Ms-Chap + NT-Password

Anton Kiryushkin swood at fotofor.biz
Mon Dec 31 16:22:42 CET 2018


In other words, how can I make a different way to authorise users per
controller?
I found the option virtual_server, but when I read the log I saw that the client
goes through a dedicated site with an md5-hashed password and after that comes
back to the default site.
What is this hash:
 MD5-Password := 0x6c375752517179667431416e4c4f6462714d365679413d3d
I saved other hashes in my database via the following script:

#!/usr/bin/perl -w
use strict;
use Digest::MD5;
use MIME::Base64;

# The password to hash is taken from the first command-line argument
unless ($ARGV[0]) {
    print "Please supply a password to create a MD5 hash from.\n";
    exit;
}

# MD5 digest of the password, base64-encoded without line breaks
my $ctx = Digest::MD5->new;
$ctx->add($ARGV[0]);
print encode_base64($ctx->digest, '') . "\n";

And passwords hashed in that way are working with the VPN site.

Mon, 31 Dec 2018 at 14:56, Anton Kiryushkin <swood at fotofor.biz>:

> Hello, Alan.
>
> As I understand it, I need two sites for authorizing clients via wifi and
> ethernet. I made a different site, and I wrote a rule to redirect users.
> But when I'm checking this solution I can't understand why freeradius is
> expecting Cleartext-Password instead of MD5-Password (please see the log below):
>
> (9) Received Access-Request Id 143 from 127.0.0.1:45799 to 127.0.0.1:1812
> length 72
> (9)   User-Name = “testier"
> (9)   User-Password = “password"
> (9)   NAS-IP-Address = 127.0.0.1
> (9) # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (9)   authorize {
> (9)     if (!control:Cleartext-Password && &User-Password) {
> (9)     if (!control:Cleartext-Password && &User-Password)  -> TRUE
> (9)     if (!control:Cleartext-Password && &User-Password)  {
> (9)       update control {
> (9)         EXPAND %{control:User-Password}
> (9)            -->
> (9)         Password-With-Header :=
> (9)         EXPAND %{control:User-Password}
> (9)            -->
> (9)         control:Cleartext-Password :=
> (9)         User-Password := ""
> (9)       } # update control = noop
> (9)       update reply {
> (9)         EXPAND %{control:User-Password}
> (9)            -->
> (9)         User-Password -=
> (9)       } # update reply = noop
> (9)     } # if (!control:Cleartext-Password && &User-Password)  = noop
> (9)     if (config:User-Password && config:Cleartext-Password) {
> (9)     if (config:User-Password && config:Cleartext-Password)  -> TRUE
> (9)     if (config:User-Password && config:Cleartext-Password)  {
> (9)       update config {
> (9)         User-Password !* ANY
> (9)       } # update config = noop
> (9)     } # if (config:User-Password && config:Cleartext-Password)  = noop
> (9)     [preprocess] = ok
> (9)     [chap] = noop
> (9)     [mschap] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "testuser", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9)     [suffix] = noop
> (9)     update control {
> (9)       Proxy-To-Realm := LOCAL
> (9)     } # update control = noop
> (9) eap: No EAP-Message, not doing EAP
> (9)     [eap] = noop
> (9)     if (NAS-IP-Address == 127.0.0.1) {
> (9)     if (NAS-IP-Address == 127.0.0.1)  -> TRUE
> (9)     if (NAS-IP-Address == 127.0.0.1)  {
> (9) sql-wifi-ethernet: EXPAND %{User-Name}
> (9) sql-wifi-ethernet:    --> testuser
> (9) sql-wifi-ethernet: SQL-User-Name set to 'testuser'
> rlm_sql (sql-wifi-ethernet): Reserved connection (13)
> (9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, username,
> 'MD5-Password' as attribute, md5_hash, ':=' as  op FROM wifiusers WHERE
> username = '%{SQL-User-Name}' ORDER BY id
> (9) sql-wifi-ethernet:    --> SELECT wifi_id as id, username,
> 'MD5-Password' as attribute, md5_hash, ':=' as  op FROM wifiusers WHERE
> username = 'testuser' ORDER BY id
> (9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id,
> username, 'MD5-Password' as attribute, md5_hash, ':=' as  op FROM wifiusers
> WHERE username = 'testuser' ORDER BY id
> (9) sql-wifi-ethernet: User found in radcheck table
> (9) sql-wifi-ethernet: Conditional check items matched, merging assignment
> check items
> (9) sql-wifi-ethernet:   MD5-Password :=
> 0x6c375752517179667431416e4c4f6462714d365679413d3d
> (9) sql-wifi-ethernet: EXPAND SELECT id, UserName, Attribute, Value, op
> FROM msk_wifi_attrs WHERE username = '%{SQL-User-Name}' ORDER BY id
> (9) sql-wifi-ethernet:    --> SELECT id, UserName, Attribute, Value, op
> FROM msk_wifi_attrs WHERE username = 'testuser' ORDER BY id
> (9) sql-wifi-ethernet: Executing select query: SELECT id, UserName,
> Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'testuser' ORDER
> BY id
> (9) sql-wifi-ethernet: EXPAND SELECT 'Officewifi' as GroupName FROM
> wifiusers WHERE UserName='%{SQL-User-Name}'
> (9) sql-wifi-ethernet:    --> SELECT 'Officewifi' as GroupName FROM
> wifiusers WHERE UserName='testuser'
> (9) sql-wifi-ethernet: Executing select query: SELECT 'Officewifi' as
> GroupName FROM wifiusers WHERE UserName='testuser'
> (9) sql-wifi-ethernet: User found in the group table
> (9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, 'Officewifi' as
> GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM
> wifiusers           WHERE Username = '%{SQL-User-Name}'           ORDER BY
> id
> (9) sql-wifi-ethernet:    --> SELECT wifi_id as id, 'Officewifi' as
> GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM
> wifiusers           WHERE Username = 'testuser'           ORDER BY id
> (9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id,
> 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op
>  FROM wifiusers           WHERE Username = 'testuser'           ORDER BY
> id
> (9) sql-wifi-ethernet: Group "Officewifi": Conditional check items matched
> (9) sql-wifi-ethernet: Group "Officewifi": Merging assignment check items
> (9) sql-wifi-ethernet:   MD5-Password :=
> 0x6c375752517179667431416e4c4f6462714d365679413d3d
> (9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, 'Officewifi' as
> GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op         FROM
> wifiusers           WHERE Username = '%{SQL-User-Name}'           ORDER BY
> id
> (9) sql-wifi-ethernet:    --> SELECT wifi_id as id, 'Officewifi' as
> GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op         FROM
> wifiusers           WHERE Username = 'testuser'           ORDER BY id
> (9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id,
> 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as
> op         FROM wifiusers           WHERE Username = 'testuser'
> ORDER BY id
> (9) sql-wifi-ethernet: Group "Officewifi": Merging reply items
> (9) sql-wifi-ethernet:   MD5-Password :=
> 0x6c375752517179667431416e4c4f6462714d365679413d3d
> rlm_sql (sql-wifi-ethernet): Released connection (13)
> (9)       [sql-wifi-ethernet] = ok
> (9)     } # if (NAS-IP-Address == 127.0.0.1)  = ok
> (9)     ... skipping else: Preceding "if" was taken
> (9)     [files] = noop
> (9)     [expiration] = noop
> (9)     [logintime] = noop
> (9) pap: WARNING: Config already contains a "known good" password
> (&control:Cleartext-Password).  Ignoring &config:Password-With-Header
> (9) pap: Normalizing MD5-Password from base64 encoding, 24 bytes -> 16
> bytes
> (9)     [pap] = updated
> (9)   } # authorize = updated
> (9) Found Auth-Type = PAP
> (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (9)   Auth-Type PAP {
> (9) pap: Login attempt with password
> (9) pap: Comparing with "known good" Cleartext-Password
> (9) pap: ERROR: Cleartext password does not match "known good" password
> (9) pap: Passwords don't match
> (9)     [pap] = reject
> (9)   } # Auth-Type PAP = reject
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (9)   Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject:    --> testuser
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9)     [attr_filter.access_reject] = updated
> (9)   } # Post-Auth-Type REJECT = updated
>
> I wish you a Happy New Year. Thanks in advance for your answer.
>
> Sat, 22 Dec 2018 at 13:43, Alan DeKok <aland at deployingradius.com>:
>
>> On Dec 21, 2018, at 6:28 PM, Anton Kiryushkin <swood at fotofor.biz> wrote:
>> >
>> > Thank you very much for your explanation. I fixed one of my problems.
>> But
>> > there is one more, unfortunately. Could you please tell me why some
>> clients
>> > still can't log in:
>>
>>   The debug messages are clear...
>> >
>> > (100) eap: Peer sent packet with method EAP MD5 (4)
>> > (100) eap: Calling submodule eap_md5 to process data
>> > (100) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
>> > authentication
>>
>>   You need a Cleartext-Password to do EAP-MD5.
>>
>>   The rest of the debug messages make it clear that the EAP-MD5 method is
>> being used *inside* of PEAP.
>>
>> > I suppose, the main problem from this string:
>> >
>> > (100) eap_peap: EAP method MD5 (4)
>> >
>> > But, I haven't enabled this type of authorization:
>>
>>   Yes, you have.  You've listed "md5" inside of the "eap" module
>> configuration.  If you didn't list "md5" there, then FreeRADIUS would
>> complain that EAP-MD5 wasn't permitted.  Instead, it runs EAP-MD5.
>>
>> > Probably I should have two versions of hashes for wifi and ethernet
>> > authorization?
>>
>>   The debug log says you need the Cleartext-Password, not a hashed
>> password.  And once you have that, FreeRADIUS can do PEAP/MS-CHAP, too.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
> --
> Best regards,
> Anton Kiryushkin
>
>

-- 
Best regards,
Anton Kiryushkin
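An added example (not from the thread and not FreeRADIUS code) that answers the "what is this hash" question above: the hex the debug log prints for MD5-Password is just the bytes of the base64 text the Perl script produced, and pap's "Normalizing MD5-Password ... 24 bytes -> 16 bytes" step turns it back into the raw digest before comparing. Python's hashlib stands in for Digest::MD5; the helper names are assumptions, and the normalization routine is modelled on rlm_pap's behaviour rather than copied from it.

```python
import base64
import hashlib
import hmac

# Constructed from the debug log above: the MD5-Password control attribute,
# printed by FreeRADIUS as the hex of its raw octets.
MD5_PASSWORD_FROM_LOG = "6c375752517179667431416e4c4f6462714d365679413d3d"

def perl_style_md5_password(password: str) -> str:
    """Same output as the Perl script: base64(MD5(password)), no newline."""
    return base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")

def attribute_as_text(attr_hex: str) -> str:
    """Undo the debug-log hex display and show the text the SQL query returned."""
    return bytes.fromhex(attr_hex).decode("ascii")

def normalize_md5_password(attr_hex: str) -> bytes:
    """Mirror pap's normalization step (assumed model of rlm_pap, not its code):
    accept the digest as raw bytes, hex text or base64 text and always return
    the 16-byte digest; reject anything that is not MD5-shaped."""
    raw = bytes.fromhex(attr_hex)
    if len(raw) == 16:                      # already the raw digest
        return raw
    if len(raw) == 32:                      # hex text
        return bytes.fromhex(raw.decode("ascii"))
    if len(raw) == 24:                      # base64 text, as in the log
        digest = base64.b64decode(raw, validate=True)
        if len(digest) == 16:
            return digest
    raise ValueError(f"MD5-Password has unexpected length {len(raw)}")

def pap_check(password: str, attr_hex: str) -> bool:
    """What Auth-Type PAP does with a known-good MD5-Password: hash and compare."""
    expected = normalize_md5_password(attr_hex)
    actual = hashlib.md5(password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)

def md5_password_attr_hex(password: str) -> str:
    """Build the attribute as the log would print it for a freshly hashed password."""
    return perl_style_md5_password(password).encode("ascii").hex()

if __name__ == "__main__":
    print(attribute_as_text(MD5_PASSWORD_FROM_LOG))            # base64 text from the DB
    print(normalize_md5_password(MD5_PASSWORD_FROM_LOG).hex())  # the 16-byte digest
    print(pap_check("password", md5_password_attr_hex("password")))  # True
```

This is why the thread keeps coming back to Cleartext-Password: a stored MD5 digest can be compared by pap, but EAP-MD5 needs the cleartext password, and MS-CHAP needs the cleartext or an NT-Password.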