UPN and mschap issues

Alan DeKok aland at deployingradius.com
Fri Nov 27 13:12:14 CET 2015

On Nov 27, 2015, at 4:44 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
>  For various reasons, we've had to start changing our AD samaccountname and upn values to be slightly different. We can't get around this.

  i.e. Someone has made a policy decision which ignores how the protocols work.

  That can't end well.

>  When they were the same, the various canonicalization routines stripped off the domain and the result was the same, username == samaccountname == stripped upn.
>  This worked fine with ntlm and mschap based auth, even if the user was logged into the machine with their UPN (the default for PEAP-EAP-MSCHAP is that it uses the logged in credentials with Windows). Now, since the UPN format is "firstname.surname at domai" and samaccountname is "surnameinitial" we have issues.


> The LDAP lookup is fine with an "OR" operator on the filter so PEAP-EAP-TLS and EAP-TLS work, and I can do a (nasty) UPN -> Samaccountname lookup via an LDAP xlat when matching the UPN format so NTLM auth is fine for PAP,

  You don't need to do ntlm_auth for pap.  You can do LDAP "bind as user" directly.

> as long as we tell it to use the new user name (I update Stripped-User-Name and tell ntlm_auth to use that, not sure if that's a horrible thing to do).

  It works because "ntlm_auth for pap" is just "name / password" lookups.

>  Anything inside the EAP tunnel doesn't like you playing with the username though, so we can't do UPN based MSCHAPv2 lookup - UPN format doesn't work, as far as I can tell, with the ntlm_auth program and I can't update the username.

  Because the MS-CHAP data *also* contains the UPN name.  And the MS-CHAP calculates are based on that UPN name.  So you can't say "check name smithb with bob.smith credentials".  The MS-CHAP calculations just won't work.

> I can force the mschap auth process to use an alternative user name, but the hash then doesn't work, and I can't work out how to update the mschap:user-name.

  You can't.  It's impossible.

>  All this is nasty. Has anyone ever done anything better? I can't really find many people being successful with ntlm_auth and upn format, I can't do ldap - mschapv2 auth afaik, so maybe I just state that we can't do upn -> mschapv2 and stick to certs?
>  Maybe there's something really obviously simple that I'm missing..

  Add the UPN name as an account name in Active Directory.  Maybe AD allows aliases for account names.

  It is just *impossible* to do what you want.  Authentication protocols are designed to prevent "bob" from logging in using the credentials for "doug".  This situation is no different.

  Alan DeKok.

More information about the Freeradius-Users mailing list