[RADIATOR] eap-ttls/ms-chap-v2

Michael Shoemaker shoemake at america.net
Wed Jan 19 09:25:20 CST 2011


That was it :D

Thank you soooo much!


On 01/19/2011 07:27 AM, Heikki Vatiainen wrote:
> On 01/19/2011 12:10 AM, Michael Shoemaker wrote:
>
>> tonytestgordonlab      User-Password = "testing123"
>>          Service-Type = 2,
>>          Ascend-Assign-IP-Pool = 0,
>>          Ascend-Data-Filter = "ip in forward tcp est",
>>          Ascend-Data-Filter = "ip in forward dstip xxxxxxxxxx",
>>          Ascend-Data-Filter = "ip in drop tcp dstport = 25",
>>          Ascend-Data-Filter = "ip in forward"
> The file contents look good. Since MSCHAPv2 uses the username for
> hashing, the server must calculate the hash from exactly the same
> username as the client has. In other words, any sort of RewriteUsername
> Radiator does can cause incorrect results from MSCHAPv2.
>
> Please check your configuration for rewrites. To eliminate a possible
> problem with DBFile, try <AuthBy FILE> also.
>
> If the problem does not go away, reply with:
> - Your configuration file (no secrets)
> - Full log from failed attempt
> - Radiator version
> - What username the client uses
> - What the client software is (Alvarion, something else?)
>
> Thanks!
>
>
>> On 01/18/2011 05:03 PM, Heikki Vatiainen wrote:
>>> On 01/18/2011 11:51 PM, Michael Shoemaker wrote:
>>>> Yes, I used the -t as I am working with a db compiled as such and can't
>>>> change that at this time.
>>> Ok. From the log it looks like Radiator can read the DBM file correctly.
>>> Please reply with the entry for user tonytestgordonlab from the original
>>> plain text user file.
>>>
>>> Since you are using MSCHAPv2, the User-Password needs to be in plain
>>> text or NTHash format. See the file called "users" in the top level of
>>> Radiator distribution directory. Check examples pwtest14 and pwtest15.
>>>
>>>> This is what is in the access request to the dbfile.
>>>>
>>>>
>>>>           User-Name = "tonytestgordonlab"
>>>>           MS-CHAP-Challenge = f<223>)<22><158>R\<27><3><5>ia<226><213>*n
>>>>           MS-CHAP2-Response =
>>>> <193><0><0><0><0><27><0><0><0>P<24><7><0><1><0><0><0><0><0><0><0><0><0><0><0><0><229>[<149><185><148><25>I,D<250>KS<153><183><28>\
>>>>
>>>> -<209><18>   <186><1><183>
>>>>
>>>> Fri Jan 14 12:44:56 2011: DEBUG: EAP TTLS inner authentication request
>>>> for tonytestgordonlab
>>>> Fri Jan 14 12:44:56 2011: DEBUG: Handling request with Handler
>>>> 'TunnelledByTTLS=1'
>>>> Fri Jan 14 12:44:56 2011: DEBUG: Rewrote user name to tonytestgordonlab
>>>> Fri Jan 14 12:44:56 2011: DEBUG:  Deleting session for
>>>> tonytestgordonlab, 192.168.0.1,
>>>> Fri Jan 14 12:44:56 2011: DEBUG: Handling with Radius::AuthDBFILE:
>>>> Fri Jan 14 12:44:56 2011: DEBUG: Radius::AuthDBFILE looks for match with
>>>> tonytestgordonlab [tonytestgordonlab]
>>>> Fri Jan 14 12:44:57 2011: DEBUG: Radius::AuthDBFILE REJECT: Bad
>>>> Password: tonytestgordonlab [tonytestgordonlab]
>>>> Fri Jan 14 12:44:57 2011: DEBUG: AuthBy DBFILE result: REJECT, Bad
>>>> Password
>>>> Fri Jan 14 12:44:57 2011: INFO: Access rejected for tonytestgordonlab:
>>>> Bad Password
>>>> Fri Jan 14 12:44:57 2011: DEBUG: Returned TTLS tunnelled Diameter Packet
>>>> dump:
>>>>
>>>>
>>>> That is what I have. I am quite sure I must be overlooking something
>>>> fairly trivial.
>>>>
>>>> Thoughts?
>>>>
>>>>
>>>> On 01/18/2011 04:19 PM, Heikki Vatiainen wrote:
>>>>> On 01/18/2011 05:19 PM, Michael Shoemaker wrote:
>>>>>
>>>>>> We are trying to get authentication with an alvarion wireless unit that
>>>>>> is sending mschapv2 encrypted passwords through an eap-ttls tunnel.
>>>>>>
>>>>>> I can get the eap-ttls tunnel built and can see the attempts to request
>>>>>> the mschapv2 but am not sure where our hangup is.
>>>>> I have a couple of suggestions below. If they do not work, reply with
>>>>> your configuration file (no secrets) and log file that shows the failing
>>>>> requests.
>>>>>
>>>>>> What needs to be done to be able to get local authentication on the
>>>>>> radiator server using AuthBy DBFILE (DB_File)
>>>>>>
>>>>>> The db was built using a plaintext file then converted using the
>>>>>> builddbm script.
>>>>> Did you use the -t option with builddbm? If you did not, then you should
>>>>> remove "DBType DB_FILE" from the config. By default builddbm creates an
>>>>> AnyDBM_File, which is also the default value for DBType.
>>>>>
>>>>>> <Handler TunnelledByTTLS=1>
>>>>>>
>>>>>> <AuthBy DBFILE>
>>>>>>                     Filename /etc/raddb.proxy/dbm/users.db
>>>>>>                     DBType DB_File
>>>>> Check if this is really the correct value.
>>>>>
>>>>>> </AuthBy>
>>>>>> This gets me to the point of doing the ttls tunnel, then it passes the
>>>>>> mschap stuff to the authby dbfile... but I am not sure how to unencrypt
>>>>>> the pw to check vs the db file.
>>>>> If the DBType check will not help, then the problems with the password
>>>>> check should be visible in the log.
>>>>>
>>>>> Thanks!
>>>>> Heikki Vatiainen
>>>>>
>
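Two points from the thread above can be checked in a few lines: Heikki's note that MSCHAPv2 hashes the username (so a RewriteUsername on the server side breaks authentication), and his earlier note that the stored password must be plain text or an NT hash. The following is an added example, not code from the thread or from Radiator. It implements the ChallengeHash step of RFC 2759 (SHA-1 over PeerChallenge, AuthenticatorChallenge and UserName, truncated to 8 bytes) and the NT password hash (MD4 over the UTF-16LE password, implemented here because hashlib does not ship MD4 everywhere). The RFC 2759 section 9.2 test vector (user "User", password "clientPass") is used to verify both; the "rewritten" username is a constructed value chosen only to show the mismatch.

```python
"""Why a username rewrite breaks MSCHAPv2 (RFC 2759), shown on the RFC's own test vector.

Added example for the Radiator thread above; not Radiator code.
"""
import hashlib
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); used only because hashlib may lack 'md4'."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # rotating assignment a, d, c, b
                x, y, z, w = v[j], v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _lrot((x + func(y, z, w) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash(): MD4 of the password in UTF-16LE. This is the value an
    NTHash-format user entry must store for the server to verify MSCHAPv2."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash(): SHA-1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8].
    The username is a hash input, so client and server must use the identical string."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


# RFC 2759 section 9.2 test vector.
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def rewrite_breaks_challenge(client_name: bytes, server_name: bytes) -> bool:
    """True when the server would hash a different 8-byte challenge than the
    client did, which makes the DES-based NT-Response unverifiable."""
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_name) != \
        challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_name)


if __name__ == "__main__":
    print("NT hash of 'clientPass':", nt_password_hash("clientPass").hex().upper())
    print("Challenge for 'User':", challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, b"User").hex().upper())
    # Constructed names: the client's username from the thread and a hypothetical rewrite.
    client, rewritten = b"tonytestgordonlab", b"tonytestgordonlab@example.invalid"
    print("Rewrite changes the challenge:", rewrite_breaks_challenge(client, rewritten))
```

The takeaway matches Heikki's advice: even a rewrite the server considers harmless (adding or stripping a realm, changing case) yields a different ChallengeHash, and the client's NT-Response will then fail the password check with a "Bad Password" reject like the one in the log, although the stored password is correct.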

