[RADIATOR] AD Authentication Problem
Corey Gray
corey at tsa.com.au
Wed Mar 10 17:35:31 CST 2010
Hi,
I'm having a problem with authentication to AD. I have an inner and an outer authentication, but it seems to not use the outer and go straight for the inner. While this isn't really a problem (I'd rather one auth method if possible), it just keeps on repeating itself without accepting or denying the connection.
Here is the trace from Radiator:
--Begin Trace
Thu Mar 11 09:30:23 2010: DEBUG: Reading dictionary file '/usr/local/etc/raddb/dictionary'
Thu Mar 11 09:30:23 2010: DEBUG: Creating authentication port 192.168.201.103:1645
Thu Mar 11 09:30:23 2010: DEBUG: Creating accounting port 192.168.201.103:1646
Thu Mar 11 09:30:23 2010: NOTICE: Server started: Radiator 4.6 on tsa-radius-bne.TSA.COM.AU (LOCKED)
Thu Mar 11 09:30:29 2010: DEBUG: Packet dump:
*** Received from 192.168.201.74 port 1030 ....
Code: Access-Request
Identifier: 0
Authentic: <173><27>]<159><161><214>M<31><206>e5b<236>B<22>'
Attributes:
User-Name = "*****"
NAS-IP-Address = 192.168.201.74
Called-Station-Id = "00226b5c4bc8"
Calling-Station-Id = "0025bcc3229a"
NAS-Identifier = "00226b5c4bc8"
NAS-Port = 59
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message = <2><0><0><10><1>*****
Message-Authenticator = *G<133><141><146>y<19>7<168><231><161><141><252><236><219>o
Thu Mar 11 09:30:29 2010: DEBUG: Handling request with Handler 'DEFAULT'
Thu Mar 11 09:30:29 2010: DEBUG: Deleting session for *****, 192.168.201.74, 59
Thu Mar 11 09:30:29 2010: DEBUG: Handling with Radius::AuthNTLM:
Thu Mar 11 09:30:29 2010: DEBUG: Handling with EAP: code 2, 0, 10, 1
Thu Mar 11 09:30:29 2010: DEBUG: Response type 1
Thu Mar 11 09:30:30 2010: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Thu Mar 11 09:30:30 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Thu Mar 11 09:30:30 2010: DEBUG: Access challenged for corey: EAP MSCHAP-V2 Challenge
Thu Mar 11 09:30:30 2010: DEBUG: Packet dump:
*** Sending to 192.168.201.74 port 1030 ....
Code: Access-Challenge
Identifier: 0
Authentic: Z#<162>&#<255>1P1<0><189>.<20><204><217>1
Attributes:
EAP-Message = <1><1><0>3<26><1><1><0>.<16>d<158><205><209><247>M<228><196><129><18><132>i<9><183><14><13>tsa-radius-bne.TSA.COM.AU
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
cisco-avpair = "ssid=Radius1"
--End Trace
--Begin Config File
BindAddress 192.168.201.103
Trace 4
<Client DEFAULT>
	Secret ***
	#Outer authentication.
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP, TTLS, TLS, LEAP
		EAPAnonymous %0
		#TSA Certificates
		EAPTLS_CAPath /etc/radiator/certificates
		EAPTLS_CertificateFile /etc/radiator/certificates/tsa.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_key.pem
		EAPTLS_MaxFragmentSize 1000
	</AuthBy>
</Client>
#Not used at the moment
#<Handler Client-Identifier=wireless-8021x,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>
#	<AuthBy FILE>
#		Filename %D/users
#		EAPType PEAP, TTLS, TLS, LEAP
#		EAPAnonymous %0
#		#TSA Certificates
#		EAPTLS_CAPath /etc/radiator/certificates
#		EAPTLS_CertificateFile /etc/radiator/certificates/tsa.crt
#		EAPTLS_CertificateType PEM
#		EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_key.pem
#		EAPTLS_MaxFragmentSize 1000
#		AutoMPPEKeys
#	</AuthBy>
#</Handler>
#End outer authentication
<Handler DEFAULT>
	#Get rid of the AD bit
	#	RewriteUsername s/^ad//
	#Auth against AD with ntlm_auth
	<AuthBy NTLM>
		EAPType MSCHAP-V2
		Domain TSA
		NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1
		UsernameMatchesWithoutRealm
	</AuthBy>
	StripFromReply cisco-avpair
	AddToReply cisco-avpair="ssid=Radius1"
</Handler>
<Handler TunnelledByTTLS=1,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>
	#Get rid of the AD bit
	RewriteUsername s/^ad//
	#Auth against AD with ntlm_auth
	<AuthBy NTLM>
		EAPType MSCHAP-V2
		Domain TSA
		NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1
		UsernameMatchesWithoutRealm
	</AuthBy>
	StripFromReply cisco-avpair
	AddToReply cisco-avpair="ssid=Radius1"
</Handler>
--End Config
The trace doesn't tell me which handler it is using, unfortunately. Can anyone point out where I'm going wrong with this one? All help is greatly appreciated.
Regards
Corey Gray
Support Engineer
Ph. 1300 88 95 88
Fax. 07 3858 6313
http://www.caab.net
This message contains privileged and confidential information. If you are not the intended recipient you must not disseminate, copy or take any action in reliance on it, and we request that you notify TSA Software Solutions immediately. Any views expressed in this message are those of the individual sender, except where they are specifically stated to be the views of TSA Software Solutions Pty Ltd or its Subsidiaries. Your privacy is important to us. To view our privacy policy visit http://www.tsa.com.au/privacy
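The following is an added example and is not part of the original post or of Radiator itself. At Trace 4 Radiator does print the clause that takes each request ("Handling request with Handler 'DEFAULT'", "Handling with Radius::AuthNTLM:", "AuthBy NTLM result: CHALLENGE, ..."), but those lines are easy to lose among the packet dumps. This script pairs each received packet with the Handler, AuthBy chain, AuthBy result and reply code that follow it, and lists requests that never reached an Access-Accept or Access-Reject, which is the looping symptom described above. It recognises only the line shapes visible in the trace in this post; the sample trace is constructed from those lines, and the record/function names are the example's own.

```python
"""Summarise which Handler and AuthBy handled each request in a Radiator
Trace 4 log.  Added example, not part of the original post or of Radiator.
It matches the DEBUG line shapes seen in the trace above and nothing else."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines taken from the trace in the post, with the
# same masked user name and the irrelevant attributes dropped.
SAMPLE_TRACE = """\
Thu Mar 11 09:30:29 2010: DEBUG: Packet dump:
*** Received from 192.168.201.74 port 1030 ....
Code: Access-Request
Identifier: 0
Attributes:
	User-Name = "*****"
	NAS-IP-Address = 192.168.201.74
	NAS-Port-Type = Wireless-IEEE-802-11
	EAP-Message = <2><0><0><10><1>*****
Thu Mar 11 09:30:29 2010: DEBUG: Handling request with Handler 'DEFAULT'
Thu Mar 11 09:30:29 2010: DEBUG: Handling with Radius::AuthNTLM:
Thu Mar 11 09:30:29 2010: DEBUG: Handling with EAP: code 2, 0, 10, 1
Thu Mar 11 09:30:30 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Thu Mar 11 09:30:30 2010: DEBUG: Access challenged for corey: EAP MSCHAP-V2 Challenge
Thu Mar 11 09:30:30 2010: DEBUG: Packet dump:
*** Sending to 192.168.201.74 port 1030 ....
Code: Access-Challenge
Identifier: 0
"""

RECV = re.compile(r"\*\*\* Received from (\S+) port (\d+)")
SEND = re.compile(r"\*\*\* Sending to (\S+) port (\d+)")
CODE = re.compile(r"^Code: (\S+)")
IDENT = re.compile(r"^Identifier: (\d+)")
USER = re.compile(r'^\s*User-Name = "(.*)"')
HANDLER = re.compile(r"Handling request with Handler '([^']*)'")
AUTHBY = re.compile(r"Handling with Radius::(\w+):")
RESULT = re.compile(r"AuthBy (\w+) result: (\w+)(?:, (.*))?$")


@dataclass
class Request:
    """One received RADIUS packet and what Radiator did with it."""
    client: str
    code: str = ""
    identifier: str = ""
    user: str = ""
    handler: Optional[str] = None
    authbys: List[str] = field(default_factory=list)
    result: Optional[str] = None
    result_detail: str = ""
    reply_code: Optional[str] = None


def parse_trace(text: str) -> List[Request]:
    """Walk the log once; a '*** Received from' line starts a new record and
    everything up to the next one is attributed to it."""
    requests: List[Request] = []
    cur: Optional[Request] = None
    dump = None  # "request" inside a received dump, "reply" inside a sent one
    for line in text.splitlines():
        m = RECV.search(line)
        if m:
            cur = Request(client=m.group(1))
            requests.append(cur)
            dump = "request"
            continue
        if cur is None:
            continue
        if SEND.search(line):
            dump = "reply"
            continue
        m = CODE.match(line)
        if m:
            if dump == "request":
                cur.code = m.group(1)
            elif dump == "reply":
                cur.reply_code = m.group(1)
            continue
        m = IDENT.match(line)
        if m and dump == "request":
            cur.identifier = m.group(1)
            continue
        m = USER.match(line)
        if m and dump == "request":
            cur.user = m.group(1)
            continue
        m = HANDLER.search(line)
        if m:
            dump = None  # dispatch lines follow the request dump
            cur.handler = m.group(1)
            continue
        m = AUTHBY.search(line)
        if m:
            cur.authbys.append(m.group(1))
            continue
        m = RESULT.search(line)
        if m:
            cur.result = m.group(2)
            cur.result_detail = m.group(3) or ""
    return requests


def summarise(requests: List[Request]) -> List[str]:
    """One line per request: Handler -> AuthBy chain -> result -> reply code."""
    out = []
    for r in requests:
        chain = " -> ".join(r.authbys) or "(no AuthBy)"
        detail = f" ({r.result_detail})" if r.result_detail else ""
        out.append(f"id {r.identifier} {r.code} from {r.client} user {r.user!r}: "
                   f"Handler {r.handler!r} -> {chain} -> {r.result}{detail} "
                   f"-> {r.reply_code or '(no reply)'}")
    return out


def unfinished(requests: List[Request]) -> List[Request]:
    """Requests that were only challenged (or never answered), i.e. no
    Access-Accept/Access-Reject was sent: the looping case from the post."""
    return [r for r in requests if r.reply_code not in ("Access-Accept", "Access-Reject")]


if __name__ == "__main__":
    reqs = parse_trace(SAMPLE_TRACE)
    for line in summarise(reqs):
        print(line)
    print(f"{len(unfinished(reqs))} of {len(reqs)} request(s) did not reach Accept/Reject")
```

Run it against the real log instead of the embedded sample (read the file and pass its text to parse_trace) to see, for every Access-Request, which Handler clause took it and which AuthBy produced the reply; a run of CHALLENGE-only records for the same NAS-Port is the conversation restarting rather than completing.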