<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Is there a good document that goes over PEAP, EAP, and MSCHAPV2?</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Heikki Vatiainen <hvn@open.com.au><br>
<b>Sent:</b> Wednesday, March 23, 2022 2:46 AM<br>
<b>To:</b> Ullfig, Roberto Alfredo <rullfig@uic.edu>; radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] Simple Question Regarding Realm Handling</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On 22.3.2022 20.51, Ullfig, Roberto Alfredo wrote:<br>
<br>
> I need to get on-site to do some more debugging but does anyone have any <br>
> ideas? Is ntlm_auth messing up somewhere? Is the problem related to a <br>
> PEAP tunnel? AD confirms incorrect credentials but that's not the case. <br>
> If we just do a simple thing like this:<br>
<br>
Please also see this:<br>
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffiles.radiatorsoftware.com%2Fradiator%2Fref%2FNtlmAuthProg_AuthByNTLM.html&data=04%7C01%7Crullfig%40uic.edu%7Ca13f393d0e34402d324808da0ca14371%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637836184008650464%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0TA%2BtUk4mWDfA9XOqBDnHeKRQ5d%2FscMBVBaw5hdecqM%3D&reserved=0">https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffiles.radiatorsoftware.com%2Fradiator%2Fref%2FNtlmAuthProg_AuthByNTLM.html&data=04%7C01%7Crullfig%40uic.edu%7Ca13f393d0e34402d324808da0ca14371%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637836184008650464%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0TA%2BtUk4mWDfA9XOqBDnHeKRQ5d%2FscMBVBaw5hdecqM%3D&reserved=0</a><br>
<br>
Adding --allow-mschapv2 is often needed currently but it's not on by <br>
default because older ntlm_auth versions don't support it and fail to start.<br>
<br>
> <Handler ConvertedFromEAPMSCHAPV2=1><br>
> ...<br>
> <AuthBy NTLM><br>
> UsernameMatchesWithoutRealm<br>
> DefaultDomain AD<br>
> </AuthBy><br>
> <br>
> Everything works just fine.<br>
> <br>
> One thing I don't understand is that just before that section in the <br>
> debug log we have:<br>
<br>
You could try removing the rewrites. A double @realm could cause a <br>
problem here. Hashing that MSCHAP versions do includes username. I don't <br>
have a tester right to refresh my memory, but this might be a part of <br>
problem. There's a possibility to do username rewrites with AuthBy NTLM <br>
and, for example, EAP-MSCHAP-V2, so a definite answer would require a <br>
review and test.<br>
<br>
To summarise: you could consider the additional option for ntlm_auth and <br>
drop the rewrites. Double @realm is actually against the RFC that <br>
defines Radius username and I don't think it's used by, for example, AD <br>
even internally.<br>
<br>
> Tue Mar 8 11:09:51 2022: DEBUG: Handling request with Handler <br>
> 'TunnelledByPEAP=1', Identifier ''<br>
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to <br>
> NETID@uic.edu@uic.wireless<br>
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to <br>
> NETID@uic.edu@uic.wireless<br>
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to <br>
> NETID@uic.edu@uic.wireless<br>
> <br>
> I don't understand this PEAP tunnel section and maybe that's part of the <br>
> problem.<br>
<br>
-- <br>
Heikki Vatiainen <hvn@open.com.au><br>
<br>
Radiator: the most portable, flexible and configurable RADIUS server<br>
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br>
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br>
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br>
</div>
</span></font></div>
</body>
</html>