[RADIATOR] MSCHAP-V2 and AuthBy FILE

Heikki Vatiainen hvn at open.com.au
Mon Sep 19 12:36:46 CDT 2011


On 09/19/2011 03:36 AM, Mike Newton wrote:

Hello Mike,

> How can this be done? It keeps complaining about an empty password, I
> guess because it's encrypted. This is what I have now; the next handler
> is an AuthBy SQL and it works just fine, after the user is rejected by
> the FILE handler. Thanks for any assistance.

It should work once you remove RejectEmptyPassword. The reason Radiator
complains is this setting. Check the reference manual to verify if you
need this option or not.

The problem here is there is no password that can be decoded. With
MS-CHAP-V2 you get a challenge that is calculated using the password,
but not the password itself in any form that can be decrypted.

Thanks!
Heikki

> <Handler Service-Type=Framed-User|Login-User|8744>
>     AuthByPolicy ContinueWhileReject
>     Identifier UserAuthenticationHandler
>     <AuthBy FILE>
>         CachePasswordExpiry 86400
>         CachePasswords 1
>         EAPAnonymous anonymous
>         EAPContextTimeout 1000
>         EAPType MSCHAP-V2
>         Filename %D/users
>         Identifier SpecialUserAuthenticationMethod
>         IgnoreAccounting 1
>         NoDefault 1
>         PasswordPrompt password
>         RejectEmptyPassword 1
>     </AuthBy>
>     <AuthBy SQL>
>     </AuthBy>
> 
> Sun Sep 18 20:23:44 2011: DEBUG: Packet dump:
> *** Received from 209.115.176.75 port 32771 ....
> Code:       Access-Request
> Identifier: 119
> Authentic:  <231><153>uw<12><180>wx4<26>(<18><246>=<18><255>
> Attributes:
> Acct-Session-Id = "5f0bb501"
> NAS-Port = 13
> NAS-Port-Type = Wireless-IEEE-802-11
> User-Name = "0RESTRICTED"
> MS-CHAP2-Response = w<0>Y<141> <175>G<198>1<147><221><250><154>L<7>A …
> MS-CHAP-Challenge = <231><153>uw<12><180>wx4<26>(<18><246>=<18><255>
> NAS-Identifier = "FOO"
> Framed-MTU = 1496
> Connect-Info = "HTTPS"
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Message-Authenticator = <175><189>i<150><16>{I\<29><29><197>$y<24><167><197>
> 
> Sun Sep 18 20:23:44 2011: DEBUG: Handling request with Handler
> 'Service-Type=Framed-User|Login-User|8744', Identifier
> 'UserAuthenticationHandler'
> Sun Sep 18 20:23:44 2011: DEBUG:  Deleting session for 0RESTRICTED,
> 209.115.176.75, 13
> Sun Sep 18 20:23:44 2011: DEBUG: Handling with Radius::AuthFILE:
> SpecialUserAuthenticationMethod
> Sun Sep 18 20:23:44 2011: DEBUG: Radius::AuthFILE rejected 0RESTRICTED
> because of an empty password
> Sun Sep 18 20:23:44 2011: DEBUG: AuthBy FILE result: REJECT, Empty password
> Sun Sep 18 20:23:44 2011: DEBUG: Handling with Radius::AuthSQL:
> SQLUserAuthenticationMethod
> Sun Sep 18 20:23:44 2011: DEBUG: Radius::AuthSQL looks for match with
> 0RESTRICTED [0RESTRICTED]
> Sun Sep 18 20:23:44 2011: DEBUG: Radius::AuthSQL ACCEPT: : 0RESTRICTED
> [0RESTRICTED]
> Sun Sep 18 20:23:44 2011: DEBUG: AuthBy SQL result: ACCEPT, 
> Sun Sep 18 20:23:44 2011: DEBUG: Access accepted for 0RESTRICTED


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
