(RADIATOR) AuthBy LSA

Terry Simons galimore at mac.com
Tue Jan 13 23:20:19 CST 2004


Russell,

The bug you're referring to with OS X clients is simple to get around 
and have PAP work.

Here's the deal:

When you set up your profile, *ONLY* edit the settings for that 
connection *inside* the "Edit Configurations..." window.

If you create a connection, then change any of the settings in the 
regular Internet Connect 802.1x window, it will prompt you if you want 
to save the changes.  If you say yes, the TTLS inner authentication 
changes back to MSCHAPv2.  As long as you only edit the profile inside 
the Edit Configurations window, it won't switch back to MSCHAPv2.  ;)

I reported this bug to Apple, but they haven't fixed it yet.

The problem with using MSCHAPv2 is that you need to have the passwords 
on your server set up to be reversibly encrypted (on the AD, that is).  
This is due to the way the MSCHAPv2 hash is calculated during 
authentication.  (The server has to have access to the clear text 
password to calculate the MSCHAPv2 hash, which is different for every 
authentication).

We have many students using TTLS->PAP with Panther, and we haven't had 
any complaints.  I also use it quite a bit.

The nice thing about TTLS->PAP is that you can leave your passwords 
encrypted/hashed/whatever on the server and not have to worry about 
that being a security vulnerability.

I've done extensive testing with Radiator and the Mac OS X Panther 
client, so if you have any questions feel free to let me know.

- Terry

On Jan 13, 2004, at 8:33 PM, Russell Owen wrote:

> Hi All,
> Does anyone know if there is a way to get AuthBy LSA to act in a 
> similar method to AuthBy ADSI against AD and also check group 
> membership. I had this working perfectly with AuthBy ADSI and the 
> GroupRequired command using PAP, but I now need to use MSCHAP-V2 due 
> to a bug with OSX always defaulting to MSCHAP-v2.
>  
> I have attached part of my config file. What I need to achieve is 
> authentication against AD that checks group membership and 
> assigns VLAN info (using AddToReply) based on group membership, that 
> also uses TTLS-MSCHAPv2 (to get around a bug with the crappy OSX 
> clients). The attached config works fine with AuthBy ADSI, but only 
> when using TTLS-PAP. I need to somehow convert this to AuthBy LSA, so 
> I can use TTLS-MSCHAPv2.
>  
> Any assistance would be greatly appreciated.
> Russ.
>  
>  
> <Handler Client-Identifier=Wireless>
>     RejectHasReason
>     AuthByPolicy ContinueWhileReject
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy ADSI>
>         Identifier                  Staff
>         EAPTLS_SessionResumption    0
>         AuthUser                    %0 at intheforrest.wa.au
>         SearchAttribute             userPrincipalName
>         BindString                  LDAP://ou=staff,dc=intheforrest,dc=wa,dc=au
>         GroupRequired               CN=Staff
>         # AddToReply                Cisco-AVpair="ssid=Staff"
>         AddToReply                  Tunnel-Type="VLAN" \
>                                     Tunnel-Medium-Type="802" \
>                                     Tunnel-Private-Group-ID="2"
>     </AuthBy>
>     <AuthBy ADSI>
>         Identifier                  Students
>         EAPTLS_SessionResumption    0
>         AuthUser                    %0 at intheforrest.wa.au
>         SearchAttribute             userPrincipalName
>         BindString                  LDAP://ou=students,dc=intheforrest,dc=wa,dc=au
>         GroupRequired               CN=Students
>         # AddToReply                Cisco-AVpair="ssid=Student"
>         AddToReply                  Tunnel-Type="VLAN" \
>                                     Tunnel-Medium-Type="802" \
>                                     Tunnel-Private-Group-ID="1"
>     </AuthBy>