On 22.3.2022 20.51, Ullfig, Roberto Alfredo wrote:
> I need to get on-site to do some more debugging but does anyone have any
> ideas? Is ntlm_auth messing up somewhere? Is the problem related to a
> PEAP tunnel? AD confirms incorrect credentials but that's not the case.
> If we just do a simple thing like this:
Please also see this:
https://files.radiatorsoftware.com/radiator/ref/NtlmAuthProg_AuthByNTLM.html
Adding --allow-mschapv2 is often needed currently but it's not on by
default because older ntlm_auth versions don't support it and fail to start.
> <Handler ConvertedFromEAPMSCHAPV2=1>
> ...
> <AuthBy NTLM>
> UsernameMatchesWithoutRealm
> DefaultDomain AD
> </AuthBy>
> Everything works just fine.
> One thing I don't understand is that just before that section in the
> debug log we have:
You could try removing the rewrites. A double @realm could cause a
problem here. The hashing that MSCHAP versions do includes the username. I don't
have a tester right now to refresh my memory, but this might be a part of the
problem. There's a possibility to do username rewrites with AuthBy NTLM
and, for example, EAP-MSCHAP-V2, so a definite answer would require a
review and test.
To summarise: you could consider the additional option for ntlm_auth and
drop the rewrites. Double @realm is actually against the RFC that
defines the RADIUS username and I don't think it's used by, for example, AD
even internally.
> Tue Mar 8 11:09:51 2022: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> [email protected]@uic.wireless
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> [email protected]@uic.wireless
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> [email protected]@uic.wireless
> I don't understand this PEAP tunnel section and maybe that's part of the
> problem.
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
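An added example, not from the thread or from Radiator itself: a small Python model of the stacked-realm problem described above (an unguarded rewrite that runs once per Handler, outer and PEAP-tunnel, appends the realm every time) beside a guarded rule that only adds a realm when none is present, plus a check over constructed debug lines that flags any rewritten name carrying more than one '@'. The rewrite rules, the user names and the log lines are assumptions written for this example.

```python
import re

# Constructed debug lines in the style of the thread (not the original log).
SAMPLE_LOG = """\
Tue Mar  8 11:09:51 2022: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to alice@uic.wireless
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to alice@uic.wireless@uic.wireless
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to bob@uic.wireless
"""

REWROTE = re.compile(r"DEBUG: Rewrote user name to (\S+)$")

def double_realm_names(log_text):
    """Return rewritten user names that carry more than one '@' (a stacked
    realm such as user@realm@realm). Since MSCHAP hashing covers the user
    name, such a name fails against AD even when the password is right,
    so this is worth checking before blaming ntlm_auth or AD."""
    found = []
    for line in log_text.splitlines():
        m = REWROTE.search(line)
        if m and m.group(1).count("@") > 1:
            found.append(m.group(1))
    return found

# Hypothetical rewrite rules, modelled on the Perl s/// form used by
# RewriteUsername. UNGUARDED appends the realm on every run; GUARDED
# matches only names that have no realm yet, so repeated runs are harmless.
UNGUARDED = (r"^(.*)$", r"\1@uic.wireless")
GUARDED = (r"^([^@]+)$", r"\1@uic.wireless")

def apply_rewrites(name, rule, times):
    """Apply one rewrite rule 'times' times, as happens when the outer
    Handler and the inner PEAP-tunnel Handler each rewrite the name."""
    pattern, repl = rule
    for _ in range(times):
        name = re.sub(pattern, repl, name)
    return name

if __name__ == "__main__":
    print("stacked realms in log:", double_realm_names(SAMPLE_LOG))
    print("unguarded x3:", apply_rewrites("alice", UNGUARDED, 3))
    print("guarded   x3:", apply_rewrites("alice", GUARDED, 3))
```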