(RADIATOR) FW: Help with AuthBy LSA

Mike McCauley mikem at open.com.au
Sun Aug 10 05:35:25 CDT 2003


Hello Steve,


On Sun, 10 Aug 2003 12:47 am, Steve Rogers wrote:
> Hello,
>
> I have changed the password a couple of times after the "store passwords
> in reversible encryption" and still it fails. I've rebooted the machine
> and tried creating new user accounts and authenticating against those,
> but chap still fails.
>
> Am I still missing something? I'd really appreciate any ideas.

I'm not sure what the problem is, but you might try this:

In Control Panel
	Administrative tools
		Local Security Settings
			Account Policies
				Password Policy
					Store passwords using reversible encryption for all users in the domain
						Enabled

On the XP Radiator host (as opposed to the user account in the domain 
controller)

Hope that helps.
Please let me know.

Cheers.

>
> Steve
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: 09 August 2003 01:06
> To: Steve Rogers
> Subject: Re: Help with AuthBy LSA
>
>
> Hello Steve,
>
> On Sat, 9 Aug 2003 07:47 am, Steve Rogers wrote:
> > Hi Mike,
> >
> > I've been trying out the new AuthBy LSA code and I can't get chap to
> > work. Pap, mschap work flawlessly. The user accounts are on the local
> > machine so there's no AD/NT domain.
> >
> > I'm using Radiator 3.6 on Windows XP Pro (SP1) with Activestate Perl
> > 5.6.1 and the Win32-Lsa perl module. The config file is the lsa.cfg
> > from goodies dir in the Radiator distribution.
> >
> > Radiator is running with Admin privs, with act as part of operating
> > system and the local computer policy has store passwords in reversible
> > encryption enabled.
>
> That sounds all OK, but if you turned on "store passwords in reversible
> encryption" _after_ the user's password has been set in AD, you will need to
> _reset_ the password in AD, else it does not really have the reversible
> password stored.
>
> Hope that helps.
>
> BTW, it would be better if you address any future technical questions you
> might have to the Radiator mailing list. That way others can learn
> from the question and answer, and possibly contribute in areas where I
> am not expert. Also, we have other staff on the mailing list who can
> respond when I am not available.
>
> You can join the Radiator mailing list by sending email with the
> single word subscribe in the body (not in the subject line) to
> radiator-request at open.com.au
> There is an archive at http://www.open.com.au/archives/radiator/
> Cheers.
>
> > Here's the debug - first is pap auth, then mschap and finally chap which
> > has the following warning:
> >
> > WARNING: Could not LogonUserNetworkCHAP:
> >
> >
> > D:\Radiator\Radiator-3.6>perl radiusd -config_file lsa.cfg
> > Fri Aug  8 22:44:12 2003: DEBUG: Finished reading configuration file 'lsa.cfg'
> > Fri Aug  8 22:44:12 2003: DEBUG: Reading dictionary file './dictionary'
> > Fri Aug  8 22:44:12 2003: DEBUG: Creating authentication port 0.0.0.0:1645
> > Fri Aug  8 22:44:12 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> > Fri Aug  8 22:44:12 2003: NOTICE: Server started: Radiator 3.6 on ROGERSSLT1
> > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1120 ....
> > Code:       Access-Request
> > Identifier: 85
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stever"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
> >
> > Fri Aug  8 22:44:40 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Aug  8 22:44:40 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > Fri Aug  8 22:44:40 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > Fri Aug  8 22:44:40 2003: DEBUG: Access accepted for stever
> > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1120 ....
> > Code:       Access-Accept
> > Identifier: 85
> > Authentic:  1234567890123456
> > Attributes:
> >
> > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1121 ....
> > Code:       Access-Request
> > Identifier: 90
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stever"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         MS-CHAP-Challenge = "<16>-<181><223><8>]0A"
> >         MS-CHAP-Response =
> > "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
> > 0><0><0><0><0><0><0><0><0><221><167>J<174>`<22><150>Md<11><177><185>1<
> > 0>23
> > 3><209><
> > 156><188>O<234><205><243><24>sn"
> >
> > Fri Aug  8 22:44:46 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Aug  8 22:44:46 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > Fri Aug  8 22:44:46 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > Fri Aug  8 22:44:46 2003: DEBUG: Access accepted for stever
> > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1121 ....
> > Code:       Access-Accept
> > Identifier: 90
> > Authentic:  1234567890123456
> > Attributes:
> >
> > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1122 ....
> > Code:       Access-Request
> > Identifier: 95
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stever"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         CHAP-Password = 5?<130>,<147><209><201><179><193><141><224><227>x<219><219><163>i
> >         CHAP-Challenge = 1234567890123456
> >
> > Fri Aug  8 22:44:51 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Aug  8 22:44:51 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > Fri Aug  8 22:44:51 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > Fri Aug  8 22:44:51 2003: WARNING: Could not LogonUserNetworkCHAP: The specified procedure could not be found.
> >
> > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed
> > Fri Aug  8 22:44:51 2003: INFO: Access rejected for stever: AuthBy LSA Password check failed
> > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1122 ....
> > Code:       Access-Reject
> > Identifier: 95
> > Authentic:  1234567890123456
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> >
> > Can you help?
> >
> > Steve

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
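
Added example, not part of the original thread and not Radiator's code: to check a CHAP-Password (RFC 1994 / RFC 2865) the server must recompute MD5 over the CHAP ident, the cleartext password and the challenge, which is why the thread turns on Windows storing passwords with reversible encryption, while PAP and MS-CHAP can be checked against a stored hash. The password, the ident and the SHA-256 stand-in for a one-way password store are constructed assumptions.

```python
import hashlib
import hmac


def parse_chap_password(attr: bytes) -> tuple:
    """Split a RADIUS CHAP-Password value: 1-octet CHAP ident + 16-octet response."""
    if len(attr) != 17:
        raise ValueError(f"CHAP-Password must be 17 octets, got {len(attr)}")
    return attr[0], attr[1:]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Recompute the response from what the server has stored and compare."""
    ident, response = parse_chap_password(attr)
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample request (same challenge shape as the debug output above).
CHALLENGE = b"1234567890123456"
PASSWORD = b"constructed-password"   # assumption: the user's real password
IDENT = 53                           # constructed CHAP ident
CLIENT_ATTR = bytes([IDENT]) + chap_response(IDENT, PASSWORD, CHALLENGE)


def compare_stores() -> dict:
    """Verify the same request against two kinds of server-side password store."""
    # Stand-in for any one-way store: the server cannot get PASSWORD back from it.
    one_way = hashlib.sha256(PASSWORD).digest()
    return {
        "recoverable_cleartext": verify_chap(CLIENT_ATTR, CHALLENGE, PASSWORD),
        "one_way_hash_only": verify_chap(CLIENT_ATTR, CHALLENGE, one_way),
    }


if __name__ == "__main__":
    print(compare_stores())
```

The one-way store fails even though the user typed the right password, because the hash of the password is not the secret that went into the MD5.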

