(RADIATOR) Help setting up PEAP (with MSCHAP)

António Fernandes afernandes at egp.up.pt
Tue Jun 21 03:36:19 CDT 2005


Hi Hugh,

Thanks... I've done the changes but I can't seem to get it to work.
Can you help me?

Yours,

Antonio Fernandes
Oporto Management School
Oporto University




<AuthBy SQL>
        # identifier
        Identifier authby_MYSQL_PEAP_eu
        # No default
        NoDefault
        NoDefaultIfFound
        #EAP
        EAPType MSCHAP-V2
        EAPTLS_PEAPVersion 0
        # Database definition
        DBSource dbi:mysql:EGP_Sistema:mysql.egp.up.pt
        DBUsername XXXXXXXX
        DBAuth XXXXXXXXX
        # Access query: the NTLM column holds the NT hash; the {nthash} prefix
        # tells Radiator to treat it as an NT hash instead of a cleartext password
        AuthSelect SELECT CONCAT('{nthash}',NTLM) AS NTLM, CONCAT(User,'@',Domain) AS Username, VLAN FROM users WHERE CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
        AuthColumnDef 0, Encrypted-Password, check
        AuthColumnDef 1, User-Name, reply
        AuthColumnDef 2, Tunnel-Private-Group-ID, reply
        # If no VLAN is returned, fall back to the default
        AllowInReply            Tunnel-Private-Group-ID
        AddToReplyIfNotExist    Tunnel-Private-Group-ID = "1:5"
        AddToReply              Tunnel-Type = "1:VLAN", Tunnel-Medium-Type = "1:Ether_802"
        # Only one session per user at a time
        DefaultSimultaneousUse 1
</AuthBy>
<Handler TunnelledByPEAP=1>
        RewriteUsername s/^([^@]+).*/$1/
        UsernameCharset a-zA-Z0-9\._\@-
        SessionDatabase NULL
        AuthByPolicy ContinueUntilAccept
        AuthBy authby_MYSQL_PEAP_eu
#       <AuthBy FILE>
#               RewriteUsername s/^([^@]+).*/$1/
#               Filename /etc/radiator/users_OK
#               EAPType MSCHAP-V2
#               AddToReply User-Name=%u
#       </AuthBy>
        AuthLog log_LocalUsers
</Handler>
<Handler Realm = /egp\.up\.pt.*/i>
        # Strip off the realm
        RewriteUsername s/^([^@]+).*/$1/
        SessionDatabase NULL
        MaxSessions 1
        AuthByPolicy ContinueUntilAccept
        <AuthBy FILE>
                EAPType TTLS, PEAP, TLS
                EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
                EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
                EAPTLS_PrivateKeyPassword XXXXXXXXXX
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
        <Log SYSLOG>
                Facility radius
        </Log>
</Handler>






-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Saturday, 18 June 2005 15:06
To: António Fernandes
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)


Hello Antonio -

Radiator supports NT hash passwords with a prefix of "{nthash}".

See section 13.1.1 in the Radiator 3.13 reference manual ("doc/ref.html").

regards

Hugh


On 18 Jun 2005, at 19:46, António Fernandes wrote:

>
> I'm currently using Radiator for wireless authentication (EAP-TTLS) using
> SecureW2 in WinXP SP2. Since the beginning I would also like to add PEAP
> using MSCHAP. The problem with MSCHAP comes with the need for clear text
> passwords. Recently I've come across a FreeRadius implementation that
> allows doing MSCHAP authentication using NTLM-style passwords (NT/LM
> hashes). I understand that NTLM hashes are reversible and if so, it should
> work also with Radiator?
>
> Is this possible with Radiator? I tried to get passwords from MySQL with
> no success. When the password is in plain text it works fine but when I
> change it to NTLM it rejects...
>
> Any ideas?
>
>
> Yours,
>
> Antonio Fernandes
> Oporto Management School
> Oporto University
>
>
>
>
> Config:
> <AuthBy SQL>
>         #identifier
>         Identifier authby_MYSQL_PEAP_eu
>         # No default
>         NoDefault
>         NoDefaultIfFound
>         #EAP
>         EAPType MSCHAP-V2
>         # DB
>         DBSource dbi:mysql:XXXXX:XXXXXX
>         DBUsername XXXXXX
>         DBAuth XXXXXXX
>         # SQL
>         AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS Username, VLAN FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
>         AuthColumnDef 0, Encrypted-Password, check
>         AuthColumnDef 1, User-Name, reply
>         AuthColumnDef 2, Tunnel-Private-Group-ID, reply
>         AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type = "1:Ether_802"
>         # Only one session per user at a time
>         DefaultSimultaneousUse 1
> </AuthBy>
> <Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
>         UsernameCharset a-zA-Z0-9\._\@-
>         SessionDatabase NULL
>         AuthBy authby_MYSQL_PEAP_eu
> </Handler>
> <Handler Realm = /egp\.up\.pt.*/i>
>         # Strip off the realm
>         RewriteUsername s/^([^@]+).*/$1/
>
>         SessionDatabase NULL
>
>         MaxSessions 1
>         <AuthBy FILE>
>                 EAPType TTLS, PEAP, TLS
>                 EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
>                 EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
>                 EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>         </AuthBy>
>         <Log SYSLOG>
>                 Facility radius
>         </Log>
> </Handler>
>
>
>
>
>
> Snippet... (http://forum.chupa.nl/showthread.php?t=1141&page=3)
>
> passwd etc_smbpasswd_with_domain {
> filename = /opt/etc/smbpasswd
> format = "*Stripped-User-Name:NT-Password"
> authtype = MS-CHAP
> hashsize = 100
> ignorenislike = no
> allowmultiplekeys = no
> }
>
> My "smbpasswd" (far from it now) looks like this:
> # Sample smbpasswd file.
> # To use this, set 'encrypt passwords = yes' in the [global]-section
> # of /etc/smb.conf
> Tommy:NTLMPASS
> Connie:NTLMPASS
> PocketPC:NTLMPASS
>


NB: I am travelling this week, so there may be delays in our correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: logfile-2005-06-21.zip
Type: application/x-zip-compressed
Size: 5066 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20050621/16ffa6d5/attachment.bin>

