(RADIATOR) AuthBy LSA Issues still unresolved
Cottrell, Charles P.
cottrell at musc.edu
Thu Apr 10 13:44:20 CDT 2008
Hugh,
I have an update on our situation. It appears that McAfee 8.0 was preventing authentication when I first tried adding the radius workstation to our AD domain. I'm almost positive it is the port blocking portion of the McAfee product which was causing my issue. Yesterday I ran a test where I removed McAfee (not ideal, and just for testing) and joined the workstation to the domain, and voila... successful radius authentication!
However, with or without McAfee, when the workstation is not part of our domain Radius authentication fails.
Are you familiar enough with Active Directory to know if there are specific logon policies that can be enabled or disabled when a workstation/server is not a member of the domain? For instance, is there something in AD that says "allow users to access domain resources such as file shares, but don't allow an actual network login"? NetWare used to have a similar concept where "Network Logon" and "Network Authentication" were two different items.
Does this make sense?
Charles
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Wednesday, April 09, 2008 5:44 PM
To: Cottrell, Charles P.
Subject: Re: (RADIATOR) AuthBy LSA Issues still unresolved
Hello Charles -
Well, as I suggested to Steve, you can try just using a simple AuthBy
LSA clause without EAP to test that part of your infrastructure (see
"goodies/lsa.cfg").
Once you have the basic AuthBy LSA working properly you can go on to
adding EAP.
regards
Hugh
On 9 Apr 2008, at 20:26, Cottrell, Charles P. wrote:
> Hugh,
>
> I am using XP Pro. Early in testing I even joined this workstation
> to our domain to see if that would resolve this issue (which it did
> not). It has since been removed.
>
> Charles
> ________________________________________
> From: Hugh Irvine [hugh at open.com.au]
> Sent: Wednesday, April 09, 2008 12:28 AM
> To: Cottrell, Charles P.
> Subject: Re: (RADIATOR) AuthBy LSA Issues still unresolved
>
> Hello Charles -
>
> Are you using XP Home by any chance? XP Pro is required for LSA.
>
> See section 5.51 in the Radiator 4.2 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 9 Apr 2008, at 10:53, Cottrell, Charles P. wrote:
>> Hugh,
>>
>> This is the account I use to authenticate to other resources in the
>> domain (map drives from non domain workstation), as well as login
>> to computers that are in the domain. Is there a policy setting in
>> active directory for my user account to have network login enabled?
>> Is it a setting on the users property page in AD users and computers?
>>
>> Thanks! I thought I followed the instructions but I must be
>> overlooking something.
>>
>> Charles
>>
>>
>> ----- Original Message -----
>> From: Hugh Irvine <hugh at open.com.au>
>> To: Cottrell, Charles P.
>> Cc: radiator at open.com.au <radiator at open.com.au>; Caporossi,
>> Stephen G.
>> Sent: Tue Apr 08 20:34:08 2008
>> Subject: Re: (RADIATOR) AuthBy LSA Issues still unresolved
>>
>>
>> Hello Charles -
>>
>> Here is the section of the logfile:
>>
>>
>> Tue Apr 8 14:54:19 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
>> Tue Apr 8 14:54:19 2008: DEBUG: Deleting session for anonymous, 10.24.70.26, 29
>> Tue Apr 8 14:54:19 2008: DEBUG: Handling with Radius::AuthLSA:
>> Tue Apr 8 14:54:19 2008: DEBUG: Handling with EAP: code 2, 12, 63, 26
>> Tue Apr 8 14:54:19 2008: DEBUG: Response type 26
>> Tue Apr 8 14:54:19 2008: DEBUG: Radius::AuthLSA looks for match with cottrell [anonymous]
>> Tue Apr 8 14:54:19 2008: DEBUG: Radius::AuthLSA ACCEPT: : cottrell [anonymous]
>>
>> Tue Apr 8 14:54:19 2008: WARNING: Could not LogonUserNetworkMSCHAP(V2): 3221225581, 0, Logon failure: unknown user name or bad password.
>>
>>
>> The AuthBy LSA is returning ACCEPT - but the MSCHAP-V2 part is
>> failing because Windows on the Radiator host could not log the user
>> onto the network.
>>
>> If defining the user on the local machine works correctly, then there
>> must be some problem with the machine talking to AD, or the user does
>> not in fact have network logon enabled.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 9 Apr 2008, at 05:06, Cottrell, Charles P. wrote:
>>> Greetings from South Carolina! I am having a difficult time
>>> configuring radiator to authenticate against a Windows domain using
>>> the AuthBy LSA clause. Several weeks ago Steve Caporossi posted
>>> about this same issue, and so far we've not been able to resolve
>>> this issue. Help!
>>>
>>>
>>>
>>> Attached are both the log file and the radius.cfg file. The
>>> configuration is very generic since we want to keep it simple for
>>> the time being.
>>>
>>>
>>>
>>> Some other info:
>>>
>>>
>>>
>>> Radiator is running on Windows XP and is running from a startup
>>> batch file.
>>>
>>>
>>>
>>> Odyssey v4.51 is the client on a Windows XP laptop.
>>>
>>>
>>>
>>> Towards the end of the log file there is a section where the EAP
>>> MSCHAP-V2 authentication fails due to unknown username/bad
>>> password, and of course access is rejected. However, I use this
>>> combo daily and it is correct.
>>>
>>>
>>>
>>> Thanks in advance!
>>>
>>>
>>>
>>> Charles
>>>
>>>
>>>
>>> Charles P. Cottrell
>>>
>>> Network Administrator
>>>
>>> Medical University of South Carolina
>>>
>>> 843.792.9938
>>>
>>>
>>>
>>> <040808.log><radius.cfg>
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/
>> radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
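Editor's example, added to this archived thread and not part of any message in it or of Radiator itself: the diagnostic value in Hugh's log excerpt is the status number in the "Could not LogonUserNetworkMSCHAP(V2)" warning. It is an NTSTATUS code returned by the Windows LSA logon call on the Radiator host; 3221225581 is 0xC000006D, STATUS_LOGON_FAILURE, which says only that the host could not validate the credentials and does not distinguish a bad password from a host that cannot reach or is not trusted by the domain (Charles's non-domain-member case). A different code, such as STATUS_LOGON_TYPE_NOT_GRANTED or STATUS_ACCOUNT_LOCKED_OUT, would point at an AD policy on the account rather than a credential or trust problem. The checker below scans Radiator trace output for an AuthLSA ACCEPT that is followed by a failed Windows network logon and decodes the status. The log lines are constructed for the example, modelled on the excerpt quoted above; the second pair of lines (user "jdoe", status 3221226036) is invented to show a non-0xC000006D code.

```python
import re

# Subset of NTSTATUS codes that LogonUser commonly returns for a rejected
# network logon. 0xC000006D (3221225581 decimal) is the value in the thread.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# "Tue Apr  8 14:54:19 2008: DEBUG: message" -- Radiator's trace line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<level>\w+): (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Radius::AuthLSA ACCEPT: *: (?P<user>\S+)")
LOGON_FAIL_RE = re.compile(
    r"Could not LogonUserNetwork(?P<method>\S+): (?P<status>\d+), (?P<sub>\d+), (?P<text>.*)"
)


def decode_ntstatus(value: int) -> str:
    """Render a decimal NTSTATUS as hex plus its symbolic name, if known."""
    return f"0x{value:08X} {NTSTATUS_NAMES.get(value, 'UNKNOWN_STATUS')}"


def find_lsa_logon_failures(lines):
    """Return one finding per WARNING in which the Windows logon call failed.

    Each finding records the user named in the preceding AuthLSA ACCEPT line
    (if any), the raw status, and its decoded NTSTATUS, so that the cause
    (credentials/trust vs. account policy) can be told apart at a glance.
    """
    findings = []
    last_accept = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        a = ACCEPT_RE.search(msg)
        if a:
            last_accept = (m.group("ts"), a.group("user"))
            continue
        f = LOGON_FAIL_RE.search(msg)
        if f and m.group("level") == "WARNING":
            status = int(f.group("status"))
            findings.append({
                "timestamp": m.group("ts"),
                "user": last_accept[1] if last_accept else None,
                "method": f.group("method"),
                "status": status,
                "ntstatus": decode_ntstatus(status),
                "message": f.group("text").strip(),
                "after_lsa_accept": last_accept is not None,
            })
            last_accept = None
    return findings


# Constructed sample, modelled on the trace 4 excerpt quoted in the thread.
SAMPLE_LOG = """\
Tue Apr  8 14:54:19 2008: DEBUG: Handling with Radius::AuthLSA:
Tue Apr  8 14:54:19 2008: DEBUG: Handling with EAP: code 2, 12, 63, 26
Tue Apr  8 14:54:19 2008: DEBUG: Response type 26
Tue Apr  8 14:54:19 2008: DEBUG: Radius::AuthLSA looks for match with cottrell [anonymous]
Tue Apr  8 14:54:19 2008: DEBUG: Radius::AuthLSA ACCEPT: : cottrell [anonymous]
Tue Apr  8 14:54:19 2008: WARNING: Could not LogonUserNetworkMSCHAP(V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Tue Apr  8 14:55:02 2008: DEBUG: Radius::AuthLSA ACCEPT: : jdoe [anonymous]
Tue Apr  8 14:55:02 2008: WARNING: Could not LogonUserNetworkMSCHAP(V2): 3221226036, 0, The referenced account is currently locked out and may not be logged on to.
"""

if __name__ == "__main__":
    for finding in find_lsa_logon_failures(SAMPLE_LOG.splitlines()):
        print(f"{finding['timestamp']}  user={finding['user']}  "
              f"{finding['ntstatus']}  ({finding['message']})")
```

Run against a real trace 4 log with `find_lsa_logon_failures(open(path).readlines())`. When every failure decodes to STATUS_LOGON_FAILURE for a user whose password is known to be correct, the problem is between the Radiator host and the domain (trust, reachability, or something blocking the traffic, as Charles found with the port blocker) rather than an account setting; account-policy codes point the other way.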