PEAP problem when using domain suffix

Graham Marsh graham at netmarsh.com
Fri Jun 6 13:59:44 CEST 2008


On 6/6/08, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> A.L.M.Buxey at lboro.ac.uk wrote:
> > hi,
> >
> > you need to remove the domain suffix but you cannot
> > play with the User-Name attribute or the response will
> > be wrong - use the 'stripped-user-name' attribute
> > for the authenticate step - and ensure that if you
> > are querying an LDAP or AD etc. in that stage that DOMAIN
> > being used is the correct domain - either overwrite
> > the value or set it to NULL
> >
>
> The problem is that rlm_mschap always reads the "User-Name" attribute for
> generating the chal/resp i.e. when *not* using ntlm_auth.
>
> If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\" but
> not suffix formats.
>
> Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the
> username string fed into the chal/resp code, it should really be on all the
> time, and be extended to handle suffix formats.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

I have some additional info that is interesting if not rather odd:

The results I posted in the original message were generated using the
Odyssey Access Client, I apologise for not mentioning that first. So
with OAC, the username without suffix works, with suffix fails.

Further background info is that auth is taking place using LDAP
against a back-end LDAP server hosted on Novell eDirectory.

Anyway, the interesting thing is that when the native client in XP SP3
is used with or without suffix, it works in both cases. Here is the
debug output from the radiusd when the XP SP3 client is used
(IP/domain obfuscated):

modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: Told to do MS-CHAPv2 for test05 at xyz.edu.hk with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 6
modcall: leaving group MS-CHAP (returns ok) for request 6
MSCHAP Success
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 161 to n.n.n.n port 1812
	EAP-Message = 0x0107004a1900170301003f67df50a0706efc458cf1803e59b35c681b98887353fbe3bc0257e4bae1ca8c7abb99f141ae3fce73617a05c40b098b432f417740876f7f9eb5599bc9c65cce
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb409dd0bde5ee996d642ea46017f223c
Finished request 6


How strange! Here is the debug output from the OAC but it's rather
cryptic and I suppose not much help:


00149,09 2008/06/06 17:42:06.742 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:5281 - 'odService'
>>>>>>>> Starting authentication


00150,09 2008/06/06 17:42:06.742 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.742 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00149,09 2008/06/06 17:42:06.742 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:5281 - 'odService'
>>>>>>>> Starting authentication


00150,09 2008/06/06 17:42:06.742 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.792 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:06.792 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.822 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:06.822 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.852 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:06.862 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.882 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:06.882 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.902 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:06.902 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:06.932 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:06.942 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:09.986 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00150,09 2008/06/06 17:42:09.986 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:14.032 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00175,09 2008/06/06 17:42:14.032 0 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicantMgr.cpp:257 - 'odService' [NRM] Processing
EAP-Failure: code = 4, id = 7, length = 4

00153,09 2008/06/06 17:42:14.032 3 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:5207 - 'ClientMgr' Supplicant state:
authentication failed
00164,09 2008/06/06 17:42:14.042 0 SYSTEM odClientService.exe (null)
p1404 t844 odysseyEapAkaClientIdentity.h:119 - 'odService'
SetOdysseyIdentity: pIdentity = 0x00000000

00150,09 2008/06/06 17:42:14.042 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00150,09 2008/06/06 17:42:14.042 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(0)
returned success

00164,09 2008/06/06 17:42:14.052 0 SYSTEM odClientService.exe (null)
p1404 t844 odysseyEapAkaClientIdentity.h:119 - 'odService'
SetOdysseyIdentity: pIdentity = 0x01a531f8

00161,09 2008/06/06 17:42:29.294 1 SYSTEM odClientService.exe (null)
p1404 t620 OdysseySupplicantMgr.cpp:7651 - 'odService'
OdysseySupplicantMgr::DoThread() event loop

00149,09 2008/06/06 17:42:29.294 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:5281 - 'odService'
>>>>>>>> Starting authentication


00153,09 2008/06/06 17:42:29.294 3 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:5207 - 'ClientMgr' Supplicant state:
authentication failed
00164,09 2008/06/06 17:42:29.294 0 SYSTEM odClientService.exe (null)
p1404 t844 odysseyEapAkaClientIdentity.h:119 - 'odService'
SetOdysseyIdentity: pIdentity = 0x00000000

00150,09 2008/06/06 17:42:29.294 2 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:95 - 'odService' SetThreadPriority(1)
returned success

00161,09 2008/06/06 17:42:29.294 1 SYSTEM odClientService.exe (null)
p1404 t620 OdysseySupplicantMgr.cpp:7651 - 'odService'
OdysseySupplicantMgr::DoThread() event loop

00138,09 2008/06/06 17:42:29.344 2 SYSTEM odClientService.exe (null)
p1404 t620 OdysseySupplicantMgr.cpp:5262 - 'odService' Configuring
adapters

00173,09 2008/06/06 17:42:29.344 1 SYSTEM odClientService.exe (null)
p1404 t620 OdysseySupplicantMgr.cpp:5132 - 'odService' updating
adapter {7F8EC7AA-9090-43E2-9C19-04CB8B04EF62}

00141,09 2008/06/06 17:42:29.344 3 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:4097 - 'ClientMgr' No equivalent
network found
00138,09 2008/06/06 17:42:29.344 3 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicant.cpp:5171 - 'ClientMgr' Supplicant state:
logoff
00148,09 2008/06/06 17:42:29.344 0 SYSTEM odClientService.exe (null)
p1404 t844 OdysseySupplicantMgr.cpp:257 - 'odService' [NRM]
Transmitting EAPOL-Logoff

00142,09 2008/06/06 17:42:29.344 3 SYSTEM odClientService.exe (null)
p1404 t844 <>:0 - '' 0000  01 02 00 00
     ....
00218,09 2008/06/06 17:42:29.344 3 SYSTEM odClientService.exe (null)
p1404 t620 OdysseySupplicantMgr.cpp:6757 - 'odService'
COdysseySupplicantMgr::CheckConnectStatus() new connect status =
0X00000010 L2_AUTHENTICATION_FAILED

00140,09 2008/06/06 17:42:29.344 2 admin OdTray.exe odTray p3384 tD40
OdTrayWindow.cpp:528 - 'ClientMgr' OD_CONNECT_STATUS is 0x00000010  -
FAILED
00154,09 2008/06/06 17:42:29.344 3 admin OdTray.exe odTray p3384 tD40
OdTrayWindow.cpp:529 - 'ClientMgr' OD_CONNECT_STATUS (detailed) -
L2_AUTHENTICATION_FAILED
00203,09 2008/06/06 17:42:29.354 2 admin OdTray.exe odTray p3384 tD40
OdTrayWindow.cpp:640 - 'ClientMgr' OdTray notification message- Your
authentication has failed.  Click on this message for more
information.
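To show why the form of User-Name matters for the chal/resp, here is an added example (not code from the thread or from FreeRADIUS) that computes the RFC 2759 ChallengeHash for the suffixed name seen in the debug output and for the stripped name; the two challenges are constructed, and strip_domain is a hypothetical normaliser that handles both the "DOMAIN\user" prefix form and the "user@realm" suffix form, the extension Phil suggests.

```python
import hashlib

# Constructed sample values (not taken from the thread): arbitrary
# 16-byte peer and authenticator challenges.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def strip_domain(user_name: str) -> str:
    """Hypothetical normaliser: return the bare account name.

    Strips the "DOMAIN\\user" prefix that with_ntdomain_hack already
    handles, and the "user@realm" suffix that the thread says it does
    not. A name with neither form is returned unchanged.
    """
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    if "@" in user_name:
        user_name = user_name.split("@", 1)[0]
    return user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    The 8-byte challenge is the first 8 bytes of SHA-1 over
    PeerChallenge || AuthenticatorChallenge || UserName. The RFC says
    any prepended domain name is excluded from UserName; it says
    nothing about a suffix, so whether a client hashes "test05" or
    "test05@xyz.edu.hk" is client-dependent. The NT-Response is
    derived from this challenge, so if the server hashes a different
    form of the name than the client did, the response never matches.
    """
    data = peer_challenge + auth_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def server_matches_client(server_user_name: str,
                          client_hashed_name: str) -> bool:
    """True when the server would derive the same 8-byte challenge as
    the client, i.e. when both ends hashed the same name form."""
    return (challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_user_name)
            == challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                              client_hashed_name))


if __name__ == "__main__":
    # Username form from the thread's debug output ("test05 at xyz.edu.hk").
    received = "test05@xyz.edu.hk"
    print("client hashed bare name, server used User-Name as-is:",
          server_matches_client(received, "test05"))
    print("client hashed bare name, server stripped the suffix:",
          server_matches_client(strip_domain(received), "test05"))
```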


