(RADIATOR) MSCHAPv2

Hugh Irvine hugh at open.com.au
Wed Jul 2 20:32:07 CDT 2003


Hello Jon -

I suggest you put a packet sniffer on the wire to see what goes on with 
the NT radius server.

Once you know what radius attributes are going back and forth, you can 
easily configure Radiator to do the same thing.

regards

Hugh


On Thursday, Jul 3, 2003, at 00:47 Australia/Melbourne, 
Jon.Zuilkowski at equifax.com wrote:

> Hi.
>
> I have a need to implement mschapv2 so that I can use the password
> expiration feature of the cisco client/vpn concentrator 3000 series.
>
> The problem is, I have no idea how to do this and I can't seem to find
> what I need on google, and Cisco refuses to help or give me any info...
>
>
> I have a fairly elaborate setup now (thanks to cisco's marketing
> promises)...
>
> I have all of my users in a central LDAP database with a web front end.
>
> I currently use xtradius to authenticate the vpn device because it
> allowed me to write auth scripts in perl.
>
> A second instance of radius runs also as an LDAP gateway for dialup auth.
>
> The cisco client/device support password expiration via mschapv2 like so:
>
>
>   client   ---->  username/password ---> vpn device ---> radius (NT Server)
>
>   radius (NT Server) ---> (some attribute) ---> vpn device ---> client (opens dialog for password change)
>
>   client   ---->  (password change attributes) ---> vpn device ---> radius (NT Server)
>
>
> The way I want this to look is like so:
>
>   client   ---->  username/password ---> vpn device ---> radius --> LDAP (determines expired password)
>
>   LDAP  -->  radius  ---> (some attribute) ---> vpn device ---> client (opens dialog for password change)
>
>   client   ---->  (password change attributes) ---> vpn device ---> radius -->  LDAP (password is changed)
>
>
> Is there anyone that knows how to do this or can point me to some good
> info on how to use the mschapv2 attributes?
>
> Additional info:
>
> radius/ldap servers:  2xsparc v100, solaris 9
> ldap:  sun ONE directory v5.1
>
> Thanks.
> -Jon
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
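
The sniffing approach suggested in the reply, as an added example that is not part of the original thread and is not Radiator code: a decoder that pulls the Microsoft vendor-specific attributes out of a captured RADIUS packet and flags the password-expired error. It assumes the attribute numbers defined in RFC 2548 and the error code E=648 from RFC 2759 (the thread itself does not name the attributes); the sample packet is constructed.

```python
import struct

MS_VENDOR_ID = 311  # Microsoft enterprise number (RFC 2548)
# Vendor types from RFC 2548 that matter for MS-CHAPv2 password change
MS_TYPES = {2: "MS-CHAP-Error", 11: "MS-CHAP-Challenge",
            25: "MS-CHAP2-Response", 26: "MS-CHAP2-Success", 27: "MS-CHAP2-CPW"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def ms_vsas(packet):
    """Return (code_name, [(attr_name, value_bytes), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    found, pos = [], 20  # 20-byte header: code, id, length, authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(body) < 6:  # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", body[:4])[0] != MS_VENDOR_ID:
            continue
        sub = body[4:]  # one or more vendor sub-attributes: type, length, data
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            found.append((MS_TYPES.get(sub[0], "MS-%d" % sub[0]), sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return CODES.get(code, str(code)), found

def password_expired(packet):
    """True if the packet carries MS-CHAP-Error with E=648 (password expired)."""
    for name, value in ms_vsas(packet)[1]:
        if name != "MS-CHAP-Error":
            continue
        text = value[1:].decode("ascii", "replace")  # skip the 1-byte ident
        fields = dict(f.split("=", 1) for f in text.split() if "=" in f)
        if fields.get("E") == "648":
            return True
    return False

def build_reject(error_text):
    """Constructed sample: Access-Reject carrying one MS-CHAP-Error VSA."""
    sub = bytes([2, 3 + len(error_text), 1]) + error_text  # type, len, ident
    vsa = bytes([26, 6 + len(sub)]) + struct.pack("!I", MS_VENDOR_ID) + sub
    return struct.pack("!BBH", 3, 1, 20 + len(vsa)) + bytes(16) + vsa

SAMPLE = build_reject(b"E=648 R=0 C=" + b"0" * 32 + b" V=3")  # constructed
```

Feeding each UDP payload from a capture of the NT server exchange through `ms_vsas` shows which of these attributes appear in each direction.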
