[RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm

Hugh Irvine hugh at open.com.au
Thu May 13 17:33:02 CDT 2010


Hello Craig -

Hmmm - yes quite right.

Could you set up a simple test configuration in the lab, based on "goodies/lsa__eap_peap.cfg" so we can see the differences in processing different usernames?

Please send me a copy of the test configuration file together with the results with different usernames.

many thanks for your assistance

regards

Hugh


On 14 May 2010, at 03:46, Craig Simons wrote:

> Hugh,
> 
> While this may be an AD issue I have to check up on, I don't quite understand why it would work with some iterations of the username but not others. If "Access this computer from the network" was not enabled, I would assume that "domain/user" and "user" would not work. From the logs it looks as though the user is found; it's just the password that is the issue, which I assume is an MSCHAPv2 hashing issue?
> 
> --------------------------------------
> Craig Simons
> Network Operations
> Simon Fraser University
> Surrey BC, Canada
> em. craigsimons at sfu.ca
> ph. 778-782-8036
> ce. 604-649-7977
> -------------------------------------- 
> 
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Craig Simons" <craigsimons at sfu.ca>
> Cc: radiator at open.com.au
> Sent: Wednesday, 12 May, 2010 16:33:10 GMT -08:00 US/Canada Pacific
> Subject: Re: [RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm
> 
> 
> Hello Craig -
> 
> No this usually means the user does not have "Access this computer from the network" enabled in AD.
> 
> See section 5.51 in the Radiator 4.6 reference manual ("doc/ref.pdf").
> 
> .....
> 
> Hint: Users can only be authenticated with AuthBy LSA if they have the 'Access this computer from the network' security policy enabled (this is the normal configuration for Windows Domains). AuthBy LSA honours the Logon Hours, Workstation Restrictions and 'Account is Disabled' flags in user accounts.
> 
> .....
> 
> regards
> 
> Hugh
> 
> 
> On 13 May 2010, at 09:26, Craig Simons wrote:
> 
> > Thanks for the quick response Hugh.
> > 
> > I did try adding that previously but I didn't mention it. This does not seem to work either, although I can see it does have an effect. Would this not affect the hashing if the user name was changed? I'm assuming that the "Radius::AuthLSA ACCEPT: : user [user at ad.sfu.ca]" means the user is found but that the password is not matching?
> > 
> > Wed May 12 16:19:17 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> > Wed May 12 16:19:17 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> > Wed May 12 16:19:17 2010: DEBUG: Handling with EAP: code 2, 7, 73, 26
> > Wed May 12 16:19:17 2010: DEBUG: Response type 26
> > Wed May 12 16:19:17 2010: DEBUG: Radius::AuthLSA looks for match with user [user at ad.sfu.ca]
> > Wed May 12 16:19:17 2010: DEBUG: Radius::AuthLSA ACCEPT: : user [user at ad.sfu.ca]
> > Wed May 12 16:19:17 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> > 
> > 
> > Wed May 12 16:19:17 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> > Wed May 12 16:19:17 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
> > Wed May 12 16:19:17 2010: INFO: Access rejected for user at ad.sfu.ca: EAP MSCHAP-V2 Authentication failure
> > Wed May 12 16:19:17 2010: DEBUG: Returned PEAP tunnelled packet dump:
> > 
> > ----- Original Message -----
> > From: "Hugh Irvine" <hugh at open.com.au>
> > To: "Craig Simons" <craigsimons at sfu.ca>
> > Cc: radiator at open.com.au
> > Sent: Wednesday, 12 May, 2010 16:01:48 GMT -08:00 US/Canada Pacific
> > Subject: Re: [RADIATOR] AuthBy LSA, MSCHAPv2 and username at realm
> > 
> > 
> > Hello Craig -
> > 
> > Add "UsernameMatchesWithoutRealm" to your inner AuthBy LSA clause without any RewriteUsername(s).
> > 
> > .....
> > 
> > # Active Directory lookup via MSCHAP-V2
> > <AuthBy LSA>
> >     # say my name!
> >     Identifier AuthByActiveDirectory
> > 
> >     #Domain
> >     Domain ad.sfu.ca
> >     
> >     #No default user exists
> >     NoDefault
> >     
> >     #just use the username part of the User-Name string
> >     UsernameMatchesWithoutRealm
> > 
> >     #EAP Types accepted
> >     EAPType MSCHAP-V2
> > 
> > </AuthBy>
> > 
> > .....
> > 
> > See section 5.18.59 in the Radiator 4.6 reference manual ("doc/ref.pdf").
> > 
> > regards
> > 
> > Hugh
> > 
> > 
> > On 13 May 2010, at 08:43, craigsimons at sfu.ca wrote:
> > 
> > > Hi All,
> > > 
> > > I'm having a problem getting MSCHAP-V2 working in the manner that I wish. My end goal is to allow users to log in against AD with the username in the "user at realm.com" format. To date, only "user" and "domain\user" seem to work. I know I should not rewrite user names because of the MSCHAP hashing. Is this even possible?
> > > 
> > > I am testing against a Windows 2008 server with a Windows 7 wireless client. Is it possible the Windows supplicant is taking the "user at domain.com", internally rewriting the user name to domain.com\user, and then creating the MSCHAPv2 hash?
> > > 
> > > The following is a snippet of config and log trace examples:
> > > 
> > > # Active Directory lookup via MSCHAP-V2
> > > <AuthBy LSA>
> > >     # say my name!
> > >     Identifier AuthByActiveDirectory
> > > 
> > >     #Domain
> > >     Domain ad.sfu.ca
> > >     
> > >     #No default user exists
> > >     NoDefault
> > >     
> > >     #EAP Types accepted
> > >     EAPType MSCHAP-V2
> > > 
> > > </AuthBy>
> > > 
> > > #Incoming Inner Requests from HiPath Wireless via PEAP\MSCHAP-V2
> > > <Handler Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1>
> > >     # rewrite username to strip realm off
> > >     #RewriteUsername s/^([^@]+).*/$1/
> > >         
> > >     #Identifier for logging purposes
> > >     Identifier Wireless TunnelledByPEAP
> > >        
> > >     # Authentication
> > >     AuthBy AuthByActiveDirectory
> > > 
> > > </Handler>
> > > 
> > > Using "user at domain.com" *** does not work
> > > 
> > > Wed May 12 15:32:35 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> > > Wed May 12 15:32:35 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> > > Wed May 12 15:32:35 2010: DEBUG: Handling with EAP: code 2, 7, 73, 26
> > > Wed May 12 15:32:35 2010: DEBUG: Response type 26
> > > Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA looks for match with user at ad.sfu.ca [user at ad.sfu.ca]
> > > Wed May 12 15:32:35 2010: DEBUG: Radius::AuthLSA ACCEPT: : user at ad.sfu.ca [user at ad.sfu.ca]
> > > Wed May 12 15:32:35 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> > > 
> > > 
> > > Wed May 12 15:32:35 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> > > Wed May 12 15:32:35 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
> > > Wed May 12 15:32:35 2010: INFO: Access rejected for user at ad.sfu.ca: EAP MSCHAP-V2 Authentication failure
> > > Wed May 12 15:32:35 2010: DEBUG: Returned PEAP tunnelled packet dump:
> > > 
> > > Using "domain.com/user" *** works!
> > > 
> > > Wed May 12 15:35:47 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> > > Wed May 12 15:35:47 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> > > Wed May 12 15:35:47 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26
> > > Wed May 12 15:35:47 2010: DEBUG: Response type 26
> > > Wed May 12 15:35:47 2010: DEBUG: EAP result: 0, 
> > > Wed May 12 15:35:47 2010: DEBUG: AuthBy LSA result: ACCEPT, 
> > > Wed May 12 15:35:47 2010: DEBUG: Access accepted for ad.sfu.ca\user
> > > Wed May 12 15:35:47 2010: DEBUG: Returned PEAP tunnelled packet dump:
> > > 
> > > Using "user" *** works!
> > > 
> > > Wed May 12 15:31:34 2010: DEBUG: Handling request with Handler 'Client-Identifier=HiPath|Roamabout,TunnelledByPEAP=1', Identifier 'Wireless TunnelledByPEAP'
> > > Wed May 12 15:31:34 2010: DEBUG: Handling with Radius::AuthLSA: AuthByActiveDirectory
> > > Wed May 12 15:31:34 2010: DEBUG: Handling with EAP: code 2, 8, 2, 26
> > > Wed May 12 15:31:34 2010: DEBUG: Response type 26
> > > Wed May 12 15:31:34 2010: DEBUG: EAP result: 0, 
> > > Wed May 12 15:31:34 2010: DEBUG: AuthBy LSA result: ACCEPT, 
> > > Wed May 12 15:31:34 2010: DEBUG: Access accepted for user
> > > Wed May 12 15:31:34 2010: DEBUG: Returned PEAP tunnelled packet dump:
> > > 
> > > 
> > > Regards, 
> > > Craig Simons
> > > 
> > > _______________________________________________
> > > radiator mailing list
> > > radiator at open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator
> > 
> > 
> > 
> > NB: 
> > 
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets), 
> > together with a trace 4 debug showing what is happening?
> > 
> > -- 
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > Includes support for reliable RADIUS transport (RadSec),
> > and DIAMETER translation agent.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> > 
> > 
> > 
> 
> 
> 



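Why this thread keeps warning against RewriteUsername with MS-CHAPv2, shown in code: the User-Name the supplicant presents is an input to the 8-byte challenge its response encrypts, so the authenticating side must recompute with the name the peer actually hashed and may strip a realm only for the account lookup (the "just use the username part" behaviour Hugh's UsernameMatchesWithoutRealm comment describes). The Go program below is an added example, not Radiator code or anything posted in this thread: it implements ChallengeHash() and GenerateNTResponse() from RFC 2759 with the RFC's own section 9.2 test vectors embedded, and verify() is a constructed model of the authenticator's comparison, which a real AuthBy LSA setup performs inside Windows via LogonUserNetworkMSCHAP rather than in Radiator itself.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"strings"
)

// RFC 2759 section 9.2 test vectors: AuthenticatorChallenge, PeerChallenge and
// NtPasswordHash("clientPass"), so the functions below can be checked against the RFC.
var rfcAuthChallenge, _ = hex.DecodeString("5b5d7c7d7b3f2f3e3c2c602132262628")
var rfcPeerChallenge, _ = hex.DecodeString("21402324255e262a28295f2b3a337c7e")
var rfcNtHash, _ = hex.DecodeString("44ebba8d5312b8d611474411f56989ae")

// challengeHash is ChallengeHash() of RFC 2759 8.2: SHA1(PeerChallenge || AuthChallenge || UserName)[0:8].
// Only a prepended "DOMAIN\" is left out of the hashed name; a "@realm" suffix is hashed exactly as sent.
func challengeHash(peer, auth []byte, userName string) []byte {
	if i := strings.LastIndexByte(userName, '\\'); i >= 0 {
		userName = userName[i+1:]
	}
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), userName...))
	return sum[:8]
}

// ntResponse is GenerateNTResponse(): the NT hash zero-padded to 21 bytes gives three 7-byte
// DES keys, each encrypting the 8-byte challenge; the 24-byte result is what the peer sends.
func ntResponse(auth, peer []byte, userName string, ntHash []byte) []byte {
	challenge := challengeHash(peer, auth, userName)
	zkey := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		// DesEncrypt(): a 7-byte key becomes 8 bytes by inserting a parity bit after every 7 bits.
		key7, key, next := zkey[i*7:i*7+7], make([]byte, 8), byte(0)
		for j := 0; j < 7; j++ {
			key[j] = key7[j]>>uint(j) | next | 1
			next = key7[j] << uint(7-j)
		}
		key[7] = next | 1
		block, _ := des.NewCipher(key) // an 8-byte key never errors; DES ignores the parity bits
		block.Encrypt(resp[i*8:], challenge)
	}
	return resp
}

// verify is the authenticator's step: recompute with the name it believes the peer hashed and compare.
func verify(auth, peer []byte, userName string, ntHash, response []byte) bool {
	return bytes.Equal(ntResponse(auth, peer, userName, ntHash), response)
}
```

With a response the peer computed over "User@example.com", verify() succeeds only when given that same name; stripping to "User" before the comparison fails, while "EXAMPLE\User" and "User" verify alike because the prepended domain is never hashed.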