Is there a good document that goes over PEAP, EAP, and MSCHAPV2?

---
Roberto Ullfig - [email protected]
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago

________________________________
From: Heikki Vatiainen <[email protected]>
Sent: Wednesday, March 23, 2022 2:46 AM
To: Ullfig, Roberto Alfredo <[email protected]>; [email protected] <[email protected]>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling
On 22.3.2022 20.51, Ullfig, Roberto Alfredo wrote:

> I need to get on-site to do some more debugging but does anyone have any
> ideas? Is ntlm_auth messing up somewhere? Is the problem related to a
> PEAP tunnel? AD confirms incorrect credentials but that's not the case.
> If we just do a simple thing like this:

Please also see this:
https://files.radiatorsoftware.com/radiator/ref/NtlmAuthProg_AuthByNTLM.html

Adding --allow-mschapv2 is often needed currently but it's not on by default
because older ntlm_auth versions don't support it and fail to start.

> <Handler ConvertedFromEAPMSCHAPV2=1>
> ...
> <AuthBy NTLM>
> UsernameMatchesWithoutRealm
> DefaultDomain AD
> </AuthBy>
>
> Everything works just fine.
>
> One thing I don't understand is that just before that section in the
> debug log we have:

You could try removing the rewrites. A double @realm could cause a problem
here. Hashing that MSCHAP versions do includes username. I don't have a
tester right now to refresh my memory, but this might be a part of the problem.

There's a possibility to do username rewrites with AuthBy NTLM and, for
example, EAP-MSCHAP-V2, so a definite answer would require a review and test.

To summarise: you could consider the additional option for ntlm_auth and
drop the rewrites. Double @realm is actually against the RFC that defines
RADIUS username and I don't think it's used by, for example, AD even internally.

> Tue Mar 8 11:09:51 2022: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> [email protected]@uic.wireless
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> [email protected]@uic.wireless
> Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to
> [email protected]@uic.wireless
>
> I don't understand this PEAP tunnel section and maybe that's part of the
> problem.

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________ radiator mailing list [email protected] https://lists.open.com.au/mailman/listinfo/radiator
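An added illustration of the point made in the reply above, that MSCHAPv2 hashing includes the user name, so a server-side rewrite to a different name (such as a doubled @realm) breaks authentication even with the right password. This is example code, not from the thread or from Radiator: it implements the RFC 2759 ChallengeHash with standard-library SHA-1 over constructed challenge values; strip_realm is a simplified stand-in for what a match-without-realm setting would do, not Radiator's implementation, and the NT-Response step (which needs MD4 and DES) is left out because only the ChallengeHash depends on the user name.

```python
import hashlib

# Constructed sample values (not from the thread): RFC 2759 challenges are 16 bytes each.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTHENTICATOR_CHALLENGE = bytes(range(0x20, 0x30))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the 8-byte challenge that the NT-Response
    is computed over is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    Any change to the user name octets therefore changes the whole NT-Response."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MSCHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def strip_realm(username: str) -> str:
    """Simplified stand-in (assumption, not Radiator's code) for matching without a
    realm: keep only the account part before the first '@'."""
    return username.split("@", 1)[0]


def realm_count(username: str) -> int:
    """Number of '@' separators; more than one means a rewrite appended a realm twice."""
    return username.count("@")


def server_matches_client(client_identity: str, server_username: str) -> bool:
    """True when the ChallengeHash the server side would compute (over the name it hands
    to the NTLM backend) equals the one the peer computed over the identity it used."""
    want = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, client_identity)
    got = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, server_username)
    return want == got


if __name__ == "__main__":
    client = "user"                              # identity the supplicant hashed
    rewritten = "user@uic.wireless@uic.wireless"  # constructed doubled-realm rewrite
    print("realms appended:", realm_count(rewritten))
    print("rewritten name matches client hash:", server_matches_client(client, rewritten))
    print("stripped name matches client hash:", server_matches_client(client, strip_realm(rewritten)))
```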
