authenticate against SHA2 hash in EAP-MSCHAPv2
Volodymyr Litovka
doka.ua at gmx.com
Wed Feb 28 11:56:49 CET 2018
Hi again,
and it's worth saying that plain authentication using "radtest doka q1w2e3
localhost 1812 mysecret" against SHA2-Password in "users" works perfectly:
Sent Access-Request Id 237 from 0.0.0.0:37952 to 127.0.0.1:1812 length 74
User-Name = "doka"
User-Password = "q1w2e3"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "q1w2e3"
Received Access-Accept Id 237 from 127.0.0.1:1812 to 0.0.0.0:0 length 33
Reply-Message = "Hello, doka"
with the following debug:
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry doka at line 69
(0) files: EXPAND Hello, %{User-Name}
(0) files: --> Hello, doka
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: Normalizing SHA2-Password from hex encoding, 64 bytes -> 32 bytes
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = pap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" SHA2-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
so there are no problems with the crypto libraries or the "SHA2-Password"
statement itself.
On 2/28/18 12:34 PM, Volodymyr Litovka wrote:
> Hi colleagues,
>
> I'm pretty new to FreeRadius and it looks like I'm missing something that will
> allow me to authenticate MSCHAP users against stored SHA256 hashes.
>
> Having the following entries in the "users" file :
>
> #doka Cleartext-Password := "q1w2e3"
> doka SHA2-Password :=
> "AE5A853873043C7B011C6300C464D8D4014BF833697A3C01817D83AA91A53166"
>
> I'm trying to authenticate Strongswan connections, which use
> EAP-MSCHAPv2. In both cases, FreeRadius notes that "pap: WARNING:
> Auth-Type already set. Not setting to PAP" but while it's not required
> with Cleartext-Password, it's required (but not called) for
> SHA2-Password:
>
> There are two different debugs:
>
> 1) for clear-text password it works:
>
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry doka at line 68
> (1) files: EXPAND Hello, %{User-Name}
> (1) files: --> Hello, doka
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xa83c0023a83d1a89
> (1) eap: Finished EAP session with state 0xa83c0023a83d1a89
> (1) eap: Previous EAP request found for state 0xa83c0023a83d1a89,
> released from the list
> (1) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (1) eap: Calling submodule eap_mschapv2 to process data
> (1) eap_mschapv2: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> (1) eap_mschapv2: authenticate {
> (1) mschap: Found Cleartext-Password, hashing to create NT-Password
> (1) mschap: Found Cleartext-Password, hashing to create LM-Password
> (1) mschap: Creating challenge hash with username: doka
> (1) mschap: Client is using MS-CHAPv2
> (1) mschap: Adding MS-CHAPv2 MPPE keys
> (1) [mschap] = ok
> (1) } # authenticate = ok
> (1) MSCHAP Success
>
> 2) while as soon as I switch to SHA2-Password, it stops authenticating
> requests
>
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry doka at line 69
> (1) files: EXPAND Hello, %{User-Name}
> (1) files: --> Hello, doka
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: Normalizing SHA2-Password from hex encoding, 64 bytes -> 32
> bytes
> (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x1ba8bb871ba9a1a0
> (1) eap: Finished EAP session with state 0x1ba8bb871ba9a1a0
> (1) eap: Previous EAP request found for state 0x1ba8bb871ba9a1a0,
> released from the list
> (1) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (1) eap: Calling submodule eap_mschapv2 to process data
> (1) eap_mschapv2: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> (1) eap_mschapv2: authenticate {
> (1) mschap: WARNING: No Cleartext-Password configured. Cannot create
> NT-Password
> (1) mschap: WARNING: No Cleartext-Password configured. Cannot create
> LM-Password
> (1) mschap: Creating challenge hash with username: doka
> (1) mschap: Client is using MS-CHAPv2
> (1) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
> authentication
> (1) mschap: ERROR: MS-CHAP2-Response is incorrect
> (1) [mschap] = reject
> (1) } # authenticate = reject
> (1) eap: Sending EAP Failure (code 4) ID 1 length 4
> (1) eap: Freeing handler
> (1) [eap] = reject
> (1) } # authenticate = reject
> (1) Failed to authenticate the user
>
> Configuration is the following:
>
> 1) sites-enabled/default :
> authorize {
> filter_username
> preprocess
> auth_log
> chap
> mschap
> digest
> suffix
> eap {
> ok = return
> }
> files
> -sql
> -ldap
> expiration
> logintime
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> mschap
> digest
> eap
> }
>
> 2) mods-enabled/eap :
> eap {
> default_eap_type = mschapv2
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = ${max_requests}
> md5 {
> }
> mschapv2 {
> }
> }
>
> 3) mods-enabled/mschap (unmodified) :
> mschap {
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> spare = ${thread[pool].max_spare_servers}
> uses = 0
> retry_delay = 30
> lifetime = 86400
> cleanup_interval = 300
> idle_timeout = 600
> }
> passchange {
> }
> }
>
> 4) mods-enabled/pap (unmodified) :
> pap {
> }
>
> I will greatly appreciate any help on working around this issue. Please.
>
> Thank you!
>
> --
> Volodymyr Litovka
> "Vision without Execution is Hallucination." -- Thomas Edison
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
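The two debug traces above show the underlying asymmetry: with PAP the client sends the cleartext password, so rlm_pap can recompute any stored digest (SHA2-Password included) and compare; with MS-CHAPv2 the client sends only a DES response keyed by the NT hash, so the server must already hold NT-Password, which rlm_mschap derives as MD4 over the UTF-16LE password from Cleartext-Password. A SHA-256 digest cannot be turned into that MD4 value, which is exactly the "No NT/LM-Password. Cannot perform authentication" failure. The script below is an added example written for this page, not FreeRADIUS code: the function names, the pure-Python MD4 (used because hashlib's md4 is often unavailable under OpenSSL 3) and the sample users-file lines are all constructed here, and the check only models the credential lookup the two modules perform, not the full RADIUS exchange.

```python
"""Added example (not FreeRADIUS code): which stored credential forms PAP and
MS-CHAPv2 can each use, and why a SHA2-Password entry satisfies only PAP."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled by OpenSSL 3."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + words[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates "d"
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(cleartext: str) -> bytes:
    """NT-Password as rlm_mschap derives it from Cleartext-Password: MD4(UTF-16LE)."""
    return md4(cleartext.encode("utf-16-le"))


def sha2_password_hex(cleartext: str) -> str:
    """SHA2-Password in the upper-case hex form used in the users file above."""
    return hashlib.sha256(cleartext.encode()).hexdigest().upper()


def parse_users_line(line: str) -> tuple:
    """Parse one single-attribute users-file line of the form: user Attr := "value"."""
    user, attr, op, value = line.split(None, 3)
    if op != ":=":
        raise ValueError("only ':=' entries are modelled here")
    return user, {attr: value.strip().strip('"')}


def normalize_sha2(value: str) -> bytes:
    """The 'Normalizing SHA2-Password from hex encoding, 64 bytes -> 32 bytes' step."""
    return bytes.fromhex(value) if len(value) == 64 else value.encode()


def verify_pap(password: str, stored: dict) -> bool:
    """PAP: the cleartext arrived, so any stored form can be recomputed and compared."""
    if "Cleartext-Password" in stored:
        return hmac.compare_digest(password.encode(), stored["Cleartext-Password"].encode())
    if "SHA2-Password" in stored:
        known = normalize_sha2(stored["SHA2-Password"])
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), known)
    if "NT-Password" in stored:  # assumed hex-encoded in this example
        return hmac.compare_digest(nt_password(password), bytes.fromhex(stored["NT-Password"]))
    return False


def mschap_nt_hash(stored: dict):
    """MS-CHAPv2: the server needs the NT hash itself; this is the lookup that fails
    in the trace with 'No NT/LM-Password. Cannot perform authentication'."""
    if "NT-Password" in stored:
        return bytes.fromhex(stored["NT-Password"])
    if "Cleartext-Password" in stored:
        return nt_password(stored["Cleartext-Password"])
    return None  # a SHA-256 digest cannot be converted into MD4(UTF-16LE(password))


def supported_methods(stored: dict) -> dict:
    """Summarise what a users-file entry can authenticate."""
    pap = any(k in stored for k in ("Cleartext-Password", "SHA2-Password", "NT-Password"))
    return {"PAP": pap, "MS-CHAPv2": mschap_nt_hash(stored) is not None}


if __name__ == "__main__":
    # Constructed sample entries in the same shape as the users file quoted above.
    for line in (
        'doka Cleartext-Password := "q1w2e3"',
        'doka SHA2-Password := "%s"' % sha2_password_hex("q1w2e3"),
        'doka NT-Password := "%s"' % nt_password("q1w2e3").hex().upper(),
    ):
        _, stored = parse_users_line(line)
        print(line, "->", supported_methods(stored), "pap ok:", verify_pap("q1w2e3", stored))
```

The practical consequence for the setup above: MS-CHAPv2 can only be served from Cleartext-Password or an NT-Password attribute, never from SHA2-Password, so a deployment that wants to avoid storing cleartext has to store the NT hash instead. That hash is unsalted MD4 and is password-equivalent for MS-CHAPv2, so it needs the same protection as the cleartext itself.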