[RADIATOR] help with AuthBy LSA failure
Hugh Irvine
hugh at open.com.au
Thu Jul 10 20:56:00 CDT 2008
Hello Jason -
The relevant line in the debug is the first:
> Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege
> SE_TCB_PRIVILEGE: A required privilege is not held by the client.
>
See section 5.51 in the Radiator 4.2 reference manual ("doc/ref.pdf").
regards
Hugh
On 11 Jul 2008, at 03:39, Jason Mueller wrote:
> All,
>
> I am having a problem getting an <AuthBy LSA> clause to work
> properly with Active Directory (I think). I am using the LSA module
> for inner authentication of a PEAPv0 authentication request. I
> don't think there is anything wrong with the certificate setup or
> handling the PEAP portion of the authentication dialogue. In order
> to verify that, I used an <AuthBy FILE> clause instead of the LSA
> module, and authentication was successful. I did this because of a
> few error messages that I did not understand.
>
> There is only one domain in our AD configuration, which is named
> ADS. By system policy, we cannot use LM or NTLMv1 authentication
> protocols, only NTLMv2. I found a very old hit regarding NTLMv2
> issues and the LSA module from 2004 (http://www.open.com.au/
> pipermail/radiator/2004-December/010607.html), but I have no idea
> if that is relevant. I do not have the authority to allow NTLMv1 or
> LM authentication even on a temporary basis to see if that might be
> the issue.
>
> Any help or suggestions are appreciated.
>
> Here is the configuration file using LSA:
> ----------
> Foreground
> LogStdout
> LogDir E:/Radiator
> DbDir E:/Radiator
> AuthPort 1812
> AcctPort 1813
> Trace 4
>
> # test HP switch
> <Client 129.79.9.37>
> Secret [removed]
> DupInterval 0
> </Client>
>
> # Allow MS-CHAPv2 inner authentication for PEAP requests
> <Handler TunnelledByPEAP=1>
> <AuthBy LSA>
> Domain ADS
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> # Allow PEAP authentication via handler
> <Handler>
> <AuthBy FILE>
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/radtest/ThawtePremiumServerCA.crt
> EAPTLS_CertificateFile %D/certificates/radtest/radtest.crt
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/radtest/radtest.key
> EAPTLS_PrivateKeyPassword [removed]
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> EAPTLS_PEAPVersion 0
> </AuthBy>
> </Handler>
> ----------
>
>
> Here is the log when using the above configuration:
> ----------
> Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege
> SE_TCB_PRIVILEGE: A required privilege is not held by the client.
>
> Thu Jul 10 11:35:31 2008: DEBUG: Finished reading configuration
> file 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2008-08-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Thu Jul 10 11:35:31 2008: DEBUG: Reading dictionary file 'E:/
> Radiator/dictionary'
> Thu Jul 10 11:35:32 2008: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Thu Jul 10 11:35:32 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jul 10 11:35:32 2008: NOTICE: Server started: Radiator 4.2 on
> iubiastest (LOCKED)
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: DEBUG: Packet dump:
> *** Received from 129.79.9.37 port 1025 ....
> Code: Access-Request
> Identifier: 79
> Authentic: a-<197><224><14>@<234><156><179><176>N<153>"<136>{<200>
> Attributes:
> Framed-MTU = 1466
> NAS-IP-Address = 129.79.9.37
> NAS-Identifier = "jcm-test"
> User-Name = "jasmuell"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 24
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "A24"
> Called-Station-Id = "00-17-a4-bb-07-00"
> Calling-Station-Id = "00-16-cb-8a-a8-7e"
> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 100
> EAP-Message = <2>+<0><13><1>jasmuell
> Message-Authenticator =
> <157><191><211>V<168><17><11>b<153>L<18>QM<128><130><168>
> MS-RAS-Vendor = 11
>
> Thu Jul 10 11:36:07 2008: DEBUG: Handling request with Handler ''
> Thu Jul 10 11:36:07 2008: DEBUG: Deleting session for jasmuell,
> 129.79.9.37, 24
> Thu Jul 10 11:36:07 2008: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 10 11:36:07 2008: DEBUG: Handling with EAP: code 2, 43, 13, 1
> Thu Jul 10 11:36:07 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at
> (eval 49) line 1.
> Thu Jul 10 11:36:07 2008: ERR: TLS could not load_verify_locations , :
> Thu Jul 10 11:36:07 2008: DEBUG: EAP result: 1, EAP TLS Could not
> initialise context
> Thu Jul 10 11:36:07 2008: DEBUG: AuthBy FILE result: REJECT, EAP
> TLS Could not initialise context
> Thu Jul 10 11:36:08 2008: INFO: Access rejected for jasmuell: EAP
> TLS Could not initialise context
> Thu Jul 10 11:36:08 2008: DEBUG: Packet dump:
> *** Sending to 129.79.9.37 port 1025 ....
> Code: Access-Reject
> Identifier: 79
> Authentic: nq<141><199><144><219><223><231><22><3>+<150><241>8<184>:
> Attributes:
> Reply-Message = "Request Denied"
> ----------
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
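As an added example (not from this thread and not Radiator's own code), a small Python triage script that parses trace 4 log lines like the ones quoted above, keeps only the ERR lines, and maps the three error signatures that appear in this post to a short hint, counting repeats instead of printing each one. The sample log is constructed from the post's lines with the wrapped lines rejoined; the hint wording is the example's own.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the trace 4 log quoted in the post
# (lines that were wrapped by the mail client are rejoined here).
SAMPLE_LOG = """\
Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege SE_TCB_PRIVILEGE: A required privilege is not held by the client.
Thu Jul 10 11:35:31 2008: DEBUG: Finished reading configuration file 'C:\\Program Files\\Radiator\\radius.cfg'
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is not defined in your dictionary
Thu Jul 10 11:36:07 2008: ERR: TLS could not load_verify_locations , :
Thu Jul 10 11:36:08 2008: INFO: Access rejected for jasmuell: EAP TLS Could not initialise context
"""

# "Thu Jul 10 11:35:31 2008: LEVEL: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")

# Known ERR signatures from this thread and the hint to attach to each.
HINTS = [
    (re.compile(r"AdjustPrivilege SE_TCB_PRIVILEGE"),
     "AuthBy LSA needs SE_TCB_PRIVILEGE (Windows 'Act as part of the operating "
     "system'); see Radiator 4.2 ref.pdf section 5.51"),
    (re.compile(r"Attribute number \d+ \(vendor \d+\) is not defined"),
     "vendor-specific attribute missing from the Radiator dictionary file"),
    (re.compile(r"TLS could not load_verify_locations"),
     "EAP-TLS CA file could not be loaded; check the EAPTLS_CAFile path"),
]

def parse_lines(text):
    """Yield (timestamp, level, message) for lines in Radiator log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")

def triage(text):
    """Return {hint: count} for ERR lines that match a known signature."""
    counts = Counter()
    for _ts, level, msg in parse_lines(text):
        if level != "ERR":
            continue
        for pattern, hint in HINTS:
            if pattern.search(msg):
                counts[hint] += 1
                break
    return dict(counts)

if __name__ == "__main__":
    for hint, n in triage(SAMPLE_LOG).items():
        print(f"{n:3d}x {hint}")
```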