MSCHAPv2 Module with Stripped-Username - no ActiveDirectory
Markus Maurer
lists at v-net.tk
Fri Nov 9 23:01:21 CET 2018
Hi everybody,
I'd like to build an IPSec IKEV2 VPN with 2-factor authentication over EAP-Radius and MSCHAPv2.
The OTP should be placed in the "User-Name" attribute with a ":" as seperator.
e.g.: <username>:<otp> - johndoe:123456
In the authorize section the User-Name attribute get splitted in two parts:
"Stripped-Username"
and
"User-OTP"
if ( &User-Name =~ /^(.*):([0-9]{6})$/) {
update request {
Stripped-User-Name := "%{1}"
User-OTP := "%{2}"
}
}
The first step is to authenticate the username with otp over rlm_perl.
If the first step succeeds, the eap module will be called and makes an mschapv2 authentication over sql (cleartext password).
And here is my problem. Whenever I get to this step, I get the following error:
"rlm_eap: Identity does not match User-Name, setting from EAP identity"
The eap module uses the original username (johndoe:123456) and password for the mschap challenge.
Is there any way to use the "Stripped-Username" for mschap without executing ntlm_auth? I dont need to authenticate against AD.
I cant attach my debug log as I havent access to the server right now but maybe someone could give me a hint. I have googled a lot and read some threads with a similar problem but they all are using AD auth with ntlm_auth.
Thanks for helping!!
Best Regards
--
This email was Malware checked by UTM 9. http://www.sophos.com
More information about the Freeradius-Users
mailing list