(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment

Mike McCauley mikem at open.com.au
Tue Sep 27 23:29:09 CDT 2005


Hello Virgil,

I'm not entirely sure this plan will work. MSCHAPV2 authentication uses the 
user name as part of the password hashing and checking, so changing the 
username and then checking the MSCHAPV2 hashed password will probably fail.

Cheers.

On Wednesday 28 September 2005 12:41, Virgil wrote:
> On 14/9/05 9:37 PM, "Mike McCauley" <mikem at open.com.au> wrote:
>
> Mike, and others,
>
> >> Will AuthBy LSA work with userPrincipalName ?
> >
> > AuthBy LSA uses the Windows LogonUserNetworkMSCHAP function, which will
> > authenticate the user in the same way as a standard Windows user logon.
> > You may need to rewrite the user name into DOMAIN\user format?
>
> My problem is that the "user" part of "DOMAIN\user" has no correlation to
> the "user" part of "user at domain.name", except in the LDAP tree.  The
> current plan is to use a PreAuthHook to convert a supplied user at domain.name
> User-Name into a NT4/LSA username via an LDAP lookup.
>
> Can anyone give me some help with the PreAuthHook code?
>
> <AuthBy LDAP2>
>     Identifier              LDAP-PEAP
>     EAPType                 PEAP
>     EAPAnonymous            %0
>
>     ...
>     ServerChecksPassword
>     UsernameAttr            userPrincipalName
>     AuthAttrDef     extensionAttribute13,Tunnel-Private-Group-ID,reply
>     ...
>
> </AuthBy>
>
>
> <Handler TunnelledByPEAP=1>
> # PEAP inner request
>     <AuthBy LSA>
>         EAPType             MSCHAP-V2
>         Domain              DOMAINNAME # "NT4" domain name for AD
>
>         #LDAP lookup to select sAMAccountName
>         #that matches userPrincipalName for supplied "User-Name"
>         PreAuthHook         %D/upn2sam.pl
>
>         #LDAP lookup to select extensionAttribute13
>         #that matches userPrincipalName for supplied "User-Name"
>         PostAuthHook        %D/ldapvlan.pl
>
>     </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Type=Ethernet, Service-Type=Framed-User>
> #dot1x auth on switches
>     AuthBy                  LDAP-PEAP
>
>     AddToReplyIfNotExist    Tunnel-Type = VLAN,\
>                             Tunnel-Medium-Type = Ether_802
>
>     RejectHasReason
>     AcctLogFileName         %L/detail
> </Handler>
>
>
>
> Regards
> Virgil

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
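As an added illustration of the hashing step Mike refers to (this is not code from the thread or from Radiator): RFC 2759's ChallengeHash() feeds the user name, exactly as the peer presented it, into SHA-1 together with both challenges, and the server must recompute it with the identical name before it can verify the NT-Response. The PEER/AUTH challenge bytes below are constructed; the known-answer vector is the one from RFC 2759 section 9.2.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    Returns the 8-byte challenge that is later DES-encrypted under the NT
    password hash to produce the 24-byte NT-Response.  Per the RFC only a
    prepended 'DOMAIN\\' prefix is excluded from the hash; the realm part of
    'user@realm' is kept, so it changes the result.
    """
    name = user_name.rsplit("\\", 1)[-1]
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(name.encode("ascii"))
    return sha.digest()[:8]


def rfc2759_known_answer_ok() -> bool:
    """Known-answer check against the test vector in RFC 2759 section 9.2."""
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    return challenge_hash(peer, auth, "User") == bytes.fromhex("D02E4386BCE91226")


def server_can_verify(client_name: str, server_name: str, peer: bytes, auth: bytes) -> bool:
    """True only if the name the server hashes yields the same 8-byte challenge
    the peer used; otherwise the NT-Response cannot match even when the
    password is correct, which is the failure Mike predicts."""
    return challenge_hash(peer, auth, client_name) == challenge_hash(peer, auth, server_name)


# Constructed challenge values for the demonstration below (not real traffic).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

if __name__ == "__main__":
    print("RFC 2759 vector reproduced:", rfc2759_known_answer_ok())
    # Rewriting user@domain.name to the sAMAccountName before the check breaks it.
    print("UPN rewritten to sAMAccountName:", server_can_verify("user@domain.name", "user", PEER, AUTH))
    # A DOMAIN\ prefix is harmless because the RFC excludes it on both sides.
    print("DOMAIN\\user vs user:", server_can_verify("DOMAIN\\user", "user", PEER, AUTH))
```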
