(RADIATOR) FW: Help with AuthBy LSA
Mike McCauley
mikem at open.com.au
Sat Aug 9 20:05:04 CDT 2003
Hello Steve,
On Sun, 10 Aug 2003 12:47 am, Steve Rogers wrote:
> Hello,
>
> I have changed the password a couple of times after the "store passwords
> in reversible encryption" and still it fails. I've rebooted the machine
> and tried creating new user accounts and authenticating against those,
> but chap still fails.
That should be enought to set the password properly.
>
> Am I still missing something? I'd really appreciate any ideas.
Hmmm.
Is MSCHAPV2 working OK?
Are you testing with radpwtst?
What sort of host is your AD on?
Cheers.
>
> Steve
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: 09 August 2003 01:06
> To: Steve Rogers
> Subject: Re: Help with AuthBy LSA
>
>
> Hello Steve,
>
> On Sat, 9 Aug 2003 07:47 am, Steve Rogers wrote:
> > Hi Mike,
> >
> > I've been trying out the new AuthBy LSA code and I can't get chap to
> > work. Pap, mschap work flawlessly. The user accounts are on the local
> > machine so there's no AD/NT domain.
> >
> > I'm using Radiator 3.6 on Windows XP Pro (SP1) with Activestate Perl
> > 5.6.1 and the Win32-Lsa perl module. The config file is the lsa.cfg
> > from goodies dir in the Radiator distribution.
> >
> > Radiator is running with Admin privs, with act as part of operating
> > system and the local computer policy has store passwords in reversible
> >
> > encryption enabled.
>
> Thats sounds all OK, but if you turned on "store passwords in reversible
>
> encryption" _after_ the users password has been set in AD, you will need
> to
> _reset_ the password in AD, else it does not really have the reversible
> password stored.
>
> Hope that helps.
>
> BTW, it would be better if you address any future technical questions
> you
> might have to the Radiator mailing list. That way others can learn
> from the question and answer, and possibly contribute in areas where I
> am not expert. Also, we have other staff on the mailing list who can
> respond when I am not available.
>
> You can join the Radiator mailing list by sending email with the
> single word subscribe in the body (not in the subject line) to
> radiator-request at open.com.au
> There is an archive at http://www.open.com.au/archives/radiator/
> Cheers.
>
> > He's the debug - first is pap auth, then mschap and finally chap which
> >
> > has the following warning:
> >
> > WARNING: Could not LogonUserNetworkCHAP:
> >
> >
> > D:\Radiator\Radiator-3.6>perl radiusd -config_file lsa.cfg Fri Aug 8
> > 22:44:12 2003: DEBUG: Finished reading configuration file 'lsa.cfg'
> > Fri Aug 8 22:44:12 2003: DEBUG: Reading dictionary file
>
> './dictionary'
>
> > Fri Aug 8 22:44:12 2003: DEBUG: Creating authentication port
> > 0.0.0.0:1645
> > Fri Aug 8 22:44:12 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> > Fri Aug 8 22:44:12 2003: NOTICE: Server started: Radiator 3.6 on
> > ROGERSSLT1
> > Fri Aug 8 22:44:40 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1120 ....
> > Code: Access-Request
> > Identifier: 85
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "stever"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password =
> > "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153
> >
> > >"
> >
> > Fri Aug 8 22:44:40 2003: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT' Fri Aug 8 22:44:40 2003: DEBUG: Deleting session for
> >
> > stever, 203.63.154.1, 123
> > 4
> > Fri Aug 8 22:44:40 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug 8 22:44:40 2003: DEBUG: Radius::AuthLSA looks for match with
> > stever
> > Fri Aug 8 22:44:40 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > Fri Aug 8 22:44:40 2003: DEBUG: Access accepted for stever
> > Fri Aug 8 22:44:40 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1120 ....
> > Code: Access-Accept
> > Identifier: 85
> > Authentic: 1234567890123456
> > Attributes:
> >
> > Fri Aug 8 22:44:46 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1121 ....
> > Code: Access-Request
> > Identifier: 90
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "stever"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > MS-CHAP-Challenge = "<16>-<181><223><8>]0A"
> > MS-CHAP-Response =
> > "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
> > 0><0><0><0><0><0><0><0><0><221><167>J<174>`<22><150>Md<11><177><185>1<
> > 0>23
> > 3><209><
> > 156><188>O<234><205><243><24>sn"
> >
> > Fri Aug 8 22:44:46 2003: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT' Fri Aug 8 22:44:46 2003: DEBUG: Deleting session for
> >
> > stever, 203.63.154.1, 123
> > 4
> > Fri Aug 8 22:44:46 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug 8 22:44:46 2003: DEBUG: Radius::AuthLSA looks for match with
> > stever
> > Fri Aug 8 22:44:46 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > Fri Aug 8 22:44:46 2003: DEBUG: Access accepted for stever
> > Fri Aug 8 22:44:46 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1121 ....
> > Code: Access-Accept
> > Identifier: 90
> > Authentic: 1234567890123456
> > Attributes:
> >
> > Fri Aug 8 22:44:51 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1122 ....
> > Code: Access-Request
> > Identifier: 95
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "stever"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > CHAP-Password =
> > 5?<130>,<147><209><201><179><193><141><224><227>x<219><2
> > 19><163>i
> > CHAP-Challenge = 1234567890123456
> >
> > Fri Aug 8 22:44:51 2003: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT' Fri Aug 8 22:44:51 2003: DEBUG: Deleting session for
> >
> > stever, 203.63.154.1, 123
> > 4
> > Fri Aug 8 22:44:51 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug 8 22:44:51 2003: DEBUG: Radius::AuthLSA looks for match with
> > stever
> > Fri Aug 8 22:44:51 2003: WARNING: Could not LogonUserNetworkCHAP: The
> > specified
> > procedure could not be found.
> >
> > Fri Aug 8 22:44:51 2003: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA
> > Password che ck failed
> > Fri Aug 8 22:44:51 2003: INFO: Access rejected for stever: AuthBy LSA
> > Password
> > check failed
> > Fri Aug 8 22:44:51 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1122 ....
> > Code: Access-Reject
> > Identifier: 95
> > Authentic: 1234567890123456
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> >
> > Can you help?
> >
> > Steve
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list