(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Matthew Alexander mra4d at virginia.edu
Mon Oct 3 22:25:50 CDT 2005


Hi Mike,
Installed latest patch.  I can now authenticate successfully after a failed 
attempt.  Thanks for getting that worked out.

The machine auth issue is still there, however.  Even though ntlm_auth is 
reporting the wrong password, I am sending it the correct password.  I can 
change the RADIUS server on my test switch to a production ACS/Win2k box and 
pass machine auth with the same PC 100% of the time.

Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even though it 
does work great for normal user auth.

Thanks for your help.  Please let me know if you have any ideas.

Matt Alexander


----- Original Message ----- 
From: "Mike McCauley" <mikem at open.com.au>
To: "Matthew Alexander" <mra4d at virginia.edu>
Cc: <radiator at open.com.au>
Sent: Monday, October 03, 2005 7:16 PM
Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication


> Hello Matthew,
>
>
> On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
>> Thanks Mike,
>>
>> I have the latest patch installed, but am still seeing the issue.  Please
>> take a look at my config and traces.  The file second_machine_auth_failure
>> was of particular interest to me because it looked like ntlm_auth came back
>> with a successful authentication, but Radiator rejected it.  That is one of
>> only three times I have seen that happen - most of the time auth fails
>> completely with ntlm_auth reporting either unknown username or wrong
>> password.  I made no mods to the config during any of these tests and have
>> no idea why I am getting different results on subsequent attempts.  I
>> noticed that after a failed machine auth, my user auth would fail as well.
>> Once I restarted Radiator, user auth would succeed - until I tried a
>> machine auth.  Then I would have to restart Radiator.
>
> Thanks for your note and logs.
> Here are my observations:
>
> user_auth_fail_and_success
> In this one the first user auth failed with unknown username and the second
> succeeded, but the first was for username mra4d and the second for
> HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
> configuration file.
>
> first_machine_auth_failure
> In this one the first auth is a machine auth that gets rejected with a wrong
> password. The second one seems to receive no sensible reply from ntlm_auth,
> just a '.'. It turns out that this is broken behaviour in some versions of
> ntlm_auth. We have now made a change to AuthBy NTLM to avoid this problem.
> This would cause a failed authentication to interfere with the following
> authentication, whether or not it was correct. The fix is now in the latest
> patch set.
>
> second_machine_auth_failure
> In this one both NTLM machine authentications appear to succeed, but the
> client does not seem to like the authenticator and terminates the
> authentication.
> We are investigating this one now. I will keep you posted.
>
> Please try the latest patch set and report your findings.
> Cheers.
>
>
>>
>> Matt Alexander
>>
>> LogDir /var/log/radius/
>> DbDir /etc/radiator/
>> Trace 4
>> AuthPort 1645,1812
>> AcctPort 1646,1813
>>
>> <Client DEFAULT>
>>     Secret xxxxx
>>     DupInterval 0
>> </Client>
>>
>> <Handler TunnelledByPEAP=1>
>>     <AuthBy NTLM>
>>         Domain HSCDOM
>>         DefaultDomain HSCDOM
>>         EAPType MSCHAP-V2
>>     </AuthBy>
>> </Handler>
>>
>> <Handler>
>>     <AuthBy FILE>
>>         Filename %D/users
>>         EAPType PEAP
>>         EAPTLS_CAFile %D/certificates/cacert.pem
>>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
>>         EAPTLS_CertificateType PEM
>>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
>>         EAPTLS_PrivateKeyPassword whatever
>>         EAPTLS_MaxFragmentSize 1000
>>         AutoMPPEKeys
>>         SSLeayTrace 4
>>         EAPTLS_PEAPVersion 0
>>     </AuthBy>
>> </Handler>
>>
>> ----- Original Message -----
>> From: "Mike McCauley" <mikem at open.com.au>
>> To: "Matthew Alexander" <mra4d at virginia.edu>
>> Cc: <radiator at open.com.au>
>> Sent: Sunday, October 02, 2005 11:10 PM
>> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>>
>> > Hello Matthew,
>> >
>> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
>> >> Does anyone have any info about how to set up PEAP/MSCHAPv2 Machine
>> >> Authentication?  Is it possible with Radiator?  I have AD user
>> >> authentication set up and it works great, but machine authentication fails
>> >> every time.  I am trying to migrate from Cisco ACS where machine auth works
>> >> fine, but I can't seem to get it to work with Radiator.  Maybe it is a
>> >> limitation of ntlm_auth?
>> >
>> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine auth provided
>> > your ntlm_auth does, but....
>> >
>> > Can you send to me a Radiator log file at trace level 4 showing what happens
>> > when you try this?
>> > Also your Radiator configuration file (no secrets)?
>> >
>> > Cheers.
>> >
>> >> Thanks,
>> >> Matt
>> >
>> > --
>> > Mike McCauley                               mikem at open.com.au
>> > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> > http://www.open.com.au
>> > Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>> >
>> > Radiator: the most portable, flexible and configurable RADIUS server
>> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> > TTLS, PEAP etc on Unix, Windows, MacOS etc.
>> >
>> > --
>> > Archive at http://www.open.com.au/archives/radiator/
>> > Announcements on radiator-announce at open.com.au
>> > To unsubscribe, email 'majordomo at open.com.au' with
>> > 'unsubscribe radiator' in the body of the message.
>
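The two observations Mike makes about the traces (a bare username needing a default realm before it reaches ntlm_auth, and a failed request leaving ntlm_auth answering the next request with nothing but a '.') can be reproduced offline. The following is an added example, not Radiator's AuthBy NTLM code and not part of Samba: it assumes the "Key: value" line format of ntlm_auth's ntlm-server-1 helper protocol (request and reply blocks each terminated by a line containing only "."), replaces the real ntlm_auth pipe with scripted replies that are constructed for the demo, and uses placeholder challenge and NT-Response bytes rather than real MS-CHAPv2 values. It shows why a reader that consumes exactly one block per request fails the second authentication, and how skipping a block that carries no Authenticated: line keeps a failed request from interfering with the one that follows.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


def normalise_identity(identity: str, default_domain: str) -> tuple[str, str]:
    """Split an EAP identity into (DOMAIN, user).

    'DOMAIN\\user' and 'user@domain' carry their own domain; a bare 'user' gets
    default_domain, which is the job DefaultDomain / DefaultRealm do in Radiator."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
    elif "@" in identity:
        user, domain = identity.rsplit("@", 1)
    else:
        domain, user = default_domain, identity
    return domain.upper(), user


def build_request(domain: str, user: str, challenge: bytes, nt_response: bytes) -> str:
    """One ntlm-server-1 request block (field names assumed from the helper
    protocol), terminated by a line holding only '.'."""
    return "\n".join([
        f"Username: {user}",
        f"NT-Domain: {domain}",
        "Request-User-Session-Key: Yes",
        f"LANMAN-Challenge: {challenge.hex()}",
        f"NT-Response: {nt_response.hex()}",
        ".",
    ]) + "\n"


@dataclass
class AuthResult:
    ok: bool
    error: str = ""
    session_key: bytes | None = None


class ScriptedHelper:
    """Stand-in for the ntlm_auth child process: replies come from a script."""

    def __init__(self, reply_blocks: list[str]) -> None:
        self._lines: deque[str] = deque()
        for block in reply_blocks:
            self._lines.extend(block.splitlines())
        self.requests: list[str] = []

    def write(self, request: str) -> None:
        self.requests.append(request)

    def readline(self) -> str:
        return self._lines.popleft() if self._lines else ""  # "" means EOF


def read_reply(helper: ScriptedHelper, skip_empty_blocks: bool = True) -> AuthResult:
    """Consume a reply block and turn it into an AuthResult.

    With skip_empty_blocks=True, a block holding nothing but the '.' terminator
    (the behaviour Mike attributes to some ntlm_auth versions) is discarded and
    the next block is read, so a stray terminator left behind by a failed
    request cannot be taken for the answer to the request that follows it."""
    fields: dict[str, str] = {}
    for _ in range(3):  # bound the number of stray blocks we will step over
        fields = {}
        while True:
            line = helper.readline()
            if line in ("", "."):
                break
            key, _sep, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields or not skip_empty_blocks:
            break
    if fields.get("Authenticated") == "Yes":
        key_hex = fields.get("User-Session-Key")
        return AuthResult(True, session_key=bytes.fromhex(key_hex) if key_hex else None)
    if "Authenticated" not in fields:
        return AuthResult(False, "no Authenticated: line in reply from ntlm_auth")
    return AuthResult(False, fields.get("Authentication-Error", "authentication failed"))


def authenticate(helper, identity, default_domain, challenge, nt_response,
                 *, skip_empty_blocks=True) -> AuthResult:
    domain, user = normalise_identity(identity, default_domain)
    helper.write(build_request(domain, user, challenge, nt_response))
    return read_reply(helper, skip_empty_blocks)


def demo(skip_empty_blocks: bool) -> list[bool]:
    """Replay of the first_machine_auth_failure sequence with constructed data:
    a wrong-password attempt whose reply is followed by a stray '.', then a
    correct attempt for a bare username that needs the default domain."""
    helper = ScriptedHelper([
        "Authenticated: No\nAuthentication-Error: Wrong password\n.\n",
        ".\n",  # stray terminator emitted after the failure (constructed)
        "Authenticated: Yes\nUser-Session-Key: " + "11" * 16 + "\n.\n",
    ])
    challenge, nt_response = bytes(range(8)), bytes(24)  # placeholders, not real values
    outcomes = []
    for identity in ("HSCDOM\\mra4d", "mra4d"):
        result = authenticate(helper, identity, "HSCDOM", challenge, nt_response,
                              skip_empty_blocks=skip_empty_blocks)
        outcomes.append(result.ok)
    assert "NT-Domain: HSCDOM" in helper.requests[1]  # bare user got the default domain
    return outcomes


if __name__ == "__main__":
    print("one block per request:", demo(skip_empty_blocks=False))  # [False, False]
    print("skip empty blocks:    ", demo(skip_empty_blocks=True))   # [False, True]
```

Running it shows the symptom from the trace (the second, correct attempt is rejected because its reply was the stray '.') and the recovery once empty blocks are stepped over. Against a real ntlm_auth, the same resync logic must also be bounded and logged, since a helper that repeatedly answers with nothing is better restarted than trusted.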

