MSCHAPv2 Module with Stripped-Username - no ActiveDirectory

Markus Maurer lists at v-net.tk
Fri Nov 9 23:54:21 CET 2018 

Hi Alan, 

thank you very much for the fast answer! :)

I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password  anymore?!

Is it possible to modify the eap identity before its getting to the eap module?

I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.

Thanks!

Best regards 


> Am 09.11.2018 um 23:25 schrieb Alan DeKok <aland at deployingradius.com>:
> 
>> On Nov 9, 2018, at 5:01 PM, Markus Maurer <lists at v-net.tk> wrote:
>> 
>> 
>> Hi everybody,
>> 
>> I'd like to build an IPSec IKEV2 VPN with 2-factor authentication over EAP-Radius and MSCHAPv2.
>> The OTP should be placed in the "User-Name" attribute with a ":" as seperator. 
>> e.g.: <username>:<otp> - johndoe:123456
> 
>  That's not recommended.  It's much easier to put the OTP into the password.
> 
>> In the authorize section the User-Name attribute get splitted in two parts:
>> "Stripped-Username"
>> and
>> "User-OTP"
>> if ( &User-Name =~ /^(.*):([0-9]{6})$/) {
>>               update request {
>>                        Stripped-User-Name := "%{1}"
>>                        User-OTP := "%{2}"
>>             }
>>       }
>> 
>> The first step is to authenticate the username with otp over rlm_perl.
>> If the first step succeeds, the eap module will be called and makes an mschapv2 authentication over sql (cleartext password).
>> And here is my problem. Whenever I get to this step, I get the following error:
>> "rlm_eap: Identity does not match User-Name, setting from EAP identity"
> 
>  When EAP happens, the server gets the users name as both the User-Name and as an EAP-Identitity.  The two need to match.
> 
>> The eap module uses the original username (johndoe:123456) and password for the mschap challenge.
> 
>  That should work, I think.
> 
>> Is there any way to use the "Stripped-Username" for mschap without executing ntlm_auth? I dont need to authenticate against AD.
> 
>  No.  MS-CHAP uses the *whole* User-Name for authentication.  That's how MS-CHAP works.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -- 
> This email was Malware checked by UTM 9. http://www.sophos.com

More information about the Freeradius-Users mailing list