(RADIATOR) Error with standard Dial-up Settings.

Hugh Irvine hugh at open.com.au
Thu Jan 31 21:58:27 CST 2002


Hello Allister -

If you are using encrypted passwords in your LDAP server, you can only use 
PAP authentication. If you want to use CHAP authentication, you must have 
cleartext passwords in the LDAP database.

The trace 4 debug will show whether you are receiving radius accounting 
packets from the NAS, which will have to be configured to generate accounting 
records and send them to Radiator.

regards

Hugh

>
> Hello,
>
> We are running Radiator in a test environment with LDAP authentication
> to Active Directory. If we set up a dial-up connection (default settings)
> on Windows 2000 we get the error below. To make it work we must change
> the security settings of the connection, i.e. "Advanced Security
> Settings:" (only have this selected) "Allow these protocols",
> "Unencrypted password (PAP)".
>
> How can I fix this so we don't have to change the default settings when
> creating a dialup?
>
> Also, it does not produce accounting logs. How can I fix this as well?
>
> Also, is it possible to pull all the settings from LDAP but authenticate
> with Kerberos V or PAM Kerberos V?
>
> Included below is the error message and config file.
>
> Thanks
>
> Allister Maguire
>
>
> ************************************************************************
> ***************************************************************
>
> Fri Feb  1 13:55:50 2002: DEBUG: Packet dump:
> *** Received from 192.168.0.11 port 1025 ....
> Code:       Access-Request
> Identifier: 61
> Authentic:  A<223><246><167><165>y<162>^T<177><130><239><158><232><175>:
> Attributes:
>         User-Name = "bbuilder"
>         CHAP-Password = "<1><201>W<158><152>
> *XK9<177>Im<134><236><190>t"
>         NAS-Identifier = "192.168.0.11"
>         NAS-Port = 20131
>         NAS-Port-Type = Async
>         State = ""
>         Caller-Id = "49157700"
>         Client-Port-DNIS = "049173901"
>         Acct-Session-Id = "281178974"
>
> Fri Feb  1 13:55:50 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Feb  1 13:55:50 2002: DEBUG:  Deleting session for bbuilder,
> 192.168.0.11, 20131
> Fri Feb  1 13:55:50 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb  1 13:55:50 2002: INFO: Connecting to 192.168.0.6, port 389
> Fri Feb  1 13:55:50 2002: INFO: Attempting to bind with cn=Proxy
> User,ou=Resources,ou=Globe.Net Communications Ltd,dc=gnc,dc=net,dc=nz,
> xxxxx (server 192.168.0.6:389)
> Fri Feb  1 13:55:50 2002: DEBUG: LDAP got result for CN=Bob
> Builder,OU=People,OU=Globe.Net Communications Ltd,DC=gnc,DC=net,DC=nz
> Fri Feb  1 13:55:50 2002: DEBUG: LDAP got msNPCallingStationID: 49157700
> Fri Feb  1 13:55:50 2002: DEBUG: LDAP got msRADIUSCallbackNumber:
> 192.168.0.189
> Fri Feb  1 13:55:50 2002: DEBUG: Radius::AuthLDAP2 looks for match with
> bbuilder
> Fri Feb  1 13:55:50 2002: ERR: Attribute number 79 is not defined in
> your dictionary
> Fri Feb  1 13:55:50 2002: WARNING: Cant use encrypted passwords with
> CHAP
> Fri Feb  1 13:55:50 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
> password
> Fri Feb  1 13:55:50 2002: INFO: Connecting to 192.168.0.6, port 389
> Fri Feb  1 13:55:50 2002: INFO: Attempting to bind with cn=Proxy
> User,ou=Resources,ou=Globe.Net Communications Ltd,dc=gnc,dc=net,dc=nz,
> xxxxx (server 192.168.0.6:389)
> Fri Feb  1 13:55:50 2002: DEBUG: No entries for DEFAULT found in LDAP
> database
> Fri Feb  1 13:55:50 2002: INFO: Access rejected for bbuilder: Bad
> Encrypted password
> Fri Feb  1 13:55:50 2002: DEBUG: Packet dump:
> *** Sending to 192.168.0.11 port 1025 ....
> Code:       Access-Reject
> Identifier: 61
> Authentic:  A<223><246><167><165>y<162>^T<177><130><239><158><232><175>:
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> ************************************************************************
> *************************************************************
>
>
>
> # ad-ldap.cfg
> #
> # Example Radiator configuration file for authenticating from
> # Active Directory via LDAP2, possibly from a Unix host.
> #
> # This very simple file will allow you to get started with
> # a simple LDAP authentication system from AD.
> #
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> #
> # You should consider this file to be a starting point only
> # $Id: ad-ldap.cfg,v 1.1 2001/05/17 05:33:34 mikem Exp $
>
> Foreground
> LogStdout
> LogDir          /var/log/radacct/radius
> DbDir           .
> Trace           4
> LogFile         %L/%Y-logfile
>
> DictionaryFile /home/amaguire/Radiator/dictionary.ascend
>
>
> # You will probably want to add other Clients to suit your site.
> <Client localhost>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <Client 192.168.0.11>
>         Secret  xxxxxxx
>         DupInterval 0
> </Client>
>
> # Authenticates users in the Organisational Unit called 'csx users'
> # The user name coming from the NAS must match the sAMAccountName
> # attribute of a user in that OU./ Users that are not in 'csx users'
> # will not be able to log in.
> <Realm DEFAULT>
>         <AuthBy LDAP2>
>                 Host            192.168.0.6
>                 AuthDN cn=Proxy User,ou=Resources,ou=Globe.Net
> Communications Ltd,dc=gnc,dc=net,dc=nz
> #               AuthPassword    yourADadminpasswordhere
>                 AuthPassword    xxxxxx
>                 BaseDN          ou=People,ou=Globe.Net Communications
> Ltd,dc=gnc,dc=net,dc=nz
>                 ServerChecksPassword
>                 UsernameAttr sAMAccountName
> #               PasswordAttr msSFUPassword
>
> #               AuthAttrDef logonHours,MS-Login-Hours,check
>
>                 AddToReply Service-Type = Framed-User,\
>                         Framed-Protocol = PPP,\
>                         Framed-Netmask = 255.255.255.255,\
>                         Framed-Routing = None,\
>                         Ascend-Idle-Limit = 900,\
>                         Framed-Compression = Van-Jacobson-TCP-IP,\
>                         Ascend-Maximum-Channels = 1
>
> #               AuthAttrDef
> msRADIUSFramedIPAddress,Framed-IP-Address,reply
>                 AuthAttrDef
> msRADIUSCallbackNumber,Framed-IP-Address,reply
> #               AuthAttrDef ,Framed-Protocol,reply
> #               AuthAttrDef ,User-Service,reply
> #               AuthAttrDef msRADIUSCallbackNumber,Callback-Number,reply
>                 # Caller-ID Check.
>                 AuthAttrDef msNPCallingStationID,Caller-Id,check
>         </AuthBy>
>         AcctLogFileName %L/%Y-%v-detail
> </Realm>
>
> -------------------------------------------------------

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
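The reason behind Hugh's first point, as an added example (not Radiator code): with PAP the server recovers the cleartext User-Password from the RFC 2865 obfuscation and can hash it against a one-way store, whereas CHAP only delivers MD5(id || password || challenge), which the server can recompute only from a cleartext password. The '{SHA}' store format and the helper names are assumed; the challenge is the CHAP-Challenge attribute or, absent that, the Request Authenticator.

```python
# Added example, not Radiator code: PAP vs CHAP against a hashed password store.
import base64
import hashlib
import secrets

SECRET = b"mysecret"  # shared secret from the <Client localhost> clause

def ldap_sha(password: bytes) -> str:
    """Assumed one-way '{SHA}' userPassword form for a hashed LDAP store."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def pap_encode(password: bytes, authenticator: bytes, secret: bytes = SECRET) -> bytes:
    """Client side of RFC 2865 5.2: pad to 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)

def pap_decode(encoded: bytes, authenticator: bytes, secret: bytes = SECRET) -> bytes:
    """Server side: the same XOR chain recovers the cleartext password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def verify_pap(encoded: bytes, authenticator: bytes, stored: str) -> bool:
    """With the cleartext in hand the server can hash it and compare to the store."""
    return secrets.compare_digest(ldap_sha(pap_decode(encoded, authenticator)), stored)

def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client builds CHAP-Password = ident || MD5(ident || password || challenge) (RFC 1994)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def store_supports_chap(stored) -> bool:
    """CHAP can only be checked when the store yields the cleartext password (bytes here)."""
    return isinstance(stored, bytes)

def verify_chap(attr: bytes, challenge: bytes, stored) -> bool:
    """Server recomputes the digest; with a hashed store it cannot, which is
    the condition behind Radiator's 'Cant use encrypted passwords with CHAP'."""
    if not store_supports_chap(stored):
        raise ValueError("Cant use encrypted passwords with CHAP")
    return secrets.compare_digest(attr, chap_password_attr(attr[0], stored, challenge))
```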