On 04/30/2012 07:23 PM, Alex Sharaz wrote:
> root@eduroam-1-east:/var/log/radius# radpwtst -s 150.237.85.225 -secret xxxx
> -user [email protected] -password yyyy -auth_port 1812 -noacct -mschapv2
>
> although it works in that it does rewrite the username stripping off the
> realm and giving, in this case alexsharaz instead of alexsharaz.info,
> authentication fails further down the food chain
> Which I guess is something to do with the mschapv2 and the realm in the
> original request

I think what happens here is the client calculates MS-CHAP2-Response based on username with realm. Once the Handler strips the realm part, the respective calculation within AuthBy is done with just the username part. The results will not then match and the authentication fails.

Can you add UsernameMatchesWithoutRealm into the AuthBy? This does the user information lookup without realm but does not change the username, allowing MS-CHAP-V2 to succeed.

Thanks!
Heikki

-- 
Heikki Vatiainen <[email protected]>
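
The mismatch described in the reply above can be reproduced with the ChallengeHash step of RFC 2759, which mixes the user name into the value that the NT-Response is derived from. This is an added example, not part of the original thread and not Radiator code; `server_hash_matches` and the user name `alice@example.org` are constructed for illustration, and the two challenges are the RFC 2759 test-vector values.

```python
import hashlib

# Challenges from the RFC 2759 section 9.2 test vector.
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer + auth + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_realm(username: str) -> str:
    """Drop everything from the first '@' onward."""
    return username.split("@", 1)[0]


def server_hash_matches(sent_username: str, rewrite_before_auth: bool,
                        peer: bytes = PEER_CHALLENGE,
                        auth: bytes = AUTH_CHALLENGE) -> bool:
    """Hypothetical model of the two server behaviours in the thread.

    rewrite_before_auth=True : the realm is stripped before the MS-CHAPv2
                               check, so the server hashes the short name.
    rewrite_before_auth=False: only the user lookup ignores the realm; the
                               check still hashes the name the client sent.
    The NT-Response is the DES encryption of this 8-octet hash under the
    NT password hash, so differing hashes give differing NT-Responses.
    """
    client_side = challenge_hash(peer, auth, sent_username)
    server_name = strip_realm(sent_username) if rewrite_before_auth else sent_username
    return challenge_hash(peer, auth, server_name) == client_side


if __name__ == "__main__":
    name = "alice@example.org"  # constructed sample user
    for rewrite in (True, False):
        ok = server_hash_matches(name, rewrite)
        print(f"rewrite_before_auth={rewrite}: hashes match = {ok}")
```
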
