Win2003 IAS CRP's attribute manipulations == MS-CHAPv2 login failures.

From: Tony (tburnett_at_columbus.rr.com)
Date: Thu, 23 Sep 2004 14:46:34 -0400

In some scenarios, IAS CRP's attribute manipulations result in MS-CHAPv2
login failures.

Setup:
1. Build 2 Win2003 IAS boxes (PROXY and AUTH) in a domain (mydomain.com
[MYDOMAIN]).
2. On PROXY create a remote server group that points to AUTH
3. On AUTH create a RADIUS client for PROXY
4. On PROXY create a RADIUS client for the machine that will generate
PAP/CHAP/MS-CHAPv1/MS-CHAPv2 Access-Requests (CLIENT). DO NOT USE THE SAME
SHARED SECRET between CLIENT and PROXY that you used between PROXY and AUTH.
5. On PROXY create a CRP ("Proxy All") that captures all requests and
proxies (forwards) them to AUTH.
6. Edit "Proxy All" and select "Edit Profile". Switch to the "Attribute"
tab.
7. Select "User-Name" from the pull-down.
8. Select "Add".
9. Find: "^(.+)(@mydomain\.com)$" (no quotes)
10. Replace: $1
11. Send PAP, CHAP, MS-CHAPv1 and MS-CHAPv2 requests to PROXY from CLIENT for
the user "test@mydomain.com".
12. Do PAP, CHAP and MS-CHAPv1 work? How about MS-CHAPv2?
13. Now change the find/replace rules to...
14. Find: "^(MYDOMAIN\\)(.+)$"
15. Replace: $2
16. Repeat the client requests with the username "MYDOMAIN\test". Same results?

We found that with find/replace set #1, using MS-CHAPv2 always resulted in an
"unknown username or bad password" failure on AUTH. However, with
find/replace set #2 it works fine. In both cases you are sending the same
username attribute ("test") to AUTH from PROXY.

What gives? I assume this may have something to do with MS-CHAPv2's "peer
to peer" mutual authentication?

-- 
Tony
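Added illustration, not part of Tony's post and not IAS code: in RFC 2759 the MS-CHAPv2 ChallengeHash is SHA-1 over PeerChallenge, AuthenticatorChallenge and the UserName, so the NT-Response only verifies when client and authenticator hash the same name; Windows implementations leave a leading "DOMAIN\" out of that name but keep an "@realm" suffix in. The script below models the two CRP rules from the post with Python's `re` and compares the hash each side would compute; the challenge values are constructed and the `strip_nt_domain` helper is this example's model of the Windows behaviour.

```python
import hashlib
import re

# Constructed 16-octet challenges; in a real exchange both are random per RFC 2759.
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def strip_nt_domain(user_name: str) -> str:
    """Model of Windows MS-CHAPv2 behaviour: a leading 'DOMAIN\\' is not part
    of the name that gets hashed, but a trailing '@realm' is kept."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer: bytes, authenticator: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2: SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)
    truncated to 8 octets. This is the DES plaintext behind the NT-Response, so a
    different UserName yields a different response."""
    name = strip_nt_domain(user_name).encode("ascii")
    return hashlib.sha1(peer + authenticator + name).digest()[:8]


def proxy_rewrite(user_name: str, find: str, replace: str) -> str:
    """Model of the IAS CRP User-Name find/replace rule. IAS writes
    back-references as $1/$2; Python's re wants \\1/\\2."""
    py_replace = re.sub(r"\$(\d+)", r"\\\1", replace)
    return re.sub(find, py_replace, user_name)


def names_hash_consistently(client_name: str, find: str, replace: str) -> bool:
    """True when the hash the client computed over the name it sent equals the
    hash AUTH computes over the name PROXY forwarded to it."""
    client_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, client_name)
    forwarded = proxy_rewrite(client_name, find, replace)
    auth_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, forwarded)
    return client_side == auth_side


if __name__ == "__main__":
    # Set #1 from the post: strip the @realm suffix on PROXY.
    print("set #1 consistent:", names_hash_consistently(
        "test@mydomain.com", r"^(.+)(@mydomain\.com)$", "$1"))  # False
    # Set #2 from the post: strip the DOMAIN\ prefix on PROXY.
    print("set #2 consistent:", names_hash_consistently(
        "MYDOMAIN\\test", r"^(MYDOMAIN\\)(.+)$", "$2"))  # True
```

PAP, CHAP and MS-CHAPv1 do not bind the User-Name into the response, which is why only MS-CHAPv2 is sensitive to the rewrite.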
