Hi,

I have been trying to implement a RADIUS authentication server at my workplace. The idea is to have all wifi access points authenticate against a RADIUS server.
The RADIUS server needs to pass authentication to a backend Active Directory server. I have been successful in authenticating wifi users against file-based and SQL-based authentication in RADIUS. NTLM_AUTH using PAP also works fine, wherein the plaintext password is successfully authenticated against the AD and I get an "Access-Accept". However, when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP it does not work and I end up with an "Access-Reject". It seems that the ntlm_auth program is not parsing the received encrypted password, hence the authentication fails. MSCHAP is a requirement as wifi clients at my place mostly have an EAP supplicant. (I read in the freeradius documentation that EAP and LDAP don't go hand in hand; I may be wrong in interpreting that.)

The freeradius logs for all the cases are listed below. RADIUS gurus, please point me in the right direction as to how to make MS_CHAP authentication work over ntlm_auth or LDAP (if possible).

PS: I did all the testing using the JRadius simulator.

Regards
Dhiraj Gaur

-------------------------- LOGS ------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=69
    User-Name = "01546"
    User-Password = "xxxxxxxxxxx" --> (Plain Text password)
    NAS-IP-Address = 192.168.0.199
    Message-Authenticator = 0x008294e58343b74ea977c228f5b5ec5d
Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx --> (We can see the password in plaintext)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
User-Password := [Encrypted String]
NAS-IP-Address := 192.168.0.199
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessAccept
Attributes:

-----------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=88
    User-Name = "01546"
    NAS-IP-Address = 192.168.0.199
    CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57
    CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e
    Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2
Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok
Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:29:27 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds
Fri Jan 20 18:29:27 2012 : Debug: Going to the next request
Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5
Sending Access-Reject of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
CHAP-Challenge := [Binary Data (length=16)]
CHAP-Password := [Binary Data (length=17)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:

--------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23, length=133
    User-Name = "01546"
    NAS-IP-Address = 192.168.0.199
    MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
    MS-CHAP2-Response = 0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
    Message-Authenticator = 0x92716bba8963b228666c070135f8245a
Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok
Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:29:57 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds
Fri Jan 20 18:29:57 2012 : Debug: Going to the next request
Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds.
Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6
Sending Access-Reject of id 23 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
MS-CHAP-Challenge := [Binary Data (length=16)]
MS-CHAP2-Response := [Binary Data (length=50)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:

-----------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24, length=63
    User-Name = "01546"
    NAS-IP-Address = 192.168.0.199
    EAP-Message = 0x0200000a013031353436
    Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9
Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length 10
Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:30:30 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds
Fri Jan 20 18:30:30 2012 : Debug: Going to the next request
Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7
Sending Access-Reject of id 24 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
EAP-Message := [Binary Data (length=10)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
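In every non-PAP trace above the exec-style ntlm_auth module expands --password=%{User-Password} to an empty string, because CHAP and MS-CHAP requests carry a challenge/response instead of the cleartext password, so winbind reports NT_STATUS_WRONG_PASSWORD. As an added example (not the poster's configuration), here is the exec-style module as the logs imply it is set up, beside the standard FreeRADIUS 2.x form in which the mschap module hands the challenge and NT-Response to ntlm_auth; the ntlm_auth path, the domain name EXAMPLE and the section layout are assumptions.

```conf
# Added example, not the poster's configuration. Path, domain and layout assumed.

# What the logs show: an exec module giving ntlm_auth the cleartext password.
# This can only succeed for PAP, the one method that carries User-Password.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# Corrected form (modules/mschap): the mschap module passes the 8-byte
# challenge and the 24-byte NT-Response; winbind verifies them against the
# NT hash held in AD, so no cleartext password is ever needed or exposed.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-enabled/default: the exec module is NOT listed in authorize, where its
# reject would short-circuit every CHAP, MS-CHAP and EAP request as seen above.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    # Only requests that actually carry User-Password (PAP) go to ntlm_auth.
    if (!control:Auth-Type && User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    # MS-CHAPv1/v2 directly, and EAP-MSCHAPv2 inside PEAP/TTLS via the eap
    # module, both end up in the mschap module above.
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

Plain CHAP (the second trace) cannot be checked against AD this way at all: verifying a CHAP-Password requires the server to recompute MD5 over the cleartext password, which neither ntlm_auth nor AD will hand out, so the supplicants should be configured for MS-CHAPv2 (typically inside PEAP) rather than CHAP.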