[RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm

Hugh Irvine hugh at open.com.au
Wed May 12 18:01:48 CDT 2010


Hello Craig -

Add "UsernameMatchesWithoutRealm" to your inner AuthBy LSA clause without any RewriteUsername(s).

.....

# Active Directory lookup via MSCHAP-V2
<AuthBy LSA>
    # say my name!
    Identifier AuthByActiveDirectory

    #Domain
    Domain ad.sfu.ca
    
    #No default user exists
    NoDefault
    
    #just use the username part of the User-Name string
    UsernameMatchesWithoutRealm

    #EAP Types accepted
    EAPType MSCHAP-V2

</AuthBy>

.....

See section 5.18.59 in the Radiator 4.6 reference manual ("doc/ref.pdf").

regards

Hugh
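The reason the username must not be rewritten before MS-CHAPv2 verification is that RFC 2759 derives the 8-octet challenge from the peer challenge, the authenticator challenge and the exact UserName string the peer used. The following added example (not Radiator code, and not from this thread) implements that ChallengeHash step and a hypothetical `strip_realm` helper that models the directory lookup key used when the realm is dropped, to show that the two names must be kept separate: the stripped name is only a lookup key, while the hash input has to stay what the client sent. The sample challenges are constructed.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash.

    SHA-1 over PeerChallenge || AuthenticatorChallenge || UserName, truncated
    to 8 octets. The NT-Response is computed from this value, so both peers
    must feed in the identical UserName string or verification fails.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def strip_domain_prefix(user_name: str) -> str:
    """RFC 2759 says only the user name, excluding any prepended
    'DOMAIN\\' part, is hashed; this mirrors that rule."""
    return user_name.rsplit("\\", 1)[-1]


def strip_realm(user_name: str) -> str:
    """Hypothetical model of a realm-stripping lookup key (assumption, not
    Radiator's implementation): 'user@realm' becomes 'user'. Use this for
    the directory lookup only, never as the ChallengeHash input."""
    return user_name.split("@", 1)[0]


# Constructed sample challenges, not taken from the thread.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def challenges_for(names: list[str]) -> dict[str, str]:
    """Return the hex challenge each candidate username form would produce."""
    return {
        n: challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_domain_prefix(n)).hex()
        for n in names
    }


if __name__ == "__main__":
    for name, chal in challenges_for(["user", "user@ad.sfu.ca", "ad.sfu.ca\\user"]).items():
        print(f"{name:20s} -> {chal}")
```

The `DOMAIN\user` and bare `user` forms hash identically because the prefix is excluded by the RFC, while `user@realm` does not, which matches the three outcomes in the quoted trace.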


On 13 May 2010, at 08:43, craigsimons at sfu.ca wrote:

> Hi All,
> 
> I'm having a problem getting MSCHAP-V2 working in the manner that I wish. My end goal is to allow users to log in against AD with the username in the "user at realm.com" format. To date, only "user" and "domain\user" seem to work. I know I should not rewrite user names because of the MSCHAP hashing. Is this even possible?
> 
> I am testing against a Windows 2008 server with a Windows 7 wireless client. Is it possible the Windows supplicant is taking the "user at domain.com", internally rewriting the user name to domain.com\user, and then creating the MSCHAPv2 hash?
> 
> The following is a snippet of config and log trace examples:
> 
> # Active Directory lookup via MSCHAP-V2
> <AuthBy LSA>
>     # say my name!
>     Identifier AuthByActiveDirectory
> 
>     #Domain
>     Domain ad.sfu.ca
>     
>     #No default user exists
>     NoDefault
>     
>     #EAP Types accepted
>     EAPType MSCHAP-V2
> 
> </AuthBy>
> 
> #Incoming Inner Requests from HiPath Wireless via PEAP\MSCHAP-V2
> <Handler Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1>
>     # rewrite username to strip realm off
>     #RewriteUsername s/^([^@]+).*/$1/
>         
>     #Identifier for logging purposes
>     Identifier Wireless TunnelledByPEAP
>        
>     # Authentication
>     AuthBy AuthByActiveDirectory
> 
> </Handler>
> 
> Using "user at domain.com" *** does not work
> 
> Wed May 12 15:32:35 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> Wed May 12 15:32:35 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> Wed May 12 15:32:35 2010: DEBUG: Handling with EAP: code 2, 7, 73, 26
> Wed May 12 15:32:35 2010: DEBUG: Response type 26
> Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA looks for match with user at ad.sfu.ca [user at ad.sfu.ca]
> Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA ACCEPT: : user at ad.sfu.ca [user at ad.sfu.ca]
> Wed May 12 15:32:35 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> 
> 
> Wed May 12 15:32:35 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Wed May 12 15:32:35 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
> Wed May 12 15:32:35 2010: INFO: Access rejected for user at ad.sfu.ca: EAP MSCHAP-V2 Authentication failure
> Wed May 12 15:32:35 2010: DEBUG: Returned PEAP tunnelled packet dump:
> 
> Using "domain.com/user" *** works!
> 
> Wed May 12 15:35:47 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> Wed May 12 15:35:47 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> Wed May 12 15:35:47 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26
> Wed May 12 15:35:47 2010: DEBUG: Response type 26
> Wed May 12 15:35:47 2010: DEBUG: EAP result: 0, 
> Wed May 12 15:35:47 2010: DEBUG: AuthBy LSA result: ACCEPT, 
> Wed May 12 15:35:47 2010: DEBUG: Access accepted for ad.sfu.ca\user
> Wed May 12 15:35:47 2010: DEBUG: Returned PEAP tunnelled packet dump:
> 
> Using "user" *** works!
> 
> Wed May 12 15:31:34 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> Wed May 12 15:31:34 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> Wed May 12 15:31:34 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26
> Wed May 12 15:31:34 2010: DEBUG: Response type 26
> Wed May 12 15:31:34 2010: DEBUG: EAP result: 0, 
> Wed May 12 15:31:34 2010: DEBUG: AuthBy LSA result: ACCEPT, 
> Wed May 12 15:31:34 2010: DEBUG: Access accepted for user
> Wed May 12 15:31:34 2010: DEBUG: Returned PEAP tunnelled packet dump:
> 
> 
> Regards, 
> Craig Simons
> 
> 
> --------------------------------------
> Craig Simons
> Network Operations
> Simon Fraser University
> Surrey BC, Canada
> em. craigsimons at sfu.ca
> ph. 778-782-8036
> ce. 604-649-7977
> -------------------------------------- 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.