[RADIATOR] Rewrite userna functionality for use in ldap_aps authby
Heikki Vatiainen
hvn at open.com.au
Tue May 1 13:38:16 CDT 2012
On 04/30/2012 07:23 PM, Alex Sharaz wrote:
> root at eduroam-1-east:/var/log/radius# radpwtst -s 150.237.85.225 -secret xxxx -user alexsharaz at sharaz.info -password yyyy -auth_port 1812 -noacct -mschapv2
>
> although it works in that it does rewrite the username stripping off the realm and giving, in this case alexsharaz instead of alexsharaz.info, authentication fails further down the food chain
> Which I guess is something o do with the mschapv2 and the realm in the original request
I think what happens here is the client calculates MS-CHAP2-Response
based on username with realm. Once the Handler strips the realm part,
the respective calculation within AuthBy is done with just the username
part. The results will not then match and the authentication fails.
Can you add UsernameMatchesWithoutRealm into the AuthBy. This does the
user information lookup without realm but does not change the username
allowing MS-CHAP-V2 to succeed.
Thanks!
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list