[RADIATOR] MSCHAPV2 with Vpn Concentrator 3000

Hugh Irvine hugh at open.com.au
Thu Aug 21 19:09:49 CDT 2008


Hello Sergio -

Could you please send a more complete trace 4 showing the incoming packet dump?

And could you also please try a test entry in your LDAP database that contains the {nthash} prefix.

You can also add "NoDefault" to your AuthBy LDAP2 clause to stop the DEFAULT lookup.

BTW - the most recent version is Radiator 4.3.1 (plus patches).

regards

Hugh


On 21 Aug 2008, at 01:01, SEG7 wrote:

> Hi there,
>
> Currently we are authenticating our VPN Concentrator 3000 with Radiator 3.17 with a cleartext password stored in an attribute field on our LDAP server. It's working fine, but we don't want to store the password in cleartext on our LDAP server.
>
> So, to my understanding, the alternative is to check the NT hash (we have those too), but I just can't get it to work properly; I tried every method I saw in this list and nothing worked. (I also tried putting {nthash}46464.... directly in the LDAP server to check whether the hook wasn't working, but that also fails.)
>
> Any help with this?
> Regards,
> Sérgio
>
> Handler working with cleartext (sambaNTPassword is cleartext)
> <Handler Realm = vpn.ipb.pt>
>         MaxSessions 4
>         AccountingHandled
>         SessionDatabase SessDBUsers
>         <AuthBy LDAP2>
>                 Host            localhost
>                 Port 389
>                 AuthDN          cn=root,dc=ipb,dc=pt
>                 AuthPassword    *
>                 BaseDN          ou=Staff,ou=Pessoas,dc=ipb,dc=pt
>                 Scope           sub
>                 UsernameAttr    krbName
>                 PasswordAttr    sambaNTPassword
>                 SearchFilter    (&(%0=%1) (departmentNumber=ipbvpn))
>                 AutoMPPEKeys    yes
>         </AuthBy>
>         AcctLogFileName /var/log/radius/vpn-detail.log
>         AccountingHandled
>         AuthLog vpnusers
> </Handler>
>
> Handler not working :( (sambaNTPassword is an MD4 hash)
> <Handler Realm = vpn.ipb.pt,User-Name = seg7 at vpn.ipb.pt>
>         RewriteUsername         s/^([^@]+).*/$1/
>         MaxSessions 4
>         AccountingHandled
>         SessionDatabase SessDBUsers
>         <AuthBy LDAP2>
>                 Host            localhost
>                 Port 389
>                 Version         3
>                 AuthDN          cn=root,dc=ipb,dc=pt
>                 AuthPassword    *
>                 BaseDN          ou=staff,ou=users,dc=ipb,dc=pt
>                 Scope           sub
>                 PasswordAttr    sambaNTPassword
>                 #EncryptedPasswordAttr  ntPassword
>                 #PasswordAttr   ntPassword
>                 SearchFilter    (uid=%1)
>                 #ServerChecksPassword
>                 debug 255
>                 AutoMPPEKeys    yes
>                 TranslatePasswordHook sub { return "{nthash}$_[0]"; }
>                 #EAPType MSCHAP-V2
>         </AuthBy>
>         AcctLogFileName /var/log/radius/vpn-detail.log
>         AccountingHandled
>         AuthLog vpnusers
> </Handler>
>
> Trace 4 log
> Wed Aug 20 16:17:49 2008: DEBUG: Handling request with Handler 'Realm = vpn.ipb.pt,User-Name = seg7 at vpn.ipb.pt'
> Wed Aug 20 16:17:49 2008: DEBUG: Rewrote user name to seg7
> Wed Aug 20 16:17:49 2008: DEBUG: SessDBUsers Deleting session for seg7 at vpn.ipb.pt, 193.137.107.254, 1906
> Wed Aug 20 16:17:49 2008: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='193.137.107.254' and NASPORT=01906':
> Wed Aug 20 16:17:49 2008: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='seg7 at vpn.ipb.pt'':
> Wed Aug 20 16:17:49 2008: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
> Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server blade04.ccom.ipb.pt:389
> Wed Aug 20 16:17:49 2008: DEBUG: LDAP got result for uid=seg7,ou=staff,ou=users,dc=ipb,dc=pt
> Wed Aug 20 16:17:49 2008: DEBUG: LDAP got sambaNTPassword: 3B4C5A10DBC9058CB705CB8144AA3F8B
> Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 looks for match with seg7 [seg7 at vpn.ipb.pt]
> Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: seg7 [seg7 at vpn.ipb.pt]
> Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
> Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server blade04.ccom.ipb.pt:389
> Wed Aug 20 16:17:49 2008: DEBUG: No entries for DEFAULT found in LDAP database
> Wed Aug 20 16:17:49 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
> Wed Aug 20 16:17:49 2008: INFO: Access rejected for seg7: Bad Password
> Wed Aug 20 16:17:49 2008: DEBUG: Packet dump:
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
