Re: trigger an Access Challenge

Ronny Voigt Voigt at bi-web.de
Tue Feb 24 18:21:45 CET 2009


Sorry for sending this message twice, but I forgot the debug output.
---
Thanks for the reply. But the client that I use only supports PAP and CHAP requests, and neither of them causes the server to send an Access Challenge.
That is why I tried to create the challenge with the help of the Perl module. Then I realized that freeradius.net unfortunately doesn't include this module. After spending several hours setting up a Linux environment, I'm in despair over this Perl script. Perhaps somebody can tell me why it doesn't work!?

sub authenticate {
    # For debugging purposes only
    &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # send the challenge
        $RAD_REPLY{'State'} = "challenge";
        $RAD_REPLY{'Reply-Message'} = "challenge: ";
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        return RLM_MODULE_HANDLED;
    }
}

If I'm not completely wrong, it's the same that worked for this guy: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47425.html

But the server doesn't send the reply to the client (timeout on the client side).

rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
User-Name = "radius"
NAS-IP-Address = 10.0.1.131
CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "radius", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry radius at line 52
modcall[authorize]: module "files" returns ok for request 0
perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1
found interpetator at address 0xb809a5f0
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb809a5f0
modcall[authorize]: module "perl" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type Perl
auth: type "Perl"
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
perl_pool: item 0xb8181050 asigned new request. Handled so far: 1
found interpetator at address 0xb8181050
rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131
rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
rlm_perl: RAD_REQUEST: User-Name = radius
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131
rlm_perl: RAD_REPLY: Reply-Message = challenge:
rlm_perl: RAD_REPLY: User-Password = pass
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair Reply-Message = challenge:
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb8181050
modcall[authenticate]: module "perl" returns handled for request 0
modcall: leaving group Perl (returns handled) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 7 with timestamp 49a4220b
Nothing to do.  Sleeping until we see a request.



If this makes sense to somebody, I would be thankful for any advice :-)
Regards, Ronny


-----Original Message-----
From: freeradius-users-bounces+voigt=bi-web.de at lists.freeradius.org [mailto:freeradius-users-bounces+voigt=bi-web.de at lists.freeradius.org] On Behalf Of tnt at kalik.net
Sent: Tuesday, 24 February 2009 00:07
To: FreeRadius users mailing list
Subject: Re: trigger an Access Challenge

>I want to test a radius client with the freeradius server. Access
>Requests and Replies work fine, but although I searched this mailing
>list and several websites I still have no idea how to trigger an Access
>Challenge. It would be very nice, if somebody could tell me how I have
>to configure freeradius, so that it sends an access challenge to my
>client. 
>

Send a request for an authentication protocol that requires multiple
server-client exchanges (like EAP). If the server needs more information
from the client it will respond with the challenge.

Ivan Kalik
Kalik Informatika ISP
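
As an added example (not part of the original thread and not FreeRADIUS code), the following shows what an Access-Challenge looks like on the wire under RFC 2865: it answers an Access-Request with code 11, the same identifier, a Reply-Message and a State attribute, and the client verifies the Response Authenticator before echoing State in its next request. The shared secret and Request Authenticator are constructed sample values; id=7, the User-Name and the attribute values mirror the script and debug output above.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11          # RFC 2865 packet codes
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24       # RFC 2865 attribute types

def encode_attrs(attrs):
    """Encode (type, value) pairs as TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Decode TLVs, rejecting lengths below 2 or running past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_challenge(request, secret, message, state):
    """Server side: build the Access-Challenge answering a raw Access-Request."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    body = encode_attrs([(REPLY_MESSAGE, message), (STATE, state)])
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_challenge(reply, request, secret):
    """Client side: check code, id, length and authenticator; return State to echo."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_CHALLENGE or ident != request[1] or length != len(reply):
        raise ValueError("unexpected reply")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    return dict(decode_attrs(reply[20:]))[STATE]

# Constructed sample request: id=7 and User-Name "radius" as in the debug output;
# the 16-byte Request Authenticator and the shared secret are made up.
SECRET = b"example-shared-secret"
REQUEST = (struct.pack("!BBH", ACCESS_REQUEST, 7, 28) + bytes(range(16))
           + encode_attrs([(USER_NAME, b"radius")]))
```

A client that receives no such reply keeps retransmitting the same identifier, which is what the "Discarding duplicate request" lines in the debug output show.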
