[RADIATOR] Authby LSA help
Pearson, Mark
mark.pearson at ntu.ac.uk
Fri Aug 20 10:10:35 CDT 2010
Hi, I currently have Radiator for Windows 4.3.1 and I want to
authenticate clients against Windows AD 2003. I am assuming that I use
Authby LSA to do this. I want to use PEAP as the authentication type.
The config below comes after all the client stuff etc and I have a user
Anonymous in the %D/users database. I have included a section of log
that includes the error. Any help on correct configuration will be
appreciated.
<Handler TunnelledByPEAP=1>
# Authenticate with Windows LSA
<AuthBy LSA>
UsernameMatchesWithoutRealm
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
</AuthBy>
</Handler>
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the
# inner authentication extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used
# to select a specific handler, or else you can use EAPAnonymous to set a
# username and realm which can be used to select a Realm clause for the
# inner request.
# This allows you to select an inner authentication method based on
# Realm, and/or the fact that they were tunnelled. You can therefore act
# just as a PEAP server, or also act as the AAA/H home server, and
# authenticate PEAP requests locally or proxy them to another remote
# server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are
# authenticated from a file by AuthBy FILE
<Handler Realm=ntu.ac.uk>
<AuthBy FILE>
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page)
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
EAPTLS_PEAPVersion 1
EAPTLS_PEAPBrokenV1Label
</AuthBy>
</Handler>
Section of log where error occurs
Thu Aug 19 16:37:40 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Thu Aug 19 16:37:40 2010: DEBUG: Deleting session for anonymous, 10.15.100.4, 29
Thu Aug 19 16:37:40 2010: DEBUG: Handling with Radius::AuthLSA:
Thu Aug 19 16:37:40 2010: DEBUG: Handling with EAP: code 2, 8, 80, 26
Thu Aug 19 16:37:40 2010: DEBUG: Response type 26
Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA looks for match with com3pearsmw [anonymous]
Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA ACCEPT: : com3pearsmw [anonymous]
Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225508, 2228600, The handle is invalid.
Thu Aug 19 16:37:40 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thu Aug 19 16:37:40 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
Thu Aug 19 16:37:40 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Thu Aug 19 16:37:40 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
regards
Mark Pearson
Senior Technical Support Analyst
Information Systems
Nottingham Trent University
tel: 0115 8488287
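
An added example (not from the original post and not Radiator's own code) that pulls the LogonUserNetworkMSCHAP warning out of a Radiator log and decodes its first number as a Windows NTSTATUS value. Treating that number as an NTSTATUS is an assumption based on its high bits; the function names and the short name table are this example's own.

```python
import re

# Constructed sample: three lines from the log above, re-joined onto single lines.
SAMPLE_LOG = """\
Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA ACCEPT: : com3pearsmw [anonymous]
Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225508, 2228600, The handle is invalid.
Thu Aug 19 16:37:40 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
"""

SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

# A few names from Microsoft's published NTSTATUS list (subset, not exhaustive).
NAMES = {
    0xC0000024: "STATUS_OBJECT_TYPE_MISMATCH",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Codes meaning the submitted credentials or the account itself were refused.
CREDENTIAL_CODES = {0xC0000064, 0xC000006A, 0xC000006D, 0xC0000234}

WARN_RE = re.compile(
    r"WARNING: Could not LogonUserNetworkMSCHAP \(V2\): (\d+), (\d+), (.*)$", re.M)


def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into its documented bit fields."""
    value &= 0xFFFFFFFF
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],          # bits 31-30
        "customer": bool((value >> 29) & 1),        # bit 29
        "facility": (value >> 16) & 0xFFF,          # bits 27-16
        "code": value & 0xFFFF,                     # bits 15-0
        "name": NAMES.get(value, "unknown"),
        "credential_failure": value in CREDENTIAL_CODES,
    }


def find_lsa_failures(log_text):
    """Return one decoded record per LogonUserNetworkMSCHAP warning."""
    records = []
    for first, second, message in WARN_RE.findall(log_text):
        rec = decode_ntstatus(int(first))  # assumption: first number is an NTSTATUS
        rec["second_hex"] = f"0x{int(second):08X}"  # meaning not stated on the page
        rec["message"] = message.strip()
        records.append(rec)
    return records
```

For the warning in the log above, `find_lsa_failures(SAMPLE_LOG)` reports 0xC0000024 (STATUS_OBJECT_TYPE_MISMATCH), which is not one of the credential-failure codes in the table.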