(RADIATOR) Windows LSA, LEAP, and RewriteUsername
Kawakubo, Ken
kkawakub at fhcrc.org
Thu Sep 16 17:42:29 CDT 2004
Hi Mike,
I downloaded the latest patch and copied EAP_17.pm of exactly 5760 bytes to
C:\Perl\site\lib\Radius directory and my radiator "distribution" directory.
I restarted radiator and tried LEAP authentication. I am getting the same
authentication failure with a username with realm. I paste the log here
again. The config is the same as before.
What I do not understand is that there is a line with "DEBUG:
Radius::AuthLSA ACCEPT:" and then the next line says "WARNING: Could not
LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password."
Ken Kawakubo
Code: Access-Request
Identifier: 150
Authentic: <164><227>"<139><187>u<199><134>VL<14><249>Z<<138>q
Attributes:
User-Name = "wireless1 at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0011.21fd.20e0"
Calling-Station-Id = "0030.6528.c3fa"
Service-Type = Login-User
Message-Authenticator =
<160><134><240><159><201>U8<19><179>I<179><174>.<207><6><210>
EAP-Message =
<2><2><0>3<17><1><0><24><160><137>|<15><17><128><187><168><152><127><153><31>/<159>|<147><231>$<127>S<168><197>k<215>wireless1 at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 436
NAS-IP-Address = aaa.bbb.ccc.ddd
NAS-Identifier = "test1g-ap "
Thu Sep 16 15:22:00 2004: DEBUG: Handling request with Handler ''
Thu Sep 16 15:22:00 2004: DEBUG: Deleting session for wireless1 at fhcrc.org,
aaa.bbb.ccc.ddd, 436
Thu Sep 16 15:22:00 2004: DEBUG: Handling with Radius::AuthLSA:
Thu Sep 16 15:22:00 2004: DEBUG: Handling with EAP: code 2, 2, 51
Thu Sep 16 15:22:00 2004: DEBUG: Response type 17
Thu Sep 16 15:22:00 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 15:22:00 2004: DEBUG: Radius::AuthLSA looks for match with
wireless1
Thu Sep 16 15:22:00 2004: DEBUG: Radius::AuthLSA ACCEPT:
Thu Sep 16 15:22:00 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon
failure: unknown user name or bad password.
Thu Sep 16 15:22:00 2004: DEBUG: EAP result: 1, Bad LEAP Password
Thu Sep 16 15:22:00 2004: INFO: Access rejected for wireless1 at fhcrc.org: Bad
LEAP Password
Thu Sep 16 15:22:00 2004: DEBUG: Packet dump:
*** Sending to 140.107.74.146 port 21652 ....
Code: Access-Reject
Identifier: 150
Authentic: <164><227>"<139><187>u<199><134>VL<14><249>Z<<138>q
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Thursday, September 16, 2004 2:47 PM
To: Kawakubo, Ken
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Windows LSA, LEAP, and RewriteUsername
Hello Ken,
there was a recent problem with the 3.9 patch set: the EAP_17.pm that should
have been included was inadvertently left out.
You should confirm that you have the very latest patch set, including
EAP_17.pm of exactly 5760 bytes.
Cheers.
On Friday 17 September 2004 02:46, Kawakubo, Ken wrote:
> All,
>
> I am in the process of migrating Radiator 3.9 with the latest patches
> from Linux to Windows platform to take advantage of Authby LSA for
> PEAP, EAP-TTLS, and LEAP wireless access.
>
> I have managed to get PEAP and EAP-TTLS to work with LSA but having
> problems with LEAP.
>
> I created a test radius.conf which is only concerned with LEAP LSA
> authentication.
>
> Here is the snippet.
>
> <Handler>
>     <AuthBy LSA>
>         RewriteUsername s/^([^@]+).*/$1/
>         Domain fhcrc
>         DefaultDomain fhcrc
>         DomainController wluc01
>         EAPType LEAP
>     </AuthBy>
>     AcctLogFileName %L/detail
>     AuthLog eap-authlog
> </Handler>
>
> I tested with MacOSX Internet Connect. When I enter a username without
> realm name, I get Access-Accept, but when I enter a username with a
> realm name, I get Access-Reject.
>
> Here are the differences in Trace 4 logs.
>
> When I enter a username without realm name:
>
> Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 21651 ....
> Code: Access-Request
> Identifier: 76
> Authentic: <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
> Attributes:
> User-Name = "wireless1"
> Framed-MTU = 1400
> Called-Station-Id = "0011.21fd.20e0"
> Calling-Station-Id = "0030.6528.c3fa"
> Service-Type = Login-User
> Message-Authenticator = iED>@<170>H<0><138><9>b<8>T<136><6><179>
> EAP-Message =
> <1><2><0><25><17><1><0><8><2>x<186><196>4W<195>twireless1
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 319
> NAS-IP-Address = aaa.bbb.ccc.ddd
> NAS-Identifier = "test1g-ap "
>
> Thu Sep 16 09:31:53 2004: DEBUG: Handling request with Handler ''
> Thu Sep 16 09:31:53 2004: DEBUG: Deleting session for wireless1, aaa.bbb.ccc.ddd, 319
> Thu Sep 16 09:31:53 2004: DEBUG: Handling with Radius::AuthLSA:
> Thu Sep 16 09:31:53 2004: DEBUG: Handling with EAP: code 1, 2, 25
> Thu Sep 16 09:31:53 2004: DEBUG: EAP Request 17
> Thu Sep 16 09:31:53 2004: DEBUG: Rewrote identity to wireless1
> Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA looks for match with
> wireless1
> Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Thu Sep 16 09:31:53 2004: DEBUG: EAP result: 0, EAP LEAP Accept
> Thu Sep 16 09:31:53 2004: DEBUG: Access accepted for wireless1
> Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
> *** Sending to 140.107.74.146 port 21651 ....
> Code: Access-Accept
> Identifier: 76
> Authentic: <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
> Attributes:
> EAP-Message =
> <2><2><0>)<17><1><0><24><159><186><226>2<7>l<17><215><192>F)<217><231><23><1 54><136><144><158><218><145><216>k[<185>wireless1
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> cisco-avpair = "leap:session-key=<181>ga<8><185>,a<166>;H2<182><152>"<150><206>k<28><10>"nG <10><11><5>^<12><127>K7<168><13><127>~
>
>
> When I enter a username with realm name:
>
> Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 21651 ....
> Code: Access-Request
> Identifier: 80
> Authentic: Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
> Attributes:
> User-Name = "wireless1 at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0011.21fd.20e0"
> Calling-Station-Id = "0030.6528.c3fa"
> Service-Type = Login-User
> Message-Authenticator =
> hvEQ<241><200>`<176><130><27><201><217><20><178><245><165>
> EAP-Message =
> <2><2><0>3<17><1><0><24><186><242><144><131><174><188>7,l;<150><206>!G<3><20><133>W<147>ln<214>])wireless1 at fhcrc.org
>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 320
> NAS-IP-Address = aaa.bbb.ccc.ddd
> NAS-Identifier = "test1g-ap "
>
> Thu Sep 16 09:32:25 2004: DEBUG: Handling request with Handler ''
> Thu Sep 16 09:32:25 2004: DEBUG: Deleting session for wireless1 at fhcrc.org, aaa.bbb.ccc.ddd, 320
> Thu Sep 16 09:32:25 2004: DEBUG: Handling with Radius::AuthLSA:
> Thu Sep 16 09:32:25 2004: DEBUG: Handling with EAP: code 2, 2, 51
> Thu Sep 16 09:32:25 2004: DEBUG: Response type 17
> Thu Sep 16 09:32:25 2004: DEBUG: Rewrote identity to wireless1
> Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA looks for match with wireless1
> Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Thu Sep 16 09:32:25 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon
> failure: unknown user name or bad password.
>
>
> Thu Sep 16 09:32:25 2004: DEBUG: EAP result: 1, Bad LEAP Password
> Thu Sep 16 09:32:25 2004: INFO: Access rejected for wireless1 at fhcrc.org: Bad LEAP Password
> Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
> *** Sending to 140.107.74.146 port 21651 ....
> Code: Access-Reject
> Identifier: 80
> Authentic: Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Please note that RewriteUsername appears to be removing realm name in
> either case. I made sure that I used the same password in both cases.
> I read in the mailing archive that a patch was issued for LEAP to
> accept RewriteUsername previously, but the patch does not seem to be
> working. I am using EAP_17.pm dated 12/23/2003 3:40pm.
>
> Ken Kawakubo
> FHCRC IT
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe
> radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
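As an added example (not from the thread, and not Radiator's own code), a small Python triage script that walks Trace 4 log lines like the ones quoted above, re-applies the RewriteUsername rule from Ken's radius.conf to each User-Name, and flags requests where Radius::AuthLSA reported ACCEPT but the MS-CHAP network logon still failed, the pair of lines Ken asks about. The sample log is constructed from the thread's own lines; the real User-Name carries a literal "@" that the list archive prints as " at ".

```python
import re
# Constructed sample, condensed from the thread's Trace 4 log (the archive prints "@" as " at ").
SAMPLE_LOG = """\
*** Received from aaa.bbb.ccc.ddd port 21651 ....
Identifier: 76
User-Name = "wireless1"
Thu Sep 16 09:31:53 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA ACCEPT:
Thu Sep 16 09:31:53 2004: DEBUG: EAP result: 0, EAP LEAP Accept
*** Received from aaa.bbb.ccc.ddd port 21651 ....
Identifier: 80
User-Name = "wireless1@fhcrc.org"
Thu Sep 16 09:32:25 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA ACCEPT:
Thu Sep 16 09:32:25 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password.
Thu Sep 16 09:32:25 2004: DEBUG: EAP result: 1, Bad LEAP Password
"""
# The RewriteUsername rule from the quoted radius.conf, as a Python regex.
REWRITE_PATTERN, REWRITE_REPL = r"^([^@]+).*", r"\1"
def parse_requests(log_text):
    """One record per Access-Request, split on the 'Received from' marker."""
    records = []
    for chunk in re.split(r"^\*\*\* Received from .*$", log_text, flags=re.M)[1:]:
        rec = {"id": None, "user": "", "rewritten": None, "result": None,
               "lsa_accept": False, "mschap_warning": False}
        for line in chunk.splitlines():
            if m := re.search(r"^\s*Identifier:\s*(\d+)", line):
                rec["id"] = int(m.group(1))
            elif m := re.search(r'User-Name = "([^"]*)"', line):
                rec["user"] = m.group(1)
            elif m := re.search(r"Rewrote identity to (\S+)", line):
                rec["rewritten"] = m.group(1)
            elif m := re.search(r"EAP result: (\d+), (.*)", line):
                rec["result"] = (int(m.group(1)), m.group(2).strip())
            elif "Radius::AuthLSA ACCEPT:" in line:
                rec["lsa_accept"] = True
            elif "Could not LogonUserNetworkMSCHAP" in line:
                rec["mschap_warning"] = True
        records.append(rec)
    return records

def triage(records):
    """Per request: (id, has_realm, rewrite_matches_config, accept_then_logon_failure, rejected)."""
    out = []
    for r in records:
        expected = re.sub(REWRITE_PATTERN, REWRITE_REPL, r["user"])
        out.append((r["id"], "@" in r["user"], expected == r["rewritten"],
                    r["lsa_accept"] and r["mschap_warning"],
                    r["result"] is not None and r["result"][0] != 0))
    return out
```

Run against a full Trace 4 log, a row reading (id, True, True, True, True) is exactly Ken's symptom: the realm was stripped as configured and the LSA lookup matched, yet the MS-CHAP logon was refused.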