[RADIATOR] Radiator on OSX with mschap/mschapv2 issue

Hugh Irvine hugh at open.com.au
Wed May 19 16:45:37 CDT 2010


Hello Fred -

Can you please tell me the name of the registered company that has purchased this copy of Radiator?

Please reply to me directly.

In answer to your question, it looks like you are using a RewriteUsername which won't work with MSCHAP-V2.

regards

Hugh


On 20 May 2010, at 03:47, fred pam wrote:

> Excuse me, enter-button went AWOL. Anyway:
> 
> I've got a strange issue on a Radiator running on OSX. Using local file authentication (the user-file contains an unencrypted password) I succeed in using mschap but fail at mschapv2:
> 
> radpwtst -mschap -s radiator -secret 'mysecret' -noacct  -user peaptest at local -password peaptest123 -trace 5 
> 
> Reading dictionary file '/etc/radiator/dictionary'
> sending Access-Request...
> Packet dump:
> *** Sending to 192.168.87.171 port 1645 ....
> 
> Packet length = 176
> Code:       Access-Request
> Identifier: 103
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "peaptest at local"
>         Service-Type = Framed-User
>         NAS-IP-Address = 192.168.154.1
>         NAS-Identifier = "192.168.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         MS-CHAP-Challenge = <16>-<181><223><8>]0A
>         MS-CHAP-Response = <1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
> 0>R<224><225>^y<21><23>mI<203><8><149><157><216><197>"#U<255><233><15><195><15>0
> 
> Packet dump:
> *** Received from 192.168.87.171 port 1645 ....
> 
> Packet length = 26
> 02 67 00 1a 05 7e 00 5f e8 8c ff 1a c9 06 65 f1
> a3 94 84 27 06 06 00 00 00 02
> Code:       Access-Accept
> Identifier: 103
> Authentic:  <5>~<0>_<232><140><255><26><201><6>e<241><163><148><132>'
> Attributes:
>         Service-Type = Framed-User
> OK
> 
> 
> radpwtst -mschapv2 -s radiator -secret 'mysecret' -noacct  -user peaptest at local -password peaptest123 -trace 5                         
> Reading dictionary file '/etc/radiator/dictionary'
> sending Access-Request...
> Packet dump:
> *** Sending to 192.168.87.171 port 1645 ....
> 
> Packet length = 184
> Code:       Access-Request
> Identifier: 131
> Authentic:  1234567890123456
> Attributes:
>     User-Name = "peaptest at local"
>     Service-Type = Framed-User
>     NAS-IP-Address = 192.168.154.1
>     NAS-Identifier = "192.168.154.1"
>     NAS-Port = 1234
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-Port-Type = Async
>     MS-CHAP-Challenge = []|}{?/><,`!2&&(
>     MS-CHAP2-Response = <1><0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0><173><206>I<134><203><26>6<240><201><131><30><202><132><145><13><220><242><152><17>8<229><247>WV
> 
> Packet dump:
> *** Received from 192.168.87.171 port 1645 ....
> 
> Packet length = 36
> 03 83 00 24 f9 1b 78 ea 51 db 83 08 ad 73 86 9d
> 1d 88 f1 1e 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 131
> Authentic:  <249><27>x<234>Q<219><131><8><173>s<134><157><29><136><241><30>
> Attributes:
>     Reply-Message = "Request Denied"
> 
> Rejected: Request Denied
> 
> The debug shows me
> 
> Wed May 19 19:45:11 2010: DEBUG: Handling with Radius::AuthFILE: peaptest
> Wed May 19 19:45:11 2010: DEBUG: Radius::AuthFILE looks for match with peaptest [peaptest at local]
> Wed May 19 19:45:11 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: peaptest [peaptest at local]
> 
> Any takers? It really stumps me...
> 
> Regards, Fred
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
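An added illustration (not from the thread and not Radiator's own code) of why a RewriteUsername breaks MS-CHAPv2 but not MS-CHAPv1: RFC 2759 derives the 8-byte challenge that the NT-Response is DES-encrypted over from a SHA-1 of Peer-Challenge, Authenticator-Challenge and the User-Name, so a server that verifies under a rewritten name computes a different challenge and can only report a bad password, whereas v1 encrypts the 8-byte MS-CHAP-Challenge alone. The challenge and response bytes are the ones decoded in Fred's traces above; the two user names ("peaptest@local" as sent, "peaptest" after a realm-stripping rewrite) are assumptions based on his debug line.

```python
import hashlib

# Challenge/response bytes copied from the decoded attributes in Fred's traces.
V1_CHALLENGE = bytes.fromhex("102db5df085d3041")  # 8-byte MS-CHAP-Challenge (-mschap run)
V2_CHALLENGE = b"[]|}{?/><,`!2&&("                 # 16-byte MS-CHAP-Challenge (-mschapv2 run)
MSCHAP2_RESPONSE = (
    bytes([1, 0])                                  # Ident, Flags
    + b"!@#$%^&*()_+:3|~"                          # 16-byte Peer-Challenge
    + bytes(8)                                     # Reserved
    + bytes.fromhex("adce4986cb1a36f0c9831eca84910ddcf2981138e5f75756")  # NT-Response
)
# Assumed names: what the client sent, and what a realm-stripping RewriteUsername
# leaves for AuthFILE to look up ("looks for match with peaptest" in the debug).
NAME_ON_WIRE = "peaptest@local"
NAME_REWRITTEN = "peaptest"


def parse_mschap2_response(value: bytes) -> dict:
    """Split a 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be exactly 50 bytes")
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18],
            "reserved": value[18:26], "nt_response": value[26:50]}


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: SHA-1 over the two challenges and the name."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def des_challenge(version: int, username: str) -> bytes:
    """The 8 bytes the NT-Response is DES-encrypted over, per MS-CHAP version."""
    if version == 1:
        return V1_CHALLENGE  # v1: the challenge itself; the user name plays no part
    peer = parse_mschap2_response(MSCHAP2_RESPONSE)["peer_challenge"]
    return challenge_hash(peer, V2_CHALLENGE, username)


def rewrite_changes_challenge(version: int, wire_name: str, rewritten_name: str) -> bool:
    """True when verifying under the rewritten name cannot match the client's NT-Response."""
    return des_challenge(version, wire_name) != des_challenge(version, rewritten_name)


if __name__ == "__main__":
    for v in (1, 2):
        broken = rewrite_changes_challenge(v, NAME_ON_WIRE, NAME_REWRITTEN)
        print(f"MS-CHAP v{v}: rewrite changes the verified challenge -> {broken}")
```

Run as-is it reports False for v1 and True for v2, which is the mschap-succeeds / mschapv2-rejects pattern in the traces; the fix on the server side is to rewrite after authentication, or to look the user up under the name the client actually hashed.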
