(RADIATOR) Radiator and Watchguard Firewall VPN

Bostic, Chuck ACCBosti at nmhg.com
Mon Apr 19 11:03:43 CDT 2004


Hugh,
I added the AddToReply as you suggested and then got another error from my
Watchguard box asking for two additional parameters.
I then added 2 additional AddToReply statements as shown in my config. I got
the following error in the trace. My config is quite simple as I am still
testing and evaluating the product.
Chuck

Foreground
LogStdout
LogDir		c:/program files/radiator
DbDir		c:/program files/radiator
# Use a lower trace level in production systems:
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	
	DupInterval 0
</Client>

<Realm DEFAULT>
	<AuthBy LSA>
		# Specifies which Windows Domain is to be used to authenticate
		# users. Empty string means the local machine only.
		# Special characters are supported. Can be an Active
		# Directory domain or a Windows NT domain controller.
		Domain nmhgmcz1
		AddToReply Filter-Id = pptp_users
		AddToReply MS-MPPE-Recv-Key
		AddToReply MS-MPPE-Send-Key

		# Empty string (the default) means the local machine
		#Domain OPEN

		# This specifies the workstation to the LSA. It might be used to check
		# whether the user is permitted to log in. If the user has any
		# workstation logon restrictions, this is the name that it
		# will be checked against. Defaults to 'Radiator'
		#Workstation WLAN

		# If you specify EAPType LEAP, you can also handle
		# Cisco LEAP with any LSA native authentication
		EAPType LEAP
	</AuthBy>
</Realm>

Mon Apr 19 10:44:57 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:44:57 2004: DEBUG:  Deleting session for accbosti, 172.19.12.5, 216
Mon Apr 19 10:44:57 2004: DEBUG: Handling with Radius::AuthLSA: 
Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA ACCEPT: 
Mon Apr 19 10:44:57 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:44:57 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1241 ....
Code:       Access-Accept
Identifier: 116
Authentic:  t<147><155>y<29>%kk<231>op<186><163>7=@
Attributes:
	MS-CHAP2-Success = "<129>S=B9C1E1458CB11D3A2A189350CC834FEE21C60AA5"
	Filter-Id = "pptp_users"

Mon Apr 19 10:47:42 2004: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Mon Apr 19 10:47:42 2004: DEBUG: Reading dictionary file 'c:/program files/radiator/dictionary'
Mon Apr 19 10:47:43 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Mon Apr 19 10:47:43 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Mon Apr 19 10:47:43 2004: NOTICE: Server started: Radiator 3.8 on acmutil (EVALUATION)
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1249 ....
Code:       Access-Request
Identifier: 40
Authentic:  (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
Attributes:
	User-Name = "accbosti"
	MS-CHAP-Challenge = "<133><177>^`<15><9>_Xa<13><155><189>NH<141>M"
	MS-CHAP2-Response = "<129><0><211><133><211>5+<9><163>Z<128>Gc<221><5><229><208>g<0><0><0><0><0><0><0><0><179><255><6>;f<156>EX/0<156>-<239><157><137>|i<193><23><30>b<206>^<8>"
	NAS-Identifier = "firebox"
	NAS-Port = 224
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only

Mon Apr 19 10:48:03 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:48:03 2004: DEBUG:  Deleting session for accbosti, 172.19.12.5, 224
Mon Apr 19 10:48:03 2004: DEBUG: Handling with Radius::AuthLSA: 
Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA ACCEPT: 
Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:48:03 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1249 ....
Code:       Access-Accept
Identifier: 40
Authentic:  (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
Attributes:
	MS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"

Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1271 ....
Code:       Access-Request
Identifier: 219
Authentic:  <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
Attributes:
	User-Name = "accbosti"
	MS-CHAP-Challenge = "<29>s<194>o<187><23>P<7>p<187><133>D<200><199><163><152>"
	MS-CHAP2-Response = "<129><0>M<180><199><166><149><212><166>wW<149>j<153>U5<255><243><0><0><0><0><0><0><0><0><178>s<234><28><23><17>G<253><253><9>4`S<136><159><249><27><134><191>e<167><179><249><197>"
	NAS-Identifier = "firebox"
	NAS-Port = 246
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only

Mon Apr 19 10:48:26 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:48:26 2004: DEBUG:  Deleting session for accbosti, 172.19.12.5, 246
Mon Apr 19 10:48:26 2004: DEBUG: Handling with Radius::AuthLSA: 
Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA ACCEPT: 
Mon Apr 19 10:48:26 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:48:26 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1271 ....
Code:       Access-Accept
Identifier: 219
Authentic:  <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
Attributes:
	MS-CHAP2-Success = "<129>S=3B934C54628133FC74EA3CE923416DDA5CA74873"

Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1289 ....
Code:       Access-Request
Identifier: 91
Authentic:  [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
Attributes:
	User-Name = "accbosti"
	MS-CHAP-Challenge = "<28>+<29><138><7>E;<223>h<219>G<13><141><159><186>l"
	MS-CHAP2-Response = "<129><0><211>(a<133>dO<247><171><250><177>a5<199><221>`<221><0><0><0><0><0><0><0><0><162>i<159><166><215><221><22><139><17>%9<208><150>?,7<249>$<146><14><148><128><221>z"
	NAS-Identifier = "firebox"
	NAS-Port = 264
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only

Mon Apr 19 10:49:23 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:49:23 2004: DEBUG:  Deleting session for accbosti, 172.19.12.5, 264
Mon Apr 19 10:49:23 2004: DEBUG: Handling with Radius::AuthLSA: 
Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA ACCEPT: 
Mon Apr 19 10:49:23 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:49:23 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1289 ....
Code:       Access-Accept
Identifier: 91
Authentic:  [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
Attributes:
	MS-CHAP2-Success = "<129>S=AC0BC372584D6D4F71CF3F8B023C2F2FEC6285CC"

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, April 16, 2004 6:22 PM
To: Bostic, Chuck
Cc: 'radiator at open.com.au'
Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN



Hello Chuck -

I will need to see a copy of your configuration file and a trace 4 
debug from Radiator showing what is happening.

You can return a Filter-Id with something like this:

	<AuthBy LSA>
		.....
		AddToReply Filter-Id = pptp_user
	</AuthBy>

regards

Hugh


On 17 Apr 2004, at 05:56, Bostic, Chuck wrote:

> I have Radiator installed on a Win2k server using Authby LSA 
> validating user
> on an NT4.0 Primary Domain controller. I am trying to use a dial-up
> connection to a Watchguard firewall VPN. The error I see is on the
> Watchguard log, rejecting the connection because something is not 
> matching a
> filter-id of pptp_user. Has anyone experienced this and is there a
> solution?
> Chuck
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

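The trace above shows the failure pattern directly: once the two value-less AddToReply lines are in place, Radiator logs "Bad attribute=value pair: MS-MPPE-Send-Key" and the Access-Accept no longer carries the Filter-Id the Watchguard insists on. The following Python is an added example, not Radiator code or part of the thread, that parses the packet dumps and ERR lines of a trace-4 log and lists the Access-Accepts sent without the required attribute; the sample log is a constructed, condensed version of the trace in this message, and the parser assumes Radiator's dump layout (a "*** Sending to" header, "Code:"/"Identifier:" lines, tab-indented attributes, a blank line closing the dump).

```python
import re

# Constructed sample condensed from the trace in the post
SAMPLE_TRACE = """\
*** Sending to 172.19.12.5 port 1241 ....
Code:       Access-Accept
Identifier: 116
Attributes:
\tMS-CHAP2-Success = "<129>S=B9C1E1458CB11D3A2A189350CC834FEE21C60AA5"
\tFilter-Id = "pptp_users"

Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1249 ....
Code:       Access-Accept
Identifier: 40
Attributes:
\tMS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"
"""

HDR = re.compile(r'^\*\*\* (Sending|Received) (?:to|from) (\S+) port (\d+)')
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')   # attribute lines are tab-indented

def parse_trace(text):
    """Split a Radiator trace-4 log into packet dicts and ERR messages."""
    packets, errors, cur = [], [], None
    for line in text.splitlines():
        if ': ERR: ' in line:
            errors.append(line.split(': ERR: ', 1)[1])
            continue
        if m := HDR.match(line):              # a new packet dump starts here
            cur = {'dir': m.group(1), 'peer': m.group(2), 'attrs': {}}
            packets.append(cur)
        elif cur is None or not line.strip():
            cur = None                        # blank line closes the dump
        elif line.startswith(('Code:', 'Identifier:')):
            key, val = line.split(':', 1)
            cur[key.lower()] = int(val) if key == 'Identifier' else val.strip()
        elif m := ATTR.match(line):
            cur['attrs'][m.group(1)] = m.group(2)
    return packets, errors

def accepts_missing(packets, attr, value):
    """Identifiers of sent Access-Accepts lacking attr=value, i.e. the replies
    a NAS that insists on that attribute (here the Watchguard) will reject."""
    return [p['identifier'] for p in packets
            if p['dir'] == 'Sending' and p['code'] == 'Access-Accept'
            and p['attrs'].get(attr) != value]
```

Run against a full trace, pairing each identifier reported by accepts_missing with the ERR lines that precede it shows which AddToReply line broke the reply.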

