MS-CHAP
Fabricio Viana
fabricioviana at hotmail.com
Wed Oct 5 13:54:50 UTC 2022
Hello! I need some help, please.
I need to reject a MSCHAP request based on request:Service-Type.
The access-request package is:
(13) Received Access-Request Id 154 from 186.209.57.182:36712 to 66.228.40.107:1812 length 150
(13) Service-Type = Login-User
(13) User-Name = "domingos"
(13) MS-CHAP-Challenge = 0xa110fa67f06890c435ad37caea5f0687
(13) MS-CHAP2-Response = 0x00008d30616b943fb54593ac922fe9d686d5000000000000000023b65bd8115df118559a56f434829c17838d7120bff04eb5
(13) Calling-Station-Id = "192.168.0.2"
(13) NAS-Identifier = "Main_Router"
(13) NAS-IP-Address = 186.209.57.182
(13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(13) authorize {
(13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) {
(13) EXPAND %{Cisco-AVPair[*]}
(13) -->
(13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE
(13) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
(13) ERROR: Failed retrieving values required to evaluate condition
(13) else {
(13) update request {
(13) EXPAND %{toupper:%{Calling-Station-Id}}
(13) --> 192.168.0.2
(13) Calling-Station-Id := 192.168.0.2
(13) } # update request = noop
(13) } # else = noop
(13) if (!control:Cleartext-Password){
(13) if (!control:Cleartext-Password) -> TRUE
(13) if (!control:Cleartext-Password) {
(13) update control {
(13) Cleartext-Password := "no_user_found_radiusnet"
(13) } # update control = noop
(13) } # if (!control:Cleartext-Password) = noop
(13) [preprocess] = ok
(13) [chap] = noop
(13) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(13) [mschap] = ok
(13) eap: No EAP-Message, not doing EAP
(13) [eap] = noop
(13) sql: EXPAND %{User-Name}
(13) sql: --> domingos
(13) sql: SQL-User-Name set to 'domingos'
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'domingos' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'domingos' ORDER BY id
(13) sql: User found in radcheck table
(13) sql: Conditional check items matched, merging assignment check items
(13) sql: Cleartext-Password := "ghcjkgfh"
(13) sql: Service-Type := Login-User
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'domingos' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'domingos' ORDER BY id
(13) sql: User found in radreply table, merging reply items
(13) sql: Mikrotik-Group = "full"
(13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(13) sql: --> SELECT groupname FROM radusergroup WHERE username = 'domingos' ORDER BY priority
(13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'domingos' ORDER BY priority
(13) sql: User not found in any groups
(13) [sql] = ok
(13) pap: WARNING: Auth-Type already set. Not setting to PAP
(13) [pap] = noop
(13) } # authorize = ok
(13) Found Auth-Type = mschap
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13) authenticate {
(13) mschap: Found Cleartext-Password, hashing to create NT-Password
(13) mschap: Found Cleartext-Password, hashing to create LM-Password
(13) mschap: Creating challenge hash with username: domingos
(13) mschap: Client is using MS-CHAPv2
(13) mschap: Adding MS-CHAPv2 MPPE keys
(13) [mschap] = ok
(13) } # authenticate = ok
(13) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(13) post-auth {
(13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) {
(13) EXPAND %{Cisco-AVPair[*]}
(13) -->
(13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE
(13) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
(13) ERROR: Failed retrieving values required to evaluate condition
(13) else {
(13) update request {
(13) EXPAND %{toupper:%{Calling-Station-Id}}
(13) --> 192.168.0.2
(13) Calling-Station-Id := 192.168.0.2
(13) } # update request = noop
(13) } # else = noop
(13) sqlippool_v4: No Pool-Name defined
(13) sqlippool_v4: EXPAND No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})
(13) sqlippool_v4: --> No Pool-Name defined (did cli 192.168.0.2 port user domingos)
(13) [sqlippool_v4] = noop
(13) sqlippool_v6: No Pool-Name defined
(13) sqlippool_v6: EXPAND No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})
(13) sqlippool_v6: --> No Pool-Name defined (did cli 192.168.0.2 port user domingos)
(13) [sqlippool_v6] = noop
(13) update {
(13) No attributes updated
(13) } # update = noop
(13) sql: EXPAND .query
(13) sql: --> .query
(13) sql: Using query template 'query'
(13) sql: EXPAND %{User-Name}
(13) sql: --> domingos
(13) sql: SQL-User-Name set to 'domingos'
(13) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{NAS-IP-Address}', '%{Calling-Station-Id}')
(13) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'domingos', '', 'Access-Accept', UTC_TIMESTAMP(), '186.209.57.182', '192.168.0.2')
(13) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'domingos', '', 'Access-Accept', UTC_TIMESTAMP(), '186.209.57.182', '192.168.0.2')
(13) sql: SQL query returned: success
(13) sql: 1 record(s) updated
(13) [sql] = ok
(13) [exec] = noop
(13) policy remove_reply_message_if_eap {
(13) if (&reply:EAP-Message && &reply:Reply-Message) {
(13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(13) else {
(13) [noop] = noop
(13) } # else = noop
(13) } # policy remove_reply_message_if_eap = noop
(13) } # post-auth = ok
(13) Sent Access-Accept Id 154 from 66.228.40.107:1812 to 186.209.57.182:36712 length 0
(13) Mikrotik-Group = "full"
(13) MS-CHAP2-Success = 0x00533d37323241353031413237414144393731304344434439394143333631313837374641433930343844
(13) MS-MPPE-Recv-Key = 0x9fa3aa9656828c3e1aa891107bca46ef
(13) MS-MPPE-Send-Key = 0x7fe346a576db74394b746b3b638a4037
(13) MS-MPPE-Encryption-Policy = Encryption-Allowed
(13) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(13) Finished request
The authenticate section on sites-enabled default is:
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap{
reject = 1
invalid = 1
}
if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group){
reject
}
if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group){
reject
}
if (request:Service-Type == Framed-User && reply:Mikrotik-Group){
reject
}
if (invalid && Framed-Protocol == PPP) {
ok
update control {
Auth-Type := "Accept"
Pool-Name := "pool_username_or_mac_error"
}
update request{
User-Password := "username_or_mac_error"
}
update reply {
framed-pool := "pool_username_or_mac_error"
mikrotik-rate-limit := 10k
framed-ip-address !* ANY
}
#ok
}
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap{
reject = 1
invalid = 1
}
if (request:Service-Type == Login-User){
reject
}
}
#
# For old names, too.
#
mschap
#
# Allow EAP authentication.
eap
}
I´m trying to follow the same logic from "Auth-Type CHAP", but without success.
Could please someone point me the right directions, please?
Thanks
Fabricio Viana
More information about the Freeradius-Users
mailing list