[RADIATOR] Using RADIUS with RDS Gateway

Tuure Vartiainen vartiait at open.com.au
Mon Jul 17 09:56:38 UTC 2017


Hi,

> On 14 Jul 2017, at 20.16, S.Schwarz at lumc.nl wrote:
>    
> However once I do this, in my RADIUS server I receive the following error once I try to authenticate. I figured I’d test out LSA first, and once I have that working I’d work on getting OTP’s working
>  
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Received from 172.16.0.3 port 55428 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
> Attributes:
>                 Service-Type = Voice
>                 User-Name = "domain\username"
>                 Called-Station-Id = "UserAuthType:PW"
>                 MS-Machine-Name = "hostname.something"
>                 MS-Network-Access-Server-Type = Terminal-Server-Gateway
>                 NAS-Port-Type = Virtual
>                 Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>  
> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 'Client-Identifier = From_NPS', Identifier 'Default'
> Mon Jul 10 03:36:41 2017: DEBUG:  Deleting session for domain\username, 172.16.0.3,
> Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA:
> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, Authentication protocol Unknown not allowed by AuthenProto configuration parameter
> Mon Jul 10 03:36:41 2017: INFO: Access rejected for domain\username: Authentication protocol Unknown not allowed by AuthenProto configuration parameter
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Sending to 172.16.0.3 port 55428 ....
> Code:       Access-Reject
> Identifier: 2
> Authentic:  <168><196>1<151><190>*<174><132><177>*l<209>\NT~
> Attributes:
>                 Reply-Message = "Request Denied"
>                 Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>  
>  
> I tried the following handler for LSA auth:
> <Handler Client-Identifier = From_NPS>
>                 Identifier Default
>                 <AuthBy LSA>
>                                 Domain domainname
>                                 UsernameMatchesWithoutRealm
>                 </AuthBy>
>                 AuthLog                               Logfile_Dev
>                 AcctLogFileName %L/Dev_detail_%Y-%m-%d.log
> </Handler>
>  
> Any pointers would be appreciated.
> It should be possible, since for example this guide shows how to do it with WikiD http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
> But I’d rather use 1 product instead of various products to achieve the same result.
>  
> We do actually have Azure MFA which can be used for this, but I actually don’t want to use it for this scenario.
>  

As the Access-Request does not contain any attribute carrying a password or a challenge-response,
you will need to add the following configuration options within AuthBy LSA:

AuthenProto Unknown
NoCheckPassword

http://www.open.com.au/radiator/ref/AuthenProto.html#AuthenProto
http://www.open.com.au/radiator/ref/NoCheckPassword.html#NoCheckPassword

E.g.

<AuthBy LSA>
    ...

    # Allow access requests without a password (required for Radiator 4.18 and later)
    AuthenProto Unknown

    # Do not try to check user’s password
    NoCheckPassword
</AuthBy>


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
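As an added check, not part of this thread or of Radiator's own code: a small Python script that parses a Radiator "Packet dump" block like the one quoted above and reports whether the Access-Request carries any password or challenge-response attribute, which is exactly what decides whether AuthBy LSA needs AuthenProto Unknown and NoCheckPassword. The function names are hypothetical, and the attribute-to-protocol mapping is an assumption based on the standard RADIUS attribute names.

```python
import re

# Constructed sample: the Access-Request from the quoted Radiator debug output (quoting removed).
SAMPLE_DUMP = """\
Code:       Access-Request
Attributes:
                Service-Type = Voice
                User-Name = "domain\\username"
                Called-Station-Id = "UserAuthType:PW"
                MS-Network-Access-Server-Type = Terminal-Server-Gateway
                Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
"""

# Attributes that carry a password or challenge-response, mapped to the protocol
# name AuthenProto uses for them (assumed mapping based on the RADIUS attribute names).
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MSCHAP",
    "MS-CHAP2-Response": "MSCHAPV2",
    "EAP-Message": "EAP",
}
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")

def parse_dump(dump: str) -> dict:
    """Return {'code': ..., 'attrs': {name: value}} from one Radiator 'Packet dump' block."""
    code, attrs, in_attrs = None, {}, False
    for line in dump.splitlines():
        if line.startswith("Code:"):
            code = line.split(":", 1)[1].strip()
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip('"')
    return {"code": code, "attrs": attrs}

def authen_proto(attrs: dict) -> str:
    """Classify the request as AuthenProto would; 'Unknown' when no credential attribute is present."""
    for name, proto in CREDENTIAL_ATTRS.items():
        if name in attrs:
            return proto
    return "Unknown"

def lsa_needs_nocheckpassword(dump: str) -> bool:
    """True when an Access-Request has nothing to verify, i.e. AuthenProto Unknown + NoCheckPassword apply."""
    pkt = parse_dump(dump)
    return pkt["code"] == "Access-Request" and authen_proto(pkt["attrs"]) == "Unknown"
```

Because NoCheckPassword accepts the request without verifying any credential, the Handler's Client-Identifier restriction is what confines that acceptance to requests arriving from the NPS/RDS Gateway client.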


