(RADIATOR) Windows LSA, LEAP, and RewriteUsername
Mike McCauley
mikem at open.com.au
Thu Sep 16 19:56:19 CDT 2004
Hi Ken,
On Friday 17 September 2004 08:42, Kawakubo, Ken wrote:
> Hi Mike,
>
> I downloaded the latest patch and copied EAP_17.pm of exactly 5760 bytes to
> C:\Perl\site\lib\Radius directory and my radiator "distribution" directory.
> I restarted radiator and tried LEAP authentication. I am getting the same
> authentication failure with a username with realm. I paste the log here
> again. The config is the same as bebore.
OK, sounds like you have the latest version.
>
> What I do not understand is that there is a line with "DEBUG:
> Radius::AuthLSA ACCEPT:" and then the next line says WARNING: Could not
> LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password."
That is a side effect of the way that module works. The one to believe is the
WARNING.
The problem here is that the RewriteUsername affects the Radius username, but
the LEAP authentication is done based on the LEAP identity. You cant muck
about with the LEAP identity and still have the LEAP mutual authentication
work correctly. Thats why RewriteUsername does not change the LEAP identity.
Therefore, your LEAP users will have to use their username without a realm.
Tests here show that if you dont force the domain with the Domain and
DefaultDomain parameters, AuthBy LSA can find the right domain if the
username contains the right realm. Therefore, if you comment out your Domain
and DefaultDomain, your users should be able to log in with both the bare
username and username at dns.domain.name, if your AD is configured corrrectly.
Alternative, you could have them log in with DOMAIN/username. Some LEAP
client allow you to set the User-Name different to the LEAP identity,
allowing you to control the Radius routing independently of the LEAP
authentication.
Hope that helps.
Cheers
>
> Ken Kawakubo
>
> Code: Access-Request
> Identifier: 150
> Authentic: <164><227>"<139><187>u<199><134>VL<14><249>Z<<138>q
> Attributes:
> User-Name = "wireless1 at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0011.21fd.20e0"
> Calling-Station-Id = "0030.6528.c3fa"
> Service-Type = Login-User
> Message-Authenticator =
> <160><134><240><159><201>U8<19><179>I<179><174>.<207><6><210>
> EAP-Message =
> <2><2><0>3<17><1><0><24><160><137>|<15><17><128><187><168><152><127><153><3
>1
>
> >/<159>|<147><231>$<127>S<168><197>k<215>wireless1 at fhcrc.org
>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 436
> NAS-IP-Address = aaa.bbb.ccc.ddd
> NAS-Identifier = "test1g-ap "
>
> Thu Sep 16 15:22:00 2004: DEBUG: Handling request with Handler ''
> Thu Sep 16 15:22:00 2004: DEBUG: Deleting session for wireless1 at fhcrc.org,
> aaa.bbb.ccc.ddd, 436
> Thu Sep 16 15:22:00 2004: DEBUG: Handling with Radius::AuthLSA:
> Thu Sep 16 15:22:00 2004: DEBUG: Handling with EAP: code 2, 2, 51
> Thu Sep 16 15:22:00 2004: DEBUG: Response type 17
> Thu Sep 16 15:22:00 2004: DEBUG: Rewrote identity to wireless1
> Thu Sep 16 15:22:00 2004: DEBUG: Radius::AuthLSA looks for match with
> wireless1
> Thu Sep 16 15:22:00 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Thu Sep 16 15:22:00 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon
> failure: unknown user name or bad password.
>
>
> Thu Sep 16 15:22:00 2004: DEBUG: EAP result: 1, Bad LEAP Password
> Thu Sep 16 15:22:00 2004: INFO: Access rejected for wireless1 at fhcrc.org:
> Bad LEAP Password
> Thu Sep 16 15:22:00 2004: DEBUG: Packet dump:
> *** Sending to 140.107.74.146 port 21652 ....
> Code: Access-Reject
> Identifier: 150
> Authentic: <164><227>"<139><187>u<199><134>VL<14><249>Z<<138>q
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Thursday, September 16, 2004 2:47 PM
> To: Kawakubo, Ken
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Windows LSA, LEAP, and RewriteUsername
>
>
> Hello Ken,
>
> there was a recent problem with the 3.9 patch set: the EAP_17.pm that
> should
>
> have been included was inadvertently left out.
>
> You should confirm that you have the very latest patch set, including
> EAP_17.pm of exactly 5760 bytes.
>
> Cheers.
>
> On Friday 17 September 2004 02:46, Kawakubo, Ken wrote:
> > All,
> >
> > I am in the process of migrating Radiator 3.9 with the latest patches
> > from Linux to Windows platform to take advantage of Authby LSA for
> > PEAP, EAP-TTLS, and LEAP wireless access.
> >
> > I have managed to get PEAP and EAP-TTLS to work with LSA but having
> > problems with LEAP.
> >
> > I created a test radius.conf which is only concerned with LEAP LSA
> > authentication.
> >
> > Here is the snippet.
> >
> > <Handler>
> > <AuthBy LSA>
> >
> > RewriteUsername s/^([^@]+).*/$1/
> >
> > Domain fhcrc
> >
> > DefaultDomain fhcrc
> >
> > DomainController wluc01
> >
> > EAPType LEAP
> >
> > </AuthBy>
> >
> > AcctLogFileName %L/detail
> > AuthLog eap-authlog
> > </Handler>
> >
> > I tested with MacOSX Internet Connect. When I enter a username without
> > realm name, I get Access-Accept, but when I enter a username with a
> > realm name, I get Access-Reject.
> >
> > Here are the differences in Trace 4 logs.
> >
> > When I enter a username without realm name:
> >
> > Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
> > *** Received from aaa.bbb.ccc.ddd port 21651 ....
> > Code: Access-Request
> > Identifier: 76
> > Authentic: <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
> > Attributes:
> > User-Name = "wireless1"
> > Framed-MTU = 1400
> > Called-Station-Id = "0011.21fd.20e0"
> > Calling-Station-Id = "0030.6528.c3fa"
> > Service-Type = Login-User
> > Message-Authenticator = iED>@<170>H<0><138><9>b<8>T<136><6><179>
> > EAP-Message =
> > <1><2><0><25><17><1><0><8><2>x<186><196>4W<195>twireless1
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 319
> > NAS-IP-Address = aaa.bbb.ccc.ddd
> > NAS-Identifier = "test1g-ap "
> >
> > Thu Sep 16 09:31:53 2004: DEBUG: Handling request with Handler '' Thu
> >Sep 16 09:31:53 2004: DEBUG: Deleting session for wireless1,
> >aaa.bbb.ccc.ddd, 319 Thu Sep 16 09:31:53 2004: DEBUG: Handling with
> >Radius::AuthLSA: Thu Sep 16 09:31:53 2004: DEBUG: Handling with EAP:
> >code 1, 2, 25 Thu Sep 16 09:31:53 2004: DEBUG: EAP Request 17
> > Thu Sep 16 09:31:53 2004: DEBUG: Rewrote identity to wireless1
> > Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA looks for match with
> > wireless1
> > Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA ACCEPT:
> > Thu Sep 16 09:31:53 2004: DEBUG: EAP result: 0, EAP LEAP Accept
> > Thu Sep 16 09:31:53 2004: DEBUG: Access accepted for wireless1
> > Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
> > *** Sending to 140.107.74.146 port 21651 ....
> > Code: Access-Accept
> > Identifier: 76
> > Authentic: <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
> > Attributes:
> > EAP-Message =
>
> <2><2><0>)<17><1><0><24><159><186><226>2<7>l<17><215><192>F)<217><231><23><
>
> >1 54><136><144><158><218><145><216>k[<185>wireless1
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > cisco-avpair =
>
> "leap:session-key=<181>ga<8><185>,a<166>;H2<182><152>"<150><206>k<28><10>"n
>
> >G <10><11><5>^<12><127>K7<168><13><127>~
> >
> >
> > when I enter a username with realm name:
> >
> > Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
> > *** Received from aaa.bbb.ccc.ddd port 21651 ....
> > Code: Access-Request
> > Identifier: 80
> > Authentic: Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
> > Attributes:
> > User-Name = "wireless1 at fhcrc.org"
> > Framed-MTU = 1400
> > Called-Station-Id = "0011.21fd.20e0"
> > Calling-Station-Id = "0030.6528.c3fa"
> > Service-Type = Login-User
> > Message-Authenticator =
> >hvEQ<241><200>`<176><130><27><201><217><20><178><245><165>
> > EAP-Message =
> ><2><2><0>3<17><1><0><24><186><242><144><131><174><188>7,l;<150><206>!G<
> >3><2
> >0
> >
> > ><133>W<147>ln<214>])wireless1 at fhcrc.org
> >
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 320
> > NAS-IP-Address = aaa.bbb.ccc.ddd
> > NAS-Identifier = "test1g-ap "
> >
> > Thu Sep 16 09:32:25 2004: DEBUG: Handling request with Handler '' Thu
> > Sep 16 09:32:25 2004: DEBUG: Deleting session for
> > wireless1 at fhcrc.org, aaa.bbb.ccc.ddd, 320 Thu Sep 16 09:32:25 2004:
> > DEBUG: Handling with Radius::AuthLSA: Thu Sep 16 09:32:25 2004: DEBUG:
> > Handling with EAP: code 2, 2, 51 Thu Sep 16 09:32:25 2004: DEBUG:
> > Response type 17 Thu Sep 16 09:32:25 2004: DEBUG: Rewrote identity to
> > wireless1 Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA looks for
> > match with wireless1
> > Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA ACCEPT:
> > Thu Sep 16 09:32:25 2004: WARNING: Could not LogonUserNetworkMSCHAP:
> > Logon failure: unknown user name or bad password.
> >
> >
> > Thu Sep 16 09:32:25 2004: DEBUG: EAP result: 1, Bad LEAP Password Thu
> > Sep 16 09:32:25 2004: INFO: Access rejected for wireless1 at fhcrc.org:
> > Bad LEAP Password Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
> > *** Sending to 140.107.74.146 port 21651 ....
> > Code: Access-Reject
> > Identifier: 80
> > Authentic: Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
> > Attributes:
> > EAP-Message = <4><2><0><4>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Reply-Message = "Request Denied"
> >
> > Please note that RewriteUsername appears to be removing realm name in
> > either case. I made sure that I used the same password in both cases.
> > I read in the mailing archive that a patch was issued for LEAP to
> > accept RewriteUsername previously, but the patch does not seem to be
> > working. I am using EAP_17.pm dated 12/23/2003 3:40pm.
> >
> > Ken Kawakubo
> > FHCRC IT
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe
> > radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list