[RADIATOR] help with AuthBy LSA failure

Jason Mueller jasmuell at indiana.edu
Thu Jul 10 12:39:39 CDT 2008


All,

I am having a problem getting an <AuthBy LSA> clause to work properly  
with Active Directory (I think). I am using the LSA module for inner  
authentication of a PEAPv0 authentication request. I don't think there  
is anything wrong with the certificate setup or handling the PEAP  
portion of the authentication dialogue. In order to verify that, I  
used an <AuthBy FILE> clause instead of the LSA module, and  
authentication was successful. I did this because of a few error  
messages that I did not understand.

There is only one domain in our AD configuration, which is named ADS.  
By system policy, we cannot use LM or NTLMv1 authentication protocols,  
only NTLMv2. I found a very old hit regarding NTLMv2 issues and the  
LSA module from 2004 (http://www.open.com.au/pipermail/radiator/2004-December/010607.html),  
but I have no idea if that is relevant. I do not have the authority  
to allow NTLMv1 or LM authentication even on a temporary basis to see  
if that might be the issue.

Any help or suggestions are appreciated.

Here is the configuration file using LSA:
----------
Foreground
LogStdout
LogDir		E:/Radiator
DbDir		E:/Radiator
AuthPort 1812
AcctPort 1813
Trace 		4

# test HP switch
<Client 129.79.9.37>
	Secret [removed]
	DupInterval 0
</Client>

# Allow MS-CHAPv2 inner authentication for PEAP requests
<Handler TunnelledByPEAP=1>
	<AuthBy LSA>
		Domain ADS
		EAPType MSCHAP-V2
	</AuthBy>
</Handler>

# Allow PEAP authentication via handler
<Handler>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP	
		EAPTLS_CAFile %D/certificates/radtest/ThawtePremiumServerCA.crt
		EAPTLS_CertificateFile %D/certificates/radtest/radtest.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/radtest/radtest.key
		EAPTLS_PrivateKeyPassword [removed]	
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		EAPTLS_PEAPVersion 0
	</AuthBy>
</Handler>
----------


Here is the log when using the above configuration:
----------
Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege SE_TCB_PRIVILEGE: A required privilege is not held by the client.

Thu Jul 10 11:35:31 2008: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
This Radiator license will expire on 2008-08-30
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au

Thu Jul 10 11:35:31 2008: DEBUG: Reading dictionary file 'E:/Radiator/dictionary'
Thu Jul 10 11:35:32 2008: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Jul 10 11:35:32 2008: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Jul 10 11:35:32 2008: NOTICE: Server started: Radiator 4.2 on iubiastest (LOCKED)
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: DEBUG: Packet dump:
*** Received from 129.79.9.37 port 1025 ....
Code:       Access-Request
Identifier: 79
Authentic:  a-<197><224><14>@<234><156><179><176>N<153>"<136>{<200>
Attributes:
         Framed-MTU = 1466
         NAS-IP-Address = 129.79.9.37
         NAS-Identifier = "jcm-test"
         User-Name = "jasmuell"
         Service-Type = Framed-User
         Framed-Protocol = PPP
         NAS-Port = 24
         NAS-Port-Type = Ethernet
         NAS-Port-Id = "A24"
         Called-Station-Id = "00-17-a4-bb-07-00"
         Calling-Station-Id = "00-16-cb-8a-a8-7e"
         Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
         Tunnel-Type = 0:VLAN
         Tunnel-Medium-Type = 0:802
         Tunnel-Private-Group-ID = 100
         EAP-Message = <2>+<0><13><1>jasmuell
         Message-Authenticator = <157><191><211>V<168><17><11>b<153>L<18>QM<128><130><168>
         MS-RAS-Vendor = 11

Thu Jul 10 11:36:07 2008: DEBUG: Handling request with Handler ''
Thu Jul 10 11:36:07 2008: DEBUG:  Deleting session for jasmuell, 129.79.9.37, 24
Thu Jul 10 11:36:07 2008: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 11:36:07 2008: DEBUG: Handling with EAP: code 2, 43, 13, 1
Thu Jul 10 11:36:07 2008: DEBUG: Response type 1
Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at (eval 49) line 1.
Thu Jul 10 11:36:07 2008: ERR: TLS could not load_verify_locations , :
Thu Jul 10 11:36:07 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
Thu Jul 10 11:36:07 2008: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could not initialise context
Thu Jul 10 11:36:08 2008: INFO: Access rejected for jasmuell: EAP TLS Could not initialise context
Thu Jul 10 11:36:08 2008: DEBUG: Packet dump:
*** Sending to 129.79.9.37 port 1025 ....
Code:       Access-Reject
Identifier: 79
Authentic:  nq<141><199><144><219><223><231><22><3>+<150><241>8<184>:
Attributes:
         Reply-Message = "Request Denied"
----------
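The log above mixes three unrelated things: a startup error about a privilege the radiusd process could not enable, eight dictionary complaints about a vendor-specific attribute the HP switch sends, and the TLS failure that actually produced the Access-Reject. The following triage script is an added example written for this page (it is not code from the original post nor from Radiator); it pulls those facts out of a Trace 4 log and orders them so a reader can see that the reject came from the outer AuthBy FILE before any AuthBy LSA handling was logged. SAMPLE_LOG is a constructed excerpt reassembled from the lines quoted in the post (the repeated dictionary error is cut to two copies), and the regexes and categories are my own assumptions about how to read such a log, not Radiator documentation.

```python
"""Triage a Radiator debug log (Trace 4) for a rejected EAP request.

Added example, not part of the original post or of Radiator. SAMPLE_LOG is a
constructed excerpt reassembled from the lines quoted in the post; the
regexes and categories below are assumptions about how to read such a log.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege SE_TCB_PRIVILEGE: A required privilege is not held by the client.
Thu Jul 10 11:35:31 2008: DEBUG: Finished reading configuration file 'C:\\Program Files\\Radiator\\radius.cfg'
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: DEBUG: Handling request with Handler ''
Thu Jul 10 11:36:07 2008: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 10 11:36:07 2008: DEBUG: Handling with EAP: code 2, 43, 13, 1
Thu Jul 10 11:36:07 2008: ERR: TLS could not load_verify_locations , :
Thu Jul 10 11:36:07 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
Thu Jul 10 11:36:07 2008: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could not initialise context
Thu Jul 10 11:36:08 2008: INFO: Access rejected for jasmuell: EAP TLS Could not initialise context
"""

# One Radiator log record: "<timestamp>: <LEVEL>: <message>". Lines that do not
# match (license banner, Perl warnings, packet dumps) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): ?(?P<msg>.*)$"
)
PRIV_RE = re.compile(r"Could not AdjustPrivilege (?P<priv>\S+?):")
VSA_RE = re.compile(r"Attribute number (?P<attr>\d+) \(vendor (?P<vendor>\d+)\) is not defined")
TLS_CA_RE = re.compile(r"TLS could not load_verify_locations")
HANDLING_RE = re.compile(r"Handling with Radius::(?P<module>\w+)")
RESULT_RE = re.compile(
    r"AuthBy (?P<authby>\S+) result: (?P<result>ACCEPT|REJECT|IGNORE|CHALLENGE),? ?(?P<reason>.*)"
)
REJECT_RE = re.compile(r"Access rejected for (?P<user>\S+): (?P<reason>.*)")

# Windows user-right names for the privilege constants we expect to see.
RIGHT_NAMES = {"SE_TCB_PRIVILEGE": "Act as part of the operating system"}


def parse(log_text):
    """Yield (level, message) for every well-formed log record."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("level"), m.group("msg")


def triage(log_text):
    """Collect the facts that decide why the request was rejected."""
    report = {
        "startup_privilege_errors": [],   # privileges the process could not enable
        "unknown_vsas": Counter(),        # (vendor, attribute) -> occurrences
        "tls_ca_load_failures": 0,
        "modules_seen": [],               # AuthBy modules that handled the request, in order
        "authby_results": [],             # (module, result, reason)
        "rejection": None,                # (user, reason) from the final INFO line
    }
    for level, msg in parse(log_text):
        if level == "ERR":
            if m := PRIV_RE.search(msg):
                report["startup_privilege_errors"].append(m.group("priv"))
            elif m := VSA_RE.search(msg):
                report["unknown_vsas"][(int(m.group("vendor")), int(m.group("attr")))] += 1
            elif TLS_CA_RE.search(msg):
                report["tls_ca_load_failures"] += 1
        elif level == "DEBUG":
            if m := HANDLING_RE.search(msg):
                report["modules_seen"].append(m.group("module"))
            elif m := RESULT_RE.search(msg):
                report["authby_results"].append(
                    (m.group("authby"), m.group("result"), m.group("reason").strip()))
        elif level == "INFO":
            if m := REJECT_RE.search(msg):
                report["rejection"] = (m.group("user"), m.group("reason").strip())
    return report


def findings(report):
    """Reduce the report to the checks a reader should make, in the order to make them."""
    out = []
    for priv in report["startup_privilege_errors"]:
        out.append(f"startup: the radiusd process token lacks {priv} "
                   f"({RIGHT_NAMES.get(priv, 'unknown user right')}); the module that asked "
                   f"for it at startup cannot use it until the service account holds that right")
    if report["tls_ca_load_failures"]:
        out.append("outer: EAPTLS_CAFile could not be loaded, so no TLS context and no PEAP "
                   "tunnel was built; check the path and that the file is PEM")
    if "AuthLSA" not in report["modules_seen"]:
        out.append("inner: no AuthBy LSA handling was logged, so the TunnelledByPEAP handler "
                   "never ran; the log does not yet say anything about LSA or NTLMv2")
    for (vendor, attr), n in sorted(report["unknown_vsas"].items()):
        out.append(f"noise: VSA vendor {vendor} attribute {attr} is not in the dictionary "
                   f"({n} times); the request was still handled, add the VSA to silence it")
    if report["rejection"]:
        user, reason = report["rejection"]
        out.append(f"result: {user} rejected: {reason}")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run against a full Trace 4 log, the "inner" finding is the one to watch: until a "Handling with Radius::AuthLSA" line appears, the outer EAP-TLS setup is what is failing and nothing about the LSA clause, the domain, or NTLMv2 policy has been exercised yet.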