(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Mike McCauley mikem at open.com.au
Mon Oct 3 22:48:05 CDT 2005


Hi Matt,


On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
> Hi Mike,
> Installed latest patch.  I can now authenticate successfully after a failed
> attempt.  Thanks for getting that worked out.

No problem.

>
> The machine auth issue is still there, however.  Even though ntlm_auth is
> reporting the wrong password, I am sending it the correct password.  I can
> change the RADIUS server on my test switch to a production ACS/Win2k box
> and pass machine auth with the same PC 100% of the time.

Hmmm, I thought I saw in the logs you sent before some cases where machine auth 
succeeded?


>
> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even though it
> does work great for normal user auth.
>
> Thanks for your help.  Please let me know if you have any ideas.

OK, we are still trying to reproduce this. Hope to have more later in our day.
Cheers.

>
> Matt Alexander
>
>
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Matthew Alexander" <mra4d at virginia.edu>
> Cc: <radiator at open.com.au>
> Sent: Monday, October 03, 2005 7:16 PM
> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>
> > Hello Matthew,
> >
> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
> >> Thanks Mike,
> >>
> >> I have the latest patch installed, but am still seeing the issue. 
> >> Please take a look at my config and traces.  The file
> >> second_machine_auth_failure
> >> was of particular interest to me because it looked like ntlm_auth came
> >> back
> >> with a successful authentication, but Radiator rejected it.  That is one
> >> of
> >> only three times I have seen that happen - most of the time auth fails
> >> completely with ntlm_auth reporting either unknown username or wrong
> >> password.  I made no mods to the config during any of these tests and
> >> have
> >> no idea why I am getting different results on subsequent attempts.  I
> >> noticed that after a failed machine auth, my user auth would fail as
> >> well.
> >> Once I restarted Radiator, user auth would succeed - until I tried a
> >> machine auth.  Then I would have to restart Radiator.
> >
> > Thanks for your note and logs.
> > Here are my observations:
> >
> > user_auth_fail_and_success
> > In this one the first user auth failed with unknown username and the
> > second
> > succeeded, but the first was for username mra4d and the second for
> > HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
> > configuration file.
> >
> > first_machine_auth_failure
> > In this one the first auth is a machine auth that gets rejected with a
> > wrong
> > password. The second one seems to receive no sensible reply from
> > ntlm_auth,
> > just a '.'. It turns out that this is broken behaviour in some versions
> > of ntlm_auth. We have now made a change to AuthBy NTLM to avoid this
> > problem. This would cause a failed authentication to interfere with the
> > following authentication, whether or not it was correct. The fix is now
> > in the latest
> > patch set.
> >
> > second_machine_auth_failure
> > In this one both NTLM machine authentications appear to succeed, but the
> > client does not seem to like the authenticator and terminates the
> > authentication.
> > We are investigating this one now. I will keep you posted.
> >
> > Please try the latest patch set and report your findings.
> > Cheers.
> >
> >> Matt Alexander
> >>
> >> LogDir /var/log/radius/
> >> DbDir /etc/radiator/
> >> Trace 4
> >> AuthPort 1645,1812
> >> AcctPort 1646,1813
> >>
> >> <Client DEFAULT>
> >>     Secret xxxxx
> >>     DupInterval 0
> >> </Client>
> >>
> >> <Handler TunnelledByPEAP=1>
> >>     <AuthBy NTLM>
> >>         Domain HSCDOM
> >>         DefaultDomain HSCDOM
> >>         EAPType MSCHAP-V2
> >>     </AuthBy>
> >> </Handler>
> >>
> >> <Handler>
> >>     <AuthBy FILE>
> >>         Filename %D/users
> >>         EAPType PEAP
> >>         EAPTLS_CAFile %D/certificates/cacert.pem
> >>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> >>         EAPTLS_CertificateType PEM
> >>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> >>         EAPTLS_PrivateKeyPassword whatever
> >>         EAPTLS_MaxFragmentSize 1000
> >>         AutoMPPEKeys
> >>         SSLeayTrace 4
> >>         EAPTLS_PEAPVersion 0
> >>     </AuthBy>
> >> </Handler>
> >>
> >> ----- Original Message -----
> >> From: "Mike McCauley" <mikem at open.com.au>
> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> Cc: <radiator at open.com.au>
> >> Sent: Sunday, October 02, 2005 11:10 PM
> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >>
> >> > Hello Matthew,
> >> >
> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2 Machine
> >> >> Authentication?  Is it possible with Radiator?  I have AD user
> >> >> authentication set up and it works great, but machine authentication
> >> >> fails
> >> >> every time.  I am trying to migrate from Cisco ACS where machine auth
> >> >> works
> >> >> fine, but I can't seem to get it to work with Radiator.  Maybe it is
> >> >> a limitation of ntlm_auth?
> >> >
> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine auth
> >> > provided
> >> > your ntlm_auth does, but....
> >> >
> >> > Can you send to me a Radiator log file at trace level 4 showing what
> >> > happens
> >> > when you try this?
> >> > Also your Radiator configuration file (no secrets)?
> >> >
> >> > Cheers.
> >> >
> >> >> Thanks,
> >> >> Matt
> >> >
> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
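Two of the observations in the thread (the bare username `mra4d` versus `HSCDOM\mra4d` needing a DefaultRealm, and a failed ntlm_auth call whose reply was just a `.` poisoning the following authentication) come down to how the helper's request/reply records are framed. The following is an added example, not Radiator's AuthBy NTLM code or Samba's; it uses the field names of ntlm_auth's `--helper-protocol=ntlm-server-1` record format (`Username:`, `NT-Domain:`, `Authenticated:`, `Authentication-Error:`, `User-Session-Key:`, a `.` line terminating each record), never executes ntlm_auth itself, and all reply records and challenge bytes are constructed. It shows a realm split with a default, a reply parser that fails closed on an empty record, and record framing that keeps each verdict attached to the request it answers.

```python
"""Defensive handling of ntlm_auth ntlm-server-1 records (added example).

Each request and reply is a run of "Name: value" lines ended by a line
holding only "." .  The sample replies used in the tests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def split_realm(username: str, default_realm: Optional[str]) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user or user@domain; otherwise apply the default realm.

    Without a default realm a bare 'mra4d' reaches ntlm_auth with no domain,
    while 'HSCDOM\\mra4d' carries one, which is why the two behave differently.
    """
    if "\\" in username:
        domain, user = username.split("\\", 1)
        return domain, user
    if "@" in username:
        user, domain = username.rsplit("@", 1)
        return domain, user
    return default_realm, username


def build_request(username: str, domain: Optional[str],
                  challenge: bytes, nt_response: bytes) -> str:
    """Build one request record for an MSCHAPv2-style check (hex-encoded values)."""
    lines = [f"Username: {username}"]
    if domain:
        lines.append(f"NT-Domain: {domain}")
    lines.append(f"LANMAN-Challenge: {challenge.hex()}")
    lines.append(f"NT-Response: {nt_response.hex()}")
    lines.append("Request-User-Session-Key: Yes")
    lines.append(".")
    return "\n".join(lines) + "\n"


@dataclass
class AuthResult:
    authenticated: bool
    error: Optional[str] = None
    session_key: Optional[bytes] = None


def parse_response(record: str) -> AuthResult:
    """Parse one reply record, failing closed on anything malformed.

    A reply that is only "." carries no Authenticated: line; it is treated
    as a rejection, never as success and never as 'keep waiting for lines'.
    """
    fields: Dict[str, str] = {}
    terminated = False
    for raw in record.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":
            terminated = True
            break
        if ": " not in line:
            return AuthResult(False, error=f"malformed line: {line!r}")
        name, value = line.split(": ", 1)
        fields[name] = value
    if not terminated:
        return AuthResult(False, error="unterminated reply")
    verdict = fields.get("Authenticated")
    if verdict is None:
        return AuthResult(False, error="empty reply from ntlm_auth")
    if verdict != "Yes":
        return AuthResult(False, error=fields.get("Authentication-Error", "rejected"))
    key = fields.get("User-Session-Key")
    try:
        session_key = bytes.fromhex(key) if key else None
    except ValueError:
        return AuthResult(False, error="bad session key encoding")
    return AuthResult(True, session_key=session_key)


def parse_reply_stream(stream: str) -> List[AuthResult]:
    """Cut the helper's output into records at every "." line and parse each.

    Strict one-record-per-request framing is what stops an empty reply from
    shifting every later verdict onto the wrong request.
    """
    results: List[AuthResult] = []
    current: List[str] = []
    for line in stream.splitlines():
        current.append(line)
        if line.strip() == ".":
            results.append(parse_response("\n".join(current) + "\n"))
            current = []
    if any(l.strip() for l in current):
        results.append(AuthResult(False, error="unterminated reply"))
    return results


if __name__ == "__main__":
    # Constructed stream: an empty reply followed by a genuine success.
    for r in parse_reply_stream(".\nAuthenticated: Yes\nUser-Session-Key: 00112233\n.\n"):
        print(r)
```

The point of `parse_reply_stream` is the pairing discipline: a reply is consumed exactly up to its `.` line and mapped to exactly one outstanding request, so an empty record yields a rejection for that request and the next record is read fresh for the next one.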


More information about the radiator mailing list