Re: Working around broken EAP client
On 11 Jun 2013, at 16:06, Alan DeKok al...@deployingradius.com wrote:

> That's really not what I said to do. I said set User-Name to be the
> MS-CHAP identity. You've got that inverted.
>
>   update request {
>     User-Name := %{mschap:User-Name}
>   }

This worked a treat. Thank you very much!

GTG
--
Gordon Ross

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Working around broken EAP client
I'm using FreeRADIUS 2.1.10 as supplied with Ubuntu 12.04.

I'm wanting to use FreeRADIUS to authenticate 802.1X clients. However, one
client I need to authenticate I believe is broken, in that it's stripping the
suffix on the inner identity. From running freeradius -X I see:

  [mschap] ERROR: User-Name (68...@phone.cam.ac.uk) is not the same as MS-CHAP Name (68983) from EAP-MSCHAPv2

Putting the same credentials into an iPhone allows the iPhone to sign onto the
network without problems. So I feel it's the client that's broken, and not my
FreeRADIUS setup.

I've seen some warnings that fixing the identity mismatch is a Bad Idea, but I
need to get this client to work. I found a page[1] that has a similar problem,
but for Windows domain prefixes being stripped. It suggests that adding:

  if ( User-Name =~ /^machine.*/ ) {
    update request {
      MS-CHAP-User-Name = %{request:User-Name}
    }
  }

to the inner configuration will fix it. Is it possible to do something similar
to add the suffix if it's missing?

Thanks,

GTG
--
Gordon Ross

[1] http://www.packetfence.org/support/faqs/article/authentication-error-user-name-is-not-the-same-as-ms-chap-name-from-eap-mschapv2.html?no_cache=1cHash=557619254a0e733446140dcefbced985
Re: Working around broken EAP client
Gordon Ross gr...@ucs.cam.ac.uk wrote:

> I'm using FreeRADIUS 2.1.10 as supplied with Ubuntu 12.04.
>
> I'm wanting to use FreeRADIUS to authenticate 802.1X clients. However, one
> client I need to authenticate I believe is broken, in that it's stripping the
> suffix on the inner identity. From running freeradius -X I see:
>
>   [mschap] ERROR: User-Name (68...@phone.cam.ac.uk) is not the same as MS-CHAP Name (68983) from EAP-MSCHAPv2
>
> Putting the same credentials into an iPhone allows the iPhone to sign onto the
> network without problems. So I feel it's the client that's broken, and not my
> FreeRADIUS setup.
>
> I've seen some warnings that fixing the identity mismatch is a Bad Idea, but I
> need to get this client to work. I found a page[1] that has a similar problem,
> but for Windows domain prefixes being stripped. It suggests that adding:
>
>   if ( User-Name =~ /^machine.*/ ) {
>     update request {
>       MS-CHAP-User-Name = %{request:User-Name}
>     }
>   }
>
> to the inner configuration will fix it. Is it possible to do something similar
> to add the suffix if it's missing?
>
> Thanks,
>
> GTG
> --
> Gordon Ross
>
> [1] http://www.packetfence.org/support/faqs/article/authentication-error-user-name-is-not-the-same-as-ms-chap-name-from-eap-mschapv2.html?no_cache=1cHash=557619254a0e733446140dcefbced985

Can we see a full debug? It might help people suggest options.

The advice you seem to have dug up seems plain wrong - no idea why they think
setting that will help as it will mangle the challenge/response.
--
Sent from my phone with, please excuse brevity and typos
Re: Working around broken EAP client
Gordon Ross wrote:

>   [mschap] ERROR: User-Name (68...@phone.cam.ac.uk) is not the same as MS-CHAP Name (68983) from EAP-MSCHAPv2

It appears that behavior is allowed. I've had discussions with the people
doing the standards. And the MS-CHAP identity has *no* relation to the
EAP-Identity.

It's insane, but that's how it works.

I think for v2.2.1, it's best to make that check configurable, instead of an
error.

Alan DeKok.
Re: Working around broken EAP client
On 11 Jun 2013, at 13:59, Alan DeKok al...@deployingradius.com wrote:

> It appears that behavior is allowed. I've had discussions with the people
> doing the standards. And the MS-CHAP identity has *no* relation to the
> EAP-Identity.
>
> It's insane, but that's how it works.
>
> I think for v2.2.1, it's best to make that check configurable, instead of an
> error.

In the meantime, is there anything I can do to accept these requests?

GTG
Re: Working around broken EAP client
Gordon Ross wrote:

> In the meantime, is there anything I can do to accept these requests?

Set the User-Name to be the same as the MS-CHAP identity.

Alan DeKok.
Re: Working around broken EAP client
On 11 Jun 2013, at 14:32, Alan DeKok al...@deployingradius.com wrote:

> Gordon Ross wrote:
>
>> In the meantime, is there anything I can do to accept these requests?
>
> Set the User-Name to be the same as the MS-CHAP identity.

How and where do I do that? In the inner part by something close to:

  update request {
    MS-CHAP-User-Name = %{request:User-Name}
  }

?

GTG
--
Gordon Ross
Computing Service
Re: Working around broken EAP client
On 11/06/13 15:11, Gordon Ross wrote:

> On 11 Jun 2013, at 14:32, Alan DeKok al...@deployingradius.com wrote:
>
>> Gordon Ross wrote:
>>
>>> In the meantime, is there anything I can do to accept these requests?
>>
>> Set the User-Name to be the same as the MS-CHAP identity.
>
> How and where do I do that? In the inner part by something close to:

It's a bit complicated, because the code munges the username values depending
on whether you've got with_ntdomain_hack set to yes or no (which is why I
asked for a full debug).

You want to set it as late as possible but just before mschap authenticate
runs. Something like this:

  server inner-tunnel {
    ...
    authenticate {
      Auth-Type MSCHAP {
        if (MS-CHAP-User-Name) {
          update request {
            User-Name := %{MS-CHAP-User-Name}
          }
        }
        mschap
      }
    }
    ...
  }
Re: Working around broken EAP client
Gordon Ross wrote:

>> Set the User-Name to be the same as the MS-CHAP identity.
>
> How and where do I do that? In the inner part by something close to:
>
>   update request {
>     MS-CHAP-User-Name = %{request:User-Name}
>   }

That's really not what I said to do. I said set User-Name to be the MS-CHAP
identity. You've got that inverted.

  update request {
    User-Name := %{mschap:User-Name}
  }

Alan DeKok.
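The two replies above give the pieces of the workaround: place the rewrite in the inner-tunnel authenticate section just before mschap runs, and take the identity from the %{mschap:User-Name} xlat rather than from a request attribute. The fragment below is an added example (not from this thread, and not the FreeRADIUS project's own configuration) that puts those pieces together for FreeRADIUS 2.1.x and narrows the rewrite so it only applies when the names actually differ and only for the realm seen in the debug line. The realm phone.cam.ac.uk is taken from the thread's error message; that it is the only affected realm is an assumption.

```unlang
#  Added example, not from the thread or the FreeRADIUS project.
#  Inner-tunnel fragment for FreeRADIUS 2.1.x: rewrite User-Name to the
#  name the client sent in its MS-CHAPv2 response, but only when needed.
#
#  Assumptions:
#    - the realm "phone.cam.ac.uk" (from the debug line) is the one the
#      broken client drops from its MS-CHAP name;
#    - well-behaved clients send matching names and so never reach the
#      update block.
server inner-tunnel {
	authenticate {
		Auth-Type MSCHAP {
			#  Rewrite only when all three hold:
			#    1. the MS-CHAPv2 response carried a name at all,
			#    2. that name differs from the EAP inner identity,
			#    3. the inner identity is in the realm known to be affected.
			#  Everything else keeps the default identity check.
			if (("%{mschap:User-Name}" != "") && ("%{mschap:User-Name}" != "%{User-Name}") && (User-Name =~ /@phone\.cam\.ac\.uk$/)) {
				update request {
					#  Keep the original inner identity so it can be
					#  logged alongside the rewritten one.
					Tmp-String-0 := "%{User-Name}"
					User-Name := "%{mschap:User-Name}"
				}
			}
			mschap
		}
	}
}
```

Because the update runs inside authenticate, any password or account lookup that authorize already performed was keyed on the full inner identity; the rewrite only satisfies rlm_mschap's name comparison. The MS-CHAP name is whatever the client chose to send, so keeping the rewrite scoped to one realm, and logging Tmp-String-0 in post-auth, limits how far the default check is relaxed and leaves an audit trail of every request that needed it. As the earlier reply notes, with_ntdomain_hack changes how rlm_mschap munges both names, so confirm the condition against a full freeradius -X run before relying on it. If the broken client is a single known device, the condition can be narrowed further on the outer request's Calling-Station-Id via %{outer.request:Calling-Station-Id}.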