(RADIATOR) Radiator and Watchguard Firewall VPN
Bostic, Chuck
ACCBosti at nmhg.com
Mon Apr 19 11:03:43 CDT 2004
Hugh,
I added the AddToReply as you suggested and then got another error from my
Watchguard box asking for two additional parameters.
I then added 2 additional AddToReply statements as shown in my config. I got
the following error in the trace. My config is quite simple as I am still
testing and evaluating the product.
Chuck
Foreground
LogStdout
LogDir c:/program files/radiator
DbDir c:/program files/radiator
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
    Secret
    DupInterval 0
</Client>
<Realm DEFAULT>
    <AuthBy LSA>
        # Specifies which Windows Domain is to be used to authenticate
        # users. Empty string means the local machine only
        # Special characters are supported. Can be an Active
        # directory domain or a Windows NT domain controller
        Domain nmhgmcz1
        AddToReply Filter-Id = pptp_users
        AddToReply MS-MPPE-Recv-Key
        AddToReply MS-MPPE-Send-Key
        # Empty string (the default) means the local machine
        #Domain OPEN
        # This specifies the workstation to the LSA. It might be used to check
        # whether the user is permitted to log in. If the user has any
        # workstation logon restrictions, this is the name that it
        # will be checked against. Defaults to 'Radiator'
        #Workstation WLAN
        # If you specify EAPType LEAP, you can also handle
        # Cisco LEAP with any LSA native authentication
        EAPType LEAP
    </AuthBy>
</Realm>
Mon Apr 19 10:44:57 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:44:57 2004: DEBUG: Deleting session for accbosti, 172.19.12.5, 216
Mon Apr 19 10:44:57 2004: DEBUG: Handling with Radius::AuthLSA:
Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA ACCEPT:
Mon Apr 19 10:44:57 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:44:57 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1241 ....
Code: Access-Accept
Identifier: 116
Authentic: t<147><155>y<29>%kk<231>op<186><163>7=@
Attributes:
MS-CHAP2-Success = "<129>S=B9C1E1458CB11D3A2A189350CC834FEE21C60AA5"
Filter-Id = "pptp_users"
Mon Apr 19 10:47:42 2004: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Mon Apr 19 10:47:42 2004: DEBUG: Reading dictionary file 'c:/program files/radiator/dictionary'
Mon Apr 19 10:47:43 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Mon Apr 19 10:47:43 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Mon Apr 19 10:47:43 2004: NOTICE: Server started: Radiator 3.8 on acmutil (EVALUATION)
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1249 ....
Code: Access-Request
Identifier: 40
Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
Attributes:
User-Name = "accbosti"
MS-CHAP-Challenge = "<133><177>^`<15><9>_Xa<13><155><189>NH<141>M"
MS-CHAP2-Response = "<129><0><211><133><211>5+<9><163>Z<128>Gc<221><5><229><208>g<0><0><0><0><0><0><0><0><179><255><6>;f<156>EX/0<156>-<239><157><137>|i<193><23><30>b<206>^<8>"
NAS-Identifier = "firebox"
NAS-Port = 224
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Mon Apr 19 10:48:03 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:48:03 2004: DEBUG: Deleting session for accbosti, 172.19.12.5, 224
Mon Apr 19 10:48:03 2004: DEBUG: Handling with Radius::AuthLSA:
Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA ACCEPT:
Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:48:03 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1249 ....
Code: Access-Accept
Identifier: 40
Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
Attributes:
MS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"
Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1271 ....
Code: Access-Request
Identifier: 219
Authentic: <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
Attributes:
User-Name = "accbosti"
MS-CHAP-Challenge = "<29>s<194>o<187><23>P<7>p<187><133>D<200><199><163><152>"
MS-CHAP2-Response = "<129><0>M<180><199><166><149><212><166>wW<149>j<153>U5<255><243><0><0><0><0><0><0><0><0><178>s<234><28><23><17>G<253><253><9>4`S<136><159><249><27><134><191>e<167><179><249><197>"
NAS-Identifier = "firebox"
NAS-Port = 246
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Mon Apr 19 10:48:26 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:48:26 2004: DEBUG: Deleting session for accbosti, 172.19.12.5, 246
Mon Apr 19 10:48:26 2004: DEBUG: Handling with Radius::AuthLSA:
Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA ACCEPT:
Mon Apr 19 10:48:26 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:48:26 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1271 ....
Code: Access-Accept
Identifier: 219
Authentic: <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
Attributes:
MS-CHAP2-Success = "<129>S=3B934C54628133FC74EA3CE923416DDA5CA74873"
Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1289 ....
Code: Access-Request
Identifier: 91
Authentic: [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
Attributes:
User-Name = "accbosti"
MS-CHAP-Challenge = "<28>+<29><138><7>E;<223>h<219>G<13><141><159><186>l"
MS-CHAP2-Response = "<129><0><211>(a<133>dO<247><171><250><177>a5<199><221>`<221><0><0><0><0><0><0><0><0><162>i<159><166><215><221><22><139><17>%9<208><150>?,7<249>$<146><14><148><128><221>z"
NAS-Identifier = "firebox"
NAS-Port = 264
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Mon Apr 19 10:49:23 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:49:23 2004: DEBUG: Deleting session for accbosti, 172.19.12.5, 264
Mon Apr 19 10:49:23 2004: DEBUG: Handling with Radius::AuthLSA:
Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA looks for match with accbosti
Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA ACCEPT:
Mon Apr 19 10:49:23 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:49:23 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1289 ....
Code: Access-Accept
Identifier: 91
Authentic: [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
Attributes:
MS-CHAP2-Success = "<129>S=AC0BC372584D6D4F71CF3F8B023C2F2FEC6285CC"
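As an added example, not part of the thread and not Radiator's own code: a small Python audit of a Radiator trace 4 log of the kind pasted above. It pairs each "Sending to" dump with the "Received from" Access-Request that has the same peer and Identifier, attributes the ERR lines logged in between to that request, and flags an Access-Accept for an MS-CHAPv2 request that carries neither MS-MPPE key, which is the condition the Watchguard is rejecting. The sample log is a constructed, shortened copy of one request/reply pair from the trace (with one value deliberately left mail-wrapped); the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: one request/reply pair condensed from the trace 4 output
# in the post above (same line shapes; the MS-CHAP values are shortened and the
# response value is left mail-wrapped on purpose to exercise the joiner).
SAMPLE_TRACE = """\
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Received from 172.19.12.5 port 1249 ....
Code: Access-Request
Identifier: 40
Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
Attributes:
User-Name = "accbosti"
MS-CHAP-Challenge = "<133><177>^`<15><9>_Xa<13><155><189>NH<141>M"
MS-CHAP2-Response = "<129><0><211><133><211>5+<9><163>Z<128>Gc<221><5><229>
<208>g<0><0><0><0><0><0><0><0><179><255><6>;f<156>EX/0<156>-<239><157><137>|i
<193><23><30>b<206>^<8>"
NAS-Identifier = "firebox"
NAS-Port = 224
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Mon Apr 19 10:48:03 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Apr 19 10:48:03 2004: DEBUG: Handling with Radius::AuthLSA:
Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA ACCEPT:
Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
Mon Apr 19 10:48:03 2004: DEBUG: Access accepted for accbosti
Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
*** Sending to 172.19.12.5 port 1249 ....
Code: Access-Accept
Identifier: 40
Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
Attributes:
MS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"
"""

TS_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]+ \d{4}): (\w+): (.*)$")
DUMP_RE = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
HDR_RE = re.compile(r"^(Code|Identifier|Authentic):\s*(.*)$")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")
MPPE_KEYS = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")


@dataclass
class Packet:
    direction: str                 # "rx" = Received from NAS, "tx" = Sending to NAS
    peer: str                      # "ip:port" of the NAS
    code: str = ""
    identifier: int = -1
    authenticator: str = ""
    attrs: List[Tuple[str, str]] = field(default_factory=list)  # order preserved

    def values(self, name: str) -> List[str]:
        return [v.strip('"') for n, v in self.attrs if n == name]


def parse_trace(text: str):
    """Split a Radiator trace 4 log into packet dumps and timestamped events.

    Each event is (timestamp, level, message, packets_seen_so_far); the last
    field lets a caller tie an ERR line to the request being processed."""
    packets, events = [], []
    cur, section = None, None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:                                   # any timestamped line ends a dump
            cur, section = None, None
            events.append((m.group(1), m.group(2), m.group(3), len(packets)))
            continue
        m = DUMP_RE.match(line)
        if m:
            cur = Packet("rx" if m.group(1) == "Received from" else "tx",
                         f"{m.group(2)}:{m.group(3)}")
            packets.append(cur)
            section = "header"
            continue
        if cur is None:
            continue
        if line.strip() == "Attributes:":
            section = "attrs"
            continue
        m = HDR_RE.match(line)
        if section == "header" and m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Code":
                cur.code = val
            elif key == "Identifier":
                cur.identifier = int(val)
            else:
                cur.authenticator = val
            continue
        m = ATTR_RE.match(line)
        if section == "attrs" and m:
            cur.attrs.append((m.group(1), m.group(2)))
        elif section == "attrs" and cur.attrs:
            # mail- or terminal-wrapped continuation of the previous value
            name, val = cur.attrs[-1]
            cur.attrs[-1] = (name, val + line.strip())
        elif section == "header":
            cur.authenticator += line.strip()   # "Authentic:" split over two lines
    return packets, events


def audit(text: str) -> List[dict]:
    """Pair each reply with its request and report what went wrong in between."""
    packets, events = parse_trace(text)
    findings = []
    for j, reply in enumerate(packets):
        if reply.direction != "tx":
            continue
        # RADIUS matches replies to requests by peer address plus Identifier
        i = next((k for k in range(j - 1, -1, -1)
                  if packets[k].direction == "rx"
                  and packets[k].peer == reply.peer
                  and packets[k].identifier == reply.identifier), None)
        if i is None:
            findings.append({"id": reply.identifier, "user": None,
                             "kind": "orphan-reply", "detail": reply.peer})
            continue
        req = packets[i]
        user = (req.values("User-Name") or [None])[0]
        sent = [n for n, _ in reply.attrs]
        for _, level, msg, n in events:
            if level == "ERR" and i < n <= j:      # logged while this request was in flight
                findings.append({"id": reply.identifier, "user": user,
                                 "kind": "config-error",
                                 "detail": f"{msg}; reply carried only {sent}"})
        if reply.code == "Access-Accept" and req.values("MS-CHAP2-Response"):
            missing = [k for k in MPPE_KEYS if k not in sent]
            if missing:
                findings.append({"id": reply.identifier, "user": user,
                                 "kind": "missing-mppe", "detail": ", ".join(missing)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TRACE):
        print(f"id={f['id']} user={f['user']} {f['kind']}: {f['detail']}")
```

Run against a full trace, the audit lists every request whose reply was sent after a "Bad attribute=value pair" error, together with the attributes that actually went out, which is quicker than reading packet dumps by eye when a NAS keeps retrying.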
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, April 16, 2004 6:22 PM
To: Bostic, Chuck
Cc: 'radiator at open.com.au'
Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN
Hello Chuck -
I will need to see a copy of your configuration file and a trace 4
debug from Radiator showing what is happening.
You can return a Filter-Id with something like this:
<AuthBy LSA>
.....
AddToReply Filter-Id = pptp_user
</AuthBy>
regards
Hugh
On 17 Apr 2004, at 05:56, Bostic, Chuck wrote:
> I have Radiator installed on a Win2k server using AuthBy LSA, validating users
> on an NT 4.0 Primary Domain Controller. I am trying to use a dial-up
> connection to a Watchguard firewall VPN. The error I see is on the
> Watchguard log, rejecting the connection because something is not matching a
> filter-id of pptp_user. Has anyone experienced this and is there a
> solution?
> Chuck
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
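The two attributes the Watchguard asked for in the first message, MS-MPPE-Send-Key and MS-MPPE-Recv-Key, are Microsoft vendor-specific attributes defined in RFC 2548. Their value is a per-session key produced by the MS-CHAPv2 exchange (RFC 3079) that is then "salt-encrypted" under the shared secret and the Request Authenticator of the individual Access-Request, so unlike Filter-Id they cannot be supplied as a fixed string in the configuration. The thread does not show the eventual fix; the following added example (my code, not Radiator's and not from the list) implements only the RFC 2548 encoding and decoding so the on-the-wire form can be checked. The shared secret, Request Authenticator and session key are constructed values, and the script uses a fixed salt so its output is reproducible.

```python
import hashlib
import os

MS_VENDOR_ID = 311                 # Microsoft, RFC 2548
MS_MPPE_SEND_KEY = 16              # vendor types from RFC 2548 section 2.4
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_key_encrypt(secret: bytes, req_auth: bytes, key: bytes, salt: bytes = None) -> bytes:
    """RFC 2548 'salt-encrypt' of a session key: returns Salt || ciphertext.

    b(1) = MD5(S + R + A), c(1) = p(1) xor b(1); b(i) = MD5(S + c(i-1)), c(i) = p(i) xor b(i),
    where S is the shared secret, R the Request Authenticator and A the 2-byte salt."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key                      # length byte, then the key
    plain += b"\x00" * (-len(plain) % 16)                # pad to a 16-byte multiple
    out, prev = bytearray(), req_auth + salt
    for off in range(0, len(plain), 16):
        block = _xor(plain[off:off + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                                      # chain on the ciphertext block
    return salt + bytes(out)


def mppe_key_decrypt(secret: bytes, req_auth: bytes, value: bytes) -> bytes:
    """Inverse of mppe_key_encrypt, as the NAS performs it on receipt."""
    salt, ct = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("malformed MS-MPPE key value")
    out, prev = bytearray(), req_auth + salt
    for off in range(0, len(ct), 16):
        out += _xor(ct[off:off + 16], hashlib.md5(secret + prev).digest())
        prev = ct[off:off + 16]
    n = out[0]
    if n == 0 or n > len(out) - 1:
        raise ValueError("bad key length: wrong shared secret or authenticator?")
    return bytes(out[1:1 + n])


def vsa_mppe_key(vendor_type: int, secret: bytes, req_auth: bytes, key: bytes,
                 salt: bytes = None) -> bytes:
    """Whole Vendor-Specific (type 26) attribute: 26 | len | 311 | vtype | vlen | salt | ct."""
    value = mppe_key_encrypt(secret, req_auth, key, salt)
    vendor_data = bytes([vendor_type, 2 + len(value)]) + value
    body = MS_VENDOR_ID.to_bytes(4, "big") + vendor_data
    return bytes([26, 2 + len(body)]) + body


if __name__ == "__main__":
    # All three inputs are constructed for illustration; in a real exchange the key
    # comes from the MS-CHAPv2 handshake (RFC 3079) and the authenticator from the NAS.
    secret = b"example-shared-secret"
    req_auth = bytes(range(16))
    send_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # 128-bit MPPE key
    attr = vsa_mppe_key(MS_MPPE_SEND_KEY, secret, req_auth, send_key, salt=b"\x80\x2a")
    print("MS-MPPE-Send-Key VSA:", attr.hex())
    print("round trip ok:", mppe_key_decrypt(secret, req_auth, attr[8:]) == send_key)
    other = vsa_mppe_key(MS_MPPE_SEND_KEY, secret, bytes(16), send_key, salt=b"\x80\x2a")
    print("same key and salt, other Request Authenticator, differs:", other != attr)
```

The last two lines of the script make the practical point: the same key encrypts differently for every Access-Request, and decrypting with a different secret yields garbage, so a NAS cannot validate an MS-MPPE key unless the server's Client Secret (left blank in the posted configuration copy) matches what the NAS was given.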