Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords

[Richard_Challinor]

Hugh

 

Here is the copy the trace 4 debug. As you can see we are using a user called "radius". This user is not a member of the group "Dialup" and should be rejected.

 

We downloaded the updated file AuthNT.pm. We have not tested this yet but will soon and I will feed back our success to you for expired passwords.

 

Thanks

Richard 

 

 

Fri Jul 12 15:05:37 2002: DEBUG: Reading users file /usr/local/etc/radius/users

Fri Jul 12 15:05:38 2002: INFO: Server started: Radiator 3.1 on KWGENLX01

Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

*** Received from 127.0.0.1 port 32903 ....

Code: Access-Request

Identifier: 96

Authentic: 1234567890123456

Attributes:

User-Name = "radius"

Service-Type = Framed-User

NAS-IP-Address = 203.63.154.1

NAS-Port = 1234

Called-Station-Id = "123456789"

Calling-Station-Id = "987654321"

NAS-Port-Type = Async

User-Password = "<137><234>,<222><216>3v<146><188>8<9><160><216>}x<153>"

Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'

Wed Jul 17 20:18:22 2002: DEBUG: Deleting session for radius, 203.63.154.1, 1234

Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers

Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE looks for match with radius

Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT

Wed Jul 17 20:18:22 2002: DEBUG: Handling with NT

Wed Jul 17 20:18:22 2002: DEBUG: Radius::AuthFILE ACCEPT:

Wed Jul 17 20:18:22 2002: DEBUG: Access accepted for radius

Wed Jul 17 20:18:22 2002: WARNING: No such attribute Framed-Protocal

Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

*** Sending to 127.0.0.1 port 32903 ....

Code: Access-Accept

Identifier: 96

Authentic: 1234567890123456

Attributes:

Service-Type = Framed-User

Framed-Protocal = PPP

Framed-IP-Address = 255.255.255.254

Framed-IP-Netmask = 255.255.255.255

Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

*** Received from 127.0.0.1 port 32903 ....

Code: Accounting-Request

Identifier: 97

Authentic: <216>!<211><234><146><8>!<231><131>DC<4>-<214><16>p

Attributes:

User-Name = "radius"

Service-Type = Framed-User

NAS-IP-Address = 203.63.154.1

NAS-Port = 1234

NAS-Port-Type = Async

Acct-Session-Id = "00001234"

Acct-Status-Type = Start

Called-Station-Id = "123456789"

Calling-Station-Id = "987654321"

Framed-IP-Address = 255.255.255.254

Acct-Delay-Time = 0

Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'

Wed Jul 17 20:18:22 2002: DEBUG: Adding session for radius, 203.63.154.1, 1234

Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers

Wed Jul 17 20:18:22 2002: DEBUG: Accounting accepted

Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

*** Sending to 127.0.0.1 port 32903 ....

Code: Accounting-Response

Identifier: 97

Authentic: <216>!<211><234><146><8>!<231><131>DC<4>-<214><16>p

Attributes:

Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

*** Received from 127.0.0.1 port 32903 ....

Code: Accounting-Request

Identifier: 98

Authentic: <180><189><208><251><201>\5A@K<0>f<210><186>n<217>

Attributes:

User-Name = "radius"

Service-Type = Framed-User

NAS-IP-Address = 203.63.154.1

NAS-Port = 1234

NAS-Port-Type = Async

Acct-Session-Id = "00001234"

Acct-Status-Type = Stop

Called-Station-Id = "123456789"

Calling-Station-Id = "987654321"

Framed-IP-Address = 255.255.255.254

Acct-Delay-Time = 0

Acct-Session-Time = 1000

Acct-Input-Octets = 20000

Acct-Output-Octets = 30000

Wed Jul 17 20:18:22 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'

Wed Jul 17 20:18:22 2002: DEBUG: Deleting session for radius, 203.63.154.1, 1234

Wed Jul 17 20:18:22 2002: DEBUG: Handling with Radius::AuthFILE: CheckUsers

Wed Jul 17 20:18:22 2002: DEBUG: Accounting accepted

Wed Jul 17 20:18:22 2002: DEBUG: Packet dump:

*** Sending to 127.0.0.1 port 32903 ....

Code: Accounting-Response

Identifier: 98

Authentic: <180><189><208><251><201>\5A@K<0>f<210><186>n<217>

Attributes:

 

 

 

-----Forwarded by Richard Challinor/Perth/KAZ/AU on 07/18/2002 09:39AM -----

To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: 07/11/2002 05:15PM
Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords

Hugh

 

I made the changes as sugested. I used the sample cfg file you sent me previouly and used the examples Ash provided us. When using radius pwtest it checks the username and password aganist NT domain OK. But still dose not check if the user is in the NT group. Could you have a look at our new config files attached and tell us were we are going wrong.

 

Thanks

Richard Challinor 

 

# define AuthBy clauses

 

 

<AuthBy NT>

Identifier CheckPrimary

Domain KWI_CSBP

DomainController KWI_NT5

</AuthBy>

<AuthBy NT>

Identifier CheckBackup

Domain KWI_CSBP

DomainController KWDRPNT01

</AuthBy>

 

<AuthBy FILE>

Identifier CheckUsers

Filename /usr/local/etc/radius/users

AddToReply Service-Type = Framed-User, \

Framed-Protocal = PPP, \

Framed-IP-Address = 255.255.255.254, \

Framed-IP-Netmask = 255.255.255.255

</AuthBy>

<Realm DEFAULT>

AuthBy CheckUsers

# Log accounting to a detail file

AcctLogFileName %L/detail

</Realm>

 

 

# Full copy of users our "users" file below

DEFAULT Auth-Type = CheckPrimary, Group = Dialup

DEFAULT Auth-Type = CheckBackup, Group = Dialup

 

[EMAIL PROTECTED] wrote: -----

To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: 06/29/2002 09:00AM
Subject: Re: (RADIATOR) Auth by NT group & Radius rejects expired passwords

Hello Richard -I notice that Ashley Kent has already sent you an example (thanks Ash).You should also note that there is a patched version of AuthNT.pm for Radiator 3.1 that implements a number of new flags for dealing with password expiry, etc.Finally, there is usually no way to prompt a client for anything as the dialup client doesn't display any return messages (ie: Microsoft).regardsHughOn Fri, 28 Jun 2002 15:16, [EMAIL PROTECTED] wrote:> We would like Radiator to auth to an NT group on the Domain. But we are> unsure of how to get it working. We have been trying to use the Group => XXX, but we must have the syntax wrong. If we could get an example> Radius.cfg to copy from someone it would help heaps.>> We also have an issue were Radiator rejects expired passwords for clients> logging on. Is there a way to have the client prompted to change the> expired password when dialing in.>> I have included a copy of our radius.cfg. Please make explanations simple> as we are newbies. :-)>> Thanks> Richard>>> # define AuthBy clauses>> <Realm DEFAULT>> <AuthBy NT>>> Identifier CheckPrimary>           Domain KWI_CSBP>           DomainController KWI_NT5>>      </AuthBy>>> <AuthBy NT>> Identifier CheckBackup>           Domain KWI_CSBP>           DomainController KWDRPNT01>>      </AuthBy>>>>         <AuthBy NT>>                 AddToReply Service-Type = Framed-User, \>           Framed-Protocal = PPP, \>           Framed-IP-Address = 255.255.255.254, \>           Framed-IP-Netmask = 255.255.255.255>      </AuthBy>>> # Log accounting to a detail file>      AcctLogFileName %L/detail>> </Realm>>>>> ===> Archive at http://www.open.com.au/archives/radiator/> Announcements on [EMAIL PROTECTED]> To unsubscribe, email '[EMAIL PROTECTED]' with> 'unsubscribe radiator' in the body of the message.-- Radiator: the most portable, flexible and configurable RADIUS serveranywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.-Nets: internetwork inventory and management - graphical, extensible,flexible with hardware, software, platform and database independence.===Archive at http://www.open.com.au/archives/radiator/Announcements on [EMAIL PROTECTED] unsubscribe, email '[EMAIL PROTECTED]' with'unsubscribe radiator' in the body of the message.

==Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.