(RADIATOR) Help setting up PEAP (with MSCHAP)
Mike McCauley
mikem at open.com.au
Wed Jun 22 05:44:23 CDT 2005
Hello Antonio,
On Wednesday 22 June 2005 19:46, António Fernandes wrote:
> Hi Mike,
>
> I already did. My first iteration was what you suggested:
> (near the end of the e-mail appears)
>
> > > AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS Username, VLAN
> > > FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> > > AuthColumnDef 0, Encrypted-Password, check
For that you would need:
AuthColumnDef 0, User-Password, check
not Encrypted-Password.
It should work fine.
>
> but it still doesn't work.
> I suspected (still do) that it has something to do with Challenge process:
>
> 1 - Access-Request
> 2 - Access-Challenge (it's "EAP TTLS Challenge")
> 3 - Access-Request (switching to "EAP PEAP")
> 4 - Access-Challenge (this time it's PEAP)
> 5 - Access-Request
> 6 - ......
Hmm, have you sent us a complete log of that?
>
>
> The strange part is that in the debug appears:
> Radius::AuthSQL ACCEPT
> but in the next line
> EAP result: 1, EAP MSCHAP-V2 Authentication failure
>
> Thank you again Mike,
>
> Antonio Fernandes
> Oporto Management School
> Oporto University
>
>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Tuesday, 21 June 2005 23:55
> To: António Fernandes
> Cc: 'Hugh Irvine'; radiator at open.com.au
> Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
>
> Hello Antonio,
>
> I think the problem is that you have specified that the SQL nthash is to be
> used as Encrypted-Password, but you have prefixed it with {nthash} as if it
> were to be used as User-Password. If the passwords have {nthash} in front,
> you should use User-Password like this:
>
> AuthColumnDef 0, User-Password, check
>
> Encrypted-Password should only be used if there is no other indication that
> the password is encrypted.
>
> Actually I would think it would be better if you had:
>
> AuthSelect SELECT NTLM,\
> CONCAT(User,'@',Domain) AS Username, VLAN FROM users where\
> CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
> AuthColumnDef 0, Encrypted-Password, check
>
> and use the NTLM hash directly?
> Your choice.
>
> Cheers.
>
> On Tuesday 21 June 2005 18:36, António Fernandes wrote:
> > Hi Hugh,
> >
> > Thanks... I've done the changes but I can't seem to get it to work.
> > Can you help me?
> >
> > Yours,
> >
> > Antonio Fernandes
> > Oporto Management School
> > Oporto University
> >
> >
> >
> >
> > <AuthBy SQL>
> > # identifier
> > Identifier authby_MYSQL_PEAP_eu
> > # No default
> > NoDefault
> > NoDefaultIfFound
> > #EAP
> > EAPType MSCHAP-V2
> > EAPTLS_PEAPVersion 0
> > # DB definition
> > DBSource dbi:mysql:EGP_Sistema:mysql.egp.up.pt
> > DBUsername XXXXXXXX
> > DBAuth XXXXXXXXX
> > # access SQL
> > AuthSelect SELECT CONCAT('{nthash}',NTLM) AS NTLM,
> > CONCAT(User,'@',Domain) AS Username, VLAN FROM users where
> > CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
> > AuthColumnDef 0, Encrypted-Password, check
> > AuthColumnDef 1, User-Name, reply
> > AuthColumnDef 2, Tunnel-Private-Group-ID, reply
> > # If no VLAN is returned, fall back to the default
> > AllowInReply Tunnel-Private-Group-ID
> > AddToReplyIfNotExist Tunnel-Private-Group-ID = "1:5"
> > AddToReply Tunnel-Type = "1:VLAN",
> > Tunnel-Medium-Type = "1:Ether_802"
> > # Only one session per user at a time
> > DefaultSimultaneousUse 1
> > </AuthBy>
> > <Handler TunnelledByPEAP=1>
> > RewriteUsername s/^([^@]+).*/$1/
> > UsernameCharset a-zA-Z0-9\._\@-
> > SessionDatabase NULL
> > AuthByPolicy ContinueUntilAccept
> > AuthBy authby_MYSQL_PEAP_eu
> > # <AuthBy FILE>
> > # RewriteUsername s/^([^@]+).*/$1/
> > # Filename /etc/radiator/users_OK
> > # EAPType MSCHAP-V2
> > # AddToReply User-Name=%u
> > # </AuthBy>
> > AuthLog log_LocalUsers
> > </Handler>
> > <Handler Realm = /egp\.up\.pt.*/i>
> > # Strip off the realm
> > RewriteUsername s/^([^@]+).*/$1/
> > SessionDatabase NULL
> > MaxSessions 1
> > AuthByPolicy ContinueUntilAccept
> > <AuthBy FILE>
> > EAPType TTLS, PEAP, TLS
> > EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
> > EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
> > EAPTLS_CertificateType PEM
> > EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
> > EAPTLS_PrivateKeyPassword XXXXXXXXXX
> > EAPTLS_MaxFragmentSize 1000
> > AutoMPPEKeys
> > SSLeayTrace 4
> > </AuthBy>
> > <Log SYSLOG>
> > Facility radius
> > </Log>
> > </Handler>
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Saturday, 18 June 2005 15:06
> > To: António Fernandes
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
> >
> >
> > Hello Antonio -
> >
> > Radiator supports NT hash passwords with a prefix of "{nthash}".
> >
> > See section 13.1.1 in the Radiator 3.13 reference manual ("doc/
> > ref.html").
> >
> > regards
> >
> > Hugh
> >
> > On 18 Jun 2005, at 19:46, António Fernandes wrote:
> > > I'm currently using Radiator for wireless authentication (EAP-TTLS) using
> > > SecureW2 in WinXP SP2. Since the beginning I would also like to add PEAP
> > > using MSCHAP. The problem with MSCHAP comes with the need for clear text
> > > passwords. Recently I came across a FreeRadius implementation that
> > > allows doing MSCHAP authentication using NTLM style passwords (NT/LM
> > > hashes). I understand that NTLM hashes are reversible and if so, it should
> > > work also with Radiator?
> > >
> > > Is this possible with Radiator? I tried to get passwords from the MySQL with
> > > no success. When the password is in plain text it works fine but when I
> > > change it to NTLM it rejects...
> > >
> > > Any ideas?
> > >
> > >
> > > Yours,
> > >
> > > Antonio Fernandes
> > > Oporto Management School
> > > Oporto University
> > >
> > >
> > >
> > >
> > > Config:
> > > <AuthBy SQL>
> > > #identifier
> > > Identifier authby_MYSQL_PEAP_eu
> > > # No default
> > > NoDefault
> > > NoDefaultIfFound
> > > #EAP
> > > EAPType MSCHAP-V2
> > > # DB
> > > DBSource dbi:mysql:XXXXX:XXXXXX
> > > DBUsername XXXXXX
> > > DBAuth XXXXXXX
> > > # SQL
> > > AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS Username, VLAN
> > > FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> > > AuthColumnDef 0, Encrypted-Password, check
> > > AuthColumnDef 1, User-Name, reply
> > > AuthColumnDef 2, Tunnel-Private-Group-ID, reply
> > > AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type =
> > > "1:Ether_802"
> > > # Only one session per user at a time
> > > DefaultSimultaneousUse 1
> > > </AuthBy>
> > > <Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
> > > UsernameCharset a-zA-Z0-9\._\@-
> > > SessionDatabase NULL
> > > AuthBy authby_MYSQL_PEAP_eu
> > > </Handler>
> > > <Handler Realm = /egp\.up\.pt.*/i>
> > > # Strip off the realm
> > > RewriteUsername s/^([^@]+).*/$1/
> > >
> > > SessionDatabase NULL
> > >
> > > MaxSessions 1
> > > <AuthBy FILE>
> > > EAPType TTLS, PEAP, TLS
> > > EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
> > > EAPTLS_CertificateFile /etc/radiator/certEGP/radiator.pem
> > > EAPTLS_CertificateType PEM
> > > EAPTLS_PrivateKeyFile /etc/radiator/certEGP/radiator.pem
> > > EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
> > > EAPTLS_MaxFragmentSize 1000
> > > AutoMPPEKeys
> > > SSLeayTrace 4
> > > </AuthBy>
> > > <Log SYSLOG>
> > > Facility radius
> > > </Log>
> > > </Handler>
> > >
> > >
> > >
> > >
> > >
> > > Snippet.... (http://forum.chupa.nl/showthread.php?t=1141&page=3)
> > >
> > > passwd etc_smbpasswd_with_domain {
> > > filename = /opt/etc/smbpasswd
> > > format = "*Stripped-User-Name:NT-Password"
> > > authtype = MS-CHAP
> > > hashsize = 100
> > > ignorenislike = no
> > > allowmultiplekeys = no
> > > }
> > >
> > > My "smbpasswd" (far from it now) looks like this:
> > > # Sample smbpasswd file.
> > > # To use this, set 'encrypt passwords = yes' in the [global]-section
> > > # of /etc/smb.conf
> > > Tommy:NTLMPASS
> > > Connie:NTLMPASS
> > > PocketPC:NTLMPASS
> >
> > NB: I am travelling this week, so there may be delays in our
> > correspondence.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.