Hugh,

Looks like my logging configuration may have been incorrect. Let me keep tinkering with it and if I can't figure it out I'll start a new thread.

Unfortunately, because of the issues that host authentication is causing, we've had to move over to an NTLM-based authentication configuration for now. Do you know of a way to create a fake machine-authentication scenario so that I can test Radiator and then get you a Trace 4? I can't figure out a way to mimic a machine-auth request using either radpwtst or eapol_test.

Thoughts?

Thanks!
-james

On Wed, Oct 17, 2012 at 8:59 PM, Hugh Irvine <[email protected]> wrote:
>
> Hello James -
>
> As long as the User-Name contains "host/.…." this Handler should be called
> provided another Handler doesn't catch it.
>
> Without seeing the debug and the corresponding configuration file I can't
> really say much else.
>
> If you have "Trace 4" in your configuration file you will see the debug in
> the log file. What exactly do you want to log?
>
> regards
>
> Hugh
>
>
> On 18 Oct 2012, at 11:10, James Zee <[email protected]> wrote:
>
>> Hugh,
>>
>> Yes, that is correct. This capture was taken before the change (second link
>> that contains configuration in my previous post). Now I have this handler:
>>
>>
>> <Handler User-Name=/^host\//>
>>     <AuthBy RADIUS>
>>         Host 10.136.234.80
>>         Secret mysecret
>>         AuthPort 1812
>>         AcctPort 1813
>>     </AuthBy>
>> </Handler>
>>
>>
>> The Trace 4 shows that the RADIUS request is being proxied. NPS is still
>> sending an ACCESS-REJECT, though.
>>
>> Is the handler configuration above appropriate for NPS /
>> machine-authentication? Also, is there a way to log RADIUS requests that hit
>> this handler? No matter what log directives I put in the handler, Radiator
>> doesn't seem to log anything and simply sends the RADIUS request to NPS
>> without touching it / logging.
>>
>> Thoughts?
>>
>> Thanks!
>> -james
>>
>>
>>
>> On Wed, Oct 17, 2012 at 6:39 PM, Hugh Irvine <[email protected]> wrote:
>>
>> Hello James -
>>
>> The problem is here:
>>
>>
>> • Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
>> • *** Received from 10.136.235.240 port 32768 ....
>> • Code: Access-Request
>> • Identifier: 47
>> • Authentic: %wa<14><212>v<209>S<143>a<132>z<21><194>5`
>> • Attributes:
>>
>> • User-Name = "/DLAR-PBBZNB8.some.tld"
>>
>>
>> The User-Name attribute does not have "host" at the beginning, so you never
>> use the host-specific Handler.
>>
>> What is happening in the debug is this inner authentication is being
>> converted and only the MS-CHAP is being proxied, leading to the problem I
>> have described previously with NPS thinking this is a user not a machine.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 18 Oct 2012, at 05:05, James Zee <[email protected]> wrote:
>>
>> > Hugh,
>> >
>> > I had previously responded to the thread with the requested information,
>> > but the email response was too large and seems to have gotten lost in the
>> > mailing list approval process.
>> >
>> > I've pasted the requested information here:
>> >
>> > http://pastebin.com/rbXq2Y5Y
>> >
>> > It's worth noting I've made some progress. The link below has the
>> > requested information (new configuration file) where a username beginning
>> > with "host" is immediately proxied to NPS.
>> >
>> > http://pastebin.com/059A7Zk7
>> >
>> > I feel I'm getting closer.
>> >
>> > Two questions:
>> >
>> > (a) is anything wrong with this machine authentication handler or does it
>> > look like the correct way to proxy these sorts of requests?
>> >
>> > (b) is there a way to force Radiator to log information about the RADIUS
>> > request even though we're proxying it via RADIUS to NPS?
>> >
>> > I'm still not having luck with machine-based authentication, but I believe
>> > this may be a configuration issue on NPS.
>> >
>> > Thoughts appreciated.
>> >
>> > Thanks!
>> > -james
>> > _______________________________________________
>> > radiator mailing list
>> > [email protected]
>> > http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>>
>> Hugh Irvine
>> [email protected]
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
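
Added example, not part of the original thread and not Radiator code: a small audit of Trace 4 packet dumps that reports, for each received Access-Request, whether its User-Name would select the `^host/` Handler quoted above. The sample log is constructed from the dump in the thread, the second packet is invented for contrast, and the "*** Sending" line used in testing and the leading-slash heuristic are assumptions.

```python
import re

# Same test as the quoted <Handler User-Name=/^host\//> clause.
HOST_HANDLER = re.compile(r"^host/")

# Constructed sample laid out like the Trace 4 dump quoted in the thread.
# The second packet (address, identifier, name) is invented for contrast.
SAMPLE_LOG = """\
Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code: Access-Request
Identifier: 47
Attributes:
        User-Name = "/DLAR-PBBZNB8.some.tld"
Mon Oct 15 01:21:02 2012 101010: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 32768 ....
Code: Access-Request
Identifier: 48
Attributes:
        User-Name = "host/EXAMPLE-PC.some.tld"
"""

def classify(user_name):
    """Say whether the host Handler would be selected for this User-Name."""
    if HOST_HANDLER.search(user_name):
        return "host-handler"
    if user_name.startswith("/"):
        # Heuristic from the thread's dump: the slash survived, "host" did not.
        return "missed: machine-style name without host prefix"
    return "other-handler"

def audit(log_text):
    """Return (source, identifier, user_name, verdict) per received Access-Request."""
    results, pkt = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("***"):
            # Start of a dump; only track packets the server received.
            m = re.match(r"\*\*\* Received from (\S+) port \d+", line)
            pkt = {"src": m.group(1)} if m else None
        elif pkt is None:
            continue
        elif line.startswith("Code:"):
            pkt["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            pkt["id"] = int(line.split(":", 1)[1])
        elif (m := re.match(r'User-Name = "(.*)"$', line)) and pkt.get("code") == "Access-Request":
            results.append((pkt["src"], pkt.get("id"), m.group(1), classify(m.group(1))))
            pkt = None  # one verdict per packet
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row, sep="  ")
```

Run against a real Trace 4 log, any "missed" row points at a request that fell through to a different Handler, which is the condition Hugh identifies in the quoted dump.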
