(RADIATOR) Help setting up PEAP (with MSCHAP)

António Fernandes afernandes at egp.up.pt
Sat Jun 18 04:46:01 CDT 2005


I'm currently using Radiator for wireless authentication (EAP-TTLS) using
SecureW2 in WinXP SP2. Since the beginning I have also wanted to add PEAP
using MSCHAP. The problem with MSCHAP comes with the need for clear text
passwords. Recently I've come across a FreeRadius implementation that
allows MSCHAP authentication using NTLM style passwords (NT/LM
hashes). I understand that NTLM hashes are reversible, and if so, it should
also work with Radiator?

Is this possible with Radiator? I tried to get the passwords from MySQL with
no success. When the password is in plain text it works fine, but when I
change it to NTLM it rejects...

Any ideas?


Yours,

Antonio Fernandes
Oporto Management School
Oporto University




Config:
<AuthBy SQL>
        #identifier
        Identifier authby_MYSQL_PEAP_eu
        # No default
        NoDefault
        NoDefaultIfFound
        #EAP
        EAPType MSCHAP-V2
        # DB
        DBSource dbi:mysql:XXXXX:XXXXXX
        DBUsername XXXXXX
        DBAuth XXXXXXX
        # SQL
        AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS Username, VLAN
FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
        AuthColumnDef 0, Encrypted-Password, check
        AuthColumnDef 1, User-Name, reply
        AuthColumnDef 2, Tunnel-Private-Group-ID, reply
        AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type =
"1:Ether_802"
        # Only one session per user at a time
        DefaultSimultaneousUse 1
</AuthBy>
<Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
        UsernameCharset a-zA-Z0-9\._\@-
        SessionDatabase NULL
        AuthBy authby_MYSQL_PEAP_eu
</Handler>
<Handler Realm = /egp\.up\.pt.*/i>
        # Strip off the realm
        RewriteUsername s/^([^@]+).*/$1/

        SessionDatabase NULL

        MaxSessions 1
        <AuthBy FILE>
                EAPType TTLS, PEAP, TLS
                EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
                EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
                EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
        <Log SYSLOG>
                Facility radius
        </Log>
</Handler>





Snippet (from http://forum.chupa.nl/showthread.php?t=1141&page=3):

passwd etc_smbpasswd_with_domain {
filename = /opt/etc/smbpasswd
format = "*Stripped-User-Name:NT-Password"
authtype = MS-CHAP
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}

My "smbpasswd" (far from it now) looks like this:
# Sample smbpasswd file.
# To use this, set 'encrypt passwords = yes' in the [global]-section
# of /etc/smb.conf
Tommy:NTLMPASS
Connie:NTLMPASS
PocketPC:NTLMPASS