10.09.2011 21:34:41
 grahamwright1 Posts: 3
Hello,
I'm trying to get Windows Domain authentication working for PPTP users coming in to my Vyatta V6.3 system. The PPTP service on the Vyatta is working fine when I use local authentication on it, but when I change it to RADIUS the test account I'm using appears to authenticate correctly on TekRADIUS but causes the pppd service on Vyatta to throw an error.
User is gwright in group 'HandshakeStaff'. Attributes are 'Authentication-Method', value 'Windows', and 'Windows-Domain', value 'hs' where HS is the domain gwright belongs to.
Group 'HandshakeStaff' has attributes 'Authentication-Method', value 'Windows', and 'Windows-Domain', value 'hs'.
Clients - '127.0.0.1' is vendor IETF, with the Secret defined in Vyatta, and Default is the same.
Settings - Authentication Proxies / Windows Auth Proxy Enabled, Windows Domain 'hs'.
Is it a problem having the same attributes defined in both the user and group entries?
Does anyone have a similar configuration and have any ideas on how to debug this further?
9/10/2011 12:01:03 PM - TekRADIUS Service 4.3.0.0 is being started (Microsoft Windows NT 6.1.7601 Service Pack 1).
9/10/2011 12:01:05 PM - Registration Key is valid; running in commercial mode.
9/10/2011 12:01:05 PM - TekRADIUS Service is listening on : 10.0.0.85 (3 client(s))
9/10/2011 12:01:05 PM - Sending alert message...
9/10/2011 12:01:10 PM - Alert message sent...
RadAuth req. from : 10.0.0.2:48470 - 9/10/2011 13:56:52 PM Size : 141 / 141 Identifier : 98 Attributes :
Service-Type = 2 Framed-Protocol = 1 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Calling-Station-Id = pptp User-Name = gwright
9/10/2011 13:56:52 PM - Windows Authentication (NTLM) commencing for user 'gwright'
9/10/2011 13:56:52 PM - Check items control - Start (Group : HandshakeStaff).
9/10/2011 13:56:52 PM - Check items control - Stop (Group : HandshakeStaff).
9/10/2011 13:56:52 PM - Windows authentication successfull for user 'gwright'
9/10/2011 13:56:52 PM - Fetching Success-Reply items - Start.
9/10/2011 13:56:52 PM - Fetching Success-Reply items - Stop.
9/10/2011 13:56:52 PM - Generating Reply Packet - Start.
9/10/2011 13:56:52 PM - Generating Reply Packet - Stop.
RadAuth reply to : 10.0.0.2:48470 - 9/10/2011 13:56:52 PM Size : 71 Identifier : 98 Attributes :
MS-CHAP2-Success = 00533D44414235304534363931354437
So that looks like the 'gwright' account was correctly authenticated, but the router log shows the following:
Sep 10 13:56:51 router1 kernel: [530949.089486] [ALLOW-ESTABLISHED-20-A] IN=eth0 OUT= MAC=00:25:90:39:e2:2c:00:26:f3:2a:94:2a:08:00 SRC=y.y.y.y DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x20 TTL=51 ID=21904 DF PROTO=TCP SPT=55462 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 10 13:56:52 router1 pppd[19825]: pppd 2.4.4 started by root, uid 0
Sep 10 13:56:52 router1 zebra[1487]: interface ppp0 index 93 <POINTOPOINT,NOARP,MULTICAST> added.
Sep 10 13:56:52 router1 pppd[19825]: Connect: ppp0 <--> /dev/pts/1
Sep 10 13:56:52 router1 pptpd[19824]: GRE: Discarding packet by header check
Sep 10 13:57:22 router1 pptpd[19824]: CTRL: EOF or bad error reading ctrl packet length.
Sep 10 13:57:22 router1 pptpd[19824]: CTRL: couldn't read packet header (exit)
Sep 10 13:57:22 router1 pptpd[19824]: CTRL: CTRL read failed
Sep 10 13:57:22 router1 pppd[19825]: Modem hangup
Sep 10 13:57:22 router1 pppd[19825]: Connection terminated: no multilink.
Sep 10 13:57:22 router1 zebra[1487]: interface ppp0 index 93 deleted.
Sep 10 13:57:22 router1 ripngd[1508]: interface delete ppp0 index 93 flags 0x1090 metric 1 mtu 1500
Sep 10 13:57:22 router1 ripd[1498]: interface delete ppp0 index 93 flags 0x1090 metric 1 mtu 1500
edited by grahamwright1 on 11.09.2011
11.09.2011 10:28:02
 Admin Administrator Posts: 1833
Hi,
Can you send me a wireshark trace for a sample session?
Best regards,
Yasin KAPLAN
11.09.2011 14:38:12
 grahamwright1 Posts: 3
Here's the capture.
11.09.2011 14:42:18
 grahamwright1 Posts: 3
I don't have permission to post to this forum and got an ASP error when I tried. I've sent the error and the PCAP file to your email address.
Thanks, Graham
14.09.2011 13:28:32
 Admin Administrator Posts: 1833
Hi,
TekRADIUS automatically generates encryption keys for authenticated L2TP and PPTP sessions when the incoming RADIUS Access-Request has a Tunnel-Type (64) attribute with value PPTP or L2TP. You can alter this behavior by adding the Generate-MS-MPPE-Keys attribute to user or group profiles as a check attribute. If this attribute exists in the user or group profile and its value is set to NOT-Generate, TekRADIUS will not generate encryption keys. If this attribute exists in the user or group profile and its value is set to VPN-Generate, TekRADIUS will generate encryption keys if the user is authenticated via Microsoft authentication methods, even if it does not receive the Tunnel-Type attribute in the Access-Request.
Best regards,
Yasin KAPLAN
edited by Admin on 14.09.2011
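The failure described in this thread is visible in the RADIUS attributes themselves: the Access-Request from the Vyatta carries no Tunnel-Type, and the Access-Accept carries MS-CHAP2-Success but no MS-MPPE-Send-Key/MS-MPPE-Recv-Key, so pppd has nothing to start MPPE with. The following is an added example (not code from the thread, TekRADIUS or Vyatta) that encodes the attributes quoted in the logs, parses them back, and reports both conditions; the "fixed" request and reply are constructed hypothetically with dummy key blobs.

```python
import struct
MS_VENDOR = 311                      # Microsoft vendor id carrying MS-CHAP/MPPE sub-attributes
VENDOR_SPECIFIC, TUNNEL_TYPE = 26, 64
MS_CHAP2_SUCCESS, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 26, 16, 17
TUNNEL_PPTP, TUNNEL_L2TP = 1, 3

def encode_attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encode_vsa(vendor, vtype, value):
    """Wrap a vendor sub-attribute inside a type-26 Vendor-Specific attribute."""
    inner = struct.pack("!IBB", vendor, vtype, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, inner)

def parse_attrs(blob):
    """Return (type, vendor, vtype, value) tuples; vendor/vtype are None for plain attributes."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        value = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            out.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, None, None, value))
        i += alen
    return out

def audit_mppe(request_blob, accept_blob):
    """List the reasons an MS-CHAPv2 PPTP session accepted by RADIUS would still fail in pppd."""
    findings = []
    tunnels = [struct.unpack("!I", v)[0] & 0xFFFFFF          # low 3 bytes; the top byte is the tag
               for t, _, _, v in parse_attrs(request_blob) if t == TUNNEL_TYPE]
    if not any(tt in (TUNNEL_PPTP, TUNNEL_L2TP) for tt in tunnels):
        findings.append("request has no Tunnel-Type=PPTP/L2TP, so the server may not generate MPPE keys")
    ms = {vt for t, vend, vt, _ in parse_attrs(accept_blob) if t == VENDOR_SPECIFIC and vend == MS_VENDOR}
    if MS_CHAP2_SUCCESS in ms and not {MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY} <= ms:
        findings.append("Access-Accept carries MS-CHAP2-Success but no MS-MPPE-Send-Key/MS-MPPE-Recv-Key")
    return findings

# Constructed samples mirroring the thread's logs: request without Tunnel-Type, reply with only MS-CHAP2-Success.
REQUEST = (encode_attr(1, b"gwright") + encode_attr(6, struct.pack("!I", 2))
           + encode_attr(7, struct.pack("!I", 1)) + encode_attr(31, b"pptp"))
ACCEPT_NO_KEYS = encode_vsa(MS_VENDOR, MS_CHAP2_SUCCESS, bytes.fromhex("00533D44414235304534363931354437"))
# Hypothetical corrected exchange: Tunnel-Type=PPTP in the request, dummy salted key blobs in the reply.
REQUEST_FIXED = REQUEST + encode_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_PPTP))
ACCEPT_WITH_KEYS = (ACCEPT_NO_KEYS + encode_vsa(MS_VENDOR, MS_MPPE_SEND_KEY, b"\x80\x01" + bytes(16))
                    + encode_vsa(MS_VENDOR, MS_MPPE_RECV_KEY, b"\x80\x02" + bytes(16)))
```

Running `audit_mppe(REQUEST, ACCEPT_NO_KEYS)` reproduces both findings for the exchange in the thread, while the corrected pair returns an empty list.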