(RADIATOR) FW: Help with AuthBy LSA

Steve Rogers steve.rogers at fjserv.net
Sun Aug 10 06:10:28 CDT 2003


Hi Mike,

Thanks for the reply.

I've done some tests with MSCHAPv2 and that works.
All the testing has been done with radpwtst from the Radiator dist.

At the moment we are just testing by using the user accounts on the
local machine that Radiator is running on. This is XP Pro.

Cheers
Steve


-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Mike McCauley
Sent: 10 August 2003 02:05
To: Steve Rogers; radiator at open.com.au
Subject: Re: (RADIATOR) FW: Help with AuthBy LSA


Hello Steve,

On Sun, 10 Aug 2003 12:47 am, Steve Rogers wrote:
> Hello,
>
> I have changed the password a couple of times after the "store 
> passwords in reversible encryption" and still it fails. I've rebooted 
> the machine and tried creating new user accounts and authenticating 
> against those, but chap still fails.

That should be enough to set the password properly.

>
> Am I still missing something? I'd really appreciate any ideas.

Hmmm.
Is MSCHAPV2 working OK?
Are you testing with radpwtst?
What sort of host is your AD on?

Cheers.

>
> Steve
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: 09 August 2003 01:06
> To: Steve Rogers
> Subject: Re: Help with AuthBy LSA
>
>
> Hello Steve,
>
> On Sat, 9 Aug 2003 07:47 am, Steve Rogers wrote:
> > Hi Mike,
> >
> > I've been trying out the new AuthBy LSA code and I can't get chap to
> > work. Pap, mschap work flawlessly. The user accounts are on the
> > local machine so there's no AD/NT domain.
> >
> > I'm using Radiator 3.6 on Windows XP Pro (SP1) with Activestate Perl
> > 5.6.1 and the Win32-Lsa perl module. The config file is the lsa.cfg
> > from goodies dir in the Radiator distribution.
> >
> > Radiator is running with Admin privs, with act as part of operating
> > system and the local computer policy has store passwords in
> > reversible encryption enabled.
>
> That sounds all OK, but if you turned on "store passwords in
> reversible encryption" _after_ the users password has been set in AD, you will
> need to _reset_ the password in AD, else it does not really have the
> reversible password stored.
>
> Hope that helps.
>
> BTW, it would be better if you address any future technical questions 
> you might have to the Radiator mailing list. That way others can learn
> from the question and answer, and possibly contribute in areas where I
> am not expert. Also, we have other staff on the mailing list who can
> respond when I am not available.
>
> You can join the Radiator mailing list by sending email with the 
> single word subscribe in the body (not in the subject line) to 
> radiator-request at open.com.au There is an archive at 
> http://www.open.com.au/archives/radiator/
> Cheers.
>
> > Here's the debug - first is pap auth, then mschap and finally chap
> > which has the following warning:
> >
> > WARNING: Could not LogonUserNetworkCHAP:
> >
> >
> > D:\Radiator\Radiator-3.6>perl radiusd -config_file lsa.cfg
> > Fri Aug  8 22:44:12 2003: DEBUG: Finished reading configuration file 'lsa.cfg'
> > Fri Aug  8 22:44:12 2003: DEBUG: Reading dictionary file './dictionary'
> > Fri Aug  8 22:44:12 2003: DEBUG: Creating authentication port 0.0.0.0:1645
> > Fri Aug  8 22:44:12 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> > Fri Aug  8 22:44:12 2003: NOTICE: Server started: Radiator 3.6 on ROGERSSLT1
> > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1120 ....
> > Code:       Access-Request
> > Identifier: 85
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stever"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
> >
> > Fri Aug  8 22:44:40 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Aug  8 22:44:40 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > Fri Aug  8 22:44:40 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > Fri Aug  8 22:44:40 2003: DEBUG: Access accepted for stever
> > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1120 ....
> > Code:       Access-Accept
> > Identifier: 85
> > Authentic:  1234567890123456
> > Attributes:
> >
> > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1121 ....
> > Code:       Access-Request
> > Identifier: 90
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stever"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         MS-CHAP-Challenge = "<16>-<181><223><8>]0A"
> >         MS-CHAP-Response = "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><221><167>J<174>`<22><150>Md<11><177><185>0>1<0>233><209><156><188>O<234><205><243><24>sn"
> >
> > Fri Aug  8 22:44:46 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Aug  8 22:44:46 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > Fri Aug  8 22:44:46 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > Fri Aug  8 22:44:46 2003: DEBUG: Access accepted for stever
> > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1121 ....
> > Code:       Access-Accept
> > Identifier: 90
> > Authentic:  1234567890123456
> > Attributes:
> >
> > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > *** Received from 192.168.0.2 port 1122 ....
> > Code:       Access-Request
> > Identifier: 95
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stever"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         CHAP-Password = 5?<130>,<147><209><201><179><193><141><224><227>x<219><219><163>i
> >         CHAP-Challenge = 1234567890123456
> >
> > Fri Aug  8 22:44:51 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Aug  8 22:44:51 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > Fri Aug  8 22:44:51 2003: DEBUG: Handling with Radius::AuthLSA:
> > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > Fri Aug  8 22:44:51 2003: WARNING: Could not LogonUserNetworkCHAP: The specified procedure could not be found.
> >
> > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed
> > Fri Aug  8 22:44:51 2003: INFO: Access rejected for stever: AuthBy LSA Password check failed
> > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > *** Sending to 192.168.0.2 port 1122 ....
> > Code:       Access-Reject
> > Identifier: 95
> > Authentic:  1234567890123456
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> >
> > Can you help?
> >
> > Steve

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
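The thread turns on why CHAP needs "store passwords using reversible encryption" while PAP and MS-CHAP work regardless, and why the policy only takes effect for passwords set after it is enabled. The following is an added illustration, not code from the mailing list or from Radiator: a minimal RADIUS CHAP check (RFC 1994, RFC 2865 section 5.3) against a constructed account store; the user name, password, CHAP ident and the SHA-256 stand-in for the one-way hash are assumptions.

```python
import hashlib
import hmac

def set_password(store, user, password, reversible_enabled):
    """Model of the account database (constructed, not Windows' real format):
    a one-way hash is always kept (SHA-256 here as a stand-in for the NT hash);
    the cleartext is kept only if 'store passwords using reversible encryption'
    was in force when the password was set. Turning the policy on later does
    nothing for existing passwords until they are reset."""
    store[user] = {
        "oneway": hashlib.sha256(password.encode()).digest(),
        "cleartext": password if reversible_enabled else None,
    }

def chap_response(ident, password, challenge):
    """Client side (radpwtst's role):
    CHAP-Password = ident || MD5(ident || secret || CHAP-Challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest

def authenticate_chap(store, user, chap_password, challenge):
    """Server side. Returns (accepted, reason). The MD5 input needs the secret
    itself, so a one-way hash alone can never verify a CHAP response."""
    if len(chap_password) != 17:
        return False, "malformed CHAP-Password"
    entry = store.get(user)
    if entry is None:
        return False, "no such user"
    if entry["cleartext"] is None:
        return False, "no reversible password stored; reset the password with the policy enabled"
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + entry["cleartext"].encode() + challenge).digest()
    if hmac.compare_digest(expected, chap_password[1:]):
        return True, "ok"
    return False, "CHAP response mismatch"

def demo():
    store = {}
    challenge = b"1234567890123456"   # constructed; same shape as the CHAP-Challenge in the log
    set_password(store, "stever", "s3cret!", reversible_enabled=False)   # set before the policy
    resp = chap_response(95, "s3cret!", challenge)
    before = authenticate_chap(store, "stever", resp, challenge)           # rejected: no cleartext
    set_password(store, "stever", "s3cret!", reversible_enabled=True)    # the reset Mike recommends
    after = authenticate_chap(store, "stever", resp, challenge)            # accepted
    wrong = authenticate_chap(store, "stever", chap_response(95, "wrong", challenge), challenge)
    return before, after, wrong

if __name__ == "__main__":
    print(demo())
```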

