Masquerading MSCHAPv2 User-Name?

David Herselman dhe at syrex.co
Wed Feb 17 20:54:17 CET 2021


Hi Alan,



I'm surprised by your response as I can update mods-available/mschap to set 'winbind_username = "davidh"' and then successfully log in via MS-CHAPv2 by entering the password for davidh, but providing an alternate username:



Client:

[davidh@linux-test ~]$ ssh andrewr@192.168.10.1

andrewr@192.168.10.1's password:************



<snip>

  MikroTik RouterOS 6.48.1 (c) 1999-2020       http://www.mikrotik.com/

<snip>

[andrewr@router] >



FR 3.0.17:

(1) Received Access-Request Id 253 from 100.127.255.10:59408 to 192.168.20.11:1812 length 161

(1)   Service-Type = Login-User

(1)   User-Name = "andrewr"

(1)   MS-CHAP-Challenge = 0xefa32ded589962742ec408cbd4b0eaf7

(1)   MS-CHAP2-Response = 0x0000f0c84a52b1482f3d0eb5a455ce5972be0000000000000000a5b2ad8947a6c27eadb1fe80c9aa1a7dc9d0632f3987a72a

(1)   Calling-Station-Id = "192.168.1.77"

(1)   NAS-Identifier = "router"

(1)   NAS-IP-Address = 100.127.255.10

<snip>

(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

(1)     [mschap] = ok

<snip>

(1) Found Auth-Type = mschap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) mschap: Creating challenge hash with username: andrewr

(1) mschap: Client is using MS-CHAPv2

(1) mschap: ERROR: No NT-Domain was found in the User-Name

(1) mschap: EXPAND %{mschap:NT-Domain}

(1) mschap:    -->

rlm_mschap (mschap): Reserved connection (1)

(1) mschap: sending authentication request user='davidh' domain=''

rlm_mschap (mschap): Released connection (1)

Need 4 more connections to reach 10 spares

rlm_mschap (mschap): Opening additional connection (6), 1 of 26 pending slots used

(1) mschap: Authenticated successfully

(1) mschap: Adding MS-CHAPv2 MPPE keys

(1)     [mschap] = ok

(1)   } # authenticate = ok

<snip>

(1) Login OK: [andrewr] (from client test-mschap port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:1 nas-id:router

(1) Sent Access-Accept Id 253 from 192.168.20.11:1812 to 100.127.255.10:59408 length 0

(1)   Reply-Message = "Member of routers_test_full"

(1)   Mikrotik-Group = "full"

(1)   MS-CHAP2-Success = 0x00533d35383041354643413539414141313530383433303639414243414134334135303446414642354434

(1)   MS-MPPE-Recv-Key = 0x8ac2030b74b35cbee9bc8d6b84c66bcc

(1)   MS-MPPE-Send-Key = 0x99c473780b7a5068022fc19f1af97181

(1)   MS-MPPE-Encryption-Policy = Encryption-Allowed

(1)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(1) Finished request





I presume FR therefore does have the ability to transform/replace/masquerade the presented username when using MS-CHAPv2. Just in case andrewr and davidh happen to hash to the same value, I tried with the OTP generated by a press of a YubiKey:



Client:

[davidh@linux-test ~]$ ssh cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit@192.168.10.1

cccccctcikejkrbhnvrjrdlujuujdc@192.168.10.1's password:************



<snip>

  MikroTik RouterOS 6.48.1 (c) 1999-2020       http://www.mikrotik.com/

<snip>

[cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit@router] >



FR 3.0.17:

(0) Received Access-Request Id 6 from 100.127.255.10:56594 to 192.168.20.11:1812 length 198

(0)   Service-Type = Login-User

(0)   User-Name = "cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit"

(0)   MS-CHAP-Challenge = 0x74a6b11442e47c657a6d7a543c698731

(0)   MS-CHAP2-Response = 0x0000f16bc9ef22ae36871e353ae9726073e600000000000000006680411fedf2daf0b191d442a5eea7a10fabcfd8949f89d9

(0)   Calling-Station-Id = "192.168.1.77"

(0)   NAS-Identifier = "router"

(0)   NAS-IP-Address = 100.127.255.10

<snip>

(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

(0)     [mschap] = ok

<snip>

(0) Found Auth-Type = mschap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) mschap: Creating challenge hash with username: cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit

(0) mschap: Client is using MS-CHAPv2

(0) mschap: ERROR: No NT-Domain was found in the User-Name

(0) mschap: EXPAND %{mschap:NT-Domain}

(0) mschap:    -->

rlm_mschap (mschap): Reserved connection (0)

(0) mschap: sending authentication request user='davidh' domain=''

rlm_mschap (mschap): Released connection (0)

Need 5 more connections to reach 10 spares

rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending slots used

(0) mschap: Authenticated successfully

(0) mschap: Adding MS-CHAPv2 MPPE keys

(0)     [mschap] = ok

(0)   } # authenticate = ok

<snip>

(0) Login OK: [cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit] (from client test-mschap port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:0 nas-id:router

(0) Sent Access-Accept Id 6 from 192.168.20.11:1812 to 100.127.255.10:56594 length 0

(0)   Reply-Message = "Member of routers_test_full"

(1)   Mikrotik-Group = "full"

(0)   MS-CHAP2-Success = 0x00533d42463830443339423145324136343533324335304131323633344633343242464630454131434439

(0)   MS-MPPE-Recv-Key = 0xeaa2fdd6b60b5dbc60a02c2fb3a7d473

(0)   MS-MPPE-Send-Key = 0x895c22f518ba4122d39f6e42eba2e7c4

(0)   MS-MPPE-Encryption-Policy = Encryption-Allowed

(0)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(0) Finished request





Regards

David Herselman



-----Original Message-----
From: Alan DeKok <aland at deployingradius.com>
Sent: Monday, 15 February 2021 5:40 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: David Herselman <dhe at syrex.co>
Subject: Re: Masquerading MSCHAPv2 User-Name?



On Feb 15, 2021, at 10:11 AM, David Herselman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:

> We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind.



  That's good.



> I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following:

> winbind_username = "%{mschap:User-Name}"

> winbind_domain = "%{mschap:NT-Domain}"



  I'm not sure what you mean by "masquerade the presented username".  That is not at all common terminology.



> I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fu however led me to an article titled Understanding PEAP In-Depth, where the values initiators and radius generate are summarised as:



  That is *way* down into technical details.  I'd suggest instead describing what you want to do.  Use simple descriptions.



> I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username?



  No.



> If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry?



  See above.  winbind is there for a reason.  We don't add features just to be sexy.  They all have a reason.



> I'd like to essentially transform a MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD.



  It's impossible.  It's designed to be impossible.  Not by us, but by the people who designed MS-CHAP in the first place.  It's been this way for 20+ years.



  If this was possible, then FreeRADIUS would ship with an example configuration which shows how to do this.



> Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could look up the username prefix in a file and then set winbind_username as the AD account name that key belongs to. Thought process was to reject requests where the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against YubiCo validation servers.



  FreeRADIUS can split strings into pieces, and look those pieces up in files.  It can check passwords against multiple back-ends.



  But I have no idea what this has to do with MS-CHAP.



  If FreeRADIUS gets a clear-text AD password, it can just check that password against AD, using LDAP.  There's no need to use MS-CHAP or winbind.



  Alan DeKok.



