(RADIATOR) PEAP/MSCHAPv2 Machine Authentication
Mike McCauley
mikem at open.com.au
Mon Oct 3 18:16:48 CDT 2005
Hello Matthew,
On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
> Thanks Mike,
>
> I have the latest patch installed, but am still seeing the issue. Please
> take a look at my config and traces. The file second_machine_auth_failure
> was of particular interest to me because it looked like ntlm_auth came back
> with a successful authentication, but Radiator rejected it. That is one of
> only three times I have seen that happen - most of the time auth fails
> completely with ntlm_auth reporting either unknown username or wrong
> password. I made no mods to the config during any of these tests and have
> no idea why I am getting different results on subsequent attempts. I
> noticed that after a failed machine auth, my user auth would fail as well.
> Once I restarted Radiator, user auth would succeed - until I tried a
> machine auth. Then I would have to restart Radiator.
Thanks for your note and logs.
Here are my observations:
user_auth_fail_and_success
In this one the first user auth failed with unknown username and the second
succeeded, but the first was for username mra4d and the second for
HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
configuration file.
first_machine_auth_failure
In this one the first auth is a machine auth that gets rejected with a wrong
password. The second one seems to receive no sensible reply from ntlm_auth,
just a '.'. It turns out that this is broken behaviour in some versions of
ntlm_auth. We have now made a change to AuthBy NTLM to avoid this problem.
This would cause a failed authentication to interfere with the following
authentication, whether or not it was correct. The fix is now in the latest
patch set.
second_machine_auth_failure
In this one both NTLM machine authentications appear to succeed, but the
client does not seem to like the authenticator and terminates the
authentication.
We are investigating this one now. I will keep you posted.
Please try the latest patch set and report your findings.
Cheers.
>
> Matt Alexander
>
> LogDir /var/log/radius/
> DbDir /etc/radiator/
> Trace 4
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> <Client DEFAULT>
>         Secret xxxxx
>         DupInterval 0
> </Client>
>
> <Handler TunnelledByPEAP=1>
>         <AuthBy NTLM>
>                 Domain HSCDOM
>                 DefaultDomain HSCDOM
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>
> <Handler>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
>
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Matthew Alexander" <mra4d at virginia.edu>
> Cc: <radiator at open.com.au>
> Sent: Sunday, October 02, 2005 11:10 PM
> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>
> > Hello Matthew,
> >
> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
> >> Does anyone have any info about how to set up PEAP/MSCHAPv2 Machine
> >> Authentication? Is it possible with Radiator? I have AD user
> >> authentication set up and it works great, but machine authentication fails
> >> every time. I am trying to migrate from Cisco ACS where machine auth works
> >> fine, but I can't seem to get it to work with Radiator. Maybe it is a
> >> limitation of ntlm_auth?
> >
> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine auth provided
> > your ntlm_auth does, but....
> >
> > Can you send to me a Radiator log file at trace level 4 showing what happens
> > when you try this?
> > Also your Radiator configuration file (no secrets)?
> >
> > Cheers.
> >
> >> Thanks,
> >> Matt
> >
> > --
> > Mike McCauley mikem at open.com.au
> > Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > http://www.open.com.au
> > Phone +61 7 5598-7474 Fax +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP etc on Unix, Windows, MacOS etc.
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.