Freeradius with LDAPS + mschap

Andrew Nicols andrewn at moodle.com
Thu Jan 23 05:12:34 CET 2020


Hello all,

I have been trying to create a freeradius configuration to support
authentication for a VPN connection. The VPN is provided by Ubiquiti's
Unifi product (though I don't believe that makes any difference).

Our LDAP server is providing a variety of auths already, and we do have it
configured with Freeradius already. It will currently work with pap, and
with our 802.1X wireless network.

The VPN typically requires mschap, or mschapv2 and this is where I'm
currently stuck.

The authenticate section of the inner-tunnel configuration is:

authenticate {
  Auth-Type PAP {
    ldap
  }

  Auth-Type CHAP {
    chap
  }

  Auth-Type MS-CHAP {
    mschap
  }

  mschap

  ldap

  eap
}


And the authenticate section:

authorize {
  filter_username
  chap
  mschap
  suffix
  update control {
    &Proxy-To-Realm := LOCAL
  }
  eap {
    ok = return
  }
  ldap
  expiration
  logintime
  pap

  if (User-Password) {
    update control {
      Auth-Type := ldap
    }
  }
}

And here is a sample log from a failed connection:

(27) Received Access-Request Id 122 from 172.17.0.1:40240 to 172.17.0.3:1812 length 135
(27)   Service-Type = Framed-User
(27)   Framed-Protocol = PPP
(27)   User-Name = "andrewn"
(27)   MS-CHAP-Challenge = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(27)   MS-CHAP2-Response = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(27)   NAS-IP-Address = 127.0.1.1
(27)   NAS-Port = 0
(27) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(27)   authorize {
(27)     policy filter_username {
(27)       if (&User-Name) {
(27)       if (&User-Name)  -> TRUE
(27)       if (&User-Name)  {
(27)         if (&User-Name =~ / /) {
(27)         if (&User-Name =~ / /)  -> FALSE
(27)         if (&User-Name =~ /@[^@]*@/ ) {
(27)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(27)         if (&User-Name =~ /\.\./ ) {
(27)         if (&User-Name =~ /\.\./ )  -> FALSE
(27)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(27)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(27)         if (&User-Name =~ /\.$/)  {
(27)         if (&User-Name =~ /\.$/)   -> FALSE
(27)         if (&User-Name =~ /@\./)  {
(27)         if (&User-Name =~ /@\./)   -> FALSE
(27)       } # if (&User-Name)  = notfound
(27)     } # policy filter_username = notfound
(27)     [preprocess] = ok
(27)     [chap] = noop
(27) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(27)     [mschap] = ok
(27)     [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "andrewn", looking up realm NULL
(27) suffix: No such realm "NULL"
(27)     [suffix] = noop
(27) eap: No EAP-Message, not doing EAP
(27)     [eap] = noop
(27) files: users: Matched entry DEFAULT at line 181
(27)     [files] = ok
rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for 72 seconds
rlm_ldap (ldap): Reserved connection (13)
(27) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(27) ldap:    --> (uid=andrewn)
(27) ldap: Performing search in "dc=moodle,dc=com" with filter "(uid=andrewn)", scope "sub"
(27) ldap: Waiting for search result...
(27) ldap: User object found at DN "uid=andrewn,ou=people,dc=moodle,dc=com"
(27) ldap: Processing user attributes
(27) ldap: control:Cleartext-Password := '{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
rlm_ldap (ldap): Released connection (13)
Need 6 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (17), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldaps://auth.in.moodle.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(27)     [ldap] = updated
(27)     [expiration] = noop
(27)     [logintime] = noop
(27) pap: WARNING: Auth-Type already set.  Not setting to PAP
(27)     [pap] = noop
(27)     if (User-Password) {
(27)     if (User-Password)  -> FALSE
(27)   } # authorize = updated
(27) Found Auth-Type = mschap
(27) # Executing group from file /etc/freeradius/sites-enabled/default
(27)   authenticate {
(27) mschap: Found Cleartext-Password, hashing to create NT-Password
(27) mschap: Found Cleartext-Password, hashing to create LM-Password
(27) mschap: Creating challenge hash with username: andrewn
(27) mschap: Client is using MS-CHAPv2
(27) mschap: ERROR: MS-CHAP2-Response is incorrect
(27)     [mschap] = reject
(27)   } # authenticate = reject
(27) Failed to authenticate the user
(27) Using Post-Auth-Type Reject
(27) # Executing group from file /etc/freeradius/sites-enabled/default
(27)   Post-Auth-Type REJECT {
(27) attr_filter.access_reject: EXPAND %{User-Name}
(27) attr_filter.access_reject:    --> andrewn
(27) attr_filter.access_reject: Matched entry DEFAULT at line 11
(27)     [attr_filter.access_reject] = updated
(27)     [eap] = noop
(27)     policy remove_reply_message_if_eap {
(27)       if (&reply:EAP-Message && &reply:Reply-Message) {
(27)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(27)       else {
(27)         [noop] = noop
(27)       } # else = noop
(27)     } # policy remove_reply_message_if_eap = noop
(27)   } # Post-Auth-Type REJECT = updated
(27) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(27) Sending delayed response
(27) Sent Access-Reject Id 122 from 172.17.0.3:1812 to 172.17.0.1:40240 length 103
(27)   MS-CHAP-Error = "\272E=691 R=1 C=c6a8eea80730f4b2f359e698eba21ae4 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(27) Cleaning up request packet ID 122 with timestamp +804
Ready to process requests


I have tried to read the various documentation, but I may well be missing
something so I apologise if that is the case. Is the password in our LDAP
server in an incompatible format, or have I got an error in my
configuration above?

Thanks in advance,

Andrew Nicols
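Editor's added example (not part of Andrew's post or of FreeRADIUS): the decisive log line is "mschap: Found Cleartext-Password, hashing to create NT-Password" right after rlm_ldap set control:Cleartext-Password to the literal '{SSHA}...' string, so mschap built its NT-Password from that string rather than from the real password. The code below shows why that can never match: MS-CHAPv2 (RFC 2759) verifies against MD4(UTF-16LE(password)), which a salted SHA-1 digest cannot be turned into, whereas PAP can still check a submitted password against the same {SSHA} value. The sample password and salt are constructed, and the {NT} header branch is an assumption about what a directory might store instead.

```python
import base64, hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on OpenSSL 3 builds without the legacy provider."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    rounds = ((F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):   # registers rotate: [ABCD], [DABC], [CDAB], [BCDA], ...
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[idx] + k) & M, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_password(cleartext: str) -> bytes:
    """NtPasswordHash from RFC 2759: MD4 over the UTF-16LE password. MS-CHAPv2 verification
    needs exactly this value, and it can only be derived from the cleartext password."""
    return md4(cleartext.encode("utf-16-le"))

def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} storage format: base64(SHA-1(password || salt) || salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def verify_ssha(stored: str, candidate: str) -> bool:
    """What PAP can do with an {SSHA} value: recompute the salted SHA-1 over the submitted password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

def mschap_usable_nt_hash(ldap_value: str):
    """NT-Password rlm_mschap could verify against, or None when the stored value cannot yield one."""
    if ldap_value.startswith("{NT}"):         # assumed: a directory storing the NT hash as hex
        return bytes.fromhex(ldap_value[4:])
    if ldap_value.startswith("{"):            # any other RFC 2307 scheme ({SSHA}, {SHA}, {CRYPT}) is one-way
        return None
    return nt_password(ldap_value)            # cleartext userPassword: the only case mschap can use

# Constructed sample: a directory entry storing the password as {SSHA}, as in the log above.
PASSWORD, STORED = "correct horse", make_ssha("correct horse", b"\x01\x02\x03\x04")
```

Hashing the stored string itself, which is what the log shows mschap doing, gives `nt_password(STORED)`, a value unrelated to `nt_password(PASSWORD)`; the PAP check `verify_ssha(STORED, PASSWORD)` still succeeds against the same entry.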

