Radclient.c hack for ntlm_auth testing
Hi All, Is there any way to get radclient working with chap and ntlm_auth? If I try to use it with ntlm_auth, I get an Accept even with a bad password. redhatfc5:/etc/raddb # rt /tmp/file Sending Access-Request of id 15 to 127.0.0.1 port 1812 User-Name = "codo" CHAP-Password = 0x0f25a253a1113c6f903f31ec0d8eb7fae9 NAS-IP-Address = 180.44.200.10 NAS-Port-Type = Ethernet NAS-Port = 1 Calling-Station-Id = "000100000001" rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=15, length=61 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "103" HP-port-priority-regeneration-table = "0" Total approved auths: 1 Total denied auths: 0 Total lost auths: 0 redhatfc5:/etc/raddb # grep codo users codo Auth-Type := ntlm_auth redhatfc5:/etc/raddb # radtest codo badpass 127.0.0.1 1 hpsecret Sending Access-Request of id 144 to 127.0.0.1 port 1812 User-Name = "codo" User-Password = "badpass" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=35 The radiusd debug output shows: auth: type "ntlm_auth" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=NETIDM --username=codo --password=' Exec-Program: /usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=NETIDM --username=codo --password= modcall[authenticate]: module "ntlm_auth" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Login OK: [codo/<CHAP-Password>] (from client me port 1 cli 000100000001) Processing the post-auth section of radiusd.conf I saw Alan's blog that states this isn't currently available but I was wondering if there was a way around it. Thanks ! Corey Corey Dow Solution Test Center Engineer ProCurve Networking Hewlett-Packard Company
Dow, Corey wrote:
Is there any way to get radclient working with chap and ntlm_auth?
No.
If I try to use it with ntlm_auth, I get an Accept even with a bad password.
That's arguably a bug in ntlm_auth, but you're also calling it incorrectly.
radius_xlat: '/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=NETIDM --username=codo --password='
There's no User-Password in the request, so the '--password=' argument is getting passed nothing. Don't do that. But even that isn't the issue. The real issue is that you should not be calling ntlm_auth with '--password=...' if there's no User-Password in the request.
I saw Alan's blog that states this isn't currently available but I was wondering if there was a way around it.
No. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Dow, Corey