(RADIATOR) AuthBy LSA Config Issues
Hugh Irvine
hugh at open.com.au
Tue Mar 18 16:19:22 CST 2008
Hello Steve -
Thanks for your mail.
The log file appears to show that LSA is not even being queried -
Radiator gets to the point of receiving the "inner" request and
sending back a challenge, but then hears nothing further from the
client.
More comments below.
On 19 Mar 2008, at 07:08, Caporossi, Stephen G. wrote:
> Mike and Hugh,
>
> I need help with authenticating to Active Directory. I have tried
> the default AuthByLSA config and cannot seem to get it to
> authenticate to the domain. If I add a local user on the machine,
> it works fine.
>
How are you adding the local user?
> Radiator Version: 4.2
> OS: Windows XP SP2 (fully patched)
> Perl Version: Active State 5.8.8 (All necessary Radiator modules
> installed)
> Laptop Client: Odyssey 4.51
> Trying to: use AuthBy LSA along with PEAP and MSCHAP-V2
>
> Questions:
>
> Does the workstation/server Radiator resides on need to be part of
> the AD domain? I don’t think it does since Radiator can handle
> requests to multiple domains (or at least the documentation leads
> me to believe this).
No - although it does require sufficient privileges.
> Assuming we can get this working, does every possible domain user
> name need to reside in the users file? If not, is it sufficient to
> just have ‘anonymous Encrypted-Password=nevermatch’ (assuming we
> don’t do anything too fancy)?
No. If you are using an AuthBy FILE for the outer requests you only
need what you show above.
> Do the passwords need to be stored using reversible encryption if
> using MSCHAP-V2?
No.
> If a working solution is found can radpwtst be used to test? I
> tried testing with it earlier but there does not seem to be a place
> to put the outer ‘anonymous’ user name.
>
I don't believe so - here is the help for radpwtst:
Radiator-4.2 hugh$ perl radpwtst -h
usage: radpwtst [-h] [-time] [-iterations n]
    [-trace [level]] [-s server] [-secret secret]
    [-noauth] [-noacct] [-nostart] [-nostop] [-status]
    [-chap] [-mschap] [-mschapv2] [-eapmd5] [-eapotp] [-eapgtc] [-sip]
    [-eaphex xxxxxxxxxxxxx]
    [-accton] [-acctoff] [-framed_ip_address address]
    [-auth_port port] [-acct_port port] [-identifier n]
    [-user username] [-password password]
    [-nas_ip_address address] [-nas_identifier string]
    [-nas_port port] [-nas_port_type type] [-service_type service]
    [-calling_station_id string] [-called_station_id string]
    [-session_id string] [-interactive]
    [-delay_time n] [-session_time n] [-input_octets n]
    [-output_octets n] [-timeout n] [-dictionary file,file]
    [-gui] [-class string] [-useoldascendpasswords]
    [-code requestcode] [-raw data] [-rawfile filename]
    [-rawfileseq filename]
    [-outport port] [-bind_address dotted-ip-address]
    [-options optionfile]
    [attribute=value]...
regards
Hugh
>
> Thanks,
> Steve
> (Log file and radius.cfg attached)
>
>
> <logfile><radius.cfg>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
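An example of the outer/inner split Hugh describes above (PEAP outer request handled by AuthBy FILE with the single anonymous user, inner MSCHAP-V2 request handled by AuthBy LSA against the domain), added here as an illustration; it is not Steve's attached radius.cfg and not a file shipped with Radiator. The certificate paths, the domain name OPEN, the shared secret and the log directory are placeholders, and the parameter names are assumed to match those documented for Radiator 4.x; check them against doc/ref.html before relying on this.

```text
# Example radius.cfg for PEAP + MSCHAP-V2 with the inner request checked
# via the Windows LSA. Added example, not from the original post.
# Paths, domain name and secret are placeholders.
Foreground
LogStdout
LogDir  C:/Radiator/logs
DbDir   C:/Radiator
Trace   4

<Client DEFAULT>
    Secret  mysecret
</Client>

# Inner (tunnelled) request: carries the real user name and the MSCHAP-V2
# response, which AuthBy LSA checks against the domain. The host running
# Radiator needs the privilege to do this but need not be a domain member.
<Handler TunnelledByPEAP=1>
    <AuthBy LSA>
        Domain   OPEN
        EAPType  MSCHAP-V2
        AutoMPPEKeys
    </AuthBy>
</Handler>

# Outer request: only the anonymous outer identity is seen here, so a
# one-line users file is sufficient. This AuthBy sets up the TLS tunnel
# and passes the decrypted inner request to the Handler above.
<Handler>
    <AuthBy FILE>
        Filename                  %D/users
        EAPType                   PEAP
        EAPTLS_CAFile             %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        AutoMPPEKeys
    </AuthBy>
</Handler>

# Contents of %D/users (the outer users file), exactly as proposed in the
# thread: the password can never match, so only the EAP tunnel is set up.
# anonymous Encrypted-Password=nevermatch
```

With Trace 4, a working exchange shows the outer Access-Request for "anonymous", the TLS handshake, and then a separate inner request for the real domain user reaching the TunnelledByPEAP handler; a log that stops after the first Access-Challenge, as in Steve's case, means the supplicant never continued the handshake (typically a server certificate or trust problem on the client), not that LSA rejected the user.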