Hello Chris -
I believe the problem is to do with MS-CHAP V2, which uses the full username to check the password.
Have a look at the comment header and the code in "Radius/MSCHAP.pm" in the Radiator 3.8 distribution.
regards
Hugh
On 08/01/2004, at 5:18 AM, Chris Simmons wrote:
Dear all,
First, I must say sorry for the long post (and HTML). Secondly, we have a client sending:
username [EMAIL PROTECTED] using MS-CHAP V2 and the password "password".
We are running a simple config file:
RewriteUsername s/[EMAIL PROTECTED]//
<Client DEFAULT>
        Secret mysecret
        DupInterval 0
</Client>
<Realm DEFAULT>
        <AuthBy FILE>
                Filename /usr/local/etc/users
        </AuthBy>
</Realm>
the users file contains:
user    User-Password="password"
user2   User-Password="password"
But the following happens. Yields:
Wed Jan 7 17:54:21 2004: DEBUG: Reading users file /usr/local/etc/users
Wed Jan 7 17:54:21 2004: DEBUG: Finished reading configuration file '/usr/local/etc/simple.cfg'
Wed Jan 7 17:54:21 2004: DEBUG: Reading dictionary file '/var/log/radius/dictionary'
Wed Jan 7 17:54:21 2004: DEBUG: Creating authentication port 0.0.0.0:1813
Wed Jan 7 17:54:21 2004: DEBUG: Creating accounting port 0.0.0.0:1812
Wed Jan 7 17:54:21 2004: NOTICE: Server started: Radiator 3.8 on dns1
Wed Jan 7 17:54:25 2004: DEBUG: Packet dump:
*** Received from 172.16.1.52 port 1814 ....
Code: Access-Request
Identifier: 13
Authentic: /s0<1><26><143><149><200>R<154><239><244>tu_<138>
Attributes:
MS-CHAP-Challenge = "o<167>k<193><136><128><203><138><26><214>&<160><230><127><0>K"
MS-CHAP2-Response = "<1><0><145><228><250>/ r<177>"E<13><148><236>%<25><182><230>Y<0><0><0><0><0><0><0><0>- <147><0><246><129>b<18><153><188><3><202><178><193><165><4><143>@<249>s <28>X<165>2<162>"
User-Name ="[EMAIL PROTECTED]"
NAS-IP-Address = 172.16.1.52
NAS-Identifier ="[EMAIL PROTECTED]/24"
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 208
Wed Jan 7 17:54:25 2004: DEBUG: Rewrote user name to user
Wed Jan 7 17:54:25 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 7 17:54:25 2004: DEBUG: Deleting session [EMAIL PROTECTED], 172.16.1.52,
Wed Jan 7 17:54:25 2004: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 7 17:54:25 2004: DEBUG: Radius::AuthFILE looks for match with user2
Wed Jan 7 17:54:25 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
Wed Jan 7 17:54:25 2004: INFO: Access rejected for user: Bad Password
Wed Jan 7 17:54:25 2004: DEBUG: Packet dump:
*** Sending to 172.16.1.52 port 1814 ....
Code: Access-Reject
Identifier: 13
Authentic: /s0<1><26><143><149><200>R<154><239><244>tu_<138>
Attributes:
Reply-Message = "Request Denied"
Proxy-State = 208
But if the following is used:
radpwtst [EMAIL PROTECTED] password
the output below:
*** Received from 127.0.0.1 port 60973 ....
Code: Access-Request
Identifier: 215
Authentic: 1234567890123456
Attributes:
User-Name ="[EMAIL PROTECTED]"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<137><234>,<222><216>3v<146><188>8<9><160><216>}x<153>"
Wed Jan 7 18:05:05 2004: DEBUG: Rewrote user name to user2
Wed Jan 7 18:05:05 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 7 18:05:05 2004: DEBUG: Deleting session [EMAIL PROTECTED], 203.63.154.1, 1234
Wed Jan 7 18:05:05 2004: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 7 18:05:05 2004: DEBUG: Radius::AuthFILE looks for match with user2
Wed Jan 7 18:05:05 2004: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 7 18:05:05 2004: DEBUG: Access accepted for user2
Wed Jan 7 18:05:05 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60973 ....
Code: Access-Accept
Identifier: 215
Authentic: 1234567890123456
Attributes:
BUT with RewriteUsername OFF, using MS-CHAP V2, and changing the user names in the users file to [EMAIL PROTECTED], it works.
*** Received from 172.16.1.52 port 1814 ....
Code: Access-Request
Identifier: 14
Authentic: <20><227>JyPz<8><192><168><183><245>M<252>k<139>j
Attributes:
MS-CHAP-Challenge = "<14>l<158><25><209><199><205>a8J<137>u<4>02<146>"
MS-CHAP2-Response = "<1><0>F<195>ps<4><160>|<250><200><176><3>q<213>c<244>2<0><0><0><0><0><0><0><0><175><224><26><9>j<180>"<220>3<238>? <157><230><231><206><184>*<192>K<<194><203>y<30>"
User-Name ="[EMAIL PROTECTED]"
NAS-IP-Address = 172.16.1.52
NAS-Identifier ="[EMAIL PROTECTED]/24"
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 80
Wed Jan 7 18:08:21 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 7 18:08:21 2004: DEBUG: Deleting session [EMAIL PROTECTED], 172.16.1.52,
Wed Jan 7 18:08:21 2004: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 7 18:08:21 2004: DEBUG: Radius::AuthFILE looks for match [EMAIL PROTECTED]
Wed Jan 7 18:08:21 2004: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 7 18:08:21 2004: DEBUG: Access accepted [EMAIL PROTECTED]
Wed Jan 7 18:08:21 2004: DEBUG: Packet dump:
Does anybody have any ideas where we would be going wrong?
regards
Chris.
-- Chris Simmons Network Engineer St Georges Hospital Medical School
Tel: 020 8725 0234 mail: [EMAIL PROTECTED]
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
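The point Hugh makes can be seen in the MS-CHAPv2 arithmetic itself. Below is an added example, written for this page and not code from the post or from Radiator's MSCHAP.pm: it decodes Radiator's packet-dump notation, pulls the fields out of an MS-CHAP2-Response attribute (RFC 2548 section 2.3.3), and computes the ChallengeHash step of RFC 2759 section 8.2, which is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]. Because the peer fed the User-Name it sent into that hash, a server that hashes the rewritten name gets a different 8-byte challenge and every NT-Response check fails, exactly the "Bad Password" seen above. The authenticator challenge is taken from the MS-CHAP-Challenge in the first dump; the MS-CHAP2-Response, the realm `example.net` and the `demo()` helper are constructed for illustration (the real address in the post is redacted). That Windows peers hash the name exactly as sent, keeping an `@realm` suffix and dropping only a `DOMAIN\` prefix, is the assumption the example rests on; the NtPasswordHash (MD4) and three-DES ChallengeResponse steps that follow are not reproduced here.

```python
"""Where the User-Name enters MS-CHAPv2, and why RewriteUsername breaks it.

Added example, not Radiator code.  Only the RFC 2759 8.2 ChallengeHash step
is implemented; the MD4 and DES steps that consume its output are described
in comments.
"""
import hashlib
import re


def decode_radiator_dump(s: str) -> bytes:
    """Turn Radiator's packet-dump notation ('o<167>k<193>...') back into bytes.

    Printable characters appear literally; a non-printable byte N is shown
    as <N> in decimal.
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"<(\d{1,3})>", s):
        out.extend(s[pos:m.start()].encode("latin-1"))
        out.append(int(m.group(1)))
        pos = m.end()
    out.extend(s[pos:].encode("latin-1"))
    return bytes(out)


def parse_mschap2_response(attr: bytes) -> dict:
    """Split an MS-CHAP2-Response value (RFC 2548 2.3.3) into its fields:
    Ident (1), Flags (1), Peer-Challenge (16), Reserved (8), NT-Response (24)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    return {
        "ident": attr[0],
        "flags": attr[1],
        "peer_challenge": attr[2:18],
        "reserved": attr[18:26],
        "nt_response": attr[26:50],
    }


def peer_hashed_name(user_name: str) -> str:
    """The name the peer feeds to ChallengeHash.  RFC 2759 8.2 excludes a
    Microsoft domain prefix ('DOMAIN\\user'); an '@realm' suffix is kept as
    sent (assumption stated in the lead-in)."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 8.2: Challenge = SHA1(PeerChallenge || AuthenticatorChallenge
    || UserName)[0:8].  This 8-byte value is what the peer DES-encrypts with
    its NT password hash (8.5); if the server derives a different value, the
    NT-Response can never match, whatever the password."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(peer_hashed_name(user_name).encode("latin-1"))
    return h.digest()[:8]


def demo() -> bool:
    """Reproduce the failure: same packet, challenge derived with the name as
    sent versus the name after RewriteUsername.  Returns True when the two
    8-byte challenges differ (i.e. the rewrite would break verification)."""
    # Authenticator challenge: the MS-CHAP-Challenge from the first dump.
    auth_challenge = decode_radiator_dump(
        'o<167>k<193><136><128><203><138><26><214>&<160><230><127><0>K')
    # CONSTRUCTED response attribute; the real one is not reproducible here.
    peer_challenge = bytes(range(16))
    resp_attr = bytes([13, 0]) + peer_challenge + bytes(8) + bytes(24)
    parsed = parse_mschap2_response(resp_attr)

    sent_name = "user@example.net"            # hypothetical realm (redacted in post)
    rewritten = re.sub(r"@example\.net$", "", sent_name)  # RewriteUsername s/@realm//

    c_sent = challenge_hash(parsed["peer_challenge"], auth_challenge, sent_name)
    c_rewritten = challenge_hash(parsed["peer_challenge"], auth_challenge, rewritten)
    return c_sent != c_rewritten


if __name__ == "__main__":
    print("rewritten name changes the MS-CHAPv2 challenge:", demo())
```

The practical consequence is the split Hugh points at: the rewritten name is fine for looking up the user's record, but the MS-CHAPv2 computation must be fed the User-Name exactly as the peer sent it. Storing the users file entries under the full address, as in the third dump, works because both names are then the same string.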