[RADIATOR] Troubles trying to proxy NTLM

[Heikki Vatiainen]

On 10/30/2014 11:39 AM, Jethro R Binks wrote:

> It seems to be that the act of switching between testing the monolithic 
> and the frontend/backend is what causes problems.  I suspect it is an 
> interaction between the two ntlm_auth processes (one spawned from each 
> Radiator) and the winbindd socket.

I tried proxying the inner EAP-MSCHAP-V2 with hash balance to two
different instances. In this case all instances, front end and the two
back ends, run on the same machine. There were no problems with the two
instances starting up ntlm_auth and having them running at the same time
while serving the requests.

Also, I think that I have not seen problems with multiple ntlm_auth
processes running and being active at the same time.

In your previous message you pointed out this:

Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508

The elapsed time looks like zero minus the current time stamp meaning
the start_time was not initialised. The start time gets initialised when
the EAP Identity message is received. This is the first EAP message in
the authentication session and even if it is not strictly required, I
have seen all the clients to send it first.

In other words, are you sure you are proxying all inner EAP-MSCHAP-V2
requests?

> I will try and look into it further later, but if anyone has come across 
> anything like this or knows more about the ntlm_auth/winbindd interaction 
> I'd be interested in your comments.

I think multiple ntlm_auths should be fine.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.