[RADIATOR] Problems with NTLM Auth
Hugh Irvine
hugh at open.com.au
Fri Jan 29 01:20:08 CST 2010
Hello Corey -
Your configuration file is set up to expect username strings of the form "corey at tsa.com.au", but the username you are using is just "corey".
Either enter your username as "corey at tsa.com.au" or change your Handler to just:
.....
<Handler>
.....
</Handler>
regards
Hugh
On 29 Jan 2010, at 15:56, Corey Gray wrote:
> I have been trying to authenticate our wireless network against AD with radius. When I try to log on to the network it responds with incorrect username or password for “network1” yet when running
> ntlm_auth --username user --domain tsa --password password
> It returns a status of OK. I was wondering if there is anything I am missing from my configuration file.
>
> My router is set to use Radius authentication on port 1645
>
> Shared secret = one in config file
> Encryption 40/64-bit
> Passphrase = same as shared secret for testing
> Key 1 as TX key
>
> Now for the radiator settings.
>
> LogDir /var/log/radius
> BindAddress 10.0.0.1 <-- radius server ip
> DbDir /etc/radiator
> DictionaryFile %D/dictionary
> LogFile /var/log/radius/%y%m-radius.log
> Trace 5
> #Trace 3
> <Client DEFAULT>
> Secret shh…itssecret
> DupInterval 0
> </Client>
> #Log Success and failed login attempts
> <AuthLog FILE>
> Filename /var/log/radius/%y%m-authlog.log
> LogSuccess 0
> LogFailure 0
> SuccessFormat %l:Client-ip=%c:%U:OK
> FailureFormat %l:Client-ip=%c:%U:FAIL
> </AuthLog>
> # requests will be processed here
> # define Realm(s) or Handler(s)
> # use AuthBy NTLM for AD
> <Handler Realm=tsa.com.au>
> <AuthBy NTLM>
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> DefaultDomain tsa.com.au
> UsernameMatchesWithoutRealm
> </AuthBy>
> </Handler>
>
> Here is my trace 5
>
> Fri Jan 29 14:43:49 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Fri Jan 29 14:43:49 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Fri Jan 29 14:43:49 2010: DEBUG: Creating authentication port 192.168.201.165:1645
> Fri Jan 29 14:43:49 2010: DEBUG: Creating accounting port 192.168.201.165:1646
> Fri Jan 29 14:43:49 2010: NOTICE: Server started: Radiator 4.5.1 on Radiator (LOCKED)
> Fri Jan 29 14:47:53 2010: DEBUG: Packet dump:
> *** Received from 192.168.201.74 port 1032 ....
> Packet length = 123
> 01 00 00 7b d6 dc 0e bb 98 ff 55 2e 83 29 ab fd *** Received from 192.168.201.74 port 1032 ....
> NAS-Identifier = "00226b5c4bc8"
> NAS-Port = 59
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><0><0><10><1>corey
> Message-Authenticator = <246><234><131><156><207><243><139><156><246><14><16><183><144><167><243>\
>
> Fri Jan 29 14:47:53 2010: WARNING: Could not find a handler for corey: request is ignored
> Fri Jan 29 14:48:23 2010: DEBUG: Packet dump:
> *** Received from 192.168.201.74 port 1032 ....
>
> Packet length = 123
> 01 00 00 7b 12 dc 22 68 9b 0b 85 1f 6c 4d 2c 2d
> 09 43 22 8e 01 07 63 6f 72 65 79 04 06 c0 a8 c9
> 4a 1e 0e 30 30 32 32 36 62 35 63 34 62 63 38 1f
> 0e 30 30 32 35 62 63 63 33 32 32 39 61 20 0e 30
> 30 32 32 36 62 35 63 34 62 63 38 05 06 00 00 00
> 3b 0c 06 00 00 05 78 3d 06 00 00 00 13 4f 0c 02
> 01 00 0a 01 63 6f 72 65 79 50 12 3a d8 d8 34 85
> b6 3d 3e cc 6f c9 31 6c 42 05 26
> Code: Access-Request
> Identifier: 0
> Authentic: <18><220>"h<155><11><133><31>lM,-<9>C"<142>
> Attributes:
> User-Name = "corey"
> NAS-IP-Address = 192.168.201.74
> Called-Station-Id = "00226b5c4bc8"
> Calling-Station-Id = "0025bcc3229a"
> NAS-Identifier = "00226b5c4bc8"
> NAS-Port = 59
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><1><0><10><1>corey
> Message-Authenticator = :<216><216>4<133><182>=><204>o<201>1lB<5>&
>
> Fri Jan 29 14:48:23 2010: WARNING: Could not find a handler for corey: request is ignored
>
> So it keeps trying and radius is getting my attempts… But I'm not sure why it can't handle the request
>
> Any help would be greatly appreciated
> Regards
>
> Corey Gray
> Support Engineer
> Ph. 1300 88 95 88
> Fax. 07 3858 6318
> http://www.caab.net
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
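The following is an added example; it is not code from this thread or from Radiator. It parses the Access-Request hex dump Corey quoted (copied from his trace 5, 123 bytes) with a small RFC 2865 attribute parser, pulls the identity out of the EAP-Message, and then applies a simplified version of Radiator's Handler selection: a Handler with Realm=tsa.com.au only matches a User-Name whose realm part (after the "@") is tsa.com.au, so the bare "corey" falls through exactly as the "Could not find a handler" warning shows, while a Handler with no Realm catches everything. The handler labels and the split_realm/select_handler helpers are assumptions made for the example, not Radiator's own code.

```python
"""Parse the Access-Request from the quoted trace and reproduce the handler mismatch.

Added example, not part of the original thread or of Radiator; the packet bytes are
those in the trace 5 dump quoted above, the handler model is a simplification.
"""
import struct

# Hex bytes copied from the "Packet length = 123" dump in the thread.
PACKET_HEX = """
01 00 00 7b 12 dc 22 68 9b 0b 85 1f 6c 4d 2c 2d
09 43 22 8e 01 07 63 6f 72 65 79 04 06 c0 a8 c9
4a 1e 0e 30 30 32 32 36 62 35 63 34 62 63 38 1f
0e 30 30 32 35 62 63 63 33 32 32 39 61 20 0e 30
30 32 32 36 62 35 63 34 62 63 38 05 06 00 00 00
3b 0c 06 00 00 05 78 3d 06 00 00 00 13 4f 0c 02
01 00 0a 01 63 6f 72 65 79 50 12 3a d8 d8 34 85
b6 3d 3e cc 6f c9 31 6c 42 05 26
"""

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Standard attribute numbers (RFC 2865 / RFC 2869) for the attributes in the dump.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 12: "Framed-MTU",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}
STRING_ATTRS = {1, 30, 31, 32}
INT_ATTRS = {5, 12, 61}


def parse_radius(raw: bytes):
    """Return (code-name, identifier, authenticator, [(attr-name, value), ...]).

    Length fields are checked against the buffer so a malformed dump raises
    instead of reading past the end of the packet.
    """
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes received")
    authenticator = raw[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        data = raw[pos + 2:pos + alen]
        if atype in STRING_ATTRS:
            value = data.decode("ascii", errors="replace")
        elif atype in INT_ATTRS:
            value = struct.unpack("!I", data)[0]
        elif atype == 4:
            value = ".".join(str(b) for b in data)
        else:
            value = data  # EAP-Message and Message-Authenticator stay raw
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return RADIUS_CODES.get(code, str(code)), ident, authenticator, attrs


def parse_trace_packet(hex_dump: str = PACKET_HEX):
    """Parse the quoted dump; bytes.fromhex() skips the whitespace between bytes."""
    return parse_radius(bytes.fromhex(hex_dump))


def eap_identity(attrs):
    """Return the identity from an EAP-Response/Identity (code 2, type 1), else None."""
    eap = b"".join(v for n, v in attrs if n == "EAP-Message")
    if len(eap) >= 5 and eap[0] == 2 and eap[4] == 1:
        eap_len = struct.unpack("!H", eap[2:4])[0]
        return eap[5:eap_len].decode("ascii", errors="replace")
    return None


def split_realm(user_name: str):
    """Split 'user@realm' into (user, realm); realm is '' when no '@' is present."""
    user, _, realm = user_name.partition("@")
    return user, realm


def select_handler(user_name: str, handlers):
    """Simplified Radiator matching: handlers are (label, required_realm) in config order.

    A handler with required_realm None (a bare <Handler>) matches every request.
    Returns the matching label, or None, which is the 'Could not find a handler' case.
    """
    _, realm = split_realm(user_name)
    for label, required_realm in handlers:
        if required_realm is None or required_realm.lower() == realm.lower():
            return label
    return None


if __name__ == "__main__":
    code, ident, _auth, attrs = parse_trace_packet()
    user = dict(attrs)["User-Name"]
    print(f"{code} id={ident} User-Name={user!r} EAP identity={eap_identity(attrs)!r}")
    realm_only = [("Handler Realm=tsa.com.au", "tsa.com.au")]
    print("realm-only config  :", select_handler(user, realm_only))
    print("with catch-all     :", select_handler(user, realm_only + [("Handler (no Realm)", None)]))
    print("user with realm    :", select_handler("corey@tsa.com.au", realm_only))
```

Running it prints the decoded request, then None for the realm-only configuration (the quoted behaviour), a match once a bare Handler is added, and a match for "corey@tsa.com.au" against the original Handler, which are the two fixes Hugh offers.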