(RADIATOR) FW: Help with AuthBy LSA

Steve Rogers steve.rogers at fjserv.net
Sat Aug 9 09:47:45 CDT 2003


Hello,

I have changed the password a couple of times after the "store passwords
in reversible encryption" and still it fails. I've rebooted the machine
and tried creating new user accounts and authenticating against those,
but chap still fails.

Am I still missing something? I'd really appreciate any ideas.

Steve

-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: 09 August 2003 01:06
To: Steve Rogers
Subject: Re: Help with AuthBy LSA


Hello Steve,

On Sat, 9 Aug 2003 07:47 am, Steve Rogers wrote:
> Hi Mike,
>
> I've been trying out the new AuthBy LSA code and I can't get chap to 
> work. Pap, mschap work flawlessly. The user accounts are on the local 
> machine so there's no AD/NT domain.
>
> I'm using Radiator 3.6 on Windows XP Pro (SP1) with Activestate Perl 
> 5.6.1 and the Win32-Lsa perl module. The config file is the lsa.cfg 
> from goodies dir in the Radiator distribution.
>
> Radiator is running with Admin privs, with act as part of operating 
> system and the local computer policy has store passwords in reversible
> encryption enabled.

That sounds all OK, but if you turned on "store passwords in reversible
encryption" _after_ the user's password has been set in AD, you will need
to _reset_ the password in AD, else it does not really have the
reversible password stored.

Hope that helps.

BTW, it would be better if you address any future technical questions
you might have to the Radiator mailing list. That way others can learn
from the question and answer, and possibly contribute in areas where I
am not expert. Also, we have other staff on the mailing list who can
respond when I am not available.
 
You can join the Radiator mailing list by sending email with the 
single word subscribe in the body (not in the subject line) to 
radiator-request at open.com.au
There is an archive at http://www.open.com.au/archives/radiator/
Cheers.

>
> Here's the debug - first is pap auth, then mschap and finally chap which
> has the following warning:
>
> WARNING: Could not LogonUserNetworkCHAP:
>
>
> D:\Radiator\Radiator-3.6>perl radiusd -config_file lsa.cfg
> Fri Aug  8 22:44:12 2003: DEBUG: Finished reading configuration file 'lsa.cfg'
> Fri Aug  8 22:44:12 2003: DEBUG: Reading dictionary file './dictionary'
> Fri Aug  8 22:44:12 2003: DEBUG: Creating authentication port 0.0.0.0:1645
> Fri Aug  8 22:44:12 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Aug  8 22:44:12 2003: NOTICE: Server started: Radiator 3.6 on ROGERSSLT1
> Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.2 port 1120 ....
> Code:       Access-Request
> Identifier: 85
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "stever"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
>
> Fri Aug  8 22:44:40 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Aug  8 22:44:40 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> Fri Aug  8 22:44:40 2003: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA looks for match with stever
> Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA ACCEPT:
> Fri Aug  8 22:44:40 2003: DEBUG: Access accepted for stever
> Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.2 port 1120 ....
> Code:       Access-Accept
> Identifier: 85
> Authentic:  1234567890123456
> Attributes:
>
> Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.2 port 1121 ....
> Code:       Access-Request
> Identifier: 90
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "stever"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         MS-CHAP-Challenge = "<16>-<181><223><8>]0A"
>         MS-CHAP-Response = 
> "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
> 0><0><0><0><0><0><0><0><0><221><167>J<174>`<22><150>Md<11><177><185>1<
> 0>23
> 3><209><
> 156><188>O<234><205><243><24>sn"
>
> Fri Aug  8 22:44:46 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Aug  8 22:44:46 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> Fri Aug  8 22:44:46 2003: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA looks for match with stever
> Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA ACCEPT:
> Fri Aug  8 22:44:46 2003: DEBUG: Access accepted for stever
> Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.2 port 1121 ....
> Code:       Access-Accept
> Identifier: 90
> Authentic:  1234567890123456
> Attributes:
>
> Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.2 port 1122 ....
> Code:       Access-Request
> Identifier: 95
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "stever"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         CHAP-Password = 5?<130>,<147><209><201><179><193><141><224><227>x<219><219><163>i
>         CHAP-Challenge = 1234567890123456
>
> Fri Aug  8 22:44:51 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Aug  8 22:44:51 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> Fri Aug  8 22:44:51 2003: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA looks for match with stever
> Fri Aug  8 22:44:51 2003: WARNING: Could not LogonUserNetworkCHAP: The specified procedure could not be found.
>
> Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed
> Fri Aug  8 22:44:51 2003: INFO: Access rejected for stever: AuthBy LSA Password check failed
> Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.2 port 1122 ....
> Code:       Access-Reject
> Identifier: 95
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> Can you help?
>
> Steve

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
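
Background to the "store passwords in reversible encryption" requirement discussed in this thread, as an added example (not part of the original messages, and not Radiator or Win32-Lsa code): a CHAP response is MD5 over the CHAP identifier, the password and the challenge (RFC 1994), so a server can only check it if it can recover the cleartext password. The password and the SHA-256 stand-in for a one-way stored form are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: MD5 over identifier || secret || challenge.
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, cleartext) -> bool:
    # RADIUS CHAP-Password (RFC 2865 section 5.3) is the 1-byte CHAP
    # identifier followed by the 16-byte response.
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 + 16 bytes")
    if cleartext is None:
        # Account was stored one-way only: nothing to feed into the MD5.
        raise LookupError("no recoverable cleartext for this account")
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, cleartext, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    # Constructed sample values; the challenge string matches the test
    # client's CHAP-Challenge in the log above, the password is made up.
    challenge = b"1234567890123456"
    password = b"example-password"
    chap_id = 0x35
    attr = bytes([chap_id]) + chap_response(chap_id, password, challenge)

    # Stand-in for a one-way stored form (SHA-256 here, an assumption for
    # illustration; Windows stores an NT hash, not SHA-256).
    one_way = hashlib.sha256(password).digest()

    results = {
        "cleartext": verify_chap(attr, challenge, password),
        "wrong_password": verify_chap(attr, challenge, b"not-the-password"),
        "one_way_hash": verify_chap(attr, challenge, one_way),
    }
    try:
        verify_chap(attr, challenge, None)
    except LookupError:
        results["no_cleartext"] = "cannot verify"
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

PAP hands the server the password itself and MS-CHAP is computed from the NT hash, which is why those two can succeed against an account for which no reversible password is stored.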

