(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Matthew Alexander mra4d at virginia.edu
Mon Oct 3 22:59:16 CDT 2005


----- Original Message ----- 
From: "Mike McCauley" <mikem at open.com.au>
To: "Matthew Alexander" <mra4d at virginia.edu>
Cc: <radiator at open.com.au>
Sent: Monday, October 03, 2005 11:48 PM
Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication


> Hi Matt,
>
>
> On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
>> Hi Mike,
>> Installed latest patch.  I can now authenticate successfully after a
>> failed attempt.  Thanks for getting that worked out.
>
> No problem.
>
>>
>> The machine auth issue is still there, however.  Even though ntlm_auth is
>> reporting the wrong password, I am sending it the correct password.  I can
>> change the RADIUS server on my test switch to a production ACS/Win2k box
>> and pass machine auth with the same PC 100% of the time.
>
> Hmmm, I thought I saw in the logs you sent before some cases where machine
> auth succeeded?

Maybe 1 out of every 20 attempts will result in a success, although I 
haven't seen it in a while.  And even if ntlm_auth reports a success, it 
looks as if the client doesn't like the authenticator and terminates the 
connection - from what you found below.  Thanks.

>
>
>>
>> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even though
>> it does work great for normal user auth.
>>
>> Thanks for your help.  Please let me know if you have any ideas.
>
> OK, we are still trying to reproduce this. Hope to have more later in our
> day.
> Cheers.
>
>>
>> Matt Alexander
>>
>>
>> ----- Original Message -----
>> From: "Mike McCauley" <mikem at open.com.au>
>> To: "Matthew Alexander" <mra4d at virginia.edu>
>> Cc: <radiator at open.com.au>
>> Sent: Monday, October 03, 2005 7:16 PM
>> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>>
>> > Hello Matthew,
>> >
>> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
>> >> Thanks Mike,
>> >>
>> >> I have the latest patch installed, but am still seeing the issue.
>> >> Please take a look at my config and traces.  The file
>> >> second_machine_auth_failure was of particular interest to me because it
>> >> looked like ntlm_auth came back with a successful authentication, but
>> >> Radiator rejected it.  That is one of only three times I have seen that
>> >> happen - most of the time auth fails completely with ntlm_auth reporting
>> >> either unknown username or wrong password.  I made no mods to the config
>> >> during any of these tests and have no idea why I am getting different
>> >> results on subsequent attempts.  I noticed that after a failed machine
>> >> auth, my user auth would fail as well.  Once I restarted Radiator, user
>> >> auth would succeed - until I tried a machine auth.  Then I would have to
>> >> restart Radiator.
>> >
>> > Thanks for your note and logs.
>> > Here are my observations:
>> >
>> > user_auth_fail_and_success
>> > In this one the first user auth failed with unknown username and the
>> > second succeeded, but the first was for username mra4d and the second for
>> > HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
>> > configuration file.
>> >
>> > first_machine_auth_failure
>> > In this one the first auth is a machine auth that gets rejected with a
>> > wrong password. The second one seems to receive no sensible reply from
>> > ntlm_auth, just a '.'. It turns out that this is broken behaviour in some
>> > versions of ntlm_auth. We have now made a change to AuthBy NTLM to avoid
>> > this problem. This would cause a failed authentication to interfere with
>> > the following authentication, whether or not it was correct. The fix is
>> > now in the latest patch set.
>> >
>> > second_machine_auth_failure
>> > In this one both NTLM machine authentications appear to succeed, but the
>> > client does not seem to like the authenticator and terminates the
>> > authentication. We are investigating this one now. I will keep you posted.
>> >
>> > Please try the latest patch set and report your findings.
>> > Cheers.
>> >
>> >> Matt Alexander
>> >>
>> >> LogDir /var/log/radius/
>> >> DbDir /etc/radiator/
>> >> Trace 4
>> >> AuthPort 1645,1812
>> >> AcctPort 1646,1813
>> >>
>> >> <Client DEFAULT>
>> >>     Secret xxxxx
>> >>     DupInterval 0
>> >> </Client>
>> >>
>> >> <Handler TunnelledByPEAP=1>
>> >>     <AuthBy NTLM>
>> >>         Domain HSCDOM
>> >>         DefaultDomain HSCDOM
>> >>         EAPType MSCHAP-V2
>> >>     </AuthBy>
>> >> </Handler>
>> >>
>> >> <Handler>
>> >>     <AuthBy FILE>
>> >>         Filename %D/users
>> >>         EAPType PEAP
>> >>         EAPTLS_CAFile %D/certificates/cacert.pem
>> >>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
>> >>         EAPTLS_CertificateType PEM
>> >>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
>> >>         EAPTLS_PrivateKeyPassword whatever
>> >>         EAPTLS_MaxFragmentSize 1000
>> >>         AutoMPPEKeys
>> >>         SSLeayTrace 4
>> >>         EAPTLS_PEAPVersion 0
>> >>     </AuthBy>
>> >> </Handler>
>> >>
>> >> ----- Original Message -----
>> >> From: "Mike McCauley" <mikem at open.com.au>
>> >> To: "Matthew Alexander" <mra4d at virginia.edu>
>> >> Cc: <radiator at open.com.au>
>> >> Sent: Sunday, October 02, 2005 11:10 PM
>> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>> >>
>> >> > Hello Matthew,
>> >> >
>> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
>> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2 Machine
>> >> >> Authentication?  Is it possible with Radiator?  I have AD user
>> >> >> authentication set up and it works great, but machine authentication
>> >> >> fails every time.  I am trying to migrate from Cisco ACS where machine
>> >> >> auth works fine, but I can't seem to get it to work with Radiator.
>> >> >> Maybe it is a limitation of ntlm_auth?
>> >> >
>> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine auth
>> >> > provided your ntlm_auth does, but....
>> >> >
>> >> > Can you send to me a Radiator log file at trace level 4 showing what
>> >> > happens when you try this?
>> >> > Also your Radiator configuration file (no secrets)?
>> >> >
>> >> > Cheers.
>> >> >
>> >> >> Thanks,
>> >> >> Matt
>> >> >
>> >> > --
>> >> > Mike McCauley                               mikem at open.com.au
>> >> > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>> >> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> >> > http://www.open.com.au
>> >> > Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>> >> >
>> >> > Radiator: the most portable, flexible and configurable RADIUS server
>> >> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> >> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>> >> > TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
>> >> >
>> >> > --
>> >> > Archive at http://www.open.com.au/archives/radiator/
>> >> > Announcements on radiator-announce at open.com.au
>> >> > To unsubscribe, email 'majordomo at open.com.au' with
>> >> > 'unsubscribe radiator' in the body of the message.
>> >


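Mike's diagnosis above (a bare '.' reply from ntlm_auth letting one failed authentication interfere with the next) is the kind of fault a defensive reader of the helper's replies has to guard against. The following is an added example, not Radiator's or Samba's code; the reply field names and the '.' terminator follow Samba's ntlm-server-1 helper protocol as I understand it (an assumption here), and the sample replies are constructed.

```python
import io

# Constructed sample: three consecutive helper replies, as the helper would
# write them for three earlier requests. Field names follow Samba's
# ntlm-server-1 helper protocol as I understand it (an assumption here):
# "Key: value" lines, each reply closed by a line holding a single ".".
SAMPLE_REPLIES = (
    "Authenticated: No\n"
    "Authentication-Error: wrong password\n"
    ".\n"
    ".\n"                      # the bare-'.' reply described in the thread
    "Authenticated: Yes\n"
    "User-Session-Key: 00112233445566778899AABBCCDDEEFF\n"
    ".\n"
)

def read_reply(stream):
    """Consume exactly one reply, up to and including its '.' terminator.

    Returns the fields as a dict. An empty dict means the helper sent only
    '.', the broken behaviour Mike describes. The point is that the
    terminator is still honoured, so the reader stays in step with the
    helper and the next request's reply is not misread as this one's."""
    fields = {}
    while True:
        line = stream.readline()
        if not line:
            raise EOFError("ntlm_auth closed the pipe before '.'")
        line = line.rstrip("\r\n")
        if line == ".":
            return fields
        key, sep, value = line.partition(": ")
        if sep:            # skip anything that is not a 'Key: value' line
            fields[key] = value

def is_authenticated(fields):
    """Fail closed: only an explicit 'Authenticated: Yes' is a success."""
    return fields.get("Authenticated") == "Yes"

def run_text(text, count):
    """Read `count` replies from a string, one per outstanding request."""
    stream = io.StringIO(text)
    return [is_authenticated(read_reply(stream)) for _ in range(count)]

if __name__ == "__main__":
    # Wrong-password reject, bare-'.' reject, genuine success.
    print(run_text(SAMPLE_REPLIES, 3))   # [False, False, True]
```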