(RADIATOR) Authentication using LSA
Martin Berube
MBerube at jeancoutu.com
Wed Apr 2 15:25:31 CST 2008
Hello everyone!
I'm having a hard time figuring out why my wireless client is not getting
information concerning a password that needs to be changed (either because
it's expired, or first-time login).
I get this warning for a first-time login:
Wed Apr 2 17:05:40 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2):
3221226020, 0, The user's password must be changed before logging on the
first time.
Wed Apr 2 17:05:40 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2
Authentication failure
Wed Apr 2 17:05:40 2008: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2
Authentication failure
And I get this warning for a password that is expired:
Mon Mar 31 09:04:39 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2):
3221225582, 3221225585, Logon failure: the specified account password has
expired.
Mon Mar 31 09:04:39 2008: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA
Password check failed: DOM\username [DOM\username]
Mon Mar 31 09:04:39 2008: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA
Password check failed
I'm talking LSA to my Active Directory server (Win2K3),
and the client is Juniper Odyssey (Funk), set up for WPA2/PEAP/MS-CHAP-V2.
Everything works fine, unless those two situations occur.
What am I missing?
Config file (this is a test file):
<Handler TunnelledByPEAP=1>
    # Authenticate with Windows LSA
    <AuthBy LSA>
        DefaultDomain DOM
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPTLS_PEAPVersion 0
    </AuthBy>
</Handler>
Thanks for the help!
Martin Bérubé
Architecture et Sécurité des Réseaux
Network Infrastructure and Security
Centre d'Information Rx Ltée / Rx Information Center Ltd
Groupe Jean Coutu (PJC) Inc.
2165 de la Province,
Longueuil, Qc (Canada) J4G 1Y6
Tél./Tel. : (450) 463-1890 x3362
(888) 463-1890 x3362
Courriel/e-mail : mberube at jeancoutu.com
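
Added example, not part of the original post and not Radiator code: the numbers in each LogonUserNetworkMSCHAP warning above are decimal NTSTATUS values, and this Python log-triage helper decodes them so that "password must be changed" rejects can be told apart from bad-credential rejects. It assumes the first number is the logon status and the second the sub-status; the function names are this example's own, and the third sample record is constructed for comparison.

```python
import re

# NTSTATUS names (ntstatus.h) for the codes in the post, plus STATUS_LOGON_FAILURE.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
}
NEEDS_CHANGE = {0xC0000071, 0xC0000224}  # password must be changed, not wrong

# Two WARNING records from the post (mail-wrapped) + one constructed bad-password record.
SAMPLE = """\
Wed Apr 2 17:05:40 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2):
3221226020, 0, The user's password must be changed before logging on the
first time.
Mon Mar 31 09:04:39 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2):
3221225582, 3221225585, Logon failure: the specified account password has
expired.
Wed Apr 2 17:06:02 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2):
3221225581, 0, Logon failure: unknown user name or bad password.
"""

STAMP = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): ")
WARN = re.compile(r"Could not LogonUserNetworkMSCHAP \(V2\): (\d+), (\d+),")

def unwrap(text):
    """Rejoin mail-wrapped lines; a new record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def classify(text):
    """Return (timestamp, [NTSTATUS names], category) per LSA logon warning."""
    results = []
    for rec in unwrap(text):
        stamp, warn = STAMP.match(rec), WARN.search(rec)
        if not (stamp and warn):
            continue  # not an LSA logon warning (e.g. a DEBUG line)
        codes = [int(c) for c in warn.groups() if int(c)]  # drop a zero sub-status
        kind = "password-change-required" if NEEDS_CHANGE & set(codes) else "credential-failure"
        results.append((stamp.group(1), [NTSTATUS.get(c, hex(c)) for c in codes], kind))
    return results

if __name__ == "__main__":
    print(*classify(SAMPLE), sep="\n")
```

Counting the two categories separately keeps expired or first-login accounts from inflating failed-logon alerts on the RADIUS server.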