[RADIATOR] PEAP-MSCHAPv2 + LDAP problem
Hugh Irvine
hugh at open.com.au
Fri Oct 3 23:54:00 CDT 2008
Hello Bill -
Can you please tell me what version of Radiator you are using?
The latest version is Radiator 4.3.1 (plus patches).
I would also like to see a more complete trace 4 debug showing the
complete packet exchange sequence for both cases.
thanks and regards
Hugh
On 3 Oct 2008, at 23:42, William Ulrich wrote:
> Hello all,
>
> I'm currently attempting to use a combination of Radiator and Sun's
> LDAP
> to provide authentication for our wireless network. The wireless
> controller uses PEAP/MSCHAPv2. If anyone has a suggestion on getting
> this to work, I'd be most grateful.
>
> I've successfully authenticated the ubiquitous 'mikem' user using a
> stripped down user file (/etc/radiator/users) containing only this
> entry:
>
> mikem User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4
> Service-Type=Framed-User
>
> and the following radius.cfg file, shamelessly cribbed from a mailing
> list posting back in May:
>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename /etc/radiator/users
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
> <Handler>
> <AuthBy FILE>
> EAPType PEAP
> EAPTLS_CAFile .../CA_cert_file.crt
> EAPTLS_CertificateFile .../server.crt
> EAPTLS_PrivateKeyFile .../server.key
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> </AuthBy>
> </Handler>
>
> This works. Now if I swap the TunnelledByPEAP handler's <AuthBy FILE>
> section with an analogous <AuthBy LDAP2>:
>
> <AuthBy LDAP2>
> Host *******************
> Port 389
> AuthDN cn=*************
> AuthPassword ***********
> BaseDN ou=people,dc=test,***********
> UsernameAttr uid
> PasswordAttr ntPassword
> EAPType MSCHAP-V2
> EAPTLS_CAFile .../CA_cert_file.crt
> EAPTLS_CertificateFile .../server.crt
> EAPTLS_PrivateKeyFile .../server.key
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> </AuthBy>
>
> Authentication fails, with the following log entry (apologies for the
> awkward wrapping):
>
> Thu Oct 2 15:32:28 2008: INFO: Connecting to ***********:389
> Thu Oct 2 15:32:28 2008: INFO: Attempting to bind to LDAP server *************:389
> Thu Oct 2 15:32:28 2008: DEBUG: LDAP got result for uid=fuser,ou=people,*************
> Thu Oct 2 15:32:28 2008: DEBUG: LDAP got ntPassword: {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
> Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 looks for match with fuser [anonymous]
> Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser [anonymous]
> Thu Oct 2 15:32:28 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Thu Oct 2 15:32:28 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
> Thu Oct 2 15:32:28 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Thu Oct 2 15:32:28 2008: DEBUG: Returned PEAP tunnelled packet dump:
>
> From what I can see in the log, it gets the right attribute (ntPassword)
> in the right form ({nthash}... a la the users file) and I've verified
> that the nthash is correct for the test user account.
>
> So - what's going wrong? I'm a little stymied, so if anyone has an
> idea,
> I'd love to hear it.
>
> Thanks in Advance,
>
> Bill Ulrich
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.