Solved

Not authenticating against the domain or issuing an IP

Posted on 2009-04-06
669 Views
Last Modified: 2012-05-06
Hi All,
I just inherited a dialup project using Steel Belted Radius, which I am new to.  So far I am able to dial in and authenticate against Radius through a terminal window (this is where the IP is showing 0.0.0.0). I click done after authenticating, then it brings up the window "verifying user name and password" and fails (I have triple-checked the user name and password).

Is there an attribute I am missing?  Any help to point me in the correct direction would be appreciated.
Question by:goofball350
8 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24083502
Are you actually using an old version of Funk's SBR, or are you using Juniper's renamed version?

Does the SBR server show any errors?

Is SBR actually doing the authentication, or is it forwarding to something else?

What is (should be) doing the DHCP serving?

0
 
LVL 79

Expert Comment

by:arnold
ID: 24083556
Do you have an option not to type in username/password but rather provide this information from the outset?

The way it sounds you are doing it now is a two step process, authenticate then authorize.  The system you have might be looking to a single process as a reply to valid authentication, an IP is assigned.  The issue might also be with the NAS boxes missing a pool of IPs to allocate if an IP assignment/authorization is not included in the radius access-accept reply packet.
0
 

Author Comment

by:goofball350
ID: 24087896
Hi giltjr,
The version I am using is: 5.03.1532, and at this point I don't know if upgrading is an option.  
*****************************************************************************************************
When I run the radius test, this is what I get:
Skipping unknown attribute 'Annex-Transmit-Speed' in script file...
Skipping unknown attribute 'Annex-Receive-Speed' in script file...
Skipping unknown attribute 'Annex-Domain-Name' in script file...
Skipping unknown attribute 'Annex-SW-Version' in script file...
RadTest Initialized - Socket bound
|||||||||||||||||||||||||||||| SessionStarting ||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x0
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000000
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
### Authentication Request Timed out id = 0 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x1
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
  **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000001
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
### Authentication Request Timed out id = 1 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
### Authentication Request Timed out id = 2 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
|||||||||||||||||||||||||||||| SessionFinished ||||||||||||||||||||||||||||||
Authentication : Total = 3  Accept = 0  Reject = 0
    Failures = 0  Retries = 12  Timeouts = 3
Accounting : Starts 0  Stops 0
    Failures = 0  Retries = 0  Timeouts = 0
Average Response Times : Auth = 0  Acct Start = 0  Acct Stop = 0
*****************************************************************************************************

I have it set up so RADIUS is performing the authentication via a security group in Active Directory.  I know they are communicating, because I can add a user and it will authenticate the terminal window.  But I am assuming since I don't have an IP it is stonewalled.

*****************************************************************************************************

I believe the intention is to have Radius issuing IPs; I'm just trying to find the setting to confirm.

*****************************************************************************************************

Hi Arnold,

I'm sure this is something I could consider; however, I am still trying to familiarize myself as to where the setting is.  I believe it may be an ini file change.

You are correct, for added security we would like to have a 2 step authentication process.  We do have the IP pools created.  

I did just come across the following from the user guide regarding attributes that I am going to try, and I will let you know:

"A check list is a set of attributes that must accompany the authentication request
before the request can be accepted. The RAS must send attributes that match the
check list associated with a user entry; otherwise, Steel-Belted Radius rejects the
user even if the user's name and password are valid."

I should have an update in the next day or 2.  I need to wait on another group to supply the attribute information from the NAS\RAS.


0
 
LVL 79

Accepted Solution

by:
arnold earned 1400 total points
ID: 24088550
You have all the information you need to configure Radius:
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002

You are not using two forms of authentication; you are using two steps to authenticate/authorize with the same set of credentials.
I.e. the terminal session: username/password.
At which point the radius server simply says accept.
The second step is that the NAS box now needs to determine what IP to allocate.

A single step, i.e. using PAP: the NAS box passes the username/password to the Radius server in a non-interactive session. I still think it is a Framed-User=PPP instead of a Framed-USER: user something (interactive session).
The radius server in this case responds with:
access accepted
Use Pool 2 for IP assignment.

The NAS upon receipt of response, allocates an IP from Pool 2.
0
 

Author Comment

by:goofball350
ID: 24193367
Hi All,

No update to report yet.
0
 

Author Comment

by:goofball350
ID: 24204713
Due to not having direct access to the RAS, is there a way that I can see what attributes are being sent to my Radius server from the RAS?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24206048
If you have a point where you can run a packet capture you can always do that.  I use and recommend wireshark (http://www.wireshark.org).
0
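Two points in this thread lend themselves to a worked example: arnold's description of the Access-Accept that tells the NAS which pool to allocate from, and the last question about seeing which attributes the RAS actually sends. The Python below is an added example written for this page; it is not code from the thread, from Funk/Juniper or from Steel-Belted Radius. It encodes and decodes RFC 2865 packets at the byte level, so the decoder can be pointed at the UDP payload of a RADIUS packet taken from a capture (port 1812, or 1645 on older installations) and will print the attributes the way RadTest lists them. The shared secret, the NAS address 192.0.2.10, the CHAP bytes and the pool name "Pool2" are all constructed values for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS codes and attribute types from RFC 2865 (Framed-Pool is RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    7: "Framed-Protocol", 8: "Framed-IP-Address", 60: "CHAP-Challenge",
    61: "NAS-Port-Type", 88: "Framed-Pool",
}
ATTR_TYPES = {name: code for code, name in ATTR_NAMES.items()}
IPADDR_ATTRS = {4, 8}            # 4-byte IPv4 values
INTEGER_ATTRS = {5, 6, 7, 61}    # 4-byte big-endian integers
SECRET_ATTRS = {2, 3, 60}        # never print credential material
SERVICE_TYPE_LOGIN_USER, SERVICE_TYPE_FRAMED_USER = 1, 2
FRAMED_PROTOCOL_PPP = 1


def encode_attr(name, value):
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    t = ATTR_TYPES[name]
    if t in IPADDR_ATTRS:
        data = socket.inet_aton(value)
    elif t in INTEGER_ATTRS:
        data = struct.pack("!I", value)
    else:
        data = value if isinstance(value, bytes) else value.encode()
    return bytes([t, 2 + len(data)]) + data


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, request, attrs, secret):
    """Answer a request: same Identifier, authenticator bound to the request's one."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    auth = response_authenticator(code, request[1], request[4:20], body, secret)
    return struct.pack("!BBH", code, request[1], 20 + len(body)) + auth + body


def verify_response(request, response, secret):
    """What the NAS does with a reply: identifier must match and the MAC must verify."""
    if response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def decode_packet(data):
    """Return (code, identifier, [(attribute name, value), ...]) with bounds checks."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("RADIUS length field does not match payload")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = data[pos + 2:pos + l]
        if t in IPADDR_ATTRS and len(raw) == 4:
            val = socket.inet_ntoa(raw)
        elif t in INTEGER_ATTRS and len(raw) == 4:
            val = struct.unpack("!I", raw)[0]
        elif t in SECRET_ATTRS:
            val = "<%d bytes, not shown>" % len(raw)
        else:
            val = raw.decode("utf-8", "replace")
        attrs.append((ATTR_NAMES.get(t, "Attr-%d" % t), val))
        pos += l
    return code, identifier, attrs


def example():
    """Constructed exchange mirroring the RadTest output in this thread."""
    secret = b"example-shared-secret"   # constructed; never a real NAS secret
    request_auth = bytes(range(16))     # constructed; a real client sends 16 random bytes
    chap = bytes([1]) + bytes(16)       # constructed: CHAP ident + 16-byte response
    request = build_packet(ACCESS_REQUEST, 2, request_auth, [
        ("User-Name", "tcidial"), ("CHAP-Password", chap),
        ("NAS-IP-Address", "192.0.2.10"), ("NAS-Port", 2), ("NAS-Port-Type", 2),
    ])
    accept = build_response(ACCESS_ACCEPT, request, [
        ("Service-Type", SERVICE_TYPE_FRAMED_USER),
        ("Framed-Protocol", FRAMED_PROTOCOL_PPP),
        ("Framed-Pool", "Pool2"),            # constructed pool name
    ], secret)
    return request, accept, secret


if __name__ == "__main__":
    req, acc, secret = example()
    for label, pkt in (("Access-Request", req), ("Access-Accept", acc)):
        code, ident, attrs = decode_packet(pkt)
        print("%s id=%d length=%d" % (label, ident, len(pkt)))
        for name, val in attrs:
            print("  %s = %s" % (name, val))
    print("accept verifies with correct secret:", verify_response(req, acc, secret))
```

The five attributes RadTest printed (User-Name "tcidial", a 17-byte CHAP-Password, NAS-IP-Address, NAS-Port, NAS-Port-Type) encode to exactly 66 bytes, the Length shown in the thread's output, so the decoder reproduces that packet one-for-one. Two things worth noticing from a defender's side: credential attributes are deliberately not printed, and a server that receives a request from an unknown client or with a non-verifying shared secret silently discards it under RFC 2865, which shows up in a client exactly as the Retries/Timeouts with zero Accepts and Rejects seen above.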
 

Author Comment

by:goofball350
ID: 24493802
Hi All,

Thank you to all.  The issue was identified through attribute 5.  What happened was attribute 5 led me to a NAS issue, which in turn led me to an authentication issue.  On my workstation we had enabled using a terminal window for authentication; the request would then send the authentication and work.  Then once the terminal window is closed, the dialup GUI would show authenticating the ID and PW and it would then fail.  Through a Radius debug it was determined that the dialup GUI was attempting to authenticate my windows credentials.

The terminal window was disabled and we are using the windows GUI and everything is working.  Thank you for putting me in the right direction.
0
