Hello Mark - Can you please send me a copy of the full configuration file and a trace 4 debug showing the startup messages and a more complete log showing the whole sequence?
thanks and regards
Hugh

On 21 Aug 2010, at 01:10, Pearson, Mark wrote:

> Hi, I currently have Radiator for Windows 4.3.1 and I want to authenticate
> clients against windows AD 2003. I am assuming that I use Authby LSA to do
> this. I want to use PEAP as the authentication type. The config below
> comes after all the client stuff etc and I have a user Anonymous in the
> %D/users database. I have included a section of log that includes the error.
> Any help on correct configuration will be appreciated.
>
> <Handler TunnelledByPEAP=1>
>     # Authenticate with Windows LSA
>     <AuthBy LSA>
>         UsernameMatchesWithoutRealm
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
>
> <Handler Realm=ntu.ac.uk>
>     <AuthBy FILE>
>         # The username of the outer authentication
>         # must be in this file to get anywhere. In this example,
>         # it requires an entry for 'anonymous' which is the standard username
>         # in the outer requests, and it also requires an entry for the
>         # actual user name who is trying to connect (ie the 'Login name' entered
>         # in the Funk Odyssey 'Edit Profile Properties' page
>         Filename %D/users
>
>         # EAPType sets the EAP type(s) that Radiator will honour.
>         # Options are: MD5-Challenge, One-Time-Password
>         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>         # Multiple types can be comma separated. With the default (most
>         # preferred) type given first
>         EAPType PEAP
>
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 1
>         EAPTLS_PEAPBrokenV1Label
>     </AuthBy>
> </Handler>
>
> Section of log where error occurs
>
> Thu Aug 19 16:37:40 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Thu Aug 19 16:37:40 2010: DEBUG: Deleting session for anonymous, 10.15.100.4, 29
> Thu Aug 19 16:37:40 2010: DEBUG: Handling with Radius::AuthLSA:
> Thu Aug 19 16:37:40 2010: DEBUG: Handling with EAP: code 2, 8, 80, 26
> Thu Aug 19 16:37:40 2010: DEBUG: Response type 26
> Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA looks for match with com3pearsmw [anonymous]
> Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA ACCEPT: : com3pearsmw [anonymous]
> Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225508, 2228600, The handle is invalid.
> Thu Aug 19 16:37:40 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Thu Aug 19 16:37:40 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
> Thu Aug 19 16:37:40 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Thu Aug 19 16:37:40 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
>
> regards
> Mark Pearson
> Senior Technical Support Analyst
> Information Systems
> Nottingham Trent University
>
> tel: 0115 8488287
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

NB: Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
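The log excerpt in the thread ends in an Access-Reject, but the WARNING line just before it reports that the LSA logon call itself failed ("The handle is invalid"), which is not the same thing as a wrong password. A monitor that only counts rejects would file this as a credential failure. The Python below is an added example, not part of the thread and not Radiator code: it parses the quoted log lines, renders the first number in the warning as hex (the value sits in the 0xC0000000 range, so it is assumed here to be an NTSTATUS), and ties the warning to the inner username from the preceding AuthLSA lookup and to the reject that follows. The sample lines are copied from the excerpt; the regexes describing their shapes are assumptions drawn from those lines only.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
Thu Aug 19 16:37:40 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Thu Aug 19 16:37:40 2010: DEBUG: Handling with Radius::AuthLSA:
Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA looks for match with com3pearsmw [anonymous]
Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA ACCEPT: : com3pearsmw [anonymous]
Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225508, 2228600, The handle is invalid.
Thu Aug 19 16:37:40 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
Thu Aug 19 16:37:40 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
"""

# Line shapes assumed from the excerpt: "<timestamp>: <LEVEL>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
LSA_FAIL_RE = re.compile(r"Could not LogonUserNetworkMSCHAP \(V2\): (?P<status>\d+), (?P<sub>\d+), (?P<text>.*)")
LOOKUP_RE = re.compile(r"Radius::AuthLSA looks for match with (?P<user>\S+) \[(?P<outer>[^\]]*)\]")
REJECT_RE = re.compile(r"Access rejected for (?P<outer>\S+): (?P<reason>.*)")


@dataclass
class LsaFailure:
    timestamp: str
    inner_user: str      # account name from the tunnelled (inner) MSCHAP-V2 request
    outer_user: str      # anonymous outer identity the NAS saw
    ntstatus: str        # first number of the warning, rendered as hex (assumed NTSTATUS)
    substatus: int       # second number of the warning, kept as reported
    win32_text: str      # trailing human-readable text
    rejected: bool = False   # set when the following Access rejected line matches


def find_lsa_failures(log_text):
    """Return one LsaFailure per LSA logon-call warning. Each is joined to the
    most recent AuthLSA lookup (to recover the inner username) and marked as
    rejected when a later 'Access rejected' line names the same outer identity.
    Warnings of this kind are API-level failures, so they are reported
    separately from ordinary credential rejects."""
    failures = []
    last_lookup = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, level, msg = m.group("ts"), m.group("level"), m.group("msg")

        lk = LOOKUP_RE.search(msg)
        if lk:
            last_lookup = (lk.group("user"), lk.group("outer"))
            continue

        if level == "WARNING":
            f = LSA_FAIL_RE.search(msg)
            if f:
                inner, outer = last_lookup or ("?", "?")
                failures.append(LsaFailure(
                    timestamp=ts,
                    inner_user=inner,
                    outer_user=outer,
                    ntstatus="0x%08X" % int(f.group("status")),
                    substatus=int(f.group("sub")),
                    win32_text=f.group("text").rstrip("."),
                ))
            continue

        rj = REJECT_RE.search(msg)
        if rj and failures and not failures[-1].rejected:
            if failures[-1].outer_user == rj.group("outer"):
                failures[-1].rejected = True
    return failures


if __name__ == "__main__":
    for f in find_lsa_failures(SAMPLE_LOG):
        print(f"{f.timestamp}: LSA call failed for {f.inner_user} (outer {f.outer_user}): "
              f"{f.ntstatus}/{f.substatus} {f.win32_text}; rejected={f.rejected}")
```

Run against a trace 4 log, the output distinguishes "the LSA call could not be made" from "the user supplied bad credentials", which is the distinction needed before deciding whether to look at the Windows side (service account, LSA registration, handle lifetime) or at the user database.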
