Masquerading MSCHAPv2 User-Name?

Masquerading MSCHAPv2 User-Name?

Users mailing list
Hi,

We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind.
I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following:
winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"

I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fu however led me to an article titled Understanding PEAP In-Depth, where the values the initiator and RADIUS server generate are summarised as:
Initiator:
AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a')
PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6')
chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge)
PasswordHash = chap.NtPasswordHash(Password)
Challenge = chap.ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName)
NTResponse = chap.ChallengeResponse(Challenge, PasswordHash)
print ('Challenge : '+Challenge.hex())
print ('NTResponse: '+NTResponse.hex())
radius:
AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a')
PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6')
chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge)
NTResponse = b''.fromhex('6c da db 80 dd 53 10 b8 05 f2 a0 da 9b b4 5e ad 51 ee 65 34 4c 95 e6 00')
PasswordHash = chap.NtPasswordHash(Password)
AuthenticatorResponse = chap.GenerateAuthenticatorResponse(Password, NTResponse, PeerChallenge, AuthenticatorChallenge, UserName)
print('Authenticator Response: ' + AuthenticatorResponse)

I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username?
If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry?

I'd like to essentially transform a MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD.


Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could look up the username prefix in a file and then set winbind_username as the AD account name that key belongs to. The thought process was to reject requests where the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against Yubico validation servers.



References:

  * Understanding PEAP In-Depth: https://sensepost.com/blog/2019/understanding-peap-in-depth/
  * Yubico OTPs Explained: https://developers.yubico.com/OTP/OTPs_Explained.html


Regards
David Herselman

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Masquerading MSCHAPv2 User-Name?

Alan DeKok-2
On Feb 15, 2021, at 10:11 AM, David Herselman via Freeradius-Users <[hidden email]> wrote:
> We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind.

  That's good.

> I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following:
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"

  I'm not sure what you mean by "masquerade the presented username".  That is not at all common terminology.

> I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fu however led me to an article titled Understanding PEAP In-Depth, where the values the initiator and RADIUS server generate are summarised as:

  That is *way* down into technical details.  I'd suggest instead describing what you want to do.  Use simple descriptions.

> I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username?

  No.

> If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry?

  See above.  winbind is there for a reason.  We don't add features just to be sexy.  They all have a reason.

> I'd like to essentially transform a MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD.

  It's impossible.  It's designed to be impossible.  Not by us, but by the people who designed MS-CHAP in the first place.  It's been this way for 20+ years.

  If this was possible, then FreeRADIUS would ship with an example configuration which shows how to do this.

> Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could look up the username prefix in a file and then set winbind_username as the AD account name that key belongs to. The thought process was to reject requests where the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against Yubico validation servers.

  FreeRADIUS can split strings into pieces, and look those pieces up in files.  It can check passwords against multiple back-ends.

  But I have no idea what this has to do with MS-CHAP.

  If FreeRADIUS gets a clear-text AD password, it can just check that password against AD, using LDAP.  There's no need to use MS-CHAP or winbind.

  Alan DeKok.



RE: Masquerading MSCHAPv2 User-Name?

Users mailing list
Hi Alan,

I'm surprised by your response as I can update mods-available/mschap to set 'winbind_username = "davidh"' and then successfully log in via MS-CHAPv2 by entering the password for davidh, but providing an alternate username:

Client:

[davidh@linux-test ~]$ ssh andrewr@192.168.10.1
andrewr@192.168.10.1's password:************

<snip>
  MikroTik RouterOS 6.48.1 (c) 1999-2020       http://www.mikrotik.com/
<snip>
[andrewr@router] >

FR 3.0.17:

(1) Received Access-Request Id 253 from 100.127.255.10:59408 to 192.168.20.11:1812 length 161
(1)   Service-Type = Login-User
(1)   User-Name = "andrewr"
(1)   MS-CHAP-Challenge = 0xefa32ded589962742ec408cbd4b0eaf7
(1)   MS-CHAP2-Response = 0x0000f0c84a52b1482f3d0eb5a455ce5972be0000000000000000a5b2ad8947a6c27eadb1fe80c9aa1a7dc9d0632f3987a72a
(1)   Calling-Station-Id = "192.168.1.77"
(1)   NAS-Identifier = "router"
(1)   NAS-IP-Address = 100.127.255.10
<snip>
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
<snip>
(1) Found Auth-Type = mschap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) mschap: Creating challenge hash with username: andrewr
(1) mschap: Client is using MS-CHAPv2
(1) mschap: ERROR: No NT-Domain was found in the User-Name
(1) mschap: EXPAND %{mschap:NT-Domain}
(1) mschap:    -->
rlm_mschap (mschap): Reserved connection (1)
(1) mschap: sending authentication request user='davidh' domain=''
rlm_mschap (mschap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_mschap (mschap): Opening additional connection (6), 1 of 26 pending slots used
(1) mschap: Authenticated successfully
(1) mschap: Adding MS-CHAPv2 MPPE keys
(1)     [mschap] = ok
(1)   } # authenticate = ok
<snip>
(1) Login OK: [andrewr] (from client test-mschap port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:1 nas-id:router
(1) Sent Access-Accept Id 253 from 192.168.20.11:1812 to 100.127.255.10:59408 length 0
(1)   Reply-Message = "Member of routers_test_full"
(1)   Mikrotik-Group = "full"
(1)   MS-CHAP2-Success = 0x00533d35383041354643413539414141313530383433303639414243414134334135303446414642354434
(1)   MS-MPPE-Recv-Key = 0x8ac2030b74b35cbee9bc8d6b84c66bcc
(1)   MS-MPPE-Send-Key = 0x99c473780b7a5068022fc19f1af97181
(1)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(1)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(1) Finished request

I presume FR therefore does have the ability to transform/replace/masquerade the presented username when using MS-CHAPv2. Just in case andrewr and davidh happen to hash to the same value, I tried with the OTP generated by a press of a YubiKey:

Client:

[davidh@linux-test ~]$ ssh cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit@192.168.10.1
cccccctcikejkrbhnvrjrdlujuujdc@192.168.10.1's password:************

<snip>
  MikroTik RouterOS 6.48.1 (c) 1999-2020       http://www.mikrotik.com/
<snip>
[cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit@router] >

FR 3.0.17:

(0) Received Access-Request Id 6 from 100.127.255.10:56594 to 192.168.20.11:1812 length 198
(0)   Service-Type = Login-User
(0)   User-Name = "cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit"
(0)   MS-CHAP-Challenge = 0x74a6b11442e47c657a6d7a543c698731
(0)   MS-CHAP2-Response = 0x0000f16bc9ef22ae36871e353ae9726073e600000000000000006680411fedf2daf0b191d442a5eea7a10fabcfd8949f89d9
(0)   Calling-Station-Id = "192.168.1.77"
(0)   NAS-Identifier = "router"
(0)   NAS-IP-Address = 100.127.255.10
<snip>
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
<snip>
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: Creating challenge hash with username: cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND %{mschap:NT-Domain}
(0) mschap:    -->
rlm_mschap (mschap): Reserved connection (0)
(0) mschap: sending authentication request user='davidh' domain=''
rlm_mschap (mschap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending slots used
(0) mschap: Authenticated successfully
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0)     [mschap] = ok
(0)   } # authenticate = ok
<snip>
(0) Login OK: [cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit] (from client test-mschap port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:0 nas-id:router
(0) Sent Access-Accept Id 6 from 192.168.20.11:1812 to 100.127.255.10:56594 length 0
(0)   Reply-Message = "Member of routers_test_full"
(1)   Mikrotik-Group = "full"
(0)   MS-CHAP2-Success = 0x00533d42463830443339423145324136343533324335304131323633344633343242464630454131434439
(0)   MS-MPPE-Recv-Key = 0xeaa2fdd6b60b5dbc60a02c2fb3a7d473
(0)   MS-MPPE-Send-Key = 0x895c22f518ba4122d39f6e42eba2e7c4
(0)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(0)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request

Regards
David Herselman



-----Original Message-----
From: Alan DeKok <[hidden email]>
Sent: Monday, 15 February 2021 5:40 PM
To: FreeRadius users mailing list <[hidden email]>
Cc: David Herselman <[hidden email]>
Subject: Re: Masquerading MSCHAPv2 User-Name?




Re: Masquerading MSCHAPv2 User-Name?

Alan DeKok-2
On Feb 17, 2021, at 2:54 PM, David Herselman <[hidden email]> wrote:
> I'm surprised by your response as I can update mods-available/mschap to set 'winbind_username = "davidh"'

  winbind is not MS-CHAP.  Winbind is (essentially) the database query used to verify the MS-CHAP information.

  The "winbind_username" field is *not* used in any part of the MS-CHAP calculation.  As I said.

  TBH, I'm rather surprised that you ask questions, and then argue with the answers.  Are you that aware of the details of each protocol, that you can authoritatively argue against someone who's been doing this for 20 years?

> and then successfully login via MS-CHAPv2 by entering the password for davidh, but providing an alternate username:

  It doesn't matter.

  I can put the users password into an LDAP entry for user with the name "I_like_to_eat_pizza".  That name has nothing whatsoever to do with the MS-CHAP calculations.

  Try this with the "users" file.   Add this to the top of the "users" file:

DEFAULT Cleartext-Password := "hello"

  Then log in as ANY other user (e.g. "bob"), using MS-CHAP, and the password "hello".  Use "radclient" or "radtest" to do this.

  What will happen?  The user will be authenticated.  But if the entry in the "users" file is for DEFAULT, how can this possibly work?

  Answer:  if you understand the system, the answer is obvious.

> I presume FR therefor does have the ability to transform/replace/masquerade

  Stop using the term "masquerade".  It's wrong.  I already told you that it's not correct terminology.  Your repeated use of it shows that you don't know how things work.  And worse, that you're resisting the suggestion to learn.

  You're asking questions using terms you've invented, and are then arguing with the answers.  This is generally a good approach if you want to confuse and annoy people.  I suggest not doing this.

> the presented username when using MS-CHAPv2. Just in case andrewr and davidh happen to hash to the same value, I tried with the OTP generated by a press of a YubiKey:

  Whatever question you're asking is unrelated to the tests you're doing.

  Stop inventing terms.  Stop doing irrelevant tests.  Put some effort into understanding the system.

  I still have no idea what you're really trying to do.  In large part because you're not describing it using simple, common, terms.  You're not saying what the RADIUS server receives, what's in the DB, what keys are used for lookups, etc.  You just keep repeating "I want to masquerade the user name for MS-CHAP", as if repetition will get your point across.

  It won't.

  Alan DeKok.



RE: Masquerading MSCHAPv2 User-Name?

Users mailing list
Hi Alan,

I have the utmost respect for your knowledge, experience and extraordinary amount of time you invest in answering posts in mailing lists. I also appreciate that my terminology isn't correct, although the only feedback has been to point this out repeatedly without providing the correct terms you would like me to use.

A message from this group in June 2017 appears to refer to this functionality as 'Change username for MSCHAPv2' where no comment was made regarding this being incorrect terminology. I'll use that going forward, unless someone would be helpful enough to correct me or simply point me at a document which details correct terminology:
  http://lists.freeradius.org/pipermail/freeradius-users/2017-June/088060.html


The following is primarily intended for others like me, that would love to search for YubiKey MFA / 2FA / OTP and get re-assurance that FreeRADIUS is perfectly suited to meet the following objectives:
  - RADIUS Multi-factor authentication using YubiKeys where people simply need to press a single button to generate an OTP. No mobile device apps or 3rd party software required. Plug-in and press the button.
  - Some of our network devices exclusively support MSCHAPv2
  - We want to manage accounts exclusively via Active Directory
  - We do not want to store credentials in AD with reversible encryption
  - We do not want to store plaintext credentials in RADIUS


Using the YubiKey OTP as the username, instead of as part of the provided password, results in MS-CHAPv2 authentication working flawlessly. This is due to FreeRADIUS constructing the challenge hash using the username provided in the authentication request, whilst retrieving information from AD using the account that key is associated with.

In layman terms, I can login as eg cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit/secret and have it successfully authenticate against Active Directory as davidh/secret.



Regards
David Herselman

-----Original Message-----
From: Alan DeKok <[hidden email]>
Sent: Thursday, 18 February 2021 3:02 AM
To: David Herselman <[hidden email]>
Cc: FreeRadius users mailing list <[hidden email]>
Subject: Re: Masquerading MSCHAPv2 User-Name?


Re: Masquerading MSCHAPv2 User-Name?

Alan DeKok-2
On Feb 18, 2021, at 4:49 AM, David Herselman <[hidden email]> wrote:
> I have the utmost respect for your knowledge, experience and extraordinary amount of time you invest in answering posts in mailing lists.

  Thanks, but there's no need to be nice.  Just ask good questions, and I will be happy.

> I also appreciate that my terminology isn't correct, although the only feedback has been to point this out repeatedly without providing the correct terms you would like me to use.

  Terms to do *what*?

  I asked you to describe what you wanted to do.    Your response was to (essentially) repeat your original question / description.  That doesn't let me know *anything* about what you want to do.

  It is *impossible* for me to suggest the correct terms if I have no idea what you're trying to do.  Even worse, using the wrong term (multiple times) makes me wary about everything *else* you're saying, because clearly the words you're using don't have the meaning *I* think they do.

  Given 20 years of this, I would much rather ask "what do you mean by that", or "please explain in a different way".  If I just respond with what I *think* you mean, we would end up going down a rabbit hole of confusion.  You wouldn't understand my responses, because the words I use wouldn't mean the same thing to you.  It's just a recipe for endless disaster.

  So my repeated "what do you mean by that" is not me being mean, rude, etc.  It's me trying desperately to get you to *explain* what you're doing.

> A message from this group in June 2017 appears to refer to this functionality as 'Change username for MSCHAPv2' where no comment was made regarding this being incorrect terminology.

  Because he doesn't use the word "masquerade".  And he describes exactly what he's doing, using examples from the configuration.

  My comments there are also correct: Don't change the User-Name.

  And also:  do change the database queries used to look up users.  That's fine.

  As I pointed out in my last message, the database doesn't care what key is used to look up a password.  It can be %{User-Name}, or a fixed string like "i_like_cheese_pizza".  The point is that you're not "masquerading" the name.  You're not doing anything with MS-CHAP.  MS-CHAP is entirely irrelevant.

  What you're doing is getting User-Name, X, somehow determine that you need to use key Y for a database lookup, and then getting the password from the database using key Y.

> The following is primarily intended for others like me, that would love to search for YubiKey MFA / 2FA / OTP and get re-assurance that FreeRADIUS is perfectly suited to meet the following objectives:
>  - RADIUS Multi-factor authentication using YubiKeys where people simply need to press a single button to generate an OTP. No mobile device apps or 3rd party software required. Plug-in and press the button.
>  - Some of our network devices exclusively support MSCHAPv2
>  - We want to manage accounts exclusively via Active Directory
>  - We do not want to store credentials in AD with reversible encryption
>  - We do not want to store plaintext credentials in RADIUS
>
> By using the YubiKey OTP as the username, instead of being part of the provided password, results in MS-CHAPv2 authentication working flawlessly. This is due to FreeRADIUS constructing the challenge hash using the username provided in the authentication request, whilst retrieving information from AD using the account that key is associated with.

  That makes a lot more sense.  Use simple terminology.  Describe what you have.  Describe what you want to happen.

> In layman terms, I can login as eg cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit/secret and have it successfully authenticate against Active Directory as davidh/secret.

  It's not exactly that, it's more:

* Login as
  User-Name = ccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit
  MS-CHAP blob which depends on BOTH that User-Name and the password "secret"

* Discover that ccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit maps to user "davidh".

* Hand the MS-CHAP blob over to Active Directory, AND tell Active Directory to look up the password in user "davidh".

  It all works.  As I pointed out in my last message, nothing cares about the key used to do database lookups.  You can login as "bob", and look up the password in a DEFAULT entry in the "users" file.

  With computers, details matter.  Especially when there are complex protocols and databases involved.  These systems have odd corner cases where things don't always work in the most obvious way.  That's why details matter, and why it's critical to get a clear description of what's going on.

  Alan DeKok.



RE: Masquerading MSCHAPv2 User-Name?

Users mailing list
Hi,

I like the simplicity of being able to use the rlm_files authorize file to manage collections of clients by AD group membership. Using Samba winbind presents AD as local Linux accounts and groups. The following example is where I've defined clients with shortname set as checkpoint_gaia:

DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Group == "checkpoint_gaia_view"
        CP-Gaia-User-Role = "monitorRole",
        CP-Gaia-SuperUser-Access = "0"
DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Group == "checkpoint_gaia_full"
        CP-Gaia-User-Role = "adminRole",
        CP-Gaia-SuperUser-Access = "1"
DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Auth-Type := Reject
        Reply-Message = "Access Denied - Not a member of any checkpoint_gaia security groups"
DEFAULT Auth-Type := Reject
        Reply-Message = "Access Denied"

I needed to therefore change the username before running files in authorize. My current mess is this:
authorize {
        <snip>
        update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
        if (User-Name =~ /^cccccctcikej[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
        if (User-Name =~ /^cccccctcikff[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
        if (&sAMAccountName) {update request {Yubikey-OTP = "%{User-Name}"}}
        <snip>
        if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
        files
        if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
        <snip>
post-auth {
        if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}


Logs subsequently record usernames instead of 44 char token codes.
    Login OK: [davidh] (from client checkpoint_gaia port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:1 nas-id:router


I would prefer to look up the token identifier (first 12 chars) in a file, but don't know yet how to select a portion of an attribute to do that.

My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap...


Regards
David Herselman


Re: Masquerading MSCHAPv2 User-Name?

Users mailing list
The following appears to work:
authorize {
    <snip>
    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
    if (&sAMAccountName) {
        update request {Yubikey-OTP = "%{User-Name}"}
        update control {Auth-Type := "YubiCHAP"}
    }
    <snip>
    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}files
    if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
    <snip>

authenticate {
    Auth-Type YubiCHAP {
        mschap
        yubikey
    }


Regards
David Herselman
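The authorize logic in the config above, as an added example in Python rather than unlang (not the poster's configuration and not part of FreeRADIUS or rlm_yubikey). It goes one step further than the per-user regexes: the 12-character public ID at the front of the OTP is looked up in a table, which is the file lookup the earlier post said would be preferable, and the modhex decoding from the Yubico OTPs Explained reference is included so the public ID can also be handled as bytes. The KEY_OWNERS table is constructed from names that appear in the thread; the attribute names mirror the request/control lists in the unlang.

```python
"""Authorize-stage model for 'YubiKey OTP as User-Name' (this thread).

Added example: not the poster's unlang, not part of FreeRADIUS or
rlm_yubikey. It generalises the per-user regexes in the config above into
a table keyed on the 12-character public ID. The public-ID-to-account
table is constructed from names that appear in the thread.
"""
import re
from typing import Optional

MODHEX = "cbdefghijklnrtuv"            # Yubico OTP alphabet, 16 symbols
OTP_RE = re.compile(rf"^([{MODHEX}]{{12}})([{MODHEX}]{{32}})$")

# Constructed lookup table: public ID -> AD sAMAccountName
KEY_OWNERS = {
    "cccccctcikej": "davidh",
    "cccccctcikff": "philipo",
}


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string (see Yubico OTPs Explained) to bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(user_name: str) -> Optional[tuple]:
    """Return (public_id, otp) if User-Name is a 44-char Yubico OTP, else None.
    fullmatch keeps a 43- or 45-char string, or uppercase, from slipping through."""
    m = OTP_RE.fullmatch(user_name)
    return (m.group(1), user_name) if m else None


def authorize(user_name: str, owners: dict = KEY_OWNERS) -> dict:
    """Attributes the authorize section would set, modelled on the unlang above.

    - not OTP-shaped: {} (fall through to normal User-Name handling)
    - OTP with unknown public ID: Reject (the first post's stated intent)
    - OTP with known public ID: sAMAccountName for the backend lookup,
      Yubikey-OTP for rlm_yubikey, and the YubiCHAP Auth-Type
    """
    parts = split_otp(user_name)
    if parts is None:
        return {}
    public_id, otp = parts
    account = owners.get(public_id)
    if account is None:
        return {"control:Auth-Type": "Reject",
                "reply:Reply-Message": "Access Denied - unknown YubiKey"}
    return {
        "request:sAMAccountName": account,   # lookup key for winbind / files
        "request:Yubikey-OTP": otp,          # checked by rlm_yubikey after mschap
        "control:Auth-Type": "YubiCHAP",
    }


if __name__ == "__main__":
    # OTP value taken from the logs in this thread; OTPs are single-use anyway
    for name in ("cccccctcikejkrbhnvrjrdlujuujdcjvltdcrdkhhtit", "andrewr", "c" * 44):
        print(name, "->", authorize(name))
    print(modhex_decode("cccccctcikej").hex())
```

Because User-Name itself is never rewritten here, the MS-CHAP challenge hash still sees the OTP the client actually used, and only the lookup key changes; that is the property Alan's reply relies on.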


Re: Masquerading MSCHAPv2 User-Name?

Alan DeKok-2
On Feb 19, 2021, at 3:08 PM, David Herselman via Freeradius-Users <[hidden email]> wrote:
>
> The following appears to work:
> authorize {
>    <snip>
>    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
>    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
>    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}

  OK, if it works... ship it. :)

>    if (&sAMAccountName) {
>        update request {Yubikey-OTP = "%{User-Name}"}
>        update control {Auth-Type := "YubiCHAP"}
>    }

  That's good.

>    <snip>
>    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}files

  I really don't recommend changing User-Name.  It is very likely to break all kinds of things.

  What you can do is edit mods-enabled/files, and change the key used to look up entries.  Use:

        key = %{%{sAMAccountName}:-%{User-Name}}

>    if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
>    <snip>
>
> authenticate {
>    Auth-Type YubiCHAP {
>        mschap
>        yubikey
>    }
> ...
> My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap...

  Just list it after mschap, as above.  It really is that easy.

  Alan DeKok.



RE: Masquerading MSCHAPv2 User-Name?

Users mailing list
Hi Alan,

Changing the key in mods-enabled/files unfortunately results in the group checks then failing. It appears 'Group ==' checks require 'User-Name' to be set. Is this possibly a bug?

(1) files: EXPAND %{%{sAMAccountName}:-%{%{Stripped-User-Name}:-%{User-Name}}}
(1) files:    --> davidh
(1) files: Failed resolving UID: No error
(1) files: Failed resolving UID: No error
(1) files: Failed resolving UID: No error
(1) files: Failed resolving UID: No error
(1) files: users: Matched entry DEFAULT at line 295
(1)     [files] = ok
<snip>
(1) Found Auth-Type = Reject


I had updated key as follows:
    key = "%{%{sAMAccountName}:-%{%{Stripped-User-Name}:-%{User-Name}}}"


If I restore the key statement and amend sites-available/default back to the following it works again:
    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
    files
    if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}

(1) files: users: Matched entry DEFAULT at line 288
(1)     [files] = ok


My rlm_files authorize content:
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_view"
        Mikrotik-Group = "view"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_restricted"
        Mikrotik-Group = "restricted"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_nms"
        Mikrotik-Group = "view"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_full"
        Mikrotik-Group = "full"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Auth-Type := Reject


Regards
David Herselman

-----Original Message-----

>    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
>    files

  I really don't recommend changing User-Name.  It is very likely to break all kinds of things.
  What you can do is edit mods-enabled/files, and change the key used to look up entries.  Use:
        key = %{%{sAMAccountName}:-%{User-Name}}


RE: Masquerading MSCHAPv2 User-Name?

Users mailing list
In reply to this post by Alan DeKok-2
Hi,

On a related note, it occurred to me that I should most probably be sanitising incoming attributes? If the request arrived with sAMAccountName it would then override what I'm setting...

Or is it safe, in that there's little point in trying to scrub this if the initiator of the request is compromised?

In reference to:
    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
    if (&sAMAccountName) {
        update request {Yubikey-OTP = "%{User-Name}"}
        update control {Auth-Type := "YubiCHAP"}
    }


Regards
David Herselman


Re: Masquerading MSCHAPv2 User-Name?

Alan DeKok-2
In reply to this post by Users mailing list
On Feb 20, 2021, at 2:16 AM, David Herselman via Freeradius-Users <[hidden email]> wrote:
>
> Hi Alan,
>
> Changing the key in mods-enabled/files unfortunately results in the group checks then failing. It appears 'Group ==' checks require 'User-Name' to be set. Is this possibly a bug?

  No.

  The Group attribute does lookups in Unix groups, based on User-Name.  This is documented.

  If there's no User-Name, then the Group lookups can't happen.

  And... if these group lookups are failing, then there's no User-Name in the Access-Request.  How does that happen?  It's *always* supposed to be included!

  Alan DeKok.



Re: Masquerading MSCHAPv2 User-Name?

Alan DeKok-2
In reply to this post by Users mailing list


> On Feb 20, 2021, at 2:23 AM, David Herselman via Freeradius-Users <[hidden email]> wrote:
>
> Hi,
>
> On a related note, it occurred to me that I should most probably be sanitising incoming attributes? If the request arrived with sAMAccountName it would then override what I'm setting...

  That attribute isn't in the default dictionaries.  If you added it to raddb/dictionary, then read the comments in that file.  Attributes following those guidelines will never appear in a RADIUS packet.

  Alan DeKok.

