(RADIATOR) Help setting up PEAP (with MSCHAP)

António Fernandes afernandes at egp.up.pt
Wed Jun 22 04:46:35 CDT 2005


Hi Mike,

I already did. My first iteration was what you suggested:
(it appears near the end of the e-mail)

> >         AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS
> > Username, VLAN
> > FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> >         AuthColumnDef 0, Encrypted-Password, check

but it still doesn't work.
I suspected (and still do) that it has something to do with the Challenge process:

1 - Access-Request
2 - Access-Challenge (it's "EAP TTLS Challenge")
3 - Access-Request (switching to "EAP PEAP")
4 - Access-Challenge (this time it's PEAP)
5 - Access-Request 
6 - ......


The strange part is that the debug output shows:
	Radius::AuthSQL ACCEPT
but in the next line:
	EAP result: 1, EAP MSCHAP-V2 Authentication failure

Thank you again Mike,

Antonio Fernandes
Oporto Management School
Oporto University




-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Tuesday, 21 June 2005 23:55
To: António Fernandes
Cc: 'Hugh Irvine'; radiator at open.com.au
Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)

Hello Antonio,

I think the problem is that you have specified that the SQL nthash is to be 
used as Encrypted-Password, but you have prefixed it with {nthash} as if it 
were to be used as User-Password. If the passwords have {nthash} in front, 
you should use User-Password like this:

         AuthColumnDef 0, User-Password, check

Encrypted-Password should only be used if there is no other indication that the
password is encrypted.

Actually I would think it would be better if you had:

         AuthSelect SELECT NTLM,\
 CONCAT(User,'@',Domain) AS Username, VLAN FROM users where\
 CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
         AuthColumnDef 0, Encrypted-Password, check

and use the NTLM hash directly?
Your choice.

Cheers.


On Tuesday 21 June 2005 18:36, António Fernandes wrote:
> Hi Hugh,
>
> Thanks... I've done the changes but I can't seem to get it to work.
> Can you help me?
>
> Yours,
>
> Antonio Fernandes
> Oporto Management School
> Oporto University
>
>
>
>
> <AuthBy SQL>
>         # identifier
>         Identifier authby_MYSQL_PEAP_eu
>         # No default
>         NoDefault
>         NoDefaultIfFound
>         #EAP
>         EAPType MSCHAP-V2
>         EAPTLS_PEAPVersion 0
>         # Database definition
>         DBSource dbi:mysql:EGP_Sistema:mysql.egp.up.pt
>         DBUsername XXXXXXXX
>         DBAuth XXXXXXXXX
>         # Access SQL
>         AuthSelect SELECT CONCAT('{nthash}',NTLM) AS NTLM,
> CONCAT(User,'@',Domain) AS Username, VLAN FROM users where
> CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
>         AuthColumnDef 0, Encrypted-Password, check
>         AuthColumnDef 1, User-Name, reply
>         AuthColumnDef 2, Tunnel-Private-Group-ID, reply
>         # If no VLAN is set, fall back to the default
>         AllowInReply            Tunnel-Private-Group-ID
>         AddToReplyIfNotExist    Tunnel-Private-Group-ID = "1:5"
>         AddToReply              Tunnel-Type = "1:VLAN", Tunnel-Medium-Type
> = "1:Ether_802"
>         # Only one session per user at a time
>         DefaultSimultaneousUse 1
> </AuthBy>
> <Handler TunnelledByPEAP=1>
>         RewriteUsername s/^([^@]+).*/$1/
>         UsernameCharset a-zA-Z0-9\._\@-
>         SessionDatabase NULL
>         AuthByPolicy ContinueUntilAccept
>         AuthBy authby_MYSQL_PEAP_eu
> #       <AuthBy FILE>
> #               RewriteUsername s/^([^@]+).*/$1/
> #               Filename /etc/radiator/users_OK
> #               EAPType MSCHAP-V2
> #               AddToReply User-Name=%u
> #       </AuthBy>
>         AuthLog log_LocalUsers
> </Handler>
> <Handler Realm = /egp\.up\.pt.*/i>
>         # Strip off the realm
>         RewriteUsername s/^([^@]+).*/$1/
>         SessionDatabase NULL
>         MaxSessions 1
>         AuthByPolicy ContinueUntilAccept
>         <AuthBy FILE>
>                 EAPType TTLS, PEAP, TLS
>                 EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
>                 EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
>                 EAPTLS_PrivateKeyPassword XXXXXXXXXX
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>         </AuthBy>
>         <Log SYSLOG>
>                 Facility radius
>         </Log>
> </Handler>
>
>
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Saturday, 18 June 2005 15:06
> To: António Fernandes
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
>
>
> Hello Antonio -
>
> Radiator supports NT hash passwords with a prefix of "{nthash}".
>
> See section 13.1.1 in the Radiator 3.13 reference manual ("doc/ref.html").
>
> regards
>
> Hugh
>
> On 18 Jun 2005, at 19:46, António Fernandes wrote:
> > I'm currently using Radiator for wireless authentication (EAP-TTLS) using
> > SecureW2 in WinXP SP2. Since the beginning I would also like to add PEAP
> > using MSCHAP. The problem with MSCHAP comes with the need for clear text
> > passwords. Recently I've come across a FreeRadius implementation that
> > allows MSCHAP authentication using NTLM style passwords (NT/LM hashes). I
> > understand that NTLM is reversible and, if so, it should also work with
> > Radiator?
> >
> > Is this possible with Radiator? I tried to get passwords from MySQL with
> > no success. When the password is in plain text it works fine but when I
> > change it to NTLM it rejects...
> >
> > Any ideas?
> >
> >
> > Yours,
> >
> > Antonio Fernandes
> > Oporto Management School
> > Oporto University
> >
> >
> >
> >
> > Config:
> > <AuthBy SQL>
> >         #identifier
> >         Identifier authby_MYSQL_PEAP_eu
> >         # No default
> >         NoDefault
> >         NoDefaultIfFound
> >         #EAP
> >         EAPType MSCHAP-V2
> >         # DB
> >         DBSource dbi:mysql:XXXXX:XXXXXX
> >         DBUsername XXXXXX
> >         DBAuth XXXXXXX
> >         # SQL
> >         AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS
> > Username, VLAN
> > FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> >         AuthColumnDef 0, Encrypted-Password, check
> >         AuthColumnDef 1, User-Name, reply
> >         AuthColumnDef 2, Tunnel-Private-Group-ID, reply
> >         AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type =
> > "1:Ether_802"
> >         # Only one session per user at a time
> >         DefaultSimultaneousUse 1
> > </AuthBy>
> > <Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
> >         UsernameCharset a-zA-Z0-9\._\@-
> >         SessionDatabase NULL
> >         AuthBy authby_MYSQL_PEAP_eu
> > </Handler>
> > <Handler Realm = /egp\.up\.pt.*/i>
> >         # Strip off the realm
> >         RewriteUsername s/^([^@]+).*/$1/
> >
> >         SessionDatabase NULL
> >
> >         MaxSessions 1
> >         <AuthBy FILE>
> >                 EAPType TTLS, PEAP, TLS
> >                 EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
> >                 EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
> >                 EAPTLS_CertificateType PEM
> >                 EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
> >                 EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
> >                 EAPTLS_MaxFragmentSize 1000
> >                 AutoMPPEKeys
> >                 SSLeayTrace 4
> >         </AuthBy>
> >         <Log SYSLOG>
> >                 Facility radius
> >         </Log>
> > </Handler>
> >
> >
> >
> >
> >
> > Snippet.... (http://forum.chupa.nl/showthread.php?t=1141&page=3)
> >
> > passwd etc_smbpasswd_with_domain {
> > filename = /opt/etc/smbpasswd
> > format = "*Stripped-User-Name:NT-Password"
> > authtype = MS-CHAP
> > hashsize = 100
> > ignorenislike = no
> > allowmultiplekeys = no
> > }
> >
> > My "smbpasswd" (far from it now) looks like this:
> > # Sample smbpasswd file.
> > # To use this, set 'encrypt passwords = yes' in the [global]-section
> > # of /etc/smb.conf
> > Tommy:NTLMPASS
> > Connie:NTLMPASS
> > PocketPC:NTLMPASS
>
> NB: I am travelling this week, so there may be delays in our correspondence.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
