Fw: (RADIATOR) MS-CHAP v2 killing radiusd

Tunde Itayemi aitayemi at taralos.metrong.com
Wed May 15 02:55:10 CDT 2002


Hi Hugh,
The "NAS" in this case is a Windows 2000 (VPN) Server - 2 of them infact.
Any ideas what should be added to the access-replies in this case? I have
tried
the two you suggested but no change.
Now the VPN connection returns with a "Your credentials have failed remote
network
authentication. Enter a user name and password with access to the remote
network domain.
This dialog box requests repeatedly that I re-enter my user name, password
and possibly a domain.
After about 3 tries it terminates with a user name or password invalid error
message. Am I missing
something about MSCHAPv2 or is there an extra entry I need to make to the
Client definitions for
Windows clients or something that needs to be added to the standard
dictionary?
Finally, is there anybody that has implemented a similar setup - radiator on
a Linux (RedHat7.2) box
with Windows 2000 VPN server set to use MSCHAPv2 for authentication?

Regards,
Tunde I.

----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Tunde Itayemi" <aitayemi at taralos.metrong.com>
Cc: <swilliam at metrong.com>
Sent: Wednesday, May 15, 2002 1:34 AM
Subject: Re: Fw: (RADIATOR) MS-CHAP v2 killing radiusd


>
> Hello Tunde -
>
> Thanks for sending the files.
>
> The logfile shows that the access requests are being accepted, however I
> suspect the problem now is that you must specify some reply attributes in
the
> access accept so that the NAS can set up a session. I suspect you will
need
> at least something like this:
>
> AddToReply Service-Type = Framed-User, \
> Framed-Protocol = PPP, \
> .....
>
> As far as these messages are concerned:
>
> Mon May 13 21:20:27 2002:1021328427:mikem:UNKNOWN-MS-CHAP-V2:fred:PASS
>
> they are normal. The "UNKNOWN-MS-CHAP-V2" simply means that the password
in
> the request itself is unknown because it cannot be decrypted. The "PASS"
> indicates that the password checking has succeeded.
>
> regards
>
> Hugh
>
>
> On Tue, 14 May 2002 18:27, Tunde Itayemi wrote:
> > Hi Hugh,
> >
> > Hope you haven't turned in yet - all the way from Nigeria!
> > The first successful login for the user adefolum had the
> > PAP, CHAP and MSCHAPv1 checked on the VPN client's connection.
> >
> > The unsuccessful logins had only MSCHAPv2 checked (for one) and all
> > authentication methods checked for the second. They both gave the Error
778
> > message below.
> > I have also included the password.log file - notice the
> > "UNKNOWN-MS-CHAP-V2" that is placed in the file in the place of
passwords
> > sent to radiator by the client.
> >
> > Tunde I.
> >
> > ----- Original Message -----
> > From: "Hugh Irvine" <hugh at open.com.au>
> > To: "Tunde Itayemi" <aitayemi at taralos.metrong.com>;
<radiator at open.com.au>
> > Cc: "Martyn.Brown at Team17.Com" <martyn.brown at team17.com>
> > Sent: Tuesday, May 14, 2002 12:02 AM
> > Subject: Re: Fw: (RADIATOR) MS-CHAP v2 killing radiusd
> >
> > > Hello Tunde -
> > >
> > > It would be most helpful if you could send me a copy of your
> > > configuration file, a complete trace 4 debug from Radiator showing
what
> > > is going on, and
> >
> > a
> >
> > > description of the hardware/software system that you are running.
> > >
> > > If Radiator is sending an access accept back in response to the
initial
> > > request, then it is likely that you need some additional reply
> > > attributes.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On Tue, 14 May 2002 06:32, Tunde Itayemi wrote:
> > > > ----- Original Message -----
> > > > From: Tunde Itayemi
> > > > To: Tunde Itayemi
> > > > Sent: Monday, May 13, 2002 8:38 PM
> > > > Subject: Re: (RADIATOR) MS-CHAP v2 killing radiusd
> > > >
> > > >
> > > > Hi all,
> > > > new development - I downloaded SHA perl module and installed it.
Now,
> >
> > the
> >
> > > > radiusd does not crash anymore but I can't get it to authenticate
with
> > > > MSCHAPv2. I get the message below when I do a VPN to my radius
server:
> > > >
> > > > Verifying username and password...
> > > > Error 778: It was not possible to verify the identity of the server.
> > > >
> > > > Also, I noticed that the logfile states that radiator is sending
> > > > access-accept packets to the NAS (windows 2K server) and yet, I keep
> > > > getting the message above on the test client. Bu the password.log
gives
> > > > messages of the form:
> > > >
> > > > Mon May 13 21:20:27
2002:1021328427:mikem:UNKNOWN-MS-CHAP-V2:fred:PASS
> > > >
> > > > Any ideas about all these discrepancies?
> > > >
> > > > Tunde I.
> > > >   ----- Original Message -----
> > > >   From: Tunde Itayemi
> > > >   To: Tichahleyi Mpofu
> > > >   Cc: Hugh at Open.Com.Au ; Mike McCauley
> > > >   Sent: Monday, May 13, 2002 8:03 PM
> > > >   Subject: Re: (RADIATOR) MS-CHAP v2 killing radiusd
> > > >
> > > >
> > > >   Hi,
> > > >
> > > >   I downloaded the Digest-MD4-1.1.tar.gz and installed it. Have you
> > > > actually authenticated a user with MS CHAP v2?
> > > >   Also, with all the CHAP variants, I get something in the nature of
> > > >
> > > >   Mon May 13 18:49:44 2002:1021319384:oan:UNKNOWN-MS-CHAP::FAIL
> > > >
> > > >   Note that it could not decode the password sent to it by the
client.
> > > >   By the way, do you have the Digest-SHA perl module installed? I
get
> >
> > the
> >
> > > > error below when I test radiator with radpwtst with the mschap2
switch
> > > > e.g., radpwtst -mschapv2 -user mikem -password fred -nas_ip_address
> > > > 192.160.0.4
> > > >
> > > >   Can't locate SHA.pm in @INC (@INC contains: .
> > > > /usr/lib/perl5/5.6.0/i386-linux /u sr/lib/perl5/5.6.0
> > > > /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site
> >
> > _perl/5.6.0
> >
> > > > /usr/lib/perl5/site_perl .) at /usr/lib/perl5/site_perl/5.6.0/Radius
> > > > /MSCHAP.pm line 131.
> > > >
> > > >   where can I get a "working" SHA perl module - assuming it is the
> > > > cause
> >
> > of
> >
> > > > my problems? The one I downloaded from CPAN refuse to install
> > > > (Digest-SHA1-2.01.tar.gz)
> > > >
> > > >   Hope to hear from you soon.
> > > >   Regards,
> > > >   Tunde I.
> > > >     ----- Original Message -----
> > > >     From: Tichahleyi Mpofu
> > > >     To: Tunde Itayemi
> > > >     Sent: Monday, May 13, 2002 6:22 PM
> > > >     Subject: Re: (RADIATOR) MS-CHAP v2 killing radiusd
> > > >
> > > >
> > > >     i installed MD4 perl module and it worked for me.
> > > >     Regards
> > > >     Tich
> > > >
> > > >       ----- Original Message -----
> > > >       From: Tunde Itayemi
> > > >       To: Mike McCauley
> > > >       Cc: Hugh at Open.Com.Au ; radiator at open.com.au
> > > >       Sent: Monday, May 13, 2002 5:48 PM
> > > >       Subject: (RADIATOR) MS-CHAP v2 killing radiusd
> > > >
> > > >
> > > >       Hi Mike, Hugh and All,
> > > >
> > > >       I found out through trial and error that it is MS CHAP v2 that
is
> > > > killing the radius server. According to you - support for it has
been
> >
> > added
> >
> > > > since last year. Is there a bug in there? I have installed MD4 perl
> >
> > module.
> >
> > > >       I have also tried downloading the file Radiator-3.0.tgz at
your
> >
> > site,
> >
> > > > extracting just the AuthGeneric file and using it to replace the
> >
> > original
> >
> > > > one installed by the RPM but it had no effect?
> > > >
> > > >       What is responsible? That is what is stopping me from taking
> >
> > radiator
> >
> > > > live!
> > > >
> > > >       Hope to hear from you really soon.
> > > >
> > > >       Regards,
> > > >       Tunde I.
> > >
> > > --
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > > -
> > > Nets: internetwork inventory and management - graphical, extensible,
> > > flexible with hardware, software, platform and database independence.
> > > ===
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list