(RADIATOR) AuthBy LSA Config Issues

Caporossi, Stephen G. capoross at musc.edu
Tue Mar 25 11:17:14 CST 2008


Hugh,

It fails without EAP as well. I asked the AD guys to look and they do not see any failures. Almost as if the request is not getting to the DC.

I set up another handler and client using our VPN for testing. The message changed a bit; it is now "Could not LogonUserNetworkPAP":

Tue Mar 25 11:21:39 2008: WARNING: Could not LogonUserNetworkPAP: Logon failure: unknown user name or bad password.
Tue Mar 25 11:21:39 2008: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed: testuser [testuser]
Tue Mar 25 11:21:39 2008: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA Password check failed
Tue Mar 25 11:21:39 2008: INFO: Access rejected for testuser: AuthBy LSA Password check failed

I have attached the logs and radius config I am using. I also verified that the permissions are set for "Access this
computer from the network" on the machine Radiator is running on.

Steve
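The two LSA warnings quoted in this thread carry different amounts of detail: the MSCHAP-V2 one includes a numeric NTSTATUS (3221225581, which is 0xC000006D, STATUS_LOGON_FAILURE), while the PAP one only carries the message text. 0xC000006D is the generic "unknown user name or bad password" result: whichever authority LSA consulted (the local SAM or a domain controller) evaluated the credentials and rejected them. A DC that could not be reached at all surfaces as 0xC000005E (STATUS_NO_LOGON_SERVERS), and an account that lacks "Access this computer from the network" on the Radiator host as 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED). The script below is an added example written for this page, not part of the thread and not Radiator code: it decodes the decimal status from trace 4 lines and sorts each failure into a triage bucket. The sample log is assembled from the lines quoted in this thread, rejoined onto single lines; the bucket names and hint wording are the example's own.

```python
"""Triage AuthBy LSA rejections from a Radiator trace-4 log.

Added example for this thread, not Radiator code. It decodes the decimal
NTSTATUS Radiator prints after a failed LogonUserNetwork* call and sorts each
failure into a bucket that says where to look next.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# NTSTATUS codes LSA commonly returns for a failed network logon.
# Radiator logs the status as an unsigned decimal, e.g. 3221225581 == 0xC000006D.
NTSTATUS_NAMES = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Troubleshooting hints for the statuses that matter in this thread (example's own wording).
HINTS = {
    "STATUS_LOGON_FAILURE": "credentials were evaluated and rejected by the authority LSA "
                            "consulted (local SAM or a DC); this is not the 'DC unreachable' "
                            "code, so check the domain the AuthBy LSA clause passes and the "
                            "user name/password",
    "STATUS_NO_LOGON_SERVERS": "no domain controller could be reached from the Radiator host",
    "STATUS_LOGON_TYPE_NOT_GRANTED": "the account lacks 'Access this computer from the "
                                     "network' on the Radiator host",
}

# "Could not LogonUserNetworkPAP: <msg>" or
# "Could not LogonUserNetworkMSCHAP (V2): <status>, <substatus>, <msg>"
LSA_RE = re.compile(
    r"WARNING: Could not (?P<func>LogonUserNetwork[A-Za-z0-9]+(?: \(V2\))?):"
    r"(?: (?P<status>\d+), (?P<substatus>\d+),)? (?P<msg>.*)$"
)
TLS_RE = re.compile(r"ERR: TLS could not load_verify_locations (?P<args>.*)$")


@dataclass
class Finding:
    timestamp: str
    bucket: str
    detail: str


def ntstatus_name(decimal_status: str) -> str:
    """Render Radiator's decimal NTSTATUS as hex plus its symbolic name."""
    code = int(decimal_status) & 0xFFFFFFFF
    return f"0x{code:08X} {NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')}"


def triage_line(line: str) -> Optional[Finding]:
    """Classify one trace line; return None for lines that are not a root-cause signal."""
    timestamp = line.split(": ", 1)[0]
    m = LSA_RE.search(line)
    if m:
        detail = f"{m['func']} failed: {m['msg']}"
        if m["status"]:
            name = ntstatus_name(m["status"])
            detail += f" [{name}]"
            hint = HINTS.get(name.split(" ", 1)[1])
            if hint:
                detail += f" -> {hint}"
        return Finding(timestamp, "lsa-logon-failure", detail)
    m = TLS_RE.search(line)
    if m:
        # Two empty fields in the message suggest an empty CA file and CA path; the
        # TLS context for PEAP never initialises, so LSA is never even asked.
        return Finding(timestamp, "eap-tls-context",
                       f"OpenSSL could not load the CA file/path given as '{m['args'].strip()}'; "
                       "the PEAP server context never initialises, so LSA is never asked")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the root-cause lines."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


# Constructed sample: the failure lines quoted in this thread, rejoined onto
# single lines as Radiator writes them.
SAMPLE_LOG = """\
Wed Mar 19 10:57:09 2008: ERR: TLS could not load_verify_locations , :
Wed Mar 19 10:57:09 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
Mon Mar 24 11:13:09 2008: DEBUG: Radius::AuthLSA ACCEPT: : testuser [anonymous]
Mon Mar 24 11:13:09 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Tue Mar 25 11:21:39 2008: WARNING: Could not LogonUserNetworkPAP: Logon failure: unknown user name or bad password.
Tue Mar 25 11:21:39 2008: INFO: Access rejected for testuser: AuthBy LSA Password check failed
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.bucket:18}  {f.detail}")
```

Run it against a real trace 4 log with `triage(open("logs.txt").read())`; the PAP path in the thread gives no numeric status, so for that case the script can only report the message text, which is why Hugh's suggestion of a plain AuthBy LSA test (no EAP) is best paired with a trace where the MSCHAP-V2 path prints the NTSTATUS.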

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Monday, March 24, 2008 8:15 PM
To: Caporossi, Stephen G.
Subject: Re: (RADIATOR) AuthBy LSA Config Issues


Hi Steve -

Thanks for the additional information.

This looks like a problem with the way the AuthBy LSA clause is
configured (or the permissions of the workstation).

I suggest you set up a simple test configuration file that only does
AuthBy LSA for a normal user (no EAP) and get that working first.

BTW - what version of Windows XP are you using? You need XP Pro, not
XP Home.

For full details see section 5.51 in the Radiator 4.2 reference
manual ("doc/ref.pdf").

regards

Hugh




On 25 Mar 2008, at 02:27, Caporossi, Stephen G. wrote:
> Hugh,
>
> I've been out sick and am just now getting back to work.
>
> I did do some research and found some other config examples to work
> with. I am now getting to the handler but still am not having any
> luck.
>
> Mon Mar 24 11:13:08 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Mon Mar 24 11:13:08 2008: DEBUG:  Deleting session for anonymous, 10.24.70.26, 29
> Mon Mar 24 11:13:08 2008: DEBUG: Handling with Radius::AuthLSA:
> Mon Mar 24 11:13:09 2008: DEBUG: Handling with EAP: code 2, 12, 63, 26
> Mon Mar 24 11:13:09 2008: DEBUG: Response type 26
> Mon Mar 24 11:13:09 2008: DEBUG: Radius::AuthLSA looks for match with testuser [anonymous]
> Mon Mar 24 11:13:09 2008: DEBUG: Radius::AuthLSA ACCEPT: : testuser [anonymous]
> Mon Mar 24 11:13:09 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
>
> Mon Mar 24 11:13:09 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Mon Mar 24 11:13:09 2008: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
> Mon Mar 24 11:13:09 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>
>
>
> I attached the config and logs.
>
> Thanks,
> Steve
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, March 19, 2008 5:52 PM
> To: Caporossi, Stephen G.
> Subject: Re: (RADIATOR) AuthBy LSA Config Issues
>
>
> Hello Steve -
>
> This usually indicates that not all prerequisites have been installed.
>
> You should run radiusd like this from a terminal window so you can
> see what is happening:
>
>         cd C:\Radiator\Radiator-4.2
>
>         perl radiusd -foreground -log_stdout -trace 4 -config_file your_configuration_file
>
>         .....
>
> You will then see the trace 4 debug as well as any Perl error
> messages.
>
> regards
>
> Hugh
>
>
> On 20 Mar 2008, at 03:23, Caporossi, Stephen G. wrote:
>> Hugh,
>>
>> I changed the config and now it seems to be hitting the AuthBy LSA.
>> However, I get the following message:
>>
>> Wed Mar 19 10:57:09 2008: ERR: TLS could not load_verify_locations , :
>> Wed Mar 19 10:57:09 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
>> Wed Mar 19 10:57:09 2008: DEBUG: AuthBy LSA result: REJECT, EAP TLS Could not initialise context
>> Wed Mar 19 10:57:09 2008: INFO: Access rejected for anonymous: EAP TLS Could not initialise context
>> Wed Mar 19 10:57:09 2008: DEBUG: Returned PEAP tunnelled packet dump:
>> Code:       Access-Reject
>>
>> Config is attached.
>>
>> I did some google searches on the site, and tried tweaking the
>> certificate path and file but still did not get past this.
>>
>> Thanks,
>> Steve
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Tuesday, March 18, 2008 6:19 PM
>> To: Caporossi, Stephen G.
>> Cc: radiator (radiator at open.com.au)
>> Subject: Re: (RADIATOR) AuthBy LSA Config Issues
>>
>>
>> Hello Steve -
>>
>> Thanks for your mail.
>>
>> The log file appears to show that LSA is not even being queried -
>> Radiator gets to the point of receiving the "inner" request and
>> sending back a challenge, but then hears nothing further from the
>> client.
>>
>> More comments below.
>>
>>
>> On 19 Mar 2008, at 07:08, Caporossi, Stephen G. wrote:
>>
>>> Mike and Hugh,
>>>
>>> I need help with authenticating to Active Directory. I have tried
>>> the default AuthByLSA config and cannot seem to get it to
>>> authenticate to the domain. If I add a local user on the machine,
>>> it works fine.
>>>
>>
>> How are you adding the local user?
>>
>>> Radiator Version:  4.2
>>> OS:  Windows XP SP2 (fully patched)
>>> Perl Version:  ActiveState 5.8.8 (All necessary Radiator modules
>>> installed)
>>> Laptop Client:  Odyssey 4.51
>>> Trying to:  use AuthBy LSA along with PEAP and MSCHAP-V2
>>>
>>> Questions:
>>>
>>> Does the workstation/server Radiator resides on need to be part of
>>> the AD domain?  I don't think it does since Radiator can handle
>>> requests to multiple domains (or at least the documentation leads
>>> me to believe this).
>>
>> No - although it does require sufficient privileges.
>>
>>> Assuming we can get this working, does every possible domain user
>>> name need to reside in the users file?  If not, is it sufficient to
>>> just have 'anonymous Encrypted-Password=nevermatch' (assuming we
>>> don't do anything too fancy)?
>>
>> No. If you are using an AuthBy FILE for the outer requests you only
>> need what you show above.
>>
>>> Do the passwords need to be stored using reversible encryption if
>>> using MSCHAP-V2?
>>
>> No.
>>
>>> If a working solution is found can radpwtst be used to test?  I
>>> tried testing with it earlier but there does not seem to be a place
>>> to put the outer 'anonymous' user name.
>>>
>>
>> I don't believe so - here is the help for radpwtst:
>>
>> Radiator-4.2 hugh$ perl radpwtst -h
>>
>> usage: radpwtst [-h] [-time] [-iterations n]
>>            [-trace [level]] [-s server] [-secret secret]
>>            [-noauth] [-noacct][-nostart] [-nostop] [-status]
>>            [-chap] [-mschap] [-mschapv2] [-eapmd5] [-eapotp] [-eapgtc] [-sip]
>>            [-eaphex xxxxxxxxxxxxx]
>>            [-accton] [-acctoff] [-framed_ip_address address]
>>            [-auth_port port] [-acct_port port] [-identifier n]
>>            [-user username] [-password password]
>>            [-nas_ip_address address] [-nas_identifier string]
>>            [-nas_port port] [-nas_port_type type] [-service_type service]
>>            [-calling_station_id string] [-called_station_id string]
>>            [-session_id string] [-interactive]
>>            [-delay_time n] [-session_time n] [-input_octets n]
>>            [-output_octets n] [-timeout n] [-dictionary file,file]
>>            [-gui] [-class string] [-useoldascendpasswords]
>>            [-code requestcode] [-raw data] [-rawfile filename]
>>            [-rawfileseq filename]
>>            [-outport port] [-bind_address dotted-ip-address]
>>            [-options optionfile]
>>            [attribute=value]...
>>
>> regards
>>
>> Hugh
>>
>>
>>>
>>> Thanks,
>>> Steve
>>> (Log file and radius.cfg attached)
>>>
>>>
>>> <logfile><radius.cfg>
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>> <radius.cfg>
>
>
>
> <032408.log><radius.cfg>




Attachments (text scrubbed by the list archive):
logs.txt: http://www.open.com.au/pipermail/radiator/attachments/20080325/5a12e671/attachment.txt
radiuscfg.txt: http://www.open.com.au/pipermail/radiator/attachments/20080325/5a12e671/attachment-0001.txt