[RADIATOR] Suggestion for Error Message in AuthByLSA / MSCHAPv2

Johnson, Neil M neil-johnson at uiowa.edu
Wed Dec 11 10:46:25 CST 2013



Heikki,

You are correct, I'm using multiple AuthBy clauses with AuthByPolicy
ContinueUntilAcceptOrChallenge set.

I need to do this to check membership in multiple AD groups.

That could explain why I always get messages for the user not being found.

-Neil


-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938 <tel:+13193840938>
Fax: +1 319 335-2951 <tel:+13193352951>
E-Mail: neil-johnson at uiowa.edu

Lync: neil-johnson at uiowa.edu <sip:neil-johnson at uiowa.edu>






On 12/10/13 9:27 AM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 12/09/2013 06:29 PM, Johnson, Neil M wrote:
>
>> I'm SYSLOGing @ Trace Level 2 and SYSLOGing Authentication Failures.
>> 
>> Doing some testing:
>> 
>> Using an unknown user name I get one log message from the <AUTHLOG>:
>> Dec  9 10:21:35 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
>> 10:21:35 | 02-00-00-00-00-01 | wlantest0X at uiowa.edu | FAIL: EAP MSCHAP V2
>> failed: no such user wlantest0X |  | NAS-IP 127.0.0.1
>
>Trying with AuthBy LSA I get these results without and with group check
>option enabled:
>
>Tue Dec 10 17:14:03 2013:test-useri::EAP MSCHAP-V2 Authentication
>failure:FAIL
>Tue Dec 10 17:14:53 2013:test-useri::EAP MSCHAP V2 failed: no such user
>test-useri:FAIL
>
>The username is invalid and when group check is enabled, this is flagged
>as 'no such user ...'. However, this message does not go into authlog:
>
>Tue Dec 10 17:14:03 2013: WARNING: Could not LogonUserNetworkMSCHAP
>(V2): 3221225581, 0, The user name or password is incorrect.
>
>> Using a bad password I get one message from the RADIUS server and one
>> from the <AUTHLOG>:
>> Dec  9 10:21:56 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
>> Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure:
>> unknown user name or bad password.#015
>> Dec  9 10:21:57 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]:
>> 10:21:57 | 02-00-00-00-00-01 | wlantest02 at uiowa.edu | FAIL: EAP MSCHAP V2
>> failed: no such user wlantest02 |  | NAS-IP 127.0.0.1
>
>This is where I get different results too. Are you perhaps using
>multiple AuthBys for PEAP inner authentication? I'd say plain AuthBy LSA
>does not return 'no such user' for bad password.
>
>It does appear though, that there is room for improvement when logging
>failures since e.g., NTLM and LSA subsystems may return more information
>than what is currently logged by authlog. I'll see what can be done to
>make this information available instead of just returning '...
>Authentication failure ...'.
>
>> I was hoping that I could differentiate between an unknown user id and a
>> bad password without using a higher logging level so our security office
>> can identify attack attempts.
>
>I'm not sure if LSA will tell if the username or password was incorrect.
>If LSA is used with e.g., AuthBy LDAP2, then the information should be
>more easily available as LDAP search result.
>
>Thanks,
>Heikki
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
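The two log formats quoted in this thread (the authlog `FAIL:` line and the `Could not LogonUserNetworkMSCHAP` warning) are enough to build the kind of failure classifier Neil is after, so here is one as an added example. It is not code from the thread or from Radiator. The sample lines are constructed in the same layout as the quoted ones (hostname, users and MACs are made up, and `user@domain` is used where the list archive shows `user at domain`); the per-MAC threshold is an assumption. The numeric code 3221225581 is 0xC000006D, the Windows NTSTATUS `STATUS_LOGON_FAILURE`, whose own message text says it covers both an unknown user name and a bad password, so the warning line does not separate the two cases. Note also Heikki's point above: with several AuthBy clauses under `AuthByPolicy ContinueUntilAcceptOrChallenge`, the reason in the authlog is whatever the last AuthBy in the chain reported, so `no such user` may still be a bad-password case and the counts below are only as trustworthy as that chain.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (host, users and MACs are made up) in the layout of
# the authlog and WARNING lines quoted in the thread. Real lines carry
# "user@domain"; the list archive munges that to "user at domain".
SAMPLE_LOG = """\
Dec  9 10:21:35 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | wlantest0X@example.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest0X |  | NAS-IP 127.0.0.1
Dec  9 10:21:36 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: 10:21:36 | 02-00-00-00-00-01 | wlantest0Y@example.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest0Y |  | NAS-IP 127.0.0.1
Dec  9 10:21:56 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Dec  9 10:21:57 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: 10:21:57 | 02-00-00-00-00-02 | wlantest02@example.edu | FAIL: EAP MSCHAP-V2 Authentication failure |  | NAS-IP 127.0.0.1
Dec  9 10:22:01 radius1.example.edu c:\\Perl64\\bin\\radiusd[1832]: INFO: Server started
"""

# authlog layout from the thread: time | MAC | user | FAIL: reason | <empty> | NAS-IP x
AUTHLOG_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) \| (?P<mac>[0-9A-Fa-f-]+) \| (?P<user>[^|]+?) \| "
    r"FAIL: (?P<reason>[^|]*?) \|[^|]*\| NAS-IP (?P<nas>\S+)"
)

# LSA warning layout from the thread: "... (V2): <ntstatus decimal>, <sub>, <text>"
NTSTATUS_RE = re.compile(
    r"Could not LogonUserNetworkMSCHAP \(V2\): (?P<code>\d+), (?P<sub>\d+), (?P<text>.*)$"
)

# 3221225581 == 0xC000006D == STATUS_LOGON_FAILURE, returned by Windows for
# both an unknown user name and a bad password (its message text says so).
NTSTATUS_NAMES = {0xC000006D: "STATUS_LOGON_FAILURE"}


def parse_line(line):
    """Classify one radiusd syslog line; returns a dict or None if it is neither format."""
    m = AUTHLOG_RE.search(line)
    if m:
        reason = m.group("reason").strip()
        if "no such user" in reason:
            kind = "unknown-user"
        elif "Authentication failure" in reason:
            kind = "auth-failure"  # bad password, as far as the reporting AuthBy can tell
        else:
            kind = "other"
        return {
            "source": "authlog",
            "time": m.group("time"),
            "mac": m.group("mac"),
            "user": m.group("user").strip(),
            "nas": m.group("nas"),
            "kind": kind,
            "reason": reason,
        }
    m = NTSTATUS_RE.search(line)
    if m:
        code = int(m.group("code"))
        return {
            "source": "lsa-warning",
            "ntstatus": f"0x{code:08X}",
            "ntstatus_name": NTSTATUS_NAMES.get(code, "unknown"),
            "text": m.group("text").strip(),
        }
    return None


def summarize(log_text, threshold=2):
    """Count authlog failure kinds and flag client MACs that produced at least
    `threshold` unknown-user failures (a crude username-guessing signal).
    `threshold` is an assumed value for this example."""
    counts = Counter()
    per_mac = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["source"] != "authlog":
            continue
        counts[rec["kind"]] += 1
        per_mac[rec["mac"]][rec["kind"]] += 1
    flagged = sorted(mac for mac, c in per_mac.items() if c["unknown-user"] >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print("failure counts:", counts)
    print("MACs with repeated unknown-user failures:", flagged)
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec and rec["source"] == "lsa-warning":
            print("LSA warning:", rec["ntstatus"], rec["ntstatus_name"], "-", rec["text"])
```

Feed it the authlog and radiusd syslog output rather than the trace log, since the point of the thread is to get this distinction at Trace Level 2 without raising the logging level.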


