Another LDAP/MSCHAPv2 problem

Francois Gaudreault fgaudreault at inverse.ca
Fri Feb 10 15:36:15 CET 2012


Hi Phil,

Still no go.  Now EAP complains:

[pap] Config already contains "known good" password.  Ignoring Password-With-Header
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (User-Name =~ /^host\/([^.]+)/)
? Evaluating (User-Name =~ /^host\/([^.]+)/) -> TRUE
++? if (User-Name =~ /^host\/([^.]+)/) -> TRUE
++- entering if (User-Name =~ /^host\/([^.]+)/) {...}
	expand: %{1}$ -> dti-dahport$
+++[request] returns noop
++- if (User-Name =~ /^host\/([^.]+)/) returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.


I tried to put the blob before eap in authorize or after, but the result 
is the same.  It breaks when entering the authenticate section.

On 12-02-10 4:52 AM, Phil Mayers wrote:
> On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
>> Doing the MS-CHAP-User-Name change got me this error :
>>
>> mschapv2] # Executing group from file
>> /etc/raddb/sites-enabled/packetfence-tunnel
>> [mschapv2] +- entering group MS-CHAP {...}
>> [mschap] Found NT-Password
>> [mschap] ERROR: User-Name (host/dti-dahport) is not the same as MS-CHAP
>> Name (dti-dahport$) from EAP-MSCHAPv2
>
> Ah, of course.
>
> I think you're going to need to rewrite the User-Name attribute instead;
> that check is there to prevent clients sending a User-Name that differed
> from the MS-CHAP value, and circumventing authorization checks.
>
> I will try to come up with a patch that does all this properly later
> today, but this should work:
>
> authorize {
> ...
> if (User-Name =~ /^host\/([^.]+)/) {
> update request {
> User-Name := "%{1}$"
> }
> }
> ...
> }
>
> Note to the archives: This is NOT GENERAL ADVICE. This advice is
> specific to the issue Francois is facing (performing machine auth with
> access to the NT-Password, as opposed to via Active Directory)


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
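The rewrite Phil proposes, and the mschap check it is meant to satisfy, are easy to get wrong, so here is a small model of both. This is an added example, not code from the thread, from PacketFence or from FreeRADIUS: it applies the same `^host/([^.]+)` capture to a User-Name the way the unlang snippet does, then performs the consistency check rlm_mschap reports in Francois' log (User-Name must equal the name carried in the EAP-MSCHAPv2 response). The helper names and the sample requests are constructed for illustration; the record format does not correspond to any FreeRADIUS API.

```python
import re

# Same capture as the unlang rule in the thread: everything after "host/"
# up to the first dot, so a DNS-qualified machine identity loses its domain.
HOST_RE = re.compile(r"^host/([^.]+)")


def rewrite_machine_user_name(user_name: str) -> str:
    """Return the User-Name that the later mschap check will see.

    host/dti-dahport            -> dti-dahport$
    host/dti-dahport.corp.local -> dti-dahport$
    alice                       -> alice   (rule does not match, left alone)
    """
    m = HOST_RE.match(user_name)
    if m is None:
        return user_name
    return m.group(1) + "$"


def mschap_name_check(user_name: str, mschap_name: str) -> tuple[bool, str]:
    """Model of the refusal in Francois' log: the name inside the MS-CHAP
    response must equal the (possibly rewritten) User-Name.  Without this
    a client could send one identity for authorization and prove a password
    for another, which is exactly why Phil says not to disable the check.
    Returns (accepted, detail)."""
    effective = rewrite_machine_user_name(user_name)
    if effective != mschap_name:
        return (False, "User-Name (%s) is not the same as MS-CHAP Name (%s)"
                % (user_name, mschap_name))
    return (True, effective)


def evaluate_requests(requests: list[dict]) -> dict[str, bool]:
    """Run the check over a batch of inner-tunnel requests (constructed
    records with 'User-Name' and 'MS-CHAP-Name' keys, hypothetical format)."""
    return {r["User-Name"]: mschap_name_check(r["User-Name"], r["MS-CHAP-Name"])[0]
            for r in requests}


# Constructed sample requests, not real captures.  The first is the case
# from the thread; the third is the spoofing attempt the check exists for.
SAMPLE_REQUESTS = [
    {"User-Name": "host/dti-dahport", "MS-CHAP-Name": "dti-dahport$"},
    {"User-Name": "host/dti-dahport.corp.local", "MS-CHAP-Name": "dti-dahport$"},
    {"User-Name": "alice", "MS-CHAP-Name": "bob"},
    {"User-Name": "alice", "MS-CHAP-Name": "alice"},
]

if __name__ == "__main__":
    for name, ok in evaluate_requests(SAMPLE_REQUESTS).items():
        print("%-30s %s" % (name, "accept" if ok else "reject"))
```

Note that the rewrite only fires for identities of the `host/...` shape, so ordinary user names still have to match the MS-CHAP name exactly; the example does not weaken the check, it only makes the machine identity presented by Windows comparable to the `name$` form stored with the NT-Password, which is the narrow situation Phil's note restricts his advice to.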

