MS-CHAP Authentication / Bug 17

Garber, Neal Neal.Garber at
Mon Sep 21 19:30:42 CEST 2009

Alan, Thank you for taking the time to review the patch and for your feedback.

> has a look at this but it's only of interest for classic MS-CHAP
> activity rather than MSCHAPv2 in PEAP or TTLS - correct? 
> (in this case we wouldn't use this function or be able to test
> this at our site...but logically it all looks sane)

Actually, the problem definitely impacts PEAP/MSCHAPv2 (and I believe TTLS/MSCHAPv2 also because it's an error in MS-CHAP, but we don't use TTLS so I can't test that). (I haven't thought about it enough to know whether it affects v1, but it definitely occurs with v2 as that's where I found it.)

The problem occurs when the client creates the MS-CHAPv2 response and uses a userid whose case differs from what FR subsequently uses to create the challenge for ntlm_auth.

> a few changes though (?) - it's 'delimiter', not 'delimeter' ;-)

True, but I just copied that line from what was already in the code.  I'm ok with fixing the spelling error as part of this patch though ;-)

> and...some RDEBUG2 starts with a white space and others print tight to
> the line - reason for such differences?

I was trying to mimic some of the existing code (when in Rome ;-) )...  For instance, there was already an RDEBUG2 for:

RDEBUG2("  NT Domain delimeter found, should we have enabled with_ntdomain_hack?");

I'm not opposed to eliminating the leading spaces if you think it is more readable.

BTW, I just fixed one of the attachments (rlm_eap_mschapv2.c patch). I inadvertently had all 3 patches included in that one file - the replacement now only contains the changes for rlm_eap_mschapv2.c. Sorry about the confusion.
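
The mismatch described in this message, as an added example that is not part of the original post or of the FreeRADIUS code: RFC 2759 derives the 8-octet MS-CHAPv2 challenge as the first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so a user name that differs only in case yields a different challenge. The challenge bytes, the user names and the diagnose() helper are constructed for illustration.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets each")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def diagnose(peer_challenge: bytes, auth_challenge: bytes,
             client_name: str, server_name: str) -> str:
    """Compare the challenge the client hashed with the one the server would
    rebuild from its own copy of the user name (hypothetical helper)."""
    client = challenge_hash(peer_challenge, auth_challenge, client_name)
    server = challenge_hash(peer_challenge, auth_challenge, server_name)
    if client == server:
        return "match"
    if client_name.casefold() == server_name.casefold():
        # Same account, different case: the NT-Response was computed over a
        # challenge the server never reproduces, so a correct password fails.
        return "case-mismatch"
    return "name-mismatch"

# Constructed sample values, not taken from any real exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
SAMPLES = [
    ("jdoe", "jdoe"),    # client and server agree
    ("JDoe", "jdoe"),    # server uses a differently cased name
    ("JDoe", "asmith"),  # unrelated name
]

def run_samples():
    """Return (client_name, server_name, verdict) for each constructed pair."""
    return [(c, s, diagnose(PEER, AUTH, c, s)) for c, s in SAMPLES]

if __name__ == "__main__":
    for client_name, server_name, verdict in run_samples():
        c = challenge_hash(PEER, AUTH, client_name).hex()
        s = challenge_hash(PEER, AUTH, server_name).hex()
        print(f"{client_name!r:8} {c}  {server_name!r:9} {s}  {verdict}")
```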
