[RADIATOR] AD Authentication Problem

Corey Gray corey at tsa.com.au
Wed Mar 10 17:35:31 CST 2010


Hi<http://caab.net>,



Im having a problem with the Authentication to AD I have a Inner and outer authentication But it seems to to not use the outer and go straight for the inner. While this isn't really a problem (id rather one Auth method if possible)  it just keeps on repeating itself without Accepting Denying the connection



Here is the trace from Radiator



--Begin Trace

Thu Mar 11 09:30:23 2010: DEBUG: Reading dictionary file '/usr/local/etc/raddb/dictionary'

Thu Mar 11 09:30:23 2010: DEBUG: Creating authentication port 192.168.201.103:1645

Thu Mar 11 09:30:23 2010: DEBUG: Creating accounting port 192.168.201.103:1646

Thu Mar 11 09:30:23 2010: NOTICE: Server started: Radiator 4.6 on tsa-radius-bne.TSA.COM.AU (LOCKED)

Thu Mar 11 09:30:29 2010: DEBUG: Packet dump:

*** Received from 192.168.201.74 port 1030 ....

Code:       Access-Request

Identifier: 0

Authentic:  <173><27>]<159><161><214>M<31><206>e5b<236>B<22>'

Attributes:

        User-Name = "*****"

        NAS-IP-Address = 192.168.201.74

        Called-Station-Id = "00226b5c4bc8"

        Calling-Station-Id = "0025bcc3229a"

        NAS-Identifier = "00226b5c4bc8"

        NAS-Port = 59

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-IEEE-802-11

        EAP-Message = <2><0><0><10><1>*****

        Message-Authenticator = *G<133><141><146>y<19>7<168><231><161><141><252><236><219>o



Thu Mar 11 09:30:29 2010: DEBUG: Handling request with Handler 'DEFAULT'

Thu Mar 11 09:30:29 2010: DEBUG:  Deleting session for *****, 192.168.201.74, 59

Thu Mar 11 09:30:29 2010: DEBUG: Handling with Radius::AuthNTLM:

Thu Mar 11 09:30:29 2010: DEBUG: Handling with EAP: code 2, 0, 10, 1

Thu Mar 11 09:30:29 2010: DEBUG: Response type 1

Thu Mar 11 09:30:30 2010: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge

Thu Mar 11 09:30:30 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge

Thu Mar 11 09:30:30 2010: DEBUG: Access challenged for corey: EAP MSCHAP-V2 Challenge

Thu Mar 11 09:30:30 2010: DEBUG: Packet dump:

*** Sending to 192.168.201.74 port 1030 ....

Code:       Access-Challenge

Identifier: 0

Authentic:  Z#<162>&#<255>1P1<0><189>.<20><204><217>1

Attributes:

        EAP-Message = <1><1><0>3<26><1><1><0>.<16>d<158><205><209><247>M<228><196><129><18><132>i<9><183><14><13>tsa-radius-bne.TSA.COM.AU

        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

        cisco-avpair = "ssid=Radius1"

--End Trace



--Begin Config File

BindAddress 192.168.201.103

Trace 4

<Client DEFAULT>

        Secret ***

#Ouoter authentication.

        <AuthBy FILE>

                Filename %D/users

                EAPType PEAP, TTLS, TLS, LEAP

                EAPAnonymous %0

                #TSA Certificates

                EAPTLS_CAPath /etc/radiator/certificates

                EAPTLS_CertificateFile /etc/radiator/certificates/tsa.crt

                EAPTLS_CertificateType PEM

                EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_key.pem

                EAPTLS_MaxFragmentSize 1000

        </AuthBy>

</Client>

#Not Used at the moment

#<Handler Client-Identifier=wireless-8021x,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>

#        <AuthBy FILE>

#              Filename %D/users

#                EAPType PEAP, TTLS, TLS, LEAP

#              EAPAnonymous %0

#             #TSA Certificates

#                EAPTLS_CAPath /etc/radiator/certificates

#                EAPTLS_CertificateFile /etc/radiator/certificates/tsa.crt

#                EAPTLS_CertificateType PEM

#                EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_key.pem

#                EAPTLS_MaxFragmentSize 1000

#                AutoMPPEKeys

#        </AuthBy>

#</Handler>

#End Outer Authentication



<Handler DEFAULT>

        #Get Rid of the AD bit

#       RewriteUsername s/^ad//

        #Auth against AD with ntlm_auth

                <AuthBy NTLM>

                        EAPType MSCHAP-V2

                        Domain TSA

                        NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1

                        UsernameMatchesWithoutRealm

                </AuthBy>

                StripFromReply cisco-avpair

                AddToReply cisco-avpair="ssid=Radius1"

</Handler>

<Handler TunnelledByTTLS=1,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>

 #Get Rid of the AD bit

        RewriteUsername s/^ad//

        #Auth against AD with ntlm_auth

                <AuthBy NTLM>

                        EAPType MSCHAP-V2

                        Domain TSA

                        NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1

                        UsernameMatchesWithoutRealm

                </AuthBy>

                StripFromReply cisco-avpair

                AddToReply cisco-avpair="ssid=Radius1"

</Handler>

--End Config



The Trace doesn't tell me which handler it is using unfortunalty. Can anyone point out where im going wrong with this one? All help is greatly appreciated





Regards



Corey Gray
Support Engineer

http://caab.net/images/Cert_Partner_rgb.png

Ph.

1300 88 95 88

Fax.

07 3858 6313

http://www.caab.net



This message contains privileged and confidential information. If you are not the intended recipient you must not disseminate, copy or take any action in reliance on it, and we request that you notify TSA Software Solutions immediately. Any views expressed in this message are those of the individual sender, except where they are specifically stated to be the views of TSA Software Solutions Pty Ltd or its Subsidiaries. Your privacy is important to us. To view our privacy policy visit http://www.tsa.com.au/privacy



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20100310/d4cc9e6b/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 8397 bytes
Desc: image001.png
Url : http://www.open.com.au/pipermail/radiator/attachments/20100310/d4cc9e6b/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 4696 bytes
Desc: image002.png
Url : http://www.open.com.au/pipermail/radiator/attachments/20100310/d4cc9e6b/attachment-0003.png 


More information about the radiator mailing list