Masquerading MSCHAPv2 User-Name?

David Herselman dhe at syrex.co
Thu Feb 18 10:49:06 CET 2021


Hi Alan,

I have the utmost respect for your knowledge, experience and the extraordinary amount of time you invest in answering posts in mailing lists. I also appreciate that my terminology isn't correct, although the only feedback has been to point this out repeatedly without providing the correct terms you would like me to use.

A message from this group in June 2017 appears to refer to this functionality as 'Change username for MSCHAPv2' where no comment was made regarding this being incorrect terminology. I'll use that going forward, unless someone would be helpful enough to correct me or simply point me at a document which details correct terminology:
  http://lists.freeradius.org/pipermail/freeradius-users/2017-June/088060.html


The following is primarily intended for others like me, that would love to search for YubiKey MFA / 2FA / OTP and get re-assurance that FreeRADIUS is perfectly suited to meet the following objectives:
  - RADIUS Multi-factor authentication using YubiKeys where people simply need to press a single button to generate an OTP. No mobile device apps or 3rd party software required. Plug-in and press the button.
  - Some of our network devices exclusively support MSCHAPv2
  - We want to manage accounts exclusively via Active Directory
  - We do not want to store credentials in AD with reversible encryption
  - We do not want to store plaintext credentials in RADIUS


Using the YubiKey OTP as the username, instead of as part of the provided password, results in MS-CHAPv2 authentication working flawlessly. This is due to FreeRADIUS constructing the challenge hash using the username provided in the authentication request, whilst retrieving information from AD using the account that key is associated with.

In layman's terms, I can login as e.g. cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit/secret and have it successfully authenticate against Active Directory as davidh/secret.



Regards
David Herselman

-----Original Message-----
From: Alan DeKok <aland at deployingradius.com> 
Sent: Thursday, 18 February 2021 3:02 AM
To: David Herselman <dhe at syrex.co>
Cc: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Masquerading MSCHAPv2 User-Name?

On Feb 17, 2021, at 2:54 PM, David Herselman <dhe at syrex.co> wrote:
> I'm surprised by your response as I can update mods-available/mschap to set 'winbind_username = "davidh"'

  winbind is not MS-CHAP.  Winbind is (essentially) the database query used to verify the MS-CHAP information.

  The "winbind_username" field is *not* used in any part of the MS-CHAP calculation.  As I said.

  TBH, I'm rather surprised that you ask questions, and then argue with the answers.  Are you that aware of the details of each protocol, that you can authoritatively argue against someone who's been doing this for 20 years?

> and then successfully login via MS-CHAPv2 by entering the password for davidh, but providing an alternate username:

  It doesn't matter.

  I can put the users password into an LDAP entry for user with the name "I_like_to_eat_pizza".  That name has nothing whatsoever to do with the MS-CHAP calculations.

  Try this with the "users" file.   Add this to the top of the "users" file:

DEFAULT Cleartext-Password := "hello"

  Then log in as ANY other user (e.g. "bob"), using MS-CHAP, and the password "hello".  Use "radclient" or "radtest" to do this.

  What will happen?  The user will be authenticated.  But if the entry in the "users" file is for DEFAULT, how can this possibly work?

  Answer:  if you understand the system, the answer is obvious.

> I presume FR therefore does have the ability to transform/replace/masquerade

  Stop using the term "masquerade".  It's wrong.  I already told you that it's not correct terminology.  Your repeated use of it shows that you don't know how things work.  And worse, that you're resisting the suggestion to learn.

  You're asking questions using terms you've invented, and are then arguing with the answers.  This is generally a good approach if you want to confuse and annoy people.  I suggest not doing this.

> the presented username when using MS-CHAPv2. Just in case andrewr and davidh happen to hash to the same value, I tried with the OTP generated by a press of a YubiKey:

  Whatever question you're asking is unrelated to the tests you're doing.

  Stop inventing terms.  Stop doing irrelevant tests.  Put some effort into understanding the system.

  I still have no idea what you're really trying to do.  In large part because you're not describing it using simple, common, terms.  You're not saying what the RADIUS server receives, what's in the DB, what keys are used for lookups, etc.  You just keep repeating "I want to masquerade the user name for MS-CHAP", as if repetition will get your point across.

  It won't.

  Alan DeKok.
