(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment

Hugh Irvine hugh at open.com.au
Thu Sep 8 22:59:12 CDT 2005


Hello Virgil -

Quite right - I missed it when I read your mail (apologies).

See below.


On 9 Sep 2005, at 10:39, Virgil wrote:

> On 9/9/05 10:27 AM, "Hugh Irvine" <hugh at open.com.au> wrote:
>
>
>>
>> What version of Radiator are you running?
>> You should be running the latest Radiator 3.13 plus all patches.
>>
>
> 3.13 plus patches as of this Monday.  On Windows.
>
> Thu Sep  8 17:15:27 2005: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Thu Sep  8 17:15:27 2005: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
> Thu Sep  8 17:15:27 2005: DEBUG: Creating authentication port 172.26.100.2:1812
> Thu Sep  8 17:15:27 2005: DEBUG: Creating accounting port 172.26.100.2:1813
> Thu Sep  8 17:15:27 2005: NOTICE: Server started: Radiator 3.13 on voipdctest
>
>
>
>> I'm not quite sure what your log files correspond to, so can you
>> download and install Radiator 3.13 (plus the latest patches) and
>> retry your tests?
>>
>
> I did include that in the first message, but I'm guessing it got lost in the forest.
>
>
>> Please provide a bit more detail on what tests the log files
>> correspond to.
>>
>
>
>>> Trace 4 logs attached.
>>> xsupplicant: log1.txt
>>>
>
> Linux client, using xsupplicant in PEAP mode.
>


In this case Radiator is sending an access challenge in response to an access request and hears nothing further. This will be a problem with either the NAS or with the client.


>
>>> win2000 sp4 w/ "user" - ie no realm for UPN: log2.txt
>>>
>
> Win2k client, with "Wireless Authentication" service started for native 802.1x support.
>
>

This one fails because "test10" is not found in the LDAP database.

Thu Sep  8 17:28:35 2005: INFO: Attempting to bind to LDAP server voipdctest:3268
Thu Sep  8 17:28:35 2005: DEBUG: No entries for test10 found in LDAP database
Thu Sep  8 17:28:35 2005: DEBUG: Radius::AuthLDAP2 looks for match with test10
Thu Sep  8 17:28:35 2005: DEBUG: AuthBy GROUP result: REJECT, No such user
Thu Sep  8 17:28:35 2005: INFO: Access rejected for test10: No such user



>>> win2000sp4 with UPN: log3a.txt and log3b.txt
>>>
>
> As above, but attempting to use userPrincipalName to authenticate. Including commenting sAMAccountName in the config.
>

There was nothing in log3a.txt.

In log3b.txt you are rewriting the username and trying to authenticate with MSCHAPv2, which will not work as the full original username is required for the authentication (this is how MSCHAPv2 works).

Thu Sep  8 17:33:48 2005: DEBUG:  Deleting session for test10 at server-voip.test, 172.26.100.1, 50002
Thu Sep  8 17:33:48 2005: DEBUG: Handling with Radius::AuthGROUP
Thu Sep  8 17:33:48 2005: DEBUG: Handling with Radius::AuthLSA: VOIP-LSA-MSCHAP
Thu Sep  8 17:33:48 2005: DEBUG: Handling with EAP: code 2, 7, 78
Thu Sep  8 17:33:48 2005: DEBUG: Response type 26
Thu Sep  8 17:33:48 2005: DEBUG: Rewrote identity to test10
Thu Sep  8 17:33:48 2005: DEBUG: Radius::AuthLSA looks for match with test10
Thu Sep  8 17:33:48 2005: DEBUG: Radius::AuthLSA ACCEPT:
Thu Sep  8 17:33:48 2005: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.


regards

Hugh


> Regards
> Virgil
>
> -- 
> virgil at webcentral.com.au
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
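As an added illustration of why the identity rewrite seen in log3b.txt cannot work (example code written for this archive page, not Radiator's code): RFC 2759's ChallengeHash mixes the user name into the 8-octet challenge the NT-Response is computed over, so a server that verifies under a name other than the one the peer used can never match, whatever the password. The challenge bytes and the UPN "test10@voip.test" are constructed values.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash.

    Returns the 8-octet challenge that the peer's NT-Response is computed
    over.  The user name is an input, so the name the server feeds into the
    same computation must be the one the peer used.  RFC 2759 strips only a
    prepended NT domain ("DOMAIN\\user"); a UPN suffix ("user@realm") is part
    of the name and is not stripped.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must be 16 octets")
    name = user_name.split("\\", 1)[1] if "\\" in user_name else user_name
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(name.encode("utf-8"))
    return h.digest()[:8]


def server_can_verify(client_name: str, server_name: str,
                      peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True only if the server's (possibly rewritten) name yields the same
    challenge the client hashed.  If not, the NT-Response check fails for
    every password, which is the LogonUserNetworkMSCHAP failure in log3b.txt."""
    return (challenge_hash(peer_challenge, auth_challenge, client_name)
            == challenge_hash(peer_challenge, auth_challenge, server_name))


# Constructed sample challenges (not taken from the thread's logs).
PEER = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
AUTH = bytes.fromhex("f0e0d0c0b0a090807060504030201000")

if __name__ == "__main__":
    # Client sent a UPN, server rewrote it to the bare account name: mismatch.
    print(server_can_verify("test10@voip.test", "test10", PEER, AUTH))  # False
    # A prepended NT domain is stripped by the spec, so this one still matches.
    print(server_can_verify("VOIP\\test10", "test10", PEER, AUTH))  # True
```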


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
