[RADIATOR] help with AuthBy LSA failure

Hugh Irvine hugh at open.com.au
Sat Jul 12 03:10:30 CDT 2008


Hello Jason -

Can you please tell me what access server, what version of Windows,  
what version of Perl, and what version of OpenSSL you are running?

There appears to be a problem with whatever access server you are  
running, as the debug below seems to show a broken packet.

If you can send us a trace 5 debug it will help.

regards

Hugh


On 12 Jul 2008, at 01:37, Jason Mueller wrote:

> Hugh (or others),
>
> I am still having authentication issues with the <AuthBy LSA>  
> module and PEAP. The configuration file has not changed from the  
> initial post. I have corrected the SE_TCB_PRIVILEGE error per  
> Hugh's suggestion (thanks). I am not generally in the role of a  
> Windows admin, and I *thought* running the module with an  
> administrator account met the requirement (which is not the same as  
> using the Administrator account). I am not sure if the SSLeay error  
> is expected or not, but it also occurs when using <AuthBy FILE> for  
> the inner authentication, which is successful.
>
> Again . . . any help is appreciated. Thanks.
>
> -Jason
>
>
> Here is the output from the Radiator:
> ----------
> Fri Jul 11 11:09:54 2008: DEBUG: Finished reading configuration  
> file 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2008-08-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Jul 11 11:09:54 2008: DEBUG: Reading dictionary file 'E:/ 
> Radiator/dictionary'
> Fri Jul 11 11:09:54 2008: DEBUG: Creating authentication port  
> 0.0.0.0:1812
> Fri Jul 11 11:09:55 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Jul 11 11:09:55 2008: NOTICE: Server started: Radiator 4.2 on  
> iubiastest (LOCKED)
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Fri Jul 11 11:10:12 2008: DEBUG: Packet dump:
> *** Received from 129.79.9.37 port 1026 ....
> Code:       Access-Request
> Identifier: 27
> Authentic:  <222>@<149><222><243><30>z]CGr"$<18><132><166>
> Attributes:
>         Framed-MTU = 1466
>         NAS-IP-Address = 129.79.9.37
>         NAS-Identifier = "jcm-test"
>         User-Name = "jasmuell"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 24
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "A24"
>         Called-Station-Id = "00-17-a4-bb-07-00"
>         Calling-Station-Id = "00-16-cb-8a-a8-7e"
>         Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 100
>         EAP-Message = <2><23><0><13><1>jasmuell
>         Message-Authenticator = <158><249><239><137><174>q 
> +<149><156>c<130>o"<203><146>C
>         MS-RAS-Vendor = 11
>
> Fri Jul 11 11:10:12 2008: DEBUG: Handling request with Handler ''
> Fri Jul 11 11:10:12 2008: DEBUG:  Deleting session for jasmuell,  
> 129.79.9.37, 24
> Fri Jul 11 11:10:12 2008: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 11 11:10:12 2008: DEBUG: Handling with EAP: code 2, 23, 13, 1
> Fri Jul 11 11:10:12 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at  
> (eval 48) line 1.
> Fri Jul 11 11:10:12 2008: ERR: TLS could not load_verify_locations , :
> Fri Jul 11 11:10:12 2008: DEBUG: EAP result: 1, EAP TLS Could not  
> initialise context
> Fri Jul 11 11:10:12 2008: DEBUG: AuthBy FILE result: REJECT, EAP  
> TLS Could not initialise context
> Fri Jul 11 11:10:12 2008: INFO: Access rejected for jasmuell: EAP  
> TLS Could not initialise context
> Fri Jul 11 11:10:12 2008: DEBUG: Packet dump:
> *** Sending to 129.79.9.37 port 1026 ....
> Code:       Access-Reject
> Identifier: 27
> Authentic:   
> h<253><192>z<193><153><159><147><27>_<148><224><20><26><0>z
> Attributes:
>         Reply-Message = "Request Denied"
> ----------
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
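
Added example, not part of the original message and not Radiator code: a small Python decoder for the EAP-Message value shown in the Access-Request dump above, which checks the EAP header against the "code 2, 23, 13, 1" debug line. It assumes that <NNN> in the trace is one byte written in decimal; the function names are hypothetical.

```python
import re
import struct

# EAP codes and a few method types from RFC 3748 / the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

# Assumption: in the trace, <NNN> is one byte written in decimal and every
# other character is the byte itself.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def decode_trace_bytes(text):
    """Convert trace notation such as '<2><23>abc' into raw bytes."""
    out = bytearray()
    for match in _TOKEN.finditer(text):
        if match.group(1) is not None:
            value = int(match.group(1))
            if value > 255:
                raise ValueError("escape <%d> is not a byte" % value)
            out.append(value)
        else:
            out += match.group(2).encode("latin-1")
    return bytes(out)


def parse_eap(raw):
    """Parse one EAP packet and reject it if the header length is inconsistent."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if length != len(raw):
        raise ValueError("length field says %d, packet has %d bytes" % (length, len(raw)))
    result = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (1, 2):  # only Request and Response carry a type byte
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        result["type"] = EAP_TYPES.get(raw[4], "type %d" % raw[4])
        result["data"] = raw[5:]
    return result


# EAP-Message value copied from the Access-Request dump in the post.
FROM_POST = "<2><23><0><13><1>jasmuell"
# Constructed: the same message with its last three bytes cut off.
TRUNCATED = "<2><23><0><13><1>jasmu"

if __name__ == "__main__":
    print(parse_eap(decode_trace_bytes(FROM_POST)))
```

When an EAP packet is split across several EAP-Message attributes, concatenate their decoded bytes before calling parse_eap, since the length field covers the whole packet.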



