[RADIATOR] Simple Question Regarding Realm Handling

Ullfig, Roberto Alfredo rullfig at uic.edu
Tue Mar 22 18:51:19 UTC 2022


For some reason this is not working. AD always thinks that the credentials are wrong. Debug shows:

Tue Mar  8 11:09:51 2022: DEBUG: Handling request with Handler 'ConvertedFromEAPMSCHAPV2=1, User-Name=/^[^@]+(@uic\.edu)?(@uic\.wireless)?\z/i', Identifier ''
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID
...
Tue Mar  8 11:09:51 2022: DEBUG: Handling with Radius::AuthNTLM:
Tue Mar  8 11:09:51 2022: DEBUG: Radius::AuthNTLM looks for match with NETID [NETID@uic.edu]
...
Tue Mar  8 11:09:51 2022: DEBUG: Received attribute: Authenticated: No
Tue Mar  8 11:09:51 2022: DEBUG: Received attribute: Authentication-Error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Tue Mar  8 11:09:51 2022: DEBUG: Received attribute: .
Tue Mar  8 11:09:51 2022: WARNING: NTLM Could not authenticate user 'NETID': When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Tue Mar  8 11:09:51 2022: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: NETID [NETID@uic.edu]
Tue Mar  8 11:09:51 2022: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM Password check failed
Tue Mar  8 11:09:51 2022: INFO: Access rejected for NETID: AuthBy NTLM Password check failed
Tue Mar  8 11:09:51 2022: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:

I need to get on-site to do some more debugging but does anyone have any ideas? Is ntlm_auth messing up somewhere? Is the problem related to a PEAP tunnel? AD confirms incorrect credentials but that's not the case. If we just do a simple thing like this:

<Handler ConvertedFromEAPMSCHAPV2=1>
...
        <AuthBy NTLM>
                UsernameMatchesWithoutRealm
                DefaultDomain AD
        </AuthBy>

Everything works just fine.

One thing I don't understand is that just before that section in the debug log we have:

Tue Mar  8 11:09:51 2022: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless

I don't understand this PEAP tunnel section and maybe that's part of the problem.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Thursday, February 24, 2022 3:44 PM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling

On 23.2.2022 23.27, Ullfig, Roberto Alfredo wrote:

> Wed Feb 23 15:03:55 2022: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM
> Password check failed: user [user@uic.edu]
> Wed Feb 23 15:03:55 2022: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM
> Password check failed
>
> To AD it looks like a wrong password was entered. Why do the NTLM lines
> have "user [user@uic.edu]" - why not just user?
The format is 'value used for authenticating [original username]'. For
example, if username is rewritten, or something else, such as
Calling-Station-Id attribute value, is used to lookup user record, that
value gets logged first.

What follows between [] is the original User-Name as it was received.

The idea is to log information about what's currently used and what was
originally received as User-Name.

In your example, 'user' is passed to NTLM subsystem as authentication
username instead of 'user@uic.edu' that was the value in the incoming
request.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
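The following is an added worked example, not code from the thread or from Radiator itself. It reproduces the two pieces of mechanics discussed above in Python so they can be checked offline: the Handler selector regex quoted in the debug log (which User-Name forms it does and does not select, including the doubled NETID@uic.edu@uic.wireless form from the PEAP handler), and the AuthNTLM log format Heikki explains, 'value used for authentication [original User-Name]', parsed from constructed log lines modelled on the ones posted. The realm-stripping helper (everything before the first '@') and the DefaultDomain helper are assumptions that mirror what the posted log and config imply; they are not Radiator's own rewrite or NTLM code.

```python
import re

# Handler selector regex copied from the debug line on this page
# ("User-Name=/^[^@]+(@uic\.edu)?(@uic\.wireless)?\z/i"); Perl's \z is Python's \Z.
HANDLER_USERNAME_RE = re.compile(r"^[^@]+(@uic\.edu)?(@uic\.wireless)?\Z", re.IGNORECASE)

# AuthNTLM log lines end in 'value used for authentication [original User-Name]'
# (Heikki's explanation above). Timestamp and level prefixes follow the page's format.
AUTHNTLM_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): "
    r"Radius::AuthNTLM (?P<msg>.*?) (?P<auth_user>\S+) \[(?P<orig_user>[^\]]+)\]$"
)


def handler_selects(user_name):
    """True if this User-Name would be picked up by the Handler quoted in the log."""
    return HANDLER_USERNAME_RE.search(user_name) is not None


def strip_realms(user_name):
    """Assumed stand-in for the rewrite the log shows as 'Rewrote user name to NETID':
    keep everything before the first '@'. Assumption: Radiator's own rule may differ;
    this is only what the posted log lines imply."""
    return user_name.split("@", 1)[0]


def ntlm_identity(user_name, default_domain="AD"):
    """Split a name into (domain, user) the way 'DefaultDomain AD' is used in the
    posted config: an explicit DOMAIN\\user wins, otherwise the default domain applies.
    Assumption: this mirrors the config semantics, not Radiator's NTLM code."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    return default_domain, user_name


def parse_authntlm_line(line):
    """Return (auth_user, orig_user) from an AuthNTLM log line, or None if it is
    not a 'value [original]' line."""
    m = AUTHNTLM_LINE_RE.match(line)
    if m is None:
        return None
    return m.group("auth_user"), m.group("orig_user")


def check_authntlm_log(lines):
    """For each AuthNTLM 'value [original]' line, report what was sent to NTLM,
    what arrived in User-Name, and whether the realm was stripped in between."""
    report = []
    for line in lines:
        parsed = parse_authntlm_line(line)
        if parsed is None:
            continue
        auth_user, orig_user = parsed
        report.append({
            "auth_user": auth_user,
            "orig_user": orig_user,
            "rewritten": auth_user != orig_user,
            "realm_stripped": strip_realms(orig_user) == auth_user,
        })
    return report


# Constructed sample log lines modelled on the page's debug output ('@' restored).
SAMPLE_LOG = [
    "Tue Mar  8 11:09:51 2022: DEBUG: Handling with Radius::AuthNTLM:",
    "Tue Mar  8 11:09:51 2022: DEBUG: Radius::AuthNTLM looks for match with NETID [NETID@uic.edu]",
    "Tue Mar  8 11:09:51 2022: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: NETID [NETID@uic.edu]",
]

if __name__ == "__main__":
    for name in ["NETID", "NETID@uic.edu", "NETID@UIC.EDU@uic.wireless",
                 "NETID@uic.wireless@uic.edu", "NETID@example.org"]:
        print(f"{name!r}: handler selects={handler_selects(name)}, "
              f"stripped={strip_realms(name)!r}, ntlm={ntlm_identity(strip_realms(name))}")
    for entry in check_authntlm_log(SAMPLE_LOG):
        print(entry)
```

Running it shows that the Handler regex accepts the bare NETID, NETID@uic.edu (any case) and NETID@uic.edu@uic.wireless, but not the realms in the other order or a foreign realm, and that in the posted AuthNTLM lines the value handed to NTLM ('NETID') is the original User-Name with its realm stripped. Point the parser at a real Radiator trace to confirm which name actually reached ntlm_auth before suspecting the password itself.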