On 11/01/2012 11:38 PM, Christopher Bongaarts wrote:
> I'm trying to debug a problem with PEAP/MSCHAPv2 authentication against 
> LDAP as part of spinning up eduroam.  I've included the relevant 
> Handlers from the configuration below, and the inner authentication part 
> of the (sanitized) log from an attempt to authenticate.  Despite the 
> password being correct, the authentication fails.

I just noticed you have EncryptedPasswordAttr in the LDAP config
section. EncryptedPasswordAttr should be used only for crypt(3) format
hashes. Since you have NThashed passwords, you should use PasswordAttr.
See the reference manual for details.

If the hashes are stored without {nthash} prefix, you should still use
PasswordAttr but now you need a PostSearchHook to prepend the prefix.
Use something like this:
  http://www.open.com.au/pipermail/radiator/2005-April/011423.html
or see goodies/addnthashprefix.txt

> This configuration works for MSCHAPv2 without PEAP (i.e. using the 
> TunneledByPEAP Handler as the actual handler instead of the PEAP outer 
> handler) if I have the RewriteUsername uncommented.

That's surprising. I do not think it should work with EncryptedPassword.

> I've tried to stick to the eduroam recipes for Radiator as much as 
> possible, but I'm having trouble getting the MSCHAP auth to use the 
> "username@realm" syntax while having LDAP search on just the username 
> portion to find the user.

Using UsernameMatchesWithoutRealm should work fine. Rewriting the
username can be problematic if the rewritten username becomes part of
the MSCHAP-V2 calculation. This can cause the server and client to use
different usernames for calculating the results which makes the
authentication fail.

Thanks,
Heikki

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
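To show why a server-side username rewrite breaks MS-CHAP-V2, here is the ChallengeHash() step of RFC 2759 section 8.2 as an added example (not code from this thread or from Radiator): the user name is an input to the hash, so a client computing with "alice@example.edu" and a server computing with the realm stripped derive different 8-byte challenges and therefore different NT-Responses. The challenge values and user names are constructed for illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA1(PeerChallenge || AuthenticatorChallenge || UserName), truncated to
    8 bytes. The result feeds the DES operations that produce NT-Response,
    so any byte difference in the user name changes the final response.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username)
    return h.digest()[:8]


# Constructed sample challenges (deterministic so the example is repeatable;
# a real client and server use random 16-byte values).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def same_challenge(client_name: bytes, server_name: bytes) -> bool:
    """True only if client and server feed the identical user name into
    ChallengeHash(); otherwise their NT-Response values can never match,
    even when the password (NT hash) is correct on both sides."""
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_name)
    server = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_name)
    return client == server


if __name__ == "__main__":
    sent = b"alice@example.edu"       # name as the supplicant sent it
    rewritten = b"alice"              # name after a RewriteUsername strip
    print("unchanged name agrees:", same_challenge(sent, sent))
    print("rewritten name agrees:", same_challenge(sent, rewritten))
```

This is why the reply recommends UsernameMatchesWithoutRealm: the directory lookup can use the bare user part while the name used in the MS-CHAP-V2 calculation stays exactly as the client sent it.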