[RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm

Craig Simons craigsimons at sfu.ca
Wed May 12 18:26:32 CDT 2010


Thanks for the quick response, Hugh.

I did try adding that previously but I didn't mention it. This does not seem to work either, although I can see it does have an effect. Would this not affect the hashing if the user name was changed? I'm assuming that the "Radius::AuthLSA ACCEPT: : user [user at ad.sfu.ca]" means the user is found but that the password is not matching? 

Wed May 12 16:19:17 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
Wed May 12 16:19:17 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
Wed May 12 16:19:17 2010: DEBUG: Handling with EAP: code 2, 7, 73, 26 
Wed May 12 16:19:17 2010: DEBUG: Response type 26 
Wed May 12 16:19:17 2010: DEBUG: Radius::AuthLSA looks for match with user [user at ad.sfu.ca] 
Wed May 12 16:19:17 2010: DEBUG: Radius::AuthLSA ACCEPT: : user [user at ad.sfu.ca] 
Wed May 12 16:19:17 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password. 


Wed May 12 16:19:17 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure 
Wed May 12 16:19:17 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure 
Wed May 12 16:19:17 2010: INFO: Access rejected for user at ad.sfu.ca: EAP MSCHAP-V2 Authentication failure 
Wed May 12 16:19:17 2010: DEBUG: Returned PEAP tunnelled packet dump: 

-------------------------------------- 
Craig Simons 
Network Operations 
Simon Fraser University 
Surrey BC, Canada 
em. craigsimons at sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
-------------------------------------- 
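The question raised above (whether changing the user name affects the hashing) comes down to one step of MS-CHAPv2: in RFC 2759 section 8.2 the 8-byte challenge that the NT-Response is computed over is the first 8 bytes of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName), and the RFC's pseudocode notes that the name is hashed with any prefixed domain name removed but says nothing about a realm suffix. The script below is an added example written for this thread, not Radiator code and not something either poster supplied. It reproduces only that ChallengeHash step, checks it against the RFC 2759 section 9.2 test vector, and then shows which server-side treatment of the three User-Name forms from the traces ("user", "ad.sfu.ca\user", "user@ad.sfu.ca"; the archive prints "@" as " at ") would still let the server reproduce the supplicant's challenge. The supplicant behaviour it models is the RFC pseudocode, which is an assumption; what a particular Windows supplicant actually hashes for "user@realm" cannot be read off the traces.

```python
"""Why rewriting User-Name breaks MS-CHAPv2 verification (RFC 2759 section 8.2).

Added example for the mailing-list thread; not Radiator's code. Only the
ChallengeHash step is reproduced, because it is the only part of the
NT-Response computation that takes the user name as input; the remaining
steps (MD4 of the password, three DES operations) never see the name.
"""
import hashlib

# Inputs from the RFC 2759 section 9.2 test vector (UserName "User").
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE_FOR_USER = bytes.fromhex("D02E4386BCE91226")


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: SHA-1 over both challenges and the name, truncated to 8 bytes."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(user_name.encode("utf-8"))
    return sha.digest()[:8]


def name_hashed_by_peer(user_name: str) -> str:
    """Name a peer following the RFC pseudocode feeds into ChallengeHash.

    The RFC comment says the name is used "excluding any prefixed domain
    name", so DOMAIN\\user becomes user. An @realm suffix is not mentioned
    there and is therefore kept (assumption: the peer follows the RFC text).
    """
    return user_name.rsplit("\\", 1)[-1]


def strip_realm(user_name: str) -> str:
    """The commented-out RewriteUsername s/^([^@]+).*/$1/ from the thread, in Python."""
    return user_name.split("@", 1)[0]


def server_can_verify(name_from_supplicant: str, name_server_hashes: str) -> bool:
    """True only if the server derives the same 8-byte challenge the peer did.

    name_from_supplicant is the User-Name as sent; name_server_hashes is the
    string the server decides to feed into ChallengeHash (unchanged, prefix
    stripped, realm stripped, ...). If the two challenges differ, the
    NT-Response the server computes from the stored password hash can never
    equal the one the peer sent, which surfaces as "bad password".
    """
    peer_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE,
                               name_hashed_by_peer(name_from_supplicant))
    server_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, name_server_hashes)
    return peer_side == server_side


def rfc_vector_ok() -> bool:
    """Self-check against the published RFC 2759 section 9.2 Challenge value."""
    return challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "User") == RFC_CHALLENGE_FOR_USER


if __name__ == "__main__":
    print("RFC 2759 test vector reproduced:", rfc_vector_ok())
    # Constructed names mirroring the three forms seen in the thread's traces.
    cases = [
        ("user", "user"),
        ("ad.sfu.ca\\user", name_hashed_by_peer("ad.sfu.ca\\user")),
        ("ad.sfu.ca\\user", "ad.sfu.ca\\user"),
        ("user@ad.sfu.ca", "user@ad.sfu.ca"),
        ("user@ad.sfu.ca", strip_realm("user@ad.sfu.ca")),
    ]
    for sent, hashed in cases:
        print(f"sent={sent!r:20} server hashes={hashed!r:20} verifiable={server_can_verify(sent, hashed)}")
```

The last two rows are the ones that matter for the thread: a server that keeps "user@ad.sfu.ca" intact for the hash can still verify the response, while one that rewrites it to "user" before hashing cannot, whatever name it then uses to find the account in AD. Looking the account up by the stripped name and hashing the full name are two separate decisions, and only the second one has to agree with the supplicant.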

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au> 
To: "Craig Simons" <craigsimons at sfu.ca> 
Cc: radiator at open.com.au 
Sent: Wednesday, 12 May, 2010 16:01:48 GMT -08:00 US/Canada Pacific 
Subject: Re: [RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm 


Hello Craig - 

Add "UsernameMatchesWithoutRealm" to your inner AuthBy LSA clause without any RewriteUsername(s). 

..... 

# Active Directory lookup via MSCHAP-V2 
<AuthBy LSA> 
# say my name! 
Identifier AuthByActiveDirectory 

#Domain 
Domain ad.sfu.ca 

#No default user exists 
NoDefault 

#just use the username part of the User-Name string 
UsernameMatchesWithoutRealm 

#EAP Types accepted 
EAPType MSCHAP-V2 

</AuthBy> 

..... 

See section 5.18.59 in the Radiator 4.6 reference manual ("doc/ref.pdf"). 

regards 

Hugh 


On 13 May 2010, at 08:43, craigsimons at sfu.ca wrote: 

> Hi All, 
> 
> I'm having a problem getting MSCHAP-V2 working in the manner that I wish. My end goal is to allow users to log in against AD with the username in the "user at realm.com" format. To date, only "user" and "domain\user" seem to work. I know I should not rewrite user names because of the MSCHAP hashing. Is this even possible? 
> 
> I am testing against a Windows 2008 server with a Windows 7 wireless client. Is it possible the Windows supplicant is taking the "user at domain.com", internally rewriting the user name to domain.com\user, and then creating the MSCHAPv2 hash? 
> 
> The following is a snippet of config and log trace examples: 
> 
> # Active Directory lookup via MSCHAP-V2 
> <AuthBy LSA> 
> # say my name! 
> Identifier AuthByActiveDirectory 
> 
> #Domain 
> Domain ad.sfu.ca 
> 
> #No default user exists 
> NoDefault 
> 
> #EAP Types accepted 
> EAPType MSCHAP-V2 
> 
> </AuthBy> 
> 
> #Incoming Inner Requests from HiPath Wireless via PEAP\MSCHAP-V2 
> <Handler Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1> 
> # rewrite username to strip realm off 
> #RewriteUsername s/^([^@]+).*/$1/ 
> 
> #Identifier for logging purposes 
> Identifier Wireless TunnelledByPEAP 
> 
> # Authentication 
> AuthBy AuthByActiveDirectory 
> 
> </Handler> 
> 
> Using "user at domain.com" *** does not work 
> 
> Wed May 12 15:32:35 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
> Wed May 12 15:32:35 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
> Wed May 12 15:32:35 2010: DEBUG: Handling with EAP: code 2, 7, 73, 26 
> Wed May 12 15:32:35 2010: DEBUG: Response type 26 
> Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA looks for match with user at ad.sfu.ca [user at ad.sfu.ca] 
> Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA ACCEPT: : user at ad.sfu.ca [user at ad.sfu.ca] 
> Wed May 12 15:32:35 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password. 
> 
> 
> Wed May 12 15:32:35 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure 
> Wed May 12 15:32:35 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure 
> Wed May 12 15:32:35 2010: INFO: Access rejected for user at ad.sfu.ca: EAP MSCHAP-V2 Authentication failure 
> Wed May 12 15:32:35 2010: DEBUG: Returned PEAP tunnelled packet dump: 
> 
> Using "domain.com/user" *** works! 
> 
> Wed May 12 15:35:47 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
> Wed May 12 15:35:47 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
> Wed May 12 15:35:47 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26 
> Wed May 12 15:35:47 2010: DEBUG: Response type 26 
> Wed May 12 15:35:47 2010: DEBUG: EAP result: 0, 
> Wed May 12 15:35:47 2010: DEBUG: AuthBy LSA result: ACCEPT, 
> Wed May 12 15:35:47 2010: DEBUG: Access accepted for ad.sfu.ca\user 
> Wed May 12 15:35:47 2010: DEBUG: Returned PEAP tunnelled packet dump: 
> 
> Using "user" *** works! 
> 
> Wed May 12 15:31:34 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP' 
> Wed May 12 15:31:34 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory 
> Wed May 12 15:31:34 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26 
> Wed May 12 15:31:34 2010: DEBUG: Response type 26 
> Wed May 12 15:31:34 2010: DEBUG: EAP result: 0, 
> Wed May 12 15:31:34 2010: DEBUG: AuthBy LSA result: ACCEPT, 
> Wed May 12 15:31:34 2010: DEBUG: Access accepted for user 
> Wed May 12 15:31:34 2010: DEBUG: Returned PEAP tunnelled packet dump: 
> 
> 
> Regards, 
> Craig Simons 
> 
> 
> -------------------------------------- 
> Craig Simons 
> Network Operations 
> Simon Fraser University 
> Surrey BC, Canada 
> em. craigsimons at sfu.ca 
> ph. 778-782-8036 
> ce. 604-649-7977 
> -------------------------------------- 
> _______________________________________________ 
> radiator mailing list 
> radiator at open.com.au 
> http://www.open.com.au/mailman/listinfo/radiator 



NB: 

Have you read the reference manual ("doc/ref.html")? 
Have you searched the mailing list archive (www.open.com.au/archives/radiator)? 
Have you had a quick look on Google (www.google.com)? 
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening? 

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows, MacOS X. 
Includes support for reliable RADIUS transport (RadSec), 
and DIAMETER translation agent. 
- 
Nets: internetwork inventory and management - graphical, extensible, 
flexible with hardware, software, platform and database independence. 
- 
CATool: Private Certificate Authority for Unix and Unix-like systems. 


