[RADIATOR] PEAP Issue

Adam Bishop Adam.Bishop at ja.net
Tue Feb 1 09:41:53 CST 2011


Looks like you're right about the PEAP/SAMBA issue; it seems to be a broken
SAMBA version.

Not sure how I'm going to solve this without an OS switch or compiling
from source - looking at the original thread, the password hash gained
from ntlm_auth needs to be hashed a second time?

Would simply patching in a round of hashing correct this?

Adam Bishop

On 01/02/2011 15:16, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 02/01/2011 03:49 PM, Adam Bishop wrote:
>> Encountering an odd issue with MSCHAPv2/PEAP
>> 
>> I have 2 Radiator instances - one based on Debian 5, one on Ubuntu
>> 10.04LTS.  They share a config file (barring secrets), and the Debian
>> one works fine.  There is a difference in patch level - if I remember
>> correctly, the Debian install is a few patches out of date.
>> 
>> The Ubuntu one accepts PAP, TTLS/PAP and TTLS/MSCHAPv2, but
>> PEAP/MSCHAPv2 fails.  The system is authenticated against Active
>> Directory - ntlm_auth --request-nt-key works.
>> 
>> The only thing that stands out in the proxied trace is the MD5 failure
>> - libdigest-md5-perl is installed (as far as I know) and seems to be
>> used:
>> 
>> root at orps3:/var/log/radiator# lsof -p 1488 | grep -i md5
>> radiusd 1488 root  mem    REG  251,3    18640  525298
>> /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
>> 
>> The direct trace is just weird - NTLM_AUTH seems to give the OK, then...
>> Nothing.
>> 
>> Any suggestions anyone has are appreciated.
>
>You should list the EAP types separated by commas, not one per line. If
>you have them one per line, I think the last one is the only type
>Radiator is told to use.
>
>About MD5 failure, the client does like the suggested EAP type
>(MD5-Challenge) and sends a NAK, so that's why there is the failure.
>
>You may want to remove both instances of the MD5-Challenge EAPType unless
>you know you need it. For PEAP, EAPType MSCHAP-V2 is usually enough.
>
>
>The "then ... Nothing." behaviour after ntlm_auth looks like what was
>seen earlier, and the reason was ntlm_auth returning incorrect values,
>which makes the MSCHAPv2 server authentication fail for the client. In
>other words, the client thinks the server failed to authenticate itself
>and the client stops the authentication process.
>
>Please see ntlm_auth thread from last September:
>http://www.open.com.au/pipermail/radiator/2010-September/thread.html#16658
>
>
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
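Added example (not Radiator's code and not from either poster): the MS-CHAPv2 server-side computation the two messages are arguing about, written out per RFC 2759. The RADIUS server takes the 16-byte NT hash (the NT key that `ntlm_auth --request-nt-key` reports), MD4-hashes it a second time (HashNtPasswordHash, the "hashed a second time" step in the question above), and derives the `S=...` AuthenticatorResponse from that; the client recomputes the same value and, on mismatch, abandons the conversation without sending anything more, which matches the "OK, then nothing" symptom Heikki describes. The RFC 2759 test vector stands in for a captured exchange, and the `hash_again=False` path is a constructed wrong computation for contrast only; it does not reproduce whatever the broken Samba build returned, since the page does not say what that was. MD4 is implemented locally because `hashlib.new("md4")` is missing on many OpenSSL 3 builds.

```python
"""MS-CHAPv2 server-side AuthenticatorResponse (RFC 2759, section 8).

Added example; not Radiator code. Uses only the standard library.
"""
import hashlib
import hmac
import struct


def _rol(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often absent under OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda p, q, r: (p & q) | (~p & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    k = lambda p, q, r: p ^ q ^ r
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rol(a + f(b, c, d) + w[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rol(a + g(b, c, d) + w[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rol(a + k(b, c, d) + w[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(s + t) & 0xFFFFFFFF for s, t in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the UTF-16LE password. This 16-byte value is the
    NT key that ntlm_auth --request-nt-key hands to the RADIUS server."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    UserName is the bare account name; any DOMAIN\\ prefix is stripped first."""
    user = username.rsplit("\\", 1)[-1].encode()
    return hashlib.sha1(peer_challenge + auth_challenge + user).digest()[:8]


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def authenticator_response(nt_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str,
                           hash_again: bool = True) -> str:
    """GenerateAuthenticatorResponse. The server proves knowledge of the password
    with MD4(NT hash), i.e. HashNtPasswordHash: the second hashing round asked
    about in the thread. hash_again=False deliberately skips it to show the
    (wrong) value a server would send if it used the raw NT hash instead."""
    pw_hash_hash = md4(nt_hash) if hash_again else nt_hash
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def client_accepts(received: str, expected: str) -> bool:
    """CheckAuthenticatorResponse as the supplicant does it: constant-time compare.
    On mismatch the client drops the conversation and sends nothing further, so the
    server side sees ntlm_auth succeed and then silence."""
    return hmac.compare_digest(received.encode(), expected.encode())


# RFC 2759 section 9.2 test vector, standing in for a captured PEAP/MSCHAPv2 exchange.
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def demo():
    """Return (correct response, response computed without the second MD4 round)."""
    nt_hash = nt_password_hash(RFC_PASSWORD)
    args = (RFC_NT_RESPONSE, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    return (authenticator_response(nt_hash, *args),
            authenticator_response(nt_hash, *args, hash_again=False))


if __name__ == "__main__":
    good, bad = demo()
    print("with 2nd MD4   :", good)
    print("without 2nd MD4:", bad, "-> client accepts:", client_accepts(bad, good))
```

Run it directly and the first line is the `S=` string from the RFC test vector; the second is what a server that feeds the raw NT hash into the SHA1 step would send, which the supplicant rejects. When checking a real Radiator trace, compare the `S=` value in the server's MSCHAPv2 Success against one recomputed this way from the NT key ntlm_auth printed: a mismatch points at the NT key, not at the EAP configuration.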
