[RADIATOR] PEAP-MSCHAPv2 + LDAP problem
William Ulrich
bulrich at haverford.edu
Fri Oct 3 08:42:37 CDT 2008
Hello all,
I'm currently attempting to use a combination of Radiator and Sun's LDAP
to provide authentication for our wireless network. The wireless
controller uses PEAP/MSCHAPv2. If anyone has a suggestion on getting
this to work, I'd be most grateful.
I've successfully authenticated the ubiquitous 'mikem' user using a
stripped down user file (/etc/radiator/users) containing only this entry:
mikem User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4
Service-Type=Framed-User
and the following radius.cfg file, shamelessly cribbed from a mailing
list posting back in May:
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
Filename /etc/radiator/users
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
EAPType PEAP
EAPTLS_CAFile .../CA_cert_file.crt
EAPTLS_CertificateFile .../server.crt
EAPTLS_PrivateKeyFile .../server.key
EAPTLS_CertificateType PEM
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
</AuthBy>
</Handler>
This works. Now if I swap the TunnelledByPEAP handler's <AuthBy FILE>
section with an analogous <AuthBy LDAP2>:
<AuthBy LDAP2>
Host *******************
Port 389
AuthDN cn=*************
AuthPassword ***********
BaseDN ou=people,dc=test,***********
UsernameAttr uid
PasswordAttr ntPassword
EAPType MSCHAP-V2
EAPTLS_CAFile .../CA_cert_file.crt
EAPTLS_CertificateFile .../server.crt
EAPTLS_PrivateKeyFile .../server.key
EAPTLS_CertificateType PEM
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
</AuthBy>
Authentication fails, with the following log entry (apologies for the
awkward wrapping):
Thu Oct 2 15:32:28 2008: INFO: Connecting to ***********:389
Thu Oct 2 15:32:28 2008: INFO: Attempting to bind to LDAP server *************:389
Thu Oct 2 15:32:28 2008: DEBUG: LDAP got result for uid=fuser,ou=people,*************
Thu Oct 2 15:32:28 2008: DEBUG: LDAP got ntPassword: {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 looks for match with fuser [anonymous]
Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser [anonymous]
Thu Oct 2 15:32:28 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thu Oct 2 15:32:28 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
Thu Oct 2 15:32:28 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Thu Oct 2 15:32:28 2008: DEBUG: Returned PEAP tunnelled packet dump:
From what I can see in the log, it gets the right attribute (ntPassword)
in the right form ({nthash}... a la the users file) and I've verified
that the nthash is correct for the test user account.
So - what's going wrong? I'm a little stymied, so if anyone has an idea,
I'd love to hear it.
Thanks in Advance,
Bill Ulrich