[RADIATOR] Suggestion for Error Message in AuthByLSA / MSCHAPv2

Johnson, Neil M neil-johnson at uiowa.edu
Mon Dec 9 10:29:48 CST 2013


I'm SYSLOGing @ Trace Level 2 and SYSLOGing Authentication Failures.

Doing some testing:

Using an unknown user name I get one log message from the <AUTHLOG>:
Dec  9 10:21:35 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
10:21:35 | 02-00-00-00-00-01 | wlantest0X at uiowa.edu | FAIL: EAP MSCHAP V2
failed: no such user wlantest0X |  | NAS-IP 127.0.0.1

Using a bad password I get one message from the RADIUS server and one
from the <AUTHLOG>:
Dec  9 10:21:56 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure:
unknown user name or bad password.#015
Dec  9 10:21:57 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
10:21:57 | 02-00-00-00-00-01 | wlantest02 at uiowa.edu | FAIL: EAP MSCHAP V2
failed: no such user wlantest02 |  | NAS-IP 127.0.0.1


I was hoping that I could differentiate between an unknown user id and a
bad password without using a higher logging level so our security office
can identify attack attempts.

-Neil


-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-johnson at uiowa.edu
Lync: neil-johnson at uiowa.edu

On 11/26/13 3:27 AM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 11/22/2013 05:53 PM, Johnson, Neil M wrote:
>
>> We are using AuthByLSA and EAP/PEAP/MSCHAPv2 for wireless
>>authentication.
>> 
>> The only message we see in our AuthLog when a user is either
>> non-existent or has a bad password is:
>> Nov 22 03:33:13 itsnt552.iowa.uiowa.edu
>> c: \Perl64\bin\radiusd[2056]: 03:33:13 | A0-F4-50-AF-8A-76 |
>> Pheneghan at uiowa.edu | FAIL: EAP MSCHAP V2
>> failed: no such user Pheneghan at uiowa.edu |
>>  | NAS-IP 128.255.11.136
>> 
>> However right before the AuthLog message we get the following Trace 2
>> message Logged.
>> Nov 22 03:33:13 itsnt552.iowa.uiowa.edu
>> c: \Perl64\bin\radiusd[2056]: Could not LogonUserNetworkMSCHAP (V2):
>> 3221225581, 0, Logon failure: unknown user name or bad password.#015
>
>Hello Neil,
>
>the status (return) value from the logon call is 3221225581, or
>0xC000006D in hex. The MS NTSTATUS list:
>http://msdn.microsoft.com/en-us/library/cc704588.aspx tells:
>
>'... bad username or authentication information.'
>
>The substatus code in the error message is 0. If you look at the error
>logs, do you see different values for status and substatus values? For
>example, 0xC000006D and 0xC0000064 for 'bad username or authentication
>information' and 'no such user'.
>
>> Is there a way to differentiate between "unknown user name" and "bad
>> password" in the logs.
>
>The logon call returns just status, and substatus can be fetched
>separately, so the two values in the log message are the only information
>available. However, you may want to check if the values change based on
>the real reason such as bad password or non-existing user.
>
>> It would help us track down users with misconfigured wireless devices.
>
>Please let us know if the above helps. It may depend on the windows
>environment, so I can not tell for sure what the status codes will tell.
>
>Thanks,
>Heikki
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
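Heikki's suggestion is to check whether the status and substatus values in the Trace 2 message differ between the two cases. The following is an added example, not part of the thread and not Radiator's own code, that parses the two kinds of log line Neil posted, decodes the decimal NTSTATUS values Radiator logs (3221225581 is 0xC000006D) to their names, and pairs each AuthLog FAIL with the LogonUser trace message that preceded it from the same radiusd pid, since the trace message carries no username. The NTSTATUS names are taken from the Microsoft reference linked above; the sample lines are constructed from the ones Neil posted, with '@' restored where the list archive prints ' at '. The rule that a FAIL with no preceding LogonUser message means the user was rejected before the Windows logon call is only a heuristic drawn from Neil's two tests, not documented Radiator behaviour.

```python
import re

# NTSTATUS values from the Microsoft NTSTATUS reference linked in the thread
# (http://msdn.microsoft.com/en-us/library/cc704588.aspx). Only 0xC000006D
# appears in the posted logs; the rest are the codes that would distinguish cases.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",        # "bad username or authentication information"
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Syslog prefix as in the posted lines: "<ts> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Trace 2 message from AuthByLSA; "#015" is the CR that syslog escaped.
TRACE_RE = re.compile(
    r"^Could not LogonUserNetworkMSCHAP \(V2\): (?P<status>\d+), (?P<substatus>\d+), (?P<text>.*?)(?:#015)?$"
)
# AuthLog line: "<time> | <mac> | <user> | FAIL: <reason> | <extra> | NAS-IP <ip>"
AUTHLOG_RE = re.compile(
    r"^\d\d:\d\d:\d\d \| (?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}) \| (?P<user>[^|]+?) \| "
    r"(?P<result>\w+): (?P<reason>[^|]*?) \|[^|]*\| NAS-IP (?P<nas>\S+)$"
)


def ntstatus_name(code):
    return NTSTATUS_NAMES.get(code, "unknown (0x%08X)" % code)


def classify(status, substatus):
    """Map the (status, substatus) pair from the trace message to a reason.

    A non-zero substatus, or a specific status, gives the distinction. With
    STATUS_LOGON_FAILURE and substatus 0, as in the posted logs, it cannot be made.
    """
    code = substatus or status
    if code == 0xC0000064:
        return "unknown user"
    if code == 0xC000006A:
        return "bad password"
    if status == 0xC000006D and substatus == 0:
        return "logon failure (unknown user or bad password, not distinguishable)"
    return "other: " + ntstatus_name(code)


def parse_line(line):
    """Parse one syslog line into a dict; None for lines without the syslog prefix."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "pid": int(m["pid"]), "msg": m["msg"], "kind": "other"}
    t = TRACE_RE.match(m["msg"])
    if t:
        status, substatus = int(t["status"]), int(t["substatus"])
        rec.update(kind="trace", status=status, substatus=substatus,
                   status_name=ntstatus_name(status), classification=classify(status, substatus))
        return rec
    a = AUTHLOG_RE.match(m["msg"])
    if a:
        rec.update(kind="authlog", mac=a["mac"], user=a["user"].strip(),
                   result=a["result"], reason=a["reason"], nas=a["nas"])
    return rec


def correlate(lines):
    """Attach each trace message to the next AuthLog FAIL from the same radiusd pid."""
    pending, events = {}, []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "trace":
            pending[rec["pid"]] = rec
        elif rec["kind"] == "authlog" and rec["result"] == "FAIL":
            trace = pending.pop(rec["pid"], None)
            events.append({
                "ts": rec["ts"], "user": rec["user"], "mac": rec["mac"], "nas": rec["nas"],
                "status": "0x%08X" % trace["status"] if trace else None,
                "substatus": "0x%08X" % trace["substatus"] if trace else None,
                # Heuristic from the two posted tests: no LogonUser message means the
                # user was rejected before the Windows logon call was made.
                "classification": trace["classification"] if trace
                                  else "no LogonUser call logged (rejected before logon)",
            })
    return events


# Constructed sample in the format Neil posted ('@' restored where the archive shows ' at ').
SAMPLE_LOG = """\
Dec  9 10:21:35 itsnt808.iowa.uiowa.edu c:\\Perl64\\bin\\radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | wlantest0X@uiowa.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest0X |  | NAS-IP 127.0.0.1
Dec  9 10:21:56 itsnt808.iowa.uiowa.edu c:\\Perl64\\bin\\radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.#015
Dec  9 10:21:57 itsnt808.iowa.uiowa.edu c:\\Perl64\\bin\\radiusd[1832]: 10:21:57 | 02-00-00-00-00-01 | wlantest02@uiowa.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest02 |  | NAS-IP 127.0.0.1
""".splitlines()

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(ev)
```

Run against a real syslog feed, the first thing to look at is whether `substatus` ever comes back non-zero; if it stays 0 and `status` stays 0xC000006D for both kinds of failure, the Windows side is not giving Radiator anything to distinguish them with, and only the presence or absence of the LogonUser trace message separates the two cases in the posted tests.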