[RADIATOR] help with AuthBy LSA failure

Hugh Irvine hugh at open.com.au
Thu Jul 10 20:56:00 CDT 2008


Hello Jason -

The relevant line in the debug is the first:

> Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege  
> SE_TCB_PRIVILEGE: A required privilege is not held by the client.
>

See section 5.51 in the Radiator 4.2 reference manual ("doc/ref.pdf").

regards

Hugh


On 11 Jul 2008, at 03:39, Jason Mueller wrote:

> All,
>
> I am having a problem getting an <AuthBy LSA> clause to work  
> properly with Active Directory (I think). I am using the LSA module  
> for inner authentication of a PEAPv0 authentication request. I  
> don't think there is anything wrong with the certificate setup or  
> handling the PEAP portion of the authentication dialogue. In order  
> to verify that, I used an <AuthBy FILE> clause instead of the LSA  
> module, and authentication was successful. I did this because of a  
> few error messages that I did not understand.
>
> There is only one domain in our AD configuration, which is named  
> ADS. By system policy, we cannot use LM or NTLMv1 authentication  
> protocols, only NTLMv2. I found a very old hit regarding NTLMv2  
> issues and the LSA module from 2004 (http://www.open.com.au/pipermail/radiator/2004-December/010607.html),
> but I have no idea  
> if that is relevant. I do not have the authority to allow NTLMv1 or  
> LM authentication even on a temporary basis to see if that might be  
> the issue.
>
> Any help or suggestions are appreciated.
>
> Here is the configuration file using LSA:
> ----------
> Foreground
> LogStdout
> LogDir		E:/Radiator
> DbDir		E:/Radiator
> AuthPort 1812
> AcctPort 1813
> Trace 		4
>
> # test HP switch
> <Client 129.79.9.37>
> 	Secret [removed]
> 	DupInterval 0
> </Client>
>
> # Allow MS-CHAPv2 inner authentication for PEAP requests
> <Handler TunnelledByPEAP=1>
> 	<AuthBy LSA>
> 		Domain ADS
> 		EAPType MSCHAP-V2
> 	</AuthBy>
> </Handler>
>
> # Allow PEAP authentication via handler
> <Handler>
> 	<AuthBy FILE>
> 		Filename %D/users
> 		EAPType PEAP	
> 		EAPTLS_CAFile %D/certificates/radtest/ThawtePremiumServerCA.crt
> 		EAPTLS_CertificateFile %D/certificates/radtest/radtest.crt
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile %D/certificates/radtest/radtest.key
> 		EAPTLS_PrivateKeyPassword [removed]	
> 		EAPTLS_MaxFragmentSize 1000
> 		AutoMPPEKeys
> 		EAPTLS_PEAPVersion 0
> 	</AuthBy>
> </Handler>
> ----------
>
>
> Here is the log when using the above configuration:
> ----------
> Thu Jul 10 11:35:31 2008: ERR: Could not AdjustPrivilege  
> SE_TCB_PRIVILEGE: A required privilege is not held by the client.
>
> Thu Jul 10 11:35:31 2008: DEBUG: Finished reading configuration  
> file 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2008-08-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Thu Jul 10 11:35:31 2008: DEBUG: Reading dictionary file 'E:/ 
> Radiator/dictionary'
> Thu Jul 10 11:35:32 2008: DEBUG: Creating authentication port  
> 0.0.0.0:1812
> Thu Jul 10 11:35:32 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jul 10 11:35:32 2008: NOTICE: Server started: Radiator 4.2 on  
> iubiastest (LOCKED)
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Thu Jul 10 11:36:07 2008: DEBUG: Packet dump:
> *** Received from 129.79.9.37 port 1025 ....
> Code:       Access-Request
> Identifier: 79
> Authentic:  a-<197><224><14>@<234><156><179><176>N<153>"<136>{<200>
> Attributes:
>         Framed-MTU = 1466
>         NAS-IP-Address = 129.79.9.37
>         NAS-Identifier = "jcm-test"
>         User-Name = "jasmuell"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 24
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "A24"
>         Called-Station-Id = "00-17-a4-bb-07-00"
>         Calling-Station-Id = "00-16-cb-8a-a8-7e"
>         Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 100
>         EAP-Message = <2>+<0><13><1>jasmuell
>         Message-Authenticator =  
> <157><191><211>V<168><17><11>b<153>L<18>QM<128><130><168>
>         MS-RAS-Vendor = 11
>
> Thu Jul 10 11:36:07 2008: DEBUG: Handling request with Handler ''
> Thu Jul 10 11:36:07 2008: DEBUG:  Deleting session for jasmuell,  
> 129.79.9.37, 24
> Thu Jul 10 11:36:07 2008: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 10 11:36:07 2008: DEBUG: Handling with EAP: code 2, 43, 13, 1
> Thu Jul 10 11:36:07 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at  
> (eval 49) line 1.
> Thu Jul 10 11:36:07 2008: ERR: TLS could not load_verify_locations , :
> Thu Jul 10 11:36:07 2008: DEBUG: EAP result: 1, EAP TLS Could not  
> initialise context
> Thu Jul 10 11:36:07 2008: DEBUG: AuthBy FILE result: REJECT, EAP  
> TLS Could not initialise context
> Thu Jul 10 11:36:08 2008: INFO: Access rejected for jasmuell: EAP  
> TLS Could not initialise context
> Thu Jul 10 11:36:08 2008: DEBUG: Packet dump:
> *** Sending to 129.79.9.37 port 1025 ....
> Code:       Access-Reject
> Identifier: 79
> Authentic:  nq<141><199><144><219><223><231><22><3>+<150><241>8<184>:
> Attributes:
>         Reply-Message = "Request Denied"
> ----------
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
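The "Could not AdjustPrivilege SE_TCB_PRIVILEGE" error means the account Radiator runs under has not been granted the "Act as part of the operating system" user right (SeTcbPrivilege), which AuthBy LSA needs and which the manual section above describes how to assign. Because that right is one of the most powerful on a Windows host, an administrator fixing this will want to see exactly which accounts already hold it and keep the grant limited to the dedicated Radiator service account. The script below is an added example, not code from the thread or from Radiator; it assumes an elevated PowerShell session on the Radiator host and uses only `secedit /export` and .NET SID translation.

```powershell
# Added example (not from the thread or from Radiator): list which accounts
# hold SeTcbPrivilege, the user right behind SE_TCB_PRIVILEGE that AuthBy LSA
# requires. Run from an elevated PowerShell prompt on the Radiator host.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is an INI-style file; the line of interest looks like
#   SeTcbPrivilege = *S-1-5-21-...-1105,DOMAIN\svc-radiator
$line = Select-String -Path $inf -Pattern '^SeTcbPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeTcbPrivilege is assigned to no account on this host.'
    Write-Output 'Grant it to the Radiator service account only (see the manual section on AuthBy LSA).'
    return
}

# Holders are comma-separated; SIDs carry a leading '*', names are bare.
$holders = ($line.Line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $holders) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # Resolve the SID to an account name where the host can translate it
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$entry (unresolved SID)"
        }
    } else {
        $name = $entry
    }
    Write-Output "SeTcbPrivilege held by: $name"
}

# Assumption: replace with the account shown for the Radiator service in
# services.msc, then confirm it appears in the list above and nothing
# unexpected does.
Write-Output 'Compare this list against the account Radiator runs as (placeholder: DOMAIN\svc-radiator).'
```

If the Radiator service account is missing from the list, the LSA error in the log is expected; if accounts that do not need the right appear, that is a least-privilege finding worth cleaning up at the same time.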