[RADIATOR] PEAP/MSCHAPv2 auth fails with username at realm
Christopher Bongaarts
cab at umn.edu
Fri Nov 2 16:23:33 CDT 2012
On 11/2/2012 2:02 PM, Heikki Vatiainen wrote:
> I just noticed you have EncryptedPasswordAttr in the LDAP config
> section. EncryptedPasswordAttr should be used only for crypt(3) format
> hashes. Since you have NThashed passwords, you should use PasswordAttr.
> See the reference manual for details.
>
> If the hashes are stored without {nthash} prefix, you should still use
> PasswordAttr but now you need a PostSearchHook to prepend the prefix.
> Use something like this:
> http://www.open.com.au/pipermail/radiator/2005-April/011423.html
> or see goodies/addnthashprefix.txt
Thanks, this did the trick.
>> This configuration works for MSCHAPv2 without PEAP (i.e. using the
>> TunneledByPEAP Handler as the actual handler instead of the PEAP outer
>> handler) if I have the RewriteUsername uncommented.
>
> That's surprising. I do not think it should work with EncryptedPassword.
After nosing around in the code a bit (TGFOS):
For plain MSCHAPv2, AuthLDAP2 calls AuthGeneric::check_password and sets
the "encrypted" parameter if EncryptedPasswordAttr is in use. Then
check_password's MSCHAPv2 code knows that it's an NT password hash and
everything works.
For EAP-MSCHAPv2, EAP_26::response handles the password, and it does not
know about EncryptedPasswordAttr, it just looks for the {ntuser} magic
string at the beginning of the password. Since our directory does not
have the prefix (I have to use the PostSearchHook), it doesn't work.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%