Re: [RADIATOR] question about machine based authentication
Ok, that's what I was looking for! Putting DEFAULT in the file yields the desired behavior. Thanks!

Joy

On 12/8/11 5:47 PM, "Heikki Vatiainen" wrote:

> On 12/09/2011 12:31 AM, Joy Veronneau wrote:
>> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
>> the computer name. Seems like I would want the cert name checked?
>> Is there a way I can still check the cert name?
>
> In this case you could try not enabling EAPTLS_NoCheckId and use
> Filename %D/tls_anon with this single line:
>
>   DEFAULT
>
> Since NoDefault is not on, the DEFAULT entry will match and user lookup
> should be successful.
>
> Another option is to have EAPTLS_NoCheckId enabled and do name matching
> with EAPTLS_CertificateVerifyHook
>
> Thanks!
> Heikki
>
>> Sorry to have so many questions…
>>
>> Thanks,
>> Joy
>>
>> On 12/8/11 5:26 PM, "Heikki Vatiainen" wrote:
>>
>>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>>
>>>> But if I do that, I will still have to have the names of the machines in
>>>> the tls_anon file, wouldn't I?
>>>
>>> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>>> EAPTLS_NoCheckId". You can turn off the name check.
>>>
>>> Thanks!
>>> Heikki
>>>
>>>> Thanks,
>>>>
>>>> Joy
>>>>
>>>> On 12/8/11 5:07 PM, "Heikki Vatiainen" wrote:
>>>>
>>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>>>
>>>>> Hello Joy,
>>>>>
>>>>>> I am still working on my machine based authentication config.
>>>>>>
>>>>>> Config1 (below) works fine but requires that the names of the machines be
>>>>>> listed in the file tls_anon.
>>>>>
>>>>> Try with something like this:
>>>>>
>>>>>   AuthByPolicy ContinueWhileAccept
>>>>>   AuthBy file-tls
>>>>>   AuthBy external-adcert
>>>>>
>>>>> With the above EAP-TLS will run first and when it is done and returns
>>>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>>>>> of the whole authentication process.
>>>>>
>>>>> Please let us know of your results
>
> --
> Heikki Vatiainen
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
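The security point this exchange turns on: once tls_anon is reduced to a single DEFAULT entry, the users-file lookup no longer constrains which machines get in, so the binding between the identity the supplicant claims and the certificate it actually proved possession of rests entirely on the certificate name check (the one EAPTLS_NoCheckId switches off, and the one Heikki suggests re-implementing in EAPTLS_CertificateVerifyHook). The block below is an added example written for this page, not Radiator code and not anything posted in the thread. Radiator's hook is Perl; this sketches the same decision logic in Python, with the client certificate reduced to its subject CN and dNSName SANs supplied as constructed strings. The DEFAULT/NoDefault lookup is a simplified model of what the thread describes for AuthBy FILE, not Radiator's parser, and the .cit.cornell.edu suffix is an assumed local policy.

```python
"""Identity-vs-certificate check for EAP-TLS machine authentication.

Added example, not Radiator code. Models (a) the users-file lookup with a
DEFAULT entry and (b) the name check that binds the claimed identity to the
presented certificate. CA-chain validation is assumed to have happened in the
TLS handshake already; nothing here replaces it.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    """Only the fields the check needs; a real hook would read them from X.509."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def identity_from_username(user_name):
    # Windows computer authentication sends "host/<fqdn>"; strip the prefix the
    # same way the thread's RewriteUsername s/^host\/// does.
    return re.sub(r"^host/", "", user_name, flags=re.IGNORECASE)


def tls_anon_lookup(identity, tls_anon_lines, no_default=False):
    """Simplified model of the AuthBy FILE lookup discussed in the thread: the
    first word of each non-comment line is a user name; DEFAULT matches anyone
    unless NoDefault is set. Returns the matched entry or None."""
    entries = [ln.split()[0] for ln in tls_anon_lines
               if ln.strip() and not ln.lstrip().startswith("#")]
    if identity in entries:
        return identity
    if "DEFAULT" in entries and not no_default:
        return "DEFAULT"
    return None


def cert_names(cert):
    """All DNS-style names the certificate vouches for, lower-cased."""
    return {cert.subject_cn.lower(), *(n.lower() for n in cert.san_dns)}


def name_matches(identity, cert, required_suffix):
    """The check EAPTLS_NoCheckId turns off: the claimed identity must be one of
    the certificate's names, and must lie inside our own domain (assumed policy)."""
    ident = identity.lower()
    if not ident.endswith(required_suffix.lower()):
        return False, "identity outside the expected domain"
    if ident not in cert_names(cert):
        return False, "certificate names do not include the claimed identity"
    return True, "ok"


def authorize(user_name, cert, tls_anon_lines, check_names=True,
              required_suffix=".cit.cornell.edu"):
    """Post-handshake decision: (decision, reason)."""
    identity = identity_from_username(user_name)
    entry = tls_anon_lookup(identity, tls_anon_lines)
    if entry is None:
        return "REJECT", "no users-file entry for %s" % identity
    if check_names:
        ok, why = name_matches(identity, cert, required_suffix)
        if not ok:
            return "REJECT", why
    return "ACCEPT", "matched %s" % entry


# Constructed sample data, using the host name that appears in the thread.
LAPTOP = ClientCert("CIT-JV11GTEST2.cit.cornell.edu",
                    ["cit-jv11gtest2.cit.cornell.edu"])
DEFAULT_ONLY = ["DEFAULT"]

if __name__ == "__main__":
    print(authorize("host/CIT-JV11GTEST2.cit.cornell.edu", LAPTOP, DEFAULT_ONLY))
    # With DEFAULT and no name check, any CA-signed cert passes under any name:
    print(authorize("host/OTHERPC.cit.cornell.edu", LAPTOP, DEFAULT_ONLY,
                    check_names=False))
    # The name check is what rejects a mismatched identity:
    print(authorize("host/OTHERPC.cit.cornell.edu", LAPTOP, DEFAULT_ONLY))
```

The second call is the configuration to avoid: DEFAULT in tls_anon together with EAPTLS_NoCheckId and no verify hook means a certificate issued to one domain member can be presented under any other member's name. Either leave the built-in name check on (Heikki's first option) or do the equivalent of name_matches in EAPTLS_CertificateVerifyHook (his second).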
Re: [RADIATOR] question about machine based authentication
Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches the computer name. Seems like I would want the cert name checked? Is there a way I can still check the cert name?

Sorry to have so many questions…

Thanks,
Joy

On 12/8/11 5:26 PM, "Heikki Vatiainen" wrote:

> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>
>> But if I do that, I will still have to have the names of the machines in
>> the tls_anon file, wouldn't I?
>
> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
> EAPTLS_NoCheckId". You can turn off the name check.
>
> Thanks!
> Heikki
>
>> Thanks,
>>
>> Joy
>>
>> On 12/8/11 5:07 PM, "Heikki Vatiainen" wrote:
>>
>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>
>>> Hello Joy,
>>>
>>>> I am still working on my machine based authentication config.
>>>>
>>>> Config1 (below) works fine but requires that the names of the machines be
>>>> listed in the file tls_anon.
>>>
>>> Try with something like this:
>>>
>>>   AuthByPolicy ContinueWhileAccept
>>>   AuthBy file-tls
>>>   AuthBy external-adcert
>>>
>>> With the above EAP-TLS will run first and when it is done and returns
>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>>> of the whole authentication process.
>>>
>>> Please let us know of your results
Re: [RADIATOR] question about machine based authentication
But if I do that, I will still have to have the names of the machines in the tls_anon file, wouldn't I?

Thanks,
Joy

On 12/8/11 5:07 PM, "Heikki Vatiainen" wrote:

> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>
> Hello Joy,
>
>> I am still working on my machine based authentication config.
>>
>> Config1 (below) works fine but requires that the names of the machines be
>> listed in the file tls_anon.
>
> Try with something like this:
>
>   AuthByPolicy ContinueWhileAccept
>   AuthBy file-tls
>   AuthBy external-adcert
>
> With the above EAP-TLS will run first and when it is done and returns
> ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
> of the whole authentication process.
>
> Please let us know of your results
>
>> I need to modify this config so that I do not need to maintain a list of
>> host names on the radiator server and so that I can execute an external
>> script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
>> I thought this would be pretty straight forward, see config2 below. The
>> problem is that just this minor change causes the client to hang or
>> something during the negotiation. Once the accept is sent, nothing else
>> happens - we've verified this looking at the traffic on the AP. I've
>> included a debug log as well.
>>
>> I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
>> or I just can't use AuthBy EXTERNAL in combination with TLS?
>>
>> TIA,
>> Joy
>>
>> [...]
Re: [RADIATOR] question about machine based authentication
Hi,

I am still working on my machine based authentication config.

Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon. I need to modify this config so that I do not need to maintain a list of host names on the radiator server and so that I can execute an external script that formats a Filter-Id for a VLAN name to return with the ACCEPT. I thought this would be pretty straight forward, see config2 below. The problem is that just this minor change causes the client to hang or something during the negotiation. Once the accept is sent, nothing else happens - we've verified this looking at the traffic on the AP. I've included a debug log as well.

I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

---
config1: (works if names of computers are in tls_anon file)

<AuthBy FILE>
    Identifier TLS
    Filename %D/tls_anon
    EAPType TLS
    EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
    EAPTLS_CertificateFile /app/radius/keys/agate1.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
    EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
    Identifier ADCERT
    # looks up VLAN and returns Filter-Id
    Command /app/radius/scripts/authby.ADCERT
</AuthBy>

<AuthBy GROUP>
    Identifier dot1x_tls
    AuthByPolicy ContinueWhileAccept
    AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
    AuthByPolicy ContinueAlways
    RewriteUsername s/^host\///
    AuthBy dot1x_tls
    AuthBy ADCERT
    AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>

config2 (doesn't work. see log below.)

<AuthBy EXTERNAL>
    Identifier TLS
    #Filename %D/tls_anon
    EAPType TLS
    EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
    EAPTLS_CertificateFile /app/radius/keys/agate1.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
    EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
    EAPTLS_MaxFragmentSize 1000
    Command /app/radius/scripts/authby.ADCERT
    AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
    Identifier dot1x_tls
    AuthByPolicy ContinueWhileAccept
    AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
    AuthByPolicy ContinueAlways
    RewriteUsername s/^host\///
    AuthBy dot1x_tls
    # AuthBy ADCERT
    AcctLogFileName %L/%y%m%d-eduroam.log
    AuthLog QRadar_WIRELESS
</Handler>

---

the debug log:

*** Received from 132.236.115.218 port 33004 ....
Code:       Access-Request
Identifier: 186
Authentic:  <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
Attributes:
    User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
    NAS-IP-Address = 132.236.115.218
    NAS-Port = 1
    NAS-Identifier = "cit.redrover.secure"
    NAS-Port-Type = Wireless-IEEE-802-11
    Calling-Station-Id = "0014D1EA856B"
    Called-Station-Id = "000B866222B0"
    Service-Type = Login-User
    Framed-MTU = 1100
    EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
    Aruba-Essid-Name = "eduroam-test"
    Aruba-Location-Id = "test-rhodes-745-ap"
    Message-Authenticator = <139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p

Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler 'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec 7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code:       Access-Accept
Identifier: 186
Authentic:  <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
Attributes:
    Filter-Id = "eduroam-correct"

(That's all that's in the logs…)
Re: [RADIATOR] question about machine based authentication
Hi,

I think I need some more help with my config. It is working ok for my machine cert based authentication, but only if I put the name of the machine in a file on the radius server. Here is my config snippet:

<AuthBy FILE>
    Identifier TLS
    Filename %D/tls_anon
    EAPType TLS
    EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
    EAPTLS_CertificateFile /app/radius/keys/agate1.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
    EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
    AuthByPolicy ContinueAlways
    RewriteUsername s/^host\///
    AuthBy TLS
</Handler>

and %D/tls_anon contains:

    CIT-JV11GTEST2.cit.cornell.edu

I would like to avoid having to maintain all the machine names on the radius server. I would prefer to do some sort of NTLM auth that would read the machine cert and then check to see if the machine is in a certain group. I tried using but that really broke everything... I do have NTLM working for username/pw based authn but I need to do that AND machine based…

I'd appreciate a hint.

Thanks-
Joy

On 11/10/11 5:21 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>> Is it possible for the radiator server to do machine-based
>> authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine based
> authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins
> the domain, a password and username are automatically created and these can
> be used for machine based authentication. This is also supported by Radiator
> by default too.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but now
>> someone is asking about machine-based authentication. They are currently
>> doing this with an MS radius server and would like to switch to our
>> centrally managed radius server and central AD system.
>>
>> I know that we would have to issue a new cert to the machine from the
>> central AD domain… but I'm not finding much about how to set up radiator
>> in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra
> checks for certs besides just checking if the cert is valid or not.
Re: [RADIATOR] question about machine based authentication
Hi,

I've made some progress on this. The Windows 7 machine is now contacting the radius server, but its username starts with "host/" and radiator doesn't seem to like that. Should the machine be sending some sort of different username? I don't think I can get the request to the correct handler until I fix this problem?

The network settings on the Windows 7 machine are:

    Security type: WPA2 Enterprise
    Encryption type: TKIP
    Network authentication method: Microsoft: Smart Card or other certificate
        (Settings -> Use a certificate on this computer, use simple certificate selection)
    Advanced settings: 802.1X, Specify authentication mode: Computer authentication

Here is what I see on the radius logs:

    User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
    NAS-IP-Address = 132.236.115.218
    NAS-Port = 1
    NAS-Identifier = "cit.redrover.secure"
    NAS-Port-Type = Wireless-IEEE-802-11
    Calling-Station-Id = "0014D1EA856B"
    Called-Station-Id = "000B866222B0"
    Service-Type = Login-User
    Framed-MTU = 1100
    EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
    Aruba-Essid-Name = "eduroam-test"
    Aruba-Location-Id = "test-rhodes-745-ap"
    Message-Authenticator = ]<179>:f<223><241><242>Z<13>:<204><222><150><130>J<181>

Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code:       Access-Reject
Identifier: 219
Authentic:  <138>5<9><254><236><131>3<184>xLU?N4<139><225>
Attributes:
    Reply-Message = "Request Denied"

Thanks again,
Joy

On 11/10/11 5:21 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>> Is it possible for the radiator server to do machine-based
>> authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine based
> authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins
> the domain, a password and username are automatically created and these can
> be used for machine based authentication. This is also supported by Radiator
> by default too.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but now
>> someone is asking about machine-based authentication. They are currently
>> doing this with an MS radius server and would like to switch to our
>> centrally managed radius server and central AD system.
>>
>> I know that we would have to issue a new cert to the machine from the
>> central AD domain… but I'm not finding much about how to set up radiator
>> in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra
> checks for certs besides just checking if the cert is valid or not.
>
> --
> Heikki Vatiainen <h...@open.com.au>
[RADIATOR] question about machine based authentication
Hi,

Is it possible for the radiator server to do machine-based authentication (via certificate) to an Active Directory domain?

I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS radius server and would like to switch to our centrally managed radius server and central AD system.

I know that we would have to issue a new cert to the machine from the central AD domain… but I'm not finding much about how to set up radiator in my on-line research so far.

Thanks in advance :)
Joy
Re: [RADIATOR] need help with radiator & winbindd running as user "radiator"
Hi,

The solution that is working for me is to run winbindd as root - then with proper file permissions, radiator can run as user "radiator" and the ntlm authentication works.

Thanks so much for the help!!

Joy

On 11/2/11 9:19 AM, "David Zych" wrote:

> Joy Veronneau wrote:
>> Hi,
>> I am stumped! I have implemented samba and MSCHAPv2 and everything
>> works when running as user root. (Winbindd and radiator running as
>> root.) But I need to run the radiator process as user "radiator". I also
>> had to install samba in an alternate directory.
>>
>> So – when running radiator and winbindd as "root" everything works
>> including ntlm_auth from command line and also MSCHAPv2 connections
>> through radiator. When running radiator and winbindd as user "radiator"
>> ntlm_auth from command line works but MSCHAPv2 connection through
>> radiator fails. The log file looks like this:
>>
> ...
>> Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg:
>> /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
> ...
>> As user radiator, this works:
>>
>> /app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL
>> --username=jv11 --password=xx
>
> I had exactly the same problem when I first set up radiator. The gotcha
> is that for some reason ntlm_auth actually requires more special
> permissions to run with --helper-protocol=ntlm-server-1 than it does to
> do a simple auth check from the command line.
>
> The best way to troubleshoot this is to invoke ntlm_auth from the command
> line in the same way that Radiator actually invokes it to do MS-CHAPv2.
>
> For example, run
>
>   ntlm_auth --helper-protocol=ntlm-server-1
>
> And then paste as input:
>
>   Username: yourusernamehere
>   NT-Domain: YOURDOMAINHERE
>   LANMAN-Challenge: 0102030405060708
>   NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
>   .
>
> (the dot on a line by itself followed by another newline tells the helper
> protocol that you're done entering attributes)
>
> The desired output of this test, since the NT-Response value is
> completely bogus, is:
>
>   Authenticated: No
>   Authentication-Error: Wrong Password
>
> What it said for me instead, the first time I tried it, was:
>
>   Authenticated: No
>   Authentication-Error: winbind client not authorized to use
>   winbindd_pam_auth_crap. Ensure permissions on
>   /var/cache/samba/winbindd_privileged are set correctly.
>
> which pointed me to the problem. The solution that worked for me was to
> change the group ownership of this directory (which will of course be in
> a different location for you):
>
>   chgrp radiator /var/cache/samba/winbindd_privileged
>
> Note that (at least as of v3.0.33), samba is apparently very picky about
> this directory's permissions; changing the group is okay, but it must be
> owned by root and chmod 750 (drwxr-x---) in order to work.
>
> Finally, I've attached a perl script I wrote that performs this same test
> using a *working* input file stored on disk (generated by running it once
> with --create and giving it a real username and password); you'll
> probably want to change the hardcoded location of this file ($queryfile)
> to make sense for your system. On my radius servers I have a cron task
> which runs this script with -q every few minutes and automatically
> restarts winbind if it ever fails. :)
>
> Hope this helps!
>
> David
>
> P.S. Caveat: I'm running radiator as a regular user, but I'm running
> winbind as root (launched via sudo). It sounds like you're trying to
> avoid even that, so the chgrp may not be enough to solve your problem,
> but if not then hopefully my troubleshooting approach will still get you
> closer to understanding what's wrong.
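David's troubleshooting recipe (drive ntlm_auth --helper-protocol=ntlm-server-1 with a deliberately bogus NT-Response and expect "Wrong Password") is also a liveness probe, which is what his attached Perl script, not reproduced on this page, did from cron. The block below is an added example written for this page, not David's script and not Radiator code: the same probe in Python, with a parser for the helper's reply and a classifier keyed on the exact error strings that appear in this thread. It assumes ntlm_auth is on PATH (substitute the wrapper path from Joy's setup if needed) and that it is run as the same unprivileged user Radiator runs as, since the privileged-pipe permission is the thing being tested. The sample replies in the test are constructed from the messages in this thread.

```python
"""Probe winbindd through ntlm_auth the way Radiator uses it.

Added example, not David Zych's script and not Radiator code. Sends the
helper-protocol request from the thread (bogus NT-Response) and classifies the
reply: 'Wrong Password' is the healthy answer, because it proves the helper
reached winbindd over the privileged pipe and got a real verdict back.
"""
import subprocess

# Assumed location; Joy's wrapper would be /app/radius/samba/bin/ntlm_auth.
HELPER_CMD = ["ntlm_auth", "--helper-protocol=ntlm-server-1"]


def build_request(username="probe", domain="EXAMPLE"):
    """Helper-protocol request with a garbage NT-Response, terminated by '.'.
    No real credential is involved, so it is safe to run from cron."""
    return (
        "Username: %s\n" % username
        + "NT-Domain: %s\n" % domain
        + "LANMAN-Challenge: 0102030405060708\n"
        + "NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718\n"
        + ".\n"
    )


def parse_reply(text):
    """Collect 'Key: value' lines up to the terminating '.' into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.rstrip("\r")
        if line == ".":
            break
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return fields


def classify(reply_text):
    """Map the helper's answer to a health verdict (strings, not exit codes,
    so callers can log them). Order matters: the permissions error also
    contains the word 'winbind'."""
    fields = parse_reply(reply_text)
    err = fields.get("Authentication-Error", "")
    if fields.get("Authenticated") == "Yes":
        return "unexpected-accept"          # garbage accepted: investigate
    if err == "Wrong Password":
        return "healthy"
    if "winbindd_privileged" in err or "not authorized" in err:
        return "privileged-pipe-permissions"  # the chgrp/chmod 750 case
    if "winbind" in err.lower():
        return "winbind-unreachable"          # e.g. 'Reading winbind reply failed!'
    return "unknown"


def probe(cmd=HELPER_CMD, timeout=10):
    """Run the helper once as the current user. Returns (verdict, raw_reply)."""
    try:
        proc = subprocess.run(cmd, input=build_request(), capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "helper-failed", str(exc)
    return classify(proc.stdout), proc.stdout


if __name__ == "__main__":
    import sys
    verdict, raw = probe()
    print(verdict)
    print(raw.strip())
    sys.exit(0 if verdict == "healthy" else 1)
```

Run it from cron as the radiator user, not as root: root will get "Wrong Password" even when the radiator user cannot open winbindd_privileged, which is exactly the failure Joy saw (command-line ntlm_auth worked, the helper protocol from Radiator did not). A non-zero exit is the trigger for the winbind restart David describes.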
[RADIATOR] need help with radiator & winbindd running as user "radiator"
Hi,

I am stumped! I have implemented samba and MSCHAPv2 and everything works when running as user root. (Winbindd and radiator running as root.) But I need to run the radiator process as user "radiator". I also had to install samba in an alternate directory.

So – when running radiator and winbindd as "root" everything works including ntlm_auth from command line and also MSCHAPv2 connections through radiator. When running radiator and winbindd as user "radiator" ntlm_auth from command line works but MSCHAPv2 connection through radiator fails. The log file looks like this:

Mon Oct 31 10:50:03 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Client-Identifier=RRSec', Identifier ''
Mon Oct 31 10:50:03 2011: DEBUG: Deleting session for anonymous, 132.236.115.218, 1
Mon Oct 31 10:50:03 2011: DEBUG: Handling with Radius::AuthNTLM: NTLM_Auth
Mon Oct 31 10:50:03 2011: DEBUG: Handling with EAP: code 2, 12, 71, 26
Mon Oct 31 10:50:03 2011: DEBUG: Response type 26
Mon Oct 31 10:50:03 2011: DEBUG: Radius::AuthNTLM looks for match with jv11 [anonymous]
Mon Oct 31 10:50:03 2011: DEBUG: Radius::AuthNTLM ACCEPT: : jv11 [anonymous]
Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg: /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute Request-User-Session-Key: Yes
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute LANMAN-Challenge: 127b94af6efbf1ef
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute NT-Response: 58275ba370f360657e0867e1d41f6412d8d07dd50e7a503b
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute NT-Domain:: Q09STkVMTA==
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute Username:: anYxMQ==
Mon Oct 31 10:50:03 2011: DEBUG: Received attribute: Authenticated: No
Mon Oct 31 10:50:03 2011: DEBUG: Received attribute: Authentication-Error: Reading winbind reply failed!
Mon Oct 31 10:50:03 2011: DEBUG: Received attribute: .
Mon Oct 31 10:50:03 2011: WARNING: NTLM Could not authenticate user: Reading winbind reply failed!
Mon Oct 31 10:50:03 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Mon Oct 31 10:50:03 2011: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
Mon Oct 31 10:50:03 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Mon Oct 31 10:50:04 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <148>#<161>(<30><143><169><10><226><242>!<251>L<186><215><184>
Attributes:
    EAP-Message = <4><12><0><4>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
    Reply-Message = "Request Denied"
    Session-Timeout = 28800

As user radiator, this works:

    /app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL --username=jv11 --password=xx
    doing parameter log file = /app/log/samba/log.%m
    doing parameter max log size = 1000
    doing parameter syslog = 0
    doing parameter winbind enum groups = yes
    doing parameter winbind enum users = yes
    doing parameter winbind use default domain = yes
    doing parameter winbind nested groups = yes
    doing parameter dns proxy = no
    pm_process() returned Yes
    NT_STATUS_OK: Success (0x0)

I have ntlm_auth set up as a script so that the proper libraries can be found - so the contents of /app/radius/samba/bin/ntlm_auth are:

    #!/bin/sh
    export LD_LIBRARY_PATH=/app/radius/samba/lib
    exec /app/radius/samba/bin/ntlm_auth.real "$@"

Similar setup for the other samba executables of winbindd and wbinfo and net.

I had to make sure that radiator is running the correct version of ntlm_auth, and used this in the radius config file:

    NtlmAuthProg /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1

I used this configure command for building samba:

    ./configure --prefix=/app/radius/samba/ --with-configdir=/app/radius/samba/conf --with-privatedir=/app/radius/samba/private --disable-cups --with-ads --with-ldap

and in /app/radius/samba/conf I have the krb5.conf file and the smb.conf file.

I am changing the owner:group of these files when running as user radiator:

    /app/log/samba/*
    /app/radius/samba/var/*
    /tmp/.win*

But I must be missing something somewhere!! What is it, any ideas?

Thanks in advance-
Joy
Re: [RADIATOR] Any known problems with Mac OS 10.6 and MSCHAPv2 and Aruba equipment?
Hi,

Thank you all for your suggestions. It turned out to be pretty simple - I had to add this line to the radius config file:

    EAPTLS_PEAPVersion 0

*and* correct the configuration on my mac.

--
Joy

From: Joy Veronneau <j...@cornell.edu>
Date: Tue, 9 Aug 2011 16:31:08 -0400
Subject: Any known problems with Mac OS 10.6 and MSCHAPv2 and Aruba equipment?

> Hi,
>
> We are in the process of testing support for MSCHAPv2 on our wireless
> network. (We have been supporting only TTLS/PAP up to now.) I have a
> radiator/ntlm configuration that works with MSCHAPv2 and Windows 7 and
> Windows Vista machines. We cannot get it to work with Mac OS 10.6 or
> Mac OS Lion or iPhones or iPads.
>
> I have the radiator logs in debug mode and it looks like the ntlm
> authentication is working just fine. There are no error messages but the
> Mac OS X machine never gets an IP address. It seems that our problem
> might be related to the Aruba access points we are using because we have
> an engineer that has a different type of access point set up at home
> with a windows radius server and his Mac works ok there with MSCHAPv2.
>
> I'm wondering if there are any known problems with Aruba equipment and
> MSCHAPv2 and Mac OS 10.6 and higher? The Aruba equipment is showing a
> "mic failure" towards the end of the negotiation. We are running version
> 4.7 of radiator on a linux machine.
>
> Any ideas appreciated :)
>
> Thanks-
> Joy Veronneau
> Identity Management
> Cornell University
[RADIATOR] Any known problems with Mac OS 10.6 and MSCHAPv2 and Aruba equipment?
Hi,

We are in the process of testing support for MSCHAPv2 on our wireless network. (We have been supporting only TTLS/PAP up to now.) I have a radiator/ntlm configuration that works with MSCHAPv2 and Windows 7 and Windows Vista machines. We cannot get it to work with Mac OS 10.6 or Mac OS Lion or iPhones or iPads.

I have the radiator logs in debug mode and it looks like the ntlm authentication is working just fine. There are no error messages but the Mac OS X machine never gets an IP address. It seems that our problem might be related to the Aruba access points we are using because we have an engineer that has a different type of access point set up at home with a windows radius server and his Mac works ok there with MSCHAPv2.

I'm wondering if there are any known problems with Aruba equipment and MSCHAPv2 and Mac OS 10.6 and higher? The Aruba equipment is showing a "mic failure" towards the end of the negotiation. We are running version 4.7 of radiator on a linux machine.

Any ideas appreciated :)

Thanks-
Joy Veronneau
Identity Management
Cornell University