[RADIATOR] AuthNTLM feature requests

Klara Mall klara.mall at kit.edu
Wed Aug 20 17:36:51 CDT 2014


Hi,

On Wed, Aug 20, 2014 at 11:27:30PM +0300, Heikki Vatiainen wrote:
> On 08/20/2014 02:27 AM, Klara Mall wrote:
> 
> > * ntlm_auth_prog-with-variables.patch:
> > This one is related to my last request. I need to use the variable
> > %{Handler:Identifier} in NtlmAuthProg (for group membership checks).
> 
> Hmm, if you are planning to use the same AuthBy NTLM with multiple Handlers,
> this is likely not to work. The ntlm_auth process is started when the
> first request arrives and it will be left running. So if two or more
> Handlers are using the same AuthBy NTLM they will be using the same
> ntlm_auth process.

I see. So what I planned will not work. I have to use a dedicated
AuthBy NTLM for every handler, right? Therefore I also don't need
variables in NtlmAuthProg. I love variables but I cannot use them
here - got it. :)

> > * ntlm-rewritefunction.patch:
> > This one is simply because I need a rewrite function for the inner
> > identity in PEAP/MSCHAP-V2 auth. It is in production since three
> > years or more and there was never a problem with it.
> 
> Can you tell why a rewrite is needed? I'd like to understand better the
> case since so far this has not been required.

Someone wanted to make it possible for the users to authenticate
with either their account name _or_ their email address _or_ their
alias email address. Just as they wish. :/ So I have to make an LDAP
search to do some guessing what I have and then convert it to the
corresponding account name. Then I authenticate the account name
with NTLM.

> > I would be very happy if this (or some better code with the desired
> > functionality) could be included in radiator.
> 
> The patch only changes MSCHAPv2 check but there are plaintext, CHAP and
> MSCHAP checks too. Would those need similar functionality too? Or should
> this go into EAP_26.pm, the EAP-MSCHAP-V2 module, so that the
> functionality would be there for AuthBy FILE, SQL, etc. too, not just
> AuthBy NTLM. Please let us know why this is needed.

You're right, there should be some more explanation. It's just
such a long time ago that I wrote this patch. But now I remember the
whole story: I used RewriteFunction successfully in many handlers to
realise what I described above. As well in <Handler
TunnelledByTTLS=1>. But I noticed that it didn't work in my
<Handler TunnelledByPEAP=1> where I use AuthBy NTLM. Due to your
explanations in my other thread "PEAP and realm check" I think I now
understand why. But anyway this was the reason why I wanted the
RewriteFunction to be applicable in AuthBy NTLM. I don't know with
which auth methods one could have similar difficulties to use
RewriteFunction in the handler. Where one can use it in the handler
there is IMHO no need to use it in AuthBy. Hope you understand what
I mean? Or perhaps here's also some error in my reasoning? Just
tell. :)

Thank you, Heikki.

Regards
Klara
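The arrangement the thread settles on for the first patch (a dedicated AuthBy NTLM per Handler, with the group-membership check placed directly in that Handler's NtlmAuthProg instead of interpolating %{Handler:Identifier} into a shared one) as a Radiator configuration sketch. This is an added illustration, not configuration from the original message or from the Radiator project; the Realm values, group names, program path and the --require-membership-of option of Samba's ntlm_auth are assumptions, not taken from the thread.

```conf
# Added illustration, not from the thread. Why two AuthBy NTLM clauses:
# each AuthBy NTLM starts its ntlm_auth helper on the first request and
# keeps that process running, so a single AuthBy NTLM shared by several
# Handlers would run one helper for all of them and a per-Handler variable
# in NtlmAuthProg could only ever take the first Handler's value.
# Realm values, group names and paths below are placeholders.

<Handler TunnelledByPEAP=1, Realm=staff.example.org>
    Identifier PEAP-Staff
    <AuthBy NTLM>
        EAPType MSCHAP-V2
        # Group check fixed at configuration time for this Handler only.
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE\\staff-wifi
    </AuthBy>
</Handler>

<Handler TunnelledByPEAP=1, Realm=students.example.org>
    Identifier PEAP-Students
    <AuthBy NTLM>
        EAPType MSCHAP-V2
        # Separate helper process, separate group requirement.
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE\\students-wifi
    </AuthBy>
</Handler>
```

The cost of this layout is one long-lived ntlm_auth process per Handler rather than one overall, which is what makes the per-Handler group requirement safe: a helper started with one --require-membership-of value cannot be reused by a Handler that needs a different one. The identity rewrite discussed for the second patch is deliberately left out here, since the thread does not conclude where it belongs for the PEAP inner Handler.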
