[RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm
    craigsimons at sfu.ca
    Wed May 12 17:43:55 CDT 2010
Hi All, 
I'm having a problem getting MSCHAP-V2 working in the manner that I wish. My end goal is to allow users to log in against AD with the username in the "user@realm.com" format. To date, only "user" and "domain\user" seem to work. I know I should not rewrite user names because of the MSCHAP hashing. Is this even possible?
I am testing against a Windows 2008 server with a Windows 7 wireless client. Is it possible the Windows supplicant is taking the "user@domain.com", internally rewriting the user name to domain.com\user, and then creating the MSCHAPv2 hash?
The following is a snippet of config and log trace examples: 
# Active Directory lookup via MSCHAP-V2
<AuthBy LSA>
    # say my name!
    Identifier AuthByActiveDirectory
    # Domain
    Domain ad.sfu.ca
    # No default user exists
    NoDefault
    # EAP Types accepted
    EAPType MSCHAP-V2
</AuthBy>

# Incoming Inner Requests from HiPath Wireless via PEAP\MSCHAP-V2
<Handler Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1>
    # rewrite username to strip realm off
    #RewriteUsername s/^([^@]+).*/$1/
    # Identifier for logging purposes
    Identifier Wireless TunnelledByPEAP
    # Authentication
    AuthBy AuthByActiveDirectory
</Handler>
Using "user@domain.com" *** does not work
Wed May 12 15:32:35 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
Wed May 12 15:32:35 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
Wed May 12 15:32:35 2010: DEBUG: Handling with EAP: code 2, 7, 73, 26 
Wed May 12 15:32:35 2010: DEBUG: Response type 26 
Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA looks for match with user at ad.sfu.ca [user at ad.sfu.ca] 
Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA ACCEPT: : user at ad.sfu.ca [user at ad.sfu.ca] 
Wed May 12 15:32:35 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password. 
Wed May 12 15:32:35 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure 
Wed May 12 15:32:35 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure 
Wed May 12 15:32:35 2010: INFO: Access rejected for user at ad.sfu.ca: EAP MSCHAP-V2 Authentication failure 
Wed May 12 15:32:35 2010: DEBUG: Returned PEAP tunnelled packet dump: 
Using "domain.com/user" *** works! 
Wed May 12 15:35:47 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
Wed May 12 15:35:47 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
Wed May 12 15:35:47 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26 
Wed May 12 15:35:47 2010: DEBUG: Response type 26 
Wed May 12 15:35:47 2010: DEBUG: EAP result: 0, 
Wed May 12 15:35:47 2010: DEBUG: AuthBy LSA result: ACCEPT, 
Wed May 12 15:35:47 2010: DEBUG: Access accepted for ad.sfu.ca\user 
Wed May 12 15:35:47 2010: DEBUG: Returned PEAP tunnelled packet dump: 
Using "user" *** works! 
Wed May 12 15:31:34 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
Wed May 12 15:31:34 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
Wed May 12 15:31:34 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26 
Wed May 12 15:31:34 2010: DEBUG: Response type 26 
Wed May 12 15:31:34 2010: DEBUG: EAP result: 0, 
Wed May 12 15:31:34 2010: DEBUG: AuthBy LSA result: ACCEPT, 
Wed May 12 15:31:34 2010: DEBUG: Access accepted for user 
Wed May 12 15:31:34 2010: DEBUG: Returned PEAP tunnelled packet dump: 
Regards, 
Craig Simons 
-------------------------------------- 
Craig Simons 
Network Operations 
Simon Fraser University 
Surrey BC, Canada 
em. craigsimons at sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
-------------------------------------- 
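Why a server-side realm strip cannot work with MS-CHAPv2, as an added illustration that is not code from the post above or from Radiator: the 8-byte challenge the NT-Response is computed over is SHA1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 bytes (RFC 2759, section 8.2), so the server must feed in exactly the username string the client hashed, whatever password is in play. The RFC 2759 section 9.2 test vector checks the function; the user@ad.sfu.ca comparison uses constructed challenge bytes.

```python
"""MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2), standard library only."""
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: bytes) -> bytes:
    """First 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    The 24-byte NT-Response is three DES encryptions of exactly these 8 bytes,
    keyed from the NT password hash. If the server derives a different 8-byte
    challenge than the client did (for example because it rewrote the
    username), the client's NT-Response can never verify, even with the
    correct password. RFC 2759 defines UserName here as the user name as the
    peer presented it, minus any prepended NT domain; a trailing realm is not
    covered by that wording.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be exactly 16 bytes")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()
    return digest[:8]


# Test vector from RFC 2759, section 9.2 (not constructed).
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def rewrite_breaks_verification(sent_username: bytes, server_username: bytes) -> bool:
    """True when the challenge the server would derive differs from the client's.

    Both sides see the same challenge bytes (constructed here); only the
    username string differs, which is what a RewriteUsername rule would do.
    """
    peer = bytes(range(16))          # constructed PeerChallenge
    auth = bytes(range(16, 32))      # constructed AuthenticatorChallenge
    return challenge_hash(peer, auth, sent_username) != challenge_hash(peer, auth, server_username)


if __name__ == "__main__":
    ok = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME) == RFC_CHALLENGE
    print("RFC 2759 vector matches:", ok)
    print("stripping realm breaks verification:",
          rewrite_breaks_verification(b"user@ad.sfu.ca", b"user"))
```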