(RADIATOR) Inner Auth MSCHAP-V2 failure
Hugh Irvine
hugh at open.com.au
Wed Apr 14 03:25:18 CDT 2004
Hello Alexandre -
Thanks for sending the configuration file and debug.
I suspect the problem is due to your RewriteUsername, which will not
work with MS-CHAPv2.
Have a look at the header block in "Radius/MSCHAP.pm":
# MSCHAP.pm
# Implements MSCHAP algorithms as described in
# draft-ietf-pppext-mschap-00.txt and RFC3079
# Requires Digest-MD4-1.0 or better, available from CPAN and
# ActiveState
#
# The basic algorithms and how they are used by MS
#
#     PeerChallenge                  Username          Password
#          |      AuthChallenge         |                 |
#          |           |                |                 |0-256
#   --------           |                |0-256            v
#   |                  |                |           ASCIIToUnicode
#   |16                |16              |                 |
#   |                  |                |           ------  0-256
#   v                  v                v           v
# MSCHAPV2--> GenerateNTResponse
#   |                  |                |                 |
#   |16                |16              |0-256            |0-256
#   v                  v                v                 |
#              ChallengeHash                              |
#                    |                                    |
#                    |8                                   |
#                    |                                    |
#                    v                                    v
# MSCHAP--> NtChallengeResponse
#                    |                                    |
#                    |8                                   |0-256
#                    |                                    |
#                    |                              NTPasswordHash
#                    |                                    |
#                    -------                              |16
#                          |                              |
#                          v                              v
#                           ChallengeResponse
#                                   |
#                                   |24
#                                   v
#
# Author: Mike McCauley (mikem at open.com.au)
#
# This code is offered on the same terms as draft-ietf-pppext-mschap-00.txt
# $Id: MSCHAP.pm,v 1.7 2003/12/23 22:40:17 mikem Exp $
As you can see, the full username is used as part of the authentication.
regards
Hugh
On 13 Apr 2004, at 00:27, Alexandre Frederico de Sousa wrote:
> I have a Radius environment in which I have set Radius to get the
> authentication information from the Active Directory LDAP server using
> AuthBy LDAP2. The purpose is to have Cisco 1100 APs authenticate
> wireless users using 802.1x. The wireless clients are mostly running
> Windows XP, using PEAP and MSCHAP-V2 to authenticate on the wireless
> network.
>
> I have configured Radiator’s Handler for the local realm and the
> handler for the PEAP requests.
>
> I have run through a series of problems and now I’m stuck with a PEAP
> Authentication problem regarding a MSCHAP-V2 Authentication Failure.
>
> Together with this email I’m sending a sample of my configuration and
> a level 4 trace file. I was wondering if someone could give me a hint
> at what’s wrong this time.
>
> Best Regards,
>
> Alexandre Sousa
>
> --------------------------------------------------------------------------
>
> Configuration File
>
> AuthPort 1812
> AcctPort 1813
> LogDir /var/log/radius
> DbDir /etc/radius
> DictionaryFile /etc/radius/dictionary,/etc/radius/dictionary.ascend,/etc/radius/dictionary.cisco
> PidFile /var/run/radius.pid
> Trace 4
>
> *** SKIPPED LOG SECTION ***
>
> ## Client for local tests
> <Client 10.0.0.209>
>     Secret passwordgoeshere
>     Identifier testelocal
>     DupInterval 0
> </Client>
>
> ## Clients for local APs
> <Client 10.0.0.206>
>     Secret passwordgoeshere
>     Identifier localuser
> </Client>
>
> ####### Special Purpose Rewrites
> ####### In case the user has a DOMAIN\USER username, this takes care of it
> RewriteUsername s/^(.+)\\(.+)$/$2\@$1/
>
> ####### HANDLERS
>
> ## To local LDAP (W2K AD Server)
> <Handler Realm=SAMPLE.ORG>
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy LDAP2>
>         Host 10.0.0.10
>         AuthDN cn=Administrator,cn=Users,dc=SAMPLE,dc=ORG
>         AuthPassword passwordgoeshere
>         BaseDN cn=Users,dc=SAMPLE,dc=ORG
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         AuthAttrDef logonHours,MS-Login-Hours,check
>         Version 3
>         EAPType PEAP
>         EAPAnonymous %n
>         EAPTLS_CAFile /etc/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/certificates/servername.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/certificates/servername.pem
>         EAPTLS_PrivateKeyPassword passwordgoeshere
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>     </AuthBy>
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy LDAP2>
>         Host 10.0.0.10
>         AuthDN cn=Administrator,cn=Users,dc=SAMPLE,dc=ORG
>         AuthPassword passwordgoeshere
>         BaseDN cn=Users,dc=SAMPLE,dc=ORG
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         AuthAttrDef logonHours,MS-Login-Hours,check
>         Version 3
>         EAPType MSCHAP-V2
>         RewriteUsername s/^([^@]+).*/$1/
>     </AuthBy>
> </Handler>
>
> The level 4 tracefile is on the attached file.
>
> <logfile>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
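Hugh's point above, that the username string is an input to the MS-CHAPv2 computation, as an added Python example that is not part of this thread or of Radiator: ChallengeHash() from RFC 2759 section 8.2 computed over a sample login name, with the posted global RewriteUsername rule mirrored in re.sub to show that the rewritten name yields a different 8-octet challenge from anything the peer could have hashed, so the 24-octet NT-Response built on it cannot verify. The RFC 2759 test vector, the constructed name SAMPLE\alexandre and all function names are assumptions of this example.

```python
import hashlib
import re

# Public test vector from RFC 2759 section 9.2 (not taken from the thread).
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() as specified in RFC 2759 section 8.2.
    The 8-octet result is the DES plaintext behind the 24-octet NT-Response,
    so the server must hash exactly the username bytes the peer hashed.  The
    RFC says the peer excludes any prepended domain name; what a particular
    supplicant or server really does is implementation-specific.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()
    return digest[:8]


def global_rewrite(username: str) -> str:
    """The posted global rule, RewriteUsername s/^(.+)\\\\(.+)$/$2\\@$1/, as re.sub:
    DOMAIN\\user becomes user@DOMAIN.  Mirrors the Perl; not Radiator's own code."""
    return re.sub(r"^(.+)\\(.+)$", r"\2@\1", username)


def rewrite_breaks_challenge(peer_challenge: bytes, auth_challenge: bytes, sent_name: str) -> dict:
    """Compare the challenge a server derives from the rewritten name with the
    two names the peer could plausibly have hashed: the name exactly as sent,
    or that name with its DOMAIN\\ prefix removed per RFC 2759."""
    rewritten = global_rewrite(sent_name)
    as_sent = challenge_hash(peer_challenge, auth_challenge, sent_name)
    stripped = challenge_hash(peer_challenge, auth_challenge, sent_name.rsplit("\\", 1)[-1])
    server = challenge_hash(peer_challenge, auth_challenge, rewritten)
    return {
        "rewritten_name": rewritten,
        "challenge_as_sent": as_sent.hex(),
        "challenge_domain_stripped": stripped.hex(),
        "challenge_after_rewrite": server.hex(),
        "server_can_verify": server in (as_sent, stripped),
    }


if __name__ == "__main__":
    # Constructed sample: a Windows XP supplicant logging in as DOMAIN\user.
    result = rewrite_breaks_challenge(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "SAMPLE\\alexandre")
    for key, value in result.items():
        print(f"{key}: {value}")
```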