MSCHAP Authentication Issue

Garber, Neal Neal.Garber at
Sat Aug 15 09:42:49 CEST 2009

> I will now proceed to create a patch.

The MS-CHAP2-Response attribute created by rlm_eap_mschapv2 does not include the Name field from the MS-CHAP response packet (as I suspected).  I thought the cleanest way to pass the Name field was to create another attribute in rlm_eap_mschapv2 before it calls rlm_mschap (I chose NTLM-User-Name as it's in the dictionary and I couldn't find it used anywhere).

I have coded/compiled the changes (radius.h changed to include PW_NTLM_USER_NAME; rlm_eap_mschapv2.c changed to create NTLM-User-Name request attribute before calling rlm_mschap.c; rlm_mschap.c changed to use NTLM-User-Name to construct MS-CHAPv1 challenge if it exists and it is same as User-Name (case-insensitive compare considering with_ntdomain_hack too). If no NTLM-User-Name found then use User-Name.  If the attributes are different, then log error and reject.  I will try to get back to work this weekend to do testing.  My plan is to get this working over the weekend and submit the patches by Monday.

Does this sound like a reasonable solution?  If not, feel free to suggest a different approach and I will make changes before submitting the patch files.

BTW, if I should be sending these type of messages to the devel list, please let me know.

More information about the Freeradius-Users mailing list