(RADIATOR) FW: Help with AuthBy LSA

Mike McCauley mikem at open.com.au
Sun Aug 10 17:40:08 CDT 2003


Hi Steve,


On Sun, 10 Aug 2003 09:10 pm, Steve Rogers wrote:
> Hi Mike,
>
> Thanks for the reply.
>
> I've done some tests with MSCHAPv2 and that works.
> All the testing has been done with radpwtst from the Radiator dist.
>
> At the moment we are just testing by using the user accounts on the
> local machine that Radiator is running on. This is XP Pro.

OK, in that case, I am seeing similar behaviour here with XP PRO. I will keep 
looking for the solution, but the error message sounds a bit like something 
required in XP pro is missing.



Cheers.

>
> Cheers
> Steve
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Mike McCauley
> Sent: 10 August 2003 02:05
> To: Steve Rogers; radiator at open.com.au
> Subject: Re: (RADIATOR) FW: Help with AuthBy LSA
>
>
> Hello Steve,
>
> On Sun, 10 Aug 2003 12:47 am, Steve Rogers wrote:
> > Hello,
> >
> > I have changed the password a couple of times after the "store
> > passwords in reversible encryption" and still it fails. I've rebooted
> > the machine and tried creating new user accounts and authenticating
> > against those, but chap still fails.
>
> That should be enough to set the password properly.
>
> > Am I still missing something? I'd really appreciate any ideas.
>
> Hmmm.
> Is MSCHAPV2 working OK?
> Are you testing with radpwtst?
> What sort of host is your AD on?
>
> Cheers.
>
> > Steve
> >
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: 09 August 2003 01:06
> > To: Steve Rogers
> > Subject: Re: Help with AuthBy LSA
> >
> >
> > Hello Steve,
> >
> > On Sat, 9 Aug 2003 07:47 am, Steve Rogers wrote:
> > > Hi Mike,
> > >
> > > I've been trying out the new AuthBy LSA code and I can't get chap to
> > > work. Pap, mschap work flawlessly. The user accounts are on the
> > > local machine so there's no AD/NT domain.
> > >
> > > I'm using Radiator 3.6 on Windows XP Pro (SP1) with Activestate Perl
> > > 5.6.1 and the Win32-Lsa perl module. The config file is the lsa.cfg
> > > from goodies dir in the Radiator distribution.
> > >
> > > Radiator is running with Admin privs, with act as part of operating
> > > system and the local computer policy has store passwords in
> > > reversible encryption enabled.
> >
> > That sounds all OK, but if you turned on "store passwords in
> > reversible encryption" _after_ the user's password has been set in AD,
> > you will need to _reset_ the password in AD, else it does not really
> > have the reversible password stored.
> >
> > Hope that helps.
> >
> > BTW, it would be better if you address any future technical questions
> > you might have to the Radiator mailing list. That way others can learn
> > from the question and answer, and possibly contribute in areas where I
> > am not expert. Also, we have other staff on the mailing list who can
> > respond when I am not available.
> >
> > You can join the Radiator mailing list by sending email with the
> > single word subscribe in the body (not in the subject line) to
> > radiator-request at open.com.au There is an archive at
> > http://www.open.com.au/archives/radiator/
> > Cheers.
> >
> > > Here's the debug - first is pap auth, then mschap and finally chap
> > > which has the following warning:
> > >
> > > WARNING: Could not LogonUserNetworkCHAP:
> > >
> > >
> > > D:\Radiator\Radiator-3.6>perl radiusd -config_file lsa.cfg
> > > Fri Aug  8 22:44:12 2003: DEBUG: Finished reading configuration file 'lsa.cfg'
> > > Fri Aug  8 22:44:12 2003: DEBUG: Reading dictionary file './dictionary'
> > > Fri Aug  8 22:44:12 2003: DEBUG: Creating authentication port 0.0.0.0:1645
> > > Fri Aug  8 22:44:12 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> > > Fri Aug  8 22:44:12 2003: NOTICE: Server started: Radiator 3.6 on ROGERSSLT1
> > > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > > *** Received from 192.168.0.2 port 1120 ....
> > > Code:       Access-Request
> > > Identifier: 85
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         User-Name = "stever"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 203.63.154.1
> > >         NAS-Port = 1234
> > >         Called-Station-Id = "123456789"
> > >         Calling-Station-Id = "987654321"
> > >         NAS-Port-Type = Async
> > >         User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
> > >
> > > Fri Aug  8 22:44:40 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Fri Aug  8 22:44:40 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > > Fri Aug  8 22:44:40 2003: DEBUG: Handling with Radius::AuthLSA:
> > > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > > Fri Aug  8 22:44:40 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > > Fri Aug  8 22:44:40 2003: DEBUG: Access accepted for stever
> > > Fri Aug  8 22:44:40 2003: DEBUG: Packet dump:
> > > *** Sending to 192.168.0.2 port 1120 ....
> > > Code:       Access-Accept
> > > Identifier: 85
> > > Authentic:  1234567890123456
> > > Attributes:
> > >
> > > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > > *** Received from 192.168.0.2 port 1121 ....
> > > Code:       Access-Request
> > > Identifier: 90
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         User-Name = "stever"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 203.63.154.1
> > >         NAS-Port = 1234
> > >         Called-Station-Id = "123456789"
> > >         Calling-Station-Id = "987654321"
> > >         NAS-Port-Type = Async
> > >         MS-CHAP-Challenge = "<16>-<181><223><8>]0A"
> > >         MS-CHAP-Response =
> > > "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
> > > 0><0><0><0><0><0><0><0><0><221><167>J<174>`<22><150>Md<11><177><185>
> > > 0>1<
> > > 0>23
> > > 3><209><
> > > 156><188>O<234><205><243><24>sn"
> > >
> > > Fri Aug  8 22:44:46 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Fri Aug  8 22:44:46 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > > Fri Aug  8 22:44:46 2003: DEBUG: Handling with Radius::AuthLSA:
> > > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > > Fri Aug  8 22:44:46 2003: DEBUG: Radius::AuthLSA ACCEPT:
> > > Fri Aug  8 22:44:46 2003: DEBUG: Access accepted for stever
> > > Fri Aug  8 22:44:46 2003: DEBUG: Packet dump:
> > > *** Sending to 192.168.0.2 port 1121 ....
> > > Code:       Access-Accept
> > > Identifier: 90
> > > Authentic:  1234567890123456
> > > Attributes:
> > >
> > > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > > *** Received from 192.168.0.2 port 1122 ....
> > > Code:       Access-Request
> > > Identifier: 95
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         User-Name = "stever"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 203.63.154.1
> > >         NAS-Port = 1234
> > >         Called-Station-Id = "123456789"
> > >         Calling-Station-Id = "987654321"
> > >         NAS-Port-Type = Async
> > >         CHAP-Password = 5?<130>,<147><209><201><179><193><141><224><227>x<219><219><163>i
> > >         CHAP-Challenge = 1234567890123456
> > >
> > > Fri Aug  8 22:44:51 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Fri Aug  8 22:44:51 2003: DEBUG:  Deleting session for stever, 203.63.154.1, 1234
> > > Fri Aug  8 22:44:51 2003: DEBUG: Handling with Radius::AuthLSA:
> > > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA looks for match with stever
> > > Fri Aug  8 22:44:51 2003: WARNING: Could not LogonUserNetworkCHAP: The specified procedure could not be found.
> > >
> > > Fri Aug  8 22:44:51 2003: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed
> > > Fri Aug  8 22:44:51 2003: INFO: Access rejected for stever: AuthBy LSA Password check failed
> > > Fri Aug  8 22:44:51 2003: DEBUG: Packet dump:
> > > *** Sending to 192.168.0.2 port 1122 ....
> > > Code:       Access-Reject
> > > Identifier: 95
> > > Authentic:  1234567890123456
> > > Attributes:
> > >         Reply-Message = "Request Denied"
> > >
> > >
> > > Can you help?
> > >
> > > Steve

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
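
Added example, not part of the original thread and not Radiator or Win32-Lsa code: how a RADIUS server checks a CHAP-Password attribute (RFC 1994 / RFC 2865), which shows why CHAP needs the recoverable password that "store passwords in reversible encryption" provides. The password and CHAP identifier are constructed; the challenge string is the one in the debug above, and the SHA-256 value is only a stand-in for any one-way password store, not the Windows format.

```python
import hashlib
import hmac


def chap_response(ident, secret, challenge):
    # RFC 1994: MD5(identifier byte || cleartext secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(attrs, authenticator, stored_secret):
    """Check a RADIUS CHAP-Password attribute against the stored secret."""
    chap_password = attrs.get("CHAP-Password", b"")
    if len(chap_password) != 17:        # 1 identifier byte + 16-byte MD5
        return False
    ident, received = chap_password[0], chap_password[1:]
    # RFC 2865: if no CHAP-Challenge attribute is present, the Request
    # Authenticator field is the challenge.
    challenge = attrs.get("CHAP-Challenge", authenticator)
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(received, expected)


# Constructed sample values (assumptions for this example only).
CHALLENGE = b"1234567890123456"         # same string as in the debug above
PASSWORD = b"example-password"          # constructed
IDENT = 5                               # constructed CHAP identifier


def sample_request(include_challenge=True):
    """Build the attributes a CHAP client would send for PASSWORD."""
    attrs = {"CHAP-Password":
             bytes([IDENT]) + chap_response(IDENT, PASSWORD, CHALLENGE)}
    if include_challenge:
        attrs["CHAP-Challenge"] = CHALLENGE
    return attrs


if __name__ == "__main__":
    req = sample_request()
    # Server holding the recoverable (cleartext) password: verifies.
    print("cleartext stored:", verify_chap(req, CHALLENGE, PASSWORD))
    # Server holding only a one-way digest of the password: the digest is
    # not the secret the client hashed, so the same request cannot verify.
    one_way = hashlib.sha256(PASSWORD).digest()
    print("one-way hash stored:", verify_chap(req, CHALLENGE, one_way))
```
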

