[RADIATOR] MSCHAPV2 with Vpn Concentrator 3000

Sami Keski-Kasari samikk at archred.com
Mon Aug 25 08:49:42 CDT 2008


Hi Sergio,

You can't rewrite the username if you are using MSCHAPv2.

Use UsernameMatchesWithoutRealm inside the AuthBy instead.

-- 
Sami


SEG7 wrote:
> Hugh Irvine wrote:
>   
>> Hello Sergio -
>>
>> Could you please send a more complete trace 4 showing the incoming
>> packet dump?
>>
>> And could you also please try a test entry in your LDAP database that
>> contains the {nthash} prefix.
>>
>> You can also add "NoDefault" to your AuthBy LDAP2 clause to stop the
>> DEFAULT lookup.
>>
>> BTW - the most recent version is Radiator 4.3.1 (plus patches).
>>
>> regards
>>
>> Hugh
>>
>>
>> On 21 Aug 2008, at 01:01, SEG7 wrote:
>>
>>     
>>> Hi there,
>>>
>>> Currently we are authenticating our VPN Concentrator 3000 with Radiator 3.17
>>> with a cleartext password stored in an attribute field on our LDAP server; it's
>>> working fine, but we don't want to store the password in cleartext on our
>>> LDAP server.
>>>
>>> So, to my understanding the alternative is to check the NT hash (we have
>>> those too), but I just can't get it to work properly; I tried every method I
>>> saw on this list and nothing worked. (I also tried putting {nthash}46464....
>>> directly in the LDAP server to check whether the hook wasn't working, but that
>>> also fails.)
>>>
>>> Any help with this?
>>> Regards,
>>> Sérgio
>>>
>>> Handler working with cleartext (sambaNTPassword is cleartext)
>>> <Handler Realm = vpn.ipb.pt>
>>>         MaxSessions 4
>>>         AccountingHandled
>>>         SessionDatabase SessDBUsers
>>>         <AuthBy LDAP2>
>>>                 Host            localhost
>>>                 Port 389
>>>                 AuthDN          cn=root,dc=ipb,dc=pt
>>>                 AuthPassword    *
>>>                 BaseDN          ou=Staff,ou=Pessoas,dc=ipb,dc=pt
>>>                 Scope           sub
>>>                 UsernameAttr    krbName
>>>                 PasswordAttr    sambaNTPassword
>>>                 SearchFilter    (&(%0=%1) (departmentNumber=ipbvpn))
>>>                 AutoMPPEKeys    yes
>>>         </AuthBy>
>>>         AcctLogFileName /var/log/radius/vpn-detail.log
>>>         AccountingHandled
>>>         AuthLog vpnusers
>>> </Handler>
>>>
>>> Handler not working :( (sambaNTPassword is an MD4 hash)
>>> <Handler Realm = vpn.ipb.pt,User-Name = seg7 at vpn.ipb.pt>
>>>         RewriteUsername         s/^([^@]+).*/$1/
>>>         MaxSessions 4
>>>         AccountingHandled
>>>         SessionDatabase SessDBUsers
>>>         <AuthBy LDAP2>
>>>                 Host            localhost
>>>                 Port 389
>>>                 Version         3
>>>                 AuthDN          cn=root,dc=ipb,dc=pt
>>>                 AuthPassword    *
>>>                 BaseDN          ou=staff,ou=users,dc=ipb,dc=pt
>>>                 Scope           sub
>>>                 PasswordAttr    sambaNTPassword
>>>                 #EncryptedPasswordAttr  ntPassword
>>>                 #PasswordAttr   ntPassword
>>>                 SearchFilter    (uid=%1)
>>>                 #ServerChecksPassword
>>>                 debug 255
>>>                 AutoMPPEKeys    yes
>>>                 TranslatePasswordHook sub { return "{nthash}$_[0]"; }
>>>                 #EAPType MSCHAP-V2
>>>         </AuthBy>
>>>         AcctLogFileName /var/log/radius/vpn-detail.log
>>>         AccountingHandled
>>>         AuthLog vpnusers
>>> </Handler>
>>>
>>> Trace 4 log
>>> Wed Aug 20 16:17:49 2008: DEBUG: Handling request with Handler 'Realm =
>>> vpn.ipb.pt,User-Name = seg7 at vpn.ipb.pt'
>>> Wed Aug 20 16:17:49 2008: DEBUG: Rewrote user name to seg7
>>> Wed Aug 20 16:17:49 2008: DEBUG: SessDBUsers Deleting session for
>>> seg7 at vpn.ipb.pt, 193.137.107.254, 1906
>>> Wed Aug 20 16:17:49 2008: DEBUG: do query is: 'delete from RADONLINE
>>> where NASIDENTIFIER='193.137.107.254' and NASPORT=01906':
>>> Wed Aug 20 16:17:49 2008: DEBUG: Query is: 'select NASIDENTIFIER,
>>> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
>>> USERNAME='seg7 at vpn.ipb.pt'':
>>> Wed Aug 20 16:17:49 2008: DEBUG: Handling with Radius::AuthLDAP2:
>>> Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
>>> Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server
>>> blade04.ccom.ipb.pt:389
>>> Wed Aug 20 16:17:49 2008: DEBUG: LDAP got result for
>>> uid=seg7,ou=staff,ou=users,dc=ipb,dc=pt
>>> Wed Aug 20 16:17:49 2008: DEBUG: LDAP got sambaNTPassword:
>>> 3B4C5A10DBC9058CB705CB8144AA3F8B
>>> Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 looks for match with
>>> seg7 [seg7 at vpn.ipb.pt]
>>> Wed Aug 20 16:17:49 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password:
>>> seg7 [seg7 at vpn.ipb.pt]
>>> Wed Aug 20 16:17:49 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
>>> Wed Aug 20 16:17:49 2008: INFO: Attempting to bind to LDAP server
>>> blade04.ccom.ipb.pt:389
>>> Wed Aug 20 16:17:49 2008: DEBUG: No entries for DEFAULT found in LDAP
>>> database
>>> Wed Aug 20 16:17:49 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad
>>> Password
>>> Wed Aug 20 16:17:49 2008: INFO: Access rejected for seg7: Bad Password
>>> Wed Aug 20 16:17:49 2008: DEBUG: Packet dump:
>>> <seg7.vcf>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>       
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>>     
> Thanks for the tip on NoDefault, Hugh, it was added.
>
> As for the hash attribute, it is defined as
>
> sambaNTPassword: {nthash}31D6CFE0D16AE931B73C59D7E0C089C0
>
> I disabled the hook to get it working directly; then I will try to
> remove the {nthash} string from the hash and hook it again (if I can get
> it to work).
> Regards,
> Sérgio
>
> Here's the complete trace 4 log.
>
> Mon Aug 25 11:09:08 2008: DEBUG: Packet dump:
> *** Received from 193.137.107.254 port 1130 ....
> Code:       Access-Request
> Identifier: 45
> Authentic:  <155>Z<231><182> &<143><246>'<213>V<231>k<182><21><169>
> Attributes:
>         User-Name = "seg7 at vpn.ipb.pt"
>         NAS-Port = 2279
>         Service-Type = Framed
>         Framed-Protocol = PPP
>         Tunnel-Client-Endpoint = 193.136.195.195
>         MS-CHAP-Challenge =
> "<6><155><138>0<149><17><228><5><254><143>Q<1><186>NT<187>"
>         MS-CHAP2-Response = "<2><0><17><177><140>,[<191><6><157>
> <0><244><234><127>d<130><245><0><0><0><0><0><0><0><0>I<136><26>u<221><196><251>pU<25><21><178>$#<130><234><169><4>/BO<8>9_"
>         NAS-IP-Address = 193.137.107.254
>         NAS-Port-Type = Virtual
>
> Mon Aug 25 11:09:08 2008: DEBUG: Handling request with Handler 'Realm =
> vpn.ipb.pt,User-Name = seg7 at vpn.ipb.pt'
> Mon Aug 25 11:09:08 2008: DEBUG: Rewrote user name to seg7
> Mon Aug 25 11:09:08 2008: DEBUG: SessDBUsers Deleting session for
> seg7 at vpn.ipb.pt, 193.137.107.254, 2279
> Mon Aug 25 11:09:08 2008: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='193.137.107.254' and NASPORT=02279':
> Mon Aug 25 11:09:08 2008: DEBUG: Query is: 'select NASIDENTIFIER,
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
> USERNAME='seg7 at vpn.ipb.pt'':
> Mon Aug 25 11:09:08 2008: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Aug 25 11:09:08 2008: INFO: Connecting to blade04.ccom.ipb.pt:389
> Mon Aug 25 11:09:08 2008: INFO: Attempting to bind to LDAP server
> blade04.ccom.ipb.pt:389
> Mon Aug 25 11:09:08 2008: DEBUG: LDAP got result for
> uid=seg7,ou=staff,ou=users,dc=ipb,dc=pt
> Mon Aug 25 11:09:08 2008: DEBUG: LDAP got sambaNTPassword:
> {nthash}31D6CFE0D16AE931B73C59D7E0C089C0
> Mon Aug 25 11:09:08 2008: DEBUG: Radius::AuthLDAP2 looks for match with
> seg7 [seg7 at vpn.ipb.pt]
> Mon Aug 25 11:09:08 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password:
> seg7 [seg7 at vpn.ipb.pt]
> Mon Aug 25 11:09:08 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
> Mon Aug 25 11:09:08 2008: INFO: Access rejected for seg7: Bad Password
> Mon Aug 25 11:09:08 2008: DEBUG: Packet dump:
> *** Sending to 193.137.107.254 port 1130 ....
> Code:       Access-Reject
> Identifier: 45
> Authentic:  <155>Z<231><182> &<143><246>'<213>V<231>k<182><21><169>
> Attributes:
>         Reply-Message = "Request Denied"
>   



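Why Sami's advice holds is visible in the MS-CHAPv2 arithmetic itself. The following Go program is an added example written for this archive page; it is not Radiator code and not Sérgio's configuration. It implements ChallengeHash, ChallengeResponse and GenerateNTResponse from RFC 2759 on top of Go's standard crypto/des and crypto/sha1, takes the NT hash in the "{nthash}..." form the thread stores in sambaNTPassword (the hash quoted there, 31D6CFE0D16AE931B73C59D7E0C089C0, is the well-known NT hash of an empty password), and then replays the trace's failure: the client builds its NT-Response with the User-Name it sent ("seg7@vpn.ipb.pt"), and a server that has already applied RewriteUsername verifies with "seg7". Because the user name is hashed into the 8-byte challenge, the expected response differs and the result is exactly the "REJECT: Bad Password" in the log, even though the stored hash is correct. The challenge values below are constructed for the demo; the function and variable names are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ntHashFromLDAP decodes a stored NT hash in the "{nthash}<32 hex>" form that
// the thread's TranslatePasswordHook produces (bare hex is accepted too).
func ntHashFromLDAP(attr string) ([]byte, error) {
	b, err := hex.DecodeString(strings.TrimPrefix(attr, "{nthash}"))
	if err != nil {
		return nil, err
	}
	if len(b) != 16 {
		return nil, fmt.Errorf("NT hash must be 16 bytes, got %d", len(b))
	}
	return b, nil
}

// challengeHash is ChallengeHash() from RFC 2759 section 8.2: the user name is
// part of the SHA-1 input, so the server must use exactly the name the client used.
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// makeDESKey spreads 56 key bits over 8 bytes, leaving the low bit of each byte
// for parity (crypto/des ignores it), as DesEncrypt() in RFC 2759 section 8.6 requires.
func makeDESKey(k7 []byte) []byte {
	return []byte{
		k7[0] & 0xFE,
		(k7[0]<<7 | k7[1]>>1) & 0xFE,
		(k7[1]<<6 | k7[2]>>2) & 0xFE,
		(k7[2]<<5 | k7[3]>>3) & 0xFE,
		(k7[3]<<4 | k7[4]>>4) & 0xFE,
		(k7[4]<<3 | k7[5]>>5) & 0xFE,
		(k7[5]<<2 | k7[6]>>6) & 0xFE,
		(k7[6] << 1) & 0xFE,
	}
}

// challengeResponse is ChallengeResponse() from RFC 2759 section 8.5: the NT hash
// is zero-padded to 21 bytes and split into three DES keys, each encrypting the challenge.
func challengeResponse(challenge, ntHash []byte) ([]byte, error) {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		c, err := des.NewCipher(makeDESKey(padded[i : i+7]))
		if err != nil {
			return nil, err
		}
		block := make([]byte, 8)
		c.Encrypt(block, challenge)
		out = append(out, block...)
	}
	return out, nil
}

// generateNTResponse is GenerateNTResponse() from RFC 2759 section 8.1 without the
// password-to-hash step, because the NT hash comes straight from the directory here.
func generateNTResponse(authChallenge, peerChallenge []byte, userName string, ntHash []byte) ([]byte, error) {
	return challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntHash)
}

// verifyNTResponse is the server-side check behind an ACCEPT or a "Bad Password" REJECT.
func verifyNTResponse(authChallenge, peerChallenge []byte, userName string, ntHash, ntResponse []byte) bool {
	expected, err := generateNTResponse(authChallenge, peerChallenge, userName, ntHash)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, ntResponse) == 1
}

// demoRewrite replays the thread's failure: the client computed its response over
// "seg7@vpn.ipb.pt" and the server verified with the rewritten name "seg7".
// Challenges are constructed; the NT hash is the LDAP value quoted in the thread.
func demoRewrite() (okOriginal, okRewritten bool, err error) {
	ntHash, err := ntHashFromLDAP("{nthash}31D6CFE0D16AE931B73C59D7E0C089C0")
	if err != nil {
		return false, false, err
	}
	authChallenge := []byte("constructed-auth") // 16 bytes, constructed for the demo
	peerChallenge := []byte("constructed-peer") // 16 bytes, constructed for the demo
	const clientName = "seg7@vpn.ipb.pt"
	resp, err := generateNTResponse(authChallenge, peerChallenge, clientName, ntHash)
	if err != nil {
		return false, false, err
	}
	okOriginal = verifyNTResponse(authChallenge, peerChallenge, clientName, ntHash, resp)
	okRewritten = verifyNTResponse(authChallenge, peerChallenge, "seg7", ntHash, resp)
	return okOriginal, okRewritten, nil
}
```

Call demoRewrite() from a main() of your own: it returns true for the client's name and false for the rewritten one. The same functions reproduce the RFC 2759 section 9.2 test vectors (user "User", 8-byte challenge D02E4386BCE91226), which is a handy self-check when porting this logic. The practical consequence is the one Sami states: any change to the user name has to happen on the lookup side only, so that the directory is searched for the account without its realm while the User-Name fed into the MS-CHAPv2 computation stays byte-for-byte what the VPN client sent.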