[strongSwan] eap_mschapv2
MILITA MARCO
M.Milita at trenitalia.it
Mon Jul 30 14:53:51 CEST 2012
Hi,
I'm using strongSwan 4.5.0 as a gateway for Windows 7 clients
(IKEv2 + MSCHAPv2).
strongSwan calls FreeRADIUS (then FreeRADIUS calls AD) to authenticate the Windows 7 client.
In FreeRADIUS I must set with_ntdomain_hack=yes
because:
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
Now I need to use the same configuration for a Linux strongSwan (5.0) client, but
FreeRADIUS says: Authentication failure !
So I've changed eap_mschapv2.c.
Now Linux/strongSwan can authenticate
correctly, but I'm not sure if the solution is correct.
What do you think about it?
==========================================================
@@ -535,7 +535,7 @@
* Returns a chunk of just the username part of the given user identity.
* Note: the chunk points to internal data of the identification.
*/
-static chunk_t extract_username(identification_t* identification)
+static chunk_t extract_win_username(identification_t* identification)
{
char *has_domain;
chunk_t id;
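Review bot: the rename of extract_username to extract_win_username is pure churn: the function body is untouched and the doc comment directly above it ("Returns a chunk of just the username part") still describes exactly what it does. Keeping the original name would shrink this patch to the two call sites that actually change behaviour and avoid touching every caller. If a rename is wanted, the comment should say why the user-only portion is considered "Windows" behaviour.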
@@ -645,7 +645,7 @@
eap_mschapv2_header_t *eap;
eap_mschapv2_challenge_t *cha;
eap_mschapv2_response_t *res;
- chunk_t data, peer_challenge, username, nt_hash;
+ chunk_t data, peer_challenge, username, win_username, nt_hash;
u_int16_t len = RESPONSE_PAYLOAD_LEN;
data = in->get_data(in);
@@ -687,11 +687,12 @@
return NOT_FOUND;
}
- username = extract_username(this->peer);
+ username = this->peer->get_encoding(this->peer);
+ win_username = extract_win_username(this->peer);
len += username.len;
if (GenerateStuff(this, this->challenge, peer_challenge,
- username, nt_hash) != SUCCESS)
+ win_username, nt_hash) != SUCCESS)
{
DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed");
chunk_clear(&nt_hash);
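Review bot: this hunk is the real behavioural change and it is unconditional. `username = this->peer->get_encoding(this->peer)` puts the full identity (DOMAIN\user) into the response Name field (`len += username.len`), while `GenerateStuff(..., win_username, nt_hash)` computes the NT-Response over the user portion only. That is precisely the Windows quirk FreeRADIUS's with_ntdomain_hack exists to compensate for, so a strongSwan peer will now only authenticate against servers that apply that hack; any server that hashes the Name field as sent will reject it. This should be gated behind a configuration option (default off, matching the previous behaviour) rather than forced on every peer, and the commit message should state the interop consequence.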
@@ -1005,7 +1006,7 @@
{
eap_mschapv2_header_t *eap;
eap_mschapv2_response_t *res;
- chunk_t data, peer_challenge, username, nt_hash;
+ chunk_t data, peer_challenge, username, win_username, nt_hash;
identification_t *userid;
int name_len;
char buf[256];
@@ -1026,7 +1027,8 @@
snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
userid = identification_create_from_string(buf);
DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
- username = extract_username(userid);
+ username = userid->get_encoding(userid);
+ win_username = extract_win_username(userid);
if (!get_nt_hash(this, this->server, userid, &nt_hash))
{
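Review bot: within the visible hunks, `username = userid->get_encoding(userid)` is assigned here but never read afterwards in the server path: the only use shown, the GenerateStuff call in the following hunk, was switched to win_username. Unless an unshown part of this function uses it, the assignment is dead and will draw an unused-variable warning; drop it together with the added `username` in the earlier declaration hunk for process_peer_response, or keep the original `username = extract_username(userid)` and the original call.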
@@ -1043,7 +1045,7 @@
}
if (GenerateStuff(this, this->challenge, peer_challenge,
- username, nt_hash) != SUCCESS)
+ win_username, nt_hash) != SUCCESS)
{
DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
userid->destroy(userid);
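Review bot: since extract_win_username is the former extract_username under a new name, passing win_username here leaves the server's verification unchanged: the NT-Response is still checked over the user-only portion, exactly as before. The commit message should make clear that the server side is functionally untouched and that the only behavioural change is the content of the Name field the peer sends; as written, the diff suggests a symmetric client/server change that does not exist.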
==========================================================
Best regards
Marco Milita