(RADIATOR) Radiator and Watchguard Firewall VPN

Hugh Irvine hugh at open.com.au
Mon Apr 19 18:47:09 CDT 2004


Hello Chuck -

You should use a single AddToReply as follows:

	AddToReply Filter-Id = pptp_users, \
                    MS-MPPE-Recv-Key = ....., \
                    MS-MPPE-Send-Key = ........

You will need to set the keys as required by your client.

See sections 13.2.5 and 13.2.6 in the Radiator 3.9 reference manual  
("doc/ref.html").

regards

Hugh



On 20 Apr 2004, at 02:03, Bostic, Chuck wrote:

>
> Hugh,
> I added the AddToReply as you suggested and then got another error  
> from my
> Watchguard box asking for two additional parameters..
> I then added 2 additional AddToReply statements as shown in my config.  
> I got
> the following error in the trace. My config is quite simple as I am  
> still
> testing and evaluating the product.
> Chuck
>
> Foreground
> LogStdout
> LogDir		c:/program files/radiator
> DbDir		c:/program files/radiator
> # Use a lower trace level in production systems:
> Trace 		4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret	
> 	DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> 	<AuthBy LSA>
> 		# Specifies which Windows Domain is to be used to authenticate
> 		# users. Empty string means the local machine only
> 		# Special characters are supported. Can be an Active
> 		# directory domain or a Windows NT domain controller
>
> 	Domain nmhgmcz1
> 	AddToReply Filter-Id = pptp_users
>         AddToReply MS-MPPE-Recv-Key
>         AddToReply MS-MPPE-Send-Key
>
> 		# Empty string (the default) means the local machine
> 		#Domain OPEN
>
> 		# This specifies the workstation to the LSA. It might be used to check
> 		# whether the user is permitted to log in. If the user has any
> 		# workstation logon restrictions, this is the name that it
> 		# will be checked against. Defaults to 'Radiator'
> 		#Workstation WLAN
>
> 		# If you specify EAPType LEAP, you can also handle
> 		# Cisco LEAP with any LSA native authentication
> 		EAPType LEAP
> 	</AuthBy>
> </Realm>
>
> Mon Apr 19 10:44:57 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Apr 19 10:44:57 2004: DEBUG:  Deleting session for accbosti,
> 172.19.12.5, 216
> Mon Apr 19 10:44:57 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA looks for match with
> accbosti
> Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Apr 19 10:44:57 2004: DEBUG: Access accepted for accbosti
> Mon Apr 19 10:44:57 2004: DEBUG: Packet dump:
> *** Sending to 172.19.12.5 port 1241 ....
> Code:       Access-Accept
> Identifier: 116
> Authentic:  t<147><155>y<29>%kk<231>op<186><163>7=@
> Attributes:
> 	MS-CHAP2-Success = "<129>S=B9C1E1458CB11D3A2A189350CC834FEE21C60AA5"
> 	Filter-Id = "pptp_users"
>
> Mon Apr 19 10:47:42 2004: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> Mon Apr 19 10:47:42 2004: DEBUG: Reading dictionary file 'c:/program
> files/radiator/dictionary'
> Mon Apr 19 10:47:43 2004: DEBUG: Creating authentication port  
> 0.0.0.0:1645
> Mon Apr 19 10:47:43 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Apr 19 10:47:43 2004: NOTICE: Server started: Radiator 3.8 on  
> acmutil
> (EVALUATION)
> Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
> *** Received from 172.19.12.5 port 1249 ....
> Code:       Access-Request
> Identifier: 40
> Authentic:  (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
> Attributes:
> 	User-Name = "accbosti"
> 	MS-CHAP-Challenge = "<133><177>^`<15><9>_Xa<13><155><189>NH<141>M"
> 	MS-CHAP2-Response =
> "<129><0><211><133><211>5+<9><163>Z<128>Gc<221><5><229><208>g<0><0><0>< 
> 0><0>
> <0><0><0><179><255><6>;f<156>EX/0<156>- 
> <239><157><137>|i<193><23><30>b<206>^
> <8>"
> 	NAS-Identifier = "firebox"
> 	NAS-Port = 224
> 	NAS-Port-Type = Virtual
> 	Service-Type = Authenticate-Only
>
> Mon Apr 19 10:48:03 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Apr 19 10:48:03 2004: DEBUG:  Deleting session for accbosti,
> 172.19.12.5, 224
> Mon Apr 19 10:48:03 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA looks for match with
> accbosti
> Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair:  
> MS-MPPE-Send-Key
> Mon Apr 19 10:48:03 2004: DEBUG: Access accepted for accbosti
> Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
> *** Sending to 172.19.12.5 port 1249 ....
> Code:       Access-Accept
> Identifier: 40
> Authentic:  (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
> Attributes:
> 	MS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"
>
> Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
> *** Received from 172.19.12.5 port 1271 ....
> Code:       Access-Request
> Identifier: 219
> Authentic:
> <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
> Attributes:
> 	User-Name = "accbosti"
> 	MS-CHAP-Challenge =
> "<29>s<194>o<187><23>P<7>p<187><133>D<200><199><163><152>"
> 	MS-CHAP2-Response =
> "<129><0>M<180><199><166><149><212><166>wW<149>j<153>U5<255><243><0><0> 
> <0><0
>> <0><0><0><0><178>s<234><28><23><17>G<253><253><9>4`S<136><159><249><27 
>> ><134
>> <191>e<167><179><249><197>"
> 	NAS-Identifier = "firebox"
> 	NAS-Port = 246
> 	NAS-Port-Type = Virtual
> 	Service-Type = Authenticate-Only
>
> Mon Apr 19 10:48:26 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Apr 19 10:48:26 2004: DEBUG:  Deleting session for accbosti,
> 172.19.12.5, 246
> Mon Apr 19 10:48:26 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA looks for match with
> accbosti
> Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Apr 19 10:48:26 2004: ERR: Bad attribute=value pair:  
> MS-MPPE-Send-Key
> Mon Apr 19 10:48:26 2004: DEBUG: Access accepted for accbosti
> Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
> *** Sending to 172.19.12.5 port 1271 ....
> Code:       Access-Accept
> Identifier: 219
> Authentic:
> <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
> Attributes:
> 	MS-CHAP2-Success = "<129>S=3B934C54628133FC74EA3CE923416DDA5CA74873"
>
> Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
> *** Received from 172.19.12.5 port 1289 ....
> Code:       Access-Request
> Identifier: 91
> Authentic:   
> [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
> Attributes:
> 	User-Name = "accbosti"
> 	MS-CHAP-Challenge =
> "<28>+<29><138><7>E;<223>h<219>G<13><141><159><186>l"
> 	MS-CHAP2-Response =
> "<129><0><211>(a<133>dO<247><171><250><177>a5<199><221>`<221><0><0><0>< 
> 0><0>
> <0><0><0><162>i<159><166><215><221><22><139><17>%9<208><150>?,7<249>$<1 
> 46><1
> 4><148><128><221>z"
> 	NAS-Identifier = "firebox"
> 	NAS-Port = 264
> 	NAS-Port-Type = Virtual
> 	Service-Type = Authenticate-Only
>
> Mon Apr 19 10:49:23 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Apr 19 10:49:23 2004: DEBUG:  Deleting session for accbosti,
> 172.19.12.5, 264
> Mon Apr 19 10:49:23 2004: DEBUG: Handling with Radius::AuthLSA:
> Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA looks for match with
> accbosti
> Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Mon Apr 19 10:49:23 2004: ERR: Bad attribute=value pair:  
> MS-MPPE-Send-Key
> Mon Apr 19 10:49:23 2004: DEBUG: Access accepted for accbosti
> Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
> *** Sending to 172.19.12.5 port 1289 ....
> Code:       Access-Accept
> Identifier: 91
> Authentic:   
> [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
> Attributes:
> 	MS-CHAP2-Success = "<129>S=AC0BC372584D6D4F71CF3F8B023C2F2FEC6285CC"
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, April 16, 2004 6:22 PM
> To: Bostic, Chuck
> Cc: 'radiator at open.com.au'
> Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN
>
>
>
> Hello Chuck -
>
> I will need to see a copy of your configuration file and a trace 4
> debug from Radiator showing what is happening.
>
> You can return a Filter-Id with something like this:
>
> 	<AuthBy LSA>
> 		.....
> 		AddToReply Filter-Id = pptp_user
> 	</AuthBy>
>
> regards
>
> Hugh
>
>
> On 17 Apr 2004, at 05:56, Bostic, Chuck wrote:
>
>> I have Radiator installed on a Win2k server using Authby LSA
>> validating user
>> on an NT4.0 Primary Domain controller. I am trying to use a dial-up
>> connection to a Watchguard firewall VPN. The error I see is on the
>> Watchguard log, rejecting the connection because something is not
>> matching a
>> filter-id of pptp_user. Has any one experienced this and is there a
>> solution?
>> Chuck
>>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
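The trace above fails with "Bad attribute=value pair" because an AddToReply item must be written as Attribute = value. The following checker, added here as an illustration and not part of Radiator or of this thread's configuration, approximates that rule: it joins backslash-continued lines, splits the comma-separated list, and reports any item that has no value. The key values it uses are labelled placeholders, not real MPPE keys.

```python
import re

# Constructed samples: the three separate AddToReply lines from the quoted
# config (the failing form) and the single comma-separated AddToReply the
# reply recommends (EXAMPLE-* values are placeholders, not real MPPE keys).
BROKEN_CONFIG = """\
	AddToReply Filter-Id = pptp_users
        AddToReply MS-MPPE-Recv-Key
        AddToReply MS-MPPE-Send-Key
"""

FIXED_CONFIG = """\
	AddToReply Filter-Id = pptp_users, \\
                    MS-MPPE-Recv-Key = "EXAMPLE-RECV-KEY", \\
                    MS-MPPE-Send-Key = "EXAMPLE-SEND-KEY"
"""

def join_continuations(text):
    """Join a line ending in a backslash with the line that follows it."""
    return re.sub(r"\\\n\s*", " ", text)

def split_pairs(arg):
    """Split 'A = v, B = "x, y"' on commas that are outside double quotes."""
    return [p.strip() for p in re.findall(r'(?:[^,"]|"[^"]*")+', arg)]

def check_add_to_reply(config):
    """Return (directives, errors): each directive is a list of (attr, value)
    tuples; errors mimic the trace message for items lacking '= value'.
    This approximates Radiator's check (assumption); it is not Radiator's code."""
    directives, errors = [], []
    for line in join_continuations(config).splitlines():
        line = line.strip()
        if not line.startswith("AddToReply"):
            continue
        pairs = []
        for item in split_pairs(line[len("AddToReply"):]):
            m = re.match(r'^([\w-]+)\s*=\s*(.+)$', item)
            if not m or not m.group(2).strip('"'):
                errors.append("Bad attribute=value pair: " + item.split()[0])
                continue
            pairs.append((m.group(1), m.group(2).strip('"')))
        directives.append(pairs)
    return directives, errors

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        directives, errors = check_add_to_reply(cfg)
        print(name, directives, errors or "OK")
```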

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

