[RADIATOR] Auth By LDAP against AD
McNealy, Justin S
mcnealy at musc.edu
Tue Apr 20 15:16:06 CDT 2010
Hugh,
We’re having an issue getting our AuthBy LDAP2 against AD working properly. We’re running version 4.5.1 on a RHEL 5 server. We see it doing the lookup, but then we get either a bad password (with TTLS) or "EAP result: 1, Not authenticated by this AuthBy" (with PEAP). It seems like there’s a failure passing the password, but AuthBy NTLM works fine. Our config is below, along with what we were seeing in the trace 4s.
We’re doing this to stem worries that the hold caused by AuthBy NTLM could cause issues. How much havoc does that block cause? Are we chasing our tails to prevent an issue that we most likely will not notice? We have roughly 2000-3000 users a day and are using WPA2 Enterprise.
Any thoughts?
Thanks
Jay
<Client 10.24.97.0/24>
    IdenticalClients 10.24.238.41,10.24.238.42
    Secret fsdfsdfsd
    Identifier wlan
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
    IgnoreAcctSignature 1
</Client>

<AuthBy LDAP2>
    Identifier LDAPAuthentication
    Host aD.Host.clean
    AuthDN CN=Radiator,OU=System Admin,OU=adsf,DC=adsf ,DC=local
    AuthPassword asdfasdfasdf
    BaseDN OU=AD Users,DC=clinlan,DC=local
    UsernameAttr sAMAccountName
    ServerChecksPassword
    #Debug 255
    Timeout 2
    FailureBackoffTime 1
</AuthBy>

<AuthBy NTLM>
    Identifier NTLMAuthentication
    Domain clinlan
    #Group Domain Users
    #DomainController zulu
    EAPType MSCHAP-V2
</AuthBy>

<Handler TunnelledByPEAP=1>
    AuthByPolicy ContinueUntilAccept
    RewriteUsername s/(.*)\\(.*)/$2/
    AuthBy LDAPAuthentication
    AuthBy NTLMAuthentication
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
    #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
    PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
</Handler>

<Handler Client-Identifier=wlan>
    #AuthByPolicy ContinueUntilAccept
    AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
    StripFromRequest Class
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP,TTLS
        EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
        EAPTLS_CertificateFile %D/certificates/production/%h.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
        EAPTLS_PrivateKeyPassword pass
        EAPTLS_VerifyDepth 3
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
        EAPTLS_PEAPVersion 1
        EAPTLS_PEAPBrokenV1Label
        EAPAnonymous %0
    </AuthBy>
    #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
Tue Apr 20 14:51:29 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Tue Apr 20 14:51:29 2010: DEBUG: Rewrote user name to Name
Tue Apr 20 14:51:29 2010: DEBUG: Deleting session for Name, 10.24.238.42, 29
Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthentication
Tue Apr 20 14:51:29 2010: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Apr 20 14:51:29 2010: DEBUG: Response type 26
Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Tue Apr 20 14:51:29 2010: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
Tue Apr 20 14:51:29 2010: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Apr 20 14:51:29 2010: DEBUG: Response type 26
Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 0,
Tue Apr 20 14:51:29 2010: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Apr 20 14:51:29 2010: DEBUG: Access accepted for Name
Tue Apr 20 14:51:29 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: 1<234><183><138><210><208><170><248><161>=<164><249><150><209><26><238>
Attributes:
EAP-Message = <3><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "Name"
Disabling NTLM
Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 looks for match with Name [Name]
Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Name [Name]
Tue Apr 20 15:15:47 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:15:47 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:15:47 2010: INFO: Access rejected for Name: EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:15:47 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <195>{l<182><252><138>m<151><134>E<225><157>i')M
Attributes:
EAP-Message = <4><1><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Tue Apr 20 15:15:47 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:15:47 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:15:47 2010: DEBUG: Access challenged for Name: EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:15:47 2010: DEBUG: Packet dump:
*** Sending to 10.24.238.42 port 32769 ....
Code: Access-Challenge
Identifier: 229
Authentic: <178>]<220><177>d<250>W<220>'<145><174>$<199><2>h<19>
Attributes:
EAP-Message = <1><11><0>+<25><1><23><3><1><0> <216>{<239><130>o3<138>+<129><223>t<130>7<19><171>A(<200><146><191><193>V<255>Z<208>mF<134><162>C<232><5>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
TTLS Authentication
G: Radius::AuthLDAP2 looks for match with Nameoss [Nameoss]
Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: Nameoss [Nameoss]
Tue Apr 20 15:19:08 2010: INFO: Connecting to dc1.emr.co.edu:389
Tue Apr 20 15:19:08 2010: INFO: Attempting to bind to LDAP server dc1.emr.co.edu:389
Tue Apr 20 15:19:08 2010: DEBUG: No entries for DEFAULT found in LDAP database
Tue Apr 20 15:19:08 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Apr 20 15:19:08 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM looks for match with Nameoss [Nameoss]
Tue Apr 20 15:19:08 2010: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute LANMAN-Challenge: 62fd1d38a76dc97e
Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute NT-Response: 5fc23e2aa9e5c1401a805d10051f9c20bfeb2009b4065853
Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute NT-Domain:: ;sdfjk
Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Username:: Yjklssdfjk
Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: Authenticated: Yes
Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: LANMAN-Session-Key: E8A85EB0FD85800C
Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: User-Session-Keykjkljkl;j;jk;jkl;j
Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: .
Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM ACCEPT: : Nameoss [Nameoss]
Tue Apr 20 15:19:08 2010: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Apr 20 15:19:08 2010: DEBUG: Access accepted for Nameoss
Tue Apr 20 15:19:08 2010: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept
PEAP auth.
Tue Apr 20 15:27:05 2010: DEBUG: Radius::AuthLDAP2 looks for match with Nameoss [Nameoss]
Tue Apr 20 15:27:05 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Nameoss [Nameoss]
Tue Apr 20 15:27:05 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:27:05 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:27:05 2010: INFO: Access rejected for Nameoss: EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:27:05 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <136>z<135><133>X<162><215>:#C<186><148><31><224>{<165>
Attributes:
EAP-Message = <4><1><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Tue Apr 20 15:27:05 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:27:05 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:27:05 2010: DEBUG: Access challenged for anonymous: EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:27:05 2010: DEBUG: Packet dump:
*** Sending to 10.24.238.42 port 32769 ....
Code: Access-Challenge
Identifier: 0
Authentic: <161>![j<183><224><248><130><161><2><175><207><186><179><195><131>
Attributes:
EAP-Message = <1><10><0>+<25><1><23><3><1><0> <242>yF<225><136>E<211><198><134><178>Ka<213><220><247><229><171><150><30><227>e<0><151>N<213><15><254>tt<252><17><140>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Apr 20 15:27:05 2010: DEBUG: Calling-Station-Id = 0026.bb02.4b2b
Tue Apr 20 15:27:05 2010: DEBUG: Called-Station-Id = 0027.0d07.cc00:n
Tue Apr 20 15:27:05 2010: DEBUG: Packet dump:
*** Received from 10.24.238.42 port 32769 ....
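The trace 4 output above is long, and with AuthByPolicy ContinueUntilAccept every PEAP or TTLS login produces a rejecting AuthBy LDAP2 step before AuthBy NTLM gets its turn, so it is easy to lose track of which backend actually proved the password. The following script is an added example written for this post, not Radiator's own code: it parses trace-4 lines of the shape quoted above ("AuthBy X result: ..." and "Access accepted/rejected for ...") and reports, per inner authentication attempt, which AuthBy rejected and why and which one accepted. The sample trace embedded in it is constructed from the lines in the post, with the redacted user names kept as they appear ("Name", "Nameoss"); the module and function names are the example's own.

```python
"""Which AuthBy in the PEAP/TTLS inner chain actually proved the password?

Added example, not Radiator code: parses Radiator trace-4 lines like the ones
quoted in the post and reports, per inner authentication attempt, which AuthBy
rejected (and why) and which one accepted. SAMPLE_TRACE is constructed from
the post's own lines; user names are the redacted ones ("Name", "Nameoss").
"""
import re
from collections import Counter

SAMPLE_TRACE = """\
Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthentication
Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Tue Apr 20 14:51:29 2010: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
Tue Apr 20 14:51:29 2010: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Apr 20 14:51:29 2010: DEBUG: Access accepted for Name
Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Name [Name]
Tue Apr 20 15:15:47 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:15:47 2010: INFO: Access rejected for Name: EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:15:47 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:15:47 2010: DEBUG: Access challenged for Name: EAP PEAP inner authentication redispatched to a Handler
Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: Nameoss [Nameoss]
Tue Apr 20 15:19:08 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM ACCEPT: : Nameoss [Nameoss]
Tue Apr 20 15:19:08 2010: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Apr 20 15:19:08 2010: DEBUG: Access accepted for Nameoss
Tue Apr 20 15:27:05 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Apr 20 15:27:05 2010: INFO: Access rejected for Nameoss: EAP MSCHAP-V2 Authentication failure
"""

# "AuthBy <module> result: <RESULT>, <reason>": one line per AuthBy tried in the chain
RESULT_RE = re.compile(
    r'^.*?: DEBUG: AuthBy (?P<module>\S+) result: (?P<result>[A-Z]+),\s*(?P<reason>.*?)\s*$')
# The Handler's final verdict for the inner request
FINAL_RE = re.compile(
    r'^.*?: (?:DEBUG|INFO): Access (?P<outcome>accepted|rejected) for (?P<user>[^:\s]+)'
    r'(?::\s*(?P<reason>.*?))?\s*$')


def parse_attempts(trace):
    """Group trace lines into attempts; each ends at an 'Access accepted/rejected' line."""
    attempts, steps = [], []
    for line in trace.splitlines():
        m = RESULT_RE.match(line)
        if m:
            # CHALLENGE comes from the outer PEAP/TTLS AuthBy asking for the next
            # TLS round; it is not a verdict on the user's credential, so skip it.
            if m['result'] != 'CHALLENGE':
                steps.append((m['module'], m['result'], m['reason']))
            continue
        m = FINAL_RE.match(line)
        if m:
            accepted_by = next((mod for mod, res, _ in steps if res == 'ACCEPT'), None)
            attempts.append({'user': m['user'], 'outcome': m['outcome'],
                             'steps': steps, 'accepted_by': accepted_by})
            steps = []
    return attempts


def accepted_by_summary(attempts):
    """How many attempts each AuthBy finally accepted (None = rejected outright)."""
    return Counter(a['accepted_by'] for a in attempts)


def ldap_reject_reasons(attempts):
    """Why AuthBy LDAP2 rejected. With ServerChecksPassword it can only check a
    plaintext (PAP) password by binding to the directory as the user; an MSCHAP-V2
    challenge/response never carries one, so under ContinueUntilAccept each such
    attempt is rejected here first and only then handed to AuthBy NTLM."""
    return Counter(reason for a in attempts
                   for mod, res, reason in a['steps'] if mod == 'LDAP2' and res == 'REJECT')


if __name__ == '__main__':
    found = parse_attempts(SAMPLE_TRACE)
    for a in found:
        chain = ' -> '.join(f'{mod}:{res}' for mod, res, _ in a['steps'])
        print(f"{a['user']:8} {a['outcome']:8} accepted_by={a['accepted_by']}: {chain}")
    print('accepted by:', dict(accepted_by_summary(found)))
    print('LDAP2 reject reasons:', dict(ldap_reject_reasons(found)))
```

Run against a real trace-4 file (`parse_attempts(open('radiator.log').read())`), `accepted_by_summary` tells you how often NTLM, rather than LDAP2, is the backend that actually verified the credential, and `ldap_reject_reasons` shows whether the LDAP2 rejects are password mismatches or the structural "EAP MSCHAP-V2 Authentication failure" / "Bad Encrypted password" cases. Note that ContinueUntilAccept hides that distinction from the client: the user is accepted either way, so the log is the only place the per-backend result is visible.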