MSCHAPv2 Module with Stripped-Username - no ActiveDirectory
Alan DeKok
aland at deployingradius.com
Fri Nov 9 23:25:00 CET 2018
On Nov 9, 2018, at 5:01 PM, Markus Maurer <lists at v-net.tk> wrote:
>
>
> Hi everybody,
>
> I'd like to build an IPSec IKEV2 VPN with 2-factor authentication over EAP-Radius and MSCHAPv2.
> The OTP should be placed in the "User-Name" attribute with a ":" as seperator.
> e.g.: <username>:<otp> - johndoe:123456
That's not recommended. It's much easier to put the OTP into the password.
> In the authorize section the User-Name attribute get splitted in two parts:
> "Stripped-Username"
> and
> "User-OTP"
> if ( &User-Name =~ /^(.*):([0-9]{6})$/) {
> update request {
> Stripped-User-Name := "%{1}"
> User-OTP := "%{2}"
> }
> }
>
> The first step is to authenticate the username with otp over rlm_perl.
> If the first step succeeds, the eap module will be called and makes an mschapv2 authentication over sql (cleartext password).
> And here is my problem. Whenever I get to this step, I get the following error:
> "rlm_eap: Identity does not match User-Name, setting from EAP identity"
When EAP happens, the server gets the users name as both the User-Name and as an EAP-Identitity. The two need to match.
> The eap module uses the original username (johndoe:123456) and password for the mschap challenge.
That should work, I think.
> Is there any way to use the "Stripped-Username" for mschap without executing ntlm_auth? I dont need to authenticate against AD.
No. MS-CHAP uses the *whole* User-Name for authentication. That's how MS-CHAP works.
Alan DeKok.
More information about the Freeradius-Users
mailing list