[RADIATOR] Suggestion for Error Message in AuthByLSA / MSCHAPv2

Heikki Vatiainen hvn at open.com.au
Tue Dec 10 09:27:18 CST 2013


On 12/09/2013 06:29 PM, Johnson, Neil M wrote:

> I'm SYSLOGing @ Trace Level 2 and SYSLOGing Authentication Failures.
> 
> Doing some testing:
> 
> Using an unknown user name I get one log message from the <AUTHLOG>:
> Dec  9 10:21:35 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
> 10:21:35 | 02-00-00-00-00-01 | wlantest0X at uiowa.edu | FAIL: EAP MSCHAP V2
> failed: no such user wlantest0X |  | NAS-IP 127.0.0.1

Trying with AuthBy LSA I get these results without and with group check
option enabled:

Tue Dec 10 17:14:03 2013:test-useri::EAP MSCHAP-V2 Authentication
failure:FAIL
Tue Dec 10 17:14:53 2013:test-useri::EAP MSCHAP V2 failed: no such user
test-useri:FAIL

The username is invalid and when group check is enabled, this is flagged
as 'no such user ...'. However, this message does not go into authlog:

Tue Dec 10 17:14:03 2013: WARNING: Could not LogonUserNetworkMSCHAP
(V2): 3221225581, 0, The user name or password is incorrect.

> Using a bad password I get one message from the RADIUS server and one
> from the <AUTHLOG>:
> Dec  9 10:21:56 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
> Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure:
> unknown user name or bad password.#015
> Dec  9 10:21:57 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
> 10:21:57 | 02-00-00-00-00-01 | wlantest02 at uiowa.edu | FAIL: EAP MSCHAP V2
> failed: no such user wlantest02 |  | NAS-IP 127.0.0.1

This is where I get different results too. Are you perhaps using
multiple AuthBys for PEAP inner authentication? I'd say plain AuthBy LSA
does not return 'no such user' for bad password.

It does appear though, that there is room for improvement when logging
failures since e.g., NTLM and LSA subsystems may return more information
than what is currently logged by authlog. I'll see what can be done to
make this information available instead of just returning '...
Authentication failure ...'.

> I was hoping that I could differentiate between an unknown user id and a
> bad password without using a higher logging level so our security office
> can identify attack attempts.

I'm not sure if LSA will tell if the username or password was incorrect.
If LSA is used with e.g., AuthBy LDAP2, then the information should be
more easily available as LDAP search result.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
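The thread above is about telling an unknown username apart from a wrong password in the authlog without raising the trace level. The following is an added example, not part of the mailing-list thread and not Radiator's own code: it parses authlog lines in the pipe-delimited layout quoted in the thread (time | MAC | user | PASS/FAIL: reason | extra | NAS-IP), classifies each as success, unknown user or other failure, and flags the two patterns a security office would want to review (many distinct unknown usernames from one NAS, repeated failures for one user). It also decodes the NTSTATUS code in the AuthBy LSA warning line; 3221225581 is 0xC000006D, STATUS_LOGON_FAILURE, which Windows returns for both an unknown account and a wrong password. The field order, the sample lines, hostnames, users and thresholds are all constructed assumptions; sites with a different LogFormat need to adjust the regular expression.

```python
"""Classify Radiator authlog lines and summarise failures per user and NAS.

Added example, not code from the thread or from Radiator. The line layout
follows the AuthLog output quoted on the list; the sample lines at the bottom
are constructed, not captured from a real server.
"""
import re
from collections import Counter, defaultdict

# Optional syslog prefix ("Dec  9 10:21:35 host c:\Perl64\bin\radiusd[1832]: ").
SYSLOG_PREFIX_RE = re.compile(r"^.*?radiusd\[\d+\]:\s*")

# Pipe-delimited authlog body as quoted in the thread. The field order is an
# assumption taken from those lines (LogFormat is site-configurable).
AUTHLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<mac>[^|]*?)\s*\|\s*"
    r"(?P<user>[^|]*?)\s*\|\s*"
    r"(?P<result>PASS|FAIL)(?::\s*(?P<reason>[^|]*?))?\s*\|\s*"
    r"(?P<extra>[^|]*?)\s*\|\s*NAS-IP\s+(?P<nas>\S+)\s*$"
)

# "Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, ..." from AuthBy LSA.
LSA_WARNING_RE = re.compile(
    r"Could not LogonUserNetworkMSCHAP.*?:\s*(?P<status>\d+),\s*(?P<sub>\d+),\s*(?P<text>.*)$"
)


def classify(line):
    """Return (category, fields) for an authlog line, or None for any other line.

    category is 'success', 'unknown_user' or 'auth_failure'. 'auth_failure'
    covers every other FAIL, bad passwords included: the stock 'Authentication
    failure' text does not say which credential was wrong.
    """
    body = SYSLOG_PREFIX_RE.sub("", line.strip())
    m = AUTHLOG_RE.match(body)
    if not m:
        return None
    f = m.groupdict()
    reason = (f["reason"] or "").lower()
    if f["result"] == "PASS":
        cat = "success"
    elif "no such user" in reason:
        cat = "unknown_user"
    else:
        cat = "auth_failure"
    return cat, f


def lsa_status(line):
    """Decode the NTSTATUS code of an AuthBy LSA warning line as a hex string.

    3221225581 -> 0xC000006D (STATUS_LOGON_FAILURE), used for both an unknown
    account and a wrong password, so this line alone cannot separate the two.
    """
    m = LSA_WARNING_RE.search(line)
    if not m:
        return None
    return "0x%08X" % int(m.group("status"))


def summarise(lines, unknown_user_threshold=3, failure_threshold=3):
    """Count outcomes and flag patterns worth reviewing: many distinct unknown
    usernames from one NAS, or repeated failures for one known user.
    Thresholds are constructed defaults, not Radiator settings."""
    counts = Counter()
    unknown_users_by_nas = defaultdict(set)
    failures_by_user = Counter()
    for line in lines:
        res = classify(line)
        if res is None:
            continue
        cat, f = res
        counts[cat] += 1
        if cat == "unknown_user":
            unknown_users_by_nas[f["nas"]].add(f["user"])
        elif cat == "auth_failure":
            failures_by_user[f["user"]] += 1
    alerts = []
    for nas, users in sorted(unknown_users_by_nas.items()):
        if len(users) >= unknown_user_threshold:
            alerts.append("NAS %s: %d distinct unknown usernames" % (nas, len(users)))
    for user, n in sorted(failures_by_user.items()):
        if n >= failure_threshold:
            alerts.append("user %s: %d authentication failures" % (user, n))
    return counts, alerts


# Constructed sample lines in the quoted layout (hosts, users and MACs are made up).
SAMPLE_LINES = [
    "Dec  9 10:21:35 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | wlantest0X@example.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest0X |  | NAS-IP 127.0.0.1",
    "10:21:40 | 02-00-00-00-00-01 | nosuch1@example.edu | FAIL: EAP MSCHAP V2 failed: no such user nosuch1 |  | NAS-IP 127.0.0.1",
    "10:21:44 | 02-00-00-00-00-01 | nosuch2@example.edu | FAIL: EAP MSCHAP V2 failed: no such user nosuch2 |  | NAS-IP 127.0.0.1",
    "10:21:56 | 02-00-00-00-00-02 | wlantest02@example.edu | FAIL: EAP MSCHAP-V2 Authentication failure |  | NAS-IP 10.0.0.5",
    "10:22:01 | 02-00-00-00-00-02 | wlantest02@example.edu | FAIL: EAP MSCHAP-V2 Authentication failure |  | NAS-IP 10.0.0.5",
    "10:22:07 | 02-00-00-00-00-02 | wlantest02@example.edu | FAIL: EAP MSCHAP-V2 Authentication failure |  | NAS-IP 10.0.0.5",
    "10:22:30 | 02-00-00-00-00-03 | wlantest01@example.edu | PASS |  | NAS-IP 10.0.0.5",
    "Dec  9 10:21:56 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.",
]

if __name__ == "__main__":
    counts, alerts = summarise(SAMPLE_LINES)
    print(dict(counts))
    for a in alerts:
        print("ALERT:", a)
    print(lsa_status(SAMPLE_LINES[-1]))
```

On the constructed sample the summary reports three unknown-user failures, three other failures and one success, and raises one alert for the NAS at 127.0.0.1 and one for wlantest02. The LSA warning line is deliberately not counted as an authlog entry; it is only decoded, which makes the thread's point concrete: with STATUS_LOGON_FAILURE alone there is nothing to split into "unknown user" and "bad password", so the distinction has to come from the authlog reason text (or, as Heikki suggests, from an LDAP lookup ahead of LSA).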
