Masquerading MSCHAPv2 User-Name?

Alan DeKok aland at
Thu Feb 18 15:21:42 CET 2021

On Feb 18, 2021, at 4:49 AM, David Herselman <dhe at> wrote:
> I have the utmost respect for your knowledge, experience and extraordinary amount of time you invest in answering posts in mailing lists.

  Thanks, but there's no need to be nice.  Just ask good questions, and I will be happy.

> I also appreciate that my terminology isn't correct, although the only feedback has been to point this out repeatedly without providing the correct terms you would like me to use.

  Terms to do *what*?

  I asked you to describe what you wanted to do.    Your response was to (essentially) repeat your original question / description.  That doesn't let me know *anything* about what you want to do.

  It is *impossible* for me to suggest the correct terms if I have no idea what you're trying to do.  Even worse, using the wrong term (multiple times) makes me wary about everything *else* you're saying, because clearly the words you're using don't have the meaning *I* think they do.

  Given 20 years of this, I would much rather ask "what do you mean by that", or "please explain in a different way".  If I just respond with what I *think* you mean, we would end up going down a rabbit hole of confusion.  You wouldn't understand my responses, because the words I use wouldn't mean the same thing to you.  It's just a recipe for endless disaster.

  So my repeated "what do you mean by that" is not me being mean, rude, etc.  It's me trying desperately to get you to *explain* what you're doing.

> A message from this group in June 2017 appears to refer to this functionality as 'Change username for MSCHAPv2' where no comment was made regarding this being incorrect terminology.

  Because he doesn't use the word "masquerade".  And he describes exactly what he's doing, using examples from the configuration.

  My comments there are also correct: Don't change the User-Name.

  And also:  do change the database queries used to look up users.  That's fine.

  As I pointed out in my last message, the database doesn't care what key is used to look up a password.  It can be %{User-Name}, or a fixed string like "i_like_cheese_pizza".  The point is that you're not "masquerading" the name.  You're not doing anything with MS-CHAP.  MS-CHAP is entirely irrelevant.

  What you're doing is getting User-Name, X, somehow determine that you need to use key Y for a database lookup, and then getting the password from the database using key Y.

> The following is primarily intended for others like me, that would love to search for YubiKey MFA / 2FA / OTP and get re-assurance that FreeRADIUS is perfectly suited to meet the following objectives:
>  - RADIUS Multi-factor authentication using YubiKeys where people simply need to press a single button to generate an OTP. No mobile device apps or 3rd party software required. Plug-in and press the button.
>  - Some of our network devices exclusively support MSCHAPv2
>  - We want to manage accounts exclusively via Active Directory
>  - We do not want to store credentials in AD with reversible encryption
>  - We do not want to store plaintext credentials in RADIUS
> By using the YubiKey OTP as the username, instead of being part of the provided password, results in MS-CHAPv2 authentication working flawlessly. This is due to FreeRADIUS constructing the challenge hash using the username provided in the authentication request, whilst retrieving information from AD using the account that key is associated with.

  That makes a lot more sense.  Use simple terminology.  Describe what you have.  Describe what you want to happen.

> In layman terms, I can login as eg cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit/secret and have it successfully authenticate against Active Directory as davidh/secret.

  It's not exactly that, it's more:

* Login as
  User-Name = ccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit
  MS-CHAP blob which depends on BOTH that User-Name and the password "secret"

* Discover that ccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit maps to user "davidh".

* Hand the MS-CHAP blob over to Active Directory, AND tell Active Directory to look up the password in user "davidh".

  It all works.  As I pointed out in my last message, nothing cares about the key used to do database lookups.  You can login as "bob", and look up the password in a DEFAULT entry in the "users" file.

  With computers, details matter.  Especially when there are complex protocols and databases involved.  These systems have odd corner cases where things don't always work in the most obvious way.  That's why details matter, and why it's critical to get a clear description of what's going on.

  Alan DeKok.
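The configuration shape Alan describes above, written out as an added example for FreeRADIUS 3.x (this is not code from the thread or from the FreeRADIUS project). The OTP-to-account mapping, the account name "davidh", the public ID "ccccctcikejk" and the ntlm_auth path are assumptions for illustration; in a real deployment the mapping is a database or LDAP lookup, which is the "database query" the thread says you are allowed to change. The mschap stanza is the stock one: --username takes Stripped-User-Name when it is set, while %{mschap:Challenge} and %{mschap:NT-Response} are computed from the request, so the challenge hash is still built from the User-Name the client sent.

```unlang
# mods-available/mschap (FreeRADIUS 3.x).  Stock ntlm_auth line:
# --username uses Stripped-User-Name if set, else User-Name.  The
# challenge hash comes from the request's User-Name (the OTP string),
# so only the *lookup key* handed to AD changes.  /path/to/ntlm_auth
# is a placeholder; recent Samba builds also require --allow-mschapv2.
mschap {
	use_mppe = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/default
authorize {
	# Assumption: the client sends the 44-character YubiKey OTP as
	# User-Name and the AD password inside the MS-CHAPv2 exchange.
	# The first 12 modhex characters are the key's fixed public ID;
	# the remaining 32 change on every button press.
	if (&User-Name =~ /^([cbdefghijklnrtuv]{12})[cbdefghijklnrtuv]{32}$/) {
		# Hypothetical public-ID -> AD account table.  Replace the
		# switch with an rlm_sql / rlm_ldap lookup keyed on %{1}.
		switch "%{1}" {
			case "ccccctcikejk" {
				update request {
					&Stripped-User-Name := "davidh"
				}
			}
			case {
				# Unknown key: reject, never fall back to treating
				# the OTP string itself as an AD account name.
				reject
			}
		}
		# Caveat: mapping the public ID only chooses *which* AD
		# password to check.  The OTP's changing 32 characters still
		# have to be validated against a YubiKey validation service,
		# otherwise the public ID is just a second static username.
		# That validation step is not shown here.
	}
	mschap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

The important property is the split Alan spells out: Stripped-User-Name only changes the key ntlm_auth passes to Active Directory, while the MS-CHAPv2 challenge hash and the MS-CHAP2-Success authenticator response are still computed from the User-Name in the packet, which is what the client used when it built the NT-Response. Nothing in MS-CHAP itself is being "masqueraded"; the only thing that moved is the database lookup key.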

More information about the Freeradius-Users mailing list