Re: (usr-tc) Radius/TC's

Dale E. Reed Jr.
Tue, 09 Jun 1998 13:25:58 -0700

Chuck wrote:
> >What is the error you receive from 2.5 in -x15 debug mode? Is the machine
> >you are running RadiusNT 2.5 on multi-homed? If so, please configure
> >RadiusNT 2.5 to only use one IP Address (rather than all).
> The primary machine has a single IP. In -x15 debug it tells me "Radius
> does not have sufficient rights to authenticate against the NT SAM"...

You did omit the most important part, which is in () after this
error. Is it an Access Denied or Privilege not held error?

This basically means RadiusNT is running in debug mode in the foreground
and does NOT have permissions to authenticate a user. This is a new
error message added in 2.5 to distinguish whether the user or RadiusNT
doesn't have rights.

> However, when run from the Control Panel Applet as a service, there
> is no prob with this (as long as auth is attempted from the 3Com ARC or Liv

That's because when RadiusNT runs as a service, it's running as the
system service, which does have sufficient permissions.

> PM's, but not the other NAS's mentioned). I am logged into this machine as
> the Administrator...have tried this both as local machine admin as well as
> domain admin. Last week I browsed through IEA's radiusnt digests and saw a
> few posts ( one or two from you as well) suggesting user rights settings,
> and I checked and changed these where needed. Radius as a service logs in
> under the system account, but once again, there is no prob in this mode.

These are 2.2 issues, which require "log on locally" rights. RadiusNT 2.5
only requires "access this computer from the network" rights for the user.

> One other is a log entry from 2.5 using NT SAM, with an
> unsuccessful auth attempt from our TC/Netserver, valid user: Tue Jun 09
> 14:55:39 1998: CHAP WinNT Attempt: user xxx, NAS Once
> again, this auth was unsuccessful.

Ok. Now you are starting to give me information that I can use! :)

In order to authenticate against the NT SAM, the user can not use
CHAP. This is the same restriction as authenticating against a UNIX
passwd file.

Either have the client use PAP or disable CHAP on the Netserver and
it should work fine. Also, feel free to include all of the lines for
failed authentication attempts (from the radrecv() line to the resp line)
when you have an error, since it will help greatly to resolve your problem.

--
Dale E. Reed Jr.
IEA Software, Inc. | RadiusNT, Emerald, and NT FAQs
Internet Solutions for Today
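The CHAP-versus-PAP restriction Dale explains above comes down to what the verifier has on hand. A CHAP response is MD5(Identifier || password || challenge) (RFC 1994), so the server must know the cleartext password to recompute it; a store that keeps only a one-way hash (an NT SAM or a UNIX passwd file) can check a PAP password by re-hashing it, but cannot produce the expected CHAP digest at all. The following Python illustrates that, as an added example that is not part of the original thread and is not RadiusNT code; the `HashOnlyStore` and `CleartextStore` classes, the salt, the SHA-256 choice (standing in for whatever one-way hash the real store uses) and the sample credentials are all constructed for the illustration.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample credential for the demonstration (not from the post).
SAMPLE_PASSWORD = "correct-horse"


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP response as defined in RFC 1994: MD5(Identifier || secret || challenge).

    Note that the cleartext password is an input; there is no way to derive
    this digest from a one-way hash of the password.
    """
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


class HashOnlyStore:
    """Hypothetical password store that keeps only a salted one-way hash,
    modelling an NT SAM or UNIX passwd file. SHA-256 is a stand-in; only the
    one-way property matters for the argument."""

    def __init__(self, password: str) -> None:
        self._salt = b"constructed-salt"           # constructed value
        self._digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.sha256(self._salt + password.encode()).digest()

    def verify_pap(self, password_from_client: str) -> bool:
        # PAP delivers the password itself, so the store re-hashes and compares.
        return secrets.compare_digest(self._hash(password_from_client), self._digest)

    def verify_chap(self, ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
        # The store has no cleartext, so it cannot compute the expected
        # MD5(id || password || challenge). It cannot say yes OR no: None means
        # "unable to verify", which is what the user sees as a failed CHAP attempt.
        return None


class CleartextStore:
    """Hypothetical store that holds the cleartext (or reversibly encrypted)
    password, which is what CHAP verification actually requires."""

    def __init__(self, password: str) -> None:
        self._password = password

    def verify_pap(self, password_from_client: str) -> bool:
        return secrets.compare_digest(password_from_client.encode(), self._password.encode())

    def verify_chap(self, ident: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(ident, self._password, challenge)
        return secrets.compare_digest(expected, response)


def run_demo() -> dict:
    """Run one PAP and one CHAP attempt against each store; return the outcomes."""
    ident = 7
    challenge = secrets.token_bytes(16)              # what the NAS would send
    client_response = chap_response(ident, SAMPLE_PASSWORD, challenge)

    hashed = HashOnlyStore(SAMPLE_PASSWORD)
    clear = CleartextStore(SAMPLE_PASSWORD)
    return {
        "hash_store_pap": hashed.verify_pap(SAMPLE_PASSWORD),           # True
        "hash_store_pap_wrong": hashed.verify_pap("wrong"),             # False
        "hash_store_chap": hashed.verify_chap(ident, challenge, client_response),  # None
        "clear_store_chap": clear.verify_chap(ident, challenge, client_response),  # True
        "clear_store_chap_wrong": clear.verify_chap(ident, challenge, b"\x00" * 16),  # False
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The practical consequence matches the advice in the reply: when the backend can only re-hash a submitted password, the NAS has to be set to PAP (or CHAP disabled on it), because no configuration change on the RADIUS side can conjure the cleartext a CHAP check needs.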