(RADIATOR) Problem with rewriteusername and chap
Dear all,

First, I must say sorry for the long post (and HTML). Secondly, we have a client sending username = [EMAIL PROTECTED] via MS-CHAP V2 and the password "password". We are running a simple config file:

    RewriteUsername s/[EMAIL PROTECTED]//

    <Client DEFAULT>
        Secret mysecret
        DupInterval 0
    </Client>

    <Realm DEFAULT>
        <AuthBy FILE>
            Filename /usr/local/etc/users
        </AuthBy>
    </Realm>

The users file contains:

    user    User-Password="password",
    user2   User-Password="password",

But the following happens. This yields:

    Wed Jan 7 17:54:21 2004: DEBUG: Reading users file /usr/local/etc/users
    Wed Jan 7 17:54:21 2004: DEBUG: Finished reading configuration file '/usr/local/etc/simple.cfg'
    Wed Jan 7 17:54:21 2004: DEBUG: Reading dictionary file '/var/log/radius/dictionary'
    Wed Jan 7 17:54:21 2004: DEBUG: Creating authentication port 0.0.0.0:1813
    Wed Jan 7 17:54:21 2004: DEBUG: Creating accounting port 0.0.0.0:1812
    Wed Jan 7 17:54:21 2004: NOTICE: Server started: Radiator 3.8 on dns1
    Wed Jan 7 17:54:25 2004: DEBUG: Packet dump:
    *** Received from 172.16.1.52 port 1814
    Code:       Access-Request
    Identifier: 13
    Authentic:  /s0126143149200R154239244tu_138
    Attributes:
        MS-CHAP-Challenge = "o167k193136128203138262141602301270K"
        MS-CHAP2-Response = "10145228250/r177"E13148236%25182230Y-1470246129b1815318832021781931654143@249s28X1652162"
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 172.16.1.52
        NAS-Identifier = "[EMAIL PROTECTED]/24"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Proxy-State = 208

    Wed Jan 7 17:54:25 2004: DEBUG: Rewrote user name to user
    Wed Jan 7 17:54:25 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Jan 7 17:54:25 2004: DEBUG: Deleting session for [EMAIL PROTECTED], 172.16.1.52,
    Wed Jan 7 17:54:25 2004: DEBUG: Handling with Radius::AuthFILE:
    Wed Jan 7 17:54:25 2004: DEBUG: Radius::AuthFILE looks for match with user2
    Wed Jan 7 17:54:25 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
    Wed Jan 7 17:54:25 2004: INFO: Access rejected for user: Bad Password
    Wed Jan 7 17:54:25 2004: DEBUG: Packet dump:
    *** Sending to 172.16.1.52 port 1814
    Code:       Access-Reject
    Identifier: 13
    Authentic:  /s0126143149200R154239244tu_138
    Attributes:
        Reply-Message = "Request Denied"
        Proxy-State = 208

But if the following is used:

    radpwtst -user [EMAIL PROTECTED] -password password

the output is below:

    *** Received from 127.0.0.1 port 60973
    Code:       Access-Request
    Identifier: 215
    Authentic:  1234567890123456
    Attributes:
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "137234,163v14618889160216}x153"

    Wed Jan 7 18:05:05 2004: DEBUG: Rewrote user name to user2
    Wed Jan 7 18:05:05 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Jan 7 18:05:05 2004: DEBUG: Deleting session for [EMAIL PROTECTED], 203.63.154.1, 1234
    Wed Jan 7 18:05:05 2004: DEBUG: Handling with Radius::AuthFILE:
    Wed Jan 7 18:05:05 2004: DEBUG: Radius::AuthFILE looks for match with user2
    Wed Jan 7 18:05:05 2004: DEBUG: Radius::AuthFILE ACCEPT:
    Wed Jan 7 18:05:05 2004: DEBUG: Access accepted for user2
    Wed Jan 7 18:05:05 2004: DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 60973
    Code:       Access-Accept
    Identifier: 215
    Authentic:  1234567890123456
    Attributes:

BUT with RewriteUsername OFF and using MS-CHAP V2, and changing the user names in the users file to [EMAIL PROTECTED], it works:

    *** Received from 172.16.1.52 port 1814
    Code:       Access-Request
    Identifier: 14
    Authentic:  20227JyPz8192168183245M252k139j
    Attributes:
        MS-CHAP-Challenge = "14l15825209199205a8J137u402146"
        MS-CHAP2-Response = "10F195ps4160|2502001763q213c2442175224269j180"2203238?157230231206184*192K194203y30"
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 172.16.1.52
        NAS-Identifier = "[EMAIL PROTECTED]/24"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Proxy-State = 80

    Wed Jan 7 18:08:21 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Jan 7 18:08:21 2004: DEBUG: Deleting session for [EMAIL PROTECTED], 172.16.1.52,
    Wed Jan 7 18:08:21 2004: DEBUG: Handling with Radius::AuthFILE:
    Wed Jan 7 18:08:21 2004: DEBUG: Radius::AuthFILE looks for match with [EMAIL PROTECTED]
    Wed Jan 7 18:08:21 2004: DEBUG: Radius::AuthFILE ACCEPT:
    Wed Jan 7 18:08:21 2004: DEBUG: Access accepted for [EMAIL PROTECTED]
    Wed Jan 7 18:08:21 2004: DEBUG: Packet dump:

Does anybody have any ideas where we would be going wrong?

regards
Chris.

--
Chris Simmons
Network Engineer
St Georges Hospital Medical School
Tel: 020 8725 0234
mail: [EMAIL PROTECTED]
Re: (RADIATOR) Problem with rewriteusername and chap
Hello Chris -

I believe the problem is to do with MS-CHAP V2, which uses the full username to check the password. Have a look at the comment header and the code in Radius/MSCHAP.pm in the Radiator 3.8 distribution.

regards
Hugh

On 08/01/2004, at 5:18 AM, Chris Simmons wrote:
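Hugh's pointer explains both packet dumps above: in MS-CHAPv2 the client mixes the User-Name it sent into the challenge its response is computed over, so a server that verifies against a rewritten name ("user" instead of the full address) derives a different challenge and sees "Bad Password" even though the password is right; a plain User-Password request carries no such binding, which is why radpwtst with the rewrite works. The Python below is an added example, not Radiator's code and not from this thread. It implements only the public, username-dependent parts of the exchange: the RADIUS MS-CHAP2-Response attribute layout (RFC 2548 section 2.3.3) and ChallengeHash (RFC 2759 section 8.2). The DES/MD4 NT-Response step is deliberately left out, and the challenge bytes, response bytes and the names user@example.invalid / user are constructed sample values.

```python
"""Why rewriting User-Name before MS-CHAPv2 verification fails the password check.

Added example (not Radiator code). Implements the RADIUS MS-CHAP2-Response
attribute layout (RFC 2548 section 2.3.3) and ChallengeHash (RFC 2759 section
8.2). The NT-Response itself (DES over an MD4 password hash) is omitted; what
matters here is that the 8-byte challenge fed into it depends on the exact user
name octets the client used, so a verifier hashing a rewritten name gets a
different challenge and rejects a correct password.
"""
import hashlib

# MS-CHAP2-Response value: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)
MSCHAP2_RESPONSE_LEN = 50
# MS-CHAP-Challenge value for MS-CHAPv2 is 16 octets (RFC 2548 section 2.1.3)
MSCHAP_CHALLENGE_LEN = 16


def parse_mschap2_response(value: bytes) -> dict:
    """Split an MS-CHAP2-Response attribute value into its fixed-size fields."""
    if len(value) != MSCHAP2_RESPONSE_LEN:
        raise ValueError(f"MS-CHAP2-Response must be {MSCHAP2_RESPONSE_LEN} octets, got {len(value)}")
    if value[1] != 0:
        raise ValueError("MS-CHAPv2 Flags octet must be zero")
    return {
        "ident": value[0],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    UserName is the octet string the peer used when it built its response. The
    verifier must hash the same octets or its 8-byte challenge will not match.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username)
    return h.digest()[:8]


def challenge_for_request(mschap_challenge: bytes, mschap2_response: bytes, username: bytes) -> bytes:
    """Derive the 8-byte challenge a verifier would use for one RADIUS Access-Request."""
    if len(mschap_challenge) != MSCHAP_CHALLENGE_LEN:
        raise ValueError(f"MS-CHAP-Challenge must be {MSCHAP_CHALLENGE_LEN} octets")
    fields = parse_mschap2_response(mschap2_response)
    return challenge_hash(fields["peer_challenge"], mschap_challenge, username)


def rewrite_changes_challenge(mschap_challenge: bytes, mschap2_response: bytes,
                              sent_name: bytes, rewritten_name: bytes) -> bool:
    """True when verifying with the rewritten name would use a different challenge
    than the one the client computed its response over (i.e. a guaranteed reject)."""
    original = challenge_for_request(mschap_challenge, mschap2_response, sent_name)
    rewritten = challenge_for_request(mschap_challenge, mschap2_response, rewritten_name)
    return original != rewritten


# Constructed sample values (not the bytes from the thread's packet dumps):
# a 16-byte MS-CHAP-Challenge and a 50-byte MS-CHAP2-Response with Ident 1,
# Flags 0, Peer-Challenge 0x10..0x1f, zero Reserved and a dummy 24-byte Response.
SAMPLE_MSCHAP_CHALLENGE = bytes(range(0xA0, 0xB0))
SAMPLE_MSCHAP2_RESPONSE = bytes([1, 0]) + bytes(range(0x10, 0x20)) + bytes(8) + bytes(range(24))

SENT_NAME = b"user@example.invalid"   # the User-Name the client actually sent (constructed)
REWRITTEN_NAME = b"user"              # what a RewriteUsername s/@example.invalid// would leave

if __name__ == "__main__":
    print("challenge with name as sent: ",
          challenge_for_request(SAMPLE_MSCHAP_CHALLENGE, SAMPLE_MSCHAP2_RESPONSE, SENT_NAME).hex())
    print("challenge with rewritten name:",
          challenge_for_request(SAMPLE_MSCHAP_CHALLENGE, SAMPLE_MSCHAP2_RESPONSE, REWRITTEN_NAME).hex())
    print("rewrite would break verification:",
          rewrite_changes_challenge(SAMPLE_MSCHAP_CHALLENGE, SAMPLE_MSCHAP2_RESPONSE,
                                    SENT_NAME, REWRITTEN_NAME))
```

The practical consequence for a setup like the one in the thread: with MS-CHAPv2 the name used for the hash check has to be the one in the request as received, and any stripping of the realm can only be applied to the lookup key or after the response has been verified; putting the full address in the users file, as Chris found, satisfies that trivially.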