(RADIATOR) rewriteusername and mschapv2
Nacho Paredes
iparedes at eurocomercial.es
Fri Jun 16 09:23:31 CDT 2006
Hello!
This has been previously discussed in the list:
http://www.open.com.au/archives/radiator/2004-04/msg00060.html
You cannot use MSCHAPv2 and rewrite the username. MSCHAPv2 uses the full
username string (as the user configures it in his supplicant) to calculate
the challenge. If you rewrite the username, the challenge calculated in the
RADIUS server will be different and will not match.
Regards
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On behalf
of José María Fernández
Sent: Friday, 16 June 2006 13:33
To: radiator at open.com.au
Subject: (RADIATOR) rewriteusername and mschapv2
Hi from University of Oviedo,
Until now we have been authenticating with the default handler, using the
following sequence:
AuthBy LDAP (to retrieve user attributes)
AuthBy LSA (to authenticate the user)
We are supporting EAP-TTLS and EAP-PEAP with MSCHAP-V2.
Now we have to provide services to some different realms, but when we try
to rewrite the username John@uniovi.es to John (removing the realm), we
cannot validate the user with MSCHAPV2. Any suggestions?
Thanks in advance,
Jose Maria Fernandez
Servicio de Informatica
Universidad de Oviedo
Our radius.cfg looks like this:
______________________________________________________________________________
# $Id: radius.cfg,v 1.3 2005/06/20 20:00:10 chema Exp $
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
# Use a lower trace level in production systems:
Trace 4
<Client DEFAULT>
Secret XXXXXXXXXXXXXXXX
DupInterval 0
IgnoreAcctSignature
</Client>
<SessionDatabase SQL>
Identifier SQLSession
DBSource dbi:mysql:radius
DBUsername XXXXXXXXXXXXXXX
DBAuth XXXXXXXXXXXX
</SessionDatabase>
<AuthBy SQL>
Identifier SQLAccounting
DBSource dbi:mysql:radius
DBUsername XXXXXXXXXXXXXXX
DBAuth XXXXXXXXXXXX
# Empty clause so that this AuthBy does not authenticate (accounting only)
AuthSelect
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctFailedLogFileName c:/Program Files/Radiator/missedaccounting
SQLRecoveryFile c:/Program Files/Radiator/missedaccounting
</AuthBy>
<AuthBy LSA>
Identifier LSAAuthentication
# IgnoreAccounting
DefaultSimultaneousUse 1
EAPType PEAP, TTLS
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 1
EAPAnonymous %U
</AuthBy>
<AuthBy LSA>
Identifier LSAInner
NoEAP
</AuthBy>
<AuthBy LSA>
Identifier LSAInnerPEAP
RewriteUsername s/(.*)\\(.*)/$2/
RewriteUsername s/^([^@]+).*/$1/
EAPType MSCHAP-V2
</AuthBy>
<AuthBy LDAP2>
Identifier LDAPAttributes
Host localhost
AuthDN cn=Administrador,cn=XXXXXX,dc=XXXXXXXX,dc=uniovi,dc=es
AuthPassword XXXXXXXXXX
BaseDN dc=XXXXXXXXX,dc=uniovi,dc=es
UsernameAttr sAMAccountName
NoCheckPassword
AuthAttrDef UOPerfil,Class,reply
# Debug 255
Version 3
NoEAP
</AuthBy>
<AuthBy FILE>
Identifier fichero
Filename c:/Program Files/Radiator/usuario
</AuthBy>
#<StatsLog FILE>
# Interval 2
# Filename -
# Format %0:%1:%2:%23:%6:%3:%5
# Header
#</StatsLog>
<Monitor>
# Specifies the TCP port to use. Defaults to 9048
#Port 7777
#Port %{GlobalVar:monitorport}
BindAddress XXXXXXXXXXXXX, 127.0.0.1
Username XXXXXXX
Password XXXXXXX
# IF you set TraceOnly, connections through this Monitor are
# prevented from getting statistics, or getting or setting
# configuration data, or restarting the server
# TraceOnly
# Clients let you specify which clients you will accept connects from
# You can specify one or more comma or space separated IP addresses
Clients XXXXXXXXXXXXXXXXXXXXXXXXXX
</Monitor>
<Handler TunnelledByPEAP=1>
AuthByPolicy ContinueWhileAccept
AuthBy LDAPAttributes
AuthBy LSAInnerPEAP
AuthBy fichero
</Handler>
<Handler TunnelledByTTLS=1>
AuthByPolicy ContinueWhileAccept
AuthBy LDAPAttributes
AuthBy LSAInner
AuthBy fichero
PostProcessingHook file:"c:/Program Files/Radiator/eap_acct_username.pl"
</Handler>
<Handler>
AuthByPolicy ContinueAlways
RewriteUsername s/(.*)\\(.*)/$2/
RewriteUsername s/^([^@]+).*/$1/
AcctLogFileName %L/accounting_%h_%Y%m
AuthBy SQLAccounting
AuthBy LSAAuthentication
SessionDatabase SQLSession
# PostProcessingHook file:"c:/Program Files/Radiator/eap_acct_username.pl"
</Handler>
<Realm uniovi.es>
AuthByPolicy ContinueAlways
AcctLogFileName %L/accounting_%h_%Y%m
AuthBy SQLAccounting
AuthBy LSAAuthentication
SessionDatabase SQLSession
# PostProcessingHook file:"c:/Program Files/Radiator/eap_acct_username.pl"
</Realm>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au To unsubscribe, email
'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the
message.