(RADIATOR) AuthBy LSA / Domain keyword

Stuart Kendrick skendric at fhcrc.org
Sun Oct 8 22:33:18 CDT 2006


hi hugh,

-alright, i agree that 'DomainController' isn't what i want ... i'm not 
doing any Group checking

-i'm playing around now, removing the 'DomainController' keyword and not 
bothering to replace it with anything ... that works ... and i can add 
the 'Domain FHCRC' to each stanza ... until i reach the LEAP stanza ... 
if i add the 'Domain FHCRC' line to that stanza, my LEAP client fails:

-ok, let's try stripping this config file down ... nope, it still fails


ok, see below for my complete config file.  if i remove the 'Domain 
FHCRC' clause, then LEAP clients start working again.  [take the 
comments in the wireless section with salt ... i'm not confident of them]

obviously, i don't need to solve this problem to persuade LEAP clients 
to work ... but i figure ... if i don't understand why the 'Domain 
FHCRC' phrase breaks them ... then there's something lurking here which 
may bite me in the future ... and that's what i'm after ... enough 
understanding to reduce the chance of future teeth marks

do you see something else in the config file which could be influencing 
the LEAP client / Domain FHCRC interaction?

--sk


########## GLOBAL PARAMETERS ############

# Misc
PidFile		C:/Program Files/Radiator/radius.pid
DbDir           C:/Program Files/Radiator

# Log error messages to the console [doesn't work --sk]
Foreground
LogStdout

# This defines the %L token
LogDir          G:/Radiator/Logs

# Default logfile for startup and other general messages.  In theory,
# the <Log FILE> directive below disables this ... but
# in practice, it does not
LogFile		%L/logfile

# Set logging level
Trace   4



########## LOG FILE DEFINITIONS ##########

<Log FILE>
	Identifier	general-log
	Filename	%L/General/%Y-%m-%d-general
	LogFormat	%l: general: %1: %2: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</Log>

<AuthLog FILE>
	Identifier	rad-authlog
	Filename	G:/Radiator/Logs/RAD/%Y-%m-%d-rad
	LogSuccess 1
	SuccessFormat	%l: rad: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
	LogFailure 1
	FailureFormat	%l: rad: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>

<AuthLog FILE>
	Identifier	shib-authlog
	Filename	%L/Shibboleth/%Y-%m-%d-shib
	LogSuccess 1
	SuccessFormat	%l: shib: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
	LogFailure 1
	FailureFormat	%l: shib: FAIL: %{GlobalVar: eaptype}: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>	

<AuthLog FILE>
	Identifier	vpn-authlog
	Filename	%L/VPN/%Y-%m-%d-vpn
	LogSuccess 1
	SuccessFormat	%l: vpn: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
	LogFailure 1
	FailureFormat	%l: vpn: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>

<AuthLog FILE>
	Identifier	wap-authlog
	Filename	%L/WAP/%Y-%m-%d-wap
	LogSuccess 1
	SuccessFormat	%l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
	LogFailure 1
	FailureFormat	%l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
</AuthLog>



########## CLIENT DEFINITIONS ############


# Wireless access points
<Client DEFAULT>
	Secret radius-secret
</Client>



########## AUTHENTICATION HANDLERS ###########


#### Wireless Clients using PEAP #####
<Handler TunnelledByPEAP=1>
	<AuthBy LSA>
		EAPType MSCHAP-V2
	</AuthBy>	

	# Log it
	AuthLog			wap-authlog
	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
</Handler>


#### Wireless Clients using EAP-TLS #####
<Handler TunnelledByTTLS=1>
	<AuthBy LSA>
	</AuthBy>

	# Log it
	AuthLog			wap-authlog
	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
</Handler>


#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
	AuthByPolicy ContinueWhileReject
	<AuthBy LSA>
		RewriteUsername s/^([^@]+).*/$1/
		EAPType LEAP
		Domain FHCRC
	</AuthBy>

	# Log it
	AuthLog			wap-authlog
	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
</Handler>


#### Wireless Clients using PEAP and EAP-TTLS #####
# This is also the default handler
<Handler>	
	AuthByPolicy	ContinueUntilAccept
  	<AuthBy FILE>				
		EAPType PEAP,TTLS
		EAPTLS_PEAPVersion 0
		EAPTLS_CAFile %D/cacert.pem		
		EAPTLS_CertificateFile %D/daphne.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/daphne.pem
		EAPTLS_PrivateKeyPassword secret
		EAPTLS_MaxFragmentSize 1024
		AutoMPPEKeys
		SSLeayTrace 4							
  	</AuthBy>
	
	# Log it
	AuthLog			wap-authlog
	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
</Handler>



Hugh Irvine wrote:
> 
> Hello Stuart -
> 
> I would have thought that you could dispense with either parameter and 
> just let the local machine sort out how to do the authentication and 
> find a different domain controller if it needs to.
> 
> From my reading of the manual, "DomainController" is only used for 
> Group checking, and if you don't have any Group checks it is not used.
> 
> The reason you are seeing different behaviour with different Domains is 
> because a different Handler is being used. In the first case <Handler 
> Realm = fhcrc.org> is being used and in the second <Handler> is being 
> used. This doesn't make sense to me as the username looks to be the same 
> in both cases - I suspect there must be some other problem in the 
> configuration file that is causing this behaviour.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> On 4 Oct 2006, at 11:44, Stuart Kendrick wrote:
> 
>> hi,
>>
>> i'd like to better understand the 'Domain xyz' keyword, in an AuthBy 
>> LSA stanza ... specifically, i'm wanting to take advantage of my 
>> multiple domain controllers, and i'm concerned that i'm not doing that 
>> currently
>>
>> i'm running Radiator-3.15 w/patches on a Windows Server 2003 machine, 
>> authenticating against an Active Directory sitting on top of more 
>> Windows 2003 machines
>>
>>
>> here's what my wireless stanzas look like currently.  notice the use 
>> of 'DomainController dc1'.  i'm concerned that if 'dc1' goes down, 
>> that Radiator won't use 'dc2' and 'dc3' for authentication
>>
>> CURRENT RADIUS.CFG
>> [...]
>> <Handler TunnelledByPEAP=1>
>>     # Authenticate with Windows LSA
>>     <AuthBy LSA>
>>         DomainController dc1
>>         EAPType MSCHAP-V2
>>     </AuthBy>   
>>     AcctLogFileName    %L/detail
>> </Handler>
>>
>>
>> <Handler TunnelledByTTLS=1>
>>     # Authenticate with Windows LSA
>>     <AuthBy LSA>
>>         DomainController dc1
>>     </AuthBy>
>>     AcctLogFileName    %L/detail
>>     AuthLog        wap-authlog
>> </Handler>
>>
>>
>> <Handler Realm=fhcrc.org>
>>     <AuthBy GROUP>
>>         AuthByPolicy ContinueWhileReject
>>         <AuthBy FILE>
>>             RewriteUsername s/^([^@]+).*/$1/
>>             Filename C:/[...]/users
>>         </AuthBy>
>>
>>         <AuthBy LSA>
>>             RewriteUsername s/^([^@]+).*/$1/
>>             DomainController dc1
>>             EAPType LEAP
>>         </AuthBy>
>>     </AuthBy>   
>>     AcctLogFileName    %L/detail
>>     AuthLog        wap-authlog
>> </Handler>
>>
>>
>> <Handler>   
>>     <AuthBy GROUP>
>>         AuthByPolicy    ContinueUntilAccept
>>          <AuthBy FILE>               
>>             Filename C:/[...]/users   
>>             EAPType PEAP,TTLS
>>             EAPTLS_PEAPVersion 0
>>             EAPTLS_CAFile C:/[...]/cacert.pem       
>>             EAPTLS_CertificateFile C:/[...]/doozle.pem
>>             EAPTLS_CertificateType PEM
>>             EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
>>             EAPTLS_PrivateKeyPassword secret
>>             EAPTLS_MaxFragmentSize 1024
>>             AutoMPPEKeys
>>             SSLeayTrace 4                           
>>          </AuthBy>
>>      </AuthBy>
>>     AcctLogFileName    %L/detail
>>     AuthLog        wap-authlog
>> </Handler>
>>
>>
>>
>> and here's what my users file looks like:
>>
>> mikem   User-Password=secret
>>         Service-Type = Framed-User,
>>         Framed-Protocol = PPP,
>>         Framed-IP-Netmask = 255.255.255.255,
>>         Framed-Routing = None,
>>         Framed-MTU = 1500,
>>         Framed-Compression = Van-Jacobson-TCP-IP
>>
>>
>>
>> here's what a typical authentication session looks like with debugging 
>> cranked up.  this is a Cisco wireless phone employing LEAP, powering 
>> up, authenticating, and then powering down.
>>
>> Tue Oct  3 18:03:07 2006: DEBUG: Finished reading configuration file 
>> 'C:\[...]\radius.cfg'
>> Tue Oct  3 18:03:07 2006: DEBUG: Reading dictionary file 
>> 'C:/[...]/dictionary'
>> Tue Oct  3 18:03:07 2006: DEBUG: Creating authentication port 
>> 0.0.0.0:1645
>> Tue Oct  3 18:03:07 2006: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Oct  3 18:03:07 2006: NOTICE: Server started: Radiator 3.15 on Doozle
>> Tue Oct  3 18:03:08 2006: DEBUG: Packet dump:
>>
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 44
>> Authentic:  <163><251>jJ%<241><131><181>}<209>i<2><192><242><175>w
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 273
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:03:24 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct  3 18:03:24 2006: DEBUG: Response type 1
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 1, EAP authentication is 
>> not permitted.
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct  3 18:03:24 2006: DEBUG: Response type 1
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
>> Tue Oct  3 18:03:24 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP 
>> LEAP Challenge
>> Tue Oct  3 18:03:24 2006: DEBUG: Access challenged for 
>> skendric at fhcrc.org: EAP LEAP Challenge
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Challenge
>> Identifier: 44
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = [...]skendric at fhcrc.org
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 45
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = [...]skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 273
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:03:24 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct  3 18:03:24 2006: DEBUG: Response type 17
>> Tue Oct  3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct  3 18:03:24 2006: DEBUG: Reading users file C:/Program 
>> Files/Radiator/users
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match with 
>> skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such 
>> user: skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no 
>> such user skendric
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct  3 18:03:24 2006: DEBUG: Response type 17
>> Tue Oct  3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match with 
>> skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric 
>> [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 0,
>> Tue Oct  3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
>> Tue Oct  3 18:03:24 2006: DEBUG: Access accepted for skendric at fhcrc.org
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Accept
>> Identifier: 45
>> Authentic:  #<197><205><130>{`<31><23>"X<191>s<173>,e5
>> Attributes:
>>     EAP-Message = <3><2><0><4>
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 46
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = <1><2><0> 
>> <17><1><0><8><131><13>,,<196>L2Uskendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 273
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:03:24 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP Request 17
>> Tue Oct  3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthFILE looks for match with 
>> skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthFILE REJECT: No such 
>> user: skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 1, EAP LEAP failed: no 
>> such user skendric
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with EAP: code 1, 2, 32
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP Request 17
>> Tue Oct  3 18:03:24 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthLSA looks for match with 
>> skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric 
>> [skendric at fhcrc.org]
>> Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
>> Tue Oct  3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT, EAP LEAP 
>> Accept
>> Tue Oct  3 18:03:24 2006: DEBUG: Access accepted for skendric at fhcrc.org
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Accept
>> Identifier: 46
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = [...]ILsskendric at fhcrc.org
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>     cisco-avpair = "leap:session-key=[...]"
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 18
>> Authentic:  f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
>> Attributes:
>>     Acct-Session-Id = "00000019"
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     cisco-avpair = "ssid=Marconi"
>>     cisco-avpair = "nas-location=unspecified"
>>     User-Name = "skendric at fhcrc.org"
>>     Acct-Authentic = RADIUS
>>     Acct-Status-Type = Start
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     Cisco-NAS-Port = "273"
>>     NAS-Port = 273
>>     Service-Type = Framed-User
>>     NAS-IP-Address = 10.10.31.3
>>     Acct-Delay-Time = 0
>>
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:03:24 2006: DEBUG:  Adding session for 
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:03:24 2006: DEBUG: AuthBy GROUP result: ACCEPT,
>> Tue Oct  3 18:03:24 2006: DEBUG: Accounting accepted
>> Tue Oct  3 18:03:24 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 18
>> Authentic:  f[<<128>(<190><229><201><212><209>H<231>Qv<242>c
>> Attributes:
>>
>> Tue Oct  3 18:03:39 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 19
>> Authentic:  <11><207><255><176><213><246>|<14>G2<229>(<6><198><218><191>
>> Attributes:
>>     Acct-Session-Id = "00000019"
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     cisco-avpair = "ssid=Marconi"
>>     cisco-avpair = "nas-location=unspecified"
>>     cisco-avpair = "vlan-id=0"
>>     cisco-avpair = "auth-algo-type=eap-leap"
>>     User-Name = "skendric at fhcrc.org"
>>     Acct-Authentic = RADIUS
>>     cisco-avpair = "connect-progress=Call Up"
>>     Acct-Session-Time = 15
>>     Acct-Input-Octets = 7936
>>     Acct-Output-Octets = 16962
>>     Acct-Input-Packets = 98
>>     Acct-Output-Packets = 92
>>     Acct-Terminate-Cause = Lost-Carrier
>>     cisco-avpair = "disc-cause-ext=No Reason"
>>     Acct-Status-Type = Stop
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     Cisco-NAS-Port = "273"
>>     NAS-Port = 273
>>     Service-Type = Framed-User
>>     NAS-IP-Address = 10.10.31.3
>>     Acct-Delay-Time = 0
>>
>> Tue Oct  3 18:03:39 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:03:39 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 273
>> Tue Oct  3 18:03:39 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:03:39 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:03:39 2006: DEBUG: AuthBy GROUP result: ACCEPT,
>> Tue Oct  3 18:03:39 2006: DEBUG: Accounting accepted
>> Tue Oct  3 18:03:39 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 19
>> Authentic:  [...]
>> Attributes:
>>
>>
>>
>>
>>
>> ok, so far so good. now, i figure, let's use the 'Domain' keyword 
>> instead of the 'DomainController' keyword ... i'm guessing that if i 
>> use the 'Domain' keyword, that AuthBy LSA will rely on the local 
>> machine's ability to locate domain controllers
>>
>>
>> PROPOSED CONFIG FILE
>> [...]
>> <Handler TunnelledByPEAP=1>
>>     # Authenticate with Windows LSA
>>     <AuthBy LSA>
>>         Domain fhcrc.org
>>         EAPType MSCHAP-V2
>>     </AuthBy>   
>>     AcctLogFileName    %L/detail
>> </Handler>
>>
>>
>> <Handler TunnelledByTTLS=1>
>>     # Authenticate with Windows LSA
>>     <AuthBy LSA>
>>         Domain fhcrc.org
>>     </AuthBy>
>>     AcctLogFileName    %L/detail
>>     AuthLog        wap-authlog
>> </Handler>
>>
>>
>> <Handler Realm=fhcrc.org>
>>     <AuthBy GROUP>
>>         AuthByPolicy ContinueWhileReject
>>         <AuthBy FILE>
>>             RewriteUsername s/^([^@]+).*/$1/
>>             Filename C:/[...]/users
>>         </AuthBy>
>>
>>         <AuthBy LSA>
>>             RewriteUsername s/^([^@]+).*/$1/
>>             Domain fhcrc.org
>>             EAPType LEAP
>>         </AuthBy>
>>     </AuthBy>   
>>     AcctLogFileName    %L/detail
>>     AuthLog        wap-authlog
>> </Handler>
>>
>>
>> <Handler>   
>>     <AuthBy GROUP>
>>         AuthByPolicy    ContinueUntilAccept
>>          <AuthBy FILE>               
>>             Filename C:/[...]/users   
>>             EAPType PEAP,TTLS
>>             EAPTLS_PEAPVersion 0
>>             EAPTLS_CAFile C:/[...]/cacert.pem       
>>             EAPTLS_CertificateFile C:/[...]/doozle.pem
>>             EAPTLS_CertificateType PEM
>>             EAPTLS_PrivateKeyFile C:/[...]/doozle.pem
>>             EAPTLS_PrivateKeyPassword secret
>>             EAPTLS_MaxFragmentSize 1024
>>             AutoMPPEKeys
>>             SSLeayTrace 4                           
>>          </AuthBy>
>>      </AuthBy>
>>     AcctLogFileName    %L/detail
>>     AuthLog        wap-authlog
>> </Handler>
>>
>> all i did was replace 'DomainController dc1' with 'Domain fhcrc.org'
>>
>>
>>
>>
>> now, many of my wireless devices continue to authenticate just fine 
>> ... but not the Cisco phone:
>>
>> Tue Oct  3 18:04:28 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 47
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 274
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:04:28 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 274
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct  3 18:04:28 2006: DEBUG: Response type 1
>> Tue Oct  3 18:04:28 2006: DEBUG: EAP result: 1, EAP authentication is 
>> not permitted.
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 1, 21
>> Tue Oct  3 18:04:28 2006: DEBUG: Response type 1
>> Tue Oct  3 18:04:28 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
>> Tue Oct  3 18:04:28 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP 
>> LEAP Challenge
>> Tue Oct  3 18:04:28 2006: DEBUG: Access challenged for 
>> skendric at fhcrc.org: EAP LEAP Challenge
>> Tue Oct  3 18:04:28 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Challenge
>> Identifier: 47
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = [...]skendric at fhcrc.org
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct  3 18:04:28 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 48
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = [...]skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 274
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling request with Handler 
>> 'Realm=fhcrc.org'
>> Tue Oct  3 18:04:28 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 274
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct  3 18:04:28 2006: DEBUG: Response type 17
>> Tue Oct  3 18:04:28 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct  3 18:04:28 2006: DEBUG: Reading users file C:/[...]/users
>> Tue Oct  3 18:04:28 2006: DEBUG: Radius::AuthFILE looks for match with 
>> skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:04:28 2006: DEBUG: Radius::AuthFILE REJECT: No such 
>> user: skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:04:28 2006: DEBUG: EAP result: 1, EAP LEAP failed: no 
>> such user skendric
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
>> Tue Oct  3 18:04:28 2006: DEBUG: Handling with EAP: code 2, 2, 48
>> Tue Oct  3 18:04:28 2006: DEBUG: Response type 17
>> Tue Oct  3 18:04:28 2006: DEBUG: Rewrote identity to skendric
>> Tue Oct  3 18:04:28 2006: DEBUG: Radius::AuthLSA looks for match with 
>> skendric [skendric at fhcrc.org]
>> Tue Oct  3 18:04:28 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric 
>> [skendric at fhcrc.org]
>> Tue Oct  3 18:04:28 2006: WARNING: Could not LogonUserNetworkMSCHAP: 
>> Logon failure: unknown user name or bad password.
>>
>>
>> Tue Oct  3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
>> Tue Oct  3 18:04:28 2006: DEBUG: AuthBy GROUP result: REJECT, Bad LEAP 
>> Password
>> Tue Oct  3 18:04:28 2006: INFO: Access rejected for 
>> skendric at fhcrc.org: Bad LEAP Password
>> Tue Oct  3 18:04:28 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Reject
>> Identifier: 48
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = <4><2><0><4>
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>     Reply-Message = "Request Denied"
>>
>>
>>
>>
>> for grins, i tried using 'Domain FHCRC' (the NetBIOS name of my Active 
>> Directory domain) ... and now i see PEAP messages, instead of LEAP 
>> messages, in the debug output ... i don't understand that ... 
>> authentication continues to fail
>>
>> Tue Oct  3 18:28:39 2006: DEBUG: Finished reading configuration file 
>> 'C:\[...]\radius.cfg'
>> Tue Oct  3 18:28:39 2006: DEBUG: Reading dictionary file 
>> 'C:/[...]/dictionary'
>> Tue Oct  3 18:28:39 2006: DEBUG: Creating authentication port 
>> 0.0.0.0:1645
>> Tue Oct  3 18:28:39 2006: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Oct  3 18:28:39 2006: NOTICE: Server started: Radiator 3.15 on Daphne
>> Tue Oct  3 18:28:40 2006: DEBUG: Packet dump:
>>
>>
>> Tue Oct  3 18:28:54 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 50
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = <2><3><0><21><1>skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 276
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:28:54 2006: DEBUG: Handling request with Handler ''
>> Tue Oct  3 18:28:54 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 276
>> Tue Oct  3 18:28:54 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:28:54 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:28:54 2006: DEBUG: Handling with EAP: code 2, 3, 21
>> Tue Oct  3 18:28:54 2006: DEBUG: Response type 1
>> Tue Oct  3 18:28:54 2006: DEBUG: Resuming session for 
>> Radius::Context=HASH(0x1c77694)
>>
>> Tue Oct  3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Tue Oct  3 18:28:54 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP 
>> PEAP Challenge
>> Tue Oct  3 18:28:54 2006: DEBUG: Access challenged for 
>> skendric at fhcrc.org: EAP PEAP Challenge
>> Tue Oct  3 18:28:54 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Challenge
>> Identifier: 50
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = <1><4><0><6><25>
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>> Tue Oct  3 18:28:56 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 51
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = <2><5><0><21><1>skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 276
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:28:56 2006: DEBUG: Handling request with Handler ''
>> Tue Oct  3 18:28:56 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 276
>> Tue Oct  3 18:28:56 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:28:56 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:28:56 2006: DEBUG: Handling with EAP: code 2, 5, 21
>> Tue Oct  3 18:28:56 2006: DEBUG: Response type 1
>> Tue Oct  3 18:28:56 2006: DEBUG: Resuming session for 
>> Radius::Context=HASH(0x1c77694)
>>
>> Tue Oct  3 18:28:56 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Tue Oct  3 18:28:56 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP 
>> PEAP Challenge
>> Tue Oct  3 18:28:56 2006: DEBUG: Access challenged for 
>> skendric at fhcrc.org: EAP PEAP Challenge
>> Tue Oct  3 18:28:56 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Challenge
>> Identifier: 51
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = <1><6><0><6><25>
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Tue Oct  3 18:28:58 2006: DEBUG: Packet dump:
>> *** Received from 10.10.31.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 52
>> Authentic:  [...]
>> Attributes:
>>     User-Name = "skendric at fhcrc.org"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0013.c48a.e0e0"
>>     Calling-Station-Id = "000d.282e.7ca8"
>>     Service-Type = Login-User
>>     Message-Authenticator = [...]
>>     EAP-Message = <2><7><0><21><1>skendric at fhcrc.org
>>     NAS-Port-Type = Wireless-IEEE-802-11
>>     NAS-Port = 276
>>     NAS-IP-Address = 10.10.31.3
>>     NAS-Identifier = "skendric-ap               "
>>
>> Tue Oct  3 18:28:58 2006: DEBUG: Handling request with Handler ''
>> Tue Oct  3 18:28:58 2006: DEBUG:  Deleting session for 
>> skendric at fhcrc.org, 10.10.31.3, 276
>> Tue Oct  3 18:28:58 2006: DEBUG: Handling with Radius::AuthGROUP:
>> Tue Oct  3 18:28:58 2006: DEBUG: Handling with Radius::AuthFILE:
>> Tue Oct  3 18:28:58 2006: DEBUG: Handling with EAP: code 2, 7, 21
>> Tue Oct  3 18:28:58 2006: DEBUG: Response type 1
>> Tue Oct  3 18:28:58 2006: DEBUG: Resuming session for 
>> Radius::Context=HASH(0x1c77694)
>>
>> Tue Oct  3 18:28:58 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Tue Oct  3 18:28:58 2006: DEBUG: AuthBy GROUP result: CHALLENGE, EAP 
>> PEAP Challenge
>> Tue Oct  3 18:28:58 2006: DEBUG: Access challenged for 
>> skendric at fhcrc.org: EAP PEAP Challenge
>> Tue Oct  3 18:28:58 2006: DEBUG: Packet dump:
>> *** Sending to 10.10.31.3 port 1645 ....
>> Code:       Access-Challenge
>> Identifier: 52
>> Authentic:  [...]
>> Attributes:
>>     EAP-Message = <1><8><0><6><25>
>>     Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>
>>
>> OK, so ...
>>
>> -am i on the right track?  will the 'DomainController dc1' keyword 
>> limit Radiator to employing the single domain controller, dc1, as the 
>> authentication source?
>>
>> -why does the 'Domain' keyword break authentication for LEAP clients?
>>
>> -why does the NetBIOS name for my Active Directory domain give 
>> different results than the DNS name, wrt LEAP clients?  [well, i 
>> suppose the *result* is the same ... but the shift from LEAP to PEAP 
>> in the debug output seems odd to me]
>>
>>
>> input appreciated,
>>
>> --sk
>>
>> stuart kendrick
>> fhcrc
>>
>> -- 
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
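The thread above is really a log-reading exercise: for each Access-Request, which Handler Radiator picked, which AuthBy modules ran, what the EAP result was, whether AuthBy LSA logged a LogonUserNetworkMSCHAP warning, and what reply went back. The script below is an added example written for this archive page; it is not Radiator code and not code from either poster. It runs over a constructed excerpt condensed from the Trace 4 lines quoted in the thread (the archive spells "@" as " at ", which parse_log() reverses), re-implements the posted RewriteUsername regex as strip_realm(), and models the <Handler Realm=...> choice as a plain "text after @" lookup in expected_handler(); that model is a deliberate simplification, since real Radiator also consults TunnelledByPEAP/TunnelledByTTLS and other selectors. All function and constant names are my own.

```python
"""Triage Radiator Trace-4 output. Added example for this page, not Radiator code; names are mine."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt, condensed from the log lines quoted in the thread.
SAMPLE_LOG = """\
*** Received from 10.10.31.3 port 1645 ....
Code:       Access-Request
Identifier: 46
    User-Name = "skendric at fhcrc.org"
Tue Oct  3 18:03:24 2006: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct  3 18:03:24 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct  3 18:03:24 2006: DEBUG: EAP result: 0, EAP LEAP Accept
*** Sending to 10.10.31.3 port 1645 ....
Code:       Access-Accept
*** Received from 10.10.31.3 port 1645 ....
Code:       Access-Request
Identifier: 48
    User-Name = "skendric at fhcrc.org"
Tue Oct  3 18:04:28 2006: DEBUG: Handling request with Handler 'Realm=fhcrc.org'
Tue Oct  3 18:04:28 2006: DEBUG: Handling with Radius::AuthLSA:
Tue Oct  3 18:04:28 2006: WARNING: Could not LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password.
Tue Oct  3 18:04:28 2006: DEBUG: EAP result: 1, Bad LEAP Password
*** Sending to 10.10.31.3 port 1645 ....
Code:       Access-Reject
*** Received from 10.10.31.3 port 1645 ....
Code:       Access-Request
Identifier: 50
    User-Name = "skendric at fhcrc.org"
Tue Oct  3 18:28:54 2006: DEBUG: Handling request with Handler ''
Tue Oct  3 18:28:54 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Oct  3 18:28:54 2006: DEBUG: EAP result: 3, EAP PEAP Challenge
*** Sending to 10.10.31.3 port 1645 ....
Code:       Access-Challenge
"""

RE_CODE = re.compile(r"^Code:\s+(\S+)")
RE_IDENT = re.compile(r"^Identifier:\s+(\d+)")
RE_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
RE_HANDLER = re.compile(r"Handling request with Handler '([^']*)'")
RE_AUTHBY = re.compile(r"Handling with Radius::(Auth\w+):")
RE_EAP = re.compile(r"EAP result: (\d+),\s*(.*)$")
RE_WARN = re.compile(r": WARNING: (.*)$")

@dataclass
class Request:
    identifier: int = -1
    user: str = ""
    handler: Optional[str] = None  # '' is Radiator's default <Handler>
    authbys: List[str] = field(default_factory=list)
    eap_results: List[Tuple[int, str]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    reply: Optional[str] = None

def parse_log(text: str) -> List[Request]:
    """One Request per '*** Received from' block; '*** Sending to' opens its reply."""
    requests, cur, in_reply = [], None, False
    for line in text.splitlines():
        if line.startswith("*** Received from"):
            cur, in_reply = Request(), False
            requests.append(cur)
        elif cur is None:
            continue
        elif line.startswith("*** Sending to"):
            in_reply = True
        elif (m := RE_CODE.match(line)) and in_reply:
            cur.reply = m.group(1)
        elif (m := RE_IDENT.match(line)):
            cur.identifier = int(m.group(1))  # a reply repeats the request's Identifier
        elif (m := RE_USER.match(line)):
            cur.user = m.group(1).replace(" at ", "@")  # undo the archive's obfuscation
        elif (m := RE_HANDLER.search(line)):
            cur.handler = m.group(1)
        elif (m := RE_AUTHBY.search(line)):
            cur.authbys.append(m.group(1))
        elif (m := RE_EAP.search(line)):
            cur.eap_results.append((int(m.group(1)), m.group(2).strip()))
        elif (m := RE_WARN.search(line)):
            cur.warnings.append(m.group(1).strip())
    return requests

def strip_realm(username: str) -> str:
    """The posted RewriteUsername s/^([^@]+).*/$1/ : keep the part before the first '@'."""
    return re.sub(r"^([^@]+).*", r"\1", username)

def expected_handler(username: str, realm_handlers) -> str:
    """Simplified model of <Handler Realm=...> choice (realm = text after '@'); real Radiator
    also checks TunnelledBy* and other selectors, which are ignored here."""
    realm = username.split("@", 1)[1] if "@" in username else ""
    return f"Realm={realm}" if realm in realm_handlers else ""

def triage(requests: List[Request], realm_handlers=("fhcrc.org",)) -> List[str]:
    """Flag what a debugger wants first: unexpected Handler, LSA warnings, rejects."""
    findings = []
    for r in requests:
        want = expected_handler(r.user, realm_handlers)
        if r.handler is not None and r.handler != want:
            findings.append(f"id {r.identifier}: {r.user} handled by '{r.handler}', expected '{want}'")
        findings += [f"id {r.identifier}: {w}" for w in r.warnings]
        if r.reply == "Access-Reject":
            why = r.eap_results[-1][1] if r.eap_results else "no EAP result"
            findings.append(f"id {r.identifier}: rejected ({why})")
    return findings
```

Against the constructed excerpt, triage() reports the LSA warning and the reject for Identifier 48, and for Identifier 50 that the same User-Name landed in Handler '' rather than 'Realm=fhcrc.org', which is the oddity Hugh points at. To use it on a real server, read the Trace 4 logfile into parse_log() in place of SAMPLE_LOG and pass the Realm values from your own radius.cfg to triage().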
