[RADIATOR] PEAP/MSCHAPv2 auth fails with username at realm

Heikki Vatiainen hvn at open.com.au
Sun Nov 4 03:59:14 CST 2012


On 11/02/2012 11:23 PM, Christopher Bongaarts wrote:

>>    http://www.open.com.au/pipermail/radiator/2005-April/011423.html
>> or see goodies/addnthashprefix.txt
> 
> Thanks, this did the trick.

Great!

>> That's surprising. I do not think it should work with EncryptedPassword.

> For plain MSCHAPv2, AuthLDAP2 calls AuthGeneric::check_password and sets 
> the "encrypted" parameter if EncryptedPasswordAttr is in use.  Then 
> check_password's MSCHAPv2 code knows that it's an NT password hash and 
> everything works.

Ok, good to see it's not surprising after all. The password (MSCHAP-V2)
checks are done differently for the two cases. Thanks for clarifying
this. Next time I'll need to check the code too :)

Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

