[RADIATOR] Problems with UsernameMatchesWithoutRealm in AuthBy NTLM

Mike McCauley mikem at open.com.au
Tue Aug 5 17:25:36 CDT 2008


Hello Sami,

thanks for reporting this. It has now been fixed in the latest patch set.
Cheers.

On Tuesday 05 August 2008 21:23, Sami Keski-Kasari wrote:
> Hi,
>
> I am running radiator 4.3.1 with latest patches.
>
> It seems that there are some problems with UsernameMatchesWithoutRealm
> when using AuthBy NTLM.
> With the same config PAP doesn't work, but MSCHAPv2 is working fine.
>
> Here is my config:
>
> <Handler Realm=/^radiator\.testdomain\.fi$/>
> <AuthBy NTLM>
>    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>    DefaultDomain windows
>    UsernameMatchesWithoutRealm
> </AuthBy>
> AuthLog authlogger-syslog
> AuthLog authlogger-file
> </Handler>
>
> And here is Trace 4 first from PAP case and second from MSCHAPv2 case:
> As you can see, in the first case the username is longer than in the second case.
>
> *** Received from 127.0.0.1 port 1054 ....
> Code:       Access-Request
> Identifier: 24
> Authentic:  i<136>Uu\<219>I<5>S/<150><170>G<172><130><234>
> Attributes:
>         User-Name = "luser at radiator.testdomain.fi"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> <15><248><231><131><193><235>k<3><180><196>v<29>_<3><13><173>
>
> Tue Aug  5 14:09:55 2008: DEBUG: Handling request with Handler
> 'Realm=/^radiator\.testdomain\.fi$/'
> Tue Aug  5 14:09:55 2008: DEBUG:  Deleting session for
> luser at radiator.testdomain.fi, 203.63.154.1, 1234
> Tue Aug  5 14:09:55 2008: DEBUG: Handling with Radius::AuthNTLM:
> Tue Aug  5 14:09:55 2008: DEBUG: Radius::AuthNTLM looks for match with
> luser [luser at radiator.testdomain.fi]
> Tue Aug  5 14:09:55 2008: INFO: Starting NtlmAuthProg:
> /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Password:: dGVzxxxyMw==
> Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
> Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Username::
> bHVzZXJAcmFkaWF0b3IudGVzdGRvbWFpbi5maQ==
> Tue Aug  5 14:09:55 2008: DEBUG: Received attribute: Authenticated: No
> Tue Aug  5 14:09:55 2008: DEBUG: Received attribute: .
> Tue Aug  5 14:09:55 2008: WARNING: NTLM Could not authenticate user:
> Tue Aug  5 14:09:55 2008: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM
> Password check failed: luser [luser at radiator.testdomain.fi]
> Tue Aug  5 14:09:55 2008: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM
> Password check failed
> Tue Aug  5 14:09:55 2008: INFO: Access rejected for
> luser at radiator.testdomain.fi: AuthBy NTLM Password check failed
> Tue Aug  5 14:09:55 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1054 ....
> Code:       Access-Reject
> Identifier: 30
> Authentic:  <139><252><161><236><222>#<31><254>y<173><218><214>WP<161>
> Attributes:
>         Reply-Message = "Request Denied"
>
> ----------------
>
>
> *** Received from 127.0.0.1 port 1054 ....
> Code:       Access-Request
> Identifier: 30
> Authentic:
> <22>Y<177><164><180><154><30>0<252><132><175><157><19><127><133><16>
> Attributes:
>         User-Name = "luser at radiator.testdomain.fi"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         MS-CHAP-Challenge = []|}{?/><,`!2&&(
>         MS-CHAP2-Response =
> <1><0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0>1<247>+<23><29><196><3><230>v
><229><14><138
>
>  ><148><5><242><215>W<128>&<170><255>"9:
>
> Tue Aug  5 14:10:00 2008: DEBUG: Handling request with Handler
> 'Realm=/^radiator\.testdomain\.fi$/'
> Tue Aug  5 14:10:00 2008: DEBUG:  Deleting session for
> luser at radiator.testdomain.fi, 203.63.154.1, 1234
> Tue Aug  5 14:10:00 2008: DEBUG: Handling with Radius::AuthNTLM:
> Tue Aug  5 14:10:00 2008: DEBUG: Radius::AuthNTLM looks for match with
> luser [luser at radiator.testdomain.fi]
> Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute
> Request-User-Session-Key: Yes
> Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute
> Request-LanMan-Session-Key: Yes
> Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute LANMAN-Challenge:
> 22430ef239
> Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Response:
> 31f72b171dc403e676e50e8a9405f2d793a
> Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
> Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute Username:: bHVzZXI=
> Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: Authenticated: Yes
> Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: LANMAN-Session-Key:
> 624AAC41DC1
> Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: User-Session-Key:
> AA536086FF31CA736F4916
> Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: .
> Tue Aug  5 14:10:00 2008: DEBUG: Radius::AuthNTLM ACCEPT: : luser
> [luser at radiator.testdomain.fi]
> Tue Aug  5 14:10:00 2008: DEBUG: AuthBy NTLM result: ACCEPT,
> Tue Aug  5 14:10:00 2008: DEBUG: Access accepted for
> luser at radiator.testdomain.fi
> Tue Aug  5 14:10:00 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1054 ....
> Code:       Access-Accept
> Identifier: 30
> Authentic:  -1<217>A<145><184><235>c<147>d<227><224>nR<240><220>
> Attributes:
>         MS-CHAP2-Success = "<1>S=E1917976C7350B82D275D1932229321C203"
>
>
>
> BR,
>  Sami
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco etc 
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
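The traces above show the cause of the mismatch in a single attribute: the `Username::` value that AuthBy NTLM hands to `ntlm_auth` is base64 of `luser@radiator.testdomain.fi` in the PAP case but base64 of `luser` in the MSCHAPv2 case, so only the second one honours UsernameMatchesWithoutRealm. The following is an added example, not Radiator's code and not part of this thread. It takes the "Passing attribute" lines from the two Trace 4 excerpts (constructed here from the report, with the mail-wrapped lines rejoined), decodes them according to the ntlm-server-1 helper convention (a single colon carries a literal value, a double colon a base64-encoded one), and checks whether the username passed to the helper is the realm-stripped form of the RADIUS User-Name. The regular expression, the `<redacted>` marker for the Password attribute and the function names are this example's own assumptions.

```python
import base64
import re

# Constructed sample: the "Passing attribute" / "Received attribute" lines from
# the PAP trace in the report, rejoined onto single lines.
PAP_TRACE = """\
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Password:: dGVzxxxyMw==
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
Tue Aug  5 14:09:55 2008: DEBUG: Passing attribute Username:: bHVzZXJAcmFkaWF0b3IudGVzdGRvbWFpbi5maQ==
Tue Aug  5 14:09:55 2008: DEBUG: Received attribute: Authenticated: No
"""

# Constructed sample: the same lines from the MSCHAPv2 trace in the report.
MSCHAP_TRACE = """\
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute LANMAN-Challenge: 22430ef239
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Response: 31f72b171dc403e676e50e8a9405f2d793a
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute NT-Domain:: d2luZG93cw==
Tue Aug  5 14:10:00 2008: DEBUG: Passing attribute Username:: bHVzZXI=
Tue Aug  5 14:10:00 2008: DEBUG: Received attribute: Authenticated: Yes
"""

# ntlm-server-1 helper protocol: "Name: value" is a literal value,
# "Name:: value" is base64-encoded. The regex is this example's assumption
# about the shape of Radiator's "Passing attribute" debug line.
PASSING_RE = re.compile(
    r"Passing attribute (?P<name>[\w-]+)(?P<enc>::?) (?P<value>\S+)$"
)

# Attributes whose value must never be decoded or written anywhere.
SECRET_ATTRS = {"Password"}


def parse_passed_attributes(trace: str) -> dict:
    """Return {attribute: decoded value} for every attribute passed to ntlm_auth."""
    attrs = {}
    for line in trace.splitlines():
        m = PASSING_RE.search(line)
        if not m:
            continue
        name, enc, value = m.group("name", "enc", "value")
        if name in SECRET_ATTRS:
            attrs[name] = "<redacted>"  # keep the cleartext password out of any output
        elif enc == "::":
            attrs[name] = base64.b64decode(value).decode("utf-8")
        else:
            attrs[name] = value
    return attrs


def strip_realm(username: str) -> str:
    """Realm stripping as UsernameMatchesWithoutRealm intends: drop '@realm'."""
    return username.split("@", 1)[0]


def check_realm_stripped(trace: str, radius_username: str) -> bool:
    """True when the Username handed to the helper is the realm-stripped User-Name."""
    attrs = parse_passed_attributes(trace)
    return attrs.get("Username") == strip_realm(radius_username)


if __name__ == "__main__":
    user = "luser@radiator.testdomain.fi"
    for label, trace in (("PAP", PAP_TRACE), ("MSCHAPv2", MSCHAP_TRACE)):
        attrs = parse_passed_attributes(trace)
        print(f"{label}: Username passed to ntlm_auth = {attrs['Username']!r}, "
              f"realm stripped = {check_realm_stripped(trace, user)}")
```

Run against the two traces, the check reports `False` for PAP (the helper was given `luser@radiator.testdomain.fi`, which the Windows domain does not know) and `True` for MSCHAPv2, which is exactly the asymmetry in the report. The same parser is a quick way to confirm, after applying the patch set Mike mentions, that both authentication methods now pass the stripped name; note that the Password attribute is deliberately left undecoded, since a Trace 4 log already exposes it in base64 and should be handled as sensitive.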


