(RADIATOR) AuthBy LSA / Domain keyword
Stuart Kendrick
skendric at fhcrc.org
Sun Sep 10 21:59:55 CDT 2006
Hi,
My question:
What is it about LEAP which makes using the 'Domain' keyword in the
<AuthBy LSA> stanza unproductive?
Here's my story:
I have a working Handler for LEAP clients:
#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
    AuthByPolicy ContinueWhileReject
    <AuthBy LSA>
        RewriteUsername s/^([^@]+).*/$1/
        DomainController dc1
        EAPType LEAP
    </AuthBy>
    # Log it
    AuthLog wap-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
where 'dc1' is the name of a domain controller.
But what happens if 'dc1' is down? How do I tell Radiator to consult
other domain controllers?
So I tried this:
#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
    AuthByPolicy ContinueWhileReject
    <AuthBy LSA>
        RewriteUsername s/^([^@]+).*/$1/
        Domain company.com
        EAPType LEAP
    </AuthBy>
    # Log it
    AuthLog wap-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
where 'company.com' is the name of my Active Directory domain. But now,
LEAP clients fail to authenticate:
Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
*** Received from 10.2.3.4 port 1645 ....
Code: Access-Request
Identifier: 42
Authentic: <181>q[...]
<174>
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = z&1<200>[...]*<251><215>
EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 274
NAS-IP-Address = 10.2.3.4
NAS-Identifier = "test-ap "
Sun Sep 10 19:44:32 2006: DEBUG: Handling request with Handler
'Realm=company.com'
Sun Sep 10 19:44:32 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 10.2.3.4, 274
Sun Sep 10 19:44:32 2006: DEBUG: Handling with Radius::AuthLSA:
Sun Sep 10 19:44:32 2006: DEBUG: Handling with EAP: code 2, 1, 21
Sun Sep 10 19:44:32 2006: DEBUG: Response type 1
Sun Sep 10 19:44:32 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
Sun Sep 10 19:44:32 2006: DEBUG: AuthBy LSA result: CHALLENGE, EAP LEAP
Challenge
Sun Sep 10 19:44:32 2006: DEBUG: Access challenged for
skendric at fhcrc.org: EAP LEAP Challenge
Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
*** Sending to 10.2.3.4 port 1645 ....
Code: Access-Challenge
Identifier: 42
Authentic: <181>q[...]<174>
Attributes:
EAP-Message = <1><2>[...]skendric at fhcrc.org
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
*** Received from 10.2.3.4 port 1645 ....
Code: Access-Request
Identifier: 43
Authentic: j([...]$<240>
Attributes:
User-Name = "skendric at fhcrc.org"
Framed-MTU = 1400
Called-Station-Id = "0013.c48a.e0e0"
Calling-Station-Id = "000d.282e.7ca8"
Service-Type = Login-User
Message-Authenticator = <139>s[...]G<225>
EAP-Message = <2><2><0>0[...]F<149>+9m+'skendric at fhcrc.org
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 274
NAS-IP-Address = 10.2.3.4
NAS-Identifier = "test-ap "
Sun Sep 10 19:44:32 2006: DEBUG: Handling request with Handler
'Realm=company.com'
Sun Sep 10 19:44:32 2006: DEBUG: Deleting session for
skendric at fhcrc.org, 1.2.3.4, 274
Sun Sep 10 19:44:32 2006: DEBUG: Handling with Radius::AuthLSA:
Sun Sep 10 19:44:32 2006: DEBUG: Handling with EAP: code 2, 2, 48
Sun Sep 10 19:44:32 2006: DEBUG: Response type 17
Sun Sep 10 19:44:32 2006: DEBUG: Rewrote identity to skendric
Sun Sep 10 19:44:32 2006: DEBUG: Radius::AuthLSA looks for match with
skendric[skendric at fhcrc.org]
Sun Sep 10 19:44:32 2006: DEBUG: Radius::AuthLSA ACCEPT: :
skendric[skendric at fhcrc.org]
Sun Sep 10 19:44:32 2006: WARNING: Could not LogonUserNetworkMSCHAP:
Logon failure: unknown user name or bad password.
Sun Sep 10 19:44:32 2006: DEBUG: EAP result: 1, Bad LEAP Password
Sun Sep 10 19:44:32 2006: DEBUG: AuthBy LSA result: REJECT, Bad LEAP
Password
Sun Sep 10 19:44:32 2006: INFO: Access rejected for skendric at fhcrc.org:
Bad LEAP Password
Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
*** Sending to 10.2.3.4 port 1645 ....
Code: Access-Reject
Identifier: 43
Authentic: j([...]$<240>
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
^C
G:\Radiator\Logs>
i also tried using the NetBIOS name for my domain, i.e. "COMPANY"
#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
AuthByPolicy ContinueWhileReject
<AuthBy LSA>
RewriteUsername s/^([^@]+).*/$1/
Domain COMPANY
EAPType LEAP
</AuthBy>
# Log it
AuthLog wap-authlog
AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
But that didn't help.
Interestingly enough, I use the 'Domain COMPANY' keyword successfully
elsewhere; for example, see here, a larger snippet of my radius.cfg file:
[...]
#### Wireless Clients using PEAP #####
<Handler TunnelledByPEAP=1>
    <AuthBy LSA>
        Domain COMPANY
        EAPType MSCHAP-V2
    </AuthBy>
    # Log it
    AuthLog wap-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using EAP-TLS #####
<Handler TunnelledByTTLS=1>
    <AuthBy LSA>
        Domain COMPANY
    </AuthBy>
    # Log it
    AuthLog wap-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using LEAP #####
<Handler Realm=fhcrc.org>
    AuthByPolicy ContinueWhileReject
    <AuthBy LSA>
        RewriteUsername s/^([^@]+).*/$1/
        # Domain COMPANY
        DomainController dc1
        EAPType LEAP
    </AuthBy>
    # Log it
    AuthLog wap-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
#### Wireless Clients using PEAP and EAP-TTLS #####
# This is also the default handler
<Handler>
    AuthByPolicy ContinueUntilAccept
    <AuthBy FILE>
        Filename %D/users.anonymous
        EAPType PEAP,TTLS
        EAPTLS_PEAPVersion 0
        EAPTLS_CAFile C:/[...]/cacert.pem
        EAPTLS_CertificateFile C:/[...]/straus.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile C:/[...]/straus.pem
        EAPTLS_PrivateKeyPassword secret
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        SSLeayTrace 4
    </AuthBy>
    # Log it
    AuthLog wap-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
What is it about LEAP which makes using the 'Domain' keyword in the
<AuthBy LSA> stanza unproductive?
--sk
stuart kendrick
fhcrc
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
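A worked decoder for the EAP-Message bytes that appear in the packet dumps above (EAP-Response/Identity, then the LEAP Challenge and LEAP Response), with the post's RewriteUsername rule applied to the identity the way the log's "Rewrote identity to skendric" line shows. This is an added example written for this page, not Radiator code and not part of the original post. The LEAP payload layout it assumes (version byte, unused byte, count, data, name) is the one open-source supplicants implement; the sample packets, the server name "radiator" and the dummy challenge/response bytes are constructed for the example.

```python
"""EAP / LEAP decoder for the EAP-Message attribute, plus the realm-stripping
RewriteUsername rule from the post.  Added example, not Radiator code.
The LEAP layout (version, unused, count, data, name) is the one implemented
by open-source supplicants; the sample packets below are constructed."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_LEAP = 17
LEAP_VERSION = 1
LEAP_CHALLENGE_LEN = 8    # peer challenge carried in the LEAP Request
LEAP_RESPONSE_LEN = 24    # 24-byte NT response carried in the LEAP Response

# Same regex Radiator applies via "RewriteUsername s/^([^@]+).*/$1/":
# keep everything before the first '@' and drop the realm.
REALM_RE = re.compile(r"^([^@]+).*")


def strip_realm(user: str) -> str:
    return REALM_RE.sub(r"\1", user)


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None
    identity: Optional[str] = None     # EAP-Response/Identity payload
    leap_data: Optional[bytes] = None  # 8-byte challenge or 24-byte response
    leap_name: Optional[str] = None    # server name (Request) / user name (Response)


def build_eap(code: int, ident: int, eap_type: int, body: bytes) -> bytes:
    """Encode an EAP Request/Response: code, id, 16-bit length, type, body."""
    return struct.pack("!BBHB", code, ident, 5 + len(body), eap_type) + body


def build_leap(code: int, ident: int, data: bytes, name: str) -> bytes:
    body = bytes([LEAP_VERSION, 0, len(data)]) + data + name.encode("utf-8")
    return build_eap(code, ident, EAP_TYPE_LEAP, body)


def parse_eap(buf: bytes) -> EapPacket:
    """Decode one EAP packet; raise ValueError on anything malformed."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    # The Length field covers the whole packet.  Trust the bytes actually
    # received, not the field: a mismatch is a malformed (or hostile) packet.
    if length != len(buf):
        raise ValueError(f"EAP length {length} != {len(buf)} bytes received")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapPacket(code, ident, length)
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length < 5:
        raise ValueError("bad EAP code or missing Type byte")
    pkt = EapPacket(code, ident, length, buf[4])
    body = buf[5:]
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        pkt.identity = body.decode("utf-8")  # UnicodeDecodeError is a ValueError
    elif pkt.eap_type == EAP_TYPE_LEAP:
        if len(body) < 3 or body[0] != LEAP_VERSION:
            raise ValueError("LEAP header truncated or unknown version")
        count = body[2]
        expected = LEAP_CHALLENGE_LEN if code == EAP_REQUEST else LEAP_RESPONSE_LEN
        if count != expected or len(body) < 3 + count:
            raise ValueError(f"LEAP count {count}, expected {expected}")
        pkt.leap_data = body[3:3 + count]
        pkt.leap_name = body[3 + count:].decode("utf-8")
    return pkt


def is_malformed(buf: bytes) -> bool:
    try:
        parse_eap(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed exchange mirroring the post's log: Identity, LEAP
    # Challenge, LEAP Response.  Challenge/response bytes are dummies.
    ident = parse_eap(build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"skendric@fhcrc.org"))
    print("identity:", ident.identity, "->", strip_realm(ident.identity))
    chal = parse_eap(build_leap(EAP_REQUEST, 2, bytes(range(8)), "radiator"))
    resp = parse_eap(build_leap(EAP_RESPONSE, 2, bytes(24), ident.identity))
    print("challenge from", chal.leap_name, chal.leap_data.hex())
    print("response for", strip_realm(resp.leap_name), resp.leap_data.hex())
```

Two things worth noticing when running it. The rewrite regex only strips an "@realm" suffix: a bare "skendric" or a "COMPANY\skendric" form passes through unchanged, and so does a name with nothing before the "@". And the decoder rejects a packet whose Length field disagrees with the bytes received, or whose LEAP count does not match the direction (8 for the Challenge, 24 for the Response), instead of reading past the buffer.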