[RADIATOR] Authby LSA and AD Groups (Redux)
Johnson, Neil M
neil-johnson at uiowa.edu
Wed Sep 29 10:03:17 CDT 2010
I making another attempt to get AuthbyLSA working on Windows Server 2008 R2.
As before, as long as I don't check for groups, the authentication works fine, but when I try to check for group membership the authentication fails.
Attached is the config file and trace 4 output.
# lsa_eap_peap.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# PEAP authentication as used by Windows XP (starting with SP1)
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate Wireless PEAP users from a Windows LSA, which
# permits authentication against any Windows Active Directory Domain
# or NT Domain.
# It will accept requests from any client and try to handle request
# for any realm.
# To use this LSA, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security policy
# enabled.
# Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
#
# To use this example, Radiator must be run on Windows as
# a user that has the 'Act as part of the operating system' security policy
# enabled. This is not possible with Windows XP Home edition.
#
# Requires the Win32-Lsa perl module from Open System Consultants.
# Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
# ppm install --location=http://www.open.com.au/radiator/free-downloads Win32-Lsa
#
# Users will only be authenticated if they have the 'Access this computer from the network'
# security policy enabled. Their other account restrictions will also be checked
# CHAP passwords can only be authenticated if the user has their
# 'Store password using reversible encryption' option enabled in their Account
#
# In order to test this, you can user the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires openssl and Net_SSLeay.
#
# You should consider this file to be a starting point only
# $Id: lsa_eap_peap.cfg,v 1.8 2010/08/10 22:37:25 mikem Exp $
Foreground
LogStdout
LogDir .
DbDir .
# User a lower trace level in production systems:
Trace 4
# Ports to listen on
AuthPort 1812
AcctPort 1813
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret XXXXXXXXXXXXX
</Client>
# This is where we autneticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
# Authenticate with Windows LSA
<AuthBy LSA>
# Specifies which Windows Domain is ALWAYS to be used to authenticate
# users (even if they specify a different domain in their username).
# Empty string means the local machine only
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#Domain OPEN
# Specifies the Windows Domain to use if the user does not
# specify a doain domain in their username.
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
DefaultDomain IOWA
# You can check whether each user is the member of a windows group
# with the Group parameter. If more than one Group is specified, then the
# user must be a member of at least one of them. Requires Win32::NetAdmin
# (which is installed by default with ActivePerl). If no Group
# parameters are specified, then Group checks will not be performed.
#Group Administrators
#Group Domain Users
Group ITS-WIRELESS
# You can specify which domain controller will be used to check group
# membership with the DomainController parameter. If no Group parameters
# are specified, DomainController wil not be used. Defaults to
# empty string, meaning the default controller of the host where this
# instance of Radaitor is running.
#DomainController zulu
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
</AuthBy>
</Handler>
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therfore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authenticaiton request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
<AuthBy FILE>
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to descrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randdomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller sizes.
EAPTLS_MaxFragmentSize 1000
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has neen revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with tis name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys. This _will_ be required if you select
# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If tehre is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identitiy
# EAPAnonymous anonymous at some.other.realm
EAPAnonymous %0
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
# You can control which version of the draft PEAP protocol to honour
# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
# such as Funk Odyssey Client 2.22 or later.
EAPTLS_PEAPVersion 0
</AuthBy>
</Handler>
Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Received from 128.255.11.74 port 32768 ....
Code: Access-Request
Identifier: 214
Authentic: <209><241>8<205><198><3><215>yeq<214>w<176><152>m<137>
Attributes:
User-Name = "IOWA\nmjoo"
NAS-IP-Address = 128.255.11.74
NAS-Port = 20481
Called-Station-Id = "00-90-0B-07-8C-89:UI-Test-ITSNT977"
Calling-Station-Id = "00-1F-3B-CC-09-ED"
Framed-MTU = 1250
NAS-Port-Type = Wireless-IEEE-802-11
Framed-Compression = None
Connect-Info = "CONNECT 802.11g"
EAP-Message = <2><7><0>k<25><0><23><3><1><0>`<228>v<226>\<233><246>I<23>
rf\k<17>I<20><136>p<5><229>a[<241><173>s<19>gI!<204><1>pS<228><191><225>`O<188><
171><230><2>s<133><143><31>$<159>R<154>f<189><154><26><169>!<9><156><142><239><1
43><1>a<30>v<159><178>{<140><192>%<241><204>(M<155><162><223><165>^<197>%<168><2
14><202><199>]D<245>:t<157><224><133><217><16><158>
Message-Authenticator = w<249><206><233><208>g<232>G<224><248>&<143>2<14
>|v
Wed Sep 29 09:53:25 2010: DEBUG: Handling request with Handler '', Identifier ''
Wed Sep 29 09:53:25 2010: DEBUG: Deleting session for IOWA\nmjoo, 128.255.11.74
, 20481
Wed Sep 29 09:53:25 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Sep 29 09:53:25 2010: DEBUG: Handling with EAP: code 2, 7, 107, 25
Wed Sep 29 09:53:25 2010: DEBUG: Response type 25
Wed Sep 29 09:53:25 2010: DEBUG: EAP PEAP inner authentication request for IOWA\
nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: 0u<200><186><169><129><171><163>><188>K(<143><252>rs
Attributes:
EAP-Message = <2><7><0>A<26><2><7><0>@1,<24><4>apkL<134>I:<8><232>4L_<19
2><0><0><0><0><0><0><0><0><129>VJ"<182><148><155><161>:<19><22>"<16><157>)4<251>
VxT<130>l<156>g<0>IOWA\nmjoo
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 128.255.11.74
NAS-Port = 20481
Calling-Station-Id = "00-1F-3B-CC-09-ED"
User-Name = "IOWA\nmjoo"
Wed Sep 29 09:53:25 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=
1', Identifier ''
Wed Sep 29 09:53:25 2010: DEBUG: Deleting session for IOWA\nmjoo, 128.255.11.74
, 20481
Wed Sep 29 09:53:25 2010: DEBUG: Handling with Radius::AuthLSA:
Wed Sep 29 09:53:25 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
Wed Sep 29 09:53:25 2010: DEBUG: Response type 26
Wed Sep 29 09:53:25 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo
[IOWA\nmjoo]
Wed Sep 29 09:53:25 2010: DEBUG: Checking LSA Group membership for \\IOWADC1, IT
S-WIRELESS, nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not
a member of any Group: IOWA\nmjoo [IOWA\nmjoo]
Wed Sep 29 09:53:25 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such us
er IOWA\nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed
: no such user IOWA\nmjoo
Wed Sep 29 09:53:25 2010: INFO: Access rejected for IOWA\nmjoo: EAP MSCHAP V2 fa
iled: no such user IOWA\nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: 0u<200><186><169><129><171><163>><188>K(<143><252>rs
Attributes:
EAP-Message = <4><7><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Wed Sep 29 09:53:25 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication re
dispatched to a Handler
Wed Sep 29 09:53:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner a
uthentication redispatched to a Handler
Wed Sep 29 09:53:25 2010: DEBUG: Access challenged for IOWA\nmjoo: EAP PEAP inne
r authentication redispatched to a Handler
Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Sending to 128.255.11.74 port 32768 ....
Code: Access-Challenge
Identifier: 214
Authentic: /<252><164>E<16>}<181><19><230>Ra<136>K%<236><28>
Attributes:
EAP-Message = <1><8><0>+<25><0><23><3><1><0> <31><17><177>=O<174><187>=p
rx2<137>*<162><190><218><186>N<228>J<253>K<158><205><131><213>|/<239><2>+
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Received from 128.255.11.74 port 32768 ....
Code: Access-Request
Identifier: 215
Authentic: <205><154><137>5<25><186><19><28>v<202>F<134><175>x<179><230>
Attributes:
User-Name = "IOWA\nmjoo"
NAS-IP-Address = 128.255.11.74
NAS-Port = 20481
Called-Station-Id = "00-90-0B-07-8C-89:UI-Test-ITSNT977"
Calling-Station-Id = "00-1F-3B-CC-09-ED"
Framed-MTU = 1250
NAS-Port-Type = Wireless-IEEE-802-11
Framed-Compression = None
Connect-Info = "CONNECT 802.11g"
EAP-Message = <2><8><0>+<25><0><23><3><1><0> <242><187><24>[<200><11><19
2><131><152>Zr`h~^`<137><204><25><191>e<16><144><26><29>fl<161>dYv<17>
Message-Authenticator = <183><180><8><127><189><3><151><212><137><160><2
41>|<127><15>!<192>
Wed Sep 29 09:53:25 2010: DEBUG: Handling request with Handler '', Identifier ''
Wed Sep 29 09:53:25 2010: DEBUG: Deleting session for IOWA\nmjoo, 128.255.11.74
, 20481
Wed Sep 29 09:53:25 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Sep 29 09:53:25 2010: DEBUG: Handling with EAP: code 2, 8, 43, 25
Wed Sep 29 09:53:25 2010: DEBUG: Response type 25
Wed Sep 29 09:53:25 2010: DEBUG: EAP result: 1, PEAP Authentication Failure
Wed Sep 29 09:53:25 2010: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication
Failure
Wed Sep 29 09:53:25 2010: INFO: Access rejected for IOWA\nmjoo: PEAP Authenticat
ion Failure
Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Sending to 128.255.11.74 port 32768 ....
Code: Access-Reject
Identifier: 215
Authentic: ]<229><7><5><31><26>'<30><240>x<11><144><210>w<255>E
Attributes:
EAP-Message = <4><8><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20100929/9e433f69/attachment-0001.html
More information about the radiator
mailing list