[RADIATOR] help with AuthBy LSA failure

Jason Mueller jasmuell at indiana.edu
Fri Aug 8 13:14:57 CDT 2008


Hugh and list,

As a quick reminder of our problem, we cannot authenticate users in  
Active Directory with the MS-CHAPv2 protocol using the <AuthBy LSA>  
module.

Sorry for the hiatus . . . I had several obligations on the road, and  
we rebuilt our system from the ground up to correct other OS-related  
errors to eliminate the possibility that these were related to our  
failure. Here is the basic environment: Windows 2003 SP2 fully-patched,  
ActiveState Perl v5.8.8, Radiator 4.3.1 patched. The Windows  
box is joined to the same domain where the users exist that we need to  
authenticate.

In order to eliminate issues related to our NAS (HP ProCurve 5400zl,  
which also continues to fail), I am using the radpwtst application to  
verify basic functions. I have found that <AuthBy LSA> works, if I use  
PAP. If I attempt to use MS-CHAPv2 with radpwtst with the same user/ 
password, I receive an authentication failure. The error indicates  
that there is an incorrect password (see output below), so I assume  
there is a failure in the hash comparison. Based on the lsa.cfg  
example provided in the distribution, I do not need to specify that  
MS-CHAPv2 is the authentication protocol, but I might be missing  
something. However, I am open to the possibility that I have a  
misconfiguration or that I am using the client incorrectly.

In my original post, I was also using PEAP with an inner  
authentication type of MS-CHAPv2. I have removed PEAP to eliminate  
that as an issue, so we can focus on the LSA module.

Here is my main question: How can I get MS-CHAPv2 authentication to  
work with the LSA module? Am I missing a configuration component? As  
you can see from the test client output below, the only difference  
between the successful and failed requests is the use of MS-CHAPv2 (I  
left the password in as well, because this is only a test user and it  
does not exist in our production environment). Any help is appreciated.

Thanks.

-Jason



Here is the current configuration:
----------
Foreground
LogStdout
LogDir		c:/Program Files/Radiator
DbDir		c:/Program Files/Radiator

AuthPort 1812
AcctPort 1813
Trace 		5

#localhost client for testing
<Client 127.0.0.1>
	Secret	mysecret
	DupInterval 0
</Client>

# Authenticate all realms with this
<Realm DEFAULT>
	<AuthBy LSA>
		Domain MSSGTEST
	</AuthBy>
</Realm>
----------


Below is the syntax and output of the two requests with the radpwtst  
client (first successful, second failure):
----------
C:\Perl\bin>perl radpwtst -user 00-16-cb-8a-a8-7e -password 00-16-cb-8a-a8-7e -auth_port 1812 -acct_port 1813
sending Access-Request...
OK
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

C:\Perl\bin>perl radpwtst -user 00-16-cb-8a-a8-7e -password 00-16-cb-8a-a8-7e -auth_port 1812 -acct_port 1813 -mschapv2
sending Access-Request...
Rejected: Request Denied
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK


Here is the radiusd output from the successful authentication using PAP:
----------
C:\Perl\bin>perl radiusd -config_file "c:\Program Files\Radiator\radius-lsa.cfg"
Fri Aug  8 13:50:48 2008: DEBUG: Finished reading configuration file  
'c:\Program Files\Radiator\radius-lsa.cfg'
This Radiator license will expire on 2009-03-30
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au

Fri Aug  8 13:50:48 2008: DEBUG: Reading dictionary file 'c:/Program  
Files/Radiator/dictionary'
Fri Aug  8 13:50:48 2008: DEBUG: Creating authentication port  
0.0.0.0:1812
Fri Aug  8 13:50:48 2008: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Aug  8 13:50:48 2008: NOTICE: Server started: Radiator 4.3.1 on  
iubiastest1 (LOCKED)
Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4971 ....

Packet length = 133
01 ea 00 85 79 4c a7 9c 99 bb 8b 81 cc c9 90 70
58 01 7e 57 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37
38 39 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00
00 00 00 02 22 7b f6 64 7b f8 b7 21 b3 29 f5 d6
7f 0d 0e c3 6d cf 2d 43 0e d5 32 f4 d6 6e 36 51
2d 4c 03 ba df
Code:       Access-Request
Identifier: 234
Authentic:  yL<167><156><153><187><139><129><204><201><144>pX<1>~W
Attributes:
         User-Name = "00-16-cb-8a-a8-7e"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Identifier = "203.63.154.1"
         NAS-Port = 1234
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         NAS-Port-Type = Async
         User-Password = {<246>d{<248><183>! 
<179>)<245><214><127><13><14><195>m<207>-C<14><213>2<244><214>n6Q- 
L<3><186><2
23>

Fri Aug  8 13:50:54 2008: DEBUG: Handling request with Handler  
'Realm=DEFAULT'
Fri Aug  8 13:50:54 2008: DEBUG:  Deleting session for 00-16-cb-8a- 
a8-7e, 203.63.154.1, 1234
Fri Aug  8 13:50:54 2008: DEBUG: Handling with Radius::AuthLSA:
Fri Aug  8 13:50:54 2008: DEBUG: Radius::AuthLSA looks for match with  
00-16-cb-8a-a8-7e [00-16-cb-8a-a8-7e]
Fri Aug  8 13:50:54 2008: DEBUG: Radius::AuthLSA ACCEPT: : 00-16-cb-8a- 
a8-7e [00-16-cb-8a-a8-7e]
Fri Aug  8 13:50:54 2008: DEBUG: AuthBy LSA result: ACCEPT,
Fri Aug  8 13:50:54 2008: DEBUG: Access accepted for 00-16-cb-8a-a8-7e
Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4971 ....

Packet length = 20
02 ea 00 14 0f 6e e2 cf 8d 59 0e 5d 7a 45 81 b5
67 32 02 f8
Code:       Access-Accept
Identifier: 234
Authentic:  <15>n<226><207><141>Y<14>]zE<129><181>g2<2><248>
Attributes:

Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4971 ....

Packet length = 121
04 eb 00 79 2d cf c0 5b 8b 17 47 d5 09 b0 dd d3
26 b3 7e 2c 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
30 30 30 31 32 33 34 28 06 00 00 00 01 1e 0b 31
32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
33 32 31 29 06 00 00 00 00
Code:       Accounting-Request
Identifier: 235
Authentic:  -<207><192>[<139><23>G<213><9><176><221><211>&<179>~,
Attributes:
         User-Name = "00-16-cb-8a-a8-7e"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Identifier = "203.63.154.1"
         NAS-Port = 1234
         NAS-Port-Type = Async
         Acct-Session-Id = "00001234"
         Acct-Status-Type = Start
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         Acct-Delay-Time = 0

Fri Aug  8 13:50:54 2008: DEBUG: Handling request with Handler  
'Realm=DEFAULT'
Fri Aug  8 13:50:54 2008: DEBUG:  Adding session for 00-16-cb-8a- 
a8-7e, 203.63.154.1, 1234
Fri Aug  8 13:50:54 2008: DEBUG: Handling with Radius::AuthLSA:
Fri Aug  8 13:50:54 2008: DEBUG: AuthBy LSA result: ACCEPT,
Fri Aug  8 13:50:54 2008: DEBUG: Accounting accepted
Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4971 ....

Packet length = 20
05 eb 00 14 14 ff 96 4a 92 a0 e5 93 6a be fb ae
62 b9 13 5e
Code:       Accounting-Response
Identifier: 235
Authentic:   
<20><255><150>J<146><160><229><147>j<190><251><174>b<185><19>^
Attributes:

Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4971 ....

Packet length = 139
04 ec 00 8b 7e 71 ab 76 d7 70 8c 40 fd aa 2d c7
92 92 4c 19 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
30 30 30 31 32 33 34 28 06 00 00 00 02 1e 0b 31
32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
33 32 31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a
06 00 00 4e 20 2b 06 00 00 75 30
Code:       Accounting-Request
Identifier: 236
Authentic:  ~q<171>v<215>p<140>@<253><170>-<199><146><146>L<25>
Attributes:
         User-Name = "00-16-cb-8a-a8-7e"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Identifier = "203.63.154.1"
         NAS-Port = 1234
         NAS-Port-Type = Async
         Acct-Session-Id = "00001234"
         Acct-Status-Type = Stop
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         Acct-Delay-Time = 0
         Acct-Session-Time = 1000
         Acct-Input-Octets = 20000
         Acct-Output-Octets = 30000

Fri Aug  8 13:50:55 2008: DEBUG: Handling request with Handler  
'Realm=DEFAULT'
Fri Aug  8 13:50:55 2008: DEBUG:  Deleting session for 00-16-cb-8a- 
a8-7e, 203.63.154.1, 1234
Fri Aug  8 13:50:55 2008: DEBUG: Handling with Radius::AuthLSA:
Fri Aug  8 13:50:55 2008: DEBUG: AuthBy LSA result: ACCEPT,
Fri Aug  8 13:50:55 2008: DEBUG: Accounting accepted
Fri Aug  8 13:50:55 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4971 ....

Packet length = 20
05 ec 00 14 be 71 36 5d 4a 44 80 8c f6 87 78 35
da 1a a6 00
Code:       Accounting-Response
Identifier: 236
Authentic:  <190>q6]JD<128><140><246><135>x5<218><26><166><0>
Attributes:
----------


Here is the radiusd output from the failed authentication using MS-CHAPv2:
----------
C:\Perl\bin>perl radiusd -config_file "c:\Program Files\Radiator\radius-lsa.cfg"
Fri Aug  8 13:52:46 2008: DEBUG: Finished reading configuration file  
'c:\Program Files\Radiator\radius-lsa.cfg'
This Radiator license will expire on 2009-03-30
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au

Fri Aug  8 13:52:46 2008: DEBUG: Reading dictionary file 'c:/Program  
Files/Radiator/dictionary'
Fri Aug  8 13:52:46 2008: DEBUG: Creating authentication port  
0.0.0.0:1812
Fri Aug  8 13:52:46 2008: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Aug  8 13:52:46 2008: NOTICE: Server started: Radiator 4.3.1 on  
iubiastest1 (LOCKED)
Fri Aug  8 13:53:01 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4984 ....

Packet length = 181
01 6a 00 b5 bc a1 f6 23 00 16 c4 7f c7 a3 04 56
8b 41 22 e6 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37
38 39 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00
00 00 00 1a 18 00 00 01 37 0b 12 5b 5d 7c 7d 7b
3f 2f 3e 3c 2c 60 21 32 26 26 28 1a 3a 00 00 01
37 19 34 01 00 21 40 23 24 25 5e 26 2a 28 29 5f
2b 3a 33 7c 7e 00 00 00 00 00 00 00 00 b2 5a 93
ca 1a 8d aa cd fe 0b 74 5c 75 4b 02 c4 c2 f7 3c
24 6c 1b 55 a4
Code:       Access-Request
Identifier: 106
Authentic:  <188><161><246>#<0><22><196><127><199><163><4>V<139>A"<230>
Attributes:
         User-Name = "00-16-cb-8a-a8-7e"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Identifier = "203.63.154.1"
         NAS-Port = 1234
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         NAS-Port-Type = Async
         MS-CHAP-Challenge = []|}{?/><,`!2&&(
         MS-CHAP2-Response = <1><0>!@#$%^&*()_+:3| 
~<0><0><0><0><0><0><0><0><178>Z<147><202><26><141><170><205><254><11>t\
uK<2><196><194><247><$l<27>U<164>

Fri Aug  8 13:53:01 2008: DEBUG: Handling request with Handler  
'Realm=DEFAULT'
Fri Aug  8 13:53:01 2008: DEBUG:  Deleting session for 00-16-cb-8a- 
a8-7e, 203.63.154.1, 1234
Fri Aug  8 13:53:01 2008: DEBUG: Handling with Radius::AuthLSA:
Fri Aug  8 13:53:01 2008: DEBUG: Radius::AuthLSA looks for match with  
00-16-cb-8a-a8-7e [00-16-cb-8a-a8-7e]
Fri Aug  8 13:53:01 2008: WARNING: Could not LogonUserNetworkMSCHAP  
(V2): 3221225581, 0, Logon failure: unknown user name or bad password.

Fri Aug  8 13:53:01 2008: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA  
Password check failed: 00-16-cb-8a-a8-7e [00-16-cb-8a-a8-7e]
Fri Aug  8 13:53:02 2008: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA  
Password check failed
Fri Aug  8 13:53:02 2008: INFO: Access rejected for 00-16-cb-8a-a8-7e:  
AuthBy LSA Password check failed
Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4984 ....

Packet length = 36
03 6a 00 24 4f f7 99 39 a1 ae 4b a4 49 22 82 62
11 b9 cd 5d 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 106
Authentic:  O<247><153>9<161><174>K<164>I"<130>b<17><185><205>]
Attributes:
         Reply-Message = "Request Denied"

Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4984 ....

Packet length = 121
04 6b 00 79 63 b1 70 60 21 29 c7 7b 12 cf aa 5a
9e b3 d8 94 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
30 30 30 31 32 33 34 28 06 00 00 00 01 1e 0b 31
32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
33 32 31 29 06 00 00 00 00
Code:       Accounting-Request
Identifier: 107
Authentic:  c<177>p`!)<199>{<18><207><170>Z<158><179><216><148>
Attributes:
         User-Name = "00-16-cb-8a-a8-7e"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Identifier = "203.63.154.1"
         NAS-Port = 1234
         NAS-Port-Type = Async
         Acct-Session-Id = "00001234"
         Acct-Status-Type = Start
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         Acct-Delay-Time = 0

Fri Aug  8 13:53:02 2008: DEBUG: Handling request with Handler  
'Realm=DEFAULT'
Fri Aug  8 13:53:02 2008: DEBUG:  Adding session for 00-16-cb-8a- 
a8-7e, 203.63.154.1, 1234
Fri Aug  8 13:53:02 2008: DEBUG: Handling with Radius::AuthLSA:
Fri Aug  8 13:53:02 2008: DEBUG: AuthBy LSA result: ACCEPT,
Fri Aug  8 13:53:02 2008: DEBUG: Accounting accepted
Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4984 ....

Packet length = 20
05 6b 00 14 15 a2 6f bf 5e b5 16 37 f8 ee 7d a0
f2 55 bc ba
Code:       Accounting-Response
Identifier: 107
Authentic:  <21><162>o<191>^<181><22>7<248><238>}<160><242>U<188><186>
Attributes:

Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4984 ....

Packet length = 139
04 6c 00 8b 4a f5 15 77 c3 d6 39 ad ff 6f d8 3c
93 1a d5 0e 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
30 30 30 31 32 33 34 28 06 00 00 00 02 1e 0b 31
32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
33 32 31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a
06 00 00 4e 20 2b 06 00 00 75 30
Code:       Accounting-Request
Identifier: 108
Authentic:  J<245><21>w<195><214>9<173><255>o<216><<147><26><213><14>
Attributes:
         User-Name = "00-16-cb-8a-a8-7e"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Identifier = "203.63.154.1"
         NAS-Port = 1234
         NAS-Port-Type = Async
         Acct-Session-Id = "00001234"
         Acct-Status-Type = Stop
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         Acct-Delay-Time = 0
         Acct-Session-Time = 1000
         Acct-Input-Octets = 20000
         Acct-Output-Octets = 30000

Fri Aug  8 13:53:02 2008: DEBUG: Handling request with Handler  
'Realm=DEFAULT'
Fri Aug  8 13:53:02 2008: DEBUG:  Deleting session for 00-16-cb-8a- 
a8-7e, 203.63.154.1, 1234
Fri Aug  8 13:53:02 2008: DEBUG: Handling with Radius::AuthLSA:
Fri Aug  8 13:53:02 2008: DEBUG: AuthBy LSA result: ACCEPT,
Fri Aug  8 13:53:02 2008: DEBUG: Accounting accepted
Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4984 ....

Packet length = 20
05 6c 00 14 0b cd bc d8 b0 5c 94 b3 b0 ac f4 25
29 4a 19 96
Code:       Accounting-Response
Identifier: 108
Authentic:  <11><205><188><216><176>\<148><179><176><172><244> 
%)J<25><150>
Attributes:
----------
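The rejected Access-Request above carries the whole MS-CHAPv2 exchange in two Microsoft vendor-specific attributes, and the raw hex dump is the one place where the structure of the MS-CHAP2-Response (Ident, Flags, Peer-Challenge, Reserved, NT-Response) can actually be seen. The following Python script is an added example for this post, not code from Radiator or radpwtst: it parses that dump according to RFC 2865 and RFC 2548, pulls out the MS-CHAP-Challenge and the fields of the MS-CHAP2-Response, and runs the well-formedness checks a server would apply before it ever compares hashes (16-byte challenge, Flags zero, Reserved all zero, 24-byte NT-Response). That separates "the client sent something malformed" from "the password check itself failed"; for this packet everything is well-formed, which is consistent with the LSA logon call, not the attribute encoding, being the point of failure. Attribute type numbers and the Microsoft vendor id come from the RFCs; the packet bytes are the dump quoted above.

```python
"""Decode MS-CHAPv2 attributes from a raw RADIUS Access-Request.

Added example for the mailing-list post above; not part of Radiator or
radpwtst.  Layout per RFC 2865 (RADIUS attributes) and RFC 2548
(Microsoft VSAs, vendor id 311).  The packet below is the Access-Request
hex dump from the failed MS-CHAPv2 run in the post (Identifier 106).
"""
import struct

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311
MS_CHAP_CHALLENGE = 11      # RFC 2548 section 2.1.4, 16 octets
MS_CHAP2_RESPONSE = 25      # RFC 2548 section 2.3.2, 50 octets

# Copied from the radiusd packet dump in the post (length 181).
ACCESS_REQUEST_HEX = """
01 6a 00 b5 bc a1 f6 23 00 16 c4 7f c7 a3 04 56
8b 41 22 e6 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37
38 39 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00
00 00 00 1a 18 00 00 01 37 0b 12 5b 5d 7c 7d 7b
3f 2f 3e 3c 2c 60 21 32 26 26 28 1a 3a 00 00 01
37 19 34 01 00 21 40 23 24 25 5e 26 2a 28 29 5f
2b 3a 33 7c 7e 00 00 00 00 00 00 00 00 b2 5a 93
ca 1a 8d aa cd fe 0b 74 5c 75 4b 02 c4 c2 f7 3c
24 6c 1b 55 a4
"""
ACCESS_REQUEST = bytes.fromhex(ACCESS_REQUEST_HEX.replace("\n", " "))


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vtype, vvalue), ...])."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def decode_mschap2(attrs):
    """Extract User-Name, MS-CHAP-Challenge and the MS-CHAP2-Response fields."""
    out = {}
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            out["user_name"] = value.decode("ascii")
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            if vendor_id != MICROSOFT_VENDOR_ID:
                continue
            for vtype, vvalue in subs:
                if vtype == MS_CHAP_CHALLENGE:
                    out["challenge"] = vvalue
                elif vtype == MS_CHAP2_RESPONSE:
                    if len(vvalue) != 50:
                        raise ValueError("MS-CHAP2-Response must be 50 octets")
                    out["ident"] = vvalue[0]             # matches the CHAP ident
                    out["flags"] = vvalue[1]             # reserved, must be 0
                    out["peer_challenge"] = vvalue[2:18]
                    out["reserved"] = vvalue[18:26]      # must be all zero
                    out["nt_response"] = vvalue[26:50]   # 24-octet NT-Response
    return out


def wellformedness_problems(decoded):
    """Checks a server applies before the hash comparison; empty list = OK."""
    problems = []
    if len(decoded.get("challenge", b"")) != 16:
        problems.append("MS-CHAP-Challenge is not 16 octets")
    if "nt_response" not in decoded:
        problems.append("MS-CHAP2-Response missing")
        return problems
    if decoded["flags"] != 0:
        problems.append("Flags octet is not zero")
    if decoded["reserved"] != bytes(8):
        problems.append("Reserved field is not all zero")
    if len(decoded["nt_response"]) != 24:
        problems.append("NT-Response is not 24 octets")
    return problems


if __name__ == "__main__":
    code, ident, _auth, attrs = parse_radius(ACCESS_REQUEST)
    info = decode_mschap2(attrs)
    print(f"code={code} id={ident} user={info['user_name']}")
    print("MS-CHAP-Challenge :", info["challenge"])
    print("Peer-Challenge    :", info["peer_challenge"])
    print("NT-Response       :", info["nt_response"].hex())
    print("problems          :", wellformedness_problems(info) or "none")
```

Running it shows the challenge `[]|}{?/><,`!2&&(` and peer challenge `!@#$%^&*()_+:3|~` exactly as the radiusd trace printed them, Flags and Reserved both zero, and a 24-octet NT-Response, so the request itself is a valid MS-CHAPv2 exchange and the next thing to inspect is what LogonUserNetworkMSCHAP is being handed on the LSA side.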


