(RADIATOR) Auth by NT group & Radius rejects expired passwords

neil d. quiogue quioguen at cpcnet-hk.com
Wed Jul 17 22:39:44 CDT 2002 

Hello Richard,

Are you running it in a UNIX-based system?  If so then NT Global Groups (Group check item) are not enforced.

FYI, The Group check item does not work with Local Groups.

Regards,

Neil D. Quiogue
 
"Information and attachments herein are intended for the named recipients
only.  It may contain attorney-client privileged or confidential matter.
If you have received this message in error, please notify the sender
immediately, and destroy the original message.  Do not disclose the
contents to anyone.  Thank you."
  ----- Original Message ----- 
  From: Richard_Challinor at kaz.com.au 
  To: radiator at open.com.au 
  Sent: Thursday, July 18, 2002 10:02 AM
  Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


  Hugh

  Here is the copy the trace 4 debug. As you can see we are using a user called "radius". This user is not a member of the group "Dialup" and should be rejected.

  We downloaded the updated file AuthNT.pm. We have not tested this yet but will soon and I will feed back our success to you for expired passwords. 

  Thanks
  Richard 


  Fri Jul 12 15:05:37 2002: DEBUG: Reading users file /usr/local/etc/radius/users

  Fri Jul 12 15:05:38 2002: INFO: Server started: Radiator 3.1 on KWGENLX01

  Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

  *** Received from 127.0.0.1 port 32903 ....

  Code: Access-Request

  Identifier: 96

  Authentic: 1234567890123456

  Attributes:

  User-Name = "radius"

  Service-Type = Framed-User

  NAS-IP-Address = 203.63.154.1

  NAS-Port = 1234

  Called-Station-Id = "123456789"

  Calling-Station-Id = "987654321"

  NAS-Port-Type = Async

  User-Password = "<137><234>,<222><216>3v<146><188>8<9><160><216>}x<153>"

  Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'

  Wed Jul 17 20:18:22 2002: DEBUG: Deleting session for radius, 203.63.154.1, 1234

  Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers

  Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE looks for match with radius

  Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT

  Wed Jul 17 20:18:22 2002: DEBUG: Handling with NT

  Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE ACCEPT: 

  Wed Jul 17 20:18:22 2002: DEBUG: Access accepted for radius

  Wed Jul 17 20:18:22 2002: WARNING: No such attribute Framed-Protocal

  Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

  *** Sending to 127.0.0.1 port 32903 ....

  Code: Access-Accept

  Identifier: 96

  Authentic: 1234567890123456

  Attributes:

  Service-Type = Framed-User

  Framed-Protocal = PPP

  Framed-IP-Address = 255.255.255.254

  Framed-IP-Netmask = 255.255.255.255

  Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

  *** Received from 127.0.0.1 port 32903 ....

  Code: Accounting-Request

  Identifier: 97

  Authentic: <216>!<211><234><146><8>!<231><131>DC<4>-<214><16>p

  Attributes:

  User-Name = "radius"

  Service-Type = Framed-User

  NAS-IP-Address = 203.63.154.1

  NAS-Port = 1234

  NAS-Port-Type = Async

  Acct-Session-Id = "00001234"

  Acct-Status-Type = Start

  Called-Station-Id = "123456789"

  Calling-Station-Id = "987654321"

  Framed-IP-Address = 255.255.255.254

  Acct-Delay-Time = 0

  Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'

  Wed Jul 17 20:18:22 2002: DEBUG: Adding session for radius, 203.63.154.1, 1234

  Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers

  Wed Jul 17 20:18:22 2002: DEBUG: Accounting accepted

  Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

  *** Sending to 127.0.0.1 port 32903 ....

  Code: Accounting-Response

  Identifier: 97

  Authentic: <216>!<211><234><146><8>!<231><131>DC<4>-<214><16>p

  Attributes:

  Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

  *** Received from 127.0.0.1 port 32903 ....

  Code: Accounting-Request

  Identifier: 98

  Authentic: <180><189><208><251><201>\5A at K<0>f<210><186>n<217>

  Attributes:

  User-Name = "radius"

  Service-Type = Framed-User

  NAS-IP-Address = 203.63.154.1

  NAS-Port = 1234

  NAS-Port-Type = Async

  Acct-Session-Id = "00001234"

  Acct-Status-Type = Stop

  Called-Station-Id = "123456789"

  Calling-Station-Id = "987654321"

  Framed-IP-Address = 255.255.255.254

  Acct-Delay-Time = 0

  Acct-Session-Time = 1000

  Acct-Input-Octets = 20000

  Acct-Output-Octets = 30000

  Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'

  Wed Jul 17 20:18:22 2002: DEBUG: Deleting session for radius, 203.63.154.1, 1234

  Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers

  Wed Jul 17 20:18:22 2002: DEBUG: Accounting accepted

  Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

  *** Sending to 127.0.0.1 port 32903 ....

  Code: Accounting-Response

  Identifier: 98

  Authentic: <180><189><208><251><201>\5A at K<0>f<210><186>n<217>

  Attributes:




  -----Forwarded by Richard Challinor/Perth/KAZ/AU on 07/18/2002 09:39AM -----

  To: radiator at open.com.au
  From: owner-radiator at open.com.au
  Date: 07/11/2002 05:15PM
  Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


  Hugh

  I made the changes as sugested. I used the sample cfg file you sent me previouly and used the examples Ash provided us. When using radius pwtest it checks the username and password aganist NT domain OK. But still dose not check if the user is in the NT group. Could you have a look at our new config files attached and tell us were we are going wrong.

  Thanks
  Richard Challinor 

  # define AuthBy clauses





  <AuthBy NT>

  Identifier CheckPrimary

  Domain KWI_CSBP

  DomainController KWI_NT5


  </AuthBy>

  <AuthBy NT>


  Identifier CheckBackup

  Domain KWI_CSBP

  DomainController KWDRPNT01


  </AuthBy>



  <AuthBy FILE>


  Identifier CheckUsers

  Filename /usr/local/etc/radius/users

  AddToReply Service-Type = Framed-User, \

  Framed-Protocal = PPP, \

  Framed-IP-Address = 255.255.255.254, \

  Framed-IP-Netmask = 255.255.255.255

  </AuthBy>

  <Realm DEFAULT>

  AuthBy CheckUsers 

  # Log accounting to a detail file

  AcctLogFileName %L/detail


  </Realm>



  # Full copy of users our "users" file below

  DEFAULT Auth-Type = CheckPrimary, Group = Dialup

  DEFAULT Auth-Type = CheckBackup, Group = Dialup


   
  -----owner-radiator at open.com.au wrote: -----

  To: Richard_Challinor at kaz.com.au, radiator at open.com.au
  From: owner-radiator at open.com.au
  Date: 06/29/2002 09:00AM
  Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


Hello Richard -I notice that Ashley Kent has already sent you an example (thanks Ash).You should also note that there is a patched version of AuthNT.pm for Radiator 3.1 that implements a number of new flags for dealing with password expiry, etc.Finally, there is usually no way to prompt a client for anything as the dialup client doesn't display any return messages (ie: Microsoft).regardsHughOn Fri, 28 Jun 2002 15:16, Richard_Challinor at kaz.com.au wrote:> We would like Radiator to auth to an NT group on the Domain. But we are> unsure of how to get it working. We have been trying to use the Group => XXX, but we must have the syntax wrong. If we could get an example> Radius.cfg to copy from someone it would help heaps.>> We also have an issue were Radiator rejects expired passwords for clients> logging on. Is there a way to have the client prompted to change the> expired password when dialing in.>> I have included a copy of our radius.cfg. Please make explanations simple> as we are newbies. :-)>> Thanks> Richard>>> # define AuthBy clauses>> <Realm DEFAULT>> <AuthBy NT>>> Identifier CheckPrimary>           Domain KWI_CSBP>           DomainController KWI_NT5>>      </AuthBy>>> <AuthBy NT>> Identifier CheckBackup>           Domain KWI_CSBP>           DomainController KWDRPNT01>>      </AuthBy>>>>         <AuthBy NT>>                 AddToReply Service-Type = Framed-User, \>           Framed-Protocal = PPP, \>           Framed-IP-Address = 255.255.255.254, \>           Framed-IP-Netmask = 255.255.255.255>      </AuthBy>>> # Log accounting to a detail file>      AcctLogFileName %L/detail>> </Realm>>>>> ===> Archive at http://www.open.com.au/archives/radiator/> Announcements on radiator-announce at open.com.au> To unsubscribe, email 'majordomo at open.com.au' with> 'unsubscribe radiator' in the body of the message.-- Radiator: the most portable, flexible and configurable RADIUS serveranywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.-Nets: internetwork inventory and management - graphical, extensible,flexible with hardware, software, platform and database independence.===Archive at http://www.open.com.au/archives/radiator/Announcements on radiator-announce at open.com.auTo unsubscribe, email 'majordomo at open.com.au' with'unsubscribe radiator' in the body of the message.= Archive at http://www.open.com.au/archives/radiator/ Announcements on radiator-announce at open.com.au To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the message. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20020718/22be1784/attachment.html>

More information about the radiator mailing list