(RADIATOR) initial run using simple.cfg with NAS client added fails

Jeff Wolfe wolfe at ems.psu.edu
Thu Dec 22 18:37:43 CST 2005


Mike McCauley wrote:
> Hi,
> 
> I'm sorry that I am not expert enough in Kerberos to answer your question. All 
> I can say is that the error message you are seeing makes me think the 
> Kerberos client code does not trust the answer from the Kerberos server.

Decrypt Integrity Check failures 99% of the time point to a bad password.


>>>>*** Received from 128.32.231.212 port 32870 ....
>>>>Code:       Access-Request
>>>>Identifier: 226
>>>>Authentic:  <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
>>>>Attributes:
>>>>         NAS-IP-Address = 128.32.231.212
>>>>         User-Name = "joon"
>>>>         User-Password =
>>>><148><214><241><253><11>Q<246><22><214>wB<14><0><140><203><127><0>9<23
>>>>0>
>>>>=cq<201><147><177><11><174><12><3><31>Z<173>

This smells like an MSCHAP encrypted password. Are you sure your 
EAP-TTLS client is configured to use PAP as the inner authentication 
protocol?

>>>>Wed Dec 21 13:56:28 2005: DEBUG: Handling request with Handler
>>>>'Realm=DEFAULT'
>>>>Wed Dec 21 13:56:28 2005: DEBUG:  Deleting session for joon,
>>>>128.32.231.212,
>>>>Wed Dec 21 13:56:28 2005: DEBUG: Handling with Radius::AuthKRB5:
>>>>Wed Dec 21 13:56:28 2005: DEBUG: Radius::AuthKRB5 looks for match with
>>>>joon [joon]
>>>>Wed Dec 21 13:56:28 2005: DEBUG: Building Kerberos principal:
>>>>joon at BERKELEY.EDU
>>>>Wed Dec 21 13:56:29 2005: DEBUG: Radius::AuthKRB5 REJECT: Kinit
>>>>failed:
>>>>Decrypt integrity check failed: joon [joon]
>>>>Wed Dec 21 13:56:29 2005: DEBUG: AuthBy KRB5 result: REJECT, Kinit
>>>>failed: Decrypt integrity check failed
>>>>Wed Dec 21 13:56:29 2005: INFO: Access rejected for joon: Kinit
>>>>failed:
>>>>Decrypt integrity check failed

>>>>[ndrl5] ~> kinit
>>>>joon at BERKELEY.EDU's Password:
>>>>kinit: NOTICE: ticket renewable lifetime is 1 week
>>>>[ndrl5] ~> klist
>>>>Credentials cache: FILE:/tmp/krb5cc_5696
>>>>         Principal: joon at BERKELEY.EDU

The AuthKRB5 module tells you the principal it's using, 
"joon at BERKELEY.EDU", which is consistent with what you get when you use 
kinit. I don't think it's a principal problem.

$0.02

-JEff

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
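
A check related to the PAP question in the message above, as an added example that is not part of the original post or of Radiator's code: RFC 2865 section 5.2 hides a PAP User-Password by XORing it with an MD5 chain over the shared secret and the Request Authenticator, so a captured value can be tested by reversing that with the expected secret. The secret, authenticator and password below are constructed, and the printable-ASCII test is a heuristic assumption.

```python
import hashlib


def _xor_block(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Key = MD5(shared secret + previous ciphertext block, or the authenticator)
    key = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, key))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a PAP client/NAS does: NUL-pad to 16-byte blocks, then chain-XOR."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does; the result still carries the NUL padding."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("not a valid PAP User-Password length")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_block(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out


def looks_like_pap(hidden: bytes, secret: bytes, authenticator: bytes) -> bool:
    """Heuristic (assumption): printable ASCII followed only by NUL padding."""
    try:
        clear = reveal_password(hidden, secret, authenticator).rstrip(b"\x00")
    except ValueError:
        return False
    return bool(clear) and all(32 <= c < 127 for c in clear)


# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"correct horse battery", SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    print(len(HIDDEN), looks_like_pap(HIDDEN, SECRET, AUTHENTICATOR))
    print(looks_like_pap(HIDDEN, b"wrong-secret", AUTHENTICATOR))
```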

