-TLS</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> TLS Length 70</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] Length Included</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] eaptls_verify returned 11 </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] (other): before/accept initialization </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] TLS_accept: before/accept initialization </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] TLS_accept: SSLv3 read client hello A </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] TLS_accept: SSLv3 write server hello A </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] >>> TLS 1.0 Handshake [length 01cf], Certificate </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] TLS_accept: SSLv3 write certificate A </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] >>> TLS 1.0 Handshake [length 0088], CertificateRequest </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] TLS_accept: SSLv3 write certificate request A </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] TLS_accept: SSLv3 flush data </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">In SSL Handshake Phase </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">In SSL Accept mode </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">[tls] eaptls_process returned 13 </span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">++[eap] returns handled</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Sending Access-Challenge of id 0 to 192.168.1.1 port 3085</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> EAP-Message = 0x0104029a0d8000000290160301002a0200002603014b58d66df2beab...</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> EAP-Message = 0x654e66d7258c14a9f79bcf1c8ee70bd2b801f39057a0bcaa434ba517...</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> EAP-Message = 0x391081d76569059c3613f16442bc0edad9d95016030100880d000080...</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> Message-Authenticator = 0x00000000000000000000000000000000</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> State = 0x5c8c8a805e88877c3b23b024f6c52334</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Finished request 42.<br><br style="font-family: arial,helvetica,sans-serif;"><span style="font-family: arial,helvetica,sans-serif;">The Windows host now states "Attempting to authenticate" as opposed to "Validating Identity"/"Failed to validate identity" as it did before. And the [tls] module is running now, so this is obviously a step in the right direction. Adding or removing a Cleartext-Password or Reply-Message didn't affect the output greatly.<br>
<br>~Huckle Berry<br></span></span><br></font><br></div></div>
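The EAP-Message values in the debug output above can be decoded by hand to confirm what the [tls] module reports (the Start packet, then the L-bit fragment carrying the ServerHello). The parser below is an added example, not code from this thread or from FreeRADIUS; it assumes only the EAP (RFC 3748), EAP-TLS (RFC 5216) and TLS record (RFC 2246) header layouts, and treats a trailing "..." as the debug output's own truncation.

```python
"""Decode 'EAP-Message = 0x...' values from radiusd -X: EAP header, EAP-TLS flags, first TLS record."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone"}


def decode_eap_tls(hexstr):
    """Parse one EAP-Message value; a trailing '...' (debug truncation) is tolerated and reported."""
    truncated = hexstr.endswith("...")
    h = hexstr.rstrip(".")
    h = h[2:] if h.startswith("0x") else h
    data = bytes.fromhex(h[: len(h) - len(h) % 2])  # drop a dangling nibble, if any
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": truncated}
    if code not in (1, 2) or len(data) < 6:
        return info  # Success/Failure carry no Type field
    eap_type, flags = data[4], data[5]
    info["type"] = "EAP-TLS" if eap_type == EAP_TYPE_TLS else eap_type
    # RFC 5216 flag byte: L = TLS length included, M = more fragments, S = EAP-TLS Start
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:
        info["tls_length"] = struct.unpack("!I", data[pos:pos + 4])[0]
        pos += 4
    if flags & 0x20 or len(data) < pos + 5:
        return info  # a Start packet (or a bare fragment) carries no record header
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
    rec = {"content": TLS_CONTENT.get(ctype, ctype),
           "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
           "length": rlen}
    if ctype == 22 and len(data) >= pos + 9:  # Handshake: 1-byte type, 3-byte length
        rec["handshake"] = HANDSHAKE.get(data[pos + 5], data[pos + 5])
        rec["handshake_length"] = int.from_bytes(data[pos + 6:pos + 9], "big")
    info["record"] = rec
    return info


if __name__ == "__main__":
    # The two values quoted from the debug output above (the second is truncated there).
    for msg in ("0x010300060d20",
                "0x0104029a0d8000000290160301002a0200002603014b58d66df2beab..."):
        print(decode_eap_tls(msg))
```

For the second packet the EAP length 666 equals 6 header bytes + 4 length bytes + the 656-byte TLS length, and 656 is exactly the sum of the three records the debug shows (42 + 463 + 136 bytes plus a 5-byte record header each), so the hex and the [tls] log lines agree.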