(RADIATOR) MS-Chap ver2 from a Watchguard Firebox
Hugh Irvine
hugh at open.com.au
Tue Jan 4 01:24:34 CST 2005
Hello Erik -
Have you checked the username and password using the "radpwtst" utility?
Can you please send me a copy of the user record from the database?
regards
Hugh
On 3 Jan 2005, at 23:48, Erik Wirring LE34 Trimble Center Danmark wrote:
> Hi
>
> I am trying to set up Radiator to validate VPN (pptp) users on a
> Watchguard Firebox but I am getting no success.
> I am pretty sure that it is not the password that is wrong.
>
> I have the un-encrypted password in the database field PASSWORD
> Here is the debug response:
>
> Mon Jan 3 12:25:41 2005: DEBUG: Packet dump:
> *** Received from 192.168.34.200 port 16478 ....
> Code: Access-Request
> Identifier: 31
> Authentic:
> <31><228><205><211><130>V<136><239><31><198><224>ep<221><241>/
> Attributes:
> User-Name = "EW"
> MS-CHAP-Challenge = c~<140><222><2>?<247><185><4>tyQ<10>Y<175>J
> MS-CHAP2-Response =
> <129><0><17><14>*<215>z'Qda<25><181>(<132><243>/
> N<0><0><0><0><0><0><0><0><239><227>~C/
> *a<171>e<225>{@<214>*ly<169>+%9<0><224><255><242>
> NAS-Identifier = "firebox"
> NAS-Port = 15453
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
>
> Mon Jan 3 12:25:41 2005: DEBUG: Handling request with Handler
> 'Realm=DZONG'
> Mon Jan 3 12:25:41 2005: DEBUG: DZONGDB Deleting session for EW,
> 192.168.34.200, 15453
> Mon Jan 3 12:25:41 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='192.168.34.200' and NASPORT=015453':
> Mon Jan 3 12:25:41 2005: DEBUG: Handling with Radius::AuthSQL
> Mon Jan 3 12:25:41 2005: DEBUG: Handling with Radius::AuthSQL:
> Mon Jan 3 12:25:41 2005: DEBUG: Query is: 'select PASSWORD,
> CHECKATTR, REPLYATTR from DzongLogin where BINARY
> USERNAME='EW at DZONG'':
> Mon Jan 3 12:25:41 2005: DEBUG: Radius::AuthSQL looks for match with
> EW at DZONG
> Mon Jan 3 12:25:41 2005: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Mon Jan 3 12:25:41 2005: DEBUG: Query is: 'select PASSWORD,
> CHECKATTR, REPLYATTR from DzongLogin where BINARY USERNAME='DEFAULT'':
> Mon Jan 3 12:25:41 2005: INFO: Access rejected for EW at DZONG: Bad
> Password
> Mon Jan 3 12:25:41 2005: DEBUG: Packet dump:
> *** Sending to 192.168.34.200 port 16478 ....
> Code: Access-Reject
> Identifier: 31
> Authentic:
> <31><228><205><211><130>V<136><239><31><198><224>ep<221><241>/
> Attributes:
> Reply-Message = "Request Denied"
>
> Here a part of the config:
>
> # WatchGuard Firebox X700 Dzong
> <Client 192.168.34.200>
> Secret *********
> DupInterval 2
> DefaultRealm DZONG
> </Client>
> .
> .
> .
> <SessionDatabase SQL>
>
> DBSource dbi:mysql:radius
> DBUsername ob
> DBAuth *********
> Identifier DZONGDB
>
> #AddQuery insert into DZONGONLINE (USERNAME, NASIDENTIFIER,
> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS) values
> ('%{Calling-Station-Id}', '%N', '%{Acct-Session-Id}', %{Timestamp},
> '%{Framed-IP-Address}')
> #DeleteQuery delete from DZONGONLINE where NASIDENTIFIER='%N' and
> USERNAME='%{Calling-Station-Id}'
> #ClearNasQuery delete from DZONGONLINE where NASIDENTIFIER='%N'
> #CountQuery select NASIDENTIFIER, ACCTSESSIONID from GPRSONLINE where
> USERNAME='%{Calling-Station-Id}'
>
> </SessionDatabase>
>
> # This will authenticate users from SUBSCRIBERS
> <Realm DEFAULT>
> .
> .
> .
> </Realm>
>
> <Realm DZONG>
>
> <AuthBy SQL>
>
> #RewriteUsername s/^([^@]+).*/$1/
>
> DBSource dbi:mysql:radius
> DBUsername ob
> DBAuth ****************
> AuthSelect select PASSWORD, CHECKATTR, REPLYATTR from DzongLogin
> where BINARY USERNAME=%0
>
> AutoMPPEKeys
> AddToReply Filter-Id = pptp_users
>
> # You may want to tailor these for your ACCOUNTING table
> # You can add your own columns to store whatever you like
>
>
> </AuthBy>
> SessionDatabase DZONGDB
> </Realm>
>
> Best Regards
>
> Erik Wirring
> Chief Software Engineer
> Chartered Surveyor
>
> Email: EW at TrimbleCenter.Dk
> Direct tel: +45 77 332 257
> Mobile : +45 51 314 257
>
> Trimble Center Danmark A/S
> Energivej 34
> DK-2750 Ballerup
> Denmark
> Tel: +45 77 332 233
> Fax.+45 77 332 299
> Http://www.TrimbleCenter.Dk
> Http://GPSnet.dk The Electronic Referencenetwork of Denmark
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.