(RADIATOR) Error authenticating with Active Directory

Elena Alcantud Perez ealcantud at hotmail.com
Wed Sep 8 06:24:44 CDT 2004


Hi,

I am configuring Radiator with EAP-TTLS/Active Directory authentication. My 
problem is that I can't get the tunnelled user "anonymous" to authenticate 
correctly, so the process stops and the real domain user can't be 
authenticated.

We are running Radiator on XP and we have a Windows 2000 server with Active 
Directory, both of them in the same domain. In the "Users" container, 
where all users can be found, I have created an "anonymous" user.

Changing the RADIUS configuration and sniffing the packets sent between 
Radiator and the W2000 server, we obtain different captures, neither of them 
with a successful authentication.

My server is named "w2k-ad.radius.local" and the BindString refers to an 
existing user in the container. In the server debug output I see that there 
is an error in "OpenDSObject".
-----------------------------------------------------------------------------------------------------------
Wed Sep  8 12:19:55 2004: DEBUG: Packet dump:
*** Received from xxxxxx port 1645 ....
Code:       Access-Request
Identifier: 52
Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
Attributes:
	User-Name = "anonymous@radius.local"
	Framed-MTU = 1400
	Called-Station-Id = "0002.8a78.b876"
	Calling-Station-Id = "0004.75bb.554c"
	NAS-Port-Type = Wireless-IEEE-802-11
	Message-Authenticator = 
<150><161>0<0><254><3><181>k<156>J<184><226>Z<144><207>x
	EAP-Message = <2><1><0><14><1>anonymous@radius.local
	NAS-Port-Type = Virtual
	NAS-Port = 212
	Service-Type = Login-User
	NAS-IP-Address = xxxxxxx
	NAS-Identifier = "ap1-cisco"

Fri Sep  3 13:03:08 2004: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Fri Sep  3 13:03:08 2004: DEBUG: Rewrote user name to anonymous
Fri Sep  3 13:03:08 2004: DEBUG:  Deleting session for 
anonymous@radius.local, xxxxxxxx, 212
Fri Sep  3 13:03:08 2004: DEBUG: Handling with ASDI
Fri Sep  3 13:03:08 2004: DEBUG: BindString converted to 
LDAP://w2k-ad.radius.local/cn=anonymous,cn=Users,dc=radius,dc=local
Fri Sep  3 13:03:08 2004: DEBUG: AuthUser converted to anonymous
Fri Sep  3 13:03:08 2004: DEBUG: Connecting to namespace: LDAP:
Fri Sep  3 13:03:08 2004: DEBUG: Running OpenDSObject on 
LDAP://w2k-ad.radius.local/cn=anonymous,cn=Users,dc=radius,dc=local
Fri Sep  3 13:03:08 2004: DEBUG: Could not get user object: 
Win32::OLE(0.1701) error 0x8002000f: "Parameter not optional"
    in METHOD/PROPERTYGET "OpenDSObject"
Fri Sep  3 13:03:08 2004: INFO: Access rejected for anonymous: Could not 
find user
Fri Sep  3 13:03:08 2004: DEBUG: Packet dump:
*** Sending to 147.84.115.17 port 1645 ....
Code:       Access-Reject
Identifier: 25
Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
Attributes:
	Reply-Message = "Could not find user"

---------------------------------------------------------------------------------------------------------------------------

My configuration file is:

---------------------------------------------------------------------------------------------------

Foreground
LogStdout
LogDir		c:/Program Files/Radiator
DbDir		c:/Program Files/Radiator
Trace		4

AuthPort 1812
AcctPort 1813
SocketQueueLength 1000000
#RewriteUsername	s/^(.*)\\(.*)/$2\@$1/


<Client DEFAULT>
	Secret romea
	DupInterval 0
	DefaultRealm radius.local
</Client>


<Realm DEFAULT>

	# Strips the realm. You will want to do this if your database
	# contains usernames without realms
	RewriteUsername	s/^([^@]+).*/$1/

	MaxSessions	2
	AcctLogFileName	%L/detail
	WtmpFileName %L/wtmp

	<AuthLog FILE>
		Identifier myauthlogger
		Filename %L/authlog
		LogSuccess 1
		LogFailure 1
	</AuthLog>

	RejectHasReason

	<AuthBy ADSI>
		Identifier ADSI

		SearchAttribute   userPrincipalName

		BindString LDAP://w2k-ad.radius.local/cn=%0,cn=Users,dc=radius,dc=local

		AuthUser  %0
		#AuthUser cn=%0,cn=Users,dc=radius,dc=local

		AuthFlags 0

		DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
		AddToReply Reply-Message=hello
		RcryptKey romea

		EAPType TTLS, TLS
		.....
		***All EAPTLS parameters are ok --> TTLS with AuthBy FILE works

		EAPAnonymous anonymous
		AutoMPPEKeys
	</AuthBy>

</Realm>

<Handler TunnelledByTTLS=1>
	AuthBy ADSI
</Handler>

------------------------------------------------------------------------------------------------
Attached to the mail there are two Ethereal captures with different results:

ldap-authuser%0 --> When in radius.cnf the line AuthUser 
cn=%0,cn=Users,dc=radius,dc=local is commented out, it says no object found

ldap-authuserdn (filter = ldap) --> When in radius.cnf the line AuthUser %0 is 
commented out, it seems to be a policy problem



It seems to me that everything is ok, but ..... it is not.


Thank you for your help

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-authuserDN
Type: application/octet-stream
Size: 6819 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040908/b4a9940d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-authuser%0
Type: application/octet-stream
Size: 6939 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040908/b4a9940d/attachment-0001.obj>
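The debug output above shows the chain Radiator walks before it ever talks to the directory: the EAP-Message carries the outer identity, the Client's DefaultRealm and the Realm's RewriteUsername shape the user name, and %0 in BindString is then substituted into an LDAP DN. The following Python is an added example written for this page, not code from the post or from Radiator; it decodes the <N> byte notation of a Radiator packet dump, parses the EAP Identity response (RFC 3748 header: code, id, length, type), applies the same realm rules as the configuration above, and builds the BindString DN. The escaping helper (RFC 4514) and the length check go beyond the post: they show the check a practitioner would want before a raw identity is spliced into a DN. The sample dump strings are constructed here, not taken from the captures.

```python
import re
from typing import Optional

# One <decimal> escape as printed in Radiator's packet dump notation.
_ESC = re.compile(r"<(\d{1,3})>")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def unescape_dump(s: str) -> bytes:
    """Turn Radiator's dump notation (non-printables as <N>) back into bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP header; for an Identity Request/Response also return the identity.

    Raises ValueError when the length field disagrees with the bytes present.
    """
    if len(pkt) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != actual {len(pkt)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if len(pkt) < 5:
            raise ValueError("Request/Response needs a Type byte")
        info["type"] = pkt[4]
        if pkt[4] == EAP_TYPE_IDENTITY:
            info["identity"] = pkt[5:].decode("utf-8", errors="replace")
    return info


def identity_from_dump(dump: str) -> Optional[str]:
    """Identity carried by a dumped EAP-Message, or None if it is not a valid Identity packet."""
    try:
        info = parse_eap(unescape_dump(dump))
    except ValueError:
        return None
    return info.get("identity")


def apply_default_realm(user: str, realm: str) -> str:
    """<Client> DefaultRealm: append @realm when the User-Name has no realm."""
    return user if "@" in user else f"{user}@{realm}"


def strip_realm(user: str) -> str:
    """<Realm DEFAULT> RewriteUsername s/^([^@]+).*/$1/ : keep only the part before @."""
    return re.sub(r"^([^@]+).*", r"\1", user)


_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(template: str, user: str, escape: bool = True) -> str:
    """Substitute %0 (the rewritten user name) into a BindString template.

    Radiator itself substitutes the raw name; escape=True shows the safe variant.
    """
    return template.replace("%0", escape_dn_value(user) if escape else user)


def outer_identity_dn(dump: str, default_realm: str, template: str) -> Optional[str]:
    """Whole chain: EAP Identity -> DefaultRealm -> RewriteUsername -> BindString DN."""
    identity = identity_from_dump(dump)
    if identity is None:
        return None
    return bind_dn(template, strip_realm(apply_default_realm(identity, default_realm)))


if __name__ == "__main__":
    # Constructed sample: EAP Response, id 1, length 14, type Identity, "anonymous".
    tmpl = "LDAP://w2k-ad.radius.local/cn=%0,cn=Users,dc=radius,dc=local"
    print(outer_identity_dn("<2><1><0><14><1>anonymous", "radius.local", tmpl))
```

Running the script prints the same DN the log reports under "BindString converted to", which is the point: with AuthBy ADSI inside Realm DEFAULT, the outer (anonymous) identity is looked up in the directory exactly like an inner one would be.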

