(RADIATOR) FW: Help with AuthBy LSA

Mike McCauley mikem at open.com.au
Sun Aug 10 05:41:51 CDT 2003 

Hi again Steve,

more below:

On Sun, 10 Aug 2003 08:35 pm, Mike McCauley wrote:
> Hello Steve,
>
> On Sun, 10 Aug 2003 12:47 am, Steve Rogers wrote:
> > Hello,
> >
> > I have changed the password a couple of times after the "store passwords
> > in reversible encryption" and still it fails. I've rebooted the machine
> > and tried creating new user accounts and authenticating against those,
> > but chap still fails.
> >
> > Am I still missing something? I'd really appreciate any ideas.
>
> Im not sure what the problem is but you might try this:
>
> In Control Panel
> 	Administrative tools
> 		Local Security Settings
> 			Account POlicies
> 				Password Policy
> 					Store passwords using reversible encryption for all users in the
> domain Enabled
>
> On the XP Radiator host (as opposed to the user account in the domain
> controller)
>

Also these articles may be helpful for your situation:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q254/1/72.ASP&NoWebContent=1

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q289/8/84.ASP&NoWebContent=1

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/505.asp
> Hope that helps.
> Please let me know.
>
> Cheers.
>
> > Steve
> >
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: 09 August 2003 01:06
> > To: Steve Rogers
> > Subject: Re: Help with AuthBy LSA
> >
> >
> > Hello Steve,
> >
> > On Sat, 9 Aug 2003 07:47 am, Steve Rogers wrote:
> > > Hi Mike,
> > >
> > > I've been trying out the new AuthBy LSA code and I can't get chap to
> > > work. Pap, mschap work flawlessly. The user accounts are on the local
> > > machine so there's no AD/NT domain.
> > >
> > > I'm using Radiator 3.6 on Windows XP Pro (SP1) with Activestate Perl
> > > 5.6.1 and the Win32-Lsa perl module. The config file is the lsa.cfg
> > > from goodies dir in the Radiator distribution.
> > >
> > > Radiator is running with Admin privs, with act as part of operating
> > > system and the local computer policy has store passwords in reversible
> > >
> > > encryption enabled.
> >
> > Thats sounds all OK, but if you turned on "store passwords in reversible
> >
> > encryption" _after_ the users password has been set in AD, you will need
> > to
> > _reset_ the password in AD, else it does not really have the reversible
> > password stored.
> >
> > Hope that helps.
> >
> > BTW, it would be better if you address any future technical questions
> > you
> > might have to the Radiator mailing list. That way others can learn
> > from the question and answer, and possibly contribute in areas where I
> > am not expert. Also, we have other staff on the mailing list who can
> > respond when I am not available.
> >
> > You can join the Radiator mailing list by sending email with the
> > single word subscribe in the body (not in the subject line) to
> > radiator-request at open.com.au
> > There is an archive at http://www.open.com.au/archives/radiator/
> > Cheers.
> >
> > > He's the debug - first is pap auth, then mschap and finally chap which
> > >
> > > has the following warning:
> > >
> > > WARNING: Could not LogonUserNetworkCHAP:
> > >
> > >
> > > D:\Radiator\Radiator-3.6>perl radiusd -config_file lsa.cfg Fri Aug  8
> > > 22:44:12 2003: DEBUG: Finished reading configuration file 'lsa.cfg'
> > > Fri Aug  8 22:44:12 2003: DEBUG: Reading dictionary file
> >
> > './dictionary'
> >
> > > Fri Aug  8 22:44:12 2003: DEBUG: Creating authentication port
> > > 0.0.0.0:1645
> > > Fri Aug  8 22:44:12 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> > > Fri Aug  8 22:44:12 2003: NOTICE: Server started: Radiator 3.6 on
> > > ROGERSSLT1
> > > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > > *** Received from 192.168.0.2 port 1120 ....
> > > Code:       Access-Request
> > > Identifier: 85
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         User-Name = "stever"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 203.63.154.1
> > >         NAS-Port = 1234
> > >         Called-Station-Id = "123456789"
> > >         Calling-Station-Id = "987654321"
> > >         NAS-Port-Type = Async
> > >         User-Password =
> > > "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153
> > >
> > > >"
> > >
> > > Fri Aug  8 22:44:40 2003: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT' Fri Aug  8 22:44:40 2003: DEBUG:  Deleting session for
> > >
> > > stever, 203.63.154.1, 123
> > > 4
> > > Fri Aug  8 22:44:40 2003: DEBUG: Handling with Radius::AuthLSA:
> > > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA looks for match with
> > > stever
> > > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > > Fri Aug  8 22:44:40 2003: DEBUG: Access accepted for stever
> > > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > > *** Sending to 192.168.0.2 port 1120 ....
> > > Code:       Access-Accept
> > > Identifier: 85
> > > Authentic:  1234567890123456
> > > Attributes:
> > >
> > > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > > *** Received from 192.168.0.2 port 1121 ....
> > > Code:       Access-Request
> > > Identifier: 90
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         User-Name = "stever"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 203.63.154.1
> > >         NAS-Port = 1234
> > >         Called-Station-Id = "123456789"
> > >         Calling-Station-Id = "987654321"
> > >         NAS-Port-Type = Async
> > >         MS-CHAP-Challenge = "<16>-<181><223><8>]0A"
> > >         MS-CHAP-Response =
> > > "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
> > > 0><0><0><0><0><0><0><0><0><221><167>J<174>`<22><150>Md<11><177><185>1<
> > > 0>23
> > > 3><209><
> > > 156><188>O<234><205><243><24>sn"
> > >
> > > Fri Aug  8 22:44:46 2003: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT' Fri Aug  8 22:44:46 2003: DEBUG:  Deleting session for
> > >
> > > stever, 203.63.154.1, 123
> > > 4
> > > Fri Aug  8 22:44:46 2003: DEBUG: Handling with Radius::AuthLSA:
> > > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA looks for match with
> > > stever
> > > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > > Fri Aug  8 22:44:46 2003: DEBUG: Access accepted for stever
> > > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > > *** Sending to 192.168.0.2 port 1121 ....
> > > Code:       Access-Accept
> > > Identifier: 90
> > > Authentic:  1234567890123456
> > > Attributes:
> > >
> > > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > > *** Received from 192.168.0.2 port 1122 ....
> > > Code:       Access-Request
> > > Identifier: 95
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         User-Name = "stever"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 203.63.154.1
> > >         NAS-Port = 1234
> > >         Called-Station-Id = "123456789"
> > >         Calling-Station-Id = "987654321"
> > >         NAS-Port-Type = Async
> > >         CHAP-Password =
> > > 5?<130>,<147><209><201><179><193><141><224><227>x<219><2
> > > 19><163>i
> > >         CHAP-Challenge = 1234567890123456
> > >
> > > Fri Aug  8 22:44:51 2003: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT' Fri Aug  8 22:44:51 2003: DEBUG:  Deleting session for
> > >
> > > stever, 203.63.154.1, 123
> > > 4
> > > Fri Aug  8 22:44:51 2003: DEBUG: Handling with Radius::AuthLSA:
> > > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA looks for match with
> > > stever
> > > Fri Aug  8 22:44:51 2003: WARNING: Could not LogonUserNetworkCHAP: The
> > > specified
> > >  procedure could not be found.
> > >
> > > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA
> > > Password che ck failed
> > > Fri Aug  8 22:44:51 2003: INFO: Access rejected for stever: AuthBy LSA
> > > Password
> > > check failed
> > > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > > *** Sending to 192.168.0.2 port 1122 ....
> > > Code:       Access-Reject
> > > Identifier: 95
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         Reply-Message = "Request Denied"
> > >
> > >
> > > Can you help?
> > >
> > > Steve

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list