[RADIATOR] MSCHAPv2 problem

Colin Byelong c.byelong at ucl.ac.uk
Wed Feb 25 08:13:23 CST 2009


Hi,

We have been using Radiator as part of the Eduroam service; we currently
support EAP-TTLS and proxy requests for other realms. This has been
working for a number of years with only a few problems.
I have been asked if we could add EAP-PEAP support. I have configured
Radiator on a Windows 2003 server to test this and thought I could use
AuthBy LSA.
The problem is that if I use username@realm format it fails, but if I use
username format it works. I understand that this is because of the way
MSCHAP makes a hash, but I thought UsernameMatchesWithoutRealm would fix
this.

Below is the simple config I have been using. I tried to attach the
logs for a successful and an unsuccessful login, but the mail was too big.

Any help much appreciated

Thanks

Colin

#
Foreground
LogStdout
LogDir .
DbDir .
#
#Logfiles
DictionaryFile %D/dictionary,%D/dictionary.cisco
#
#Use port 1812 for Authentication
AuthPort 1812,1645
#Use port 1813 for accounting
AcctPort 1813,1646
Trace  4
#
<Client localhost>
        Secret mysecret
        DupInterval 0
</Client>
#
<Client DEFAULT>
        Secret Goeduroamyourself!
        DupInterval 0
</Client>

#
<Handler TunnelledByPEAP=1>
        #RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LSA>
                UsernameMatchesWithoutRealm
                #RewriteUsername s/^([^@]+).*/$1/
                # Specifies which Windows Domain is ALWAYS to be used to authenticate
                # users (even if they specify a different domain in their username).
                # Empty string means the local machine only
                # Special characters are supported. Can be an Active
                # directory domain or a Windows NT domain controller
                # domain name
                # Empty string (the default) means the local machine
                #Domain OPEN

                # Specifies the Windows Domain to use if the user does not
                # specify a domain in their username.
                # Special characters are supported. Can be an Active
                # directory domain or a Windows NT domain controller
                # domain name
                # Empty string (the default) means the local machine
                #DefaultDomain OPEN

                # This specifies the workstation to the LSA. It might be used to check
                # whether the user is permitted to log in. If the user has any
                # workstation logon restrictions, this is the name that it
                # will be checked against. Defaults to '', which means that
                # workstation restrictions will not be checked
                #Workstation WLAN

                # You can check whether each user is the member of a Windows group
                # with the Group parameter. If more than one Group is specified, then the
                # user must be a member of at least one of them. Requires Win32::NetAdmin
                # (which is installed by default with ActivePerl). If no Group
                # parameters are specified, then Group checks will not be performed.
                #Group Administrators
                #Group Domain Users

                # You can force which domain controller will be used to check group
                # membership with the DomainController parameter. If no Group parameters
                # are specified, DomainController will not be used. Defaults to
                # empty string, meaning AuthBy LSA will try to find
                # the controller to use based on the user's domain. If
                # that fails, then the default controller of the host where this
                # instance of Radiator is running.
                #DomainController zulu

                # If you specify EAPType LEAP, you can also handle
                # Cisco LEAP with any LSA native authentication
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>
#
<Handler>
        #RewriteUsername s/^([^@]+).*/$1/
        <AuthBy FILE>
                RewriteUsername s/^([^@]+).*/$1/
                #UsernameMatchesWithoutRealm
                Filename /dev/null
                EAPType PEAP
                EAPTLS_CAFile %D/certs/sureserverEDU.pem
                EAPTLS_CertificateFile %D/certs/orps.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certs/server.key
                EAPTLS_MaxFragmentSize 1500
                AutoMPPEKeys
                EAPAnonymous
                #EAPTLS_PEAPBrokenV1Label
                SSLeayTrace 4
        </AuthBy>
</Handler>

-- 
-----------------------------------------------------------------------


Colin Byelong                             Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street                              Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
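The post attributes the user@realm failure to "the way MSCHAP makes a hash". The step involved is the ChallengeHash of RFC 2759 section 8.2: the 8-octet challenge that the NT-Response is computed over is SHA-1 over the peer challenge, the authenticator challenge and the UserName string, so if the server recomputes the response with a different user-name string than the supplicant used (for example a bare "colin" after a RewriteUsername, while the client hashed "colin@realm"), the responses can never match even with the correct password. The following Python is an added example written for this page; it is not part of the mailing-list post and not Radiator code. The user names, realm and challenge bytes are constructed sample values.

```python
"""Why an MS-CHAPv2 check must use the exact UserName the peer hashed.

Added example, not from the post or from Radiator. Implements the
ChallengeHash() step of RFC 2759 section 8.2 and shows that the derived
8-octet challenge, and so the NT-Response built on it, differs when the
authenticator hashes a different user-name string than the peer did.
"""
import hashlib
import os


def mschapv2_username(name: str) -> str:
    """Strip a prepended 'DOMAIN\\' as RFC 2759 requires before hashing.

    The RFC only excludes a prepended domain. Stripping an '@realm' suffix
    is not mandated, so a supplicant may hash 'user@realm' exactly as typed;
    the server must then be told which form the peer used (the role of
    Radiator's UsernameMatchesWithoutRealm in the posted config).
    """
    _, sep, user = name.rpartition("\\")
    return user if sep else name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA-1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8]."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))  # assumption: ASCII user name, as in the RFC text
    return h.digest()[:8]


def same_challenge(peer_name: str, server_name: str,
                   peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True iff peer and server derive the same 8-octet challenge.

    When this is False the server-side NT-Response can never equal the
    peer's, and authentication fails regardless of the password.
    """
    peer = challenge_hash(peer_challenge, auth_challenge, mschapv2_username(peer_name))
    server = challenge_hash(peer_challenge, auth_challenge, mschapv2_username(server_name))
    return peer == server


if __name__ == "__main__":
    # Constructed sample challenges; a real exchange uses random 16-octet values.
    pc = os.urandom(16)
    ac = os.urandom(16)
    # Peer hashed "colin@example.ac.uk" (constructed realm); server rewrote to "colin".
    print("user@realm on peer, bare name on server:",
          same_challenge("colin@example.ac.uk", "colin", pc, ac))   # False
    # Same string on both sides: the responses can match.
    print("same string on both sides:",
          same_challenge("colin@example.ac.uk", "colin@example.ac.uk", pc, ac))  # True
    # A prepended 'DOMAIN\' is stripped by the RFC on both sides (constructed domain OPEN).
    print("OPEN\\colin on peer, colin on server:",
          same_challenge("OPEN\\colin", "colin", pc, ac))  # True
```

The practical check this gives a RADIUS operator: whatever user-name rewriting the server does for the account lookup (here, stripping the realm so the LSA finds the Windows account) must not change the string fed into the MS-CHAPv2 hash, which has to stay whatever the supplicant sent inside the tunnel.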