[RADIATOR] MSCHAPV2 with Vpn Concentrator 3000

SEG7 seg7 at ipb.pt
Mon Aug 25 05:17:32 CDT 2008


Hugh Irvine wrote:
>
> Hello Sergio -
>
> Could you please send a more complete trace 4 showing the incoming
> packet dump?
>
> And could you also please try a test entry in your LDAP database that
> contains the {nthash} prefix.
>
> You can also add "NoDefault" to your AuthBy LDAP2 clause to stop the
> DEFAULT lookup.
>
> BTW - the most recent version is Radiator 4.3.1 (plus patches).
>
> regards
>
> Hugh
>
>
> On 21 Aug 2008, at 01:01, SEG7 wrote:
>
>> Hi there,
>>
>> Currently we authenticate our VPN Concentrator 3000 with Radiator 3.17, with
>> the cleartext password stored in an attribute field on our LDAP server. It's
>> working fine, but we don't want to store the password in cleartext on our
>> LDAP server.
>>
>> So, to my understanding, the alternative is to check the NT hash (we have
>> those too), but I just can't get it to work properly; I tried every method I
>> saw on this list and nothing. (I also tried putting {nthash}46464....
>> directly in the LDAP server, to check whether the hook wasn't working, but
>> that also fails.)
>>
>> Any help with this?
>> Regards,
>> Sérgio
>>
>> Handler working with cleartext (sambaNTPassword is cleartext)
>> <Handler Realm = vpn.ipb.pt>
>>         MaxSessions 4
>>         AccountingHandled
>>         SessionDatabase SessDBUsers
>>         <AuthBy LDAP2>
>>                 Host            localhost
>>                 Port 389
>>                 AuthDN          cn=root,dc=ipb,dc=pt
>>                 AuthPassword    *
>>                 BaseDN          ou=Staff,ou=Pessoas,dc=ipb,dc=pt
>>                 Scope           sub
>>                 UsernameAttr    krbName
>>                 PasswordAttr    sambaNTPassword
>>                 SearchFilter    (&(%0=%1) (departmentNumber=ipbvpn))
>>                 AutoMPPEKeys    yes
>>         </AuthBy>
>>         AcctLogFileName /var/log/radius/vpn-detail.log
>>         AccountingHandled
>>         AuthLog vpnusers
>> </Handler>
>>
>> Handler not working :( (sambaNTPassword is an MD4 hash)
>> <Handler Realm = vpn.ipb.pt,User-Name = seg7@vpn.ipb.pt>
>>         RewriteUsername         s/^([^@]+).*/$1/
>>         MaxSessions 4
>>         AccountingHandled
>>         SessionDatabase SessDBUsers
>>         <AuthBy LDAP2>
>>                 Host            localhost
>>                 Port 389
>>                 Version         3
>>                 AuthDN          cn=root,dc=ipb,dc=pt
>>                 AuthPassword    *
>>                 BaseDN          ou=staff,ou=users,dc=ipb,dc=pt
>>                 Scope           sub
>>                 PasswordAttr    sambaNTPassword
>>                 #EncryptedPasswordAttr  ntPassword
>>                 #PasswordAttr   ntPassword
>>                 SearchFilter    (uid=%1)
>>                 #ServerChecksPassword
>>                 debug 255
>>                 AutoMPPEKeys    yes
>>                 TranslatePasswordHook sub { return "{nthash}$_[0]"; }
>>                 #EAPType MSCHAP-V2
>>         </AuthBy>
>>         AcctLogFileName /var/log/radius/vpn-detail.log
>>         AccountingHandled
>>         AuthLog vpnusers
>> </Handler>
>>
>> Trace 4 log
>> Wed Aug 20 16:17:49 2008: DEBUG: Handling request with Handler 'Realm =
>> vpn.ipb.pt,User-Name = seg7@vpn.ipb.pt'
>> Wed Aug 20 16:17:49 2008: DEBUG: Rewrote user name to seg7
>> Wed Aug 20 16:17:49 2008: DEBUG: SessDBUsers Deleting session for
>> seg7@vpn.ipb.pt, 193.137.107.254, 1906
>> Wed Aug 20 16:17:49 2008: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='193.137.107.254' and NASPORT=01906':
>> Wed Aug 20 16:17:49 2008: DEBUG: Query is: 'select NASIDENTIFIER,
>> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
>> USERNAME='seg7@vpn.ipb.pt'':
>> Wed Aug 20 16:17:49 2008: DEBUG: Handling with Radius::AuthLDAP2:
>> Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
>> Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server
>> blade04.ccom.ipb.pt:389
>> Wed Aug 20 16:17:49 2008: DEBUG: LDAP got result for
>> uid=seg7,ou=staff,ou=users,dc=ipb,dc=pt
>> Wed Aug 20 16:17:49 2008: DEBUG: LDAP got sambaNTPassword:
>> 3B4C5A10DBC9058CB705CB8144AA3F8B
>> Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 looks for match with
>> seg7 [seg7@vpn.ipb.pt]
>> Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password:
>> seg7 [seg7@vpn.ipb.pt]
>> Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
>> Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server
>> blade04.ccom.ipb.pt:389
>> Wed Aug 20 16:17:49 2008: DEBUG: No entries for DEFAULT found in LDAP
>> database
>> Wed Aug 20 16:17:49 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad
>> Password
>> Wed Aug 20 16:17:49 2008: INFO: Access rejected for seg7: Bad Password
>> Wed Aug 20 16:17:49 2008: DEBUG: Packet dump:
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
Thanks for the tip on NoDefault, Hugh; it was added.

As for the hash attribute, it is defined as

sambaNTPassword: {nthash}31D6CFE0D16AE931B73C59D7E0C089C0

I disabled the hook to get it working directly; then I will try to
remove the {nthash} string from the hash and hook it again (if I can get
it to work).
Regards,
Sérgio

Here's the complete trace 4 log.

Mon Aug 25 11:09:08 2008: DEBUG: Packet dump:
*** Received from 193.137.107.254 port 1130 ....
Code:       Access-Request
Identifier: 45
Authentic:  <155>Z<231><182> &<143><246>'<213>V<231>k<182><21><169>
Attributes:
        User-Name = "seg7@vpn.ipb.pt"
        NAS-Port = 2279
        Service-Type = Framed
        Framed-Protocol = PPP
        Tunnel-Client-Endpoint = 193.136.195.195
        MS-CHAP-Challenge = "<6><155><138>0<149><17><228><5><254><143>Q<1><186>NT<187>"
        MS-CHAP2-Response = "<2><0><17><177><140>,[<191><6><157>
<0><244><234><127>d<130><245><0><0><0><0><0><0><0><0>I<136><26>u<221><196><251>pU<25><21><178>$#<130><234><169><4>/BO<8>9_"
        NAS-IP-Address = 193.137.107.254
        NAS-Port-Type = Virtual

Mon Aug 25 11:09:08 2008: DEBUG: Handling request with Handler 'Realm =
vpn.ipb.pt,User-Name = seg7@vpn.ipb.pt'
Mon Aug 25 11:09:08 2008: DEBUG: Rewrote user name to seg7
Mon Aug 25 11:09:08 2008: DEBUG: SessDBUsers Deleting session for
seg7@vpn.ipb.pt, 193.137.107.254, 2279
Mon Aug 25 11:09:08 2008: DEBUG: do query is: 'delete from RADONLINE
where NASIDENTIFIER='193.137.107.254' and NASPORT=02279':
Mon Aug 25 11:09:08 2008: DEBUG: Query is: 'select NASIDENTIFIER,
NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
USERNAME='seg7@vpn.ipb.pt'':
Mon Aug 25 11:09:08 2008: DEBUG: Handling with Radius::AuthLDAP2:
Mon Aug 25 11:09:08 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
Mon Aug 25 11:09:08 2008: INFO: Attempting to bind to LDAP server
blade04.ccom.ipb.pt:389
Mon Aug 25 11:09:08 2008: DEBUG: LDAP got result for
uid=seg7,ou=staff,ou=users,dc=ipb,dc=pt
Mon Aug 25 11:09:08 2008: DEBUG: LDAP got sambaNTPassword:
{nthash}31D6CFE0D16AE931B73C59D7E0C089C0
Mon Aug 25 11:09:08 2008: DEBUG: Radius::AuthLDAP2 looks for match with
seg7 [seg7@vpn.ipb.pt]
Mon Aug 25 11:09:08 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password:
seg7 [seg7@vpn.ipb.pt]
Mon Aug 25 11:09:08 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
Mon Aug 25 11:09:08 2008: INFO: Access rejected for seg7: Bad Password
Mon Aug 25 11:09:08 2008: DEBUG: Packet dump:
*** Sending to 193.137.107.254 port 1130 ....
Code:       Access-Reject
Identifier: 45
Authentic:  <155>Z<231><182> &<143><246>'<213>V<231>k<182><21><169>
Attributes:
        Reply-Message = "Request Denied"