(RADIATOR) Auth by NT group & Radius rejects expired passwords

neil d. quiogue quioguen at cpcnet-hk.com
Thu Jul 18 00:04:17 CDT 2002


Hello Richard,

Unfortunately, it's a limitation of the Authen::SMB module (or is it more on the smbval library).

As of now, the only thing I can think of is to install RADIUS on the NT machine.  But this might not be an option for you.

Regards,

Neil D. Quiogue
 
"Information and attachments herein are intended for the named recipients
only.  It may contain attorney-client privileged or confidential matter.
If you have received this message in error, please notify the sender
immediately, and destroy the original message.  Do not disclose the
contents to anyone.  Thank you."


  ----- Original Message ----- 
  From: Richard_Challinor at kaz.com.au 
  To: quioguen at cpcnet-hk.com 
  Cc: radiator at open.com.au 
  Sent: Thursday, July 18, 2002 12:05 PM
  Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


  Neil

  Thanks for the reply. Yes, we are using Redhat 7.3. Do you know of a workaround? 

  Hugh

  It sounds like Neil has hit the nail on the head.


  Thanks
  Richard 

   
  -----"neil d. quiogue" <quioguen at cpcnet-hk.com> wrote: -----

  To: <radiator at open.com.au>, <Richard_Challinor at kaz.com.au>
  From: "neil d. quiogue" <quioguen at cpcnet-hk.com>
  Date: 07/18/2002 11:39AM
  Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


  Hello Richard,

  Are you running it in a UNIX-based system?  If so then NT Global Groups (Group check item) are not enforced.

  FYI, the Group check item does not work with Local Groups.

  Regards,

  Neil D. Quiogue
    ----- Original Message ----- 
    From: Richard_Challinor at kaz.com.au 
    To: radiator at open.com.au 
    Sent: Thursday, July 18, 2002 10:02 AM
    Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


    Hugh

    Here is a copy of the trace 4 debug. As you can see we are using a user called "radius". This user is not a member of the group "Dialup" and should be rejected.

    We downloaded the updated file AuthNT.pm. We have not tested this yet but will soon and I will feed back our success to you for expired passwords. 

    Thanks
    Richard 


    Fri Jul 12 15:05:37 2002: DEBUG: Reading users file /usr/local/etc/radius/users
    Fri Jul 12 15:05:38 2002: INFO: Server started: Radiator 3.1 on KWGENLX01
    Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
    *** Received from 127.0.0.1 port 32903 ....
    Code: Access-Request
    Identifier: 96
    Authentic: 1234567890123456
    Attributes:
    User-Name = "radius"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = "<137><234>,<222><216>3v<146><188>8<9><160><216>}x<153>"
    Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Jul 17 20:18:22 2002: DEBUG: Deleting session for radius, 203.63.154.1, 1234
    Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers
    Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE looks for match with radius
    Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
    Wed Jul 17 20:18:22 2002: DEBUG: Handling with NT
    Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE ACCEPT: 
    Wed Jul 17 20:18:22 2002: DEBUG: Access accepted for radius
    Wed Jul 17 20:18:22 2002: WARNING: No such attribute Framed-Protocal
    Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 32903 ....
    Code: Access-Accept
    Identifier: 96
    Authentic: 1234567890123456
    Attributes:
    Service-Type = Framed-User
    Framed-Protocal = PPP
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
    *** Received from 127.0.0.1 port 32903 ....
    Code: Accounting-Request
    Identifier: 97
    Authentic: <216>!<211><234><146><8>!<231><131>DC<4>-<214><16>p
    Attributes:
    User-Name = "radius"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = "00001234"
    Acct-Status-Type = Start
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    Framed-IP-Address = 255.255.255.254
    Acct-Delay-Time = 0
    Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Jul 17 20:18:22 2002: DEBUG: Adding session for radius, 203.63.154.1, 1234
    Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers
    Wed Jul 17 20:18:22 2002: DEBUG: Accounting accepted
    Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 32903 ....
    Code: Accounting-Response
    Identifier: 97
    Authentic: <216>!<211><234><146><8>!<231><131>DC<4>-<214><16>p
    Attributes:
    Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
    *** Received from 127.0.0.1 port 32903 ....
    Code: Accounting-Request
    Identifier: 98
    Authentic: <180><189><208><251><201>\5A at K<0>f<210><186>n<217>
    Attributes:
    User-Name = "radius"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = "00001234"
    Acct-Status-Type = Stop
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    Framed-IP-Address = 255.255.255.254
    Acct-Delay-Time = 0
    Acct-Session-Time = 1000
    Acct-Input-Octets = 20000
    Acct-Output-Octets = 30000
    Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Jul 17 20:18:22 2002: DEBUG: Deleting session for radius, 203.63.154.1, 1234
    Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers
    Wed Jul 17 20:18:22 2002: DEBUG: Accounting accepted
    Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 32903 ....
    Code: Accounting-Response
    Identifier: 98
    Authentic: <180><189><208><251><201>\5A at K<0>f<210><186>n<217>
    Attributes:




    -----Forwarded by Richard Challinor/Perth/KAZ/AU on 07/18/2002 09:39AM -----

    To: radiator at open.com.au
    From: owner-radiator at open.com.au
    Date: 07/11/2002 05:15PM
    Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


    Hugh

    I made the changes as suggested. I used the sample cfg file you sent me previously and used the examples Ash provided us. When using radius pwtest it checks the username and password against the NT domain OK. But it still does not check if the user is in the NT group. Could you have a look at our new config files attached and tell us where we are going wrong.

    Thanks
    Richard Challinor 

    # define AuthBy clauses

    <AuthBy NT>
        Identifier CheckPrimary
        Domain KWI_CSBP
        DomainController KWI_NT5
    </AuthBy>

    <AuthBy NT>
        Identifier CheckBackup
        Domain KWI_CSBP
        DomainController KWDRPNT01
    </AuthBy>

    <AuthBy FILE>
        Identifier CheckUsers
        Filename /usr/local/etc/radius/users
        # Note: "Framed-Protocal" is misspelled (the dictionary attribute is
        # Framed-Protocol); this is what produces the
        # "WARNING: No such attribute Framed-Protocal" line in the trace above
        AddToReply Service-Type = Framed-User, \
            Framed-Protocal = PPP, \
            Framed-IP-Address = 255.255.255.254, \
            Framed-IP-Netmask = 255.255.255.255
    </AuthBy>

    <Realm DEFAULT>
        AuthBy CheckUsers
        # Log accounting to a detail file
        AcctLogFileName %L/detail
    </Realm>

    # Full copy of our "users" file below
    DEFAULT Auth-Type = CheckPrimary, Group = Dialup
    DEFAULT Auth-Type = CheckBackup, Group = Dialup

     
    -----owner-radiator at open.com.au wrote: -----

    To: Richard_Challinor at kaz.com.au, radiator at open.com.au
    From: owner-radiator at open.com.au
    Date: 06/29/2002 09:00AM
    Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords


Hello Richard -

I notice that Ashley Kent has already sent you an example (thanks Ash).

You should also note that there is a patched version of AuthNT.pm for Radiator 3.1 that implements a number of new flags for dealing with password expiry, etc.

Finally, there is usually no way to prompt a client for anything as the dialup client doesn't display any return messages (ie: Microsoft).

regards

Hugh

On Fri, 28 Jun 2002 15:16, Richard_Challinor at kaz.com.au wrote:
> We would like Radiator to auth to an NT group on the Domain. But we are
> unsure of how to get it working. We have been trying to use the Group =
> XXX, but we must have the syntax wrong. If we could get an example
> Radius.cfg to copy from someone it would help heaps.
>
> We also have an issue where Radiator rejects expired passwords for clients
> logging on. Is there a way to have the client prompted to change the
> expired password when dialing in?
>
> I have included a copy of our radius.cfg. Please make explanations simple
> as we are newbies. :-)
>
> Thanks
> Richard
>
> # define AuthBy clauses
>
> <Realm DEFAULT>
>     <AuthBy NT>
>         Identifier CheckPrimary
>         Domain KWI_CSBP
>         DomainController KWI_NT5
>     </AuthBy>
>
>     <AuthBy NT>
>         Identifier CheckBackup
>         Domain KWI_CSBP
>         DomainController KWDRPNT01
>     </AuthBy>
>
>     <AuthBy NT>
>         AddToReply Service-Type = Framed-User, \
>             Framed-Protocal = PPP, \
>             Framed-IP-Address = 255.255.255.254, \
>             Framed-IP-Netmask = 255.255.255.255
>     </AuthBy>
>
>     # Log accounting to a detail file
>     AcctLogFileName %L/detail
> </Realm>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
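The trace quoted earlier in this thread shows Radiator returning Access-Accept for the user "radius" even though both DEFAULT entries in the users file carry a Group = Dialup check item, and Neil's explanation is that the Group check item is not enforced when AuthBy NT runs on a UNIX host. A defender who cannot fix that at the server can at least detect it after the fact. The following Python script is an added example (not code from this thread, from Radiator, or from its authors): it parses trace-4 packet dumps in the format shown above, pairs each Access-Request with the Access-Accept for the same client and RADIUS identifier, and reports accepts for users who are in none of the groups the applicable users-file entries demand. The sample trace, the users file, the group table, and the names parse_packets, parse_users_file, required_groups and audit are all constructed for the example.

```python
"""Audit a Radiator trace-4 log for Access-Accepts that a users-file Group
check item should have prevented. Added example: the trace, users file and
group table are constructed, and every name here is chosen, not Radiator's."""
import re

# Constructed trace in the packet-dump format quoted in the thread.
SAMPLE_TRACE = """\
Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32903 ....
Code:       Access-Request
Identifier: 96
Attributes:
        User-Name = "radius"
Wed Jul 17 20:18:22 2002: DEBUG: Handling with NT
Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32903 ....
Code:       Access-Accept
Identifier: 96
Attributes:
        Service-Type = Framed-User
Wed Jul 17 20:18:23 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32904 ....
Code:       Access-Request
Identifier: 97
Attributes:
        User-Name = "alice"
Wed Jul 17 20:18:23 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32904 ....
Code:       Access-Accept
Identifier: 97
Attributes:
"""

# Constructed users file in the one-line check-item form used in the thread.
SAMPLE_USERS = """\
DEFAULT Auth-Type = CheckPrimary, Group = Dialup
DEFAULT Auth-Type = CheckBackup, Group = Dialup
"""

# Constructed stand-in for the NT domain's group membership.
SAMPLE_MEMBERSHIP = {"radius": set(), "alice": {"Dialup"}}

DUMP_RE = re.compile(r"^.*DEBUG: Packet dump:[ \t]*$", re.M)
PEER_RE = re.compile(r"^\s*\*\*\* (?:Received from|Sending to) (\S+) port (\d+)", re.M)
CODE_RE = re.compile(r"^\s*Code:\s*(\S+)", re.M)
ID_RE = re.compile(r"^\s*Identifier:\s*(\d+)", re.M)
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')
LOGLINE_RE = re.compile(r"^\s*\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}:")

def parse_packets(trace):
    """One dict per packet dump: peer (host, port), code, id, attrs."""
    packets = []
    for chunk in DUMP_RE.split(trace)[1:]:
        peer, code, ident = PEER_RE.search(chunk), CODE_RE.search(chunk), ID_RE.search(chunk)
        if not (peer and code and ident):
            continue  # truncated dump: skip rather than guess
        attrs, body = {}, chunk.partition("Attributes:")[2]
        for line in body.splitlines():
            if LOGLINE_RE.match(line):
                break  # the next timestamped log line ends the attribute list
            if m := ATTR_RE.match(line):
                attrs[m.group(1)] = m.group(2)
        packets.append({"peer": (peer.group(1), int(peer.group(2))),
                        "code": code.group(1), "id": int(ident.group(1)), "attrs": attrs})
    return packets

def parse_users_file(text):
    """[(username, {check item: value})] for one-line users-file entries."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        items = {}
        for item in (parts[1] if len(parts) > 1 else "").split(","):
            key, _, value = item.partition("=")
            if key.strip():
                items[key.strip()] = value.strip()
        entries.append((parts[0], items))
    return entries

def required_groups(entries, user):
    """Groups demanded by entries that apply to user (exact name or DEFAULT).
    Simplification: membership in any one of them is treated as sufficient."""
    return {items["Group"] for name, items in entries
            if name in (user, "DEFAULT") and "Group" in items}

def audit(trace, users_text, membership):
    """[(user, sorted required groups)] for each Access-Accept whose user
    is in none of the groups the applicable users-file entries demand."""
    entries, pending, findings = parse_users_file(users_text), {}, []
    for pkt in parse_packets(trace):
        key = (pkt["peer"], pkt["id"])  # RADIUS ids are per client, so key on both
        if pkt["code"] == "Access-Request":
            pending[key] = pkt["attrs"].get("User-Name")
        elif pkt["code"].startswith("Access-"):  # Accept, Reject or Challenge
            user = pending.pop(key, None)
            needed = required_groups(entries, user) if user else set()
            if pkt["code"] == "Access-Accept" and needed and not (needed & membership.get(user, set())):
                findings.append((user, sorted(needed)))
    return findings
```

Run against the constructed trace, audit() flags "radius" (accepted while in no group) and passes "alice". The two DEFAULT entries collapse into one requirement because the example treats membership in any demanded group as sufficient; Radiator's own fall-through order between DEFAULT entries is not modelled, and the membership table would in practice come from a domain group export rather than a literal.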