(RADIATOR) AuthBy LSA / Domain keyword
Hugh Irvine
hugh at open.com.au
Tue Oct 3 23:25:06 CDT 2006
Hello Stuart -
I would have thought that you could dispense with either parameter
and just let the local machine sort out how to do the authentication
and find a different domain controller if it needs to.
From my reading of the manual, "DomainController" is only used for
Group checking, and if you don't have any Group checks it is not used.
The reason you are seeing different behaviour with different Domains
is because a different Handler is being used. In the first case
<Handler Realm=fhcrc.org> is being used and in the second <Handler>
is being used. This doesn't make sense to me as the username looks to
be the same in both cases - I suspect there must be some other
problem in the configuration file that is causing this behaviour.
hope that helps
regards
Hugh
On 4 Oct 2006, at 11:44, Stuart Kendrick wrote:
> hi,
>
> I'd like to better understand the 'Domain xyz' keyword in an
> AuthBy LSA stanza ... specifically, I want to take advantage
> of my multiple domain controllers, and I'm concerned that I'm not
> doing that currently.
>
> I'm running Radiator-3.15 w/patches on a Windows Server 2003
> machine, authenticating against an Active Directory sitting on top
> of more Windows 2003 machines.
>
>
> Here's what my wireless stanzas look like currently. Notice the
> use of 'DomainController dc1'. I'm concerned that if 'dc1' goes
> down, Radiator won't use 'dc2' and 'dc3' for authentication.
>
> CURRENT RADIUS.CFG
> [...]
> <Handler TunnelledByPEAP=1>
> # Authenticate with Windows LSA
> <AuthBy LSA>
> DomainController dc1
> EAPType MSCHAP-V2
> </AuthBy>
> AcctLogFileName %L/detail
> </Handler>
>
>
> <Handler TunnelledByTTLS=1>
> # Authenticate with Windows LSA
> <AuthBy LSA>
> DomainController dc1
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog wap-authlog
> </Handler>
>
>
> <Handler Realm=fhcrc.org>
> <AuthBy GROUP>
> AuthByPolicy ContinueWhileReject
> <AuthBy FILE>
> RewriteUsername s/^([^@]+).*/$1/
> Filename C:/[...]/users
> </AuthBy>
>
> <AuthBy LSA>
> RewriteUsername s/^([^@]+).*/$1/
> DomainController dc1
> EAPType LEAP
> </AuthBy>
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog wap-authlog
> </Handler>
>
>
> <Handler>
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilAccept
> <AuthBy FILE>
> Filename C:/[...]/users
> EAPType PEAP,TTLS
> EAPTLS_PEAPVersion 0
> EAPTLS_CAFile C:/[...]/cacert.pem
> EAPTLS_CertificateFile C:/[...]/doozle.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
> EAPTLS_PrivateKeyPassword secret
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog wap-authlog
> </Handler>
>
>
>
> And here's what my users file looks like:
>
> mikem User-Password=secret
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Netmask = 255.255.255.255,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
> Here's what a typical authentication session looks like with
> debugging cranked up. This is a Cisco wireless phone employing
> LEAP, powering up, authenticating, and then powering down.
>
> Tue Oct 3 18:03:07 2006: DEBUG: Finished reading configuration
> file 'C:\[...]\radius.cfg'
> Tue Oct 3 18:03:07 2006: DEBUG: Reading dictionary file 'C:/[...]/
> dictionary'
> Tue Oct 3 18:03:07 2006: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Tue Oct 3 18:03:07 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Oct 3 18:03:07 2006: NOTICE: Server started: Radiator 3.15 on
> Doozle
> Tue Oct 3 18:03:08 2006: DEBUG: Packet dump:
>
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 44
> Authentic: <163><251>jJ%<241><131><181>}<209>i<2><192><242><175>w
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 273
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 273
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
> Tue Oct 3 18:03:24 2006: DEBUG: Response type 1
> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP authentication
> is not permitted.
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
> Tue Oct 3 18:03:24 2006: DEBUG: Response type 1
> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: CHALLENGE,
> EAP LEAP Challenge
> Tue Oct 3 18:03:24 2006: DEBUG: Access challenged for
> skendric at fhcrc.org: EAP LEAP Challenge
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Challenge
> Identifier: 44
> Authentic: [...]
> Attributes:
> EAP-Message = [...]skendric at fhcrc.org
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 45
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = [...]skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 273
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 273
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
> Tue Oct 3 18:03:24 2006: DEBUG: Response type 17
> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
> Tue Oct 3 18:03:24 2006: DEBUG: Reading users file C:/Program
> Files/Radiator/users
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match
> with skendric [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such
> user: skendric [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no
> such user skendric
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
> Tue Oct 3 18:03:24 2006: DEBUG: Response type 17
> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match
> with skendric [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
> [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0,
> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Oct 3 18:03:24 2006: DEBUG: Access accepted for
> skendric at fhcrc.org
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Accept
> Identifier: 45
> Authentic: #<197><205><130>{`<31><23>"X<191>s<173>,e5
> Attributes:
> EAP-Message = <3><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 46
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = <1><2><0>
> <17><1><0><8><131><13>,,<196>L2Uskendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 273
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 273
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
> Tue Oct 3 18:03:24 2006: DEBUG: EAP Request 17
> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match
> with skendric [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such
> user: skendric [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no
> such user skendric
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
> Tue Oct 3 18:03:24 2006: DEBUG: EAP Request 17
> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match
> with skendric [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
> [skendric at fhcrc.org]
> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT, EAP
> LEAP Accept
> Tue Oct 3 18:03:24 2006: DEBUG: Access accepted for
> skendric at fhcrc.org
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Accept
> Identifier: 46
> Authentic: [...]
> Attributes:
> EAP-Message = [...]ILsskendric at fhcrc.org
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> cisco-avpair = "leap:session-key=[...]"
>
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1646 ....
> Code: Accounting-Request
> Identifier: 18
> Authentic: f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
> Attributes:
> Acct-Session-Id = "00000019"
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> cisco-avpair = "ssid=Marconi"
> cisco-avpair = "nas-location=unspecified"
> User-Name = "skendric at fhcrc.org"
> Acct-Authentic = RADIUS
> Acct-Status-Type = Start
> NAS-Port-Type = Wireless-IEEE-802-11
> Cisco-NAS-Port = "273"
> NAS-Port = 273
> Service-Type = Framed-User
> NAS-IP-Address = 10.10.31.3
> Acct-Delay-Time = 0
>
> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:03:24 2006: DEBUG: Adding session for
> skendric at fhcrc.org, 10.10.31.3, 273
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Oct 3 18:03:24 2006: DEBUG: Accounting accepted
> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1646 ....
> Code: Accounting-Response
> Identifier: 18
> Authentic: f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
> Attributes:
>
> Tue Oct 3 18:03:39 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1646 ....
> Code: Accounting-Request
> Identifier: 19
> Authentic: <11><207><255><176><213><246>|<14>G2<229>
> (<6><198><218><191>
> Attributes:
> Acct-Session-Id = "00000019"
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> cisco-avpair = "ssid=Marconi"
> cisco-avpair = "nas-location=unspecified"
> cisco-avpair = "vlan-id=0"
> cisco-avpair = "auth-algo-type=eap-leap"
> User-Name = "skendric at fhcrc.org"
> Acct-Authentic = RADIUS
> cisco-avpair = "connect-progress=Call Up"
> Acct-Session-Time = 15
> Acct-Input-Octets = 7936
> Acct-Output-Octets = 16962
> Acct-Input-Packets = 98
> Acct-Output-Packets = 92
> Acct-Terminate-Cause = Lost-Carrier
> cisco-avpair = "disc-cause-ext=No Reason"
> Acct-Status-Type = Stop
> NAS-Port-Type = Wireless-IEEE-802-11
> Cisco-NAS-Port = "273"
> NAS-Port = 273
> Service-Type = Framed-User
> NAS-IP-Address = 10.10.31.3
> Acct-Delay-Time = 0
>
> Tue Oct 3 18:03:39 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:03:39 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 273
> Tue Oct 3 18:03:39 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:03:39 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:03:39 2006: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Oct 3 18:03:39 2006: DEBUG: Accounting accepted
> Tue Oct 3 18:03:39 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1646 ....
> Code: Accounting-Response
> Identifier: 19
> Authentic: [...]
> Attributes:
>
>
>
>
>
> OK, so far so good. Now, I figure, let's use the 'Domain' keyword
> instead of the 'DomainController' keyword ... I'm guessing that if
> I use the 'Domain' keyword, AuthBy LSA will rely on the local
> machine's ability to locate domain controllers.
>
>
> PROPOSED CONFIG FILE
> [...]
> <Handler TunnelledByPEAP=1>
> # Authenticate with Windows LSA
> <AuthBy LSA>
> Domain fhcrc.org
> EAPType MSCHAP-V2
> </AuthBy>
> AcctLogFileName %L/detail
> </Handler>
>
>
> <Handler TunnelledByTTLS=1>
> # Authenticate with Windows LSA
> <AuthBy LSA>
> Domain fhcrc.org
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog wap-authlog
> </Handler>
>
>
> <Handler Realm=fhcrc.org>
> <AuthBy GROUP>
> AuthByPolicy ContinueWhileReject
> <AuthBy FILE>
> RewriteUsername s/^([^@]+).*/$1/
> Filename C:/[...]/users
> </AuthBy>
>
> <AuthBy LSA>
> RewriteUsername s/^([^@]+).*/$1/
> Domain fhcrc.org
> EAPType LEAP
> </AuthBy>
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog wap-authlog
> </Handler>
>
>
> <Handler>
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilAccept
> <AuthBy FILE>
> Filename C:/[...]/users
> EAPType PEAP,TTLS
> EAPTLS_PEAPVersion 0
> EAPTLS_CAFile C:/[...]/cacert.pem
> EAPTLS_CertificateFile C:/[...]/doozle.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
> EAPTLS_PrivateKeyPassword secret
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog wap-authlog
> </Handler>
>
> All I did was replace 'DomainController dc1' with 'Domain fhcrc.org'.
>
>
>
>
> Now, many of my wireless devices continue to authenticate just
> fine ... but not the Cisco phone:
>
> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 47
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 274
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:04:28 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 274
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
> Tue Oct 3 18:04:28 2006: DEBUG: Response type 1
> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP authentication
> is not permitted.
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
> Tue Oct 3 18:04:28 2006: DEBUG: Response type 1
> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
> Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: CHALLENGE,
> EAP LEAP Challenge
> Tue Oct 3 18:04:28 2006: DEBUG: Access challenged for
> skendric at fhcrc.org: EAP LEAP Challenge
> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Challenge
> Identifier: 47
> Authentic: [...]
> Attributes:
> EAP-Message = [...]skendric at fhcrc.org
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 48
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = [...]skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 274
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
> 'Realm=fhcrc.org'
> Tue Oct 3 18:04:28 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 274
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
> Tue Oct 3 18:04:28 2006: DEBUG: Response type 17
> Tue Oct 3 18:04:28 2006: DEBUG: Rewrote identity to skendric
> Tue Oct 3 18:04:28 2006: DEBUG: Reading users file C:/[...]/users
> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthFILE looks for match
> with skendric [skendric at fhcrc.org]
> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthFILE REJECT: No such
> user: skendric [skendric at fhcrc.org]
> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP LEAP failed: no
> such user skendric
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
> Tue Oct 3 18:04:28 2006: DEBUG: Response type 17
> Tue Oct 3 18:04:28 2006: DEBUG: Rewrote identity to skendric
> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthLSA looks for match
> with skendric [skendric at fhcrc.org]
> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
> [skendric at fhcrc.org]
> Tue Oct 3 18:04:28 2006: WARNING: Could not
> LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad
> password.
>
>
> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
> Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: REJECT, Bad
> LEAP Password
> Tue Oct 3 18:04:28 2006: INFO: Access rejected for
> skendric at fhcrc.org: Bad LEAP Password
> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Reject
> Identifier: 48
> Authentic: [...]
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
>
>
>
> For grins, I tried using 'Domain FHCRC' (the NetBIOS name of my
> Active Directory domain) ... and now I see PEAP messages, instead
> of LEAP messages, in the debug output ... I don't understand
> that ... authentication continues to fail.
>
> Tue Oct 3 18:28:39 2006: DEBUG: Finished reading configuration
> file 'C:\[...]\radius.cfg'
> Tue Oct 3 18:28:39 2006: DEBUG: Reading dictionary file 'C:/[...]/
> dictionary'
> Tue Oct 3 18:28:39 2006: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Tue Oct 3 18:28:39 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Oct 3 18:28:39 2006: NOTICE: Server started: Radiator 3.15 on
> Daphne
> Tue Oct 3 18:28:40 2006: DEBUG: Packet dump:
>
>
> Tue Oct 3 18:28:54 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 50
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = <2><3><0><21><1>skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 276
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:28:54 2006: DEBUG: Handling request with Handler ''
> Tue Oct 3 18:28:54 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 276
> Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:28:54 2006: DEBUG: Handling with EAP: code 2, 3, 21
> Tue Oct 3 18:28:54 2006: DEBUG: Response type 1
> Tue Oct 3 18:28:54 2006: DEBUG: Resuming session for
> Radius::Context=HASH(0x1c77694)
>
> Tue Oct 3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Oct 3 18:28:54 2006: DEBUG: AuthBy GROUP result: CHALLENGE,
> EAP PEAP Challenge
> Tue Oct 3 18:28:54 2006: DEBUG: Access challenged for
> skendric at fhcrc.org: EAP PEAP Challenge
> Tue Oct 3 18:28:54 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Challenge
> Identifier: 50
> Authentic: [...]
> Attributes:
> EAP-Message = <1><4><0><6><25>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
> Tue Oct 3 18:28:56 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 51
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = <2><5><0><21><1>skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 276
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:28:56 2006: DEBUG: Handling request with Handler ''
> Tue Oct 3 18:28:56 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 276
> Tue Oct 3 18:28:56 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:28:56 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:28:56 2006: DEBUG: Handling with EAP: code 2, 5, 21
> Tue Oct 3 18:28:56 2006: DEBUG: Response type 1
> Tue Oct 3 18:28:56 2006: DEBUG: Resuming session for
> Radius::Context=HASH(0x1c77694)
>
> Tue Oct 3 18:28:56 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Oct 3 18:28:56 2006: DEBUG: AuthBy GROUP result: CHALLENGE,
> EAP PEAP Challenge
> Tue Oct 3 18:28:56 2006: DEBUG: Access challenged for
> skendric at fhcrc.org: EAP PEAP Challenge
> Tue Oct 3 18:28:56 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Challenge
> Identifier: 51
> Authentic: [...]
> Attributes:
> EAP-Message = <1><6><0><6><25>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Oct 3 18:28:58 2006: DEBUG: Packet dump:
> *** Received from 10.10.31.3 port 1645 ....
> Code: Access-Request
> Identifier: 52
> Authentic: [...]
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = [...]
> EAP-Message = <2><7><0><21><1>skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 276
> NAS-IP-Address = 10.10.31.3
> NAS-Identifier = "skendric-ap "
>
> Tue Oct 3 18:28:58 2006: DEBUG: Handling request with Handler ''
> Tue Oct 3 18:28:58 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.10.31.3, 276
> Tue Oct 3 18:28:58 2006: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 3 18:28:58 2006: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 3 18:28:58 2006: DEBUG: Handling with EAP: code 2, 7, 21
> Tue Oct 3 18:28:58 2006: DEBUG: Response type 1
> Tue Oct 3 18:28:58 2006: DEBUG: Resuming session for
> Radius::Context=HASH(0x1c77694)
>
> Tue Oct 3 18:28:58 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Oct 3 18:28:58 2006: DEBUG: AuthBy GROUP result: CHALLENGE,
> EAP PEAP Challenge
> Tue Oct 3 18:28:58 2006: DEBUG: Access challenged for
> skendric at fhcrc.org: EAP PEAP Challenge
> Tue Oct 3 18:28:58 2006: DEBUG: Packet dump:
> *** Sending to 10.10.31.3 port 1645 ....
> Code: Access-Challenge
> Identifier: 52
> Authentic: [...]
> Attributes:
> EAP-Message = <1><8><0><6><25>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
> OK, so ...
>
> - Am I on the right track? Will the 'DomainController dc1' keyword
> limit Radiator to employing the single domain controller, dc1, as
> the authentication source?
>
> - Why does the 'Domain' keyword break authentication for LEAP clients?
>
> - Why does the NetBIOS name for my Active Directory domain give
> different results than the DNS name, with respect to LEAP clients? [Well, I
> suppose the *result* is the same ... but the shift from LEAP to
> PEAP in the debug output seems odd to me.]
>
>
> Input appreciated,
>
> --sk
>
> stuart kendrick
> fhcrc
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
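As an added illustration of the Handler-selection and AuthByPolicy behaviour discussed in this thread (example code written for this page, not part of Radiator and not either poster's configuration), the Python below models the two non-tunnelled Handlers from the posted radius.cfg. Handlers are tried in configuration order and the first whose check items match the request wins, with the bare <Handler> acting as catch-all; inside an AuthBy GROUP, AuthByPolicy decides whether the next AuthBy is consulted after each result, and the group returns the last result it saw. The users-file entry mirrors the posted file. The "AD" account and its password, the dict standing in for the LSA LogonUser call, and the omission of the EAP state machine (no CHALLENGE round trips) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Result codes as Radiator prints them in its trace-4 log.
ACCEPT, REJECT, CHALLENGE, IGNORE = "ACCEPT", "REJECT", "CHALLENGE", "IGNORE"

# Constructed stand-ins for the two back ends: the users file mirrors the one
# entry in the posted file; the "AD" account and password are invented.
USERS_FILE = {"mikem": "secret"}
AD_ACCOUNTS = {"skendric": "phonepass"}

# The posted RewriteUsername s/^([^@]+).*/$1/ in Python regex form.
STRIP_REALM = (r"^([^@]+).*", r"\1")


def realm_of(username: str) -> Optional[str]:
    """Realm is the text after the last '@', or None when there is none."""
    return username.rsplit("@", 1)[1] if "@" in username else None


def auth_file(user: str, password: str) -> Tuple[str, str]:
    """AuthBy FILE stand-in: a missing entry is a REJECT, not an IGNORE."""
    if user not in USERS_FILE:
        return REJECT, f"No such user: {user}"
    return (ACCEPT, user) if USERS_FILE[user] == password else (REJECT, "Bad Password")


def auth_lsa(user: str, password: str) -> Tuple[str, str]:
    """AuthBy LSA stand-in: a dict in place of the local machine's LogonUser."""
    if AD_ACCOUNTS.get(user) == password:
        return ACCEPT, user
    return REJECT, "Logon failure: unknown user name or bad password"


@dataclass
class AuthBy:
    name: str
    backend: Callable[[str, str], Tuple[str, str]]
    rewrite: Optional[Tuple[str, str]] = None  # RewriteUsername, if configured

    def run(self, username: str, password: str, log: List[str]) -> str:
        ident = username
        if self.rewrite:
            ident = re.sub(self.rewrite[0], self.rewrite[1], ident)
            log.append(f"Rewrote identity to {ident}")
        result, reason = self.backend(ident, password)
        log.append(f"{self.name} {result}: {reason}")
        return result


@dataclass
class AuthByGroup:
    policy: str
    members: List[AuthBy]

    def keep_going(self, result: str) -> bool:
        """AuthByPolicy: consult the next AuthBy after this result?"""
        return {
            "ContinueWhileIgnore": result == IGNORE,   # Radiator's default
            "ContinueWhileReject": result == REJECT,
            "ContinueUntilAccept": result != ACCEPT,
        }[self.policy]

    def run(self, username: str, password: str, log: List[str]) -> str:
        result = IGNORE
        for member in self.members:
            result = member.run(username, password, log)
            if not self.keep_going(result):
                break
        log.append(f"AuthBy GROUP result: {result}")
        return result


@dataclass
class Handler:
    check: Dict[str, str]   # e.g. {"Realm": "fhcrc.org"}; {} is the catch-all
    group: AuthByGroup

    def matches(self, request: Dict[str, Optional[str]]) -> bool:
        return all(request.get(k) == v for k, v in self.check.items())

    def label(self) -> str:
        return ",".join(f"{k}={v}" for k, v in self.check.items())


def build_handlers() -> List[Handler]:
    """The two non-tunnelled Handlers from the posted radius.cfg, in file order."""
    realm_handler = Handler({"Realm": "fhcrc.org"}, AuthByGroup("ContinueWhileReject", [
        AuthBy("Radius::AuthFILE", auth_file, STRIP_REALM),
        AuthBy("Radius::AuthLSA", auth_lsa, STRIP_REALM),
    ]))
    catch_all = Handler({}, AuthByGroup("ContinueUntilAccept", [
        AuthBy("Radius::AuthFILE", auth_file),
    ]))
    return [realm_handler, catch_all]


def authenticate(username: str, password: str) -> Tuple[str, List[str]]:
    """First matching Handler in config order runs its AuthBy GROUP."""
    log: List[str] = []
    request = {"User-Name": username, "Realm": realm_of(username)}
    for handler in build_handlers():
        if handler.matches(request):
            log.append(f"Handling request with Handler '{handler.label()}'")
            return handler.group.run(username, password, log), log
    return REJECT, log + ["No Handler matched"]


if __name__ == "__main__":
    for user, pw in [("skendric@fhcrc.org", "phonepass"), ("skendric", "phonepass"),
                     ("mikem@fhcrc.org", "secret")]:
        result, trace = authenticate(user, pw)
        print(f"{user}: {result}")
        for line in trace:
            print("   ", line)
```

Run it and compare the trace with the posted debug output: a User-Name carrying the fhcrc.org realm lands in Handler 'Realm=fhcrc.org', where the AuthBy FILE REJECT falls through to AuthBy LSA under ContinueWhileReject; the same account without a realm lands in Handler '' and is rejected by the lone AuthBy FILE there, since that Handler contains no AuthBy LSA at all. The third case is the one to check in any layered configuration of this shape: a user who does exist in the local users file is accepted there and never reaches the directory, so a stale file entry with a known password sidesteps Active Directory password policy and lockout.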