[RADIATOR] Simple Question Regarding Realm Handling

Ullfig, Roberto Alfredo rullfig at uic.edu
Wed Mar 23 15:55:11 UTC 2022

Is there a good document that goes over PEAP, EAP, and MSCHAPV2?

Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago

From: Heikki Vatiainen <hvn at open.com.au>
Sent: Wednesday, March 23, 2022 2:46 AM
To: Ullfig, Roberto Alfredo <rullfig at uic.edu>; radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling

On 22.3.2022 20.51, Ullfig, Roberto Alfredo wrote:

> I need to get on-site to do some more debugging but does anyone have any
> ideas? Is ntlm_auth messing up somewhere? Is the problem related to a
> PEAP tunnel? AD confirms incorrect credentials but that's not the case.
> If we just do a simple thing like this:

Please also see this:

Adding --allow-mschapv2 is often needed currently but it's not on by
default because older ntlm_auth versions don't support it and fail to start.

> <Handler ConvertedFromEAPMSCHAPV2=1>
> ...
>          <AuthBy NTLM>
>                  UsernameMatchesWithoutRealm
>                  DefaultDomain AD
>          </AuthBy>
> Everything works just fine.
> One thing I don't understand is that just before that section in the
> debug log we have:

You could try removing the rewrites. A double @realm could cause a
problem here. Hashing that MSCHAP versions do includes username. I don't
have a tester right now to refresh my memory, but this might be a part of
the problem. There's a possibility to do username rewrites with AuthBy NTLM
and, for example, EAP-MSCHAP-V2, so a definite answer would require a
review and test.

To summarise: you could consider the additional option for ntlm_auth and
drop the rewrites. Double @realm is actually against the RFC that
defines Radius username and I don't think it's used by, for example, AD
even internally.

> Tue Mar  8 11:09:51 2022: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
> Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
> Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
> I don't understand this PEAP tunnel section and maybe that's part of the
> problem.

Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
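The following is an added example, not code from this thread or from Radiator, that turns Heikki's point into a quick check: scan Radiator DEBUG output for "Rewrote user name to" lines and flag any rewritten name whose realm part still contains an '@' (user@realm1@realm2). It assumes Radiator prints each rewrite on one line in the form quoted above; the sample log is constructed from the thread's lines with the archive's " at " obfuscation undone, and is not real captured output.

```python
import re
from typing import List, Tuple

# Assumption: Radiator prints each rewrite as a single DEBUG line of the form
# "<timestamp>: DEBUG: Rewrote user name to <name>". The archive above wrapped
# the name onto its own line, so \s+ is used to span a line break as well.
REWRITE_RE = re.compile(r"DEBUG: Rewrote user name to\s+(\S+)")

# Constructed sample modelled on the lines quoted in the thread; not real output.
SAMPLE_LOG = """\
Tue Mar  8 11:09:51 2022: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID@uic.edu@uic.wireless
Tue Mar  8 11:09:52 2022: DEBUG: Handling request with Handler 'ConvertedFromEAPMSCHAPV2=1', Identifier ''
Tue Mar  8 11:09:52 2022: DEBUG: Rewrote user name to NETID@uic.edu
"""


def split_nai(name: str) -> Tuple[str, str]:
    """Split a RADIUS User-Name into (user, realm) at the first '@'.
    A name without '@' yields an empty realm."""
    user, _sep, realm = name.partition("@")
    return user, realm


def is_double_realm(name: str) -> bool:
    """True when the part after the first '@' still contains an '@',
    i.e. the name looks like user@realm1@realm2."""
    return "@" in split_nai(name)[1]


def rewritten_names(log_text: str) -> List[str]:
    """Every name produced by a 'Rewrote user name to' line, in log order."""
    return REWRITE_RE.findall(log_text)


def audit(log_text: str) -> List[str]:
    """Unique rewritten names that carry a doubled realm, sorted."""
    return sorted({n for n in rewritten_names(log_text) if is_double_realm(n)})


if __name__ == "__main__":
    for name in audit(SAMPLE_LOG):
        user, realm = split_nai(name)
        print(f"doubled realm after rewrite: {name!r} (user={user!r}, realm={realm!r})")
```

Run it against a real Radiator trace (for example, `python3 audit_rewrites.py < radiator.log` after replacing SAMPLE_LOG with `sys.stdin.read()`); a non-empty result means a rewrite rule is appending a second @realm, which is the case the reply above suggests removing the rewrites for, since the MSCHAP hashes include the username as presented.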