(RADIATOR) AuthBy LSA and Lan Manager Auth Level
Hugh Irvine
hugh at open.com.au
Wed Dec 1 15:26:00 CST 2004
Hello Kirk -
I have just been discussing this issue with Mike here in the office.
Unfortunately the Win32-LSA module does not currently support NTLMv2.
Mike will look at adding support for it in the new year.
Our apologies for the inconvenience.
regards
Hugh
On 2 Dec 2004, at 04:25, Kirk T Byers wrote:
> Hugh,
>
> OK, I have upgraded to Radiator 3.11 (plus patches). I still have the
> same issue. The error message is the same as before, "WARNING: Could
> not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown
> user name or bad password". I tried this both with and without
> specifying the domain in my PEAP supplicant (i.e. both with and without
> the "NT\" prefix). I looked at the new lsa_eap_peap.cfg, and didn't see
> any meaningful differences between my configuration and the example
> configuration. The only difference was that I had the "DefaultDomain
> NT" set (although I tried it both with and without this). I also looked
> at the example lsa.cfg, but this didn't look applicable since I am
> using PEAP.
>
> Here is the end of the logfile from my last attempt. This is with
> "DefaultDomain NT" set, and without specifying the domain in the
> supplicant.
>
>
> Kirk
>
>
>
> Wed Dec 1 08:55:38 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 72
> Authentic:
> SM=<209><9><155><231><227><204><167><184><220><135>h<171><204>
> Attributes:
> User-Name = "testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <208><249><209><7><236>x<<217><203><169><167><19
> 7><142>*<192>L
> EAP-Message =
> <2><9><0>Y<25><0><23><3><1><0>N<244>m<140><21><218>p<29>i<
> 208>q<218><212><142><1>M<231><174><168>L<246><168><155><225><227>K<144>
> <225><248
>> <250><150><228>!
>> <0><228><138><178><204><159>V<186><31>e<135><242><129><244>u6><
> 149>
> 8<229><229><211><193>++<20><154><192><216>2<14><203><25>l<172>.<178>^<2
> 1><2
> 09>Z<169><154>#<189>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 322
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Wed Dec 1 08:55:38 2004: DEBUG: Handling request with Handler ''
> Wed Dec 1 08:55:38 2004: DEBUG: Deleting session for testuser, 171.64.19.234, 322
> Wed Dec 1 08:55:38 2004: DEBUG: Handling with Radius::AuthFILE:
> Wed Dec 1 08:55:38 2004: DEBUG: Handling with EAP: code 2, 9, 89
> Wed Dec 1 08:55:38 2004: DEBUG: Response type 25
> Wed Dec 1 08:55:38 2004: DEBUG: EAP PEAP inner authentication request for anonymous
> Wed Dec 1 08:55:38 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <138><198><252><222>nI<23>$X<219><221><2>3<217>s<224>
> Attributes:
> EAP-Message =
> <2><9><0>><26><2><9><0>=1<144><150><222>=<188><237>vB<173>
> <209><204><136>~D<215>~<0><0><0><0><0><0><0><0><23><255>q/
> <230><6><187><170>5w<1
> 9><198>5<180><154>A<183><137>M<150><148><3><225><253><0>testuser
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> User-Name = "anonymous"
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
> NAS-Port = 322
> Calling-Station-Id = "000c.41a9.930f"
>
> Wed Dec 1 08:55:38 2004: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Wed Dec 1 08:55:38 2004: DEBUG: Deleting session for , 171.64.19.234, 322
> Wed Dec 1 08:55:38 2004: DEBUG: Handling with Radius::AuthLSA:
> Wed Dec 1 08:55:38 2004: DEBUG: Handling with EAP: code 2, 9, 62
> Wed Dec 1 08:55:38 2004: DEBUG: Response type 26
> Wed Dec 1 08:55:38 2004: DEBUG: Radius::AuthLSA looks for match with testuser
> Wed Dec 1 08:55:38 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Wed Dec 1 08:55:38 2004: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
>
> Wed Dec 1 08:55:38 2004: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Wed Dec 1 08:55:38 2004: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Wed Dec 1 08:55:38 2004: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Wed Dec 1 08:55:38 2004: DEBUG: Access challenged for testuser: EAP PEAP inner authentication redespatched to a Handler
> Wed Dec 1 08:55:38 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Challenge
> Identifier: 72
> Authentic:
> SM=<209><9><155><231><227><204><167><184><220><135>h<171><204>
> Attributes:
> EAP-Message =
> <1><10><0>&<25><0><23><3><1><0><27><24><253><234>&~<10><15
> 2><<248><144><28><197>7<163>cF<147><215>~<139>i<141>z<215><165><177><13
> 7>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
> Wed Dec 1 08:55:38 2004: DEBUG: Packet dump:
> *** Received from 171.64.19.234 port 21645 ....
> Code: Access-Request
> Identifier: 73
> Authentic: <154><206><167>LM{<178><245><135>2/<l<18><144><28>
> Attributes:
> User-Name = "testuser"
> Framed-MTU = 1400
> Called-Station-Id = "0011.931f.57c0"
> Calling-Station-Id = "000c.41a9.930f"
> Message-Authenticator =
> <239><166>xq!<215><23><198>)<175><29>@x@<210><18
> 3>
> EAP-Message =
> <2><10><0>&<25><0><23><3><1><0><27><244>lH<206>H88<254><15
> 0><182><132><24><216><10>9<7><202><240>}<244><244><188><240>=<165>Pm
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 322
> Service-Type = Framed-User
> NAS-IP-Address = 171.64.19.234
> NAS-Identifier = "ap"
>
> Wed Dec 1 08:55:38 2004: DEBUG: Handling request with Handler ''
> Wed Dec 1 08:55:38 2004: DEBUG: Deleting session for testuser, 171.64.19.234, 322
> Wed Dec 1 08:55:38 2004: DEBUG: Handling with Radius::AuthFILE:
> Wed Dec 1 08:55:38 2004: DEBUG: Handling with EAP: code 2, 10, 38
> Wed Dec 1 08:55:38 2004: DEBUG: Response type 25
> Wed Dec 1 08:55:38 2004: DEBUG: EAP result: 1, PEAP Authentication Failure
> Wed Dec 1 08:55:38 2004: INFO: Access rejected for testuser: PEAP Authentication Failure
> Wed Dec 1 08:55:38 2004: DEBUG: Packet dump:
> *** Sending to 171.64.19.234 port 21645 ....
> Code: Access-Reject
> Identifier: 73
> Authentic: <154><206><167>LM{<178><245><135>2/<l<18><144><28>
> Attributes:
> EAP-Message = <4><10><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Reply-Message = "Request Denied"
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
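
Added example, not part of the original thread and not Radiator's own code: a small Python triage helper that rejoins the mail-wrapped trace lines quoted above and decodes the decimal status in the LogonUserNetworkMSCHAP warning into its NTSTATUS value. The function names are hypothetical, SAMPLE is copied from the trace in this message, and the NTSTATUS names are the standard ones from Microsoft's ntstatus.h.

```python
import re

# A few well-known logon NTSTATUS codes (names as in Microsoft's ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
STAMP = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): ")
MATCH = re.compile(r"AuthLSA looks for match with (\S+)")
FAIL = re.compile(r"WARNING: Could not LogonUserNetworkMSCHAP \(V2\): (\d+),")

def unwrap(text):
    """Strip '> ' quoting and rejoin records split by mail line-wrapping."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(> ?)+", "", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)          # a new timestamped record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def lsa_failures(text):
    """Return one dict per failed LSA logon, with the NTSTATUS decoded."""
    user, out = None, []
    for rec in unwrap(text):
        m = MATCH.search(rec)
        if m:
            user = m.group(1)             # inner identity AuthLSA looked up
        f = FAIL.search(rec)
        if f:
            code = int(f.group(1))
            stamp = STAMP.match(rec)
            out.append({"time": stamp.group(1) if stamp else None,
                        "user": user,
                        "ntstatus": f"0x{code:08X}",
                        "name": NTSTATUS.get(code, "UNKNOWN")})
    return out

# Lines copied from the quoted trace in this message, wrapping included.
SAMPLE = """\
> Wed Dec 1 08:55:38 2004: DEBUG: Radius::AuthLSA looks for match with
> testuser
> Wed Dec 1 08:55:38 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Wed Dec 1 08:55:38 2004: WARNING: Could not LogonUserNetworkMSCHAP
> (V2):
> 3221225581, 0, Logon failure: unknown user name or bad password.
"""
```

For the trace above this yields 0xC000006D (STATUS_LOGON_FAILURE), the generic logon-failure status; the same code was logged here even though the cause Hugh identifies is the module's missing NTLMv2 support, so the status alone does not separate a wrong password from a rejected authentication protocol.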