Re:NT RAS 4.0 - Steelhead (final) & IEA RadiusNT 1.16.60

E. Bryan Hoover, AgriNorthwest ( (no email) )
Tue, 17 Jun 1997 16:12:53 -0700

Eric

I have been attempting the same. With similar results to date.

What is the operating system, OS version, and service pack on the client
you are dialing in with?

For your info I posted a similar message requesting assistance. The body
of that message is below.

Please let me know if you learn anything more about NT RAS compatibility.

Thanks
Bryan

X-Sender: bryan.hoovercom.com@hoovercom.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 b4 (32)
Date: Mon, 16 Jun 1997 21:49:50 -0400
To: "Dale E. Reed Jr." <daler@iea.com>
From: "Bryan Hoover, Senior Systems Analyst, AgriNorthwest, Inc"
<Bryan@HOOVERcom.com>
Subject: NT RAS 4.0, with Routing and RAS Update ( formerly Steelhead )
Cc: RadiusNT@emerald.iea.com

--------------------------------------------------------------------------
Your following message has been delivered to the 422 members of
the list RadiusNT@emerald.iea.com at 21:46:46 on 16 Jun 1997.
--------------------------------------------------------------------------

Mr. Reed and all:

I have installed RadiusNT on a Windows NT Server running:

Windows NT 4.0
with Service Pack 3
and the Ras and Routing Update
( formerly known as Steelhead )

It works fine with the test login client which comes with
RadiusNT as shown below. Both in ODBC and ASCII modes.

However when using it with the NT Remote Access Server (RAS) on that same
server and a Windows NT 3.51 Service Pack 5 RAS client dialing up, we
receive the following errors, also shown below. ( Please note that
RadiusNT is being run against the ASCII C:\Radius\Users file, not the ODBC
database, for all the below tests ).

We have experienced similar results with a Windows NT 3.51 Service Pack 4
client and a Macintosh client running the latest version of their OS and
Open Transport ( at least so the Macintosh administrator believes ).

Microsoft claims the new update ( commercial release of Steelhead ) is
fully compliant with RFC-2058. However other Microsoft documentation
discusses the differences between the CHAP RD4 and CHAP RD5 standards and
seems to imply this may not be the case - at least for previous versions of
NT RAS 4.0.

We have been unable to find a way to force our Microsoft RAS Server and/or
the clients to use PAP rather than whatever version of CHAP they are
attempting to use. We also have serious questions as to the advisability
of sending unencrypted passwords over dial-up public telephone networks or
the public internet. We would be using the product in conjunction with
Emerald and the ODBC database if we use RadiusNT.

Is anyone able to shed any light on what is happening or possible
workarounds?

Also will any of these problems go away with future versions ( 2.x? ) of
Radius NT?

When is the projected availability of the commercial product ( 2.x? ) and
who will be selling it?

Any and all suggestions or comments regarding the use of the Radius NT
product with Windows NT RAS as the Terminal Access Server would be
appreciated.

***************************************************************************
***************************************************************************
Debug Session Follows
***************************************************************************
***************************************************************************

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\users>cd \radius

C:\radius>radius -x15 -A

RadiusNT 1.16.60 2/7/97 Copyright (c) 1996 IEA Software, Inc.
All Rights Reserved, Worldwide

Some portions Copyright (c) 1992 Livingston Enterprises, Inc.
and Copyright (c) 1995 Ascend Communications, Inc.

0) EncryptPasswords: 0
1) IgnoreCase: 0
2) AuthPort: 1645
3) ReqAcctAuth: 0
4) AcctPort: 1646
5) Mode: 0
6) Options: 0
7) Debug: 15
8) ODBCDatasource: RADIUSNT
9) DataDirectory: \RADIUS
10) AcctDirectory: \RADIUS\acct
11) UsersFile: Users
12) Username:
13) Password:

Param: Debug Level: 15
Param: Require Authentication for Accounting packets
Initializing Winsock...
Client:198.136.195.63:198.136.195.63:NTRAS

Loading users...
User:test
1 users loaded!

Radius NT is ready to receive requests!
radrecv: Request from host c688c33f code=4, id=1, length=26
Acct-Status-Type = 7
Sending Accounting Ack of id 1 to c688c33f (198.136.195.63)

Response Time: 781
radrecv: Request from host c688c33f code=1, id=1, length=0
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
User-Name = "test"
Password = "HXA\300\320\326W5\006\300%k\005\203*E"
rad_authenticate()
Checking user record PW_PASSWORD type
authPapPwd
chkPwd->strvalue is test
decrypted pwd is test
Sending Ack of id 1 to c688c33f (198.136.195.63)
User-Service = Framed-User

Response Time: 60
radrecv: Request from host c688c33f code=1, id=2, length=63
User-Name = "test"
CHAP-Challenge = "\2559\370a\264\312\270\246\020\0301\016\243z\274\001"
Challenge-Response = ""
rad_authenticate()
Checking user record PW_PASSWORD type
authChapPwd
Sending Reject of id 2 to c688c33f (198.136.195.63)

Response Time: 51
radrecv: Request from host c688c33f code=1, id=3, length=63
User-Name = "test"
CHAP-Challenge = "aiz\204$\233)7P1\332z\243z\274\001"
Challenge-Response =
"\001\271V\034>{"\346\265\370\034\004\007\033w\245\340"
rad_authenticate()
Checking user record PW_PASSWORD type
authChapPwd
Sending Reject of id 3 to c688c33f (198.136.195.63)

Response Time: 40
radrecv: Request from host c688c33f code=1, id=4, length=63
User-Name = "test"
CHAP-Challenge = "\370\251\263n\244\341\267Y \005\300\317\243z\274\001"
Challenge-Response =
"\002{\234\263K\036\215\322Q\253\251\303\001\207\332\356e"
rad_authenticate()
Checking user record PW_PASSWORD type
authChapPwd
Sending Reject of id 4 to c688c33f (198.136.195.63)

Response Time: 30
radrecv: Request from host c688c33f code=1, id=5, length=63
User-Name = "test"
CHAP-Challenge = "H\021\205D\327\264G\032\360\354\\210\264z\274\001"
Challenge-Response =
"\003\276@J\243\364j\343\262\304\264\351\002\017]g\223"
rad_authenticate()
Checking user record PW_PASSWORD type
authChapPwd
Sending Reject of id 5 to c688c33f (198.136.195.63)

Response Time: 811
radrecv: Request from host c688c33f code=1, id=6, length=63
User-Name = "test"
CHAP-Challenge = ")\0*\203\265\356\364\320pJ%\270z\274\001"
Challenge-Response =
"\004\327\3610m\354\234h\235\373\244\015\273\026'\351\372"
rad_authenticate()
Checking user record PW_PASSWORD type
authChapPwd
Sending Reject of id 6 to c688c33f (198.136.195.63)

Response Time: 731

******************************************************************************
******************************************************************************
end contiguous copy from debug session
******************************************************************************
******************************************************************************

E. Bryan Hoover, Senior Systems Analyst
AgriNorthwest, Inc.
2810 W. Clearwater
Kennewick, WA 99336
voice telephone: (509) 735-6461
fax telephone: (509) 735-6471
e-mail: BryanHoover@AgriNorthwest.com

----------------------------------------------------------
RadiusNT Mailing List listserver@emerald.iea.com

At 03:25 PM 6/16/97 +0100, Eric Nguyen wrote:
>Are RadiusNT 1.16.60 and Steelhead (final) compatible ?
>
>
>I have tried to get it to work, but pretty unsuccessfully so far:
>
>Config NT4 server SP3 + Steelhead + RadiusNT1.16.60
>
>RAS modem with security and accounting set to Radius, Option "Require
>encrypted authentication"
>
>'RADLOGIN test test' works fine with user file
>
>test Password = "test"
> User-Service = "Framed-User",
> Framed-Protocol = "PPP"
>
>If I try to dial-in from another modem into the server, it does not work
>and rejects me.
>Can anybody help ?
>
>Below the answer from the radius server:
>
>D:\radius>radius -x15
>
>RadiusNT 1.16.60 2/7/97 Copyright (c) 1996 IEA Software, Inc.
>All Rights Reserved, Worldwide
>
>Some portions Copyright (c) 1992 Livingston Enterprises, Inc.
> and Copyright (c) 1995 Ascend Communications, Inc.
>
>
>
>0) Mode: 0
>1) EncryptPasswords: 0
>2) IgnoreCase: 0
>3) ReqAcctAuth: 0
>4) Options: 0
>5) Debug: 11
>6) ODBCDatasource: Radius
>7) DataDirectory: d:\radius\
>8) AcctDirectory: d:\radius\acct\
>9) UsersFile: users
>10) Username:
>11) Password:
>12) AuthPort: 1645
>13) AcctPort: 1646
>
>Param: Debug Level: 15
>Initializing Winsock...
> Client:r1.search-net.net:192.168.1.23:xxxxx
>
> Loading users...
> User:test
> User:DEFAULT
>2 users loaded!
>
>************************** radlogin test test
>************************************ OK
> Radius NT is ready to receive requests!
>radrecv: Request from host c0a80117 code=1, id=1, length=0
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> User-Name = "test"
> Password = "\027_<\026\031{\333\237J\271\005\242b\307|\341"
>rad_authenticate()
>Checking user record PW_PASSWORD type
>authPapPwd
>chkPwd->strvalue is test
>decrypted pwd is test
>Sending Ack of id 1 to c0a80117 (r1.search-net.net)
> User-Service = Framed-User
> Framed-Protocol = PPP
>*********************** From external modem
>**********************************OK
>Response Time: 310
>radrecv: Request from host c0a80117 code=1, id=3, length=74
> User-Name = "test"
> CHAP-Challenge = "5\304\243\023\014\235#\247 *\301n`z\274\001"
> Challenge-Response =
>"\001\022\224\310k`\247\034U\370'\227\217\253\271h\235"
> Ascend-MPP-Idle-Percent = 1397047634
>rad_authenticate()
>Checking user record PW_PASSWORD type
>authChapPwd
>Sending Reject of id 3 to c0a80117 (r1.search-net.net)
>
>Response Time: 220
>
>
>
>---
>Eric NGUYEN.
>I.T. Manager.
>Searchnet Associates Ltd.
>
>Tel: +44 (0) 131 466 7170
>Email: mailto:e.nguyen@search-net.net
>www: http://www.eece.napier.ac.uk/~eric_n
>ICQ: UIN#: 1155629
>

Regards,

E. Bryan Hoover, Senior Systems Analyst

AgriNorthwest, Inc.
2810 W. Clearwater, Kennewick WA 99336
Telephone: (509) 735-6461 Fax: (509) 735-6471
email: Bryan@HooverCOM.com
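
Added example, not part of the original messages and not RadiusNT code: a Python sketch of the MD5-CHAP check that RFC 2058 describes for the 17-octet CHAP value (1 ident octet plus 16 hash octets), which is the shape of the Challenge-Response values in the debug sessions above. The function names are hypothetical, the two log values are copied from request id=3, and the sample challenge is constructed.

```python
import hashlib
import hmac
import re

# Octal escapes as the debug output prints them: \\ or \ooo (up to \377).
_ESC = re.compile(rb"\\(\\|[0-3][0-7]{2}|[0-7]{1,2})")


def decode_log_value(text: str) -> bytes:
    """Turn an octal-escaped attribute value from the debug log into bytes."""
    def repl(m):
        g = m.group(1)
        return b"\\" if g == b"\\" else bytes([int(g, 8)])
    return _ESC.sub(repl, text.encode("latin-1"))


def chap_expected(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2058 / RFC 1994 MD5-CHAP: MD5(CHAP ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, password: bytes) -> bool:
    """chap_password is the 17-octet attribute: 1 ident octet + 16 MD5 octets."""
    if len(chap_password) != 17 or not challenge:
        return False  # e.g. the empty Challenge-Response in request id=2
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(response, chap_expected(ident, password, challenge))


# Values copied from request id=3 in the debug session above.
LOG_CHALLENGE = decode_log_value(r"aiz\204$\233)7P1\332z\243z\274\001")
LOG_RESPONSE = decode_log_value(
    r'\001\271V\034>{"\346\265\370\034\004\007\033w\245\340')

# Constructed sample (not from the page): a client that really does MD5-CHAP.
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_RESPONSE = bytes([7]) + chap_expected(7, b"test", SAMPLE_CHALLENGE)

if __name__ == "__main__":
    print("log challenge/response lengths:", len(LOG_CHALLENGE), len(LOG_RESPONSE))
    print("log response is MD5-CHAP of 'test':",
          verify_chap(LOG_RESPONSE, LOG_CHALLENGE, b"test"))
    print("constructed sample verifies:",
          verify_chap(SAMPLE_RESPONSE, SAMPLE_CHALLENGE, b"test"))
```

Running the check against a logged challenge and response with the password from the Users file shows whether the client sent plain MD5-CHAP or some other CHAP variant.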