Masquerading MSCHAPv2 User-Name?

Alan DeKok aland at deployingradius.com
Fri Feb 19 22:27:18 CET 2021


On Feb 19, 2021, at 3:08 PM, David Herselman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> The following appears to work:
> authorize {
>    <snip>
>    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
>    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
>    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}

  OK, if it works... ship it. :)

>    if (&sAMAccountName) {
>        update request {Yubikey-OTP = "%{User-Name}"}
>        update control {Auth-Type := "YubiCHAP"}
>    }

  That's good.

>    <snip>
>    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
>    files

  I really don't recommend changing User-Name.  It is very likely to break all kinds of things.

  What you can do is edit mods-enabled/files, and change the key used to look up entries.  Use:

	key = %{%{sAMAccountName}:-%{User-Name}}

>    if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
>    <snip>
> 
> authenticate {
>    Auth-Type YubiCHAP {
>        mschap
>        yubikey
>    }
> ...
> My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap...

  Just list it after mschap, as above.  It really is that easy.

  Alan DeKok.
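The authorize logic discussed above, modelled in Python as an added example (not code from the thread or from FreeRADIUS): the OTP arriving in User-Name is matched on its public-ID prefix, mapped to an sAMAccountName, copied into Yubikey-OTP, and the files lookup key falls back to User-Name instead of overwriting it. The prefix-to-account map reuses the two entries from the quoted config; the `authorize`/`files_key` function names are assumptions.

```python
"""Model of the thread's authorize rules: keep User-Name intact, carry the OTP
in Yubikey-OTP, and key the files lookup on sAMAccountName with a fallback.
Constructed example, not FreeRADIUS or the poster's own code."""
import re

MODHEX = "cbdefghijklnrtuv"          # Yubikey modhex alphabet (16 symbols)
OTP_TOKEN_RE = f"[{MODHEX}]{{32}}$"  # 32 modhex chars = the encrypted token part

# Public-ID prefix -> sAMAccountName, taken from the quoted config (constructed data).
PUBLIC_ID_TO_ACCOUNT = {
    "cccccct00001": "davidh",
    "cccccct00002": "philipo",
}


def authorize(request: dict) -> tuple:
    """Apply the quoted authorize rules; return (request, control) attribute dicts.
    Mirrors `if (User-Name =~ /^<prefix>[cbdefghijklnrtuv]{32}$/) {...}`."""
    request = dict(request)
    control = {}
    user_name = request.get("User-Name", "")
    for prefix, account in PUBLIC_ID_TO_ACCOUNT.items():
        if re.match("^" + re.escape(prefix) + OTP_TOKEN_RE, user_name):
            request["sAMAccountName"] = account
            break
    if "sAMAccountName" in request:
        # User-Name is deliberately left untouched (changing it breaks things);
        # the OTP travels in its own attribute and selects the YubiCHAP Auth-Type.
        request["Yubikey-OTP"] = user_name
        control["Auth-Type"] = "YubiCHAP"
    return request, control


def files_key(request: dict) -> str:
    """The suggested mods-enabled/files key: %{%{sAMAccountName}:-%{User-Name}}.
    sAMAccountName when the OTP mapping set it, otherwise the plain User-Name."""
    return request.get("sAMAccountName") or request.get("User-Name", "")
```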
