Solved

Not authenticating against the domain or issuing an IP

Posted on 2009-04-06
8
667 Views
Last Modified: 2012-05-06
Hi All,
I just inherited a dialup project using Steel Belted Radius, which I am new to.  So far I am able to dial in and authenticate against Radius through a terminal window (this is where the IP is showing 0.0.0.0). I click done after authenticating, then it brings up the window "verifying user name and password" and fails (I have triple checked the user name and password).

Is there an attribute I am missing?  Any help to point me in the correct direction would be appreciated.
0
Question by:goofball350
8 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24083502
Are you actually using an old version of Funk's SBR, or are you using Juniper's renamed version?

Does the SBR server show any errors?

Is SBR actually doing the authentication, or is it forwarding to something else?

What is (should be) doing the DHCP serving?

0
 
LVL 78

Expert Comment

by:arnold
ID: 24083556
Do you have an option not to type in username/password but rather provide this information from the outset?

The way it sounds you are doing it now is a two step process, authenticate then authorize.  The system you have might be looking to a single process as a reply to valid authentication, an IP is assigned.  The issue might also be with the NAS boxes missing a pool of IPs to allocate if an IP assignment/authorization is not included in the radius access-accept reply packet.
0
 

Author Comment

by:goofball350
ID: 24087896
Hi giltjr,
The version I am using is: 5.03.1532, and at this point I don't know if upgrading is an option.  
*****************************************************************************************************
When I run the radius test, this is what I get:
Skipping unknown attribute 'Annex-Transmit-Speed' in script file...
Skipping unknown attribute 'Annex-Receive-Speed' in script file...
Skipping unknown attribute 'Annex-Domain-Name' in script file...
Skipping unknown attribute 'Annex-SW-Version' in script file...
RadTest Initialized - Socket bound
|||||||||||||||||||||||||||||| SessionStarting ||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x0
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000000
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
### Authentication Request Timed out id = 0 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x1
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
  **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000001
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
### Authentication Request Timed out id = 1 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
### Authentication Request Timed out id = 2 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
|||||||||||||||||||||||||||||| SessionFinished ||||||||||||||||||||||||||||||
Authentication : Total = 3  Accept = 0  Reject = 0
    Failures = 0  Retries = 12  Timeouts = 3
Accounting : Starts 0  Stops 0
    Failures = 0  Retries = 0  Timeouts = 0
Average Response Times : Auth = 0  Acct Start = 0  Acct Stop = 0
*****************************************************************************************************

I have it set up so RADIUS is performing the authentication via a security group in Active Directory.  I know they are communicating, because I can add a user and it will authenticate the terminal window.  But I am assuming since I don't have an IP it is stonewalled.

*****************************************************************************************************

I believe the intention is to have Radius issuing IPs; I'm just trying to find the setting to confirm.

*****************************************************************************************************

Hi Arnold,

I'm sure this is something I could consider, however I am still trying to familiarize myself as to where the setting is.  I believe it may be an ini file change.

You are correct, for added security we would like to have a 2 step authentication process.  We do have the IP pools created.  

I did just come across the following from the user guide regarding attributes that I am going to try and I will let you know:

"A check list is a set of attributes that must accompany the authentication request
before the request can be accepted. The RAS must send attributes that match the
check list associated with a user entry; otherwise, Steel-Belted Radius rejects the
user even if the user's name and password are valid."

I should have an update in the next day or 2.  I need to wait on another group to supply the attribute information from the NAS\RAS.


0
 
LVL 78

Accepted Solution

by:
arnold earned 350 total points
ID: 24088550
You have all the information you need to configure Radius:
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002

You are not using two forms of authentication, you are using two steps to authenticate/authorize with the same set of credentials.
I.e. the terminal session: username/password.
At which point the radius server simply says accept.
The second step is that NAS box now needs to determine what IP to allocate.

A single step, i.e. using PAP: the NAS box passes the username/password to the Radius server with a non-interactive session. I still think it is a Framed-User=PPP instead of a Framed-USER: user something (interactive session).
The radius server in this case responds with:
access accepted
Use Pool 2 for IP assignment.

The NAS upon receipt of response, allocates an IP from Pool 2.
0
 

Author Comment

by:goofball350
ID: 24193367
Hi All,

No update to report yet.
0
 

Author Comment

by:goofball350
ID: 24204713
Due to not having direct access to the RAS, is there a way that I can see what attributes are being sent to my Radius server from the RAS?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24206048
If you have a point where you can run a packet capture you can always do that.  I use and recommend wireshark (http://www.wireshark.org).
0
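As an added example (not code from any poster here, and not SBR's own code), a small RFC 2865 encoder/decoder showing what a capture of this exchange would contain: an Access-Request with the same attributes and 66-byte length as the RadTest trace, and the framed Access-Accept arnold describes (Service-Type, Framed-Protocol, pool name). The attribute numbers are the standard ones; the NAS address, CHAP bytes, pool name and zeroed authenticators are constructed placeholders, and `missing_checklist` mirrors the "check list" passage quoted from the user guide above.

```python
import struct
# Attribute numbers from RFC 2865/2869 (the trace's attributes plus a framed reply's).
ATTR_NAMES = {1: "User-Name", 3: "CHAP-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
              61: "NAS-Port-Type", 88: "Framed-Pool"}
ATTR_NUM = {v: k for k, v in ATTR_NAMES.items()}
INT_ATTRS, IP_ATTRS, TEXT_ATTRS = {5, 6, 7, 61}, {4, 8}, {1, 88}

def avp(name, value):
    # One type/length/value attribute (RFC 2865 section 5); length covers the 2-byte head.
    num = ATTR_NUM[name]
    raw = (struct.pack("!I", value) if num in INT_ATTRS
           else bytes(int(o) for o in value.split(".")) if num in IP_ATTRS
           else value.encode("ascii") if isinstance(value, str) else bytes(value))
    return struct.pack("!BB", num, len(raw) + 2) + raw

def build_packet(code, ident, authenticator, attrs):
    # Header: code, id, total length, 16-byte authenticator; then the attribute list.
    body = b"".join(avp(n, v) for n, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode_packet(pkt):
    # Parse into a dict, refusing length fields that disagree with the bytes received.
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field %d does not match %d bytes" % (length, len(pkt)))
    attrs, i = {}, 20
    while i < length:
        num, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute at offset %d" % i)
        raw = pkt[i + 2:i + alen]
        val = (struct.unpack("!I", raw)[0] if num in INT_ATTRS
               else ".".join(str(b) for b in raw) if num in IP_ATTRS
               else raw.decode("ascii", "replace") if num in TEXT_ATTRS else raw)
        attrs[ATTR_NAMES.get(num, "Attr-%d" % num)] = val
        i += alen
    return {"code": code, "id": ident, "attrs": attrs}

def missing_checklist(attrs, required):
    # SBR's "check list": attributes the request must carry or the user is rejected.
    return [name for name in required if name not in attrs]

# Constructed request with the shape of the RadTest trace (id 2, NAS-Port 2, 66 bytes).
CHAP_PW = b"\x02" + b"\x11" * 16      # placeholder CHAP ident + 16-byte response
REQUEST = build_packet(1, 2, b"\x00" * 16, [("User-Name", "tcidial"), ("CHAP-Password", CHAP_PW),
    ("NAS-IP-Address", "192.0.2.1"), ("NAS-Port", 2), ("NAS-Port-Type", 2)])
# Constructed Access-Accept of the kind arnold describes: framed PPP user, IP from a pool.
ACCEPT = build_packet(2, 2, b"\x00" * 16, [("Service-Type", 2), ("Framed-Protocol", 1),
    ("Framed-Pool", "Pool 2")])
```

Feeding `decode_packet` the UDP payload from a Wireshark capture (port 1812 or the legacy 1645) lists exactly which attributes the RAS sends, which is what the check list is matched against.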
 

Author Comment

by:goofball350
ID: 24493802
Hi All,

Thank you to all.  The issue was identified through attribute 5.  What happened was attribute 5 led me to a NAS issue which in turn led me to an authentication issue.  On my workstation we had enabled using a terminal window for authentication; the request would then send the authentication and work.  Then once the terminal window was closed the dialup GUI would show authenticating the ID and PW and it would then fail.  Through a Radius debug it was determined that the dialup GUI was attempting to authenticate my windows credentials.

The terminal window was disabled and we are using the windows GUI and everything is working.  Thank you for putting me in the right direction.
0
