PEAP/EAP-MSCHAPv2 module modification problem
Hello list, I am using PEAP-EAP-MSCHAPv2 combo with freeradius. I modified EAP-MSCHAPv2 rlm to use a weird password store system and authentication works fine. There is one thing I am missing - I need to add a specific VSA to access-accept (depending on the user) and am trying to do it this way: #define VENDOR_CISCO 9 #define CISCO_SSG_ACCOUNT_INFO 250 VALUE_PAIR *myvsa; myvsa = radius_paircreate(request, &request->reply->vps, CISCO_SSG_ACCOUNT_INFO, VENDOR_CISCO); if (myvsa == NULL) RDEBUG("MYVSA == NULL"); const char *mystr="AINTERNET"; pairmemcpy(myvsa, (const uint8_t *)mystr,4); this is done under case PW_MSCHAP2_SUCCESS: (line ~180) in rlm_eap_mschapv2.c module. There is no error but I never see this output on access-accept sent to BRAS. What am I doing wrong? Is there a better way to achieve this? BR, iostres
Forgot to mention - if I put this AVP in rlm_eap.c (line 439) under: if ((request->reply->code == PW_AUTHENTICATION_ACK) && request->username) { This VSA is contained in outgoing access-accept. But the problem is that this VSA value should be set in eap-mschapv2. How to transfer value from EAP-MSCHAPv2 to rlm_eap? BR, iostres On 5/23/13 12:45 PM, Ivan Ostres wrote:
Hello list,
I am using PEAP-EAP-MSCHAPv2 combo with freeradius. I modified EAP-MSCHAPv2 rlm to use a weird password store system and authentication works fine. There is one thing I am missing - I need to add a specific VSA to access-accept (depending on the user) and am trying to do it this way:
#define VENDOR_CISCO 9 #define CISCO_SSG_ACCOUNT_INFO 250
VALUE_PAIR *myvsa; myvsa = radius_paircreate(request, &request->reply->vps, CISCO_SSG_ACCOUNT_INFO, VENDOR_CISCO); if (myvsa == NULL) RDEBUG("MYVSA == NULL"); const char *mystr="AINTERNET"; pairmemcpy(myvsa, (const uint8_t *)mystr,4);
this is done under
case PW_MSCHAP2_SUCCESS: (line ~180) in rlm_eap_mschapv2.c module.
There is no error but I never see this output on access-accept sent to BRAS. What am I doing wrong? Is there a better way to achieve this?
BR, iostres - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On 23/05/13 12:00, Ivan Ostres wrote:
Forgot to mention - if I put this AVP in rlm_eap.c (line 439) under:
if ((request->reply->code == PW_AUTHENTICATION_ACK) && request->username) {
This VSA is contained in outgoing access-accept. But the problem is that this VSA value should be set in eap-mschapv2. How to transfer value from EAP-MSCHAPv2 to rlm_eap?
It sounds like you need: use_tunneled_reply = yes ...in your "peap {}" block. Attributes from the inner access-accept should be copied to the outer if this is set.
On 5/23/13 1:24 PM, Phil Mayers wrote:
On 23/05/13 12:00, Ivan Ostres wrote:
Forgot to mention - if I put this AVP in rlm_eap.c (line 439) under:
if ((request->reply->code == PW_AUTHENTICATION_ACK) && request->username) {
This VSA is contained in outgoing access-accept. But the problem is that this VSA value should be set in eap-mschapv2. How to transfer value from EAP-MSCHAPv2 to rlm_eap?
It sounds like you need:
use_tunneled_reply = yes
...in your "peap {}" block. Attributes from the inner access-accept should be copied to the outer if this is set. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Hi! I actually set that one...the real question is -> how to send/receive pairs between rlm_eap and handler (rlm_eap_mschapv2)? This communication part is the real problem. BR, iostres
Ivan Ostres wrote:
I am using PEAP-EAP-MSCHAPv2 combo with freeradius. I modified EAP-MSCHAPv2 rlm to use a weird password store system
You should do that ONLY if the password store does MS-CHAP. Otherwise, you should write a module to pull the password from the store, and let FreeRADIUS do the rest.
There is no error but I never see this output on access-accept sent to BRAS. What am I doing wrong? Is there a better way to achieve this?
As Phil said, you need to set "use_tunneled_reply" in the PEAP module. Or, since you're already hacking the code, just access request->parent->reply directly. Alan DeKok.
On 5/23/13 2:59 PM, Alan DeKok wrote:
Ivan Ostres wrote:
I am using PEAP-EAP-MSCHAPv2 combo with freeradius. I modified EAP-MSCHAPv2 rlm to use a weird password store system You should do that ONLY if the password store does MS-CHAP.
Otherwise, you should write a module to pull the password from the store, and let FreeRADIUS do the rest.
Hi Alan, thanks for answering - I indeed have a weird setup here - I have 2 external authentication systems: (1) fast one acting as cache (that means it could have stale password info) (2) slow one which always have a right password The thing is that I need to use (1) whenever possible so I can do the lookup in (1) while in rlm_eap and simply do "pairmake_config("NT-Password",....). Then in eap-mschapv2 handler I need to check whether this password is ok (I can do that by checking response from peer and then if password appear to be wrong I need to contact (2) to check whether password is really wrong or just (1) was wrong. If password in (2) is correct, I need to update record in (1). Since I don't want to open new connection to (1) and (2) for every authentication I wanted to keep connections open in rlm_eap module instead in eap-mschapv2 handler but somehow I need to know whether password from (1) or (2) was eventually used to update (1) if needed - that;s why I asked how can I propagate info from eap-mschapv2 handler back to rlm_eap. BR, iostres
Ivan Ostres wrote:
On 5/23/13 2:59 PM, Alan DeKok wrote: The thing is that I need to use (1) whenever possible so I can do the lookup in (1) while in rlm_eap and simply do "pairmake_config("NT-Password",....).
As I said, your design is wrong. The EAP module SHOULD NOT be doing password lookups to external systems. And the server really isn't set up for things like "try authentication 1, if it fails, try authentication 2".
Then in eap-mschapv2 handler I need to check whether this password is ok (I can do that by checking response from peer and then if password appear to be wrong I need to contact (2) to check whether password is really wrong or just (1) was wrong. If password in (2) is correct, I need to update record in (1).
Keeping systems in sync is really outside of FreeRADIUS. But you can do what you want in the default configuration. All you need is to create a module which looks up passwords in (1) or in (2).
Since I don't want to open new connection to (1) and (2) for every authentication
You don't. That's why the git "head" has a connection pool API. See rlm_sql, rlm_ldap, rlm_redis, etc.
I wanted to keep connections open in rlm_eap module instead in eap-mschapv2 handler but somehow I need to know whether password from (1) or (2) was eventually used to update (1) if needed - that;s why I asked how can I propagate info from eap-mschapv2 handler back to rlm_eap.
You're asking the wrong question. You SHOULD be doing this in the "inner-tunnel" virtual server: authorize { ... lookup_password_in_1 ... eap ... } authenticate { ... Auth-Type MS-CHAP { mschap { reject = 1 } if (reject) { update reply { MS-CHAP-Error !* 0x00 } lookup_password_in_2 mschap } } } That will fix the problem. It will also ensure that your module will *continue* working when the server is upgraded. You won't need source-code patches. And you won't be fighting with the internals of the EAP module. The whole reason you're having issues is because the module isn't *designed* to support what you're doing. Because it's wrong. Alan DeKok.
participants (3)
-
Alan DeKok -
Ivan Ostres -
Phil Mayers