(RADIATOR) Help setting up PEAP (with MSCHAP)

António Fernandes afernandes at egp.up.pt
Thu Jun 23 07:15:35 CDT 2005


Hi Mike,

IT WORKED :)


Now something happens in log_LocalUsers:

Thu Jun 23 13:09:07 2005:Access-Request from anonymous at 192.168.1.231:OK

It should appear something like a0203003 at egp.up.pt (or, at least, a0203003).
I've tried with TTLS and it works fine..


Thank you,

Antonio Fernandes
Oporto Management School
Oporto University



-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: quinta-feira, 23 de Junho de 2005 11:00
To: António Fernandes
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)

Hello Antonio,

I think I may have told you the wrong thing at some stage. If so Im sorry.

I have just tested this here as the inner handler:

<Handler TunnelledByPEAP=1>
    <AuthBy SQL>
	# Adjust DBSource, DBUsername, DBAuth to suit your DB

	DBSource	dbi:mysql:radius
	DBUsername	mikem
	DBAuth		fred

	EAPType MSCHAP-V2

	AuthSelect SELECT CONCAT('{nthash}',PASSWORD) AS PASSWORD FROM
SUBSCRIBERS 
where USERNAME=%0
	AuthColumnDef 0, User-Password, check
    </AuthBy>
</Handler>

where the users record is 

+----------+----------------------------------+-------------------+---------
-------------------+--------------------------------------------------------
----------------------------------+----------+
| USERNAME | PASSWORD                         | ENCRYPTEDPASSWORD |
CHECKATTR                  
| REPLYATTR

| TIMELEFT |
+----------+----------------------------------+-------------------+---------
-------------------+--------------------------------------------------------
----------------------------------+----------+
| mikem    | DCB8E94AC7D0AADC8A81D9C895ACE5F4 | 1xMKc0GIVUNbE     | 
Service-Type = Framed-User | Framed-Protocol = PPP,Framed-IP-Netmask = 
255.255.255.0,cisco-avpair = "testing testing" |      100 |

(DCB8E94AC7D0AADC8A81D9C895ACE5F4 is the nthash of 'fred')
and this works fine for me.

You should use:
         AuthSelect SELECT CONCAT('{nthash}',NTLM) AS NTLM,\
 CONCAT(User,'@',Domain) AS Username, VLAN FROM users where\
 CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
         AuthColumnDef 0, User-Password, check

in your inner handler.

BTW, I suspect that your select query wil be very slow as it has to do an 
exact match on a synthesized column.


Cheers.

On Thursday 23 June 2005 18:49, António Fernandes wrote:
> Hi Mike,
>
> I'm sending as attachment.
>
>
> Yours,
>
> Antonio Fernandes
> Oporto Management School
> Oporto University
>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: quarta-feira, 22 de Junho de 2005 23:13
> To: António Fernandes
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
>
> Hello António,
>
> On Wednesday 22 June 2005 23:52, António Fernandes wrote:
> > I'm very sorry for not seeing the difference :)
> >
> > I've changed like you said (AuthColumnDef 0, User-Password, check) and
>
> also
>
> > changed the <Handler Realm = /egp\.up\.pt.*/i>
> > replacing
> > 	EAPType TTLS, PEAP, TLS
> > with
> > 	EAPType PEAP, TTLS, TLS
> > speeding Requests/Replies.
> >
> >
> > It still performs as previously:
> > Wed Jun 22 12:27:38 2005: DEBUG: Radius::AuthSQL ACCEPT:
> > Wed Jun 22 12:27:38 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
> > Authentication failure
>
> I think its now time for you to send us a complete level 4 log file and
> complete current configuration file.
>
> Cheers.
>
> > Yours,
> >
> > Antonio Fernandes
> > Oporto Management School
> > Oporto University
> >
> >
> >
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: quarta-feira, 22 de Junho de 2005 11:44
> > To: António Fernandes
> > Cc: 'Hugh Irvine'; radiator at open.com.au
> > Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
> >
> > Hello Antonio,
> >
> > On Wednesday 22 June 2005 19:46, António Fernandes wrote:
> > > Hi Mike,
> > >
> > > I already did. My first iteration was what you suggested:
> > > (near the end of the e-mail appears)
> > >
> > > > >         AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS
> > > > > Username, VLAN
> > > > > FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> > > > >         AuthColumnDef 0, Encrypted-Password, check
> >
> > For that you would need:
> > AuthColumnDef 0, User-Password, check
> >
> > not Encrypted-Password.
> > It should work fine.
> >
> > > but it still doesn't work.
> > > I suspected (still do) that it has something to do with Challenge
> > > process:
> > >
> > > 1 - Access-Request
> > > 2 - Access-Challenge (it's "EAP TTLS Challenge")
> > > 3 - Access-Request (switching to "EAP PEAP")
> > > 4 - Access-Challenge (this time it's PEAP)
> > > 5 - Access-Request
> > > 6 - ......
> >
> > Hmm, have you sent us a complete log of that?
> >
> > > The strange part is that in the debug appears:
> > > 	Radius::AuthSQL ACCEPT
> > > but in the next line
> > > 	EAP result: 1, EAP MSCHAP-V2 Authentication failure
> > >
> > > Thank you again Mike,
> > >
> > > Antonio Fernandes
> > > Oporto Management School
> > > Oporto University
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > Sent: terça-feira, 21 de Junho de 2005 23:55
> > > To: António Fernandes
> > > Cc: 'Hugh Irvine'; radiator at open.com.au
> > > Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
> > >
> > > Hello Antonio,
> > >
> > > I think the problem is that you have specified that the SQL nthash is
> > > to
> >
> > be
> >
> > > used as Encrypted-Password, but you have prefixed it with {nthash} as
> > > if
> >
> > it
> >
> > > were to be used as User-Password. If the passwords have {nthash} in
> > > front, you should use User-Password like this:
> > >
> > >          AuthColumnDef 0, User-Password, check
> > >
> > > Encryted-Pasword should only be used if there is no other indication
>
> that
>
> > > the
> > > password is encrypted.
> > >
> > > Actually I would think it would be better if you had:
> > >
> > >          AuthSelect SELECT NTLM,\
> > >  CONCAT(User,'@',Domain) AS Username, VLAN FROM users where\
> > >  CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
> > >          AuthColumnDef 0, Encrypted-Password, check
> > >
> > > and use the NTLM hash directly?
> > > Your choice.
> > >
> > > Cheers.
> > >
> > > On Tuesday 21 June 2005 18:36, António Fernandes wrote:
> > > > Hi Hugh,
> > > >
> > > > Thanks... I've done the changes but I can't seem to get it to work.
> > > > Can you help me?
> > > >
> > > > Yours,
> > > >
> > > > Antonio Fernandes
> > > > Oporto Management School
> > > > Oporto University
> > > >
> > > >
> > > >
> > > >
> > > > <AuthBy SQL>
> > > >         #identificador
> > > >         Identifier authby_MYSQL_PEAP_eu
> > > >         # No default
> > > >         NoDefault
> > > >         NoDefaultIfFound
> > > >         #EAP
> > > >         EAPType MSCHAP-V2
> > > >         EAPTLS_PEAPVersion 0
> > > >         # Definicao da BD
> > > >         DBSource dbi:mysql:EGP_Sistema:mysql.egp.up.pt
> > > >         DBUsername XXXXXXXX
> > > >         DBAuth XXXXXXXXX
> > > >         #SQL de acesso
> > > >         AuthSelect SELECT CONCAT('{nthash}',NTLM) AS NTLM,
> > > > CONCAT(User,'@',Domain) AS Username, VLAN FROM users where
> > > > CONCAT(User,'@',Domain)='%n' AND AccWiFi='1'
> > > >         AuthColumnDef 0, Encrypted-Password, check
> > > >         AuthColumnDef 1, User-Name, reply
> > > >         AuthColumnDef 2, Tunnel-Private-Group-ID, reply
> > > >         # Se nao tiver VLAN retorna para default
> > > >         AllowInReply            Tunnel-Private-Group-ID
> > > >         AddToReplyIfNotExist    Tunnel-Private-Group-ID = "1:5"
> > > >         AddToReply              Tunnel-Type = "1:VLAN",
> > > > Tunnel-Medium-Type = "1:Ether_802"
> > > >         # Only one session per user at a time
> > > >         DefaultSimultaneousUse 1
> > > > </AuthBy>
> > > > <Handler TunnelledByPEAP=1>
> > > >         RewriteUsername s/^([^@]+).*/$1/
> > > >         UsernameCharset a-zA-Z0-9\._\@-
> > > >         SessionDatabase NULL
> > > >         AuthByPolicy ContinueUntilAccept
> > > >         AuthBy authby_MYSQL_PEAP_eu
> > > > #       <AuthBy FILE>
> > > > #               RewriteUsername s/^([^@]+).*/$1/
> > > > #               Filename /etc/radiator/users_OK
> > > > #               EAPType MSCHAP-V2
> > > > #               AddToReply User-Name=%u
> > > > #       </AuthBy>
> > > >         AuthLog log_LocalUsers
> > > > </Handler>
> > > > <Handler Realm = /egp\.up\.pt.*/i>
> > > >         # Stripoff de realm
> > > >         RewriteUsername s/^([^@]+).*/$1/
> > > >         SessionDatabase NULL
> > > >         MaxSessions 1
> > > >         AuthByPolicy ContinueUntilAccept
> > > >         <AuthBy FILE>
> > > >                 EAPType TTLS, PEAP, TLS
> > > >                 EAPTLS_CAFile /etc/radiator/certEGP/EGP-ROOT-CA.crt
> > > >                 EAPTLS_CertificateFile
> >
> > /etc/radiator/certEGP/radiator.pem
> >
> > > >                 EAPTLS_CertificateType PEM
> > > >                 EAPTLS_PrivateKeyFile
> > > > /etc/radiator/certEGP/radiator.pem EAPTLS_PrivateKeyPassword
>
> XXXXXXXXXX
>
> > > >                 EAPTLS_MaxFragmentSize 1000
> > > >                 AutoMPPEKeys
> > > >                 SSLeayTrace 4
> > > >         </AuthBy>
> > > >         <Log SYSLOG>
> > > >                 Facility radius
> > > >         </Log>
> > > > </Handler>
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > > Sent: sábado, 18 de Junho de 2005 15:06
> > > > To: António Fernandes
> > > > Cc: radiator at open.com.au
> > > > Subject: Re: (RADIATOR) Help setting up PEAP (with MSCHAP)
> > > >
> > > >
> > > > Hello Antonio -
> > > >
> > > > Radiator supports NT hash passwords with a prefix of "{nthash}".
> > > >
> > > > See section 13.1.1 in the Radiator 3.13 reference manual ("doc/
> > > > ref.html").
> > > >
> > > > regards
> > > >
> > > > Hugh
> > > >
> > > > On 18 Jun 2005, at 19:46, António Fernandes wrote:
> > > > > I'm currently using Radiator for wireless authentication
(EAP-TTLS)
> > > > > using
> > > > > SecureW2 in WinXP SP2. Since the beginning I would also like to
add
> > > > > PEAP
> > > > > using MSCHAP. The problem with MSCHAP comes with the need of clear
> > > > > text
> > > > > passwords. Recently I've came across with a FreeRadius
> > > > > implementation that
> > > > > allows to do MSCHAP authentication using NTLM style passwords
> > > > > (NT/LM hashes). I understand that NTLM are reversible and if so,
it
> > > > > should work
> > > > > also with Radiator?
> > > > >
> > > > > Is this possible with Radiator? I tried to get passwords from the
> > > > > MySQL with
> > > > > no success. When the password is in plain text it works fine but
> > > > > when I
> > > > > change it to NTLM it rejects...
> > > > >
> > > > > Any ideas?
> > > > >
> > > > >
> > > > > Yours,
> > > > >
> > > > > Antonio Fernandes
> > > > > Oporto Management School
> > > > > Oporto University
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Config:
> > > > > <AuthBy SQL>
> > > > >         #identifier
> > > > >         Identifier authby_MYSQL_PEAP_eu
> > > > >         # No default
> > > > >         NoDefault
> > > > >         NoDefaultIfFound
> > > > >         #EAP
> > > > >         EAPType MSCHAP-V2
> > > > >         # DB
> > > > >         DBSource dbi:mysql:XXXXX:XXXXXX
> > > > >         DBUsername XXXXXX
> > > > >         DBAuth XXXXXXX
> > > > >         # SQL
> > > > >         AuthSelect SELECT NTLM, CONCAT(User,'@',Domain) AS
> > > > > Username, VLAN
> > > > > FROM users WHERE CONCAT(User,'@',Domain) = '%n' AND AccWiFi='1'
> > > > >         AuthColumnDef 0, Encrypted-Password, check
> > > > >         AuthColumnDef 1, User-Name, reply
> > > > >         AuthColumnDef 2, Tunnel-Private-Group-ID, reply
> > > > >         AddToReply Tunnel-Type = "1:VLAN", Tunnel-Medium-Type =
> > > > > "1:Ether_802"
> > > > >         # Only one session per user at a time
> > > > >         DefaultSimultaneousUse 1
> > > > > </AuthBy>
> > > > > <Handler TunnelledByPEAP=1, Client-Identifier=LocaL>
> > > > >         UsernameCharset a-zA-Z0-9\._\@-
> > > > >         SessionDatabase NULL
> > > > >         AuthBy authby_MYSQL_PEAP_eu
> > > > > </Handler>
> > > > > <Handler Realm = /egp\.up\.pt.*/i>
> > > > >         # Stripoff de realm
> > > > >         RewriteUsername s/^([^@]+).*/$1/
> > > > >
> > > > >         SessionDatabase NULL
> > > > >
> > > > >         MaxSessions 1
> > > > >         <AuthBy FILE>
> > > > >                 EAPType TTLS, PEAP, TLS
> > > > >                 EAPTLS_CAFile
/etc/radiator/certEGP/EGP-ROOT-CA.crt
> > > > >                 EAPTLS_CertificateFile /etc/radiator/certEGP/
> > > > > radiator.pem
> > > > >                 EAPTLS_CertificateType PEM
> > > > >                 EAPTLS_PrivateKeyFile /etc/radiator/certEGP/
> > > > > radiator.pem
> > > > >                 EAPTLS_PrivateKeyPassword XXXXXXXXXXXX
> > > > >                 EAPTLS_MaxFragmentSize 1000
> > > > >                 AutoMPPEKeys
> > > > >                 SSLeayTrace 4
> > > > >         </AuthBy>
> > > > >         <Log SYSLOG>
> > > > >                 Facility radius
> > > > >         </Log>
> > > > > </Handler>
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Snipet.... (http://forum.chupa.nl/showthread.php?t=1141&page=3)
> > > > >
> > > > > passwd etc_smbpasswd_with_domain {
> > > > > filename = /opt/etc/smbpasswd
> > > > > format = "*Stripped-User-Name:NT-Password"
> > > > > authtype = MS-CHAP
> > > > > hashsize = 100
> > > > > ignorenislike = no
> > > > > allowmultiplekeys = no
> > > > > }
> > > > >
> > > > > My "smbpasswd" (far from it now) looks like this:
> > > > > # Sample smbpasswd file.
> > > > > # To use this, set 'encrypt passwords = yes' in the
> > > > > [global]-section # of /etc/smb.conf
> > > > > Tommy:NTLMPASS
> > > > > Connie:NTLMPASS
> > > > > PocketPC:NTLMPASS
> > > >
> > > > NB: I am travelling this week, so there may be delays in our
> > > > correspondence.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list