[RADIATOR] MSCHAPv2 problem

Colin Byelong c.byelong at ucl.ac.uk
Thu Feb 26 08:15:09 CST 2009


Hi Hugh,

The successful trace is appended/attached.

Thanks

Colin
>
> Hello Colin -
>
> I will need to see a trace 4 debug showing what is happening.
>
> The trace showing just the outer requests and the inner request 
> processing shouldn't be too large - you can send them separately if 
> you need to.
>
> regards
>
> Hugh
>
>
> On 26 Feb 2009, at 01:13, Colin Byelong wrote:
>
>> Hi,
>>
>> We have been using Radiator as part of the Eduroam service; we currently
>> support EAP-TTLS and proxy requests for other realms. This has been
>> working for a number of years with only a few problems.
>> I have been asked if we could add EAP-PEAP support. I have configured
>> Radiator on a Windows 2003 server to test this and thought I could use
>> AuthBy LSA.
>> The problem is that if I use the username@realm format it fails, but if I use
>> the username format it works. I understand that this is because of the way
>> MSCHAP makes a hash, but I thought UsernameMatchesWithoutRealm would fix
>> this.
>>
>> Below is the simple config I have been using. I have tried to attach
>> the logs for a successful and an unsuccessful login, but the mail was too big.
>>
>> Any help much appreciated
>>
>> Thanks
>>
>> Colin
>>
>> #
>> Foreground
>> LogStdout
>> LogDir .
>> DbDir .
>> #
>> #Logfiles
>> DictionaryFile %D/dictionary,%D/dictionary.cisco
>> #
>> #
>> #
>> #
>> #Use port 1812 for Authentication
>> AuthPort 1812,1645
>> #Use port 1813 for accounting
>> AcctPort 1813,1646
>> Trace  4
>> #
>> #
>> #
>> #
>>
>>
>>
>>
>> #
>> <Client localhost>
>>      Secret mysecret
>>      DupInterval 0
>> </Client>
>> #
>> <Client DEFAULT>
>> #
>> Secret Goeduroamyourself!
>> DupInterval 0
>> #
>> </Client>
>>
>> #
>> <Handler TunnelledByPEAP=1>
>> #RewriteUsername s/^([^@]+).*/$1/
>>       <AuthBy LSA>
>>                UsernameMatchesWithoutRealm
>>               #RewriteUsername s/^([^@]+).*/$1/
>>               # Specifies which Windows Domain is ALWAYS to be used to authenticate
>>               # users (even if they specify a different domain in their username).
>>               # Empty string means the local machine only
>>               # Special characters are supported. Can be an Active
>>               # directory domain or a Windows NT domain controller
>>               # domain name
>>               # Empty string (the default) means the local machine
>>               #Domain OPEN
>>
>>               # Specifies the Windows Domain to use if the user does not
>>               # specify a domain in their username.
>>               # Special characters are supported. Can be an Active
>>               # directory domain or a Windows NT domain controller
>>               # domain name
>>               # Empty string (the default) means the local machine
>>               #DefaultDomain OPEN
>>
>>               # This specifies the workstation to the LSA. It might be used to check
>>               # whether the user is permitted to log in. If the user has any
>>               # workstation logon restrictions, this is the name that it
>>               # will be checked against. Defaults to '', which means that
>>               # workstation restrictions will not be checked
>>               #Workstation WLAN
>>
>>               # You can check whether each user is the member of a Windows group
>>               # with the Group parameter. If more than one Group is specified, then the
>>               # user must be a member of at least one of them. Requires Win32::NetAdmin
>>               # (which is installed by default with ActivePerl). If no Group
>>               # parameters are specified, then Group checks will not be performed.
>>               #Group Administrators
>>               #Group Domain Users
>>
>>               # You can force which domain controller will be used to check group
>>               # membership with the DomainController parameter. If no Group parameters
>>               # are specified, DomainController will not be used. Defaults to
>>               # empty string, meaning AuthBy LSA will try to find
>>               # the controller to use based on the user's domain. If
>>               # that fails, then the default controller of the host where this
>>               # instance of Radiator is running.
>>               #DomainController zulu
>>
>>               # If you specify EAPType LEAP, you can also handle
>>               # Cisco LEAP with any LSA native authentication
>>               EAPType MSCHAP-V2
>>       </AuthBy>
>> </Handler>
>> #
>> #
>> <Handler>
>> #RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy FILE>
>>             RewriteUsername s/^([^@]+).*/$1/
>>             #UsernameMatchesWithoutRealm
>>             Filename /dev/null
>>             EAPType PEAP
>>             EAPTLS_CAFile %D/certs/sureserverEDU.pem
>>             EAPTLS_CertificateFile %D/certs/orps.pem
>>             EAPTLS_CertificateType PEM
>>             EAPTLS_PrivateKeyFile %D/certs/server.key
>>             EAPTLS_MaxFragmentSize 1500
>>             AutoMPPEKeys
>>             EAPAnonymous
>>             #EAPTLS_PEAPBrokenV1Label
>>             SSLeayTrace 4
>> </AuthBy>
>> </Handler>
>>
>> -- 
>> -----------------------------------------------------------------------
>>
>>
>> Colin Byelong                             Email: C.Byelong at ucl.ac.uk
>> Senior Network Development Officer
>> Network Group
>> Information Systems Division
>> University College London
>> Gower Street                              Phone: 020 7679-2572
>> London WC1E 6BT
>> ------------------------------------------------------------------------
>>
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: working.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20090226/1e323e60/attachment-0001.txt>
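The mechanism Colin is pointing at, as an added illustration that is not part of this thread or of Radiator's own code: RFC 2759 section 8.2 feeds the user name string exactly as the peer presented it (only a prefixed DOMAIN\ is excluded) into the ChallengeHash that seeds the NT-Response, so an authenticator that rewrites user@realm to user before verifying is checking against a different hash than the one the client computed. The challenge octets and the alice@example.org name below are constructed for the demonstration.

```python
import hashlib
import re

# Constructed 16-octet challenges for the demonstration (not taken from the thread's trace).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    This 8-octet value is the DES plaintext for the NT-Response, so every
    octet of the user name string, including an @realm suffix, shapes the
    response the peer sends.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("challenges must be 16 octets")
    data = peer_challenge + authenticator_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def strip_realm(username: str) -> str:
    """Same effect as the thread's RewriteUsername s/^([^@]+).*/$1/ : drop '@realm'."""
    return re.sub(r"^([^@]+).*", r"\1", username)


def authenticator_check(peer_username: str, server_username: str) -> dict:
    """Compare the ChallengeHash the peer built from peer_username with the
    one an authenticator would build if it verified under server_username.

    A mismatch here means the NT-Response can never verify, whatever the
    password is, because the two sides encrypted different plaintexts.
    """
    peer_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, peer_username)
    server_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_username)
    return {
        "peer_hash": peer_side.hex(),
        "server_hash": server_side.hex(),
        "match": peer_side == server_side,
    }


if __name__ == "__main__":
    sent = "alice@example.org"  # constructed user name in username@realm form
    print("unchanged name :", authenticator_check(sent, sent))
    print("realm stripped :", authenticator_check(sent, strip_realm(sent)))
```

The second call reproduces the failing case in the thread: verifying under the stripped name cannot succeed, so the realm must be kept (or matched without altering the name used for the hash) on the authenticating side.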
