 From:  "S W" <lordboink at gmail dot com>
 To:  "Andrew Hibl" <a underscore blue underscore knight at yahoo dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Captive portal with Microsoft IAS
 Date:  Wed, 29 Mar 2006 02:06:44 +0200
Andrew,

Here's what worked for me (I assume you're using Win2k3 Server for this too,
and I am including all steps just for the record):

1. Ensure that CP works locally (i.e., you get the logon prompt and can
connect outwards with a username defined *on the m0n0 itself*).  If you
don't get the logon page, check your DNS settings: first, attempt to connect
to a numeric website, e.g. Google at http://66.249.87.99/ - if this opens the
CP prompt dialog, but http://www.google.com does not, then make sure the DNS
forwarder is properly configured (or set your DNS server as an allowed
outbound IP while you're testing).
2. Start sniffing on your IAS box
3. Make sure your IAS box's security auditing will log authentication events

4. On the m0n0, define the IAS box as your radius server for the CP
5. Attempt to connect via the CP; ensure you see packets incoming on the IAS
from the m0n0 (have a look inside them, too)
6. Assuming that the packets you see arriving on your IAS box are from IP
10.1.2.254, configure a Radius client in IAS, where
    - friendly name is <FRIENDLY>
    - IP is 10.1.2.254
    - Shared Secret is same as on the m0n0 (alphanumeric only IIRC)
    - Client-Vendor is 'RADIUS Standard'.

7. Next, configure a Remote Access Policy in IAS, where
    - Under the Policy Conditions, Client-IP-Address matches "10.1.2.254"
    - Connection response is 'Grant remote access permission'

It sounds like you're already at this point, so if authentication is
failing, it's probably due to the methods allowed for the authentication
(see the Authentication tab in the Policy Profile).

I did quite a few tests, and found that authentication only worked with
*only one* of the options selected - IIRC, it was PAP, but looking
at the now inactive IAS (which I can't test), MS-CHAP is ticked... doh!

Sorry for that, but I'm sure that's where your problem is. Try both, but one
at a time (and whenever you modify the authentication settings, *restart the
IAS service*).

An incorrect authentication method will give you this in the IAS's System
Event Log:
Event Type:    Warning
Event Source:    IAS
Event Category:    None
Event ID:    2
Date:        02/02/2006
Time:        01:13:45
User:        N/A
Computer:    SERVER03
Description:
User server03\rad1 was denied access.
 Fully-Qualified-User-Name = SERVER03\rad1
 NAS-IP-Address = <not present>
 NAS-Identifier = <not present>
 Called-Station-Identifier = 00:0d:b9:11:3b:a4
 Calling-Station-Identifier = 00:0b:cd:6a:3d:18
 Client-Friendly-Name = FRIENDLY
 Client-IP-Address = 10.1.2.254
 NAS-Port-Type = Ethernet
 NAS-Port = 6
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.

A successful connection looks like this (note the PAP in both - I think the
unsuccessful one happens when another option is selected):

Event Type:    Information
Event Source:    IAS
Event Category:    None
Event ID:    1
Date:        02/02/2006
Time:        01:14:03
User:        N/A
Computer:    SERVER03
Description:
User server03\rad1 was granted access.
 Fully-Qualified-User-Name = SERVER03\rad1
 NAS-IP-Address = <not present>
 NAS-Identifier = <not present>
 Client-Friendly-Name = FRIENDLY
 Client-IP-Address = 10.1.2.254
 Calling-Station-Identifier = 00:0b:cd:6a:3d:18
 NAS-Port-Type = Ethernet
 NAS-Port = 6
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
 EAP-Type = <undetermined>

Comments:
- Above, server03 is a member server, so the account 'rad1' was local.  If
your IAS is also a domain controller, you may have to check for domain\user
style prefixes and such.
- If this still fails, check that the IAS isn't passing requests on to
another remote Radius group server
- Ethereal, and the event logs are your friends

As far as I can fathom, the difference between the PPTP and Radius
situations is that when a PPTP client is authenticated via IAS, the client
itself is talking directly to IAS, whereas via the CP, the m0n0 itself is
doing everything, and can't handle anything more robust than PAP.  (This is
supposition based on experiment; if someone more knowledgeable can clarify,
please do so.)

Hope this helps,
boink