rlm_perl with WinXP MS-CHAP clients ?

Michael Gale michael.gale at pason.com
Wed Sep 20 21:38:00 CEST 2006


Hello,

	I have a freeradius 1.0.X server set up with ppp and pptp using a mysql 
DB for user authentication.

Here I assign static IPs and users to groups. We wish to use rlm_perl 
instead of the sql module so we can authenticate the users against an 
in-house application.

I have built freeradius 1.1.3 from source and it seems to work; however, 
since the client is WinXP and the auth type is MS-CHAP, it seems to be 
calling the mschap section under authentication and then exiting.

Here is my debug output:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, length=141
         Service-Type = Framed-User
         Framed-Protocol = PPP
         User-Name = "baduser"
         MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
         MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
         Calling-Station-Id = ".271"
         NAS-IP-Address = 127.0.0.1
         NAS-Port = 0
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
   modcall[authorize]: module "mschap" returns ok for request 0
     rlm_realm: No '@' in User-Name = "baduser", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
     users: Matched entry DEFAULT at line 155
     users: Matched entry DEFAULT at line 173
     users: Matched entry DEFAULT at line 185
   modcall[authorize]: module "files" returns ok for request 0
perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1
found interpetator at address 0x9d5ad20
rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User
rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271
rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP
rlm_perl: MG RAD_REQUEST: User-Name = baduser
rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9d5ad20
   modcall[authorize]: module "perl" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [baduser/<no User-Password attribute>] (from client localhost port 0 cli .271)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 51 to 127.0.0.1 port 32768
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 451194b6
Nothing to do.  Sleeping until we see a request.



-- 
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
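
The trace above ends with rlm_mschap rejecting the request because no User-Password or NT-Password check item exists; MS-CHAP is a challenge-response scheme, so the server needs the secret itself and a yes/no answer from a backend is not enough. The following rlm_perl `authorize` hook is an added example, not code from the original post or from the FreeRADIUS project, showing one way to hand rlm_mschap an NT hash. Assumptions: `%INHOUSE_USERS` and `inhouse_lookup` are hypothetical stand-ins for the in-house application, the server copies `%RAD_CHECK` back into the check items (as the `Added pair Auth-Type = MS-CHAP` line in the trace suggests), and `NT-Password` is accepted as a 0x-prefixed hex value.

```perl
# Added example: rlm_perl authorize hook that supplies NT-Password to rlm_mschap.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);   # hashes populated by rlm_perl
use Digest::MD4 qw(md4_hex);                       # CPAN module
use Encode qw(encode);

# rlm_perl module return codes
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;

# Constructed sample data standing in for the in-house application (hypothetical).
my %INHOUSE_USERS = (
    'testuser' => { secret => 'constructed-passphrase', enabled => 1 },
);

# Hypothetical helper: a real deployment would query the application here,
# ideally retrieving a stored NT hash instead of a cleartext secret.
sub inhouse_lookup {
    my ($user) = @_;
    return $INHOUSE_USERS{$user};
}

# NT hash = MD4 over the UTF-16LE encoding of the password.
sub nt_hash_hex {
    my ($cleartext) = @_;
    return md4_hex(encode('UTF-16LE', $cleartext));
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND unless defined $user;

    my $rec = inhouse_lookup($user);
    return RLM_MODULE_NOTFOUND unless $rec;
    return RLM_MODULE_REJECT   unless $rec->{enabled};

    # rlm_mschap already set Auth-Type in authorize; it only lacks the secret.
    # Supplying NT-Password lets it verify MS-CHAP2-Response in authenticate.
    $RAD_CHECK{'NT-Password'} = '0x' . nt_hash_hex($rec->{secret});
    return RLM_MODULE_OK;
}

1;
```

The NT hash is password-equivalent for MS-CHAP, so whatever store backs `inhouse_lookup` needs the same protection as a cleartext password database.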


