[RADIATOR] Troubles trying to proxy NTLM

David Zych dmrz at illinois.edu
Thu Oct 30 11:06:29 CDT 2014


On 10/29/2014 12:05 PM, Jethro R Binks wrote:
> However, if I change it (on the same host) to look like this in the front-end, modelled
> after David's examples:
> 
> <AuthBy GROUP>
>   # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
>   Identifier      ITSAuthEAPInnerJRB
>   AuthBy          BackendProxy
> </AuthBy>
> 
> <AuthBy ROUNDROBIN>
>   Identifier BackendProxy
>   Include %D/secret.backend.conf
>   RetryTimeout 3
>   Retries 0
>   MaxTargetHosts 2
>   FailureBackoffTime 1
>   StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
>   AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
>   ReplyTimeoutHook file:"%D/hooks/replytimeout"
>   <Host 127.0.0.1>
>     AuthPort %{GlobalVar:Backendworker1Port}
>   </Host>
>   IgnoreAccounting
> </AuthBy>
> 
> and then in the backend:
> 
> <Handler Client-Identifier=frontend>
>   Identifier frontend
>   AuthBy ITSAuthEAPInnerNTLMbackend
> </Handler>
> 
> <AuthBy NTLM>
>   Identifier      ITSAuthEAPInnerNTLMbackend
>   NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
>   DefaultDomain DS.STRATH.AC.UK
>   EAPType MSCHAP-V2
>   UsernameMatchesWithoutRealm
> </AuthBy>
> 
> I always get a password failure from ntlm_auth when going through Radiator.

Hi Jethro,

The main difference I see between the above and what I'm doing is that
my back-end instance AuthBy NTLM doesn't do any EAP. Instead, my main
instance takes care of converting any EAP-MSCHAPv2 to plain MSCHAPv2
_before_ proxying it to the back-end, thus making sure that the back-end
only has to handle a single (stateless) request/response and not a
multiple-request "conversation". This is especially important if you're
using ROUNDROBIN with multiple Hosts (as I am), but might have an effect
even with just one Host; I'm not sure.

The relevant pieces of my main instance config are below (the hooks are
not important to this discussion).

HTH,
David


# Convert EAP-MSCHAPV2 requests into ordinary MSCHAPV2 requests that
# get redispatched to a Handler matching ConvertedFromEAPMSCHAPV2=1
<AuthBy FILE>
  Identifier eap_mschap_converter
  # don't allow any non-EAP logins
  Filename %D/users.nomatch
  EAPType MSCHAP-V2
  EAP_PEAP_MSCHAP_Convert
  # Copy additional attributes to the inner request before dispatching
  PreHandlerHook sub { CITES::inner_attrs(@_) }
</AuthBy>

# "inner request" helpers
<Handler X-Client-Identifier=wireless, ConvertedFromEAPMSCHAPV2=1>
  Identifier wireless-EAPMSCHAPV2
  # this attribute is not in the dictionary
  StripFromRequest ConvertedFromEAPMSCHAPV2
  AuthBy workerproxy
  RejectHasReason
  AuthLog wirelessInnermostAuthlog
</Handler>

<Handler X-Client-Identifier=wireless, TunnelledByTTLS=1>
  Identifier wireless-TTLS
  # encapsulated protocol may be EAP-MSCHAPv2 or plain MSCHAPv2
  AuthByPolicy ContinueWhileReject
  AuthBy eap_mschap_converter
  AuthBy workerproxy
  RejectHasReason
  PostAuthHook sub { CITES::authlog_attributes(@_) }
  AuthLog wirelessInnerAuthlog
</Handler>

<Handler X-Client-Identifier=wireless, TunnelledByPEAP=1>
  Identifier wireless-PEAP
  AuthBy eap_mschap_converter
  RejectHasReason
  PostAuthHook sub { CITES::authlog_attributes(@_) }
  AuthLog wirelessInnerAuthlog
</Handler>

# handle wireless access requests
<Handler X-Client-Identifier=wireless, Request-Type=Access-Request>
  Identifier wireless
  AuthByPolicy ContinueWhileAccept

  # Block by MAC address
  AuthBy wireless-mac_block

  # (this is my AuthBy FILE with EAPType TTLS,PEAP)
  AuthBy wireless-eapOuter

  PostAuthHook sub { CITES::inner_identity(@_); CITES::authlog_attributes(@_) }

  AuthLog wirelessAuthlog
  AuthLog wirelessSyslog
</Handler>
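To make the point in the reply concrete, here is an added illustration (not Radiator code and not part of the original message) of why a multi-round EAP-MSCHAPv2 conversation breaks when it is spread over a stateless ROUNDROBIN pool, while a converted, single-request MSCHAPv2 check does not. The worker classes, attribute names and the credential store are constructed for the example, and the response check uses an HMAC as a stand-in for the real MSCHAPv2 NT-Response computation, which it does not implement.

```python
"""Model of why a multi-round EAP conversation breaks under a stateless
ROUNDROBIN proxy while a single MSCHAPv2 request does not.

Added illustration, not Radiator code.  Backends, attribute names and the
toy response check are constructed for the example; real MSCHAPv2 uses the
NT-hash/DES response, which this stand-in does not implement.
"""
import hashlib
import hmac
import os
import secrets

# constructed credential store shared by every backend worker
USERS = {"jrb": "correct horse battery staple"}


def toy_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the MSCHAPv2 NT-Response (HMAC instead of DES/MD4)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class EapBackend:
    """Back-end that runs the EAP-MSCHAPv2 conversation itself, so it must
    remember the challenge it issued (keyed by the RADIUS State attribute)."""

    def __init__(self, name: str):
        self.name = name
        self.sessions = {}  # State -> outstanding challenge

    def handle(self, req: dict) -> dict:
        state = req.get("State")
        if state is None:
            # round 1: issue a challenge and ask the client to come back
            state, challenge = secrets.token_hex(8), os.urandom(16)
            self.sessions[state] = challenge
            return {"code": "Access-Challenge", "State": state,
                    "challenge": challenge, "host": self.name}
        if state not in self.sessions:
            # round 2 arrived at a worker that never saw round 1
            return {"code": "Access-Reject", "host": self.name,
                    "reason": "unknown State"}
        challenge = self.sessions.pop(state)
        expected = toy_response(USERS.get(req["User-Name"], ""), challenge)
        ok = hmac.compare_digest(expected, req["response"])
        return {"code": "Access-Accept" if ok else "Access-Reject",
                "host": self.name}


class MschapBackend:
    """Back-end that only sees plain MSCHAPv2: challenge and response arrive
    together in one request, so no per-session memory is needed."""

    def __init__(self, name: str):
        self.name = name

    def handle(self, req: dict) -> dict:
        expected = toy_response(USERS.get(req["User-Name"], ""), req["challenge"])
        ok = hmac.compare_digest(expected, req["response"])
        return {"code": "Access-Accept" if ok else "Access-Reject",
                "host": self.name}


class RoundRobinProxy:
    """Front-end that rotates every request over its hosts with no stickiness,
    like AuthBy ROUNDROBIN with several <Host> clauses."""

    def __init__(self, hosts):
        self.hosts, self.next = list(hosts), 0

    def forward(self, req: dict) -> dict:
        host = self.hosts[self.next % len(self.hosts)]
        self.next += 1
        return host.handle(req)


def run_eap_conversation(n_hosts: int, user="jrb", password=USERS["jrb"]) -> dict:
    """Drive the two-round EAP exchange through a proxy over n_hosts workers."""
    proxy = RoundRobinProxy(EapBackend(f"worker{i}") for i in range(n_hosts))
    first = proxy.forward({"User-Name": user})
    assert first["code"] == "Access-Challenge"
    # the client answers the challenge; the front-end only echoes State back
    return proxy.forward({"User-Name": user, "State": first["State"],
                          "response": toy_response(password, first["challenge"])})


def run_converted_request(n_hosts: int, user="jrb", password=USERS["jrb"]) -> dict:
    """The front-end terminated EAP and sends one self-contained MSCHAPv2 request."""
    proxy = RoundRobinProxy(MschapBackend(f"worker{i}") for i in range(n_hosts))
    challenge = os.urandom(16)  # issued by the front-end during its own EAP exchange
    return proxy.forward({"User-Name": user, "challenge": challenge,
                          "response": toy_response(password, challenge)})


if __name__ == "__main__":
    print("EAP over 1 host   :", run_eap_conversation(1)["code"])
    print("EAP over 2 hosts  :", run_eap_conversation(2)["code"])
    print("converted, 2 hosts:", run_converted_request(2)["code"])
```

With one worker the EAP conversation completes, with two it is rejected at the second round because the worker that receives the response never issued the challenge; the converted request carries challenge and response together, so any worker can answer it. This is the property the EAP_PEAP_MSCHAP_Convert front-end relies on when it hands plain MSCHAPv2 to the ROUNDROBIN pool.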

