Not authenticating against the domain or issuing an IP

Posted on 2009-04-06
668 Views
Last Modified: 2012-05-06
Hi All,
I just inherited a dialup project using Steel Belted Radius, which I am new to. So far I am able to dial in and authenticate against Radius through a terminal window (this is where the IP is showing 0.0.0.0). I click Done after authenticating, then it brings up the window "Verifying user name and password" and fails (I have triple checked the user name and password).

Is there an attribute I am missing?  Any help to point me in the correct direction would be appreciated.
Question by:goofball350
8 Comments
LVL 57

Expert Comment

by:giltjr
ID: 24083502
Are you actually using an old version of Funk's SBR, or are you using Juniper's renamed version?

Does the SBR server show any errors?

Is SBR actually doing the authentication, or is it forwarding to something else?

What is (should be) doing the DHCP serving?

LVL 78

Expert Comment

by:arnold
ID: 24083556
Do you have an option not to type in username/password but rather provide this information from the outset?

The way it sounds you are doing it now is a two step process, authenticate then authorize.  The system you have might be looking to a single process as a reply to valid authentication, an IP is assigned.  The issue might also be with the NAS boxes missing a pool of IPs to allocate if an IP assignment/authorization is not included in the radius access-accept reply packet.

Author Comment

by:goofball350
ID: 24087896
Hi giltjr,
The version I am using is: 5.03.1532, and at this point I don't know if upgrading is an option.  
*****************************************************************************************************
When I run the radius test, this is what I get:
Skipping unknown attribute 'Annex-Transmit-Speed' in script file...
Skipping unknown attribute 'Annex-Receive-Speed' in script file...
Skipping unknown attribute 'Annex-Domain-Name' in script file...
Skipping unknown attribute 'Annex-SW-Version' in script file...
RadTest Initialized - Socket bound
|||||||||||||||||||||||||||||| SessionStarting ||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x0
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000000
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
### Authentication Request Timed out id = 0 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x1
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
  **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000001
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
### Authentication Request Timed out id = 1 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
### Authentication Request Timed out id = 2 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
|||||||||||||||||||||||||||||| SessionFinished ||||||||||||||||||||||||||||||
Authentication : Total = 3  Accept = 0  Reject = 0
    Failures = 0  Retries = 12  Timeouts = 3
Accounting : Starts 0  Stops 0
    Failures = 0  Retries = 0  Timeouts = 0
Average Response Times : Auth = 0  Acct Start = 0  Acct Stop = 0
*****************************************************************************************************

I have it set up so RADIUS is performing the authentication via a security group in Active Directory. I know they are communicating, because I can add a user and it will authenticate the terminal window. But I am assuming since I don't have an IP it is stonewalled.

*****************************************************************************************************

I believe the intention is to have RADIUS issuing IPs; I'm just trying to find the setting to confirm.

*****************************************************************************************************

Hi Arnold,

I'm sure this is something I could consider; however, I am still trying to familiarize myself with where the setting is. I believe it may be an ini file change.

You are correct, for added security we would like to have a 2 step authentication process.  We do have the IP pools created.  

I did just come across the following from the user guide regarding attributes that I am going to try, and I will let you know:

"A check list is a set of attributes that must accompany the authentication request
before the request can be accepted. The RAS must send attributes that match the
check list associated with a user entry; otherwise, Steel-Belted Radius rejects the
user even if the user's name and password are valid."

I should have an update in the next day or 2.  I need to wait on another group to supply the attribute information from the NAS\RAS.


LVL 78

Accepted Solution

by:arnold (earned 350 total points)
ID: 24088550
You have all the information you need to configure Radius:
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002

You are not using two forms of authentication; you are using two steps to authenticate/authorize with the same set of credentials.
I.e. the terminal session: username/password.
At which point the RADIUS server simply says accept.
The second step is that the NAS box now needs to determine what IP to allocate.

A single step, i.e. using PAP: the NAS box passes the username/password to the RADIUS server in a non-interactive session. I still think it is a Framed-User=PPP instead of a Framed-User: user something (interactive session).
The RADIUS server in this case responds with:
Access Accepted
Use Pool 2 for IP assignment.

The NAS, upon receipt of the response, allocates an IP from Pool 2.

Author Comment

by:goofball350
ID: 24193367
Hi All,

No update to report yet.

Author Comment

by:goofball350
ID: 24204713
Due to not having direct access to the RAS, is there a way that I can see what attributes are being sent to my RADIUS server from the RAS?
LVL 57

Expert Comment

by:giltjr
ID: 24206048
If you have a point where you can run a packet capture you can always do that.  I use and recommend wireshark (http://www.wireshark.org).
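Added example (Python), not code from this thread, from Steel-Belted Radius or from Funk/Juniper. It simulates the single-step exchange arnold describes (the NAS sends the credentials and the session attributes in one Access-Request; the server answers Access-Accept carrying the IP pool the NAS should allocate from), enforces the check-list behaviour goofball350 quoted from the user guide (a valid password is still rejected when the required attributes are missing), and its dump() produces the same kind of per-attribute listing a packet capture of the RAS traffic, as giltjr suggests, would show. The shared secret, the user database, the NAS address, the pool name and the check-list values are all constructed assumptions for the example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type numbers from RFC 2865; Framed-Pool (88) is from RFC 2869
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FRAMED_PROTOCOL, NAS_PORT_TYPE, FRAMED_POOL, PPP = 7, 61, 88, 1
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              7: "Framed-Protocol", 61: "NAS-Port-Type", 88: "Framed-Pool"}
SECRET = b"constructed-shared-secret"          # assumption: same secret configured on NAS and server
USERS = {"tcidial": ("s3cret-dialup", "Pool2")}  # constructed: user -> (password, IP pool to use)
CHECK_LIST = {NAS_PORT_TYPE: 2, FRAMED_PROTOCOL: PPP}  # SBR-style check list the RAS must satisfy

def pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    data = data.ljust((len(data) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chaining always uses the ciphertext block
    return out.rstrip(b"\x00") if decrypt else out

def encode(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet: bytes):
    """(code, id, authenticator, [(type, value), ...]); rejects malformed lengths instead of over-reading."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = packet[4:20], [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs

def dump(attrs: list) -> list:
    """Readable attribute list, the view a packet capture of the RAS -> RADIUS traffic gives you."""
    lines = []
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == NAS_IP_ADDRESS:
            lines.append(f"{name} = {'.'.join(str(b) for b in v)}")
        elif t in (NAS_PORT, NAS_PORT_TYPE, FRAMED_PROTOCOL):
            lines.append(f"{name} = {struct.unpack('!I', v)[0]}")
        elif t == USER_PASSWORD:
            lines.append(f"{name} = Encrypted {len(v)} bytes")
        else:
            lines.append(f"{name} = {v.decode(errors='replace')}")
    return lines

def nas_build_request(user: str, password: str, ident: int, port: int, port_type: int = 2) -> bytes:
    """NAS side: one non-interactive PAP request carrying credentials plus the PPP session attributes."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_xor(password.encode(), SECRET, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address
             (NAS_PORT, struct.pack("!I", port)),
             (NAS_PORT_TYPE, struct.pack("!I", port_type)),
             (FRAMED_PROTOCOL, struct.pack("!I", PPP))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(packet: bytes) -> bytes:
    """Server side: check list first, then password; Access-Accept carries the pool, Access-Reject is bare."""
    code, ident, req_auth, attrs = decode(packet)
    got = dict(attrs)
    user = got.get(USER_NAME, b"").decode(errors="replace")
    ok = code == ACCESS_REQUEST and all(
        k in got and len(got[k]) == 4 and struct.unpack("!I", got[k])[0] == v for k, v in CHECK_LIST.items())
    if ok:  # a valid password is not enough when the check list fails
        pwd = pap_xor(got.get(USER_PASSWORD, b""), SECRET, req_auth, decrypt=True)
        ok = user in USERS and pwd == USERS[user][0].encode()
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(FRAMED_POOL, USERS[user][1].encode())] if ok else []
    # Response Authenticator (RFC 2865 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    unsigned = encode(reply_code, ident, req_auth, reply_attrs)
    resp_auth = hashlib.md5(unsigned[:4] + req_auth + unsigned[20:] + SECRET).digest()
    return encode(reply_code, ident, resp_auth, reply_attrs)

def nas_process_reply(request: bytes, reply: bytes):
    """NAS side: verify the Response Authenticator before trusting the reply, then read the pool name."""
    _, ident, req_auth, _ = decode(request)
    code, rid, resp_auth, attrs = decode(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
    if rid != ident or resp_auth != expected:
        raise ValueError("reply ID or authenticator mismatch: not from our server, or tampered with")
    pool = dict(attrs).get(FRAMED_POOL)
    return code, (pool.decode() if pool else None)

def dialup_session(user: str, password: str, ident: int = 0, port: int = 2, port_type: int = 2):
    """Whole exchange: NAS request -> server reply -> NAS learns which pool to allocate the IP from."""
    request = nas_build_request(user, password, ident, port, port_type)
    return nas_process_reply(request, server_handle(request))

if __name__ == "__main__":
    print("\n".join(dump(decode(nas_build_request("tcidial", "s3cret-dialup", 0, 2))[3])))
    print(dialup_session("tcidial", "s3cret-dialup"))  # (2, 'Pool2'): Access-Accept, allocate from Pool2
    print(dialup_session("tcidial", "s3cret-dialup", port_type=0))  # (3, None): check list fails, rejected
```

Against a real RAS the equivalent of dump() is a capture on the RADIUS server host, e.g. `tshark -i <iface> -f "udp port 1812 or udp port 1645" -V`, which decodes every attribute the RAS actually sends (the ports depend on which one SBR is configured to listen on). Two points the code makes that matter operationally: the NAS only allocates from the pool if the Access-Accept names it, so a bare accept leaves the client at 0.0.0.0; and the NAS must verify the Response Authenticator against the shared secret, otherwise anyone who can spoof a UDP packet from the server's address can hand out accepts.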

Author Comment

by:goofball350
ID: 24493802
Hi All,

Thank you to all. The issue was identified through attribute 5. What happened was attribute 5 led me to a NAS issue, which in turn led me to an authentication issue. On my workstation we had enabled using a terminal window for authentication; the request would then send the authentication and work. Then once the terminal window is closed, the dialup GUI would show authenticating the ID and PW and it would then fail. Through a RADIUS debug it was determined that the dialup GUI was attempting to authenticate my Windows credentials.

The terminal window was disabled and we are using the Windows GUI and everything is working. Thank you for putting me in the right direction.