Issue with MSCHAP

Ryan Summey ryan.summey at gmail.com
Sun Nov 4 22:42:28 CET 2012


How do I enable MSCHAPv2?

On Sun, Nov 4, 2012 at 4:34 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

>
> On 4 Nov 2012, at 21:20, Ryan Summey <ryan.summey at gmail.com> wrote:
>
> > So how do we secure the user accounts in the database?
>
> By securing the database.
>
> NT4 password hashes are the only other option if you want to use MSCHAPv2,
> and they're trivial to break with rainbow tables.
>
> Welcome to the wonderful world of Microsoft :)
>
> -Arran
>
>
>
> >
> > On Sun, Nov 4, 2012 at 4:11 PM, Blake Covarrubias <blake at covarrubi.as> wrote:
> > http://deployingradius.com/documents/protocols/compatibility.html
> >
> > md5 passwords are not compatible with MS-CHAP.
> >
> > --
> > Blake Covarrubias
> >
> > On Nov 4, 2012, at 13:56, Ryan Summey <ryan.summey at gmail.com> wrote:
> >
> >> Below is the log. I am able to connect using clear-text passwords but
> >> not encrypted passwords... What is confusing me is that if I do a radtest it
> >> works fine using the user's credentials that are encrypted... But as you
> >> can see below, this is me trying to connect from my phone using the
> >> account I created in the database with the password MD5. Again, this works
> >> when I do a radtest but not in a real-world test. Only clear-text passwords
> >> work in the real-world test.
> >>
> >> Thank you for your time.
> >>
> >>
> >>
> >>
> >> freeradius -X
> >> FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep 11
> 2012 at 22:27:08
> >> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> >> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> >> PARTICULAR PURPOSE.
> >> You may redistribute copies of FreeRADIUS under the terms of the
> >> GNU General Public License v2.
> >> Starting - reading configuration files ...
> >> including configuration file /etc/freeradius/radiusd.conf
> >> including configuration file /etc/freeradius/proxy.conf
> >> including configuration file /etc/freeradius/clients.conf
> >> including files in directory /etc/freeradius/modules/
> >> including configuration file /etc/freeradius/modules/always
> >> including configuration file /etc/freeradius/modules/mac2ip
> >> including configuration file /etc/freeradius/modules/sql_log
> >> including configuration file /etc/freeradius/modules/smbpasswd
> >> including configuration file /etc/freeradius/modules/detail
> >> including configuration file /etc/freeradius/modules/smsotp
> >> including configuration file /etc/freeradius/modules/cui
> >> including configuration file /etc/freeradius/modules/wimax
> >> including configuration file /etc/freeradius/modules/replicate
> >> including configuration file
> /etc/freeradius/modules/sqlcounter_expire_on_login
> >> including configuration file /etc/freeradius/modules/sradutmp
> >> including configuration file /etc/freeradius/modules/pap
> >> including configuration file /etc/freeradius/modules/echo
> >> including configuration file /etc/freeradius/modules/expiration
> >> including configuration file /etc/freeradius/modules/files
> >> including configuration file /etc/freeradius/modules/mac2vlan
> >> including configuration file /etc/freeradius/modules/acct_unique
> >> including configuration file /etc/freeradius/modules/krb5
> >> including configuration file /etc/freeradius/modules/mschap
> >> including configuration file /etc/freeradius/modules/checkval
> >> including configuration file /etc/freeradius/modules/preprocess
> >> including configuration file /etc/freeradius/modules/logintime
> >> including configuration file /etc/freeradius/modules/pam
> >> including configuration file /etc/freeradius/modules/passwd
> >> including configuration file /etc/freeradius/modules/etc_group
> >> including configuration file /etc/freeradius/modules/opendirectory
> >> including configuration file /etc/freeradius/modules/attr_filter
> >> including configuration file /etc/freeradius/modules/linelog
> >> including configuration file /etc/freeradius/modules/soh
> >> including configuration file /etc/freeradius/modules/attr_rewrite
> >> including configuration file /etc/freeradius/modules/chap
> >> including configuration file /etc/freeradius/modules/rediswho
> >> including configuration file /etc/freeradius/modules/counter
> >> including configuration file /etc/freeradius/modules/digest
> >> including configuration file /etc/freeradius/modules/policy
> >> including configuration file /etc/freeradius/modules/unix
> >> including configuration file /etc/freeradius/modules/ldap
> >> including configuration file /etc/freeradius/modules/otp
> >> including configuration file /etc/freeradius/modules/radutmp
> >> including configuration file /etc/freeradius/modules/perl
> >> including configuration file /etc/freeradius/modules/dynamic_clients
> >> including configuration file /etc/freeradius/modules/detail.example.com
> >> including configuration file /etc/freeradius/modules/redis
> >> including configuration file /etc/freeradius/modules/ntlm_auth
> >> including configuration file /etc/freeradius/modules/inner-eap
> >> including configuration file /etc/freeradius/modules/ippool
> >> including configuration file /etc/freeradius/modules/realm
> >> including configuration file /etc/freeradius/modules/detail.log
> >> including configuration file /etc/freeradius/modules/exec
> >> including configuration file /etc/freeradius/modules/expr
> >> including configuration file /etc/freeradius/eap.conf
> >> including configuration file /etc/freeradius/sql.conf
> >> including configuration file /etc/freeradius/sql/mysql/dialup.conf
> >> including configuration file /etc/freeradius/policy.conf
> >> including files in directory /etc/freeradius/sites-enabled/
> >> including configuration file /etc/freeradius/sites-enabled/default
> >> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> >> main {
> >>         user = "freerad"
> >>         group = "freerad"
> >>         allow_core_dumps = no
> >> }
> >> including dictionary file /etc/freeradius/dictionary
> >> main {
> >>         name = "freeradius"
> >>         prefix = "/usr"
> >>         localstatedir = "/var"
> >>         sbindir = "/usr/sbin"
> >>         logdir = "/var/log/freeradius"
> >>         run_dir = "/var/run/freeradius"
> >>         libdir = "/usr/lib/freeradius"
> >>         radacctdir = "/var/log/freeradius/radacct"
> >>         hostname_lookups = no
> >>         max_request_time = 30
> >>         cleanup_delay = 5
> >>         max_requests = 1024
> >>         pidfile = "/var/run/freeradius/freeradius.pid"
> >>         checkrad = "/usr/sbin/checkrad"
> >>         debug_level = 0
> >>         proxy_requests = yes
> >>  log {
> >>         stripped_names = no
> >>         auth = no
> >>         auth_badpass = no
> >>         auth_goodpass = no
> >>  }
> >>  security {
> >>         max_attributes = 200
> >>         reject_delay = 1
> >>         status_server = yes
> >>  }
> >> }
> >> radiusd: #### Loading Realms and Home Servers ####
> >>  proxy server {
> >>         retry_delay = 5
> >>         retry_count = 3
> >>         default_fallback = no
> >>         dead_time = 120
> >>         wake_all_if_all_dead = no
> >>  }
> >>  home_server localhost {
> >>         ipaddr = 127.0.0.1
> >>         port = 1812
> >>         type = "auth"
> >>         secret = "testing123"
> >>         response_window = 20
> >>         max_outstanding = 65536
> >>         require_message_authenticator = yes
> >>         zombie_period = 40
> >>         status_check = "status-server"
> >>         ping_interval = 30
> >>         check_interval = 30
> >>         num_answers_to_alive = 3
> >>         num_pings_to_alive = 3
> >>         revive_interval = 120
> >>         status_check_timeout = 4
> >>   coa {
> >>         irt = 2
> >>         mrt = 16
> >>         mrc = 5
> >>         mrd = 30
> >>   }
> >>  }
> >>  home_server_pool my_auth_failover {
> >>         type = fail-over
> >>         home_server = localhost
> >>  }
> >>  realm example.com {
> >>         auth_pool = my_auth_failover
> >>  }
> >>  realm LOCAL {
> >>  }
> >> radiusd: #### Loading Clients ####
> >>  client localhost {
> >>         ipaddr = 127.0.0.1
> >>         require_message_authenticator = no
> >>         secret = "testsecret"
> >>         nastype = "other"
> >>  }
> >>  client 192.168.2.24 {
> >>         require_message_authenticator = no
> >>         secret = "testsecret"
> >>         shortname = "cvpn-pptp"
> >>         nastype = "other"
> >>  }
> >> radiusd: #### Instantiating modules ####
> >>  instantiate {
> >>  Module: Linked to module rlm_exec
> >>  Module: Instantiating module "exec" from file
> /etc/freeradius/modules/exec
> >>   exec {
> >>         wait = no
> >>         input_pairs = "request"
> >>         shell_escape = yes
> >>   }
> >>  Module: Linked to module rlm_expr
> >>  Module: Instantiating module "expr" from file
> /etc/freeradius/modules/expr
> >>  Module: Linked to module rlm_expiration
> >>  Module: Instantiating module "expiration" from file
> /etc/freeradius/modules/expiration
> >>   expiration {
> >>         reply-message = "Password Has Expired  "
> >>   }
> >>  Module: Linked to module rlm_logintime
> >>  Module: Instantiating module "logintime" from file
> /etc/freeradius/modules/logintime
> >>   logintime {
> >>         reply-message = "You are calling outside your allowed timespan
>  "
> >>         minimum-timeout = 60
> >>   }
> >>  }
> >> radiusd: #### Loading Virtual Servers ####
> >> server { # from file /etc/freeradius/radiusd.conf
> >>  modules {
> >>   Module: Creating Auth-Type = digest
> >>   Module: Creating Post-Auth-Type = REJECT
> >>  Module: Checking authenticate {...} for more modules to load
> >>  Module: Linked to module rlm_pap
> >>  Module: Instantiating module "pap" from file
> /etc/freeradius/modules/pap
> >>   pap {
> >>         encryption_scheme = "auto"
> >>         auto_header = no
> >>   }
> >>  Module: Linked to module rlm_chap
> >>  Module: Instantiating module "chap" from file
> /etc/freeradius/modules/chap
> >>  Module: Linked to module rlm_mschap
> >>  Module: Instantiating module "mschap" from file
> /etc/freeradius/modules/mschap
> >>   mschap {
> >>         use_mppe = yes
> >>         require_encryption = yes
> >>         require_strong = yes
> >>         with_ntdomain_hack = no
> >>         allow_retry = yes
> >>   }
> >>  Module: Linked to module rlm_digest
> >>  Module: Instantiating module "digest" from file
> /etc/freeradius/modules/digest
> >>  Module: Linked to module rlm_unix
> >>  Module: Instantiating module "unix" from file
> /etc/freeradius/modules/unix
> >>   unix {
> >>         radwtmp = "/var/log/freeradius/radwtmp"
> >>   }
> >>  Module: Linked to module rlm_eap
> >>  Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
> >>   eap {
> >>         default_eap_type = "md5"
> >>         timer_expire = 60
> >>         ignore_unknown_eap_types = no
> >>         cisco_accounting_username_bug = no
> >>         max_sessions = 4096
> >>   }
> >>  Module: Linked to sub-module rlm_eap_md5
> >>  Module: Instantiating eap-md5
> >>  Module: Linked to sub-module rlm_eap_leap
> >>  Module: Instantiating eap-leap
> >>  Module: Linked to sub-module rlm_eap_gtc
> >>  Module: Instantiating eap-gtc
> >>    gtc {
> >>         challenge = "Password: "
> >>         auth_type = "PAP"
> >>    }
> >>  Module: Linked to sub-module rlm_eap_tls
> >>  Module: Instantiating eap-tls
> >>    tls {
> >>         rsa_key_exchange = no
> >>         dh_key_exchange = yes
> >>         rsa_key_length = 512
> >>         dh_key_length = 512
> >>         verify_depth = 0
> >>         CA_path = "/etc/freeradius/certs"
> >>         pem_file_type = yes
> >>         private_key_file = "/etc/freeradius/certs/server.key"
> >>         certificate_file = "/etc/freeradius/certs/server.pem"
> >>         CA_file = "/etc/freeradius/certs/ca.pem"
> >>         private_key_password = "whatever"
> >>         dh_file = "/etc/freeradius/certs/dh"
> >>         random_file = "/dev/urandom"
> >>         fragment_size = 1024
> >>         include_length = yes
> >>         check_crl = no
> >>         cipher_list = "DEFAULT"
> >>         make_cert_command = "/etc/freeradius/certs/bootstrap"
> >>         ecdh_curve = "prime256v1"
> >>     cache {
> >>         enable = no
> >>         lifetime = 24
> >>         max_entries = 255
> >>     }
> >>     verify {
> >>     }
> >>     ocsp {
> >>         enable = no
> >>         override_cert_url = yes
> >>         url = "http://127.0.0.1/ocsp/"
> >>     }
> >>    }
> >>  Module: Linked to sub-module rlm_eap_ttls
> >>  Module: Instantiating eap-ttls
> >>    ttls {
> >>         default_eap_type = "md5"
> >>         copy_request_to_tunnel = no
> >>         use_tunneled_reply = no
> >>         virtual_server = "inner-tunnel"
> >>         include_length = yes
> >>    }
> >>  Module: Linked to sub-module rlm_eap_peap
> >>  Module: Instantiating eap-peap
> >>    peap {
> >>         default_eap_type = "mschapv2"
> >>         copy_request_to_tunnel = no
> >>         use_tunneled_reply = no
> >>         proxy_tunneled_request_as_eap = yes
> >>         virtual_server = "inner-tunnel"
> >>         soh = no
> >>    }
> >>  Module: Linked to sub-module rlm_eap_mschapv2
> >>  Module: Instantiating eap-mschapv2
> >>    mschapv2 {
> >>         with_ntdomain_hack = no
> >>         send_error = no
> >>    }
> >>  Module: Checking authorize {...} for more modules to load
> >>  Module: Linked to module rlm_preprocess
> >>  Module: Instantiating module "preprocess" from file
> /etc/freeradius/modules/preprocess
> >>   preprocess {
> >>         huntgroups = "/etc/freeradius/huntgroups"
> >>         hints = "/etc/freeradius/hints"
> >>         with_ascend_hack = no
> >>         ascend_channels_per_line = 23
> >>         with_ntdomain_hack = no
> >>         with_specialix_jetstream_hack = no
> >>         with_cisco_vsa_hack = no
> >>         with_alvarion_vsa_hack = no
> >>   }
> >>  Module: Linked to module rlm_realm
> >>  Module: Instantiating module "suffix" from file
> /etc/freeradius/modules/realm
> >>   realm suffix {
> >>         format = "suffix"
> >>         delimiter = "@"
> >>         ignore_default = no
> >>         ignore_null = no
> >>   }
> >>  Module: Linked to module rlm_files
> >>  Module: Instantiating module "files" from file
> /etc/freeradius/modules/files
> >>   files {
> >>         usersfile = "/etc/freeradius/users"
> >>         acctusersfile = "/etc/freeradius/acct_users"
> >>         preproxy_usersfile = "/etc/freeradius/preproxy_users"
> >>         compat = "no"
> >>   }
> >>  Module: Linked to module rlm_sql
> >>  Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
> >>   sql {
> >>         driver = "rlm_sql_mysql"
> >>         server = "mysql.claravpn.com"
> >>         port = "3306"
> >>         login = "cvpnadmin"
> >>         password = "106westwhiteoakstreet"
> >>         radius_db = "cvpnradiusdb"
> >>         read_groups = yes
> >>         sqltrace = no
> >>         sqltracefile = "/var/log/freeradius/sqltrace.sql"
> >>         readclients = no
> >>         deletestalesessions = yes
> >>         num_sql_socks = 5
> >>         lifetime = 0
> >>         max_queries = 0
> >>         sql_user_name = "%{User-Name}"
> >>         default_user_profile = ""
> >>         nas_query = "SELECT id, nasname, shortname, type, secret,
> server FROM nas"
> >>         authorize_check_query = "SELECT id, username, attribute, value,
> op           FROM radcheck           WHERE username = '%{SQL-User-Name}'
>         ORDER BY id"
> >>         authorize_reply_query = "SELECT id, username, attribute, value,
> op           FROM radreply           WHERE username = '%{SQL-User-Name}'
>         ORDER BY id"
> >>         authorize_group_check_query = "SELECT id, groupname, attribute,
>           Value, op           FROM radgroupcheck           WHERE groupname
> = '%{Sql-Group}'           ORDER BY id"
> >>         authorize_group_reply_query = "SELECT id, groupname, attribute,
>           value, op           FROM radgroupreply           WHERE groupname
> = '%{Sql-Group}'           ORDER BY id"
> >>         accounting_onoff_query = "          UPDATE radacct
> SET              acctstoptime       =  '%S',              acctsessiontime
>  =  unix_timestamp('%S') -
>  unix_timestamp(acctstarttime),              acctterminatecause =
>  '%{Acct-Terminate-Cause}',              acctstopdelay      =
>  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL
> AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime
>   <= '%S'"
> >>         accounting_update_query = "           UPDATE radacct
> SET              framedipaddress = '%{Framed-IP-Address}',
>  acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets
>     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |
>        '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    =
> '%{%{Acct-Output-Gigawords}:-0}' << 32 |
>  '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid =
> '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'
>       AND nasipaddress    = '%{NAS-IP-Address}'"
> >>         accounting_update_query_alt = "           INSERT INTO radacct
>           (acctsessionid,    acctuniqueid,      username,
>  realm,            nasipaddress,      nasportid,              nasporttype,
>      acctstarttime,     acctsessiontime,              acctauthentic,
>  connectinfo_start, acctinputoctets,              acctoutputoctets,
> calledstationid,   callingstationid,              servicetype,
>  framedprotocol,    framedipaddress,              acctstartdelay,
> xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}',
> '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',
>  '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
>  '%{NAS-Port-Type}',              DATE_SUB('%S',
> INTERVAL (%{%{Acct-Session-Time}:-0} +
> %{%{Acct-Delay-Time}:-0}) SECOND),
> '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',
>  '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',
>            '%{%{Acct-Output-Gigawords}:-0}' << 32 |
>  '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}',
> '%{Calling-Station-Id}',              '%{Service-Type}',
> '%{Framed-Protocol}',              '%{Framed-IP-Address}',
>  '0', '%{X-Ascend-Session-Svr-Key}')"
> >>         accounting_start_query = "           INSERT INTO radacct
>       (acctsessionid,    acctuniqueid,     username,              realm,
>          nasipaddress,     nasportid,              nasporttype,
>  acctstarttime,    acctstoptime,              acctsessiontime,
>  acctauthentic,    connectinfo_start,              connectinfo_stop,
> acctinputoctets,  acctoutputoctets,              calledstationid,
>  callingstationid, acctterminatecause,              servicetype,
>  framedprotocol,   framedipaddress,              acctstartdelay,
> acctstopdelay,    xascendsessionsvrkey)           VALUES
> ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
>  '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
> '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
>  '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',
>            '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
>  '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
>  '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
> >>         accounting_start_query_alt = "           UPDATE radacct SET
>          acctstarttime     = '%S',              acctstartdelay    =
> '%{%{Acct-Delay-Time}:-0}',              connectinfo_start =
> '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'
>       AND username         = '%{SQL-User-Name}'           AND nasipaddress
>     = '%{NAS-IP-Address}'"
> >>         accounting_stop_query = "           UPDATE radacct SET
>      acctstoptime       = '%S',              acctsessiontime    =
> '%{Acct-Session-Time}',              acctinputoctets    =
> '%{%{Acct-Input-Gigawords}:-0}' << 32 |
> '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   =
> '%{%{Acct-Output-Gigawords}:-0}' << 32 |
> '%{%{Acct-Output-Octets}:-0}',              acctterminatecause =
> '%{Acct-Terminate-Cause}',              acctstopdelay      =
> '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   =
> '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'
>         AND username          = '%{SQL-User-Name}'           AND
> nasipaddress      = '%{NAS-IP-Address}'"
> >>         accounting_stop_query_alt = "           INSERT INTO radacct
>         (acctsessionid, acctuniqueid, username,              realm,
> nasipaddress, nasportid,              nasporttype, acctstarttime,
> acctstoptime,              acctsessiontime, acctauthentic,
> connectinfo_start,              connectinfo_stop, acctinputoctets,
> acctoutputoctets,              calledstationid, callingstationid,
> acctterminatecause,              servicetype, framedprotocol,
> framedipaddress,              acctstartdelay, acctstopdelay)
> VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
>          '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
> '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',
>                  INTERVAL (%{%{Acct-Session-Time}:-0} +
>  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S',
> '%{Acct-Session-Time}', '%{Acct-Authentic}', '',
>  '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |
>  '%{%{Acct-Input-Octets}:-0}',
>  '%{%{Acct-Output-Gigawords}:-0}' << 32 |
>  '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}',
> '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',
>    '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
>      '0', '%{%{Acct-Delay-Time}:-0}')"
> >>         group_membership_query = "SELECT groupname           FROM
> radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER
> BY priority"
> >>         connect_failure_retry_delay = 60
> >>         simul_count_query = "SELECT COUNT(*)
>    #FROM radacct                              #WHERE username =
> '%{SQL-User-Name}'                              #AND acctstoptime IS NULL"
> >>         simul_verify_query = "SELECT radacctid, acctsessionid,
> username,                                nasipaddress, nasportid,
> framedipaddress,                                callingstationid,
> framedprotocol                                FROM radacct
>                WHERE username = '%{SQL-User-Name}'
>        AND acctstoptime IS NULL"
> >>         postauth_query = "INSERT INTO radpostauth
>     (username, pass, reply, authdate)                           VALUES (
>                         '%{User-Name}',
> '%{%{User-Password}:-%{Chap-Password}}',
> '%{reply:Packet-Type}', '%S')"
> >>         safe-characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> >>   }
> >> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
> linked
> >> rlm_sql (sql): Attempting to connect to
> cvpnadmin at mysql.claravpn.com:3306/cvpnradiusdb
> >> rlm_sql (sql): starting 0
> >> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> >> rlm_sql_mysql: Starting connect to MySQL server for #0
> >> rlm_sql (sql): Connected new DB handle, #0
> >> rlm_sql (sql): starting 1
> >> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> >> rlm_sql_mysql: Starting connect to MySQL server for #1
> >> rlm_sql (sql): Connected new DB handle, #1
> >> rlm_sql (sql): starting 2
> >> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> >> rlm_sql_mysql: Starting connect to MySQL server for #2
> >> rlm_sql (sql): Connected new DB handle, #2
> >> rlm_sql (sql): starting 3
> >> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> >> rlm_sql_mysql: Starting connect to MySQL server for #3
> >> rlm_sql (sql): Connected new DB handle, #3
> >> rlm_sql (sql): starting 4
> >> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> >> rlm_sql_mysql: Starting connect to MySQL server for #4
> >> rlm_sql (sql): Connected new DB handle, #4
> >>  Module: Checking preacct {...} for more modules to load
> >>  Module: Linked to module rlm_acct_unique
> >>  Module: Instantiating module "acct_unique" from file
> /etc/freeradius/modules/acct_unique
> >>   acct_unique {
> >>         key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> >>   }
> >>  Module: Checking accounting {...} for more modules to load
> >>  Module: Linked to module rlm_detail
> >>  Module: Instantiating module "detail" from file
> /etc/freeradius/modules/detail
> >>   detail {
> >>         detailfile =
> "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> >>         header = "%t"
> >>         detailperm = 384
> >>         dirperm = 493
> >>         locking = no
> >>         log_packet_header = no
> >>   }
> >>  Module: Linked to module rlm_radutmp
> >>  Module: Instantiating module "radutmp" from file
> /etc/freeradius/modules/radutmp
> >>   radutmp {
> >>         filename = "/var/log/freeradius/radutmp"
> >>         username = "%{User-Name}"
> >>         case_sensitive = yes
> >>         check_with_nas = yes
> >>         perm = 384
> >>         callerid = yes
> >>   }
> >>  Module: Linked to module rlm_attr_filter
> >>  Module: Instantiating module "attr_filter.accounting_response" from
> file /etc/freeradius/modules/attr_filter
> >>   attr_filter attr_filter.accounting_response {
> >>         attrsfile = "/etc/freeradius/attrs.accounting_response"
> >>         key = "%{User-Name}"
> >>         relaxed = no
> >>   }
> >>  Module: Checking session {...} for more modules to load
> >>  Module: Checking post-proxy {...} for more modules to load
> >>  Module: Checking post-auth {...} for more modules to load
> >>  Module: Instantiating module "attr_filter.access_reject" from file
> /etc/freeradius/modules/attr_filter
> >>   attr_filter attr_filter.access_reject {
> >>         attrsfile = "/etc/freeradius/attrs.access_reject"
> >>         key = "%{User-Name}"
> >>         relaxed = no
> >>   }
> >>  } # modules
> >> } # server
> >> server inner-tunnel { # from file
> /etc/freeradius/sites-enabled/inner-tunnel
> >>  modules {
> >>  Module: Checking authenticate {...} for more modules to load
> >>  Module: Checking authorize {...} for more modules to load
> >>  Module: Checking session {...} for more modules to load
> >>  Module: Checking post-proxy {...} for more modules to load
> >>  Module: Checking post-auth {...} for more modules to load
> >>  } # modules
> >> } # server
> >> radiusd: #### Opening IP addresses and Ports ####
> >> listen {
> >>         type = "auth"
> >>         ipaddr = *
> >>         port = 0
> >> }
> >> listen {
> >>         type = "acct"
> >>         ipaddr = *
> >>         port = 0
> >> }
> >> listen {
> >>         type = "auth"
> >>         ipaddr = 127.0.0.1
> >>         port = 18120
> >> }
> >>  ... adding new socket proxy address * port 48747
> >> Listening on authentication address * port 1812
> >> Listening on accounting address * port 1813
> >> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> >> Listening on proxy address * port 1814
> >> Ready to process requests.
> >> rad_recv: Access-Request packet from host 192.168.2.24 port 37360,
> id=33, length=151
> >>         Service-Type = Framed-User
> >>         Framed-Protocol = PPP
> >>         User-Name = "md5sonder"
> >>         MS-CHAP-Challenge = 0x0450cfc169281de4596f775878e83202
> >>         MS-CHAP2-Response =
> 0x50002036d573a3f3f443f0adaaf52b1557b300000000000000004fab1da0b14e7e7827768b24019d9c9e41dec2d11872bbad
> >>         Calling-Station-Id = "97.218.49.75"
> >>         NAS-IP-Address = 127.0.0.1
> >>         NAS-Port = 0
> >> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> >> +- entering group authorize {...}
> >> ++[preprocess] returns ok
> >> ++[chap] returns noop
> >> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> >> ++[mschap] returns ok
> >> ++[digest] returns noop
> >> [suffix] No '@' in User-Name = "md5sonder", looking up realm NULL
> >> [suffix] No such realm "NULL"
> >> ++[suffix] returns noop
> >> [eap] No EAP-Message, not doing EAP
> >> ++[eap] returns noop
> >> [files] users: Matched entry DEFAULT at line 172
> >> ++[files] returns ok
> >> [sql]   expand: %{User-Name} -> md5sonder
> >> [sql] sql_set_user escaped user --> 'md5sonder'
> >> rlm_sql (sql): Reserving sql socket id: 4
> >> [sql]   expand: SELECT id, username, attribute, value, op
> FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER
> BY id -> SELECT id, username, attribute, value, op           FROM radcheck
>           WHERE username = 'md5sonder'           ORDER BY id
> >> [sql] User found in radcheck table
> >> [sql]   expand: SELECT id, username, attribute, value, op
> FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER
> BY id -> SELECT id, username, attribute, value, op           FROM radreply
>           WHERE username = 'md5sonder'           ORDER BY id
> >> [sql]   expand: SELECT groupname           FROM radusergroup
> WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
> groupname           FROM radusergroup           WHERE username =
> 'md5sonder'           ORDER BY priority
> >> rlm_sql (sql): Released sql socket id: 4
> >> ++[sql] returns ok
> >> ++[expiration] returns noop
> >> ++[logintime] returns noop
> >> [pap] Normalizing MD5-Password from hex encoding
> >> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> >> ++[pap] returns noop
> >> Found Auth-Type = MSCHAP
> >> # Executing group from file /etc/freeradius/sites-enabled/default
> >> +- entering group MS-CHAP {...}
> >> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> >> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> >> [mschap] Creating challenge hash with username: md5sonder
> >> [mschap] Told to do MS-CHAPv2 for md5sonder with NT-Password
> >> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> >> [mschap] FAILED: MS-CHAP2-Response is incorrect
> >> ++[mschap] returns reject
> >> Failed to authenticate the user.
> >> Using Post-Auth-Type Reject
> >> # Executing group from file /etc/freeradius/sites-enabled/default
> >> +- entering group REJECT {...}
> >> [attr_filter.access_reject]     expand: %{User-Name} -> md5sonder
> >> attr_filter: Matched entry DEFAULT at line 11
> >> ++[attr_filter.access_reject] returns updated
> >> Delaying reject of request 0 for 1 seconds
> >> Going to the next request
> >> Waking up in 0.6 seconds.
> >> Sending delayed reject for request 0
> >> Sending Access-Reject of id 33 to 192.168.2.24 port 37360
> >>         MS-CHAP-Error = "PE=691 R=1"
> >> Waking up in 4.9 seconds.
> >> Cleaning up request 0 ID 33 with timestamp +121
> >> Ready to process requests.
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
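The thread above boils down to one mechanical fact: rlm_mschap rejects "md5sonder" with "No NT/LM-Password" because MS-CHAPv2 verification is keyed by the NT hash (MD4 of the UTF-16LE password), which can be taken from an NT-Password check item or derived from Cleartext-Password, but never from MD5-Password. The following is an added worked example, not code from this thread or from the FreeRADIUS project. It implements the DES-free parts of RFC 2759 (NtPasswordHash, ChallengeHash) and the RFC 2548 MS-CHAP2-Response layout, parses the actual MS-CHAP-Challenge and MS-CHAP2-Response from the debug output, and shows which radcheck rows yield usable key material. Assumptions: the from-scratch MD4 (used because hashlib.new("md4") fails on OpenSSL 3 builds that keep MD4 in the legacy provider), the placeholder password "hunter2" in the constructed radcheck rows, and the ':=' operator plus 32-hex-character value form in the suggested NT-Password row.

```python
"""Why rlm_mschap needs NT-Password or Cleartext-Password, not MD5-Password.
Added example, not FreeRADIUS code. RFC 2759 pieces that need no DES."""
import hashlib
import struct
from typing import Optional

_MASK = 0xFFFFFFFF
# MD4 rounds: mixing function, additive constant, shift schedule, X[] index order.
_MD4_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the digest Windows uses for the NT hash. Written out here
    because hashlib.new("md4") raises ValueError on many OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, add, shifts, order in _MD4_ROUNDS:
            for i, k in enumerate(order):
                aa = _rotl((aa + f(bb, cc, dd) + x[k] + add) & _MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc  # rotate register roles
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 s8.3): MD4 of the UTF-16LE password. Unsalted,
    so every user with the same password has the same 16-byte hash."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 s8.2): SHA-1(Peer|Auth|UserName)[:8]; UserName is
    the bare name without domain, as rlm_mschap logs for "md5sonder"."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def parse_mschap2_response(attr: bytes) -> dict:
    """MS-CHAP2-Response (RFC 2548 s2.3.2):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24) = 50 bytes."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    return {"ident": attr[0], "flags": attr[1], "peer_challenge": attr[2:18],
            "reserved": attr[18:26], "nt_response": attr[26:50]}


def mschapv2_key_material(radcheck: dict) -> Optional[bytes]:
    """What the server must hold to verify the 24-byte NT-Response: the 16-byte
    NT hash, zero-padded to 21 bytes and split into three 7-byte DES keys that
    encrypt the 8-byte challenge hash. It can come from NT-Password directly or
    be derived from Cleartext-Password. MD5-Password (any other digest) cannot
    be turned back into an NT hash, hence the "No NT/LM-Password" reject."""
    if "NT-Password" in radcheck:
        value = radcheck["NT-Password"]
        return bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if "Cleartext-Password" in radcheck:
        return nt_password_hash(radcheck["Cleartext-Password"])
    return None


def radcheck_nt_password_row(username: str, password: str) -> tuple:
    """radcheck row (username, attribute, op, value) that makes MS-CHAPv2 work
    without storing cleartext. ':=' and the 32-hex-char value are assumptions."""
    return (username, "NT-Password", ":=", nt_password_hash(password).hex())


# Taken from the Access-Request in the debug output above.
AUTH_CHALLENGE = bytes.fromhex("0450cfc169281de4596f775878e83202")
MSCHAP2_RESPONSE = bytes.fromhex(
    "5000" "2036d573a3f3f443f0adaaf52b1557b3" "0000000000000000"
    "4fab1da0b14e7e7827768b24019d9c9e41dec2d11872bbad")


def demo() -> dict:
    """Walk the captured request through the steps rlm_mschap would take."""
    fields = parse_mschap2_response(MSCHAP2_RESPONSE)
    chash = challenge_hash(fields["peer_challenge"], AUTH_CHALLENGE, "md5sonder")
    # Constructed radcheck rows; "hunter2" is a placeholder, not the real password.
    rows = {
        "MD5-Password": {"MD5-Password": hashlib.md5(b"hunter2").hexdigest()},
        "Cleartext-Password": {"Cleartext-Password": "hunter2"},
        "NT-Password": {"NT-Password": nt_password_hash("hunter2").hex()},
    }
    return {"challenge_hash": chash.hex(),
            "key_material": {k: mschapv2_key_material(v) for k, v in rows.items()}}


if __name__ == "__main__":
    for name, key in demo()["key_material"].items():
        print(f"{name:20s} -> {'NT hash ' + key.hex() if key else 'cannot verify: reject'}")
```

Two consequences follow from the code. Because the stored NT hash is exactly the key the client's response is computed with, anyone who can read radcheck can authenticate over MS-CHAPv2 without ever learning the password, which is why the only real answer is to protect the database itself. And because NtPasswordHash has no salt, identical passwords produce identical rows, so a precomputed table maps hashes back to passwords across every user at once.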