(RADIATOR) 3com 5500-SI + Radiator + AuthByLDAP2 + Redhat Directory Server 7.1 + WinXp Supplicant. EAP-MD5 challenge failed

Hugh Irvine hugh at open.com.au
Mon Apr 2 00:20:49 CDT 2007


Hello -

Could you please tell me the name of the registered company that has  
purchased this copy of Radiator?

Please reply to me directly.

In answer to your question, you will need to retrieve the cleartext  
password from your Directory Server to be able to do MD5-Challenge.

regards

Hugh


On 2 Apr 2007, at 03:43, firdauz mokhtar wrote:

> To whom it may concern,
>
> Hello sir.
>
> I am having trouble authenticating against the user base in Redhat
> Directory Server (which is similar to LDAP).
>
> Below is the output while running Radiator in trace 4.
>
>
>
>  *** Received from 192.168.1.100 port 5001 ....
> Code:       Access-Request
> Identifier: 157
> Authentic:  <149><21><0><0><140>0<0><0><21>d<0><0><223>8<0><0>
> Attributes:
>             User-Name = "chris"
>             EAP-Message = <2><1><0><10><1>chris
>             Message-Authenticator = d<21><18><149><13><5>}<180>5<18><207><175><133><243><210><161>
>             NAS-IP-Address = 192.168.1.100
>             NAS-Identifier = "0012a9904642"
>             NAS-Port = 268533761
>             NAS-Port-Type = Ethernet
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Calling-Station-Id = "0040-f47e-533f"
>
> Thu Mar 22 23:14:17 2007: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Mar 22 23:14:17 2007: DEBUG:  Deleting session for chris, 192.168.1.100, 268533761
> Thu Mar 22 23:14:17 2007: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Mar 22 23:14:17 2007: DEBUG: Handling with EAP: code 2, 1, 10
> Thu Mar 22 23:14:17 2007: DEBUG: Response type 1
> Thu Mar 22 23:14:17 2007: DEBUG: EAP result: 3, EAP MD5-Challenge
> Thu Mar 22 23:14:17 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MD5-Challenge
> Thu Mar 22 23:14:17 2007: DEBUG: Access challenged for chris: EAP MD5-Challenge
> Thu Mar 22 23:14:17 2007: DEBUG: Packet dump:
> *** Sending to 192.168.1.100 port 5001 ....
> Code:       Access-Challenge
> Identifier: 157
> Authentic:  <149><21><0><0><140>0<0><0><21>d<0><0><223>8<0><0>
> Attributes:
>             EAP-Message = <1><2><0>.<4><16><147>W="Fd<150><203><163><242><136><133><169><167>(<147>moddirecktori.mod.gov.my
>             Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Mar 22 23:14:18 2007: DEBUG: Packet dump:
> *** Received from 192.168.1.100 port 5001 ....
> Code:       Access-Request
> Identifier: 158
> Authentic:  <216>-<0><0><169>x<0><0><13><9><0><0>5<17><0><0>
> Attributes:
>             User-Name = "chris"
>             EAP-Message = <2><2><0><27><4><16>L<4>'<142><197><193>_m<150>6<184>S<28><162>Vmchris
>             Message-Authenticator = <134>`<201><25>(^<227><219>9<203>,<150><31><0>L5
>             NAS-IP-Address = 192.168.1.100
>             NAS-Identifier = "0012a9904642"
>             NAS-Port = 268533761
>             NAS-Port-Type = Ethernet
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Calling-Station-Id = "0040-f47e-533f"
>
> Thu Mar 22 23:14:18 2007: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Mar 22 23:14:18 2007: DEBUG:  Deleting session for chris, 192.168.1.100, 268533761
> Thu Mar 22 23:14:18 2007: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Mar 22 23:14:18 2007: DEBUG: Handling with EAP: code 2, 2, 27
> Thu Mar 22 23:14:18 2007: DEBUG: Response type 4
> Thu Mar 22 23:14:18 2007: DEBUG: LDAP got result for uid=chris,cn=IP,cn=IP,ou=group,dc=mod,dc=gov,dc=my
> Thu Mar 22 23:14:18 2007: DEBUG: Radius::AuthLDAP2 looks for match with chris [chris]
> Thu Mar 22 23:14:18 2007: DEBUG: Radius::AuthLDAP2 ACCEPT: : chris [chris]
> Thu Mar 22 23:14:18 2007: DEBUG: EAP result: 1, EAP MD5-Challenge failed
> Thu Mar 22 23:14:18 2007: DEBUG: AuthBy LDAP2 result: REJECT, EAP MD5-Challenge failed
> Thu Mar 22 23:14:18 2007: INFO: Access rejected for chris: EAP MD5-Challenge failed
> Thu Mar 22 23:14:18 2007: DEBUG: Packet dump:
> *** Sending to 192.168.1.100 port 5001 ....
> Code:       Access-Reject
> Identifier: 158
> Authentic:  <216>-<0><0><169>x<0><0><13><9><0><0>5<17><0><0>
> Attributes:
>             EAP-Message = <4><2><0><4>
>             Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>             Reply-Message = "Request Denied"
>
>
>  And here is my radius.cfg:-
>
> ##########################
> LogDir          /var/log/radiator
> DbDir           /etc/radiator
> Trace           4
> AuthPort 1812
> AcctPort 1813
>
> <Client 192.168.1.100>
>         Secret  test123
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>         <AuthBy LDAP2>
>                 Host    moddirecktori.mod.gov.my
>                 Port    389
>                 BaseDN  ou=group,dc=mod,dc=gov,dc=my
>                 UsernameAttr    uid
>                 PasswordAttr   userPassword
>                 CheckAttr       checkitems
>                 ReplyAttr       replyitems
>                 HoldServerConnection
>                 ServerChecksPassword
>                 Timeout 4
>                 EAPType MD5-Challenge
>         </AuthBy>
> </Realm>
> #############################
>
>
> I've no idea why it failed. The 3com switch has been set to use the
> same key (secret) as well, which was "test123".
>
>
> Please advise.
>
> I really appreciate your help.
>
> Thank you.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
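A worked illustration of Hugh's point, added here as an example; it is not code from this thread, from Radiator or from Red Hat Directory Server. In EAP MD5-Challenge (RFC 3748 section 5.4, using the CHAP algorithm of RFC 1994) the peer's Response Value is MD5(Identifier || cleartext password || challenge), so the server can only recompute and compare that value if it holds the cleartext password. Letting the directory check the password with a bind (ServerChecksPassword) or reading a hashed userPassword such as {SSHA} gives the server nothing it can feed into that MD5, which is why the trace shows an LDAP ACCEPT followed by "EAP MD5-Challenge failed". The two EAP-Message values below are decoded from the trace quoted above; the password "s3cret", the salt, and the server_check() decision logic (including its handling of a {scheme} prefix) are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4


def decode_trace_bytes(text):
    """Turn Radiator's trace-4 rendering of a binary attribute (non-printable
    bytes as <decimal>, printable bytes literally) back into bytes."""
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", text, re.S):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


# The EAP-Message attributes from the Access-Challenge and the following
# Access-Request in the trace quoted above (mail line wraps removed).
REQUEST = decode_trace_bytes(
    '<1><2><0>.<4><16><147>W="Fd<150><203><163><242><136><133><169><167>(<147>'
    'moddirecktori.mod.gov.my')
RESPONSE = decode_trace_bytes(
    "<2><2><0><27><4><16>L<4>'<142><197><193>_m<150>6<184>S<28><162>Vmchris")


def parse_eap_md5(packet):
    """Split an EAP packet into Code, Identifier, Length and, for MD5-Challenge,
    the Value (challenge or response hash) and the trailing Name."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP Length %d does not match packet size %d" % (length, len(packet)))
    info = {"code": EAP_CODE.get(code, code), "identifier": identifier}
    if code not in (1, 2):  # Success/Failure carry no Type/Type-Data
        return info
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet (type %d)" % packet[4])
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    info["value"] = value
    info["name"] = packet[6 + value_size:]
    return info


def eap_md5_response(identifier, password, challenge):
    """What the peer puts in its Response Value:
    MD5(Identifier || cleartext password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_eap_md5(identifier, password, challenge, response):
    """Server side: recompute with the password it holds, compare in constant time."""
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def ssha_userpassword(password, salt):
    """Constructed RFC 2307-style {SSHA} userPassword value: the form a
    directory stores when it does not keep the cleartext."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def server_check(stored_userpassword, identifier, challenge, response):
    """Stand-in for the authenticator's decision given the userPassword it read
    from the directory. Returns (accepted, reason). The {scheme} prefix handling
    is an assumption made for this example, not Radiator's own logic."""
    if stored_userpassword.startswith(b"{"):
        end = stored_userpassword.index(b"}")
        scheme = stored_userpassword[1:end].decode()
        if scheme.upper() != "CLEAR":
            return False, "userPassword is {%s}: no cleartext, MD5-Challenge cannot be checked" % scheme
        stored_userpassword = stored_userpassword[end + 1:]
    if verify_eap_md5(identifier, stored_userpassword, challenge, response):
        return True, "MD5-Challenge response matches"
    return False, "MD5-Challenge response does not match"


if __name__ == "__main__":
    for label, pkt in (("Access-Challenge EAP", REQUEST), ("Access-Request EAP", RESPONSE)):
        print(label, parse_eap_md5(pkt))
    # Constructed exchange: server picks a fresh 16-byte challenge, the peer
    # answers using the cleartext password "s3cret".
    challenge = os.urandom(16)
    response = eap_md5_response(9, b"s3cret", challenge)
    print(server_check(b"s3cret", 9, challenge, response))
    print(server_check(ssha_userpassword(b"s3cret", b"salt"), 9, challenge, response))
```

Running the script prints the decoded fields of both packets (Identifier 2, a 16-byte challenge followed by the server name, then a 16-byte response followed by "chris"), an accept for the cleartext case and a refusal for the {SSHA} case. The practical consequence is the one Hugh states: an EAP-MD5 deployment needs the directory to hand Radiator the cleartext password, and sites that will not store passwords in cleartext are better served by an EAP method that does not require it.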

