Hi Phil,

Still no go. Now EAP complains:

pap] Config already contains "known good" password. Ignoring Password-With-Header
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (User-Name =~ /^host\/([^.]+)/)
? Evaluating (User-Name =~ /^host\/([^.]+)/) -> TRUE
++? if (User-Name =~ /^host\/([^.]+)/) -> TRUE
++- entering if (User-Name =~ /^host\/([^.]+)/) {...}
        expand: %{1}$ -> dti-dahport$
+++[request] returns noop
++- if (User-Name =~ /^host\/([^.]+)/) returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.


I tried to put the blob before eap in authorize or after, but the result is the same. It breaks when entering the authenticate section.

On 12-02-10 4:52 AM, Phil Mayers wrote:
On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-User-Name change got me this error:

mschapv2] # Executing group from file
/etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found NT-Password
[mschap] ERROR: User-Name (host/dti-dahport) is not the same as MS-CHAP
Name (dti-dahport$) from EAP-MSCHAPv2

Ah, of course.

I think you're going to need to rewrite the User-Name attribute instead;
that check is there to prevent clients sending a User-Name that differed
from the MS-CHAP value, and circumventing authorization checks.

I will try to come up with a patch that does all this properly later
today, but this should work:

authorize {
...
if (User-Name =~ /^host\/([^.]+)/) {
update request {
User-Name := "%{1}$"
}
}
...
}

Note to the archives: This is NOT GENERAL ADVICE. This advice is
specific to the issue Francois is facing (performing machine auth with
access to the NT-Password, as opposed to via Active Directory).
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
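To make the reasoning in Phil's reply concrete, here is a small Python model (added for this archive page; it is not FreeRADIUS code and not from either poster) of the two pieces involved: the `authorize` rewrite that turns a `host/NAME` identity into `NAME$`, and rlm_mschap's check that the outer User-Name equals the name carried inside EAP-MSCHAPv2, which is what rejected the request in Francois's first log. The sample identities with a domain suffix are constructed; the page itself only shows `host/dti-dahport`. The model covers only the mschap name check, not the separate EAP identity check that fails in the later log.

```python
import re

# Same pattern as the unlang condition in Phil's snippet:
# capture everything after "host/" up to the first dot.
HOST_RE = re.compile(r"^host/([^.]+)")


def rewrite_user_name(user_name: str) -> str:
    """Model of  update request { User-Name := "%{1}$" }  inside the if block.

    A machine identity such as host/NAME or host/NAME.domain.tld becomes NAME$;
    any other User-Name is returned unchanged.
    """
    m = HOST_RE.match(user_name)
    if m is None:
        return user_name
    return m.group(1) + "$"


def mschap_name_check(user_name: str, mschap_name: str) -> bool:
    """Model of rlm_mschap's consistency check.

    The User-Name seen by the outer request must equal the name the client put
    in EAP-MSCHAPv2; a mismatch is rejected so a client cannot be authorized
    under one name while proving a password for another.
    """
    return user_name == mschap_name


def authorize_then_check(user_name: str, mschap_name: str) -> bool:
    """Run the authorize rewrite first, then the mschap check, as in the flow
    Phil describes (rewrite in authorize, check later in the MS-CHAP group)."""
    return mschap_name_check(rewrite_user_name(user_name), mschap_name)


if __name__ == "__main__":
    # Constructed sample: the identity from the thread, with and without a
    # domain suffix (the suffix is assumed, not taken from the page).
    for ident in ("host/dti-dahport", "host/dti-dahport.example.local", "alice"):
        print(f"{ident!r:38} -> {rewrite_user_name(ident)!r}")

    # Without the rewrite the check fails, exactly as in Francois's first log.
    print(mschap_name_check("host/dti-dahport", "dti-dahport$"))   # False
    # With the rewrite the two names agree.
    print(authorize_then_check("host/dti-dahport", "dti-dahport$"))  # True
    # A user name that does not match the MS-CHAP name is still rejected.
    print(authorize_then_check("alice", "dti-dahport$"))             # False
```

The `[^.]+` in the pattern is what strips a trailing DNS domain, so `host/NAME.domain` and `host/NAME` both normalise to `NAME$`; a User-Name that does not start with `host/` is left alone and still has to match the MS-CHAP name on its own.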