Re: Working around broken EAP client

2013-06-13 Thread Gordon Ross
On 11 Jun 2013, at 16:06, Alan DeKok al...@deployingradius.com wrote:

  That's really not what I said to do.  I said set User-Name to be the
 MS-CHAP identity.  You've got that inverted.
 
   update request {
   User-Name := %{mschap:User-Name}
   }


This worked a treat. Thank you very much !

GTG
-- 
Gordon Ross
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Working around broken EAP client

2013-06-11 Thread Gordon Ross
I'm using Freeradius 2.1.10 as supplied with Ubuntu 12.04

I'm wanting to use Freeradius to authenticate 802.1x clients. However, one 
client I need to authenticate I believe is broken, in that it's stripping the 
suffix on the inner identity.

From running freeradius -X I see:

[mschap] ERROR: User-Name (68...@phone.cam.ac.uk) is not the same as MS-CHAP 
Name (68983) from EAP-MSCHAPv2

Putting the same credentials into an iPhone allows the iPhone to sign onto the 
network without problems. So I feel it's the client that's broken, and not my 
freeradius setup.

I've seen some warnings that fixing the identity mis-match is a Bad Idea, but I 
need to get this client to work.

I found a page[1] that has a similar problem, but for Windows domain prefixes 
being stripped. It suggests that adding:

if ( User-Name =~ /^machine.*/ ) {
 update request {
 MS-CHAP-User-Name = %{request:User-Name}
 }
}

to the inner configuration will fix it.

Is it possible to do something similar to add the suffix if it's missing ?

Thanks,

GTG
-- 
Gordon Ross

[1] 
http://www.packetfence.org/support/faqs/article/authentication-error-user-name-is-not-the-same-as-ms-chap-name-from-eap-mschapv2.html?no_cache=1&cHash=557619254a0e733446140dcefbced985


Re: Working around broken EAP client

2013-06-11 Thread Phil Mayers
Gordon Ross gr...@ucs.cam.ac.uk wrote:

I'm using Freeradius 2.1.10 as supplied with Ubuntu 12.04

I'm wanting to use Freeradius to authenticate 802.1x clients. However,
one client I need to authenticate I believe is broken, in that it's
stripping the suffix on the inner identity.

From running freeradius -X I see:

[mschap] ERROR: User-Name (68...@phone.cam.ac.uk) is not the same as
MS-CHAP Name (68983) from EAP-MSCHAPv2

Putting the same credentials into an iPhone allows the iPhone to sign
onto the network without problems. So I feel it's the client that's
broken, and not my freeradius setup.

I've seen some warnings that fixing the identity mis-match is a Bad
Idea, but I need to get this client to work.

I found a page[1] that has a similar problem, but for Windows domain
prefixes being stripped. It suggests that adding:

if ( User-Name =~ /^machine.*/ ) {
 update request {
 MS-CHAP-User-Name = %{request:User-Name}
 }
}

to the inner configuration will fix it.

Is it possible to do something similar to add the suffix if it's
missing ?

Thanks,

GTG
-- 
Gordon Ross

[1]
http://www.packetfence.org/support/faqs/article/authentication-error-user-name-is-not-the-same-as-ms-chap-name-from-eap-mschapv2.html?no_cache=1&cHash=557619254a0e733446140dcefbced985

Can we see a full debug? It might help people suggest options. The advice you 
seem to have dug up seems plain wrong - no idea why they think setting that 
will help as it will mangle the challenge/response.
-- 
Sent from my phone with, please excuse brevity and typos

Re: Working around broken EAP client

2013-06-11 Thread Alan DeKok
Gordon Ross wrote:
 [mschap] ERROR: User-Name (68...@phone.cam.ac.uk) is not the same as MS-CHAP 
 Name (68983) from EAP-MSCHAPv2

  It appears that behavior is allowed.  I've had discussions with the
people doing the standards.  And the MS-CHAP identity has *no* relation
to the EAP-Identity.

  It's insane, but that's how it works.

  I think for v2.2.1, it's best to make that check configurable, instead
of an error.

  Alan DeKok.


Re: Working around broken EAP client

2013-06-11 Thread Gordon Ross
On 11 Jun 2013, at 13:59, Alan DeKok al...@deployingradius.com wrote:

  It appears that behavior is allowed.  I've had discussions with the
 people doing the standards.  And the MS-CHAP identity has *no* relation
 to the EAP-Identity.
 
  It's insane, but that's how it works.
 
  I think for v2.2.1, it's best to make that check configurable, instead
 of an error.


In the meantime, is there anything I can do to accept these requests ?

GTG


Re: Working around broken EAP client

2013-06-11 Thread Alan DeKok
Gordon Ross wrote:
 In the meantime, is there anything I can do to accept these requests ?

  Set the User-Name to be the same as the MS-CHAP identity.

  Alan DeKok.


Re: Working around broken EAP client

2013-06-11 Thread Gordon Ross
On 11 Jun 2013, at 14:32, Alan DeKok al...@deployingradius.com wrote:

 Gordon Ross wrote:
 In the meantime, is there anything I can do to accept these requests ?
 
  Set the User-Name to be the same as the MS-CHAP identity.


How and where do I do that ? In the inner part by something close to:

update request {
MS-CHAP-User-Name = %{request:User-Name}
}

?

GTG
-- 
Gordon Ross
Computing Service



Re: Working around broken EAP client

2013-06-11 Thread Phil Mayers

On 11/06/13 15:11, Gordon Ross wrote:

On 11 Jun 2013, at 14:32, Alan DeKok al...@deployingradius.com wrote:

Gordon Ross wrote:

In the meantime, is there anything I can do to accept these requests ?

  Set the User-Name to be the same as the MS-CHAP identity.

How and where do I do that ? In the inner part by something close to:

It's a bit complicated, because the code munges the username values 
depending on whether you've got with_ntdomain_hack set to yes or 
no (which is why I asked for a full debug).


You want to set it as late as possible but just before mschap 
authenticate runs.


Something like this:

server inner-tunnel {

...

authenticate {
  Auth-Type MSCHAP {
if (MS-CHAP-User-Name) {
  update request {
User-Name := %{MS-CHAP-User-Name}
  }
}
mschap
  }

  ...
}

}





Re: Working around broken EAP client

2013-06-11 Thread Alan DeKok
Gordon Ross wrote:
  Set the User-Name to be the same as the MS-CHAP identity.
 
 
 How and where do I do that ? In the inner part by something close to:
 
 update request {
 MS-CHAP-User-Name = %{request:User-Name}
 }

  That's really not what I said to do.  I said set User-Name to be the
MS-CHAP identity.  You've got that inverted.

update request {
User-Name := %{mschap:User-Name}
}

  Alan DeKok.
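The check behind the "[mschap] ERROR: User-Name (...) is not the same as MS-CHAP Name (...)" line, and the reason Phil's and Alan's replies both override User-Name rather than MS-CHAP-User-Name, modelled in Python as an added example. This is not code from the thread or from FreeRADIUS: `classify_mismatch`, `triage_log`, `parse_debug_line`, the sample debug lines and the challenge bytes are constructed for illustration, and the real rlm_eap_mschapv2 comparison differs in detail (the thread notes it depends on `with_ntdomain_hack`). `challenge_hash` follows ChallengeHash() from RFC 2759 section 8.2, which is why a server that recomputes the MS-CHAPv2 response with a different user name than the client used can never verify it.

```python
"""Added example (not from the FreeRADIUS list thread or the project's code).

Models the EAP-MSCHAPv2 identity check from the thread and the RFC 2759
challenge hash that makes MS-CHAP-User-Name the one value you must not rewrite.
"""
import hashlib
import re

# Pattern of the rlm_eap_mschapv2 debug error quoted in the thread.
MISMATCH_RE = re.compile(
    r"\[mschap\] ERROR: User-Name \((?P<user>[^)]*)\) is not the same as "
    r"MS-CHAP Name \((?P<mschap>[^)]*)\) from EAP-MSCHAPv2"
)


def strip_ntdomain(name: str) -> str:
    """Drop a Windows DOMAIN\\ prefix, as with_ntdomain_hack = yes does."""
    _, sep, user = name.partition("\\")
    return user if sep else name


def classify_mismatch(user_name: str, mschap_name: str,
                      with_ntdomain_hack: bool = False) -> str:
    """Compare the inner User-Name with the name carried in the EAP-MSCHAPv2
    response (a model of the module's check, not its exact code).

    Returns one of:
      'match'           names agree (after the optional domain strip)
      'realm-stripped'  client dropped an @realm suffix (this thread's case)
      'domain-stripped' client dropped a DOMAIN\\ prefix (the PacketFence FAQ case)
      'different'       the two identities genuinely differ
    """
    u = strip_ntdomain(user_name) if with_ntdomain_hack else user_name
    if u == mschap_name:
        return "match"
    if "@" in u and u.split("@", 1)[0] == mschap_name:
        return "realm-stripped"
    if "\\" in u and u.split("\\", 1)[1] == mschap_name:
        return "domain-stripped"
    return "different"


def parse_debug_line(line: str):
    """Return (User-Name, MS-CHAP Name) from one 'freeradius -X' error line,
    or None for any other line."""
    m = MISMATCH_RE.search(line)
    return (m.group("user"), m.group("mschap")) if m else None


def triage_log(lines, with_ntdomain_hack: bool = False):
    """Classify every mismatch error found in a debug log.

    Once User-Name := %{MS-CHAP-User-Name} is in place the request is accepted
    under whatever name the client put in the MS-CHAP response, so the
    'different' class is the one to keep an eye on in the logs."""
    results = []
    for line in lines:
        pair = parse_debug_line(line)
        if pair:
            verdict = classify_mismatch(*pair, with_ntdomain_hack=with_ntdomain_hack)
            results.append((pair[0], pair[1], verdict))
    return results


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA-1 over the 16-byte peer
    challenge, the 16-byte authenticator challenge and the user name (without
    any DOMAIN\\ prefix), truncated to 8 bytes. The NT-Response is computed
    over this value, so the server must hash the same name the client used."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("challenges must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(strip_ntdomain(user_name).encode("utf-8"))
    return h.digest()[:8]


# Constructed sample debug output; identities and realm are placeholders.
SAMPLE_LOG = [
    "[eap] Request found, released from the list",
    "[mschap] ERROR: User-Name (12345@example.org) is not the same as MS-CHAP Name (12345) from EAP-MSCHAPv2",
    "[mschap] ERROR: User-Name (EXAMPLE\\alice) is not the same as MS-CHAP Name (alice) from EAP-MSCHAPv2",
    "[mschap] ERROR: User-Name (alice@example.org) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2",
]

if __name__ == "__main__":
    for user, mschap, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:16} User-Name={user!r} MS-CHAP Name={mschap!r}")
    pc, ac = bytes(range(16)), bytes(range(16, 32))  # constructed challenges
    print("hash with client's name   :", challenge_hash(pc, ac, "12345").hex())
    print("hash with rewritten name  :", challenge_hash(pc, ac, "12345@example.org").hex())
```

Running the script shows the two kinds of benign mismatch from the thread and the FAQ next to a genuinely different pair, and prints two different 8-byte challenges for "12345" and "12345@example.org". That difference is the whole argument: the client already hashed its own name into the challenge before it sent the NT-Response, so rewriting MS-CHAP-User-Name on the server changes the input to the verification and the response can no longer check out, whereas copying the MS-CHAP name into User-Name only changes which identity the server goes on to authorize and account for.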