rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)
Tim Chen
gphoto6 at gmail.com
Thu Nov 12 02:02:31 CET 2015
Hello friends,
I am using FreeRADIUS version 2.2.9. I suspect that the rlm_passwd module has
some problem handling the Stripped-User-Name check when in inner-tunnel mode
(PEAP).
I tried to use a password file to store my user/pass data. Some of the
config snippets are here:
1. modules/passwd
passwd passwdf1 {
    filename = /home/radius/passwd1
    format = "*User-Name:NT-Password:"
}
2. /home/radius/passwd1
john:************D463009BE761BB******:
3. both sites-enabled/default and sites-enabled/inner-tunnel have passwdf1 in
their authorize { } block
4. proxy.conf
realm NULL {
}
realm eduroam.example.edu {
    auth_pool = my_auth_failover
}
realm DEFAULT {
    pool = upperlevel
}
Test results:
1. PAP with/without domain (realm) PASSED
radtest john password radhost 1812 testing123
radtest john@eduroam.example.edu password radhost 1812 testing123
2. MSCHAP with/without domain (realm) PASSED
radtest -t mschap john password radhost 1812 testing123
radtest -t mschap john@eduroam.example.edu password radhost 1812 testing123
3. EAP(PEAP)
I used eapol_test to test:
identity="john" PASS
identity="john@eduroam.example.edu" FAIL!!
The debug log shows:
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: john@eduroam.example.edu
[mschap] Client is using MS-CHAPv2 for jsc@eduroam.ntu.edu.tw, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
However, I did more tests:
1. If I put both
john:************D463009BE761BB******:
john@eduroam.example.edu:************D463009BE761BB******:
in /home/radius/passwd1, then
PEAP with domain (realm) PASSED
2. If I change modules/passwd into
passwd passwdf1 {
    filename = /home/radius/passwd1
    format = "*Stripped-User-Name:NT-Password:"
}
then ALL authentication tests FAILED
3. If I put the user/pass info in the users file
john NT-Password := "************D463009BE761BB******"
then all the tests, including PEAP with/without domain (realm), PASSED.
I suspect there is some problem in the rlm_passwd module.
Either it doesn't handle Stripped-User-Name well when authenticating,
or it doesn't accept the format = "*Stripped-User-Name:NT-Password:" syntax?
Thanks in advance for your help.
I have been using FreeRADIUS for more than 15 years, since version 1.x.
I do appreciate your efforts on FreeRADIUS.
Eric Chang
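Below, as an added illustration that is not part of the post and not FreeRADIUS code, is a small Python model of the key-field lookup that a format string such as "*User-Name:NT-Password:" describes: the '*' column is the key, the request attribute of the same name supplies the value, and the other columns become attributes added on a hit. It runs the post's two format strings against constructed sample files (placeholder hex hashes, not real NT hashes) for a bare login and for a realm-qualified login where a realm module has already set Stripped-User-Name. The handling of the '~' and '=' prefixes and of a request that lacks the key attribute (modelled as "no match") are assumptions of this model, not verified rlm_passwd behaviour.

```python
"""Toy model of an rlm_passwd-style lookup (added illustration, not
FreeRADIUS code).  The format string names the columns of a delimited
password file; the column marked with '*' is the lookup key, and the
request attribute of the same name supplies the value to look up."""

from typing import Dict, List, Optional, Tuple

# Constructed sample files.  The hashes are placeholder hex, not real NT hashes.
ONE_ENTRY = "john:0123456789ABCDEF0123456789ABCDEF:\n"
BOTH_ENTRIES = (
    "john:0123456789ABCDEF0123456789ABCDEF:\n"
    "john@eduroam.example.edu:0123456789ABCDEF0123456789ABCDEF:\n"
)


def parse_format(fmt: str, delimiter: str = ":") -> Tuple[str, List[str]]:
    """Split the format into column names and find the '*' key column.
    The '~' and '=' prefixes that rlm_passwd also accepts are stripped and
    otherwise ignored here (assumption: they only change how non-key
    columns are returned, not how the key is matched)."""
    key: Optional[str] = None
    fields: List[str] = []
    for raw in fmt.split(delimiter):
        if not raw:
            continue  # trailing delimiter in the format string
        name = raw.lstrip("*~=")
        if raw.startswith("*"):
            if key is not None:
                raise ValueError("only one '*' key field is supported here")
            key = name
        fields.append(name)
    if key is None:
        raise ValueError("format needs a '*' key field")
    return key, fields


def load_passwd(text: str, fmt: str,
                delimiter: str = ":") -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Index the file by the key column; the other non-empty columns are the
    attributes that would be added to the request on a hit."""
    key, fields = parse_format(fmt, delimiter)
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(delimiter)
        entry = dict(zip(fields, values))
        table[entry[key]] = {f: v for f, v in entry.items() if f != key and v}
    return key, table


def lookup(request: Dict[str, str], fmt: str,
           text: str) -> Optional[Dict[str, str]]:
    """Return the file's attributes for this request, or None when the key
    attribute is absent from the request (assumption: treated as no match)
    or its value has no entry in the file."""
    key, table = load_passwd(text, fmt)
    value = request.get(key)
    if value is None:
        return None
    return table.get(value)


def scenarios() -> Dict[str, bool]:
    """True where the lookup yields an NT-Password for the request.
    'stripped' models a realm-qualified login after a realm module has set
    Stripped-User-Name; 'bare' is a login with no realm part at all."""
    bare = {"User-Name": "john"}
    stripped = {"User-Name": "john@eduroam.example.edu",
                "Stripped-User-Name": "john"}
    by_user = "*User-Name:NT-Password:"
    by_stripped = "*Stripped-User-Name:NT-Password:"

    def hit(req: Dict[str, str], fmt: str, text: str = ONE_ENTRY) -> bool:
        found = lookup(req, fmt, text)
        return found is not None and "NT-Password" in found

    return {
        "User-Name key, bare login": hit(bare, by_user),
        "User-Name key, realm login": hit(stripped, by_user),
        "User-Name key, realm login, both entries":
            hit(stripped, by_user, BOTH_ENTRIES),
        "Stripped-User-Name key, bare login": hit(bare, by_stripped),
        "Stripped-User-Name key, realm login": hit(stripped, by_stripped),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'HIT ' if ok else 'MISS'}  {name}")
```

The model reproduces two of the post's observations: keyed on User-Name, a realm-qualified login only matches when the file carries the qualified name as a second entry, and keyed on Stripped-User-Name a bare login can never match because that attribute is simply not present. It covers only the key-matching step; whether Stripped-User-Name has been set by the time rlm_passwd runs depends on module ordering in the authorize section of the server and inner-tunnel virtual servers, which a static lookup like this does not model.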