
RADIUS Authentication Based on CHAP for Access Gateway Enterprise Edition Fails When Using Active Directory

Document ID: CTX114488   /   Created On: Oct 29, 2007   /   Updated On: Oct 30, 2007

Symptoms

Authentication fails for no apparent reason even though both the RADIUS server and the Citrix Access Gateway Enterprise Edition are configured correctly for Challenge Handshake Authentication Protocol (CHAP). The user directory is Microsoft Active Directory.

When this failure occurs, the following error message appears in the Access Gateway audit log:

"08/28/2007:18:26:53 GMT ns Alert : AAA LOGIN_FAILED : User jeffsan - Client_ip 24.85.247.214 - Failure_reason "External authentication server denied access""

The following information might also appear on the RADIUS server Event Log, depending on server logging levels:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/28/2007
Time: 11:05:06 AM
User: N/A
Computer: NAFR-DC2
Description:
User jeffsan was denied access.
Fully-Qualified-User-Name = NAFR\jeffsan
NAS-IP-Address = 0.0.0.0
NAS-Identifier = NS2
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = NS2
Client-IP-Address = 192.168.70.102
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MD5-CHAP
EAP-Type = <undetermined>
Reason-Code = 19
Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

Cause

This error occurs when the user's password is not stored in Active Directory using reversible encryption.

CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and a variable challenge value. The use of repeated challenges is intended to limit the time of exposure to any single attack. The authenticator is in control of the frequency and timing of the challenges. This authentication method depends upon a secret known only to the authenticator and that peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication.

Because CHAP may be used to authenticate many different systems, Name fields may be used as an index to locate the proper secret in a large table of secrets. This scheme also makes it possible to support more than one name/secret pair per system and change the secret in use at any time during the session.

CHAP requires that the secret be available to the authenticator in plaintext form. CHAP therefore cannot work with the irreversibly hashed password databases that are commonly available. If the RADIUS server does not have access to the plaintext password, it cannot recompute the one-way hash of the identifier, secret and challenge to verify the user's response, and the authentication fails. By default, Microsoft Active Directory does not store user passwords with reversible encryption.
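The CHAP exchange described above, modelled in Python as an added example (not code from the article, Citrix or Microsoft): the peer answers a random challenge with MD5 over identifier, secret and challenge, and the server can only check that answer if it holds the plaintext secret. The user-store layout, the reason strings and the SHA-256 stand-in for the directory's one-way hash are assumptions.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def one_way_hash(password: bytes) -> bytes:
    # Stand-in for the irreversible hash a directory stores by default (constructed).
    return hashlib.sha256(password).digest()

class ChapAuthenticator:
    """Server side: a record holds the one-way hash and, only when reversible
    storage is enabled for that account, the plaintext secret as well."""

    def __init__(self, users: dict):
        self.users = users
        self.identifier = 0

    def new_challenge(self) -> tuple:
        # A changing identifier plus a random challenge defeat replay of a
        # captured response against any later challenge.
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> tuple:
        record = self.users.get(username)
        if record is None:
            return False, "unknown user"
        secret = record.get("reversible")
        if secret is None:
            # Only the one-way hash exists, so MD5(id || secret || challenge)
            # cannot be recomputed: the situation behind IAS reason code 19.
            return False, "no reversibly encrypted password for this account"
        expected = chap_response(identifier, secret, challenge)
        return (True, "ok") if hmac.compare_digest(expected, response) else (False, "response mismatch")

def run_login(server: ChapAuthenticator, username: str, password: bytes) -> tuple:
    """Peer side: answer the server's challenge using the password it knows."""
    identifier, challenge = server.new_challenge()
    return server.verify(username, identifier, challenge, chap_response(identifier, password, challenge))

# Constructed sample directory: reversible storage enabled for alice only (bob is the AD default).
USERS = {
    "alice": {"irreversible": one_way_hash(b"correct horse"), "reversible": b"correct horse"},
    "bob": {"irreversible": one_way_hash(b"battery staple")},
}
```

Bob's login fails even with the right password, which is exactly the failure the audit log and the IAS event report.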

Resolution

"Store password using reversible encryption" is a per-user account attribute and is disabled by default in Active Directory. You must enable this setting manually on each account (see Figure 1) or through a Group Policy Object (see Figure 2) when dealing with multiple users. The setting applies only to passwords set after it is enabled, so affected users must change their password before CHAP authentication can succeed.

Figure 1 - User Account Property

Figure 2 - Group Policy Object Reference

Status

This issue occurs by design and is in accord with the RADIUS and CHAP specifications. However, storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

The Access Gateway also supports the more secure Microsoft-specific RADIUS authentication protocols MS-CHAPv1 and MS-CHAPv2, which do not require reversibly encrypted passwords. These protocols are preferable and offer better security with RADIUS implementations. Use one of them if your RADIUS server supports it.

More Information

The following link contains information about RADIUS:
http://www.ietf.org/rfc/rfc2865.txt

The following link contains information about the CHAP protocol:
http://www.ietf.org/rfc/rfc2865.txt

The following link contains information about the reversible encryption Active Directory user property:
http://technet2.microsoft.com/windowsserver/en/library/eeff044c-d4a8-4699-a4b8-c5e563118c931033.mspx?mfr=true
