[RADIATOR] Simple Question Regarding Realm Handling

Heikki Vatiainen hvn at open.com.au
Wed Mar 23 07:46:36 UTC 2022


On 22.3.2022 20.51, Ullfig, Roberto Alfredo wrote:

> I need to get on-site to do some more debugging but does anyone have any 
> ideas? Is ntlm_auth messing up somewhere? Is the problem related to a 
> PEAP tunnel? AD confirms incorrect credentials but that's not the case. 
> If we just do a simple thing like this:

Please also see this:
https://files.radiatorsoftware.com/radiator/ref/NtlmAuthProg_AuthByNTLM.html

Adding --allow-mschapv2 is often needed currently but it's not on by 
default because older ntlm_auth versions don't support it and fail to start.

> <Handler ConvertedFromEAPMSCHAPV2=1>
> ...
>          <AuthBy NTLM>
>                  UsernameMatchesWithoutRealm
>                  DefaultDomain AD
>          </AuthBy>
> 
> Everything works just fine.
> 
> One thing I don't understand is that just before that section in the 
> debug log we have:

You could try removing the rewrites. A double @realm could cause a 
problem here. Hashing that MSCHAP versions do includes username. I don't 
have a tester right to refresh my memory, but this might be a part of 
problem. There's a possibility to do username rewrites with AuthBy NTLM 
and, for example, EAP-MSCHAP-V2, so a definite answer would require a 
review and test.

To summarise: you could consider the additional option for ntlm_auth and 
drop the rewrites. Double @realm is actually against the RFC that 
defines Radius username and I don't think it's used by, for example, AD 
even internally.

> Tue Mar  8 11:09:51 2022: DEBUG: Handling request with Handler 
> 'TunnelledByPEAP=1', Identifier ''
> Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to 
> NETID at uic.edu@uic.wireless
> Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to 
> NETID at uic.edu@uic.wireless
> Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to 
> NETID at uic.edu@uic.wireless
> 
> I don't understand this PEAP tunnel section and maybe that's part of the 
> problem.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.


More information about the radiator mailing list