[RADIATOR] accessing ntlm_auth Authentication-Error attribute

Mike McCauley mikem at open.com.au
Tue Oct 5 19:46:06 CDT 2010


Hi David,

thanks for raising this issue.
We have now updated AuthBy NTLM so that if an authentication fails, the
Warning log message records the user name along with the Authentication-Error.

This fix is now in the latest patch set.

As for getting the error message text into the reply message, that would take 
some considerable modification of the code, which of course you may do if you 
wish.

Thanks again for the suggestions.
Cheers.

On Wednesday 06 October 2010 10:23:36 am David Zych wrote:
> Hi,
>
> I'm using AuthBy NTLM to authenticate Active Directory users from a linux
> Radiator instance.  When an authentication fails, ntlm_auth seems to give a
> useful error message in the "Authentication-Error" attribute which would be
> helpful for distinguishing different types of problems.  This attribute is
> clearly visible both in the DEBUG output and in a WARNING log message that
> is generated by the module, but I can't figure out how to reference it
> afterward to do other things with it (such as include it in my AuthLog
> FailureFormat, store it in a database where it can assist our help desk in
> troubleshooting, return it as the reject reason, etc).  Is there any way to
> get at this value short of modifying the module?
>
> Below are sample debug output snippets from two failed ntlm_auth login
> attempts.  In both cases the AuthBy NTLM reject reason is simply "AuthBy
> NTLM Password check failed" which is not nearly as helpful in
> troubleshooting as the Authentication-Error message ("Wrong Password" vs
> "No such user") would be.  Note also that unfortunately the WARNING message
> doesn't include the username, so even that wouldn't be terribly helpful in
> a production environment with lots of requests.
>
> Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute LANMAN-Challenge: 551ad887cef366ce
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Response: ef76db2128d03a9789133c333175ac5aaad6acedd8c17f44
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
> Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: dmrz [dmrz]
> Tue Oct  5 18:55:09 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
> Tue Oct  5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed
>
> vs
>
> Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute LANMAN-Challenge: f706118f18863992
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Response: 3667e0f1e6a08365d587d54f8a7889357f36e94da008e8cf
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
> Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: bogususer [bogususer]
> Tue Oct  5 18:55:38 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
> Tue Oct  5 18:55:38 2010: INFO: Access rejected for bogususer: AuthBy NTLM Password check failed
>
> Thanks,
> David
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
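Because the WARNING line in the quoted output carries no user name, one log-side way to give a help desk "user + ntlm_auth error" without touching AuthBy NTLM is to pair each Authentication-Error line with the "looks for match with" line that precedes it. The Python below is an added example, not Radiator code and not from either poster; it runs over debug lines condensed from the two failures quoted above and assumes Radiator handles requests one at a time, so the lines of one request are not interleaved with another's.

```python
import re

# Sample input: Radiator DEBUG/WARNING/INFO lines condensed from the two
# failed ntlm_auth logins quoted in the thread (one line per log entry).
SAMPLE_LOG = """\
Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Oct  5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
Tue Oct  5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed
Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
Tue Oct  5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
Tue Oct  5 18:55:38 2010: INFO: Access rejected for bogususer: AuthBy NTLM Password check failed
"""

# Radiator's time stamp: weekday, month, space-padded day, time, year.
TS = r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
MATCH_RE = re.compile(TS + r": DEBUG: Radius::AuthNTLM looks for match with (?P<user>\S+) \[")
ERROR_RE = re.compile(TS + r": DEBUG: Received attribute: Authentication-Error: (?P<err>.*)$")


def ntlm_failures(lines):
    """Yield (timestamp, user, error) for every ntlm_auth failure in the log.

    The helper's Authentication-Error line names no user, so the user is taken
    from the most recent 'looks for match with' line. Assumes requests are
    processed sequentially (no interleaving), which is how Radiator logs them.
    """
    pending = None  # (timestamp, user) of the request currently being checked
    for line in lines:
        m = MATCH_RE.search(line)
        if m:
            pending = (m.group("ts"), m.group("user"))  # new request resets pairing
            continue
        m = ERROR_RE.search(line)
        if m and pending is not None:
            yield pending[0], pending[1], m.group("err").strip()
            pending = None  # one error per request; never reuse a stale user


def failures_by_error(lines):
    """Group failing user names under each distinct ntlm_auth error text."""
    grouped = {}
    for _, user, err in ntlm_failures(lines):
        grouped.setdefault(err, []).append(user)
    return grouped


if __name__ == "__main__":
    for ts, user, err in ntlm_failures(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}: {err}")
```

Running the module prints one line per failure in the form a FailureFormat-style log or a help-desk table would want, e.g. the user name next to "Wrong Password" or "No such user".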

