[RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade

Jethro Binks jethro.binks at strath.ac.uk
Mon Sep 23 18:16:24 UTC 2024


Thanks Heikki.

I managed to run Radiator-4.17 on the new host for the backend EAP auth part and there is no difference in behaviour.

I also upgraded the samba pkg to 4.19.8 in the hope that that fixed something in ntlm_auth but no change there either.

I went back to my original tests.

mschap-test -c succeeds

Eapol_test using a non-realm identity="username" succeeds

Eapol_test using realm identity="username at strath.ac.uk" fails NT_STATUS_WRONG_PASSWORD

Running ntlm_auth manually, feeding as input what was captured from the requests going via Radiator, also succeeds and fails in the same way. Username and NT-Domain are identical and correct (base64 encoded) in each case; all that is different is LANMAN-Challenge and NT-Response.

For info, the OS upgrade was from FreeBSD10.3 to 13.3.

Any more suggestions?

Jethro.


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

Jethro R Binks, Network Manager,

Information Services Directorate, University Of Strathclyde, Glasgow, UK


The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen via radiator <radiator at lists.open.com.au>
Sent: 16 September 2024 2:46 PM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade

On 13.9.2024 0.29, Jethro Binks via radiator wrote:

> > You did mention that the OS that runs Radiator is also a new one.
> > Could it be that the samba config is different enough to cause the
> > change in behaviour?
>
> Mildly, as the samba version was also greater so some adjustments were
> made (upgrading samba always throws in changes).  But the above tests
> are all against the same running samba on the new server.  The key
> setting may be "ntlm auth = mschapv2-and-ntlmv2-only" which was unstated
> (removing it doesn't seem to make a difference to the results).

Do you think you could try the current Radiator version on the old
server? That would help to learn if we could reduce the number of
changed components in the whole system.

Or as an alternative, try the older Radiator version on the new system.

Thanks,
Heikki


--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

