(RADIATOR) AuthBy LSA / Domain keyword
Hugh Irvine
hugh at open.com.au
Mon Sep 11 00:20:55 CDT 2006
Hello Stuart -
I must confess I don't understand the debug below, as the username is
this:
User-Name = "skendric at fhcrc.org"
but the debug says this:
Sun Sep 10 19:44:32 2006: DEBUG: Handling request with Handler
'Realm=company.com'
In any case I don't think the "Domain" you have specified is doing
the right thing because it doesn't match what you think.
The default is to just check the local machine.
regards
Hugh
On 11 Sep 2006, at 12:59, Stuart Kendrick wrote:
> hi,
>
> my question:
>
> What is it about LEAP which makes using the 'Domain' keyword in the
> <AuthBy LSA> stanza unproductive?
>
>
> here's my story:
>
> i have a working Handler for LEAP clients:
>
> #### Wireless Clients using LEAP #####
> <Handler Realm=fhcrc.org>
> AuthByPolicy ContinueWhileReject
> <AuthBy LSA>
> RewriteUsername s/^([^@]+).*/$1/
> DomainController dc1
> EAPType LEAP
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
> where 'dc1' is the name of a domain controller
>
>
> but what happens if 'dc1' is down? how do i tell Radiator to
> consult other domain controllers?
>
> so i tried this:
>
> #### Wireless Clients using LEAP #####
> <Handler Realm=fhcrc.org>
> AuthByPolicy ContinueWhileReject
> <AuthBy LSA>
> RewriteUsername s/^([^@]+).*/$1/
> Domain company.com
> EAPType LEAP
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
> where 'company.com' is the name of my Active Directory domain. but
> now, LEAP clients fail to authenticate:
>
>
> Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
> *** Received from 10.2.3.4 port 1645 ....
> Code: Access-Request
> Identifier: 42
> Authentic: <181>q[...]
> <174>
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = z&1<200>[...]*<251><215>
> EAP-Message = <2><1><0><21><1>skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 274
> NAS-IP-Address = 10.2.3.4
> NAS-Identifier = "test-ap "
>
> Sun Sep 10 19:44:32 2006: DEBUG: Handling request with Handler
> 'Realm=company.com'
>
> Sun Sep 10 19:44:32 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 10.2.3.4, 274
> Sun Sep 10 19:44:32 2006: DEBUG: Handling with Radius::AuthLSA:
> Sun Sep 10 19:44:32 2006: DEBUG: Handling with EAP: code 2, 1, 21
> Sun Sep 10 19:44:32 2006: DEBUG: Response type 1
> Sun Sep 10 19:44:32 2006: DEBUG: EAP result: 3, EAP LEAP Challenge
> Sun Sep 10 19:44:32 2006: DEBUG: AuthBy LSA result: CHALLENGE, EAP
> LEAP Challenge
> Sun Sep 10 19:44:32 2006: DEBUG: Access challenged for
> skendric at fhcrc.org: EAP LEAP Challenge
> Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
> *** Sending to 10.2.3.4 port 1645 ....
> Code: Access-Challenge
> Identifier: 42
> Authentic: <181>q[...]<174>
> Attributes:
> EAP-Message = <1><2>[...]skendric at fhcrc.org
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
> Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
> *** Received from 10.2.3.4 port 1645 ....
> Code: Access-Request
> Identifier: 43
> Authentic: j([...]$<240>
> Attributes:
> User-Name = "skendric at fhcrc.org"
> Framed-MTU = 1400
> Called-Station-Id = "0013.c48a.e0e0"
> Calling-Station-Id = "000d.282e.7ca8"
> Service-Type = Login-User
> Message-Authenticator = <139>s[...]G<225>
> EAP-Message = <2><2><0>0[...]F<149>+9m+'skendric at fhcrc.org
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 274
> NAS-IP-Address = 10.2.3.4
> NAS-Identifier = "test-ap "
>
> Sun Sep 10 19:44:32 2006: DEBUG: Handling request with Handler
> 'Realm=company.com'
>
> Sun Sep 10 19:44:32 2006: DEBUG: Deleting session for
> skendric at fhcrc.org, 1.2.3.4, 274
> Sun Sep 10 19:44:32 2006: DEBUG: Handling with Radius::AuthLSA:
> Sun Sep 10 19:44:32 2006: DEBUG: Handling with EAP: code 2, 2, 48
> Sun Sep 10 19:44:32 2006: DEBUG: Response type 17
> Sun Sep 10 19:44:32 2006: DEBUG: Rewrote identity to skendric
> Sun Sep 10 19:44:32 2006: DEBUG: Radius::AuthLSA looks for match
> with skendric[skendric at fhcrc.org]
> Sun Sep 10 19:44:32 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric
> [skendric at fhcrc.org]
> Sun Sep 10 19:44:32 2006: WARNING: Could not
> LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad
> password.
>
> Sun Sep 10 19:44:32 2006: DEBUG: EAP result: 1, Bad LEAP Password
> Sun Sep 10 19:44:32 2006: DEBUG: AuthBy LSA result: REJECT, Bad
> LEAP Password
> Sun Sep 10 19:44:32 2006: INFO: Access rejected for
> skendric at fhcrc.org: Bad LEAP Password
> Sun Sep 10 19:44:32 2006: DEBUG: Packet dump:
> *** Sending to 10.2.3.4 port 1645 ....
> Code: Access-Reject
> Identifier: 43
> Authentic: j([...]$<240>
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Reply-Message = "Request Denied"
>
> ^C
> G:\Radiator\Logs>
>
>
> i also tried using the NetBIOS name for my domain, i.e. "COMPANY"
>
> #### Wireless Clients using LEAP #####
> <Handler Realm=fhcrc.org>
> AuthByPolicy ContinueWhileReject
> <AuthBy LSA>
> RewriteUsername s/^([^@]+).*/$1/
> Domain COMPANY
> EAPType LEAP
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
> but that didn't help.
>
>
> interestingly enough, i use the 'Domain COMPANY' keyword
> successfully elsewhere, for example see here ... a larger snippet
> of my radius.cfg file:
>
> [...]
> #### Wireless Clients using PEAP #####
> <Handler TunnelledByPEAP=1>
> <AuthBy LSA>
> Domain COMPANY
> EAPType MSCHAP-V2
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
>
> #### Wireless Clients using EAP-TLS #####
> <Handler TunnelledByTTLS=1>
> <AuthBy LSA>
> Domain COMPANY
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
> #### Wireless Clients using LEAP #####
> <Handler Realm=fhcrc.org>
> AuthByPolicy ContinueWhileReject
> <AuthBy LSA>
> RewriteUsername s/^([^@]+).*/$1/
> # Domain COMPANY
> DomainController dc1
> EAPType LEAP
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
> #### Wireless Clients using PEAP and EAP-TTLS #####
> # This is also the default handler
> <Handler>
> AuthByPolicy ContinueUntilAccept
> <AuthBy FILE>
> Filename %D/users.anonymous
> EAPType PEAP,TTLS
> EAPTLS_PEAPVersion 0
> EAPTLS_CAFile C:/[...]/cacert.pem
> EAPTLS_CertificateFile C:/[...]/straus.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile C:/[...]/straus.pem
> EAPTLS_PrivateKeyPassword secret
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
>
> # Log it
> AuthLog wap-authlog
> AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
> What is it about LEAP which makes using the 'Domain' keyword in the
> <AuthBy LSA> stanza unproductive?
>
> --sk
>
> stuart kendrick
> fhcrc
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list