[RADIATOR] Problem rewriting inner username with PEAP-MSCHAPV2
Michael Harlow
Michael.Harlow at utas.edu.au
Tue Dec 23 18:27:52 CST 2008
Hi Hugh,
Manual 4.3.1 section 5.18.57 (page 82 of 346)
UsernameMatchesWithoutRealm does not list "AuthBy LSA"
I have added the line anyway, and the part of the debug that used to say
Tue Dec 23 11:54:51 2008: DEBUG: Radius::AuthLSA looks for match with mike at utas.edu.au [anonymous]
Tue Dec 23 11:54:51 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike at utas.edu.au [anonymous]
Tue Dec 23 11:54:52 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
NOW says (utas.edu.au stripped)
Wed Dec 24 11:05:08 2008: DEBUG: Radius::AuthLSA looks for match with mike [anonymous]
Wed Dec 24 11:05:08 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike [anonymous]
Wed Dec 24 11:05:08 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
But still no ACCEPT unless I don't pass in the @utas.edu.au as part of the username in the first place (shown below).
Wed Dec 24 11:20:39 2008: DEBUG: Radius::AuthLSA looks for match with mike [anonymous]
Wed Dec 24 11:20:39 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike [anonymous]
Wed Dec 24 11:20:39 2008: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Wed Dec 24 11:20:39 2008: DEBUG: AuthBy LSA result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Cheers, Michael
PS. I think I saw Windows7 Beta using forward-slashes not back-slashes when passing in DOMAIN\user-name (viz DOMAIN/user-name). Something I'll check again later. Don't know it this will break anything, but not part of this current issue anyway.
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, 23 December 2008 10:02 PM
To: Michael Harlow; Matti Saarinen
Cc: radiator at open.com.au list
Subject: Re: [RADIATOR] Problem rewriting inner username with PEAP-MSCHAPV2
Hello Matti, Hello Michael -
Correct - rather than use a RewriteUsername, you should use
UsernameMatchesWithoutRealm in the inner AuthBy LSA clause.
regards
Hugh
On 23 Dec 2008, at 19:08, Matti Saarinen wrote:
> Michael Harlow wrote:
>
>> I'm trying to work our how to re-write the inner username for a TTLS
>> or PEAP request.
>>
>> [...]
>>
>> It seems to be working for TunnelledByTTLS/PAP, but not for
>> TunnelledByTTLS/MSCHAP-V2 and TunnelledByPEAP/MSCHAP-V2. Am I missing
>> something?
>
> I have understood that MSCHAPv2 packets contain checksum that is
> generated by the supplicant. Therefore the packets cannot be altered
> by
> any intermediate RADIUS servers.
>
> --
> - Matti -
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list