[RADIATOR] help with AuthBy LSA failure

Mike McCauley mikem at open.com.au
Fri Aug 8 22:29:59 CDT 2008


Hello Jason,

Tests here with a similar config and the same username and password work fine 
for PAP, MSCHAP and MSCHAPV2. So it appears that the problem is something 
unique to your installation or AD configuration.

One possibility is that there is a problem with one of the MSCHAPV2 support 
modules used by Radiator. You may want to try configuring Radiator on that 
machine to auth from a flat file (AuthBy FILE) and authenticate against that 
with radpwtst using both PAP and MSCHAPV2. 

Another possibility is some unusual configuration issue in your AD 
configuration. Is there anything unusual about it, or is it 'out of the box'?

Another possibility is that maybe you need to set DefaultDomain in your AuthBy 
LSA.

Cheers.

On Saturday 09 August 2008 04:14, Jason Mueller wrote:
> Hugh and list,
>
> As quick reminder of our problem, we cannot authenticate users in
> Active Directory with the MS-CHAPv2 protocol using the <AuthBy LSA>
> module.
>
> Sorry for the hiatus . . . I had several obligations on the road, and
> we rebuilt our system from the ground up to correct other OS-related
> errors to eliminate the possibility that these were related to our
> failure. Here is the basic environment: Windows 2003 SP2 fully-patched,
> ActiveState Perl v5.8.8, Radiator 4.3.1 patched. The Windows
> box is joined to the same domain where the users exist that we need to
> authenticate.
>
> In order to eliminate issues related to our NAS (HP ProCurve 5400zl,
> which also continues to fail), I am using the radpwtst application to
> verify basic functions. I have found that <AuthBy LSA> works, if I use
> PAP. If I attempt to use MS-CHAPv2 with radpwtst with the same
> user/password, I receive an authentication failure. The error indicates
> that there is an incorrect password (see output below), so I assume
> there is a failure in the hash comparison. Based on the lsa.cfg
> example provided in the distribution, I do not need to specify that
> MS-CHAPv2 is the authentication protocol, but I might be missing
> something. However, I am open to the possibility that I have a
> misconfiguration or that I am using the client incorrectly.
>
> In my original post, I was also using PEAP with an inner
> authentication type of MS-CHAPv2. I have removed PEAP to eliminate
> that as an issue, so we can focus on the LSA module.
>
> Here is my main question: How can I get MS-CHAPv2 authentication to
> work with the LSA module? Am I missing a configuration component? As
> you can see from the test client output below, the only difference
> between the successful and failed requests is the use of MS-CHAPv2 (I
> left the password in as well, because this is only a test user and it
> does not exist in our production environment). Any help is appreciated.
>
> Thanks.
>
> -Jason
>
>
>
> Here is the current configuration:
> ----------
> Foreground
> LogStdout
> LogDir		c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
>
> AuthPort 1812
> AcctPort 1813
> Trace 		5
>
> #localhost client for testing
> <Client 127.0.0.1>
> 	Secret	mysecret
> 	DupInterval 0
> </Client>
>
> # Authenticate all realms with this
> <Realm DEFAULT>
> 	<AuthBy LSA>
> 		Domain MSSGTEST
> 	</AuthBy>
> </Realm>
> ----------
>
>
> Below is the syntax and output of the two requests with the radpwtst
> client (first successful, second failure):
> ----------
> C:\Perl\bin>perl radpwtst -user 00-16-cb-8a-a8-7e -password 00-16-cb-8a-a8-7e -auth_port 1812 -acct_port 1813
> sending Access-Request...
> OK
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
> C:\Perl\bin>perl radpwtst -user 00-16-cb-8a-a8-7e -password 00-16-cb-8a-a8-7e -auth_port 1812 -acct_port 1813 -mschapv2
> sending Access-Request...
> Rejected: Request Denied
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
>
> Here is the radiusd output from the successful authentication using PAP:
> ----------
> C:\Perl\bin>perl radiusd -config_file "c:\Program Files\Radiator
> \radius-lsa.cfg"
> Fri Aug  8 13:50:48 2008: DEBUG: Finished reading configuration file
> 'c:\Program Files\Radiator\radius-lsa.cfg'
> This Radiator license will expire on 2009-03-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Aug  8 13:50:48 2008: DEBUG: Reading dictionary file 'c:/Program
> Files/Radiator/dictionary'
> Fri Aug  8 13:50:48 2008: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Fri Aug  8 13:50:48 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Aug  8 13:50:48 2008: NOTICE: Server started: Radiator 4.3.1 on
> iubiastest1 (LOCKED)
> Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4971 ....
>
> Packet length = 133
> 01 ea 00 85 79 4c a7 9c 99 bb 8b 81 cc c9 90 70
> 58 01 7e 57 01 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
> 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
> 31 05 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37
> 38 39 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00
> 00 00 00 02 22 7b f6 64 7b f8 b7 21 b3 29 f5 d6
> 7f 0d 0e c3 6d cf 2d 43 0e d5 32 f4 d6 6e 36 51
> 2d 4c 03 ba df
> Code:       Access-Request
> Identifier: 234
> Authentic:  yL<167><156><153><187><139><129><204><201><144>pX<1>~W
> Attributes:
>          User-Name = "00-16-cb-8a-a8-7e"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Identifier = "203.63.154.1"
>          NAS-Port = 1234
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          NAS-Port-Type = Async
>          User-Password = {<246>d{<248><183>!<179>)<245><214><127><13><14><195>m<207>-C<14><213>2<244><214>n6Q-L<3><186><223>
>
> Fri Aug  8 13:50:54 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  8 13:50:54 2008: DEBUG:  Deleting session for 00-16-cb-8a-
> a8-7e, 203.63.154.1, 1234
> Fri Aug  8 13:50:54 2008: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 13:50:54 2008: DEBUG: Radius::AuthLSA looks for match with
> 00-16-cb-8a-a8-7e [00-16-cb-8a-a8-7e]
> Fri Aug  8 13:50:54 2008: DEBUG: Radius::AuthLSA ACCEPT: : 00-16-cb-8a-
> a8-7e [00-16-cb-8a-a8-7e]
> Fri Aug  8 13:50:54 2008: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug  8 13:50:54 2008: DEBUG: Access accepted for 00-16-cb-8a-a8-7e
> Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4971 ....
>
> Packet length = 20
> 02 ea 00 14 0f 6e e2 cf 8d 59 0e 5d 7a 45 81 b5
> 67 32 02 f8
> Code:       Access-Accept
> Identifier: 234
> Authentic:  <15>n<226><207><141>Y<14>]zE<129><181>g2<2><248>
> Attributes:
>
> Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4971 ....
>
> Packet length = 121
> 04 eb 00 79 2d cf c0 5b 8b 17 47 d5 09 b0 dd d3
> 26 b3 7e 2c 01 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
> 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
> 31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
> 30 30 30 31 32 33 34 28 06 00 00 00 01 1e 0b 31
> 32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
> 33 32 31 29 06 00 00 00 00
> Code:       Accounting-Request
> Identifier: 235
> Authentic:  -<207><192>[<139><23>G<213><9><176><221><211>&<179>~,
> Attributes:
>          User-Name = "00-16-cb-8a-a8-7e"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Identifier = "203.63.154.1"
>          NAS-Port = 1234
>          NAS-Port-Type = Async
>          Acct-Session-Id = "00001234"
>          Acct-Status-Type = Start
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          Acct-Delay-Time = 0
>
> Fri Aug  8 13:50:54 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  8 13:50:54 2008: DEBUG:  Adding session for 00-16-cb-8a-
> a8-7e, 203.63.154.1, 1234
> Fri Aug  8 13:50:54 2008: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 13:50:54 2008: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug  8 13:50:54 2008: DEBUG: Accounting accepted
> Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4971 ....
>
> Packet length = 20
> 05 eb 00 14 14 ff 96 4a 92 a0 e5 93 6a be fb ae
> 62 b9 13 5e
> Code:       Accounting-Response
> Identifier: 235
> Authentic:  <20><255><150>J<146><160><229><147>j<190><251><174>b<185><19>^
> Attributes:
>
> Fri Aug  8 13:50:54 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4971 ....
>
> Packet length = 139
> 04 ec 00 8b 7e 71 ab 76 d7 70 8c 40 fd aa 2d c7
> 92 92 4c 19 01 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
> 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
> 31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
> 30 30 30 31 32 33 34 28 06 00 00 00 02 1e 0b 31
> 32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
> 33 32 31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a
> 06 00 00 4e 20 2b 06 00 00 75 30
> Code:       Accounting-Request
> Identifier: 236
> Authentic:  ~q<171>v<215>p<140>@<253><170>-<199><146><146>L<25>
> Attributes:
>          User-Name = "00-16-cb-8a-a8-7e"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Identifier = "203.63.154.1"
>          NAS-Port = 1234
>          NAS-Port-Type = Async
>          Acct-Session-Id = "00001234"
>          Acct-Status-Type = Stop
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          Acct-Delay-Time = 0
>          Acct-Session-Time = 1000
>          Acct-Input-Octets = 20000
>          Acct-Output-Octets = 30000
>
> Fri Aug  8 13:50:55 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  8 13:50:55 2008: DEBUG:  Deleting session for 00-16-cb-8a-
> a8-7e, 203.63.154.1, 1234
> Fri Aug  8 13:50:55 2008: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 13:50:55 2008: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug  8 13:50:55 2008: DEBUG: Accounting accepted
> Fri Aug  8 13:50:55 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4971 ....
>
> Packet length = 20
> 05 ec 00 14 be 71 36 5d 4a 44 80 8c f6 87 78 35
> da 1a a6 00
> Code:       Accounting-Response
> Identifier: 236
> Authentic:  <190>q6]JD<128><140><246><135>x5<218><26><166><0>
> Attributes:
> ----------
>
>
> Here is the radiusd output from the failed authentication using MS-CHAPv2:
> ----------
> C:\Perl\bin>perl radiusd -config_file "c:\Program Files\Radiator
> \radius-lsa.cfg"
> Fri Aug  8 13:52:46 2008: DEBUG: Finished reading configuration file
> 'c:\Program Files\Radiator\radius-lsa.cfg'
> This Radiator license will expire on 2009-03-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Aug  8 13:52:46 2008: DEBUG: Reading dictionary file 'c:/Program
> Files/Radiator/dictionary'
> Fri Aug  8 13:52:46 2008: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Fri Aug  8 13:52:46 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Aug  8 13:52:46 2008: NOTICE: Server started: Radiator 4.3.1 on
> iubiastest1 (LOCKED)
> Fri Aug  8 13:53:01 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4984 ....
>
> Packet length = 181
> 01 6a 00 b5 bc a1 f6 23 00 16 c4 7f c7 a3 04 56
> 8b 41 22 e6 01 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
> 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
> 31 05 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37
> 38 39 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00
> 00 00 00 1a 18 00 00 01 37 0b 12 5b 5d 7c 7d 7b
> 3f 2f 3e 3c 2c 60 21 32 26 26 28 1a 3a 00 00 01
> 37 19 34 01 00 21 40 23 24 25 5e 26 2a 28 29 5f
> 2b 3a 33 7c 7e 00 00 00 00 00 00 00 00 b2 5a 93
> ca 1a 8d aa cd fe 0b 74 5c 75 4b 02 c4 c2 f7 3c
> 24 6c 1b 55 a4
> Code:       Access-Request
> Identifier: 106
> Authentic:  <188><161><246>#<0><22><196><127><199><163><4>V<139>A"<230>
> Attributes:
>          User-Name = "00-16-cb-8a-a8-7e"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Identifier = "203.63.154.1"
>          NAS-Port = 1234
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          NAS-Port-Type = Async
>          MS-CHAP-Challenge = []|}{?/><,`!2&&(
>          MS-CHAP2-Response = <1><0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0><178>Z<147><202><26><141><170><205><254><11>t\uK<2><196><194><247><$l<27>U<164>
>
> Fri Aug  8 13:53:01 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  8 13:53:01 2008: DEBUG:  Deleting session for 00-16-cb-8a-
> a8-7e, 203.63.154.1, 1234
> Fri Aug  8 13:53:01 2008: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 13:53:01 2008: DEBUG: Radius::AuthLSA looks for match with
> 00-16-cb-8a-a8-7e [00-16-cb-8a-a8-7e]
> Fri Aug  8 13:53:01 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
>
> Fri Aug  8 13:53:01 2008: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed: 00-16-cb-8a-a8-7e [00-16-cb-8a-a8-7e]
> Fri Aug  8 13:53:02 2008: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA
> Password check failed
> Fri Aug  8 13:53:02 2008: INFO: Access rejected for 00-16-cb-8a-a8-7e:
> AuthBy LSA Password check failed
> Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4984 ....
>
> Packet length = 36
> 03 6a 00 24 4f f7 99 39 a1 ae 4b a4 49 22 82 62
> 11 b9 cd 5d 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 106
> Authentic:  O<247><153>9<161><174>K<164>I"<130>b<17><185><205>]
> Attributes:
>          Reply-Message = "Request Denied"
>
> Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4984 ....
>
> Packet length = 121
> 04 6b 00 79 63 b1 70 60 21 29 c7 7b 12 cf aa 5a
> 9e b3 d8 94 01 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
> 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
> 31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
> 30 30 30 31 32 33 34 28 06 00 00 00 01 1e 0b 31
> 32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
> 33 32 31 29 06 00 00 00 00
> Code:       Accounting-Request
> Identifier: 107
> Authentic:  c<177>p`!)<199>{<18><207><170>Z<158><179><216><148>
> Attributes:
>          User-Name = "00-16-cb-8a-a8-7e"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Identifier = "203.63.154.1"
>          NAS-Port = 1234
>          NAS-Port-Type = Async
>          Acct-Session-Id = "00001234"
>          Acct-Status-Type = Start
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          Acct-Delay-Time = 0
>
> Fri Aug  8 13:53:02 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  8 13:53:02 2008: DEBUG:  Adding session for 00-16-cb-8a-
> a8-7e, 203.63.154.1, 1234
> Fri Aug  8 13:53:02 2008: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 13:53:02 2008: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug  8 13:53:02 2008: DEBUG: Accounting accepted
> Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4984 ....
>
> Packet length = 20
> 05 6b 00 14 15 a2 6f bf 5e b5 16 37 f8 ee 7d a0
> f2 55 bc ba
> Code:       Accounting-Response
> Identifier: 107
> Authentic:  <21><162>o<191>^<181><22>7<248><238>}<160><242>U<188><186>
> Attributes:
>
> Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4984 ....
>
> Packet length = 139
> 04 6c 00 8b 4a f5 15 77 c3 d6 39 ad ff 6f d8 3c
> 93 1a d5 0e 01 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
> 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
> 31 05 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30
> 30 30 30 31 32 33 34 28 06 00 00 00 02 1e 0b 31
> 32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
> 33 32 31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a
> 06 00 00 4e 20 2b 06 00 00 75 30
> Code:       Accounting-Request
> Identifier: 108
> Authentic:  J<245><21>w<195><214>9<173><255>o<216><<147><26><213><14>
> Attributes:
>          User-Name = "00-16-cb-8a-a8-7e"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Identifier = "203.63.154.1"
>          NAS-Port = 1234
>          NAS-Port-Type = Async
>          Acct-Session-Id = "00001234"
>          Acct-Status-Type = Stop
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          Acct-Delay-Time = 0
>          Acct-Session-Time = 1000
>          Acct-Input-Octets = 20000
>          Acct-Output-Octets = 30000
>
> Fri Aug  8 13:53:02 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  8 13:53:02 2008: DEBUG:  Deleting session for 00-16-cb-8a-
> a8-7e, 203.63.154.1, 1234
> Fri Aug  8 13:53:02 2008: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug  8 13:53:02 2008: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug  8 13:53:02 2008: DEBUG: Accounting accepted
> Fri Aug  8 13:53:02 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4984 ....
>
> Packet length = 20
> 05 6c 00 14 0b cd bc d8 b0 5c 94 b3 b0 ac f4 25
> 29 4a 19 96
> Code:       Accounting-Response
> Identifier: 108
> Authentic:  <11><205><188><216><176>\<148><179><176><172><244>%)J<25><150>
> Attributes:
> ----------
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco etc 
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
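When an MS-CHAPv2 request is rejected with "bad password" by AuthBy LSA, the first thing worth confirming is that the attributes Radiator handed to the LSA call were well-formed. The following is an added example, not code from this thread or from Radiator: a small Python decoder for the Trace 5 packet dump that unwraps the Microsoft vendor-specific attributes (vendor id 311) and splits MS-CHAP2-Response into the fields laid out in RFC 2548 section 2.3.2 (Ident, Flags, Peer-Challenge, Reserved, NT-Response). The name tables cover only the attributes that appear in the failed Access-Request quoted above, and the embedded hex is that packet as radiusd printed it.

```python
import struct
MS_VENDOR = 311  # Microsoft vendor id used by the MS-CHAP VSAs (RFC 2548)
STD_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
             30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type"}
MS_NAMES = {11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}
# The failed Access-Request exactly as radiusd printed it in the thread (length 181).
FAILED_ACCESS_REQUEST = """
01 6a 00 b5 bc a1 f6 23 00 16 c4 7f c7 a3 04 56
8b 41 22 e6 01 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 06 06 00 00 00 02 04 06 cb
3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31 35 34 2e
31 05 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37
38 39 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00
00 00 00 1a 18 00 00 01 37 0b 12 5b 5d 7c 7d 7b
3f 2f 3e 3c 2c 60 21 32 26 26 28 1a 3a 00 00 01
37 19 34 01 00 21 40 23 24 25 5e 26 2a 28 29 5f
2b 3a 33 7c 7e 00 00 00 00 00 00 00 00 b2 5a 93
ca 1a 8d aa cd fe 0b 74 5c 75 4b 02 c4 c2 f7 3c
24 6c 1b 55 a4
"""

def hexdump_to_bytes(dump):
    """Join the hex lines printed under 'Packet length = N' into raw bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_radius(packet):
    """Return (code, identifier, authenticator, [(name, value), ...]); MS VSAs get their own entries."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d but %d bytes present" % (length, len(packet)))
    attrs, pos = [], 20  # attributes follow the 20-byte header
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: 4-byte vendor id, then vendor type/length/data
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed VSA at offset %d" % pos)
            name = MS_NAMES.get(vtype) if vendor == MS_VENDOR else None
            attrs.append((name or "VSA-%d-%d" % (vendor, vtype), value[6:4 + vlen]))
        else:
            attrs.append((STD_NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return code, ident, packet[4:20], attrs

def unpack_mschap2_response(value):
    """Split the 50-byte MS-CHAP2-Response into the fields the server verifies (RFC 2548 s2.3.2)."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(value))
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18],
            "reserved": value[18:26], "nt_response": value[26:50]}  # reserved must be all zero
```

The NT-Response is the 24 bytes the LSA call recomputes from the account's NT hash, the 16-byte MS-CHAP-Challenge, the Peer-Challenge and the user name; if the structure decodes cleanly and the reserved bytes are zero, the mismatch is in the password hash or domain lookup rather than in the request format.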