Re: Win2003 IAS CRP's attribute manipulations == MS-CHAPv2 login failures.


From: Tony (tburnett_at_columbus.rr.com)
Date: 09/24/04


Date: Fri, 24 Sep 2004 10:11:44 -0400

After looking into this issue a bit farther, this seems to be a deficiency in
the MS-CHAPv2 RFC (ftp://ftp.rfc-editor.org/in-notes/rfc2759.txt).

The computation of the Peer-Challenge uses the username as one of its
inputs. The RFC *attempts* to normalize the username by allowing the
"MYDOMAIN\" portion to be removed *BEFORE* the challenge is computed.
However, the RFC does not take into consideration the case where the
username is a NAI (what MS calls a UPN), test@mydomain.com.

This would explain why the MYDOMAIN\ find/replace set works, whereas the
@mydomain.com find/replace set does not, as the AUTH RADIUS server
already uses the normalized username (the domain PREFIX removed) in its
computations. However, in the case of sending a NAI (aka UPN),
normalization does NOT take place. As such, AUTH cannot validate the peer
challenge correctly.

In short, this issue appears to be "by bad rfc design". Looks like Glen
Zorn didn't foresee this scenario when writing the RFC.

I don't see this mentioned in a KB and/or the IAS help. But it certainly
should be.

-- 
Tony
"Tony" <tburnett@columbus.rr.com> wrote in message 
news:OZXn$PaoEHA.3728@TK2MSFTNGP09.phx.gbl...
>I can make the setup a bit easier....
>
> Setup both find/replace rules in the **same** CRP (order doesn't matter). 
> The results are the same.  Usernames that match the @mydomain 
> find/replace set fail with MS-CHAPv2, those that match the MYDOMAIN\ 
> find/replace set work fine with MS-CHAPv2.  Though in both cases the 
> username received by AUTH is identical.
>
> -- 
> Tony
> "Tony" <tburnett@columbus.rr.com> wrote in message 
> news:uVgon2ZoEHA.2340@TK2MSFTNGP10.phx.gbl...
>> In some scenarios, IAS CRP's attribute manipulations result in MS-CHAPv2 
>> login failures.
>>
>> Setup:
>> 1. Build 2 Win2003 IAS boxes (PROXY and AUTH) in a domain (mydomain.com 
>> [MYDOMAIN]).
>> 2. On PROXY create a remote server group that points to AUTH
>> 3. On AUTH create a RADIUS client for PROXY
>> 4. On PROXY create a RADIUS client for the machine that will generate 
>> PAP/CHAP/MS-CHAPv1/MS-CHAPv2 Access-Requests (CLIENT).  DO NOT USE THE 
>> SAME SHARED SECRET between CLIENT and PROXY that you used between PROXY 
>> and AUTH.
>> 5. On PROXY create a CRP ("Proxy All") that captures all requests and 
>> proxies (forwards) them to AUTH.
>> 6. Edit "Proxy All" and select "Edit Profile".  Switch to the "Attribute" 
>> tab.
>> 7. Select "User-Name" from the pull down
>> 8. Select "Add"
>> 9. Find: "^(.+)(@mydomain\.com)$" (no quotes)
>> 10. Replace: $1
>> 11. Send PAP, CHAP, MS-CHAPv1 and MS-CHAPv2 requests to PROXY from CLIENT 
>> for the user "test@mydomain.com".
>> 12. Do PAP, CHAP and MS-CHAPv1 work?  How about MS-CHAPv2?
>> 13. Now change the find/replace rules to...
>> 14. Find: "^(MYDOMAIN\\)(.+)$"
>> 15. Replace: $2
>> 16. Repeat client requests with the username "MYDOMAIN\test".  Same 
>> results?
>>
>> We found that with find/replace set #1 using MS-CHAPv2 always resulted in 
>> a "unknown username or bad password" failure on AUTH.  However with 
>> find/replace set #2 it works fine.  In both cases you are sending the 
>> same username attribute ("test") to AUTH from PROXY.
>>
>> What gives?  I assume this may have something to do with MS-CHAPv2's 
>> "peer to peer" mutual authentication?
>> -- 
>> Tony
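As an added illustration of Tony's analysis above (this is not code from the thread): RFC 2759's ChallengeHash() drops a prefixed NT domain from the User-Name but leaves a NAI/UPN suffix alone, so PROXY's set #1 rewrite changes the username AUTH hashes while CLIENT hashed the original. The peer and authenticator challenge bytes are constructed sample values, and the two regexes are the CRP rules from the post.

```python
import hashlib
import re

# Constructed sample values (not from the post): a 16-byte peer challenge
# and a 16-byte authenticator challenge, as used in RFC 2759 section 8.2.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTH_CHALLENGE = bytes(range(0x20, 0x30))


def rfc2759_username(user_name: str) -> str:
    """The one normalization RFC 2759 ChallengeHash() performs: exclude a
    prefixed domain name ('MYDOMAIN\\test' -> 'test').
    A NAI/UPN suffix ('test@mydomain.com') is left untouched."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759: the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(rfc2759_username(user_name).encode("ascii"))
    return sha.digest()[:8]


# The two IAS CRP find/replace rules from the post, applied by PROXY to User-Name.
CRP_RULES = [
    (re.compile(r"^(.+)(@mydomain\.com)$"), r"\1"),  # set #1: strip the UPN suffix
    (re.compile(r"^(MYDOMAIN\\)(.+)$"), r"\2"),      # set #2: strip the NT domain prefix
]


def proxy_rewrite(user_name: str) -> str:
    """Apply the CRP attribute manipulation as PROXY does before forwarding to AUTH."""
    for pattern, repl in CRP_RULES:
        if pattern.match(user_name):
            return pattern.sub(repl, user_name)
    return user_name


def challenge_matches(client_user_name: str) -> bool:
    """Does the challenge hash CLIENT computed (over the User-Name it sent)
    equal the one AUTH recomputes from the rewritten User-Name it receives?"""
    client_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_user_name)
    auth_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, proxy_rewrite(client_user_name))
    return client_side == auth_side
```

With set #2 both sides end up hashing "test", so the NT-Response derived from the challenge hash verifies; with set #1 CLIENT hashed "test@mydomain.com" while AUTH hashes "test", which is the "unknown username or bad password" failure seen on AUTH.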

