Solved

Not authenticating against the domain or issuing an IP

Posted on 2009-04-06
Last Modified: 2012-05-06
Hi All,
I just inherited a dialup project using Steel Belted Radius, which I am new to. So far I am able to dial in and authenticate against Radius through a terminal window (this is where the IP is showing 0.0.0.0). I click Done after authenticating, then it brings up the window "verifying user name and password" and fails (I have triple checked the user name and password).

Is there an attribute I am missing?  Any help to point me in the correct direction would be appreciated.
Question by:goofball350

Expert Comment

by:giltjr
Are you actually using an old version of Funk's SBR, or are you using Juniper's renamed version?

Does the SBR server show any errors?

Is SBR actually doing the authentication, or is it forwarding to something else?

What is (should be) doing the DHCP serving?


Expert Comment

by:arnold
Do you have an option not to type in username/password but rather provide this information from the outset?

The way it sounds you are doing it now is a two step process, authenticate then authorize.  The system you have might be looking to a single process as a reply to valid authentication, an IP is assigned.  The issue might also be with the NAS boxes missing a pool of IPs to allocate if an IP assignment/authorization is not included in the radius access-accept reply packet.

Author Comment

by:goofball350
Hi giltjr,
The version I am using is: 5.03.1532, and at this point I don't know if upgrading is an option.  
*****************************************************************************************************
When I run the radius test, this is what I get:
Skipping unknown attribute 'Annex-Transmit-Speed' in script file...
Skipping unknown attribute 'Annex-Receive-Speed' in script file...
Skipping unknown attribute 'Annex-Domain-Name' in script file...
Skipping unknown attribute 'Annex-SW-Version' in script file...
RadTest Initialized - Socket bound
|||||||||||||||||||||||||||||| SessionStarting ||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x0
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000000
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 0 NAS = NAS DEFAULT
### Authentication Request Timed out id = 0 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x1
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
  **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000001
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 1 NAS = NAS DEFAULT
### Authentication Request Timed out id = 1 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002
-----------------------------------
>>> Sending Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
>>> Resending Authentication Request id = 2 NAS = NAS DEFAULT
### Authentication Request Timed out id = 2 NAS = NAS DEFAULT ###
|||||||||||||||||||||||||||||||| End of Pass ||||||||||||||||||||||||||||||||
|||||||||||||||||||||||||||||| SessionFinished ||||||||||||||||||||||||||||||
Authentication : Total = 3  Accept = 0  Reject = 0
    Failures = 0  Retries = 12  Timeouts = 3
Accounting : Starts 0  Stops 0
    Failures = 0  Retries = 0  Timeouts = 0
Average Response Times : Auth = 0  Acct Start = 0  Acct Stop = 0
*****************************************************************************************************

I have it set up so RADIUS is performing the authentication via a security group in Active Directory. I know they are communicating, because I can add a user and it will authenticate the terminal window. But I am assuming since I don't have an IP it is stonewalled.

*****************************************************************************************************

I believe the intention is to have Radius issuing IPs, I'm just trying to find the setting to confirm.

*****************************************************************************************************

Hi Arnold,

I'm sure this is something I could consider, however I am still trying to familiarize myself as to where the setting is. I believe it may be an ini file change.

You are correct, for added security we would like to have a 2 step authentication process.  We do have the IP pools created.  

I did just come across the following from the user guide regarding attributes that I am going to try and I will let you know:

"A check list is a set of attributes that must accompany the authentication request
before the request can be accepted. The RAS must send attributes that match the
check list associated with a user entry; otherwise, Steel-Belted Radius rejects the
user even if the users name and password are valid."

I should have an update in the next day or 2.  I need to wait on another group to supply the attribute information from the NAS\RAS.



Accepted Solution

by:arnold (earned 350 total points)
You have all the information you need to configure Radius:
Fixup attribute 5 = 0x2
>>> Authentication...
------ Packet: AUTH REQUEST   Length: 66 ------
User-Name = tcidial
CHAP-Password = Encrypted 17 bytes:
 **** Encryption code Removed****


NAS-IP-Address = *.*.*.*
NAS-Port = 0x00000002
NAS-Port-Type = 0x00000002

You are not using two forms of authentication, you are using two steps to authenticate/authorize with the same set of credentials.
I.e. the terminal session: username/password.
At which point the radius server simply says accept.
The second step is that NAS box now needs to determine what IP to allocate.

A single step, i.e. using PAP: the NAS box passes the username/password to the Radius server with a non-interactive session. I still think it is a Framed-User=PPP instead of a Framed-USER: user something (interactive session).
The radius server in this case responds with:
access accepted
Use Pool 2 for IP assignment.

The NAS upon receipt of response, allocates an IP from Pool 2.

Author Comment

by:goofball350
Hi All,

No update to report yet.

Author Comment

by:goofball350
Due to not having direct access to the RAS, is there a way that I can see what attributes are being sent to my Radius server from the RAS?

Expert Comment

by:giltjr
If you have a point where you can run a packet capture you can always do that.  I use and recommend wireshark (http://www.wireshark.org).
0
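
Once a capture of the RAS traffic is available, as suggested above, the Access-Request payload can be decoded and compared with a check list like the one quoted from the user guide. This is an added example, not part of the original thread or of Steel-Belted Radius: it follows the RFC 2865 packet layout, the sample packet mirrors the RadTest output (id 2, 66 bytes) with a constructed NAS address 192.0.2.10 and zeroed authenticator and CHAP bytes, and the CHECKLIST values are hypothetical.

```python
import socket
import struct

# RFC 2865 attribute types that appear in this thread (type: (name, kind)).
ATTRS = {1: ("User-Name", "text"), 3: ("CHAP-Password", "octets"),
         4: ("NAS-IP-Address", "ipv4"), 5: ("NAS-Port", "int"),
         6: ("Service-Type", "int"), 7: ("Framed-Protocol", "int"),
         61: ("NAS-Port-Type", "int")}

# Hypothetical check list: ISDN Sync port, Service-Type Framed, Framed-Protocol PPP.
CHECKLIST = {"NAS-Port-Type": 2, "Service-Type": 2, "Framed-Protocol": 1}

def parse_radius(pkt: bytes) -> dict:
    """Decode code, identifier and attributes from a raw RADIUS UDP payload."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        raw = pkt[pos + 2:pos + alen]
        name, kind = ATTRS.get(atype, (f"Attr-{atype}", "octets"))
        if kind == "int" and len(raw) == 4:
            attrs[name] = struct.unpack("!I", raw)[0]
        elif kind == "ipv4" and len(raw) == 4:
            attrs[name] = socket.inet_ntoa(raw)
        elif kind == "text":
            attrs[name] = raw.decode("utf-8", "replace")
        else:
            attrs[name] = raw  # opaque octets, e.g. CHAP ident + 16-byte response
        pos += alen  # a repeated attribute overwrites the earlier value
    return {"code": code, "id": ident, "attrs": attrs}

def checklist_failures(attrs: dict, checklist: dict) -> dict:
    """Map each unmet check-list item to (required, received or None)."""
    return {k: (v, attrs.get(k)) for k, v in checklist.items() if attrs.get(k) != v}

def sample_request() -> bytes:
    """Constructed Access-Request shaped like the RadTest packet (id 2, 66 bytes)."""
    def tlv(t, v):
        return bytes([t, len(v) + 2]) + v
    body = (tlv(1, b"tcidial") + tlv(3, bytes(17))
            + tlv(4, socket.inet_aton("192.0.2.10"))
            + tlv(5, struct.pack("!I", 2)) + tlv(61, struct.pack("!I", 2)))
    return struct.pack("!BBH", 1, 2, 20 + len(body)) + bytes(16) + body
```

Calling checklist_failures(parse_radius(sample_request())["attrs"], CHECKLIST) reports Service-Type and Framed-Protocol as missing, which is the kind of mismatch that makes a server reject a user whose password is valid.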
 

Author Comment

by:goofball350
Hi All,

Thank you to all. The issue was identified through attribute 5. What happened was attribute 5 led me to a NAS issue which in turn led me to an authentication issue. On my workstation we had enabled using a terminal window for authentication, the request would then send the authentication and work. Then once the terminal window is closed the dialup GUI would show authenticating the ID and PW and it would then fail. Through a Radius debug it was determined that the dialup GUI was attempting to authenticate my Windows credentials.

The terminal window was disabled and we are using the Windows GUI and everything is working. Thank you for putting me in the right direction.