Hi,
We updated to XG v17 at the weekend and since then most of our PPTP-based VPN users are not able to connect anymore. The issue is a
"The system could not log you on. Make sure your password is correct" error from the RADIUS server.
From debugging, my guess is that v17 breaks MS-CHAPv2 when using RADIUS because it converts usernames to lower-case before sending them off to
the RADIUS server. As with MS-CHAPv2 the username is part of the challenge, the RADIUS server and the client will calculate different
challenges and will not be able to verify the password hash based on password and challenge.
I have tcpdump captures showing PPTP/PPP and the RADIUS counterparts, which show the modification of the username:
Trace with frames 27 (PPP CHAP Response), 28 (RADIUS Access-Request), 29 (RADIUS Access-Accept): uses an initially lower-case username.
Trace with frames 146 (PPP CHAP Response), 147 (RADIUS Access-Request), 149 (RADIUS Access-Reject): uses the same initially partially upper-case username, which gets lower-cased in the RADIUS Access-Request.
27 2017-11-28 07:53:26.980000 tmo-113-104.customers.d1-online.com business-213-023-139-222.static.arcor-ip.net PPP CHAP 116 Response (NAME='pneumann', VALUE=0x26bd6a4f165acc325c51aa437e3629660000000000000000...)
Frame 27: 116 bytes on wire (928 bits), 116 bytes captured (928 bits)
Internet Protocol Version 4, Src: tmo-113-104.customers.d1-online.com (80.187.113.104), Dst: business-213-023-139-222.static.arcor-ip.net (213.23.139.222)
Generic Routing Encapsulation (PPP)
Point-to-Point Protocol
[Direction: DCE->DTE (1)]
PPP Challenge Handshake Authentication Protocol
Code: Response (2)
Identifier: 247
Length: 62
Data
Value Size: 49
Value: 26bd6a4f165acc325c51aa437e3629660000000000000000...
Name: pneumann
28 2017-11-28 07:53:26.980267 10.0.0.39 10.0.0.32 RADIUS 174 Access-Request(1) (id=12, l=130)
Frame 28: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits)
Internet Protocol Version 4, Src: 10.0.0.39 (10.0.0.39), Dst: 10.0.0.32 (10.0.0.32)
User Datagram Protocol, Src Port: 40641 (40641), Dst Port: radius (1812)
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xc (12)
Length: 130
Authenticator: a19fd67c56a4f5cc3b1cdb016c2e4cad
[The response to this request is in frame 29]
Attribute Value Pairs
AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
AVP: l=10 t=User-Name(1): pneumann
AVP: l=24 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=6 t=NAS-Port(5): 0
AVP: l=6 t=NAS-IP-Address(4): 10.0.0.39
29 2017-11-28 07:53:26.982297 10.0.0.32 10.0.0.39 RADIUS 331 Access-Accept(2) (id=12, l=287)
Frame 29: 331 bytes on wire (2648 bits), 331 bytes captured (2648 bits)
Internet Protocol Version 4, Src: 10.0.0.32 (10.0.0.32), Dst: 10.0.0.39 (10.0.0.39)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 40641 (40641)
RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0xc (12)
Length: 287
Authenticator: 55babe327adc6fab2542337f4c0efba5
[This is a response to a request in frame 28]
[Time from request: 0.002030000 seconds]
Attribute Value Pairs
[ ... ]
And now a failing attempt using the same username with upper-case. This should still work, as the AD RADIUS backend is
case-insensitive.
146 2017-11-28 07:53:54.515903 tmo-113-104.customers.d1-online.com business-213-023-139-222.static.arcor-ip.net PPP CHAP 116 Response (NAME='PNeumann', VALUE=0x6613ff51a2eb8c25992bee688aeb56500000000000000000...)
Frame 146: 116 bytes on wire (928 bits), 116 bytes captured (928 bits)
Internet Protocol Version 4, Src: tmo-113-104.customers.d1-online.com (80.187.113.104), Dst: business-213-023-139-222.static.arcor-ip.net (213.23.139.222)
Generic Routing Encapsulation (PPP)
Point-to-Point Protocol
[Direction: DCE->DTE (1)]
PPP Challenge Handshake Authentication Protocol
Code: Response (2)
Identifier: 255
Length: 62
Data
Value Size: 49
Value: 6613ff51a2eb8c25992bee688aeb56500000000000000000...
Name: PNeumann
147 2017-11-28 07:53:54.516169 10.0.0.39 10.0.0.32 RADIUS 174 Access-Request(1) (id=15, l=130)
Frame 147: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits)
Internet Protocol Version 4, Src: 10.0.0.39 (10.0.0.39), Dst: 10.0.0.32 (10.0.0.32)
User Datagram Protocol, Src Port: 46004 (46004), Dst Port: radius (1812)
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xf (15)
Length: 130
Authenticator: eb56ab11edbdddb318fa2e557b3c6a4d
[The response to this request is in frame 149]
Attribute Value Pairs
AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
AVP: l=10 t=User-Name(1): pneumann
AVP: l=24 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=6 t=NAS-Port(5): 0
AVP: l=6 t=NAS-IP-Address(4): 10.0.0.39
** As you can see in this frame, the username has been modified to lower-case.
149 2017-11-28 07:53:54.828669 10.0.0.32 10.0.0.39 RADIUS 86 Access-Reject(3) (id=15, l=42)
Frame 149: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
Internet Protocol Version 4, Src: 10.0.0.32 (10.0.0.32), Dst: 10.0.0.39 (10.0.0.39)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 46004 (46004)
RADIUS Protocol
Code: Access-Reject (3)
Packet identifier: 0xf (15)
Length: 42
Authenticator: 497593301b87d3819090d4ba04a556a8
[This is a response to a request in frame 147]
[Time from request: 0.312500000 seconds]
Attribute Value Pairs
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
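As an added illustration (this is not part of the original post and not Sophos or Microsoft code): the ChallengeHash() step of MS-CHAPv2 from RFC 2759 section 8.2, computed with the two username spellings seen in the capture. The two 16-byte challenges are constructed sample values, not the ones from the trace, and the lower-casing NAS is simulated with a plain str.lower() (an assumption about what XG does). The client derives its 24-byte NT-Response from this 8-byte challenge, so if the RADIUS server rebuilds the challenge from a different User-Name than the one the client hashed, the response can never verify, no matter how the directory resolves the account.

```python
import hashlib

# Constructed sample challenges (16 bytes each, per RFC 2759); NOT the values from the capture above.
AUTHENTICATOR_CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")  # sent by the NAS in CHAP Challenge
PEER_CHALLENGE = bytes.fromhex("fedcba9876543210fedcba9876543210")          # chosen by the client, carried in MS-CHAP2-Response


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA-1 over PeerChallenge | AuthenticatorChallenge | UserName, truncated to 8 octets.
    UserName is the name exactly as the peer sent it, minus any "DOMAIN\\" prefix;
    the RFC strips the domain but never changes the case of the name.
    """
    name = username.split("\\")[-1].encode("utf-8")
    return hashlib.sha1(peer_challenge + authenticator_challenge + name).digest()[:8]


def nas_forwarded_name(ppp_name: str, lowercase: bool) -> str:
    """Simulates the NAS building the RADIUS User-Name AVP from the PPP CHAP Name.

    lowercase=True models the behaviour seen in frame 147 (assumption: a plain .lower()).
    """
    return ppp_name.lower() if lowercase else ppp_name


def server_challenge_matches(ppp_name: str, lowercase_nas: bool) -> bool:
    """Does the RADIUS server rebuild the same 8-byte challenge the client used?

    The client computes NT-Response = DES-encrypt(ChallengeHash) under three keys
    derived from the NT password hash; the server repeats that with the User-Name
    it received. A different ChallengeHash therefore yields a different 24-byte
    NT-Response even when the password is correct.
    """
    client_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, ppp_name)
    radius_user_name = nas_forwarded_name(ppp_name, lowercase_nas)
    server_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, radius_user_name)
    return client_side == server_side


if __name__ == "__main__":
    for ppp_name in ("pneumann", "PNeumann"):
        for lowercase_nas in (False, True):
            ch = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, ppp_name).hex()
            ok = server_challenge_matches(ppp_name, lowercase_nas)
            print(f"PPP name={ppp_name!r:12} NAS lowercases={lowercase_nas!s:5} "
                  f"client ChallengeHash={ch} server can verify={ok}")
```

Running it shows that "pneumann" verifies either way, while "PNeumann" only verifies when the NAS forwards the name unchanged: once the User-Name AVP is lower-cased, the server's ChallengeHash differs from the client's and the Access-Request is rejected with exactly the "password incorrect" symptom above. A case-insensitive directory lookup does not help, because the name is an input to the hash, not only a key for the account search.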