FreeRadius MSCHAP Authenticatiom With Realm Fails
T I
j-msg at live.com
Fri Mar 14 12:24:11 CET 2014
Hi
I have FreeRadius 2.0 server with AD as user store. Authenticating using
EAP-PEAP-MSCHAP2.Local realm is defined in proxy.conf.
Authentications works fine without realm added to the username. As soon
as I authenticate using username with realm, i.e. username at realm.com,
authentication fails.
The reason for failure is clear, it fails because radius server mschap
module creates challenge hash with username which includes realm.
I need
the radius mschap module to create hash from stripped username, i.e.
which doesn't include the realm.
Any ideas?
Please see radius debug log below:
rad_recv: Access-Request packet from host 192.168.1.254 port 55769, id=138, length=376
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "user5 at igor.local"
State = 0x3ce95d9d3fed44ec4019661d07f2a324
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
EAP-Message = 0x020400d01980000000c61603010086100000820080791cc56766422be7f48414f5942dda519afd607aea2fae890f9236e8af61cf71c66f4f80a5d427672d7f949a3fa163b959f0f1957f382f533a3f9c23d576dafcb5d36ca04dc7d0002203513a23b9394b75cf98f241a6c585583593f6622829a39a736160f0f83b567fa7bbc253558191630071d1889827f6118f366040f69d8814030100010116030100307173492977a9f772a302c0ecb7d2612700f9433dce8e08ff0e74b84dbc62de5fe5a95921f364f8c68dd38484550022ae
Message-Authenticator = 0x9a61469cb26792ebd980f294bd9a64c9
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5 at igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 138 to 192.168.1.254 port 55769
EAP-Message = 0x0105004119001403010001011603010030b0496fb6db5990b1f6a9cf2425dd8587e12b8f4e394f4bd8ccd2c077fe9ba54077bc170e9af421dda6e1deba0235ae8b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ce95d9d38ec44ec4019661d07f2a324
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 56590, id=139, length=174
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "user5 at igor.local"
State = 0x3ce95d9d38ec44ec4019661d07f2a324
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
EAP-Message = 0x020500061900
Message-Authenticator = 0xd034f4a268e3ac260f43575b92006929
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5 at igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 139 to 192.168.1.254 port 56590
EAP-Message = 0x0106002b190017030100205c4bae935a0f79fa0d08a9ce246433654e7edd61806e1f065cc4bdc32958e161
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ce95d9d39ef44ec4019661d07f2a324
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 53256, id=140, length=264
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "user5 at igor.local"
State = 0x3ce95d9d39ef44ec4019661d07f2a324
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
EAP-Message = 0x02060060190017030100209cc7c674b7a342e6bec99adea0f61331d5f99b0f6a5950927de5ae55a0bcbcbd1703010030a3f8d19a2da43ad4bee38bdadeeb8049f2ccd3b6452763ed52490a8ff701f7dddeb0d19ec99dc82884df40d0c650c45c
Message-Authenticator = 0x4c2f97f2d3325123f0616a879cb73a5f
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5 at igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - user5 at igor.local
[peap] Got inner identity 'user5 at igor.local'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020600150175736572354069676f722e6c6f63616c
server {
[peap] Setting User-Name to user5 at igor.local
Sending tunneled request
EAP-Message = 0x020600150175736572354069676f722e6c6f63616c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user5 at igor.local"
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
[eap] EAP packet type response id 6 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[mschap] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0107002a1a010700251028ee58cd731c7f9fdd4de2f82cc1bf8e75736572354069676f722e6c6f63616c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d2798eb6d20828b51434e222e2c4892
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0107002a1a010700251028ee58cd731c7f9fdd4de2f82cc1bf8e75736572354069676f722e6c6f63616c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d2798eb6d20828b51434e222e2c4892
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 140 to 192.168.1.254 port 53256
EAP-Message = 0x0107004b190017030100400140898f0ff025ef80db345ef75a51b4a94d6b114a1d16ef08e1fc4c2d9de5d9895bd09efcdbc614e3886fa835507c92e6b34d2d657247692685e84c0e1f540f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ce95d9d3aee44ec4019661d07f2a324
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 47603, id=141, length=312
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "user5 at igor.local"
State = 0x3ce95d9d3aee44ec4019661d07f2a324
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
EAP-Message = 0x020700901900170301002045693fe624f18512a0f9c83b0b896669c3a55066d0d54494bdee159a241df7cf170301006081573695ccc8dd51297f737d1ab47a212c08801a46c831418959b106028089aac0d7cec2f5aa0740909f7ae40d4274bd4534fa24cc41b9c775c3202ad337b19d7b7062c980579e7d31ca54439954aedcb279acd9cc65df2c1fdb85039fb26142
Message-Authenticator = 0x97fd332a0965353e5459137c179a2c62
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5 at igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0207004b1a02070046317c71750309db8428b4ec154f7e6c5b840000000000000000a333f4999fd9698891d2fbc675892007431387796abfa13b0075736572354069676f722e6c6f63616c
server {
[peap] Setting User-Name to user5 at igor.local
Sending tunneled request
EAP-Message = 0x0207004b1a02070046317c71750309db8428b4ec154f7e6c5b840000000000000000a333f4999fd9698891d2fbc675892007431387796abfa13b0075736572354069676f722e6c6f63616c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user5 at igor.local"
State = 0x6d2798eb6d20828b51434e222e2c4892
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
[eap] EAP packet type response id 7 length 75
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[mschap] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: user5 at igor.local
[mschap] Told to do MS-CHAPv2 for user5 at igor.local with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> user5 at igor.local
[mschap] expand: %{%{User-Name}:-None} -> user5 at igor.local
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user5 at igor.local
[mschap] Creating challenge hash with username: user5 at igor.local
[mschap] expand: %{mschap:Challenge} -> 13479bee1886303a
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=13479bee1886303a
[mschap] expand: %{mschap:NT-Response} -> a333f4999fd9698891d2fbc675892007431387796abfa13b
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a333f4999fd9698891d2fbc675892007431387796abfa13b
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.1.254 port 47603
EAP-Message = 0x0108002b19001703010020849be569aa66a8021ded29e15410bf74c59467c7db34f5995d1b6f91ebe9f22f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ce95d9d3be144ec4019661d07f2a324
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49384, id=142, length=248
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "user5 at igor.local"
State = 0x3ce95d9d3be144ec4019661d07f2a324
NAS-Port-Id = "wlan1"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "5C-3C-27-29-AE-0B"
Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
EAP-Message = 0x02080050190017030100200ebc17e9bd20cc45f1c1772575868316464689e08bba6f4d934e5e1e4be3b040170301002078626c70503034ac41b926af5220e841c57e097b8fe870a8a49fdf71c2e749f8
Message-Authenticator = 0x658f4273b0c1858d67761528c08eac05
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5 at igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user5 at igor.local
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 142 to 192.168.1.254 port 49384
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 134 with timestamp +3480
Cleaning up request 1 ID 135 with timestamp +3480
Cleaning up request 2 ID 136 with timestamp +3480
Cleaning up request 3 ID 137 with timestamp +3480
Cleaning up request 4 ID 138 with timestamp +3480
Cleaning up request 5 ID 139 with timestamp +3480
Cleaning up request 6 ID 140 with timestamp +3480
Cleaning up request 7 ID 141 with timestamp +3480
Waking up in 1.0 seconds.
Cleaning up request 8 ID 142 with timestamp +3480
Ready to process requests.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140314/735d9b27/attachment-0001.html>
More information about the Freeradius-Users
mailing list