[RADIATOR] Problem rewriting inner username with PEAP-MSCHAPV2

Hugh Irvine hugh at open.com.au
Mon Dec 29 17:32:50 CST 2008


Hello Michael -

The MSCHAP-V2 checksum you mention below is generated from the whole username as entered into the supplicant, and hence Radiator needs the original unaltered username.

In other words you cannot use RewriteUsername(s) and/or DefaultRealm(s).

You will notice that the Radiator manual mentions PEAP in the list for UsernameMatchesWithoutRealm.

regards

Hugh



On 24 Dec 2008, at 11:27, Michael Harlow wrote:

>
> Hi Hugh,
>
> Manual 4.3.1 section 5.18.57 (page 82 of 346)
>
> UsernameMatchesWithoutRealm does not list "AuthBy LSA"
>
> I have added the line anyway, and the part of the debug that used to say
> Tue Dec 23 11:54:51 2008: DEBUG: Radius::AuthLSA looks for match with mike at utas.edu.au [anonymous]
> Tue Dec 23 11:54:51 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike at utas.edu.au [anonymous]
> Tue Dec 23 11:54:52 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
>
> NOW says (utas.edu.au stripped)
>
> Wed Dec 24 11:05:08 2008: DEBUG: Radius::AuthLSA looks for match with mike [anonymous]
> Wed Dec 24 11:05:08 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike [anonymous]
> Wed Dec 24 11:05:08 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
>
> But still no ACCEPT unless I don't pass in the @utas.edu.au as part of the username in the first place (shown below).
>
> Wed Dec 24 11:20:39 2008: DEBUG: Radius::AuthLSA looks for match with mike [anonymous]
> Wed Dec 24 11:20:39 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike [anonymous]
> Wed Dec 24 11:20:39 2008: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Wed Dec 24 11:20:39 2008: DEBUG: AuthBy LSA result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
>
> Cheers, Michael
>
> PS. I think I saw Windows7 Beta using forward-slashes not back-slashes when passing in DOMAIN\user-name (viz DOMAIN/user-name). Something I'll check again later. Don't know if this will break anything, but not part of this current issue anyway.
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, 23 December 2008 10:02 PM
> To: Michael Harlow; Matti Saarinen
> Cc: radiator at open.com.au list
> Subject: Re: [RADIATOR] Problem rewriting inner username with PEAP-MSCHAPV2
>
>
> Hello Matti, Hello Michael -
>
> Correct - rather than use a RewriteUsername, you should use
> UsernameMatchesWithoutRealm in the inner AuthBy LSA clause.
>
> regards
>
> Hugh
>
>
> On 23 Dec 2008, at 19:08, Matti Saarinen wrote:
>
>> Michael Harlow wrote:
>>
>>> I'm trying to work out how to re-write the inner username for a TTLS or PEAP request.
>>>
>>> [...]
>>>
>>> It seems to be working for TunnelledByTTLS/PAP, but not for TunnelledByTTLS/MSCHAP-V2 and TunnelledByPEAP/MSCHAP-V2. Am I missing something?
>>
>> I have understood that MSCHAPv2 packets contain a checksum that is generated by the supplicant. Therefore the packets cannot be altered by any intermediate RADIUS servers.
>>
>> -- 
>> - Matti -
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
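The reason behind Hugh's advice, as an added illustration that is not part of the thread and not Radiator code: the MS-CHAPv2 ChallengeHash (RFC 2759 section 8.3) takes the username as one of its inputs, so a server that strips the realm before recomputing the response gets a different hash from the one the supplicant used. The model below keeps the ChallengeHash step exactly as specified; the NT-hash/DES stage that turns it into the 24-octet NT-Response is replaced by an HMAC-SHA1 stand-in (the standard library has no DES), and the user store and password are constructed test values.

```python
import hashlib
import hmac


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 8.3: first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def nt_response(peer_challenge: bytes, auth_challenge: bytes, username: str, password: str) -> bytes:
    """Stand-in for GenerateNTResponse: keyed by the password, bound to the ChallengeHash.
    Real MS-CHAPv2 DES-encrypts the ChallengeHash under the MD4 password hash; the
    username binding demonstrated here is the same either way."""
    ch = challenge_hash(peer_challenge, auth_challenge, username)
    return hmac.new(password.encode("utf-8"), ch, hashlib.sha1).digest()[:24]


def strip_realm(username: str) -> str:
    return username.split("@", 1)[0]


# Constructed user store keyed by bare username, as a backend consulted through
# UsernameMatchesWithoutRealm would be. The password is a constructed test value.
USERS = {"mike": "constructed-password"}


def verify(username_as_sent: str, peer_challenge: bytes, auth_challenge: bytes,
           response: bytes, rewrite_username: bool) -> bool:
    """rewrite_username=True models RewriteUsername/DefaultRealm: the realm is
    stripped before the response is recomputed, so the hash input no longer
    matches what the supplicant used. False models UsernameMatchesWithoutRealm:
    only the lookup key is stripped; the hash uses the name exactly as sent."""
    password = USERS.get(strip_realm(username_as_sent))
    if password is None:
        return False
    hash_name = strip_realm(username_as_sent) if rewrite_username else username_as_sent
    expected = nt_response(peer_challenge, auth_challenge, hash_name, password)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    peer, auth = bytes(range(16)), bytes(range(16, 32))  # constructed challenges
    resp = nt_response(peer, auth, "mike@utas.edu.au", "constructed-password")
    print("rewrite:", verify("mike@utas.edu.au", peer, auth, resp, True))   # False
    print("match w/o realm:", verify("mike@utas.edu.au", peer, auth, resp, False))  # True
```

This mirrors the debug output in the thread: with the realm rewritten the user record is found, yet the logon still fails, while a bare "mike" succeeds under both settings because there is nothing to strip.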
