After ntlm_auth VSA is not sent. Without HTML this time
I hit send a little too quickly last time, before I changed the format to text. I am having two problems and not sure where to look
From the Users file
userjeff Cleartext-Password := "BADPASS" Juniper-Local-User-Name = "engineer", Service-Type = Login-User, Reply-Message = "Hello, %{User-Name}", Fall-Through = Yes 1. With the DEFAULT Auth-Type = ntlm_auth The nas gets an accept back but the attribute Juniper-Local-User-Name is not passed back ad_recv: Access-Request packet from host 10.34.250.14 port 51941, id=158, length=71 User-Name = "userjeff" User-Password = "some_password" NAS-Identifier = "LKWDCO93S14-lab" NAS-IP-Address = 10.34.250.14 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.34.250.14/auth-detail-20101123 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.34.250.14/auth-detail-20101123 [auth_log] expand: %t -> Tue Nov 23 15:44:34 2010 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "userjeff", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "userjeff", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 94 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=userjeff [ntlm_auth] expand: --password=%{User-Password} -> --password=some_password Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok Login OK: [userjeff] (from client default-network port 0) +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.34.250.14/reply-detail-20101123 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.34.250.14/reply-detail-20101123 [reply_log] expand: %t -> Tue Nov 23 15:44:34 2010 ++[reply_log] returns ok ++[exec] returns noop Sending Access-Accept of id 158 to 10.34.250.14 port 51941 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 158 with timestamp +15 Ready to process requests. 2. With the DEFAULT Auth-Type = ntlm_auth commented out PAP isn't happy and I get eady to process requests. rad_recv: Access-Request packet from host 10.34.250.14 port 62435, id=126, length=71 User-Name = "userjeff" User-Password = "some_password" NAS-Identifier = "LKWDCO93S14-lab" NAS-IP-Address = 10.34.250.14 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.34.250.14/auth-detail-20101123 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.34.250.14/auth-detail-20101123 [auth_log] expand: %t -> Tue Nov 23 15:57:13 2010 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "userjeff", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "userjeff", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry userjeff at line 107 [files] expand: Hello, %{User-Name} -> Hello, userjeff ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. Login incorrect: [userjeff/some_password] (from client default-network port 0) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> userjeff attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 126 to 10.34.250.14 port 62435 Reply-Message = "Hello, userjeff"
From radius -X
Nathan Sipes Sr. Network Design Specialist Tel: 303-914-4996 FAX: 303-763-3510 Kinder Morgan 370 Van Gordon St Lakewood, CO 80228 Nathan_Sipes@kindermorgan.com
participants (1)
-
Sipes, Nathan