• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 678
  • Last Modified:

Not authenticating against the domain or issuing an IP

Hi All,
I just inherited a dialup project using Steel Belted Radius, which I am new to.  So far I am able to dial in and authenticate against Radius through a terminal window (this is where the IP is showing 0.0.0.0), I click done after authenticating, then it brings up the window " verifying user name and password" and fails ( I have triple checked the user name and password).

Is there an attribute I am missing?  Any help to point me in the correct direction would be appreciated.
0
goofball350
Asked:
goofball350
  • 4
  • 2
  • 2
1 Solution
 
giltjrCommented:
Are you actually using an old version of Funk's SBR, or are you using Juniper's renamed version?

Does the SBR server show any errors?

Is SBR actually doing the authentication, or is it forwarding to something else?

What is (should be) doing the DHCP serving?

0
 
arnoldCommented:
Do you have an option not to type in username/password but rather provide this information from the outset?

The way it sounds you are doing it now is a two step process, authenticate then authorize.  The system you have might be looking to a single process as a reply to valid authentication, an IP is assigned.  The issue might also be with the NAS boxes missing a pool of IPs to allocate if an IP assignment/authorization is not included in the radius access-accept reply packet.
0
 
goofball350Author Commented:
Hi giltjr,
The version I am using is: 5.03.1532, and at this point I don't know if upgrading is an option.  
*****************************************************************************************************
When I run the radius test, this is what I get:
Skipping unknown attribute 'Annex-Transmit-Speed' in script file...
Skipping unknown attribute 'Annex-Receive-Speed' in script file...
Skipping unknown attribute 'Annex-Domain-Name' in script file...
Skipping unknown attribute 'Annex-SW-Version' in script file...
RadTest Initialized - Socket bound
|||||||||||||||||||||||||||||| SessionStarting ||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x0
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000000
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
### Authentication Request Timed out id = 0 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x1
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
  **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000001
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
### Authentication Request Timed out id = 1 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
### Authentication Request Timed out id = 2 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
|||||||||||||||||||||||||||||| SessionFinished ||||||||||||||||||||||||||||||
Authentication : Total = 3  Accept = 0  Reject = 0
    Failures = 0  Retries = 12  Timeouts = 3
Accounting : Starts 0  Stops 0
    Failures = 0  Retries = 0  Timeouts = 0
Average Response Times : Auth = 0  Acct Start = 0  Acct Stop = 0
*****************************************************************************************************

I have it setup so RADIUS is performing the authentication via a security group in Active Directory.  I know they are communicating, because I can add a user and it will authenticate the terminal window.  But I am assuming since I don't ahve an IP it is stonewalled.

*****************************************************************************************************

I belive the intension is to have Radius issuing IP's, I'm jsut trying to find the setting to confirm.

*****************************************************************************************************

Hi Arnold,

I'm sure this is something I could considder, however I am still trying to familureize my self as to where the setting is.  I belive it may be an ini file change.

You are correct, for added security we would like to have a 2 step authentication process.  We do have the IP pools created.  

I did just come accross the following from the user guid regarding attributes that I am going to try and I will let you know:

"A check list is a set of attributes that must accompany the authentication request
before the request can be accepted. The RAS must send attributes that match the
check list associated with a user entry; otherwise, Steel-Belted Radius rejects the
user even if the users name and password are valid."

I should have an update in the next day or 2.  I need to wait on another group to supply the attribute information from the NAS\RAS.


0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
arnoldCommented:
You have all the information you need to configure Radius:
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002

You are not using two forms of authentication, you are using two steps to authenticate/authorize with the same set of credentials.
I.e. the terminal session: username/password.
At which point the, radius server simply says accept.
The second step is that NAS box now needs to determine what IP to allocate.

A single step I.e. using PAP, the NAS box passes the username/password to the Radius server with a Non-interactive session I still think it is a Framed-User=PPP instead of a Framed-USER: user something (interactive session).
The radius server in this case responds with:
access acce[ted
Use Pool 2 for IP assigment.

The NAS upon receipt of response, allocates an IP from Pool 2.
0
 
goofball350Author Commented:
Hi All,

No update to report yet.
0
 
goofball350Author Commented:
Due to not having direct access to the RAS.  Is there a way that I can see what attributes are being sent to my Radius server from the RAS?  
0
 
giltjrCommented:
If you have a point where you can run a packet capture you can always do that.  I use and recommend wireshark (http://www.wireshark.org).
0
 
goofball350Author Commented:
Hi All,

Thank you to all.  The issue was identified through attribute 5.  What happened was attribute 5 lead me to a NAS issue which in turn lead me to an authentication issue.  On my workstation we had enabled using a terminal window for authentication, the request would then send the authentication and work.  Then once the terminal window is closed the dialup GUI would show authenticating the ID and PW and it would then fail.  Through a Radius debug i was determined that the dialup GUI was attempting to authenticate my windows credentials.

The terminal windows was disabled and we are using the windows GUI and everything is working.  Thank you for putting me in the right direction.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now