[RADIATOR] PEAP/MSCHAPv2 auth fails with username at realm

Christopher Bongaarts cab at umn.edu
Fri Nov 2 16:23:33 CDT 2012

On 11/2/2012 2:02 PM, Heikki Vatiainen wrote:

> I just noticed you have EncryptedPasswordAttr in the LDAP config
> section. EncryptedPasswordAttr should used only for crypt(3) format
> hashes. Since you have NThashed passwords, you should use PasswordAttr.
> See the reference manual for details.
> If the hashes are stored without {nthash} prefix, you should still use
> PasswordAttr but now you need a PostSearchHook to prepend the prefix.
> Use something like this:
>    http://www.open.com.au/pipermail/radiator/2005-April/011423.html
> or see goodies/addnthashprefix.txt

Thanks, this did the trick.

>> This configuration works for MSCHAPv2 without PEAP (i.e. using the
>> TunneledByPEAP Handler as the actual handler instead of the PEAP outer
>> handler) if I have the RewriteUsername uncommented.
> That's surprising. I do not think it should work with EncryptedPassword.

After nosing around in the code a bit (TGFOS):

For plain MSCHAPv2, AuthLDAP2 calls AuthGeneric::check_password and sets 
the "encrypted" parameter if EncryptedPasswordAttr is in use.  Then 
check_password's MSCHAPv2 code knows that it's an NT password hash and 
everything works.

For EAP-MSCHAPv2, EAP_26::response handles the password, and it does not 
know about EncryptedPasswordAttr, it just looks for the {ntuser} magic 
string at the beginning of the password.  Since our directory does not 
have the prefix (I have to use the PostSearchHook), it doesn't work.

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the radiator mailing list