[RADIATOR] MSCHAP-V2 and AuthBy FILE

Mike Newton mnewton at pofp.com
Mon Sep 19 17:20:59 CDT 2011


Thanks a lot for the reply. Removing RejectEmptyPassword did fix it; I thought I had commented it during testing and still received an Access-Reject but I guess I was mistaken.

--
Michael Newton
Manager, Information Systems
Point of Presence Technologies
You manage your business. We’ll manage your network.
3406-2371 Lam Circle, Victoria BC  V8N 6K8
T: 250-412-6688 x 7040
mnewton at pofp.com | www.pofp.com



On 19 Sep 2011, at 10:36, Heikki Vatiainen wrote:

On 09/19/2011 03:36 AM, Mike Newton wrote:

Hello Mike,

How can this be done? It keeps complaining about an empty password, I
guess because it's encrypted. This is what I have now; the next handler
is an AuthBy SQL and it works just fine, after the user is rejected by
the FILE handler. Thanks for any assistance.

It should work once you remove RejectEmptyPassword. The reason Radiator
complains is this setting. Check the reference manual to verify if you
need this option or not.

The problem here is there is no password that can be decoded. With
MS-CHAP-V2 you get a challenge that is calculated using the password,
but not the password itself in any form that can be decrypted.

Thanks!
Heikki

<Handler Service-Type=Framed-User|Login-User|8744>
   AuthByPolicy ContinueWhileReject
   Identifier UserAuthenticationHandler
   <AuthBy FILE>
       CachePasswordExpiry 86400
       CachePasswords 1
       EAPAnonymous anonymous
       EAPContextTimeout 1000
       EAPType MSCHAP-V2
       Filename %D/users
       Identifier SpecialUserAuthenticationMethod
       IgnoreAccounting 1
       NoDefault 1
       PasswordPrompt password
       RejectEmptyPassword 1
   </AuthBy>
   <AuthBy SQL>
       …
   </AuthBy>
</Handler>

Sun Sep 18 20:23:44 2011: DEBUG: Packet dump:
*** Received from 209.115.176.75 port 32771 ....
Code:       Access-Request
Identifier: 119
Authentic:  <231><153>uw<12><180>wx4<26>(<18><246>=<18><255>
Attributes:
Acct-Session-Id = "5f0bb501"
NAS-Port = 13
NAS-Port-Type = Wireless-IEEE-802-11
User-Name = "0RESTRICTED"
MS-CHAP2-Response = w<0>Y<141> <175>G<198>1<147><221><250><154>L<7>A …
MS-CHAP-Challenge = <231><153>uw<12><180>wx4<26>(<18><246>=<18><255>
NAS-Identifier = "FOO"
Framed-MTU = 1496
Connect-Info = "HTTPS"
Framed-Protocol = PPP
Service-Type = Framed-User
Message-Authenticator = <175><189>i<150><16>{I\<29><29><197>$y<24><167><197>

Sun Sep 18 20:23:44 2011: DEBUG: Handling request with Handler 'Service-Type=Framed-User|Login-User|8744', Identifier 'UserAuthenticationHandler'
Sun Sep 18 20:23:44 2011: DEBUG:  Deleting session for 0RESTRICTED, 209.115.176.75, 13
Sun Sep 18 20:23:44 2011: DEBUG: Handling with Radius::AuthFILE: SpecialUserAuthenticationMethod
Sun Sep 18 20:23:44 2011: DEBUG: Radius::AuthFILE rejected 0RESTRICTED because of an empty password
Sun Sep 18 20:23:44 2011: DEBUG: AuthBy FILE result: REJECT, Empty password
Sun Sep 18 20:23:44 2011: DEBUG: Handling with Radius::AuthSQL: SQLUserAuthenticationMethod
Sun Sep 18 20:23:44 2011: DEBUG: Radius::AuthSQL looks for match with 0RESTRICTED [0RESTRICTED]
Sun Sep 18 20:23:44 2011: DEBUG: Radius::AuthSQL ACCEPT: : 0RESTRICTED [0RESTRICTED]
Sun Sep 18 20:23:44 2011: DEBUG: AuthBy SQL result: ACCEPT,
Sun Sep 18 20:23:44 2011: DEBUG: Access accepted for 0RESTRICTED




_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator


--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
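Heikki's point, that an MS-CHAP-V2 Access-Request carries only a challenge and a response and never a password the server can decode, is visible from the attributes alone. The following is an added example (not Radiator code and not part of the thread): it parses the RFC 2865 attribute list, decodes a PAP User-Password the way RFC 2865 section 5.2 specifies, and reports what the server can recover; the attribute numbers are from RFC 2865 and RFC 2548, while the packets, shared secret and authenticator are constructed.

```python
import hashlib
import struct

MS_VENDOR, USER_NAME, USER_PASSWORD, VSA = 311, 1, 2, 26   # RFC 2548 / RFC 2865 numbers
MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 11, 25               # Microsoft VSA sub-types

def attr(atype, value):                 # RFC 2865 Type/Length/Value encoding
    return bytes([atype, 2 + len(value)]) + value

def ms_vsa(vtype, value):               # Vendor-Specific carrying one Microsoft sub-attribute
    return attr(VSA, struct.pack("!I", MS_VENDOR) + attr(vtype, value))

def parse_attributes(payload):
    """Walk the TLV list; Microsoft VSAs come back as (26, vendor_type, value)."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        value = payload[i + 2:i + alen]
        if atype == VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR:
            attrs.append((VSA, value[4], value[6:4 + value[5]]))
        else:
            attrs.append((atype, None, value))
        i += alen
    return attrs

def pap_crypt(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 User-Password hiding: p_i XOR MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for off in range(0, len(data), 16):
        block = data[off:off + 16].ljust(16, b"\0")
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if encrypt else block)
    return out if encrypt else out.rstrip(b"\0")

def password_available(payload, secret, authenticator):
    """('PAP', cleartext); ('MS-CHAP-V2', None) when only challenge/response is present; else ('NONE', None)."""
    attrs = parse_attributes(payload)
    for atype, _, value in attrs:
        if atype == USER_PASSWORD:
            return "PAP", pap_crypt(value, secret, authenticator, encrypt=False)
    ms_types = {vtype for atype, vtype, _ in attrs if atype == VSA}
    if {MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE} <= ms_types:
        return "MS-CHAP-V2", None        # password never on the wire; the backend needs it to verify
    return "NONE", None

SECRET, AUTHENTICATOR = b"testing123", bytes(range(16))   # constructed, not from the thread
PAP_REQUEST = attr(USER_NAME, b"0RESTRICTED") + attr(USER_PASSWORD, pap_crypt(b"s3cret-pw", SECRET, AUTHENTICATOR, True))
MSCHAP_REQUEST = attr(USER_NAME, b"0RESTRICTED") + ms_vsa(MS_CHAP_CHALLENGE, bytes(16)) + ms_vsa(MS_CHAP2_RESPONSE, bytes(50))
```

A FILE backend therefore needs the cleartext (or NT-hash) password in the users file to verify an MS-CHAP-V2 response, and a check such as RejectEmptyPassword that looks for a decoded User-Password fires on every such request.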
