(RADIATOR) AuthBy LSA / Domain keyword
Stuart Kendrick
skendric at fhcrc.org
Sun Oct 8 22:33:18 CDT 2006
hi hugh,
-alright, i agree that 'DomainController' isn't what i want ... i'm not
doing any Group checking
-i'm playing around now, removing the 'DomainController' keyword and not
bothering to replace it with anything ... that works ... and i can add
the 'Domain FHCRC' to each stanza ... until i reach the LEAP stanza ...
if i add the 'Domain FHCRC' line to that stanza, my LEAP client fails:
-ok, let's try stripping this config file down ... nope, it still fails
ok, see below for my complete config file. if i remove the 'Domain
FHCRC' clause, then LEAP clients start working again. [take the
comments in the wireless section with salt ... i'm not confident of them]
obviously, i don't need to solve this problem to persuade LEAP clients
to work ... but i figure ... if i don't understand why the 'Domain
FHCRC' phrase breaks them ... then there's something lurking here which
may bite me in the future ... and that's what i'm after ... enough
understanding to reduce the chance of future teeth marks
do you see something else in the config file which could be influencing
the LEAP client / Domain FHCRC interaction?
--sk
########## GLOBAL PARAMETERS ############
# Misc
PidFile C:/Program Files/Radiator/radius.pid
DbDir C:/Program Files/Radiator
# Log error messages to the console [doesn't work --sk]
Foreground
LogStdout
# This defines the %L token
LogDir G:/Radiator/Logs
# Default logfile for startup and other general messages. In theory,
# the <Log FILE> directive below disables this ... but
# in practice, it does not
LogFile %L/logfile
# Set logging level
Trace 4
########## LOG FILE DEFINITIONS ##########
<Log FILE>
Identifier general-log
Filename %L/General/%Y-%m-%d-general
LogFormat %l: general: %1: %2: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
</Log>
<AuthLog FILE>
Identifier rad-authlog
Filename G:/Radiator/Logs/RAD/%Y-%m-%d-rad
LogSuccess 1
SuccessFormat %l: rad: OK: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: rad: FAIL: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier shib-authlog
Filename %L/Shibboleth/%Y-%m-%d-shib
LogSuccess 1
SuccessFormat %l: shib: OK: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: shib: FAIL: %{GlobalVar: eaptype}: %U: %n: %c:
%{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier vpn-authlog
Filename %L/VPN/%Y-%m-%d-vpn
LogSuccess 1
SuccessFormat %l: vpn: OK: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: vpn: FAIL: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier wap-authlog
Filename %L/WAP/%Y-%m-%d-wap
LogSuccess 1
SuccessFormat %l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
LogFailure 1
FailureFormat %l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T:
%{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>
########## CLIENT DEFINITIONS ############
# Wireless access points
<Client DEFAULT>
Secret radius-secret
</Client>
########## AUTHENTICATION HANDLERS ###########
#### Wireless Clients using PEAP #####
<Handler TunnelledByPEAP=1>
<AuthBy LSA>
EAPType MSCHAP-V2
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using EAP-TLS #####
<Handler TunnelledByTTLS=1>
<AuthBy LSA>
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
AuthByPolicy ContinueWhileReject
<AuthBy LSA>
RewriteUsername s/^([^@]+).*/$1/
EAPType LEAP
Domain FHCRC
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using PEAP and EAP-TTLS #####
# This is also the default handler
<Handler>
AuthByPolicy ContinueUntilAccept
<AuthBy FILE>
EAPType PEAP,TTLS
EAPTLS_PEAPVersion 0
EAPTLS_CAFile %D/cacert.pem
EAPTLS_CertificateFile %D/daphne.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/daphne.pem
EAPTLS_PrivateKeyPassword secret
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
Hugh Irvine wrote:
>
> Hello Stuart -
>
> I would have thought that you could dispense with either parameter and
> just let the local machine sort out how to do the authentication and
> find a different domain controller if it needs to.
>
> From my reading of the manual, "DomainController" is only used for
> Group checking, and if you don't have any Group checks it is not used.
>
> The reason you are seeing different behaviour with different Domains is
> because a different Handler is being used. In the first case <Handler
> Realm = fhcrc.org> is being used and in the second <Handler> is being
> used. This doesn't make sense to me as the username looks to be the same
> in both cases - I suspect there must be some other problem in the
> configuration file that is causing this behaviour.
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 4 Oct 2006, at 11:44, Stuart Kendrick wrote:
>
>> hi,
>>
>> i'd like to better understand the 'Domain xyz' keyword, in an AuthBy
>> LSA stanza ... specifically, i'm wanting to take advantage of my
>> multiple domain controllers, and i'm concerned that i'm not doing that
>> currently
>>
>> i'm running Radiator-3.15 w/patches on a Windows Server 2003 machine,
>> authenticating against an Active Directory sitting on top of more
>> Windows 2003 machines
>>
>>
>> here's what my wireless stanzas look like currently. notice the use
>> of 'DomainController dc1'. i'm concerned that if 'dc1' goes down,
>> that Radiator won't use 'dc2' and 'dc3' for authentication
>>
>> CURRENT RADIUS.CFG
>> [...]
>> <Handler TunnelledByPEAP=1>
>> # Authenticate with Windows LSA
>> <AuthBy LSA>
>> DomainController dc1
>> EAPType MSCHAP-V2
>> </AuthBy>
>> AcctLogFileName %L/detail
>> </Handler>
>>
>>
>> <Handler TunnelledByTTLS=1>
>> # Authenticate with Windows LSA
>> <AuthBy LSA>
>> DomainController dc1
>> </AuthBy>
>> AcctLogFileName %L/detail
>> AuthLog wap-authlog
>> </Handler>
>>
>>
>> <Handler Realm=fhcrc.org>
>> <AuthBy GROUP>
>> AuthByPolicy ContinueWhileReject
>> <AuthBy FILE>
>> RewriteUsername s/^([^@]+).*/$1/
>> Filename C:/[...]/users
>> </AuthBy>
>>
>> <AuthBy LSA>
>> RewriteUsername s/^([^@]+).*/$1/
>> DomainController dc1
>> EAPType LEAP
>> </AuthBy>
>> </AuthBy>
>> AcctLogFileName %L/detail
>> AuthLog wap-authlog
>> </Handler>
>>
>>
>> <Handler>
>> <AuthBy GROUP>
>> AuthByPolicy ContinueUntilAccept
>> <AuthBy FILE>
>> Filename C:/[...]/users
>> EAPType PEAP,TTLS
>> EAPTLS_PEAPVersion 0
>> EAPTLS_CAFile C:/[...]/cacert.pem
>> EAPTLS_CertificateFile C:/[...]/doozle.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
>> EAPTLS_PrivateKeyPassword secret
>> EAPTLS_MaxFragmentSize 1024
>> AutoMPPEKeys
>> SSLeayTrace 4
>> </AuthBy>
>> </AuthBy>
>> AcctLogFileName %L/detail
>> AuthLog wap-authlog
>> </Handler>
>>
>>
>>
>> and here's what my users file looks like:
>>
>> mikem User-Password=secret
>> Service-Type = Framed-User,
>> Framed-Protocol = PPP,
>> Framed-IP-Netmask = 255.255.255.255,
>> Framed-Routing = None,
>> Framed-MTU = 1500,
>> Framed-Compression = Van-Jacobson-TCP-IP
>>
>>
>>
>> here's what a typical authentication session looks like with debugging
>> cranked up. this is a Cisco wireless phone employing LEAP, powering
>> up, authenticating, and then powering down.
>>
>> Tue Oct 3 18:03:07 2006: DEBUG: Finished reading configuration file
>> 'C:\[...]\radius.cfg'
>> Tue Oct 3 18:03:07 2006: DEBUG: Reading dictionary file
>> 'C:/[...]/dictionary'
>> Tue Oct 3 18:03:07 2006: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Tue Oct 3 18:03:07 2006: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Oct 3 18:03:07 2006: NOTICE: Server started: Radiator 3.15 on Doozle
>> Tue Oct 3 18:03:08 2006: DEBUG: Packet dump:
>>
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 44
>> Authentic: <163><251>jJ%<241><131><181>}<209>i<2><192><242><175>w
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 273
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct 3 18:03:24 2006: DEBUG: Response type 1
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP authentication is
>> not permitted.
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct 3 18:03:24 2006: DEBUG: Response type 1
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
>> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
>> LEAP Challenge
>> Tue Oct 3 18:03:24 2006: DEBUG: Access challenged for
>> skendric at fhcrc.org: EAP LEAP Challenge
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 44
>> Authentic: [...]
>> Attributes:
>> EAP-Message = [...]skendric at fhcrc.org
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 45
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = [...]skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 273
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct 3 18:03:24 2006: DEBUG: Response type 17
>> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct 3 18:03:24 2006: DEBUG: Reading users file C:/Program
>> Files/Radiator/users
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match with
>> skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such
>> user: skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no
>> such user skendric
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct 3 18:03:24 2006: DEBUG: Response type 17
>> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match with
>> skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
>> [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0,
>> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
>> Tue Oct 3 18:03:24 2006: DEBUG: Access accepted for skendric at fhcrc.org
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Accept
>> Identifier: 45
>> Authentic: #<197><205><130>{`<31><23>"X<191>s<173>,e5
>> Attributes:
>> EAP-Message = <3><2><0><4>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 46
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = <1><2><0>
>> <17><1><0><8><131><13>,,<196>L2Uskendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 273
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:03:24 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP Request 17
>> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match with
>> skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such
>> user: skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no
>> such user skendric
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP Request 17
>> Tue Oct 3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match with
>> skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
>> [skendric at fhcrc.org]
>> Tue Oct 3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
>> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT, EAP LEAP
>> Accept
>> Tue Oct 3 18:03:24 2006: DEBUG: Access accepted for skendric at fhcrc.org
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Accept
>> Identifier: 46
>> Authentic: [...]
>> Attributes:
>> EAP-Message = [...]ILsskendric at fhcrc.org
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> cisco-avpair = "leap:session-key=[...]"
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1646 ....
>> Code: Accounting-Request
>> Identifier: 18
>> Authentic: f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
>> Attributes:
>> Acct-Session-Id = "00000019"
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> cisco-avpair = "ssid=Marconi"
>> cisco-avpair = "nas-location=unspecified"
>> User-Name = "skendric at fhcrc.org"
>> Acct-Authentic = RADIUS
>> Acct-Status-Type = Start
>> NAS-Port-Type = Wireless-IEEE-802-11
>> Cisco-NAS-Port = "273"
>> NAS-Port = 273
>> Service-Type = Framed-User
>> NAS-IP-Address = 10.10.31.3
>> Acct-Delay-Time = 0
>>
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:03:24 2006: DEBUG: Adding session for
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
>> Tue Oct 3 18:03:24 2006: DEBUG: Accounting accepted
>> Tue Oct 3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1646 ....
>> Code: Accounting-Response
>> Identifier: 18
>> Authentic: f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
>> Attributes:
>>
>> Tue Oct 3 18:03:39 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1646 ....
>> Code: Accounting-Request
>> Identifier: 19
>> Authentic: <11><207><255><176><213><246>|<14>G2<229>(<6><198><218><191>
>> Attributes:
>> Acct-Session-Id = "00000019"
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> cisco-avpair = "ssid=Marconi"
>> cisco-avpair = "nas-location=unspecified"
>> cisco-avpair = "vlan-id=0"
>> cisco-avpair = "auth-algo-type=eap-leap"
>> User-Name = "skendric at fhcrc.org"
>> Acct-Authentic = RADIUS
>> cisco-avpair = "connect-progress=Call Up"
>> Acct-Session-Time = 15
>> Acct-Input-Octets = 7936
>> Acct-Output-Octets = 16962
>> Acct-Input-Packets = 98
>> Acct-Output-Packets = 92
>> Acct-Terminate-Cause = Lost-Carrier
>> cisco-avpair = "disc-cause-ext=No Reason"
>> Acct-Status-Type = Stop
>> NAS-Port-Type = Wireless-IEEE-802-11
>> Cisco-NAS-Port = "273"
>> NAS-Port = 273
>> Service-Type = Framed-User
>> NAS-IP-Address = 10.10.31.3
>> Acct-Delay-Time = 0
>>
>> Tue Oct 3 18:03:39 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:03:39 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct 3 18:03:39 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:03:39 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:03:39 2006: DEBUG: AuthBy GROUP result: ACCEPT,
>> Tue Oct 3 18:03:39 2006: DEBUG: Accounting accepted
>> Tue Oct 3 18:03:39 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1646 ....
>> Code: Accounting-Response
>> Identifier: 19
>> Authentic: [...]
>> Attributes:
>>
>>
>>
>>
>>
>> ok, so far so good. now, i figure, let's use the 'Domain' keyword
>> instead of the 'DomainController' keyword ... i'm guessing that if i
>> use the 'Domain' keyword, that AuthBy LSA will rely on the local
>> machine's ability to locate domain controllers
>>
>>
>> PROPOSED CONFIG FILE
>> [...]
>> <Handler TunnelledByPEAP=1>
>> # Authenticate with Windows LSA
>> <AuthBy LSA>
>> Domain fhcrc.org
>> EAPType MSCHAP-V2
>> </AuthBy>
>> AcctLogFileName %L/detail
>> </Handler>
>>
>>
>> <Handler TunnelledByTTLS=1>
>> # Authenticate with Windows LSA
>> <AuthBy LSA>
>> Domain fhcrc.org
>> </AuthBy>
>> AcctLogFileName %L/detail
>> AuthLog wap-authlog
>> </Handler>
>>
>>
>> <Handler Realm=fhcrc.org>
>> <AuthBy GROUP>
>> AuthByPolicy ContinueWhileReject
>> <AuthBy FILE>
>> RewriteUsername s/^([^@]+).*/$1/
>> Filename C:/[...]/users
>> </AuthBy>
>>
>> <AuthBy LSA>
>> RewriteUsername s/^([^@]+).*/$1/
>> Domain fhcrc.org
>> EAPType LEAP
>> </AuthBy>
>> </AuthBy>
>> AcctLogFileName %L/detail
>> AuthLog wap-authlog
>> </Handler>
>>
>>
>> <Handler>
>> <AuthBy GROUP>
>> AuthByPolicy ContinueUntilAccept
>> <AuthBy FILE>
>> Filename C:/[...]/users
>> EAPType PEAP,TTLS
>> EAPTLS_PEAPVersion 0
>> EAPTLS_CAFile C:/[...]/cacert.pem
>> EAPTLS_CertificateFile C:/[...]/doozle.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
>> EAPTLS_PrivateKeyPassword secret
>> EAPTLS_MaxFragmentSize 1024
>> AutoMPPEKeys
>> SSLeayTrace 4
>> </AuthBy>
>> </AuthBy>
>> AcctLogFileName %L/detail
>> AuthLog wap-authlog
>> </Handler>
>>
>> all i did was replace 'DomainController dc1' with 'Domain fhcrc.org'
>>
>>
>>
>>
>> now, many of my wireless devices continue to authenticate just fine
>> ... but not the Cisco phone:
>>
>> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 47
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 274
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:04:28 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 274
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct 3 18:04:28 2006: DEBUG: Response type 1
>> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP authentication is
>> not permitted.
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct 3 18:04:28 2006: DEBUG: Response type 1
>> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
>> Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
>> LEAP Challenge
>> Tue Oct 3 18:04:28 2006: DEBUG: Access challenged for
>> skendric at fhcrc.org: EAP LEAP Challenge
>> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 47
>> Authentic: [...]
>> Attributes:
>> EAP-Message = [...]skendric at fhcrc.org
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 48
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = [...]skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 274
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling request with Handler
>> 'Realm=fhcrc.org'
>> Tue Oct 3 18:04:28 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 274
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct 3 18:04:28 2006: DEBUG: Response type 17
>> Tue Oct 3 18:04:28 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct 3 18:04:28 2006: DEBUG: Reading users file C:/[...]/users
>> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthFILE looks for match with
>> skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthFILE REJECT: No such
>> user: skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, EAP LEAP failed: no
>> such user skendric
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct 3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct 3 18:04:28 2006: DEBUG: Response type 17
>> Tue Oct 3 18:04:28 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthLSA looks for match with
>> skendric [skendric at fhcrc.org]
>> Tue Oct 3 18:04:28 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
>> [skendric at fhcrc.org]
>> Tue Oct 3 18:04:28 2006: WARNING: Could not LogonUserNetworkMSCHAP:
>> Logon failure: unknown user name or bad password.
>>
>>
>> Tue Oct 3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
>> Tue Oct 3 18:04:28 2006: DEBUG: AuthBy GROUP result: REJECT, Bad LEAP
>> Password
>> Tue Oct 3 18:04:28 2006: INFO: Access rejected for
>> skendric at fhcrc.org: Bad LEAP Password
>> Tue Oct 3 18:04:28 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Reject
>> Identifier: 48
>> Authentic: [...]
>> Attributes:
>> EAP-Message = <4><2><0><4>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Reply-Message = "Request Denied"
>>
>>
>>
>>
>> for grins, i tried using 'Domain FHCRC' (the NetBIOS name of my Active
>> Directory domain) ... and now i see PEAP messages, instead of LEAP
>> messages, in the debug output ... i don't understand that ...
>> authentication continues to fail
>>
>> Tue Oct 3 18:28:39 2006: DEBUG: Finished reading configuration file
>> 'C:\[...]\radius.cfg'
>> Tue Oct 3 18:28:39 2006: DEBUG: Reading dictionary file
>> 'C:/[...]/dictionary'
>> Tue Oct 3 18:28:39 2006: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Tue Oct 3 18:28:39 2006: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Oct 3 18:28:39 2006: NOTICE: Server started: Radiator 3.15 on Daphne
>> Tue Oct 3 18:28:40 2006: DEBUG: Packet dump:
>>
>>
>> Tue Oct 3 18:28:54 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 50
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = <2><3><0><21><1>skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 276
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:28:54 2006: DEBUG: Handling request with Handler ''
>> Tue Oct 3 18:28:54 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 276
>> Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:28:54 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:28:54 2006: DEBUG: Handling with EAP: code 2, 3, 21
>> Tue Oct 3 18:28:54 2006: DEBUG: Response type 1
>> Tue Oct 3 18:28:54 2006: DEBUG: Resuming session for
>> Radius::Context=HASH(0x1c77694)
>>
>> Tue Oct 3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Tue Oct 3 18:28:54 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
>> PEAP Challenge
>> Tue Oct 3 18:28:54 2006: DEBUG: Access challenged for
>> skendric at fhcrc.org: EAP PEAP Challenge
>> Tue Oct 3 18:28:54 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 50
>> Authentic: [...]
>> Attributes:
>> EAP-Message = <1><4><0><6><25>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>> Tue Oct 3 18:28:56 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 51
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = <2><5><0><21><1>skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 276
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:28:56 2006: DEBUG: Handling request with Handler ''
>> Tue Oct 3 18:28:56 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 276
>> Tue Oct 3 18:28:56 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:28:56 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:28:56 2006: DEBUG: Handling with EAP: code 2, 5, 21
>> Tue Oct 3 18:28:56 2006: DEBUG: Response type 1
>> Tue Oct 3 18:28:56 2006: DEBUG: Resuming session for
>> Radius::Context=HASH(0x1c77694)
>>
>> Tue Oct 3 18:28:56 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Tue Oct 3 18:28:56 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
>> PEAP Challenge
>> Tue Oct 3 18:28:56 2006: DEBUG: Access challenged for
>> skendric at fhcrc.org: EAP PEAP Challenge
>> Tue Oct 3 18:28:56 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 51
>> Authentic: [...]
>> Attributes:
>> EAP-Message = <1><6><0><6><25>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct 3 18:28:58 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code: Access-Request
>> Identifier: 52
>> Authentic: [...]
>> Attributes:
>> User-Name = "skendric at fhcrc.org"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.c48a.e0e0"
>> Calling-Station-Id = "000d.282e.7ca8"
>> Service-Type = Login-User
>> Message-Authenticator = [...]
>> EAP-Message = <2><7><0><21><1>skendric at fhcrc.org
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 276
>> NAS-IP-Address = 10.10.31.3
>> NAS-Identifier = "skendric-ap "
>>
>> Tue Oct 3 18:28:58 2006: DEBUG: Handling request with Handler ''
>> Tue Oct 3 18:28:58 2006: DEBUG: Deleting session for
>> skendric at fhcrc.org, 10.10.31.3, 276
>> Tue Oct 3 18:28:58 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct 3 18:28:58 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct 3 18:28:58 2006: DEBUG: Handling with EAP: code 2, 7, 21
>> Tue Oct 3 18:28:58 2006: DEBUG: Response type 1
>> Tue Oct 3 18:28:58 2006: DEBUG: Resuming session for
>> Radius::Context=HASH(0x1c77694)
>>
>> Tue Oct 3 18:28:58 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Tue Oct 3 18:28:58 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP
>> PEAP Challenge
>> Tue Oct 3 18:28:58 2006: DEBUG: Access challenged for
>> skendric at fhcrc.org: EAP PEAP Challenge
>> Tue Oct 3 18:28:58 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code: Access-Challenge
>> Identifier: 52
>> Authentic: [...]
>> Attributes:
>> EAP-Message = <1><8><0><6><25>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>>
>> OK, so ...
>>
>> -am i on the right track? will the 'DomainController dc1' keyword
>> limit Radiator to employing the single domain controller, dc1, as the
>> authentication source?
>>
>> -why does the 'Domain' keyword break authentication for LEAP clients?
>>
>> -why does the NetBIOS name for my Active Directory domain give
>> different results than the DNS name, wrt LEAP clients? [well, i
>> suppose the *result* is the same ... but the shift from LEAP to PEAP
>> in the debug output seems odd to me]
>>
>>
>> input appreciated,
>>
>> --sk
>>
>> stuart kendrick
>> fhcrc
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
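One way to triage a Trace 4 log like the ones quoted above, as an added example that is neither part of this thread nor Radiator's own code: it records, per received RADIUS request, which Handler matched, which AuthBy clauses ran, the EAP method named in the result lines and the outcome, then flags a realm user that fell through to the default Handler '' and a reject that carries the LogonUserNetworkMSCHAP warning. The sample trace is constructed from the shape of the lines in the thread; the `@` form of the user name is assumed where the archive shows 'at'.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Radiator prefixes log lines with a timestamp and level; packet-dump bodies do not.
_LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: (\w+): (.*)$")
_EAP_METHOD = re.compile(r"\bEAP (LEAP|PEAP|TTLS|TLS|MSCHAP-V2)\b")
_OUTCOME = {"accepted": "ACCEPT", "rejected": "REJECT", "challenged": "CHALLENGE"}

@dataclass
class Request:
    identifier: int
    user: str = ""
    handler: Optional[str] = None       # '' is Radiator's default <Handler>
    authbys: List[str] = field(default_factory=list)
    eap_results: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    outcome: Optional[str] = None       # ACCEPT / REJECT / CHALLENGE

    def eap_method(self) -> Optional[str]:
        # Last EAP method named in an "EAP result" line (LEAP vs PEAP, say).
        hits = [m.group(1) for m in map(_EAP_METHOD.search, self.eap_results) if m]
        return hits[-1] if hits else None

def parse_trace(text: str) -> List[Request]:
    requests: List[Request] = []
    cur: Optional[Request] = None
    receiving = False                   # inside a "*** Received from" dump
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if m and cur is not None:
            level, msg = m.groups()
            if (h := re.match(r"Handling request with Handler '(.*)'", msg)):
                cur.handler = h.group(1)
            elif (a := re.match(r"Handling with Radius::(\w+):", msg)):
                cur.authbys.append(a.group(1))
            elif (e := re.match(r"EAP result: \d+,\s*(.*)", msg)):
                cur.eap_results.append(e.group(1))
            elif level == "WARNING":
                cur.warnings.append(msg)
            elif (o := re.match(r"(?:Access|Accounting) (accepted|rejected|challenged)\b", msg)):
                cur.outcome = _OUTCOME[o.group(1)]
        elif line.startswith("*** Received from"):
            receiving = True
        elif line.startswith("*** Sending to"):
            receiving = False               # replies reuse the identifier
        elif receiving and line.startswith("Identifier:"):
            cur = Request(int(line.split(":", 1)[1]))
            requests.append(cur)
        elif receiving and cur and line.startswith("User-Name ="):
            cur.user = line.split("=", 1)[1].strip().strip('"')
    return requests

def diagnose(requests: List[Request]) -> List[tuple]:
    """Findings keyed by RADIUS identifier, for completed requests only."""
    findings = []
    for r in requests:
        realm = r.user.partition("@")[2]
        if r.outcome and realm and r.handler == "":
            findings.append((r.identifier, f"{r.user} fell through to the default "
                             f"Handler '' ({r.eap_method()}) instead of a Realm handler"))
        if r.outcome == "REJECT" and any("LogonUserNetworkMSCHAP" in w for w in r.warnings):
            findings.append((r.identifier, "AuthLSA matched the user but the Windows "
                             "logon call failed (LogonUserNetworkMSCHAP)"))
    return findings

# Constructed sample, modelled on the trace lines quoted in the thread.
SAMPLE_TRACE = """\
*** Received from 10.10.31.3 port 1645 ....
Identifier: 45
User-Name = "skendric@fhcrc.org"
Tue Oct  3 18:03:24 2006: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
Tue Oct  3 18:03:24 2006: DEBUG: Access accepted for skendric@fhcrc.org
*** Sending to 10.10.31.3 port 1645 ....
Identifier: 45
*** Received from 10.10.31.3 port 1645 ....
Identifier: 48
User-Name = "skendric@fhcrc.org"
Tue Oct  3 18:04:28 2006: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct  3 18:04:28 2006: WARNING: Could not LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password.
Tue Oct  3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
Tue Oct  3 18:04:28 2006: INFO: Access rejected for skendric@fhcrc.org: Bad LEAP Password
*** Received from 10.10.31.3 port 1645 ....
Identifier: 50
User-Name = "skendric@fhcrc.org"
Tue Oct  3 18:28:54 2006: DEBUG: Handling request with Handler ''
Tue Oct  3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Oct  3 18:28:54 2006: DEBUG: Access challenged for skendric@fhcrc.org: EAP PEAP Challenge
"""
```

Run it over a real Trace 4 file with `diagnose(parse_trace(open(path).read()))`; wrapped lines pasted from mail need to be rejoined first.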