(RADIATOR) AuthBy LSA using Windows Server 2003 & AD.

Mark Holgate mark.holgate at ssds.com.au
Sun May 16 21:12:55 CDT 2004


G'day folks, hope you all had a good weekend! Unfortunately mine had far
too much work involved, which leads me on to my current problem! I'm
wondering if anyone has some advice on the following problem:

We're currently running a single Radiator 3.8 server on a domain member
Win2k box. Up until this weekend we were successfully using AuthBy LSA
to authenticate to our AD from a number of different clients, including
our own ISDN onramps, Comindico private dial network and Telstra GPRS
network. Our users are almost entirely Windows (NT,2K,XP,PocketPC) based
with analogue or GSM dial-ups.

The authentication requests Radiator receives are mostly CHAP requests
(due to the third-parties who are proxying these requests to us) and
these were authenticating with the AD OK, i.e. 'reversible encryption'
was enabled, the servers were communicating OK and the Radiator service
account had the correct rights.

At the weekend we upgraded our DCs to Windows Server 2003 and had a bit
of a tidy up on them (including removing the RRaS service).

The issue we now have is that all CHAP access requests are failing with
a similar message (this one was a radpwtst request):

--------------------------------------------------------- RADIATOR LOG
*** Received from 127.0.0.1 port 1473 ....
Code:       Access-Request
Identifier: 2
Authentic:  1234567890123456
Attributes:
	User-Name = "britney.spears"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	CHAP-Password = 5<191><216>:<181><243><159><10>Y<215>T<127>!s<5><221><179>
	CHAP-Challenge = 1234567890123456

Mon May 17 05:05:02 2004: DEBUG: Handling request with Handler ''
Mon May 17 05:05:02 2004: DEBUG:  Deleting session for britney.spears, 203.63.154.1, 1234
Mon May 17 05:05:02 2004: DEBUG: Handling with Radius::AuthSQL
Mon May 17 05:05:02 2004: DEBUG: Handling with Radius::AuthLSA: SSDSAuthByAD
Mon May 17 05:05:02 2004: DEBUG: Radius::AuthLSA looks for match with britney.spears
Mon May 17 05:05:02 2004: WARNING: Could not LogonUserNetworkCHAP: The parameter is incorrect.
Mon May 17 05:05:02 2004: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed
Mon May 17 05:05:03 2004: INFO: Access rejected for britney.spears: AuthBy LSA Password check failed
---------------------------------------------------------

Authentication using PAP, MSCHAP or MSCHAPv2 all still work fine.

I know this isn't strictly a Radiator issue (it hasn't changed) but I'm
wondering if anyone has any suggestions about how to go about resolving
this? To me it looks like the AD server has 'forgotten' CHAP.

Here are some of the things I've tried:

 - Reinstalling the RRaS service in Win2003 (and IAS for good measure)
   based on advice from an MS KB article (Q254172) which Mike linked to in
   an archived email. (Didn't seem to make a difference.)
 - Looked for registry keys to do with CHAP and remote access (found an
   NTLMv1 key which another article mentioned.)
 - Updated and applied domain GPOs for reversible encryption and reset
   some passwords (in case it had been modified during the upgrade).

I notice from browsing previous emails that a few people are using
AuthByLSA and Windows 2003... did you have to do anything special to get
CHAP working? Unfortunately we have to use it as that is all that
Comindico's NASs will send.

Attached are the relevant parts of the current config and a partial
trace 4 logfile if anyone is interested.

Many, many thanks in advance if anyone can shine some light on this.

Cheers,
Mark

Mark Holgate 
IT Support Manager
Serco Sodexho Defence Services


-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.cfg
Type: application/octet-stream
Size: 6131 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040517/a49844f2/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace4.log
Type: application/octet-stream
Size: 20508 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040517/a49844f2/attachment-0001.obj>
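The background to the symptom in the post (CHAP fails while PAP, MS-CHAP and MS-CHAPv2 keep working) is how the CHAP response is formed. Under RFC 1994 the client returns MD5 over the one-byte CHAP identifier, the cleartext password and the challenge, so whatever verifies it must have the cleartext password available; that is exactly why AD's "store password using reversible encryption" is a prerequisite, whereas the MS-CHAP family can be checked from the NT hash alone. The following added example is not code from the post, from Radiator or from Microsoft; it reimplements the RFC 1994 check in Python, decodes the CHAP-Password attribute as it appears in the Radiator log above (Radiator prints non-printable bytes as `<nnn>`, an assumption about the log format), and shows that the first byte of that 17-byte attribute is the CHAP identifier (ASCII `5`) followed by the 16-byte response. The password `correct-horse` and the second, bad challenge are constructed values for the demonstration; the real password behind the logged request is not known, so the logged response itself is only decoded, not verified.

```python
import hashlib
import re
import secrets
from typing import Optional

# Values copied from the Radiator log in the post (CHAP-Challenge is the literal
# 16-character string radpwtst sent).
LOG_CHAP_PASSWORD = "5<191><216>:<181><243><159><10>Y<215>T<127>!s<5><221><179>"
LOG_CHAP_CHALLENGE = b"1234567890123456"

# Constructed value for the worked example; not the real account password.
DEMO_PASSWORD = b"correct-horse"


def decode_radiator_bytes(text: str) -> bytes:
    """Turn Radiator's printable-or-<nnn> rendering of a binary attribute
    back into raw bytes (assumed format: printable chars literal,
    everything else as <decimal>)."""
    out = bytearray()
    for m in re.finditer(r"<(\d{1,3})>|(.)", text, re.DOTALL):
        if m.group(1) is not None:
            out.append(int(m.group(1)))
        else:
            out.append(ord(m.group(2)))
    return bytes(out)


def chap_response(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


def build_chap_password_attr(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password: 1 byte CHAP ident followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, cleartext_password, challenge)


def verify_chap(cleartext_password: Optional[bytes], chap_password_attr: bytes,
                challenge: bytes) -> bool:
    """Server-side check. Returns False when only a one-way hash is on file
    (cleartext_password is None): CHAP cannot be verified from an NT hash,
    which is why AD must store the password reversibly for this to work."""
    if cleartext_password is None:
        return False
    if len(chap_password_attr) != 17:
        return False
    ident = chap_password_attr[0]
    expected = chap_response(ident, cleartext_password, challenge)
    # Constant-time comparison so the verifier does not leak which byte differed.
    return secrets.compare_digest(expected, chap_password_attr[1:])


def demo() -> dict:
    """Decode the logged attribute and run the check on constructed data."""
    logged = decode_radiator_bytes(LOG_CHAP_PASSWORD)
    good = build_chap_password_attr(logged[0], DEMO_PASSWORD, LOG_CHAP_CHALLENGE)
    return {
        "logged_length": len(logged),          # 17: ident + 16-byte MD5
        "logged_ident": logged[0],             # 0x35, the ASCII '5' in the log
        "ok_with_cleartext": verify_chap(DEMO_PASSWORD, good, LOG_CHAP_CHALLENGE),
        "wrong_password": verify_chap(b"not-the-password", good, LOG_CHAP_CHALLENGE),
        "wrong_challenge": verify_chap(DEMO_PASSWORD, good, b"6543210987654321"),
        "hash_only_store": verify_chap(None, good, LOG_CHAP_CHALLENGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `hash_only_store` case is the one that matches the post: if the directory no longer hands the LSA the cleartext (reversible encryption lost or not yet re-applied to the accounts, since the GPO only takes effect on the next password change), a CHAP check has nothing to recompute against, while PAP compares directly and MS-CHAP works from the NT hash.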