(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Mike McCauley mikem at open.com.au
Mon Oct 3 23:07:59 CDT 2005


Hi Matt,


On Tuesday 04 October 2005 13:59, Matthew Alexander wrote:
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Matthew Alexander" <mra4d at virginia.edu>
> Cc: <radiator at open.com.au>
> Sent: Monday, October 03, 2005 11:48 PM
> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>
> > Hi Matt,
> >
> > On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
> >> Hi Mike,
> >> Installed latest patch.  I can now authenticate successfully after a
> >> failed attempt.  Thanks for getting that worked out.
> >
> > No problem.
> >
> >> The machine auth issue is still there, however.  Even though ntlm_auth
> >> is reporting the wrong password, I am sending it the correct password.
> >> I can change the RADIUS server on my test switch to a production ACS/Win2k
> >> box and pass machine auth with the same PC 100% of the time.
> >
> > Hmmm, I thought I saw in the logs you sent before some cases where machine
> > auth succeeded?
>
> Maybe 1 out of every 20 attempts will result in a success, although I
> haven't seen it in a while.  And even if ntlm_auth reports a success, it
> looks as if the client doesn't like the authenticator and terminates the
> connection - from what you found below.  Thanks.

Can you send me some more log showing consecutive success and failure now you 
have the latest patches installed?

Cheers.


>
> >> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even though
> >> it
> >> does work great for normal user auth.
> >>
> >> Thanks for your help.  Please let me know if you have any ideas.
> >
> > OK, we are still trying to reproduce this. Hope to have more later in our
> > day.
> > Cheers.
> >
> >> Matt Alexander
> >>
> >>
> >> ----- Original Message -----
> >> From: "Mike McCauley" <mikem at open.com.au>
> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> Cc: <radiator at open.com.au>
> >> Sent: Monday, October 03, 2005 7:16 PM
> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >>
> >> > Hello Matthew,
> >> >
> >> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
> >> >> Thanks Mike,
> >> >>
> >> >> I have the latest patch installed, but am still seeing the issue.
> >> >> Please take a look at my config and traces.  The file
> >> >> second_machine_auth_failure was of particular interest to me because
> >> >> it looked like ntlm_auth came back with a successful authentication,
> >> >> but Radiator rejected it.  That is one of only three times I have seen
> >> >> that happen - most of the time auth fails completely with ntlm_auth
> >> >> reporting either unknown username or wrong password.  I made no mods
> >> >> to the config during any of these tests and have no idea why I am
> >> >> getting different results on subsequent attempts.  I noticed that
> >> >> after a failed machine auth, my user auth would fail as well.  Once I
> >> >> restarted Radiator, user auth would succeed - until I tried a machine
> >> >> auth.  Then I would have to restart Radiator.
> >> >
> >> > Thanks for your note and logs.
> >> > Here are my observations:
> >> >
> >> > user_auth_fail_and_success
> >> > In this one the first user auth failed with unknown username and the
> >> > second succeeded, but the first was for username mra4d and the second
> >> > for HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
> >> > configuration file.
> >> >
> >> > first_machine_auth_failure
> >> > In this one the first auth is a machine auth that gets rejected with a
> >> > wrong password. The second one seems to receive no sensible reply from
> >> > ntlm_auth, just a '.'. It turns out that this is broken behaviour in some
> >> > versions of ntlm_auth. We have now made a change to AuthBy NTLM to
> >> > avoid this problem. This would cause a failed authentication to
> >> > interfere with the following authentication, whether or not it was
> >> > correct. The fix is now in the latest patch set.
> >> >
> >> > second_machine_auth_failure
> >> > In this one both NTLM machine authentications appear to succeed, but
> >> > the client does not seem to like the authenticator and terminates the
> >> > authentication. We are investigating this one now. I will keep you posted.
> >> >
> >> > Please try the latest patch set and report your findings.
> >> > Cheers.
> >> >
> >> >> Matt Alexander
> >> >>
> >> >> LogDir /var/log/radius/
> >> >> DbDir /etc/radiator/
> >> >> Trace 4
> >> >> AuthPort 1645,1812
> >> >> AcctPort 1646,1813
> >> >>
> >> >> <Client DEFAULT>
> >> >>     Secret xxxxx
> >> >>     DupInterval 0
> >> >> </Client>
> >> >>
> >> >> # Inner (tunnelled) PEAP requests: MSCHAP-V2 against the domain via ntlm_auth
> >> >> <Handler TunnelledByPEAP=1>
> >> >>     <AuthBy NTLM>
> >> >>         Domain HSCDOM
> >> >>         DefaultDomain HSCDOM
> >> >>         EAPType MSCHAP-V2
> >> >>     </AuthBy>
> >> >> </Handler>
> >> >>
> >> >> # Outer requests: terminate the PEAP TLS tunnel here
> >> >> <Handler>
> >> >>     <AuthBy FILE>
> >> >>         Filename %D/users
> >> >>         EAPType PEAP
> >> >>         EAPTLS_CAFile %D/certificates/cacert.pem
> >> >>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> >> >>         EAPTLS_CertificateType PEM
> >> >>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> >> >>         EAPTLS_PrivateKeyPassword whatever
> >> >>         EAPTLS_MaxFragmentSize 1000
> >> >>         AutoMPPEKeys
> >> >>         SSLeayTrace 4
> >> >>         EAPTLS_PEAPVersion 0
> >> >>     </AuthBy>
> >> >> </Handler>
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Mike McCauley" <mikem at open.com.au>
> >> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> >> Cc: <radiator at open.com.au>
> >> >> Sent: Sunday, October 02, 2005 11:10 PM
> >> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >> >>
> >> >> > Hello Matthew,
> >> >> >
> >> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
> >> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2
> >> >> >> Machine Authentication?  Is it possible with Radiator?  I have AD
> >> >> >> user authentication set up and it works great, but machine
> >> >> >> authentication fails every time.  I am trying to migrate from Cisco
> >> >> >> ACS where machine auth works fine, but I can't seem to get it to
> >> >> >> work with Radiator.  Maybe it is a limitation of ntlm_auth?
> >> >> >
> >> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine auth
> >> >> > provided your ntlm_auth does, but....
> >> >> >
> >> >> > Can you send to me a Radiator log file at trace level 4 showing
> >> >> > what happens when you try this?
> >> >> > Also your Radiator configuration file (no secrets)?
> >> >> >
> >> >> > Cheers.
> >> >> >
> >> >> >> Thanks,
> >> >> >> Matt
> >> >> >
> >> >> > --
> >> >> > Mike McCauley                               mikem at open.com.au
> >> >> > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++,
> >> >> > WWW 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> >> >> > http://www.open.com.au
> >> >> > Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> >> >> >
> >> >> > Radiator: the most portable, flexible and configurable RADIUS
> >> >> > server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
> >> >> > Emerald, Platypus, Freeside, TACACS+, PAM, external, Active
> >> >> > Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
> >> >> >
> >> >> > --
> >> >> > Archive at http://www.open.com.au/archives/radiator/
> >> >> > Announcements on radiator-announce at open.com.au
> >> >> > To unsubscribe, email 'majordomo at open.com.au' with
> >> >> > 'unsubscribe radiator' in the body of the message.
> >> >
> >

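As an added example (not Radiator's AuthBy NTLM code, and not posted by anyone in this thread), the following Python sketch shows the two points raised in Mike's observations above: qualifying an unqualified username such as mra4d with a default domain before it reaches ntlm_auth, and reading ntlm_auth's reply through to its terminator so that a broken reply consisting of a lone '.' rejects only the current request and does not desynchronise the next one. It assumes the line format of ntlm_auth's `--helper-protocol=ntlm-server-1` mode (`Key: value` lines ended by a lone `.` line, in both directions) and substitutes a constructed `FakeNtlmAuth` object for the real helper so that it runs without Samba or a domain; `FakeNtlmAuth`, `NtlmHelperClient`, `qualify_username`, the NT_STATUS_* error strings and the account data are hypothetical names and values, not captured from a real system.

```python
from collections import deque, namedtuple

AuthResult = namedtuple("AuthResult", "ok error reply")


def qualify_username(identity, default_domain):
    """Bare names get the default domain; DOMAIN\\user and user@domain are
    taken as already qualified (assumed forms beyond the thread's examples)."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
    elif "@" in identity:
        user, domain = identity.rsplit("@", 1)
    else:
        domain, user = default_domain, identity
    return domain, user


class NtlmHelperClient:
    """Client side of ntlm_auth's ntlm-server-1 protocol as assumed here:
    "Key: value" lines ended by a lone "." line, in both directions."""

    def __init__(self, write, readline, default_domain):
        self._write, self._readline = write, readline   # helper's stdin/stdout
        self.default_domain = default_domain

    def authenticate(self, identity, password):
        domain, user = qualify_username(identity, self.default_domain)
        for key, value in (("Username", user), ("NT-Domain", domain),
                           ("Password", password)):
            if "\r" in value or "\n" in value:   # would inject protocol lines
                raise ValueError(f"{key} contains a line break")
            self._write(f"{key}: {value}\n")
        self._write(".\n")
        reply = self._read_reply()
        # A broken ntlm_auth answers with a bare "." and no verdict.  Reject
        # this request only: the reply was read through to its terminator,
        # so the next request starts in sync instead of eating leftovers.
        if "Authenticated" not in reply:
            return AuthResult(False, "no usable reply from ntlm_auth", reply)
        return AuthResult(reply["Authenticated"] == "Yes",
                          reply.get("Authentication-Error", ""), reply)

    def _read_reply(self):
        reply = {}
        while True:
            line = self._readline()
            if line == "":
                raise EOFError("ntlm_auth closed the pipe")
            line = line.rstrip("\r\n")
            if line == ".":
                return reply
            key, sep, value = line.partition(": ")
            if sep:                      # unparseable lines are skipped
                reply[key] = value


class FakeNtlmAuth:
    """Constructed stand-in for `ntlm_auth --helper-protocol=ntlm-server-1`
    so this runs offline; the first `broken_replies` requests get only a "."
    line, as described in the thread.  NT_STATUS_* strings are assumed."""

    def __init__(self, accounts, broken_replies=0):
        self.accounts = accounts                # {(domain, user): password}
        self.broken_replies = broken_replies
        self._request, self._output = [], deque()

    def write(self, line):
        line = line.rstrip("\r\n")
        if line != ".":
            self._request.append(line)
            return
        fields = dict(l.partition(": ")[::2] for l in self._request)
        self._request = []
        if self.broken_replies > 0:
            self.broken_replies -= 1
            self._output.append(".\n")          # terminator only, no verdict
            return
        key = (fields.get("NT-Domain", ""), fields.get("Username", ""))
        if key not in self.accounts:
            self._output.extend(["Authenticated: No\n", "Authentication-Error: NT_STATUS_NO_SUCH_USER\n"])
        elif self.accounts[key] != fields.get("Password"):
            self._output.extend(["Authenticated: No\n", "Authentication-Error: NT_STATUS_WRONG_PASSWORD\n"])
        else:
            self._output.append("Authenticated: Yes\n")
        self._output.append(".\n")

    def readline(self):
        return self._output.popleft() if self._output else ""


def run_demo():
    """Constructed scenario: one broken reply, then two normal ones."""
    helper = FakeNtlmAuth({("HSCDOM", "mra4d"): "s3cret"}, broken_replies=1)
    client = NtlmHelperClient(helper.write, helper.readline, "HSCDOM")
    return [client.authenticate("mra4d", "s3cret"),         # broken reply
            client.authenticate("mra4d", "s3cret"),         # still in sync
            client.authenticate("HSCDOM\\mra4d", "wrong")]  # real rejection


if __name__ == "__main__":
    for r in run_demo():
        print("ACCEPT" if r.ok else f"REJECT ({r.error})")
```

Run stand-alone it prints REJECT for the broken reply, ACCEPT for the retry, and REJECT (NT_STATUS_WRONG_PASSWORD) for the bad password; the point is that the retry succeeds because the client never leaves a partially read reply in the pipe. To drive a real helper instead of `FakeNtlmAuth`, start `ntlm_auth --helper-protocol=ntlm-server-1` with `subprocess.Popen` in text mode and pass a write function that also flushes `proc.stdin`, together with `proc.stdout.readline`. The line-break check on the values is a small but real hardening: a username or password containing a newline would otherwise let a client append its own `Key: value` lines to the request.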