[RADIATOR] eap-ttls/ms-chap-v2

Michael Shoemaker shoemake at america.net
Tue Jan 18 16:09:13 CST 2011


tonytestgordonlab      User-Password = "testing123"
         Service-Type = 2,
         Ascend-Assign-IP-Pool = 0,
         Ascend-Data-Filter = "ip in forward tcp est",
         Ascend-Data-Filter = "ip in forward dstip xxxxxxxxxx",
         Ascend-Data-Filter = "ip in drop tcp dstport = 25",
         Ascend-Data-Filter = "ip in forward"




On 01/18/2011 05:03 PM, Heikki Vatiainen wrote:
> On 01/18/2011 11:51 PM, Michael Shoemaker wrote:
>> Yes, I used the -t as I am working with a db compiled as such and can't
>> change that at this time.
> Ok. From the log it looks like Radiator can read the DBM file correctly.
> Please reply with the entry for user tonytestgordonlab from the original
> plain text user file.
>
> Since you are using MSCHAPv2, the User-Password needs to be in plain
> text or NTHash format. See the file called "users" in the top level of
> Radiator distribution directory. Check examples pwtest14 and pwtest15.
>
>> This is what is in the access request to the dbfile.
>>
>>
>>          User-Name = "tonytestgordonlab"
>>          MS-CHAP-Challenge = f<223>)<22><158>R\<27><3><5>ia<226><213>*n
>>          MS-CHAP2-Response =
>> <193><0><0><0><0><27><0><0><0>P<24><7><0><1><0><0><0><0><0><0><0><0><0><0><0><0><229>[<149><185><148><25>I,D<250>KS<153><183><28>\
>> -<209><18>  <186><1><183>
>>
>> Fri Jan 14 12:44:56 2011: DEBUG: EAP TTLS inner authentication request
>> for tonytestgordonlab
>> Fri Jan 14 12:44:56 2011: DEBUG: Handling request with Handler
>> 'TunnelledByTTLS=1'
>> Fri Jan 14 12:44:56 2011: DEBUG: Rewrote user name to tonytestgordonlab
>> Fri Jan 14 12:44:56 2011: DEBUG:  Deleting session for
>> tonytestgordonlab, 192.168.0.1,
>> Fri Jan 14 12:44:56 2011: DEBUG: Handling with Radius::AuthDBFILE:
>> Fri Jan 14 12:44:56 2011: DEBUG: Radius::AuthDBFILE looks for match with
>> tonytestgordonlab [tonytestgordonlab]
>> Fri Jan 14 12:44:57 2011: DEBUG: Radius::AuthDBFILE REJECT: Bad
>> Password: tonytestgordonlab [tonytestgordonlab]
>> Fri Jan 14 12:44:57 2011: DEBUG: AuthBy DBFILE result: REJECT, Bad Password
>> Fri Jan 14 12:44:57 2011: INFO: Access rejected for tonytestgordonlab:
>> Bad Password
>> Fri Jan 14 12:44:57 2011: DEBUG: Returned TTLS tunnelled Diameter Packet
>> dump:
>>
>>
>> That is what I have. I am quite sure I must be overlooking something
>> fairly trivial.
>>
>> Thoughts?
>>
>>
>> On 01/18/2011 04:19 PM, Heikki Vatiainen wrote:
>>> On 01/18/2011 05:19 PM, Michael Shoemaker wrote:
>>>
>>>> We are trying to get authentication with an Alvarion wireless unit that
>>>> is sending mschapv2 encrypted passwords through a eap-ttls tunnel.
>>>>
>>>> I can get the eap-ttls tunnel built and can see the attempts to request
>>>> the mschapv2 but am not sure where our hangup is.
>>> I have a couple of suggestions below. If they do not work, reply with
>>> your configuration file (no secrets) and log file that shows the failing
>>> requests.
>>>
>>>> What needs to be done to be able to get local authentication on the
>>>> radiator server using AuthBy DBFILE (DB_File)
>>>>
>>>> The db was built using a plaintext file then converted using the
>>>> builddbm script.
>>> Did you use -t option with builddbm? If you did not, then you should
>>> remove "DBType DB_FILE" from the config. By default builddbm creates an
>>> AnyDBM_File which is also the default value for DBType.
>>>
>>>> <Handler TunnelledByTTLS=1>
>>>>
>>>> <AuthBy DBFILE>
>>>>                    Filename /etc/raddb.proxy/dbm/users.db
>>>>                    DBType DB_File
>>> Check if this is really the correct value.
>>>
>>>> </AuthBy>
>>>> This gets me to the point of doing the ttls tunnel, then it passes the
>>>> mschap stuff to the authby dbfile... but I am not sure how to unencrypt
>>>> the pw to check vs the db file.
>>> If the DBType check will not help, then the problems with password check
>>> should be visible in the log.
>>>
>>> Thanks!
>>> Heikki Vatiainen
>>>
>

