[RADIATOR] Simple Question Regarding Realm Handling
Heikki Vatiainen
hvn at open.com.au
Wed Mar 23 07:46:36 UTC 2022
On 22.3.2022 20.51, Ullfig, Roberto Alfredo wrote:
> I need to get on-site to do some more debugging but does anyone have any
> ideas? Is ntlm_auth messing up somewhere? Is the problem related to a
> PEAP tunnel? AD confirms incorrect credentials but that's not the case.
> If we just do a simple thing like this:
Please also see this:
https://files.radiatorsoftware.com/radiator/ref/NtlmAuthProg_AuthByNTLM.html
Adding --allow-mschapv2 is often needed currently but it's not on by
default because older ntlm_auth versions don't support it and fail to start.
> <Handler ConvertedFromEAPMSCHAPV2=1>
> ...
> <AuthBy NTLM>
> UsernameMatchesWithoutRealm
> DefaultDomain AD
> </AuthBy>
>
> Everything works just fine.
>
> One thing I don't understand is that just before that section in the
> debug log we have:
You could try removing the rewrites. A double @realm could cause a
problem here. Hashing that MSCHAP versions do includes username. I don't
have a tester right to refresh my memory, but this might be a part of
problem. There's a possibility to do username rewrites with AuthBy NTLM
and, for example, EAP-MSCHAP-V2, so a definite answer would require a
review and test.
To summarise: you could consider the additional option for ntlm_auth and
drop the rewrites. Double @realm is actually against the RFC that
defines Radius username and I don't think it's used by, for example, AD
even internally.
> Tue Mar 8 11:09:51 2022: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> NETID at uic.edu@uic.wireless
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> NETID at uic.edu@uic.wireless
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> NETID at uic.edu@uic.wireless
>
> I don't understand this PEAP tunnel section and maybe that's part of the
> problem.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
More information about the radiator
mailing list