[RADIATOR] PEAP/MSCHAPv2 auth fails with username at realm

Heikki Vatiainen hvn at open.com.au
Fri Nov 2 14:02:57 CDT 2012


On 11/01/2012 11:38 PM, Christopher Bongaarts wrote:
> I'm trying to debug a problem with PEAP/MSCHAPv2 authentication against 
> LDAP as part of spinning up eduroam.  I've included the relevant 
> Handlers from the configuration below, and the inner authentication part 
> of the (sanitized) log from an attempt to authenticate.  Despite the 
> password being correct, the authentication fails.

I just noticed you have EncryptedPasswordAttr in the LDAP config
section. EncryptedPasswordAttr should be used only for crypt(3) format
hashes. Since you have NT-hashed passwords, you should use PasswordAttr.
See the reference manual for details.

If the hashes are stored without {nthash} prefix, you should still use
PasswordAttr but now you need a PostSearchHook to prepend the prefix.
Use something like this:
  http://www.open.com.au/pipermail/radiator/2005-April/011423.html
or see goodies/addnthashprefix.txt

> This configuration works for MSCHAPv2 without PEAP (i.e. using the 
> TunneledByPEAP Handler as the actual handler instead of the PEAP outer 
> handler) if I have the RewriteUsername uncommented.

That's surprising. I do not think it should work with EncryptedPassword.

> I've tried to stick to the eduroam recipes for Radiator as much as 
> possible, but I'm having trouble getting the MSCHAP auth to use the 
> "username at realm" syntax while having LDAP search on just the username 
> portion to find the user.

Using UsernameMatchesWithoutRealm should work fine. Rewriting the
username can be problematic if the rewritten username becomes part of
the MSCHAP-V2 calculation. This can cause the server and client to use
different usernames for calculating the results, which makes the
authentication fail.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
