[RADIATOR] eap-ttls/ms-chap-v2

Heikki Vatiainen hvn at open.com.au
Tue Jan 18 16:03:21 CST 2011


On 01/18/2011 11:51 PM, Michael Shoemaker wrote:
> Yes, I used the -t as I am working with a db compiled as such and can't
> change that at this time.

Ok. From the log it looks like Radiator can read the DBM file correctly.
Please reply with the entry for user tonytestgordonlab from the original
plain text user file.

Since you are using MSCHAPv2, the User-Password needs to be in plain
text or NTHash format. See the file called "users" in the top level of
Radiator distribution directory. Check examples pwtest14 and pwtest15.

> This is what is in the access request to the dbfile.
> 
> 
>         User-Name = "tonytestgordonlab"
>         MS-CHAP-Challenge = f<223>)<22><158>R\<27><3><5>ia<226><213>*n
>         MS-CHAP2-Response =
> <193><0><0><0><0><27><0><0><0>P<24><7><0><1><0><0><0><0><0><0><0><0><0><0><0><0><229>[<149><185><148><25>I,D<250>KS<153><183><28>\
> -<209><18> <186><1><183>
> 
> Fri Jan 14 12:44:56 2011: DEBUG: EAP TTLS inner authentication request
> for tonytestgordonlab
> Fri Jan 14 12:44:56 2011: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1'
> Fri Jan 14 12:44:56 2011: DEBUG: Rewrote user name to tonytestgordonlab
> Fri Jan 14 12:44:56 2011: DEBUG:  Deleting session for
> tonytestgordonlab, 192.168.0.1,
> Fri Jan 14 12:44:56 2011: DEBUG: Handling with Radius::AuthDBFILE:
> Fri Jan 14 12:44:56 2011: DEBUG: Radius::AuthDBFILE looks for match with
> tonytestgordonlab [tonytestgordonlab]
> Fri Jan 14 12:44:57 2011: DEBUG: Radius::AuthDBFILE REJECT: Bad
> Password: tonytestgordonlab [tonytestgordonlab]
> Fri Jan 14 12:44:57 2011: DEBUG: AuthBy DBFILE result: REJECT, Bad Password
> Fri Jan 14 12:44:57 2011: INFO: Access rejected for tonytestgordonlab:
> Bad Password
> Fri Jan 14 12:44:57 2011: DEBUG: Returned TTLS tunnelled Diameter Packet
> dump:
> 
> 
> That is what I have. I am quite sure I must be over looking something
> fairly trivial.
> 
> Thoughts?
> 
> 
> On 01/18/2011 04:19 PM, Heikki Vatiainen wrote:
>> On 01/18/2011 05:19 PM, Michael Shoemaker wrote:
>>
>>> We are trying to get authentication with an alvarion wireless unit that
>>> is sending mschapv2 encrypted passwords through a eap-ttls tunnel.
>>>
>>> I can get the eap-ttls tunnel built and can see the attempts to request
>>> the mschapv2 but am not sure where our hangup is.
>> I have a couple of suggestions below. If they do not work, reply with
>> your configuration file (no secrets) and log file that shows the failing
>> requests.
>>
>>> What needs to be done to be able to get local authentication on the
>>> radiator server using AuthBy DBFILE (DB_File)
>>>
>>> The db was built using a plaintext file then converted using the
>>> builddbm script.
>> Did you use -t option with builddbm? If you did not, then you should
>> remove "DBType DB_FILE" from the config. By default builddbm creates a
>> AnyDBM_File which is also the default value for DBType.
>>
>>> <Handler TunnelledByTTLS=1>
>>>
>>> <AuthBy DBFILE>
>>>                   Filename /etc/raddb.proxy/dbm/users.db
>>>                   DBType DB_File
>> Check if this is really the correct value.
>>
>>> </AuthBy>
>>> this gets me to the point of doing the ttls tunnel, then it passes the
>>> mschap stuff to the authby dbfile... but I am not sure how to unencrypt
>>> the pw to check vs the db file.
>> If the DBType check will not help, then the problems with password check
>> should be visible in the log.
>>
>> Thanks!
>> Heikki Vatiainen
>>


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

