[RADIATOR] accessing ntlm_auth Authentication-Error attribute

David Zych dmrz at illinois.edu
Tue Oct 5 19:23:36 CDT 2010


Hi,

I'm using AuthBy NTLM to authenticate Active Directory users from a Linux Radiator instance.  When an authentication fails, ntlm_auth seems to give a useful error message in the "Authentication-Error" attribute which would be helpful for distinguishing different types of problems.  This attribute is clearly visible both in the DEBUG output and in a WARNING log message that is generated by the module, but I can't figure out how to reference it afterward to do other things with it (such as include it in my AuthLog FailureFormat, store it in a database where it can assist our help desk in troubleshooting, return it as the reject reason, etc.).  Is there any way to get at this value short of modifying the module?

Below are sample debug output snippets from two failed ntlm_auth login attempts.  In both cases the AuthBy NTLM reject reason is simply "AuthBy NTLM Password check failed" which is not nearly as helpful in troubleshooting as the Authentication-Error message ("Wrong Password" vs "No such user") would be.  Note also that unfortunately the WARNING message doesn't include the username, so even that wouldn't be terribly helpful in a production environment with lots of requests.

Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute LANMAN-Challenge: 551ad887cef366ce
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Response: ef76db2128d03a9789133c333175ac5aaad6acedd8c17f44
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
Tue Oct  5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed

vs

Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute LANMAN-Challenge: f706118f18863992
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Response: 3667e0f1e6a08365d587d54f8a7889357f36e94da008e8cf
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
Tue Oct  5 18:55:38 2010: INFO: Access rejected for bogususer: AuthBy NTLM Password check failed

Thanks,
David
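One way to recover the reason per user without touching the module, as an added example that is not part of this post or of Radiator itself: a small Python parser over the DEBUG lines quoted above (embedded here as a constructed sample) that pairs each request's base64-decoded `Username::` and `NT-Domain::` attributes (the double colon is ntlm_auth's marker for a base64 value) with the `Authentication-Error` line that follows. The function and regex names are my own.

```python
import base64
import re

# Constructed sample: abbreviated DEBUG lines from the two failed logins above.
SAMPLE_LOG = """\
Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
"""

LINE_RE = re.compile(r"^(?P<ts>.+?\d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
PASSING_RE = re.compile(r"^Passing attribute (?P<name>[\w-]+)(?P<b64>:)?: (?P<value>.*)$")
RECEIVED_RE = re.compile(r"^Received attribute: (?P<name>[\w-]+)(?P<b64>:)?: (?P<value>.*)$")

def parse_failures(log_text):
    """Return (timestamp, domain, user, authentication_error) for each rejected request."""
    failures = []
    current = {}   # attributes Radiator passed to ntlm_auth for the request in flight
    ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "looks for match with" in msg:
            current = {}         # a new request starts; drop the previous one's attributes
            ts = m.group("ts")
            continue
        p = PASSING_RE.match(msg)
        if p:
            value = p.group("value")
            if p.group("b64"):   # "Name::" means ntlm_auth was given a base64 value
                value = base64.b64decode(value).decode("utf-8", "replace")
            current[p.group("name")] = value
            continue
        r = RECEIVED_RE.match(msg)
        if r and r.group("name") == "Authentication-Error":
            failures.append((ts, current.get("NT-Domain"), current.get("Username"), r.group("value")))
    return failures

if __name__ == "__main__":
    for ts, domain, user, err in parse_failures(SAMPLE_LOG):
        print(f"{ts} {domain}\\{user}: {err}")
```

Run against a live Radiator log at Trace 4 it gives the help desk the "Wrong Password" vs "No such user" distinction alongside the username that the WARNING line omits.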

