[RADIATOR] Authby LSA and AD Groups (Redux)

Johnson, Neil M neil-johnson at uiowa.edu
Wed Sep 29 10:03:17 CDT 2010


I am making another attempt to get AuthbyLSA working on Windows Server 2008 R2.

As before, as long as I don't check for groups, the authentication works fine, but when I try to check for group membership the authentication fails.

Attached is the config file and trace 4 output.

# lsa_eap_peap.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# PEAP authentication as used by Windows XP (starting with SP1)
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate Wireless PEAP users from a Windows LSA, which
# permits authentication against any Windows Active Directory Domain
# or NT Domain.
# It will accept requests from any client and try to handle request
# for any realm.
# To use this LSA, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security policy
# enabled.
# Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
#
# To use this example, Radiator must be run on Windows as
# a user that has the 'Act as part of the operating system' security policy
# enabled. This is not possible with Windows XP Home edition.
#
# Requires the Win32-Lsa perl module from Open System Consultants.
# Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
#   ppm install --location=http://www.open.com.au/radiator/free-downloads Win32-Lsa
#
# Users will only be authenticated if they have the 'Access this computer from the network'
# security policy enabled. Their other account restrictions will also be checked
# CHAP passwords can only be authenticated if the user has their
# 'Store password using reversible encryption' option enabled in their Account
#
# In order to test this, you can use the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires openssl and Net_SSLeay.
#
# You should consider this file to be a starting point only
# $Id: lsa_eap_peap.cfg,v 1.8 2010/08/10 22:37:25 mikem Exp $

Foreground
LogStdout
LogDir                   .
DbDir                     .
# Use a lower trace level in production systems:
Trace                     4

# Ports to listen on
AuthPort 1812
AcctPort 1813

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
                Secret   XXXXXXXXXXXXX
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
                # Authenticate with Windows LSA
                <AuthBy LSA>
                                # Specifies which Windows Domain is ALWAYS to be used to authenticate
                                # users (even if they specify a different domain in their username).
                                # Empty string means the local machine only
                                # Special characters are supported. Can be an Active
                                # directory domain or a Windows NT domain controller
                                # domain name
                                # Empty string (the default) means the local machine
                                #Domain OPEN

                                # Specifies the Windows Domain to use if the user does not
                                # specify a domain in their username.
                                # Special characters are supported. Can be an Active
                                # directory domain or a Windows NT domain controller
                                # domain name
                                # Empty string (the default) means the local machine
                                DefaultDomain IOWA

                                # You can check whether each user is the member of a windows group
                                # with the Group parameter. If more than one Group is specified, then the
                                # user must be a member of at least one of them. Requires Win32::NetAdmin
                                # (which is installed by default with ActivePerl). If no Group
                                # parameters are specified, then Group checks will not be performed.
                                #Group Administrators
                                #Group Domain Users
                                Group ITS-WIRELESS

                                # You can specify which domain controller will be used to check group
                                # membership with the DomainController parameter. If no Group parameters
                                # are specified, DomainController will not be used. Defaults to
                                # empty string, meaning the default controller of the host where this
                                # instance of Radiator is running.
                                #DomainController zulu

                                # This tells the PEAP client what types of inner EAP requests
                                # we will honour
                                EAPType MSCHAP-V2
                </AuthBy>
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
                <AuthBy FILE>
                                # The username of the outer authentication
                                #  must be in this file to get anywhere. In this example,
                                # it requires an entry for 'anonymous' which is the standard username
                                # in the outer requests, and it also requires an entry for the
                                # actual user name who is trying to connect (ie the 'Login name' entered
                                # in the Funk Odyssey 'Edit Profile Properties' page
                                Filename %D/users

                                # EAPType sets the EAP type(s) that Radiator will honour.
                                # Options are: MD5-Challenge, One-Time-Password
                                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                                # Multiple types can be comma separated. With the default (most
                                # preferred) type given first
                                EAPType PEAP

                                # EAPTLS_CAFile is the name of a file of CA certificates
                                # in PEM format. The file can contain several CA certificates
                                # Radiator will first look in EAPTLS_CAFile then in
                                # EAPTLS_CAPath, so there usually is no need to set both
                                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

                                # EAPTLS_CAPath is the name of a directory containing CA
                                # certificates in PEM format. The files each contain one
                                # CA certificate. The files are looked up by the CA
                                # subject name hash value
#                             EAPTLS_CAPath

                                # EAPTLS_CertificateFile is the name of a file containing
                                # the server's certificate. EAPTLS_CertificateType
                                # specifies the type of the file. Can be PEM or ASN1
                                # defaults to ASN1
                                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                                EAPTLS_CertificateType PEM

                                # EAPTLS_PrivateKeyFile is the name of the file containing
                                # the server's private key. It is sometimes in the same file
                                # as the server certificate (EAPTLS_CertificateFile)
                                # If the private key is encrypted (usually the case)
                                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                                EAPTLS_PrivateKeyPassword whatever

                                # EAPTLS_RandomFile is an optional file containing
                                # randomness
#                             EAPTLS_RandomFile %D/certificates/random

                                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                                # size that will be replied by Radiator. It must be small
                                # enough to fit in a single Radius request (ie less than 4096)
                                # and still leave enough space for other attributes
                                # Aironet APs seem to need a smaller MaxFragmentSize
                                # (eg 1024) than the default of 2048. Others need even smaller sizes.
                                EAPTLS_MaxFragmentSize 1000

                                # EAPTLS_DHFile if set specifies the DH group file. It
                                # may be required if you need to use ephemeral DH keys.
#                             EAPTLS_DHFile %D/certificates/cert/dh


                                # If EAPTLS_CRLCheck is set  and the client presents a certificate
                                # then Radiator will look for a certificate revocation list (CRL)
                                # for the certificate issuer
                                # when authenticating each client. If a CRL file is not found, or
                                # if the CRL says the certificate has been revoked, the authentication will
                                # fail with an error:
                                #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                                # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
                                # Alternatively, CRLs may follow a file naming convention:
                                #  the hash of the issuer subject name
                                # and a suffix that depends on the serial number.
                                # eg ab1331b2.r0, ab1331b2.r1 etc.
                                # You can find out the hash of the issuer name in a CRL with
                                #  openssl crl -in crl.pem -hash -noout
                                # CRLs with this name convention
                                # will be searched in EAPTLS_CAPath, else in the openssl
                                # certificates directory typically /usr/local/openssl/certs/
                                # CRLs are expected to be in PEM format.
                                # CRL files can be generated with openssl like this:
                                #  openssl ca -gencrl -revoke cert-clt.pem
                                #  openssl ca -gencrl -out crl.pem
                                # Use of these flags requires Net_SSLeay-1.21 or later
                                #EAPTLS_CRLCheck
                                #EAPTLS_CRLFile %D/certificates/crl.pem
                                #EAPTLS_CRLFile %D/certificates/revocations.pem

                                # Some clients, depending on their configuration, may require you to specify
                                # MPPE send and receive keys. This _will_ be required if you select
                                # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
                                # client Network Properties dialog.
                                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                                # in the final Access-Accept
                                AutoMPPEKeys

                                # You can configure the User-Name that will be used for the inner
                                # authentication. Defaults to 'anonymous'. This can be useful
                                # when proxying the inner authentication. If there is a realm, it can
                                # be used to choose a local Realm to handle the inner authentication.
                                # %0 is replaced with the EAP identity
                                # EAPAnonymous anonymous at some.other.realm
                                EAPAnonymous %0

                                # You can enable or disable support for TTLS Session Resumption and
                                # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                                # Default is enabled
                                #EAPTLS_SessionResumption 0

                                # You can limit how long after the initial session that a session can be resumed
                                # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
                                # (12 hours)
                                #EAPTLS_SessionResumptionLimit 10

                                # You can control which version of the draft PEAP protocol to honour
                                # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
                                # such as Funk Odyssey Client 2.22 or later.
                                EAPTLS_PEAPVersion 0
                </AuthBy>
</Handler>

Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Received from 128.255.11.74 port 32768 ....
Code:       Access-Request
Identifier: 214
Authentic:  <209><241>8<205><198><3><215>yeq<214>w<176><152>m<137>
Attributes:
        User-Name = "IOWA\nmjoo"
        NAS-IP-Address = 128.255.11.74
        NAS-Port = 20481
        Called-Station-Id = "00-90-0B-07-8C-89:UI-Test-ITSNT977"
        Calling-Station-Id = "00-1F-3B-CC-09-ED"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11g"
        EAP-Message = <2><7><0>k<25><0><23><3><1><0>`<228>v<226>\<233><246>I<23>
rf\k<17>I<20><136>p<5><229>a[<241><173>s<19>gI!<204><1>pS<228><191><225>`O<188><
171><230><2>s<133><143><31>$<159>R<154>f<189><154><26><169>!<9><156><142><239><1
43><1>a<30>v<159><178>{<140><192>%<241><204>(M<155><162><223><165>^<197>%<168><2
14><202><199>]D<245>:t<157><224><133><217><16><158>
        Message-Authenticator = w<249><206><233><208>g<232>G<224><248>&<143>2<14
>|v

Wed Sep 29 09:53:25 2010: DEBUG: Handling request with Handler '', Identifier ''

Wed Sep 29 09:53:25 2010: DEBUG:  Deleting session for IOWA\nmjoo, 128.255.11.74, 20481
Wed Sep 29 09:53:25 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Sep 29 09:53:25 2010: DEBUG: Handling with EAP: code 2, 7, 107, 25
Wed Sep 29 09:53:25 2010: DEBUG: Response type 25
Wed Sep 29 09:53:25 2010: DEBUG: EAP PEAP inner authentication request for IOWA\nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  0u<200><186><169><129><171><163>><188>K(<143><252>rs
Attributes:
        EAP-Message = <2><7><0>A<26><2><7><0>@1,<24><4>apkL<134>I:<8><232>4L_<19
2><0><0><0><0><0><0><0><0><129>VJ"<182><148><155><161>:<19><22>"<16><157>)4<251>
VxT<130>l<156>g<0>IOWA\nmjoo
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

        NAS-IP-Address = 128.255.11.74
        NAS-Port = 20481
        Calling-Station-Id = "00-1F-3B-CC-09-ED"
        User-Name = "IOWA\nmjoo"

Wed Sep 29 09:53:25 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Wed Sep 29 09:53:25 2010: DEBUG:  Deleting session for IOWA\nmjoo, 128.255.11.74, 20481
Wed Sep 29 09:53:25 2010: DEBUG: Handling with Radius::AuthLSA:
Wed Sep 29 09:53:25 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
Wed Sep 29 09:53:25 2010: DEBUG: Response type 26
Wed Sep 29 09:53:25 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [IOWA\nmjoo]
Wed Sep 29 09:53:25 2010: DEBUG: Checking LSA Group membership for \\IOWADC1, ITS-WIRELESS, nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [IOWA\nmjoo]
Wed Sep 29 09:53:25 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Wed Sep 29 09:53:25 2010: INFO: Access rejected for IOWA\nmjoo: EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Wed Sep 29 09:53:25 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  0u<200><186><169><129><171><163>><188>K(<143><252>rs
Attributes:
        EAP-Message = <4><7><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

        Reply-Message = "Request Denied"

Wed Sep 29 09:53:25 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Wed Sep 29 09:53:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Wed Sep 29 09:53:25 2010: DEBUG: Access challenged for IOWA\nmjoo: EAP PEAP inner authentication redispatched to a Handler
Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Sending to 128.255.11.74 port 32768 ....
Code:       Access-Challenge
Identifier: 214
Authentic:  /<252><164>E<16>}<181><19><230>Ra<136>K%<236><28>
Attributes:
        EAP-Message = <1><8><0>+<25><0><23><3><1><0> <31><17><177>=O<174><187>=p
rx2<137>*<162><190><218><186>N<228>J<253>K<158><205><131><213>|/<239><2>+
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Received from 128.255.11.74 port 32768 ....
Code:       Access-Request
Identifier: 215
Authentic:  <205><154><137>5<25><186><19><28>v<202>F<134><175>x<179><230>
Attributes:
        User-Name = "IOWA\nmjoo"
        NAS-IP-Address = 128.255.11.74
        NAS-Port = 20481
        Called-Station-Id = "00-90-0B-07-8C-89:UI-Test-ITSNT977"
        Calling-Station-Id = "00-1F-3B-CC-09-ED"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11g"
        EAP-Message = <2><8><0>+<25><0><23><3><1><0> <242><187><24>[<200><11><19
2><131><152>Zr`h~^`<137><204><25><191>e<16><144><26><29>fl<161>dYv<17>
        Message-Authenticator = <183><180><8><127><189><3><151><212><137><160><2
41>|<127><15>!<192>

Wed Sep 29 09:53:25 2010: DEBUG: Handling request with Handler '', Identifier ''

Wed Sep 29 09:53:25 2010: DEBUG:  Deleting session for IOWA\nmjoo, 128.255.11.74, 20481
Wed Sep 29 09:53:25 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Sep 29 09:53:25 2010: DEBUG: Handling with EAP: code 2, 8, 43, 25
Wed Sep 29 09:53:25 2010: DEBUG: Response type 25
Wed Sep 29 09:53:25 2010: DEBUG: EAP result: 1, PEAP Authentication Failure
Wed Sep 29 09:53:25 2010: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
Wed Sep 29 09:53:25 2010: INFO: Access rejected for IOWA\nmjoo: PEAP Authentication Failure
Wed Sep 29 09:53:25 2010: DEBUG: Packet dump:
*** Sending to 128.255.11.74 port 32768 ....
Code:       Access-Reject
Identifier: 215
Authentic:  ]<229><7><5><31><26>'<30><240>x<11><144><210>w<255>E
Attributes:
        EAP-Message = <4><8><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

        Reply-Message = "Request Denied"


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu
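The Group check that fails in the trace above ("Checking LSA Group membership for \\IOWADC1, ITS-WIRELESS, nmjoo") depends on Win32::NetAdmin, which the config comments name as the required module. The script below is an added diagnostic, not code from Radiator or from the original post: it runs the same kind of lookup outside Radiator so the group check can be tested in isolation. The DC, group and user names are taken from the trace; that Radiator calls exactly these functions is an assumption.

```perl
#!/usr/bin/perl
# Added diagnostic (not part of Radiator or the original post): exercise the
# Win32::NetAdmin group lookups that an AuthBy LSA "Group" check relies on.
# Run on the Radiator host, as the same account Radiator runs under.
use strict;
use warnings;
use Win32;
use Win32::NetAdmin qw(GroupIsMember LocalGroupIsMember GroupGetMembers);

my $dc    = '\\\\IOWADC1';     # controller named in the trace (assumed reachable)
my $group = 'ITS-WIRELESS';    # Group parameter from the posted config
my $user  = 'nmjoo';           # sAMAccountName, without the IOWA\ prefix

# Win32::NetAdmin exposes two different membership APIs. GroupIsMember is the
# global-group lookup (NetGroup* API); LocalGroupIsMember is the local /
# domain-local lookup (NetLocalGroup* API). A group only visible through one
# of them will look like "not a member" through the other, which is why both
# are tried here.
my $global = GroupIsMember($dc, $group, $user) ? 1 : 0;
my $local  = LocalGroupIsMember($dc, $group, $user) ? 1 : 0;
printf "global-group lookup : %s\n", $global ? 'member' : 'not a member';
printf "local-group lookup  : %s\n", $local  ? 'member' : 'not a member';

# Enumerate the members the global-group API can see, to tell "user is not in
# the group" apart from "the group is not visible to this API at all".
my @members;
if (GroupGetMembers($dc, $group, \@members)) {
    print "members visible via GroupGetMembers: ",
          (@members ? join(', ', @members) : '(none)'), "\n";
} else {
    # Win32::GetLastError carries the NetAPI status (access denied, no such group...)
    printf "GroupGetMembers failed: %s\n",
           Win32::FormatMessage(Win32::GetLastError());
}
```

If neither lookup reports membership while the user is in the group in Active Directory Users and Computers, compare the group's scope and the rights of the account running the script before changing anything in the Radiator config.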
