[RADIATOR] MSCHAPV2 with Vpn Concentrator 3000
SEG7
seg7 at ipb.pt
Wed Aug 20 10:31:13 CDT 2008
Hi there,
Currently we are authenticating our VPN Concentrator 3000 with Radiator 3.17, with
the cleartext password stored in an attribute field on our LDAP server. It's
working fine, but we don't want to store the password in cleartext on our
LDAP server.
So, to my understanding, the alternative is to check the NT hash (we have
those too), but I just can't get it to work properly; I tried every method I
saw on this list and nothing. (I also tried to put {nthash}46464....
directly in the LDAP server to check whether the hook wasn't working, but that also
fails.)
Any help with this?
Regards,
Sérgio
Handler working with cleartext (sambaNTPassword is cleartext)
<Handler Realm = vpn.ipb.pt>
    MaxSessions 4
    AccountingHandled
    SessionDatabase SessDBUsers
    <AuthBy LDAP2>
        Host localhost
        Port 389
        AuthDN cn=root,dc=ipb,dc=pt
        AuthPassword *
        BaseDN ou=Staff,ou=Pessoas,dc=ipb,dc=pt
        Scope sub
        UsernameAttr krbName
        # In this (working) setup the attribute holds the cleartext password
        PasswordAttr sambaNTPassword
        SearchFilter (&(%0=%1) (departmentNumber=ipbvpn))
        AutoMPPEKeys yes
    </AuthBy>
    AcctLogFileName /var/log/radius/vpn-detail.log
    AccountingHandled
    AuthLog vpnusers
</Handler>
Handler not working :( (sambaNTPassword is an MD4 hash)
<Handler Realm = vpn.ipb.pt,User-Name = seg7@vpn.ipb.pt>
    # Strip the @realm part before the LDAP lookup
    RewriteUsername s/^([^@]+).*/$1/
    MaxSessions 4
    AccountingHandled
    SessionDatabase SessDBUsers
    <AuthBy LDAP2>
        Host localhost
        Port 389
        Version 3
        AuthDN cn=root,dc=ipb,dc=pt
        AuthPassword *
        BaseDN ou=staff,ou=users,dc=ipb,dc=pt
        Scope sub
        # Here the attribute holds the 32-hex-char NT (MD4) hash
        PasswordAttr sambaNTPassword
        #EncryptedPasswordAttr ntPassword
        #PasswordAttr ntPassword
        SearchFilter (uid=%1)
        #ServerChecksPassword
        debug 255
        AutoMPPEKeys yes
        # Prefix the stored hex so Radiator treats it as an NT hash
        TranslatePasswordHook sub { return "{nthash}$_[0]"; }
        #EAPType MSCHAP-V2
    </AuthBy>
    AcctLogFileName /var/log/radius/vpn-detail.log
    AccountingHandled
    AuthLog vpnusers
</Handler>
Trace 4 log
Wed Aug 20 16:17:49 2008: DEBUG: Handling request with Handler 'Realm =
vpn.ipb.pt,User-Name = seg7 at vpn.ipb.pt'
Wed Aug 20 16:17:49 2008: DEBUG: Rewrote user name to seg7
Wed Aug 20 16:17:49 2008: DEBUG: SessDBUsers Deleting session for
seg7 at vpn.ipb.pt, 193.137.107.254, 1906
Wed Aug 20 16:17:49 2008: DEBUG: do query is: 'delete from RADONLINE
where NASIDENTIFIER='193.137.107.254' and NASPORT=01906':
Wed Aug 20 16:17:49 2008: DEBUG: Query is: 'select NASIDENTIFIER,
NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
USERNAME='seg7 at vpn.ipb.pt'':
Wed Aug 20 16:17:49 2008: DEBUG: Handling with Radius::AuthLDAP2:
Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server
blade04.ccom.ipb.pt:389
Wed Aug 20 16:17:49 2008: DEBUG: LDAP got result for
uid=seg7,ou=staff,ou=users,dc=ipb,dc=pt
Wed Aug 20 16:17:49 2008: DEBUG: LDAP got sambaNTPassword:
3B4C5A10DBC9058CB705CB8144AA3F8B
Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 looks for match with
seg7 [seg7 at vpn.ipb.pt]
Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password:
seg7 [seg7 at vpn.ipb.pt]
Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server
blade04.ccom.ipb.pt:389
Wed Aug 20 16:17:49 2008: DEBUG: No entries for DEFAULT found in LDAP
database
Wed Aug 20 16:17:49 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
Wed Aug 20 16:17:49 2008: INFO: Access rejected for seg7: Bad Password
Wed Aug 20 16:17:49 2008: DEBUG: Packet dump:
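A check a practitioner would run at this point, as an added example that is not part of the original post and not Radiator code: recompute the NT hash from a known password and compare it with the value the directory holds, accepting either the bare sambaNTPassword form or the {nthash}-prefixed form the hook produces, and rejecting values that are not exactly 16 bytes of hex. The stored value and password below are constructed for the example, not taken from the poster's directory. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3 (legacy provider).

```python
"""Recompute an NT hash and compare it with a stored sambaNTPassword value.

Added example; not from the original post or from Radiator. The stored
value and the password checked against it are constructed sample data.
"""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320) in pure Python."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, input word order, per-step shifts, additive constant) per round
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + (fn(b, c, d) & MASK) + x[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, as 32 uppercase hex chars
    (the form sambaNTPassword stores)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def radiator_form(hexhash: str) -> str:
    """The value Radiator's password check expects for an NT hash, i.e. what the
    TranslatePasswordHook in the post produces from the raw attribute."""
    return "{nthash}" + hexhash.upper()


def parse_stored(value: str) -> str:
    """Accept a bare hex NT hash or a {nthash}-prefixed one; return the hex.
    Anything that is not exactly 16 bytes of hex cannot be an NT hash."""
    hexpart = value[len("{nthash}"):] if value.lower().startswith("{nthash}") else value
    hexpart = hexpart.strip().upper()
    if len(hexpart) != 32 or any(ch not in "0123456789ABCDEF" for ch in hexpart):
        raise ValueError("not a 16-byte hex NT hash: %r" % value)
    return hexpart


def matches(stored: str, candidate: str) -> bool:
    """True if the stored attribute is the NT hash of the candidate password."""
    return hmac.compare_digest(parse_stored(stored), nt_hash(candidate))


# Constructed sample entry: the NT hash of the password "password"
STORED = "8846F7EAEE8FB117AD06BDD830B7586C"

if __name__ == "__main__":
    print(radiator_form(STORED))
    print(matches(STORED, "password"), matches(STORED, "Password"))
```

Two things this settles before touching the Radiator config: whether the directory really holds the NT hash of the password being typed (a stale or differently-cased password is indistinguishable from a broken hook in the trace above, which only shows "Bad Password"), and whether what the hook hands Radiator is `{nthash}` followed by exactly 32 hex characters. A caveat worth stating: for MS-CHAPv2 the NT hash is password-equivalent (the NT-Response is derived from the hash, never from the cleartext), so whoever can read sambaNTPassword can authenticate as that user; the LDAP ACL on that attribute needs to be as restrictive as it was for the cleartext one.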