[RADIATOR] MSCHAPv2 problem
Hugh Irvine
hugh at open.com.au
Thu Mar 5 21:45:20 CST 2009
Hello Colin -
Unfortunately, the implementation of EAP PEAP varies from vendor to
vendor and supplicant to supplicant.
Some implementations use just the username without the "@some.real"
suffix to calculate the MSCHAP-V2 challenge, and others use the whole
string.
This causes the problems that you observe, and this is why many
organisations use TTLS instead.
The only suggestion I can make is to test the different variations in
your environment to see what works and what doesn't.
You might find something like Cloudpath useful in this situation (tell
them we sent you):
www.cloudpath.net
regards
Hugh
On 4 Mar 2009, at 18:52, Colin Byelong wrote:
> Hi Hugh,
>
> I sent the traces, could you see anything wrong ?
>
> Thanks
>
> Colin
>>
>> Hello Colin -
>>
>> I will need to see a trace 4 debug showing what is happening.
>>
>> The trace showing just the outer requests and the inner request
>> processing shouldn't be too large - you can send them separately if
>> you need to.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 26 Feb 2009, at 01:13, Colin Byelong wrote:
>>
>>> Hi,
>>>
>>> We have been using Radiator as part of the Eduroam service; we currently
>>> support EAP-TTLS and proxy requests for other realms. This has been
>>> working for a number of years with only a few problems.
>>> I have been asked if we could add EAP-PEAP support. I have configured
>>> Radiator on a Windows 2003 server to test this and thought I could use
>>> AuthBy LSA.
>>> The problem is that if I use the username@realm format it fails, but if
>>> I use the plain username format it works. I understand that this is
>>> because of the way MSCHAP makes a hash, but I thought
>>> UsernameMatchesWithoutRealm would fix this.
>>>
>>> Below is the simple config I have been using. I have tried to attach
>>> the logs for a successful and an unsuccessful login, but the mail was
>>> too big.
>>>
>>> Any help much appreciated
>>>
>>> Thanks
>>>
>>> Colin
>>>
>>> #
>>> Foreground
>>> LogStdout
>>> LogDir .
>>> DbDir .
>>> #
>>> #Logfiles
>>> DictionaryFile %D/dictionary,%D/dictionary.cisco
>>> #
>>> #
>>> #
>>> #
>>> #Use port 1812 for Authentication
>>> AuthPort 1812,1645
>>> #Use port 1813 for accounting
>>> AcctPort 1813,1646
>>> Trace 4
>>> #
>>> #
>>> #
>>> #
>>>
>>>
>>>
>>>
>>> #
>>> <Client localhost>
>>> Secret mysecret
>>> DupInterval 0
>>> </Client>
>>> #
>>> <Client DEFAULT>
>>> #
>>> Secret Goeduroamyourself!
>>> DupInterval 0
>>> #
>>> </Client>
>>>
>>> #
>>> <Handler TunnelledByPEAP=1>
>>> #RewriteUsername s/^([^@]+).*/$1/
>>> <AuthBy LSA>
>>> UsernameMatchesWithoutRealm
>>> #RewriteUsername s/^([^@]+).*/$1/
>>> # Specifies which Windows Domain is ALWAYS to be used
>>> to
>>> authenticate
>>> # users (even if they specify a different domain in
>>> their
>>> username).
>>> # Empty string means the local machine only
>>> # Special characters are supported. Can be an Active
>>> # directory domain or a Windows NT domain controller
>>> # domain name
>>> # Empty string (the default) means the local machine
>>> #Domain OPEN
>>>
>>> # Specifies the Windows Domain to use if the user
>>> does not
>>> # specify a doain domain in their username.
>>> # Special characters are supported. Can be an Active
>>> # directory domain or a Windows NT domain controller
>>> # domain name
>>> # Empty string (the default) means the local machine
>>> #DefaultDomain OPEN
>>>
>>> # This specifies the workstation to the LSA. It might
>>> be
>>> used tocheck
>>> # whether the the user is permitted to log in. If the
>>> user has any
>>> # workstation logon restrictions, this is the name
>>> that it
>>> # will be checked against. Defaults to '', which
>>> means that
>>> # workstation restrictions will not be checked
>>> #Workstation WLAN
>>>
>>> # You can check whether each user is the member of a
>>> windows group
>>> # with the Group parameter. If more than one Group is
>>> specified,then the
>>> # user must be a member of at least one of them.
>>> Requires
>>> Win32::NetAdmin
>>> # (which is installed by default with ActivePerl). If
>>> no
>>> Group
>>> # parameters are specified, then Group checks will
>>> not be
>>> performed.
>>> #Group Administrators
>>> #Group Domain Users
>>>
>>> # You can force which domain controller will be used to
>>> check group
>>> # membership with the DomainController parameter. If no
>>> Group parameters
>>> # are specified, DomainController will not be used.
>>> Defaults to
>>> # empty string, meaning AuthBy LSQA will try to find
>>> # the controller to use based on the users domain. IF
>>> # that fails, then the default controller of the host
>>> where this
>>> # instance of Radiator is running.
>>> #DomainController zulu
>>>
>>> # If you specify EAPType LEAP, you can also handle
>>> # Cisco LEAP with any LSA native authentication
>>> EAPType MSCHAP-V2
>>> </AuthBy>
>>> </Handler>
>>> #
>>> #
>>> <Handler>
>>> #RewriteUsername s/^([^@]+).*/$1/
>>> <AuthBy FILE>
>>> RewriteUsername s/^([^@]+).*/$1/
>>> #]UsernameMatchesWithoutRealm
>>> Filename /dev/null
>>> EAPType PEAP
>>> EAPTLS_CAFile %D/certs/sureserverEDU.pem
>>> EAPTLS_CertificateFile %D/certs/orps.pem
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_PrivateKeyFile %D/certs/server.key
>>> EAPTLS_MaxFragmentSize 1500
>>> AutoMPPEKeys
>>> EAPAnonymous
>>> #EAPTLS_PEAPBrokenV1Label
>>> SSLeayTrace 4
>>> </AuthBy>
>>> </Handler>
>>>
>>> --
>>> -----------------------------------------------------------------------
>>>
>>>
>>> Colin Byelong Email: C.Byelong at ucl.ac.uk
>>> Senior Network Development Officer
>>> Network Group
>>> Information Systems Division
>>> University College London
>>> Gower Street Phone: 020 7679-2572
>>> London WC1E 6BT
>>> ------------------------------------------------------------------------
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
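As an added illustration of Hugh's point (example code written for this page, not from the thread and not Radiator's own code): in MS-CHAP-V2 the 8-octet Challenge that feeds the NT-Response is derived from the user-name octets together with the two random challenges (RFC 2759 section 8.2), so a supplicant that hashes the bare user name and a server that hashes the full inner identity with its "@realm" suffix compute different Challenge values, and the NT-Response can never verify. The RFC specifies the name without a Microsoft domain prefix but leaves the realm suffix to the implementation, which is the vendor variance described above. The script reproduces the RFC 2759 section 9.2 test vector (user name "User") and then compares both sides using a constructed identity "alice@example.edu"; strip_realm() mirrors the RewriteUsername s/^([^@]+).*/$1/ line in Colin's config.

```python
import hashlib

# RFC 2759 (MS-CHAP-V2), section 8.2:
#   Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
# Both ends must feed exactly the same UserName octets into this hash, or the
# NT-Response built from it will not match on the server.


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """Return the 8-octet MS-CHAP-V2 Challenge for this (peer, authenticator, user name)."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must be 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(username.encode("ascii"))  # raw octets of the name, no NUL terminator
    return sha.digest()[:8]


def strip_realm(username: str) -> str:
    """Keep only the part before the first '@', the same effect as the
    RewriteUsername s/^([^@]+).*/$1/ line in the thread's configuration."""
    return username.split("@", 1)[0]


def sides_agree(peer_challenge: bytes, authenticator_challenge: bytes,
                supplicant_name: str, server_name: str) -> bool:
    """True when supplicant and server derive the same Challenge, i.e. when the
    server could possibly verify the NT-Response the supplicant sends."""
    return (challenge_hash(peer_challenge, authenticator_challenge, supplicant_name)
            == challenge_hash(peer_challenge, authenticator_challenge, server_name))


# Test vector from RFC 2759 section 9.2 (UserName "User").
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_EXPECTED_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def rfc_vector_ok() -> bool:
    """Sanity check of challenge_hash() against the published RFC 2759 vector."""
    return challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "User") == RFC_EXPECTED_CHALLENGE


if __name__ == "__main__":
    # Constructed sample identity (not taken from the thread): the supplicant
    # hashes the bare user name, while the inner EAP identity carries the realm.
    supplicant_name = "alice"
    inner_identity = "alice@example.edu"
    peer, auth = RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE

    print("RFC 2759 vector reproduces:", rfc_vector_ok())
    print("server hashes full inner identity, supplicant hashes bare name:",
          sides_agree(peer, auth, supplicant_name, inner_identity))
    print("server strips the realm before hashing:",
          sides_agree(peer, auth, supplicant_name, strip_realm(inner_identity)))
    # The mirror case: a supplicant that hashes the whole string fails against
    # a server that strips the realm, which is why no single setting fits every client.
    print("supplicant hashes full identity, server strips the realm:",
          sides_agree(peer, auth, inner_identity, strip_realm(inner_identity)))
```

Run it as a script to see the three comparisons; the only one that agrees is the pair where both ends hash the same octets, so the fix is always to make the server's view of the name match what the particular supplicant hashes, not to pick one setting in the abstract.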