(RADIATOR) Problem with rewriteusername and chap

Hugh Irvine hugh at open.com.au
Wed Jan 7 16:02:58 CST 2004


Hello Chris -

I believe the problem is to do with MS-CHAP V2 which uses the full  
username to check the password.

Have a look at the comment header and the code in "Radius/MSCHAP.pm" in  
the Radiator 3.8 distribution.

regards

Hugh


On 08/01/2004, at 5:18 AM, Chris Simmons wrote:

> Dear all,
> First, I must say sorry for the long post (and HTML). Secondly, we have
> a client sending:
> username = user2@rn1-all.sghms.ac.uk via MS-CHAP V2 and the password
> "password".
>
> We are running a simple config.file:
>
> RewriteUsername s/\@.*//
>
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>         <AuthBy FILE>
>                 Filename /usr/local/etc/users
>         </AuthBy>
> </Realm>
>
> the users file contains:
>
> user User-Password="password",     
> user2 User-Password="password",
>         
>
> But the following happens:
>
> Yields:
> Wed Jan  7 17:54:21 2004: DEBUG: Reading users file  
> /usr/local/etc/users
> Wed Jan  7 17:54:21 2004: DEBUG: Finished reading configuration file  
> '/usr/local/etc/simple.cfg'
> Wed Jan  7 17:54:21 2004: DEBUG: Reading dictionary file  
> '/var/log/radius/dictionary'
> Wed Jan  7 17:54:21 2004: DEBUG: Creating authentication port  
> 0.0.0.0:1813
> Wed Jan  7 17:54:21 2004: DEBUG: Creating accounting port 0.0.0.0:1812
> Wed Jan  7 17:54:21 2004: NOTICE: Server started: Radiator 3.8 on dns1
> Wed Jan  7 17:54:25 2004: DEBUG: Packet dump:
> *** Received from 172.16.1.52 port 1814 ....
> Code:       Access-Request
> Identifier: 13
> Authentic:  /s0<1><26><143><149><200>R<154><239><244>tu_<138>
> Attributes:
>         MS-CHAP-Challenge =  
> "o<167>k<193><136><128><203><138><26><214>&<160><230><127><0>K"
>         MS-CHAP2-Response =  
> "<1><0><145><228><250>/ 
> r<177>"E<13><148><236>%<25><182><230>Y<0><0><0><0><0><0><0><0>- 
> <147><0><246><129>b<18><153><188><3><202><178><193><165><4><143>@<249>s 
> <28>X<165>2<162>"
>         User-Name ="user at rn1-all.sghms.ac.uk"
>         NAS-IP-Address = 172.16.1.52
>         NAS-Identifier ="roam at 10.0.1.0/24"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Proxy-State = 208
>
> Wed Jan  7 17:54:25 2004: DEBUG: Rewrote user name to user
> Wed Jan  7 17:54:25 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jan  7 17:54:25 2004: DEBUG:  Deleting session  
> foruser2 at rn1-all.sghms.ac.uk, 172.16.1.52,
> Wed Jan  7 17:54:25 2004: DEBUG: Handling with Radius::AuthFILE:
> Wed Jan  7 17:54:25 2004: DEBUG: Radius::AuthFILE looks for match with  
> user2
> Wed Jan  7 17:54:25 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Wed Jan  7 17:54:25 2004: INFO: Access rejected for user: Bad Password
> Wed Jan  7 17:54:25 2004: DEBUG: Packet dump:
> *** Sending to 172.16.1.52 port 1814 ....
> Code:       Access-Reject
> Identifier: 13
> Authentic:  /s0<1><26><143><149><200>R<154><239><244>tu_<138>
> Attributes:
>         Reply-Message = "Request Denied"
>         Proxy-State = 208
>
>
> But if the following is used:
>
> radpwtst -user user2@rn1-all.sghms.ac.uk -password password
>
> the output below:
>
> *** Received from 127.0.0.1 port 60973 ....
> Code:       Access-Request
> Identifier: 215
> Authentic:  1234567890123456
> Attributes:
>         User-Name ="user2 at rn1-all.sghms.ac.uk"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =  
> "<137><234>,<222><216>3v<146><188>8<9><160><216>}x<153>"
>
> Wed Jan  7 18:05:05 2004: DEBUG: Rewrote user name to user2
> Wed Jan  7 18:05:05 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jan  7 18:05:05 2004: DEBUG:  Deleting session  
> foruser2 at rn1-all.sghms.ac.uk, 203.63.154.1, 1234
> Wed Jan  7 18:05:05 2004: DEBUG: Handling with Radius::AuthFILE:
> Wed Jan  7 18:05:05 2004: DEBUG: Radius::AuthFILE looks for match with  
> user2
> Wed Jan  7 18:05:05 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Jan  7 18:05:05 2004: DEBUG: Access accepted for user2
> Wed Jan  7 18:05:05 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 60973 ....
> Code:       Access-Accept
> Identifier: 215
> Authentic:  1234567890123456
> Attributes:
>
>
> BUT with RewriteUsername OFF and using MS-CHAP V2, and changing the
> user names in the users file to user2@rn1-all.sghms.ac.uk,
> it works.
>
> *** Received from 172.16.1.52 port 1814 ....
> Code:       Access-Request
> Identifier: 14
> Authentic:  <20><227>JyPz<8><192><168><183><245>M<252>k<139>j
> Attributes:
>         MS-CHAP-Challenge =  
> "<14>l<158><25><209><199><205>a8J<137>u<4>02<146>"
>         MS-CHAP2-Response =  
> "<1><0>F<195>ps<4><160>|<250><200><176><3>q<213>c<244>2<0><0><0><0><0>< 
> 0><0><0><175><224><26><9>j<180>"<220>3<238>? 
> <157><230><231><206><184>*<192>K<<194><203>y<30>"
>         User-Name ="user2 at rn1-all.sghms.ac.uk"
>         NAS-IP-Address = 172.16.1.52
>         NAS-Identifier ="roam at 10.0.1.0/24"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Proxy-State = 80
>
> Wed Jan  7 18:08:21 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jan  7 18:08:21 2004: DEBUG:  Deleting session  
> foruser2 at rn1-all.sghms.ac.uk, 172.16.1.52,
> Wed Jan  7 18:08:21 2004: DEBUG: Handling with Radius::AuthFILE:
> Wed Jan  7 18:08:21 2004: DEBUG: Radius::AuthFILE looks for match  
> withuser2 at rn1-all.sghms.ac.uk
> Wed Jan  7 18:08:21 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Jan  7 18:08:21 2004: DEBUG: Access accepted  
> foruser2 at rn1-all.sghms.ac.uk
> Wed Jan  7 18:08:21 2004: DEBUG: Packet dump:
>
> Does anybody have any ideas where we would be going wrong?
>
> regards
>
> Chris.
>
> -- 
> Chris Simmons
> Network Engineer
> St Georges Hospital Medical School
>
> Tel: 020 8725 0234
> mail: chris at sghms.ac.uk
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
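An added illustration of Hugh's point (my own code, not Radiator's and not from either post): in MS-CHAP V2 the User-Name the client presents is hashed into the 8-octet challenge (ChallengeHash() in RFC 2759 section 8.2) that the client's NT-Response is then built on, so a server that strips the realm before verifying recomputes a different challenge and can never reproduce the response, whatever the stored password is. The script checks the ChallengeHash() test vector from RFC 2759 section 9.2, then models the two configurations Chris tried using constructed challenge values in place of the ones in the quoted packet dumps. The names rewrite_username, server_can_verify and walk_through are mine; the DES step that turns the challenge into the NT-Response (RFC 2759 section 8.1) is deliberately not implemented, since it does not change the argument.

```python
# Added example: why a RewriteUsername applied before MS-CHAP V2 verification
# breaks the password check. Not Radiator code; see the lead-in for assumptions.
import hashlib
import re


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA-1 over PeerChallenge || AuthenticatorChallenge || UserName, keeping the
    first 8 octets. The client DES-encrypts exactly these 8 octets under keys
    derived from its NT password hash to form the NT-Response (section 8.1,
    not implemented here), so the name fed in here is bound into the response
    the server has to reproduce.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    data = peer_challenge + authenticator_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def rewrite_username(name: str, pattern: str = r"@.*") -> str:
    r"""Model of the quoted config line 'RewriteUsername s/\@.*//': drop the realm.

    The Perl form escapes the @ sigil; the equivalent Python pattern does not need to.
    """
    return re.sub(pattern, "", name, count=1)


def server_can_verify(client_name: str, server_name: str,
                      peer_challenge: bytes, authenticator_challenge: bytes) -> bool:
    """Does the challenge the server recomputes match the one the client used?

    A verifier looks up the password under server_name and recomputes the
    NT-Response; that can only succeed when the name it puts into
    ChallengeHash() is byte-for-byte the one the client used.
    """
    client_side = challenge_hash(peer_challenge, authenticator_challenge, client_name)
    server_side = challenge_hash(peer_challenge, authenticator_challenge, server_name)
    return client_side == server_side


# Test vector from RFC 2759 section 9.2 (values taken from the RFC, not constructed).
RFC_USER_NAME = "User"
RFC_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")

# Constructed challenges standing in for the ones in the quoted packet dumps.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTHENTICATOR_CHALLENGE = bytes(range(0x20, 0x30))
CLIENT_NAME = "user2@rn1-all.sghms.ac.uk"   # the name the client put in User-Name


def walk_through() -> dict:
    """Reproduce the two configurations from the thread and return the outcomes."""
    return {
        # Sanity check against the RFC's own numbers.
        "rfc_vector_ok": challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTHENTICATOR_CHALLENGE,
                                        RFC_USER_NAME) == RFC_CHALLENGE,
        # RewriteUsername s/\@.*// on: the server recomputes with 'user2'.
        "rewrite_on": server_can_verify(CLIENT_NAME, rewrite_username(CLIENT_NAME),
                                        PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE),
        # RewriteUsername off, users file keyed by the full name.
        "rewrite_off": server_can_verify(CLIENT_NAME, CLIENT_NAME,
                                         PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Two practical notes. First, the comment in RFC 2759's ChallengeHash() says only a prepended domain (the DOMAIN\user form) is excluded from the hash input; a realm suffix such as user2@rn1-all.sghms.ac.uk stays in, which is exactly why the stripped name cannot verify here while the unmodified one can. Second, the same mismatch shows up in a trace as a "Bad Password" reject for a user whose password is known good, so when an MS-CHAP V2 client is rejected right after a "Rewrote user name to ..." debug line, check the rewrite before suspecting the stored password.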