[RADIATOR] Troubles trying to proxy NTLM

Jethro R Binks jethro.binks at strath.ac.uk
Thu Oct 30 12:37:03 CDT 2014


This:

  EAP_PEAP_MSCHAP_Convert

Is almost certainly what I am missing.  Thanks, will try that!

Jethro.

On Thu, 30 Oct 2014, David Zych wrote:

> On 10/29/2014 12:05 PM, Jethro R Binks wrote:
> > However, if I change it (on the same host) to look like this in the front-end, modelled
> > after David's examples:
> > 
> > <AuthBy GROUP>
> >   # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
> >   Identifier      ITSAuthEAPInnerJRB
> >   AuthBy          BackendProxy
> > </AuthBy>
> > 
> > <AuthBy ROUNDROBIN>
> >   Identifier BackendProxy
> >   Include %D/secret.backend.conf
> >   RetryTimeout 3
> >   Retries 0
> >   MaxTargetHosts 2
> >   FailureBackoffTime 1
> >   StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
> >   AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
> >   ReplyTimeoutHook file:"%D/hooks/replytimeout"
> >   <Host 127.0.0.1>
> >     AuthPort %{GlobalVar:Backendworker1Port}
> >   </Host>
> >   IgnoreAccounting
> > </AuthBy>
> > 
> > and then in the backend:
> > 
> > <Handler Client-Identifier=frontend>
> >   Identifier frontend
> >   AuthBy ITSAuthEAPInnerNTLMbackend
> > </Handler>
> > 
> > <AuthBy NTLM>
> >   Identifier      ITSAuthEAPInnerNTLMbackend
> >   NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
> >   DefaultDomain DS.STRATH.AC.UK
> >   EAPType MSCHAP-V2
> >   UsernameMatchesWithoutRealm
> > </AuthBy>
> > 
> > I always get a password failure from ntlm_auth when going through Radiator.
> 
> Hi Jethro,
> 
> The main difference I see between the above and what I'm doing is that
> my back-end instance AuthBy NTLM doesn't do any EAP. Instead, my main
> instance takes care of converting any EAP-MSCHAPv2 to plain MSCHAPv2
> _before_ proxying it to the back-end, thus making sure that the back-end
> only has to handle a single (stateless) request/response and not a
> multiple-request "conversation". This is especially important if you're
> using ROUNDROBIN with multiple Hosts (as I am), but might have an effect
> even with just one Host; I'm not sure.
> 
> The relevant pieces of my main instance config are below (the hooks are
> not important to this discussion).
> 
> HTH,
> David
> 
> 
> # Convert EAP-MSCHAPV2 requests into ordinary MSCHAPV2 requests that
> # get redispatched to a Handler matching ConvertedFromEAPMSCHAPV2=1
> <AuthBy FILE>
>   Identifier eap_mschap_converter
>   # don't allow any non-EAP logins
>   Filename %D/users.nomatch
>   EAPType MSCHAP-V2
>   EAP_PEAP_MSCHAP_Convert
>   # Copy additional attributes to the inner request before dispatching
>   PreHandlerHook sub { CITES::inner_attrs(@_) }
> </AuthBy>
> 
> # "inner request" helpers
> <Handler X-Client-Identifier=wireless, ConvertedFromEAPMSCHAPV2=1>
>   Identifier wireless-EAPMSCHAPV2
>   # this attribute is not in the dictionary
>   StripFromRequest ConvertedFromEAPMSCHAPV2
>   AuthBy workerproxy
>   RejectHasReason
>   AuthLog wirelessInnermostAuthlog
> </Handler>
> 
> <Handler X-Client-Identifier=wireless, TunnelledByTTLS=1>
>   Identifier wireless-TTLS
>   # encapsulated protocol may be EAP-MSCHAPv2 or plain MSCHAPv2
>   AuthByPolicy ContinueWhileReject
>   AuthBy eap_mschap_converter
>   AuthBy workerproxy
>   RejectHasReason
>   PostAuthHook sub { CITES::authlog_attributes(@_) }
>   AuthLog wirelessInnerAuthlog
> </Handler>
> 
> <Handler X-Client-Identifier=wireless, TunnelledByPEAP=1>
>   Identifier wireless-PEAP
>   AuthBy eap_mschap_converter
>   RejectHasReason
>   PostAuthHook sub { CITES::authlog_attributes(@_) }
>   AuthLog wirelessInnerAuthlog
> </Handler>
> 
> # handle wireless access requests
> <Handler X-Client-Identifier=wireless, Request-Type=Access-Request>
>   Identifier wireless
>   AuthByPolicy ContinueWhileAccept
> 
>   # Block by MAC address
>   AuthBy wireless-mac_block
> 
> #(this is my AuthBy FILE with EAPType TTLS,PEAP)
>   AuthBy wireless-eapOuter
> 
>   PostAuthHook sub { CITES::inner_identity(@_); CITES::authlog_attributes(@_) }
> 
>   AuthLog wirelessAuthlog
>   AuthLog wirelessSyslog
> </Handler>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
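David's conversion means the back-end sees one plain MS-CHAPv2 Access-Request (MS-CHAP-Challenge plus MS-CHAP2-Response) and can answer it from a single exchange with ntlm_auth, which is why it stays stateless across ROUNDROBIN hosts. As an added illustration (editor's Python, not Radiator's or David's code), this reconstructs what AuthBy NTLM has to derive from those two attributes for the ntlm-server-1 helper protocol named on Jethro's NtlmAuthProg line. It assumes Samba's "Key: value" line format for that protocol, that the ChallengeHash is computed over the bare user part, and uses EXAMPLE as a placeholder domain; the sample input is the RFC 2759 test vector.

```python
import hashlib

def mschapv2_challenge(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    Assumption: the bare user part (no domain/realm) is hashed, as a Windows supplicant does."""
    return hashlib.sha1(peer_challenge + auth_challenge + user.encode("ascii")).digest()[:8]

def split_user(username: str, default_domain: str):
    """'DOMAIN\\user' -> (DOMAIN, user); 'user@realm' drops the realm; bare names get default_domain."""
    if "\\" in username:
        domain, user = username.split("\\", 1)
        return domain, user
    return default_domain, username.split("@", 1)[0]

def build_ntlm_server_1_request(username, mschap_challenge, mschap2_response, default_domain):
    """Map the two RADIUS attributes of a plain MS-CHAPv2 Access-Request to the text block
    written to 'ntlm_auth --helper-protocol=ntlm-server-1' (one 'Key: value' per line)."""
    # MS-CHAP2-Response (RFC 2548 2.3.3): Ident(1) Flags(1) PeerChallenge(16) Reserved(8) NT-Response(24)
    if len(mschap_challenge) != 16 or len(mschap2_response) != 50:
        raise ValueError("need a 16-byte MS-CHAP-Challenge and a 50-byte MS-CHAP2-Response")
    peer_challenge = mschap2_response[2:18]
    nt_response = mschap2_response[26:50]
    domain, user = split_user(username, default_domain)
    challenge = mschapv2_challenge(peer_challenge, mschap_challenge, user)
    lines = [f"Username: {user}", f"NT-Domain: {domain}",
             f"LANMAN-Challenge: {challenge.hex()}", f"NT-Response: {nt_response.hex()}",
             "Request-User-Session-Key: Yes", "."]  # a lone '.' terminates the request
    return "\n".join(lines) + "\n"

def parse_ntlm_server_1_reply(reply: str):
    """Reply block: 'Authenticated: Yes|No', optional 'Authentication-Error: ...' and
    'User-Session-Key: <hex>', ended by a lone '.'. Returns (ok, error, session_key)."""
    fields = {}
    for line in reply.splitlines():
        if line.strip() == ".":
            break
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return (fields.get("Authenticated") == "Yes", fields.get("Authentication-Error"),
            fields.get("User-Session-Key"))

# RFC 2759 section 9.2 test vector (user "User", password "clientPass"), used as sample input.
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

def sample_request() -> str:
    """Constructed MS-CHAP2-Response carrying the RFC vector, as a Windows supplicant sends it."""
    mschap2_response = bytes([1, 0]) + RFC_PEER_CHALLENGE + bytes(8) + RFC_NT_RESPONSE
    return build_ntlm_server_1_request("EXAMPLE\\User", RFC_AUTH_CHALLENGE, mschap2_response, "EXAMPLE")
```

Everything the helper needs is present in that one request, so a failed ntlm_auth check on a converted request points at credentials or domain membership rather than at lost EAP state between proxied packets.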
