[RADIATOR] AD Authentication Problem

Hugh Irvine hugh at open.com.au
Wed Mar 10 18:10:29 CST 2010


Hello Corey -

The Handler list is evaluated in the order it appears in the configuration file and the debug shows that you are hitting the DEFAULT Handler:


> Thu Mar 11 09:30:29 2010: DEBUG: Handling request with Handler 'DEFAULT'


You should change the order of the Handlers like this:

.....

<Handler TunnelledByTTLS=1,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>
        #Get Rid of the AD bit
        RewriteUsername s/^ad//
        #Auth against AD with ntlm_auth
        <AuthBy NTLM>
                EAPType MSCHAP-V2
                Domain TSA
                NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1
                UsernameMatchesWithoutRealm
        </AuthBy>
        StripFromReply cisco-avpair
        AddToReply cisco-avpair="ssid=Radius1"
</Handler>

<Handler DEFAULT>
        #Get Rid of the AD bit
#       RewriteUsername s/^ad//
        #Auth against AD with ntlm_auth
        <AuthBy NTLM>
                EAPType MSCHAP-V2
                Domain TSA
                NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1
                UsernameMatchesWithoutRealm
        </AuthBy>
        StripFromReply cisco-avpair
        AddToReply cisco-avpair="ssid=Radius1"
</Handler>


hope that helps

regards

Hugh
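To see why the order matters, here is a small Python model of Radiator's first-match Handler selection, written as an added example for this thread (it is not Radiator's code). It reuses the User-Name pattern from the config above; the request attributes are constructed, since the trace masks the real User-Name, and the inner request is assumed to carry TunnelledByTTLS=1 with an AD\ prefixed name.

```python
import re

# Constructed model of Radiator Handler selection (not Radiator's own code):
# Handlers are tried in configuration order and the first one whose check
# items all match wins, so a <Handler DEFAULT> placed first shadows every
# Handler that follows it.

def check_user_name(value):
    # Same alternatives as the thread's User-Name check item: an AD\ prefix,
    # an @tsa.com.au realm, or a host/...tsa.com.au machine account.
    return re.search(r'(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)', value) is not None

# A handler is (name, list of (attribute, predicate)); DEFAULT has no checks.
TTLS_INNER = ("TunnelledByTTLS+User-Name", [
    ("TunnelledByTTLS", lambda v: v == "1"),
    ("User-Name", check_user_name),
])
DEFAULT = ("DEFAULT", [])

def select_handler(handlers, request):
    """Return the name of the first handler whose check items all match."""
    for name, checks in handlers:
        if all(attr in request and pred(request[attr]) for attr, pred in checks):
            return name
    return None  # no Handler matched; Radiator would drop the request

# Constructed requests: the outer EAP request carries an anonymous identity
# and is not tunnelled; the inner request is the one TTLS unwraps.
OUTER = {"User-Name": "anonymous", "NAS-IP-Address": "192.168.201.74"}
INNER = {"User-Name": "AD\\corey", "TunnelledByTTLS": "1"}

def order_as_posted():
    # DEFAULT first, as in the original config: the inner request never
    # reaches the TTLS-specific Handler.
    return select_handler([DEFAULT, TTLS_INNER], INNER)

def order_as_suggested():
    # Specific Handler first, DEFAULT last: the inner request is matched
    # by its own Handler, the outer one still falls through to DEFAULT.
    return select_handler([TTLS_INNER, DEFAULT], INNER)

if __name__ == "__main__":
    print("posted order   :", order_as_posted())
    print("suggested order:", order_as_suggested())
    print("outer request  :", select_handler([TTLS_INNER, DEFAULT], OUTER))
```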


On 11 Mar 2010, at 10:35, Corey Gray wrote:

> Hi,
>  
> I'm having a problem with the authentication to AD. I have an inner and outer authentication, but it seems to not use the outer and go straight for the inner. While this isn't really a problem (I'd rather one auth method if possible), it just keeps on repeating itself without accepting or denying the connection.
>  
> Here is the trace from Radiator
>  
> --Begin Trace
> Thu Mar 11 09:30:23 2010: DEBUG: Reading dictionary file '/usr/local/etc/raddb/dictionary'
> Thu Mar 11 09:30:23 2010: DEBUG: Creating authentication port 192.168.201.103:1645
> Thu Mar 11 09:30:23 2010: DEBUG: Creating accounting port 192.168.201.103:1646
> Thu Mar 11 09:30:23 2010: NOTICE: Server started: Radiator 4.6 on tsa-radius-bne.TSA.COM.AU (LOCKED)
> Thu Mar 11 09:30:29 2010: DEBUG: Packet dump:
> *** Received from 192.168.201.74 port 1030 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:  <173><27>]<159><161><214>M<31><206>e5b<236>B<22>'
> Attributes:
>         User-Name = "*****"
>         NAS-IP-Address = 192.168.201.74
>         Called-Station-Id = "00226b5c4bc8"
>         Calling-Station-Id = "0025bcc3229a"
>         NAS-Identifier = "00226b5c4bc8"
>         NAS-Port = 59
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         EAP-Message = <2><0><0><10><1>*****
>         Message-Authenticator = *G<133><141><146>y<19>7<168><231><161><141><252><236><219>o
>  
> Thu Mar 11 09:30:29 2010: DEBUG: Handling request with Handler 'DEFAULT'
> Thu Mar 11 09:30:29 2010: DEBUG:  Deleting session for *****, 192.168.201.74, 59
> Thu Mar 11 09:30:29 2010: DEBUG: Handling with Radius::AuthNTLM:
> Thu Mar 11 09:30:29 2010: DEBUG: Handling with EAP: code 2, 0, 10, 1
> Thu Mar 11 09:30:29 2010: DEBUG: Response type 1
> Thu Mar 11 09:30:30 2010: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Thu Mar 11 09:30:30 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Thu Mar 11 09:30:30 2010: DEBUG: Access challenged for corey: EAP MSCHAP-V2 Challenge
> Thu Mar 11 09:30:30 2010: DEBUG: Packet dump:
> *** Sending to 192.168.201.74 port 1030 ....
> Code:       Access-Challenge
> Identifier: 0
> Authentic:  Z#<162>&#<255>1P1<0><189>.<20><204><217>1
> Attributes:
>         EAP-Message = <1><1><0>3<26><1><1><0>.<16>d<158><205><209><247>M<228><196><129><18><132>i<9><183><14><13>tsa-radius-bne.TSA.COM.AU
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         cisco-avpair = "ssid=Radius1"
> --End Trace
>  
> --Begin Config File
> BindAddress 192.168.201.103
> Trace 4
> <Client DEFAULT>
>         Secret ***
> #Outer authentication.
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP, TTLS, TLS, LEAP
>                 EAPAnonymous %0
>                 #TSA Certificates
>                 EAPTLS_CAPath /etc/radiator/certificates
>                 EAPTLS_CertificateFile /etc/radiator/certificates/tsa.crt
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_key.pem
>                 EAPTLS_MaxFragmentSize 1000
>         </AuthBy>
> </Client>
> #Not Used at the moment
> #<Handler Client-Identifier=wireless-8021x,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>
> #        <AuthBy FILE>
> #              Filename %D/users
> #                EAPType PEAP, TTLS, TLS, LEAP
> #              EAPAnonymous %0
> #             #TSA Certificates
> #                EAPTLS_CAPath /etc/radiator/certificates
> #                EAPTLS_CertificateFile /etc/radiator/certificates/tsa.crt
> #                EAPTLS_CertificateType PEM
> #                EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_key.pem
> #                EAPTLS_MaxFragmentSize 1000
> #                AutoMPPEKeys
> #        </AuthBy>
> #</Handler>
> #End Outer Authentication
>  
> <Handler DEFAULT>
>         #Get Rid of the AD bit
> #       RewriteUsername s/^ad//
>         #Auth against AD with ntlm_auth
>                 <AuthBy NTLM>
>                         EAPType MSCHAP-V2
>                         Domain TSA
>                         NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1
>                         UsernameMatchesWithoutRealm
>                 </AuthBy>
>                 StripFromReply cisco-avpair
>                 AddToReply cisco-avpair="ssid=Radius1"
> </Handler>
> <Handler TunnelledByTTLS=1,User-Name=/(^AD\\|@tsa\.com\.au|^host\/.*\.tsa\.com\.au)/>
>  #Get Rid of the AD bit
>         RewriteUsername s/^ad//
>         #Auth against AD with ntlm_auth
>                 <AuthBy NTLM>
>                         EAPType MSCHAP-V2
>                         Domain TSA
>                         NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/windindd.conf --helper-protocol=ntlm-server-1
>                         UsernameMatchesWithoutRealm
>                 </AuthBy>
>                 StripFromReply cisco-avpair
>                 AddToReply cisco-avpair="ssid=Radius1"
> </Handler>
> --End Config
>  
> The trace doesn't tell me which handler it is using, unfortunately. Can anyone point out where I'm going wrong with this one? All help is greatly appreciated.
>  
>  
> Regards
>  
> Corey Gray
> Support Engineer
> Ph. 1300 88 95 88
> Fax. 07 3858 6313
> http://www.caab.net
>  
> This message contains privileged and confidential information. If you are not the intended recipient you must not disseminate, copy or take any action in reliance on it, and we request that you notify TSA Software Solutions immediately. Any views expressed in this message are those of the individual sender, except where they are specifically stated to be the views of TSA Software Solutions Pty Ltd or its Subsidiaries. Your privacy is important to us. To view our privacy policy visit http://www.tsa.com.au/privacy
>  
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.