[RADIATOR] Problems with UsernameMatchesWithoutRealm in AuthBy NTLM

Sami Keski-Kasari samikk at archred.com
Tue Aug 5 06:23:55 CDT 2008


Hi,

I am running Radiator 4.3.1 with the latest patches.

It seems that there are some problems with UsernameMatchesWithoutRealm 
when using AuthBy NTLM.
With the same config, PAP doesn't work but MSCHAPv2 is working fine.

Here is my config:

<Handler Realm=/^radiator\.testdomain\.fi$/>
<AuthBy NTLM>
   NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
   DefaultDomain windows
   UsernameMatchesWithoutRealm
</AuthBy>
AuthLog authlogger-syslog
AuthLog authlogger-file
</Handler>

And here is the Trace 4 output, first from the PAP case and second from the MSCHAPv2 case.
As you can see, in the first case the username is longer than in the second case.

*** Received from 127.0.0.1 port 1054 ....
Code:       Access-Request
Identifier: 24
Authentic:  i<136>Uu\<219>I<5>S/<150><170>G<172><130><234>
Attributes:
        User-Name = "luser at radiator.testdomain.fi"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234       
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = 
<15><248><231><131><193><235>k<3><180><196>v<29>_<3><13><173>

Tue Aug  5 14:09:55 2008: DEBUG: Handling request with Handler 
'Realm=/^radiator\.testdomain\.fi$/'
Tue Aug  5 14:09:55 2008: DEBUG:  Deleting session for 
luser at radiator.testdomain.fi, 203.63.154.1, 1234
Tue Aug  5 14:09:55 2008: DEBUG: Handling with Radius::AuthNTLM:
Tue Aug  5 14:09:55 2008: DEBUG: Radius::AuthNTLM looks for match with 
luser [luser at radiator.testdomain.fi]
Tue Aug  5 14:09:55 2008: INFO: Starting NtlmAuthProg: 
/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Password:: dGVzxxxyMw==
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Username:: 
bHVzZXJAcmFkaWF0b3IudGVzdGRvbWFpbi5maQ==
Tue Aug  5 14:09:55 2008: DEBUG: Received attribute: Authenticated: No
Tue Aug  5 14:09:55 2008: DEBUG: Received attribute: .
Tue Aug  5 14:09:55 2008: WARNING: NTLM Could not authenticate user:
Tue Aug  5 14:09:55 2008: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM 
Password check failed: luser [luser at radiator.testdomain.fi]
Tue Aug  5 14:09:55 2008: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM 
Password check failed
Tue Aug  5 14:09:55 2008: INFO: Access rejected for 
luser at radiator.testdomain.fi: AuthBy NTLM Password check failed
Tue Aug  5 14:09:55 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1054 ....
Code:       Access-Reject
Identifier: 24
Authentic:  <139><252><161><236><222>#<31><254>y<173><218> <214>WP<161>
Attributes:
        Reply-Message = "Request Denied"

----------------


*** Received from 127.0.0.1 port 1054 ....
Code:       Access-Request
Identifier: 30
Authentic:  
<22>Y<177><164><180><154><30>0<252><132><175><157><19><127><133><16>
Attributes:
        User-Name = "luser at radiator.testdomain.fi"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        MS-CHAP-Challenge = []|}{?/><,`!2&&(
        MS-CHAP2-Response = <1><0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0>1<247>+<23><29><196><3><230>v<229><14><138><148><5><242><215>W<128>&<170><255>"9:

Tue Aug  5 14:10:00 2008: DEBUG: Handling request with Handler 
'Realm=/^radiator\.testdomain\.fi$/'
Tue Aug  5 14:10:00 2008: DEBUG:  Deleting session for 
luser at radiator.testdomain.fi, 203.63.154.1, 1234
Tue Aug  5 14:10:00 2008: DEBUG: Handling with Radius::AuthNTLM:
Tue Aug  5 14:10:00 2008: DEBUG: Radius::AuthNTLM looks for match with 
luser [luser at radiator.testdomain.fi]
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute 
Request-User-Session-Key: Yes
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute 
Request-LanMan-Session-Key: Yes
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute LANMAN-Challenge: 
22430ef239
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Response: 
31f72b171dc403e676e50e8a9405f2d793a
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute Username:: bHVzZXI=
Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: Authenticated: Yes
Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: LANMAN-Session-Key: 
624AAC41DC1
Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: User-Session-Key: 
AA536086FF31CA736F4916
Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: .
Tue Aug  5 14:10:00 2008: DEBUG: Radius::AuthNTLM ACCEPT: : luser 
[luser at radiator.testdomain.fi]
Tue Aug  5 14:10:00 2008: DEBUG: AuthBy NTLM result: ACCEPT,
Tue Aug  5 14:10:00 2008: DEBUG: Access accepted for 
luser at radiator.testdomain.fi
Tue Aug  5 14:10:00 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1054 ....
Code:       Access-Accept
Identifier: 30
Authentic:  -1<217>A<145><184><235>c<147>d<227><224>nR<240><220>
Attributes:
        MS-CHAP2-Success = "<1>S=E1917976C7350B82D275D1932229321C203"



BR,
 Sami
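
Added example (not part of the original post and not Radiator code): a small Python audit of the Trace 4 lines above that decodes the base64 values Radiator passes to ntlm_auth and compares the Username sent with the realm-stripped name Radiator matched on. It assumes that '::' after an attribute name marks a base64-encoded value in the ntlm-server-1 helper protocol; audit_trace and its field names are hypothetical.

```python
import base64
import re

# Trace 4 lines copied from the two requests above, with mail line-wrapping undone.
SAMPLE_TRACE = """\
Tue Aug  5 14:09:55 2008: DEBUG: Radius::AuthNTLM looks for match with luser [luser at radiator.testdomain.fi]
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Username:: bHVzZXJAcmFkaWF0b3IudGVzdGRvbWFpbi5maQ==
Tue Aug  5 14:09:55 2008: DEBUG: Received attribute: Authenticated: No
Tue Aug  5 14:10:00 2008: DEBUG: Radius::AuthNTLM looks for match with luser [luser at radiator.testdomain.fi]
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute Username:: bHVzZXI=
Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: Authenticated: Yes
"""

MATCH_RE = re.compile(r"Radius::AuthNTLM looks for match with (\S+) \[")
PASS_RE = re.compile(r"Passing attribute ([\w-]+)(::?) (\S+)")
RESULT_RE = re.compile(r"Received attribute: Authenticated: (\w+)")

def audit_trace(text):
    """Return one dict per request: matched name, attributes sent, verdict."""
    requests, cur = [], None
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if m:  # a new request starts where AuthNTLM logs the matched name
            cur = {"matched": m.group(1), "sent": {}, "authenticated": None}
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = PASS_RE.search(line)
        if m:
            name, sep, value = m.groups()
            if name == "Password":
                continue  # never decode or keep the cleartext PAP password
            if sep == "::":  # assumption: '::' marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            cur["sent"][name] = value
            continue
        m = RESULT_RE.search(line)
        if m:
            cur["authenticated"] = m.group(1) == "Yes"
    for r in requests:
        # True when the helper received something other than the stripped name
        r["username_mismatch"] = r["sent"].get("Username") != r["matched"]
    return requests
```

On the sample lines, the PAP request is flagged because the Username sent to ntlm_auth still carries the realm, while the MSCHAPv2 request sends the stripped name.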


