Hi,
As you can see, staff/authorize/pap actually found the NT-Password and did it's stuff with it.
If you compare that with the same pap instance on the other request, it just says noop.
And if you look at the previous line, in the correct flow also the eap-staff module is not silent, prints out "eap-staff : No EAP-Message, not doing EAP"; but on the incorrect one, it only prints "noop".
So, I can only suspect that the proxy-to-vserver functionality breaks it.
And this continues to be my suspicion. Stefan
Greetings,
Stefan Winter
On 15.04.2014 10:26, Stefan Winter wrote:
Hi,
posting to devel, as this is possibly a severe bug. Apologies if not.
In FR 2, I authenticated our staff against a users-style file, setting NT-Password := ...
Their passwords were checked.
In FreeRADIUS 3, I retained this, NT-Passwords are found, pap returns noop(?), authorize returns ok, and then I see
Auth-Type = Accept, accepting the user
*regardless of his password* ?
I've rolled back the one affected vserver that had this problem, but would be really interested in an explanation. here is the -X flow:
rad_recv: Access-Request packet from host 158.64.1.65 port 46814, id=96, length=63 User-Name = 'ctompers' User-Password = '' NAS-Identifier = 'AAI-Staff-IdP' (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/AAI (11) authorize { (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) -> TRUE (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) { (11) update request { (11) RESTENA-Service-Type := 'Staff-AAI' (11) } # update request = noop (11) } # if ( NAS-Identifier == "AAI-Staff-IdP" ) = noop (11) ... skipping else for request 11: Preceding "if" was taken (11) suffix : No '@' in User-Name = "ctompers", looking up realm NULL (11) suffix : No such realm "NULL" (11) [suffix] = noop (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) -> TRUE (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) { (11) update control { (11) Proxy-To-Realm := 'TO-STAFF' (11) } # update control = noop (11) } # if ( NAS-Identifier == "AAI-Staff-IdP" ) = noop (11) ... skipping else for request 11: Preceding "if" was taken (11) } # authorize = noop Proxying to virtual server staff (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/staff (11) authorize { (11) if ( "%{NAS-Identifier}" == "ejabberd" ) (11) EXPAND %{NAS-Identifier} (11) --> AAI-Staff-IdP (11) if ( "%{NAS-Identifier}" == "ejabberd" ) -> FALSE (11) elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) (11) EXPAND %{NAS-Identifier} (11) --> AAI-Staff-IdP (11) elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) -> TRUE (11) elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) { (11) update request { (11) RESTENA-Service-Type = 'Staff-AAI' (11) } # update request = noop (11) } # elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) = noop (11) ... skipping else for request 11: Preceding "if" was taken (11) if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) (11) Client does not contain config item "staff_type" (11) EXPAND %{client:staff_type} (11) --> (11) if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) -> FALSE (11) if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) (11) EXPAND %{RESTENA-Service-Type} (11) --> Staff-AAI (11) if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) -> FALSE (11) auth_log_silent : EXPAND /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail (11) auth_log_silent : --> /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail (11) auth_log_silent : /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail (11) auth_log_silent : EXPAND %t (11) auth_log_silent : --> Tue Apr 15 09:57:57 2014 (11) [auth_log_silent] = ok (11) if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) (11) EXPAND %{RESTENA-Service-Type} (11) --> Staff-AAI (11) if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) -> FALSE (11) else else { (11) staff-auth : users: Matched entry ctompers at line 22 (11) [staff-auth] = ok (11) } # else else = ok (11) if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) (11) EXPAND %{RESTENA-Service-Type} (11) --> Staff-AAI (11) if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) -> TRUE (11) if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) { (11) staff-attributes : users: Matched entry ctompers at line 45 (11) [staff-attributes] = ok (11) } # if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) = ok (11) [mschap] = noop (11) [eap-staff] = noop (11) [pap] = noop (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) (11) EXPAND %{Packet-Src-IP-Address} (11) --> 158.64.1.65 (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) -> FALSE (11) } # authorize = ok (11) Auth-Type = Accept, accepting the user (11) # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/staff (11) post-auth { (11) restena_log_policy restena_log_policy {
You see two files matches:
the first one, "staff-auth : users: Matched entry ctompers at line 22" is the NT-Password:
[...] ctompers NT-Password := EA38E7ADC559499F31CF4FA0F195ABCD [...]
(the password hash is edited)
The second match is a series of reply attributes, none of which is Auth-Type of course. The match at that line 45 is expected.
But... WHY does it not check the password against the NT-Password? This same config works with FreeRADIUS 2; pap returns updated, authorize returns updated, and authenticate checks the input against the configured password?
Greetings,
Stefan Winter
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66