Hi
I have been trying to implement radius authetication server
at my workplace. The idea is to have all wifi access points authenticate
against a radius server.
The radius server needs to pass
authentication to a backend Active Directory server. I have been
sucessful in authenticating wifi users against file based and SQL based
authentication in radius. NTLM_AUTH using PAP also works fine, wherein
plaintext password is sucessfully authenticated against the AD and I get
an "Access-Accept". However when I pass the same credentials over CHAP,
MSCHAP or EAP_MSCHAP the same is not working and I end up in a
"Access-Reject". Seems like that the ntlm_auth program is not parsing
the received encrypted password hence the authetication fails. MSCHAP is
a requirement as wifi clients at my place mostly have eap supplicant.
(Read in freeradius documentation that eap and ldap doesnt go hand in
hand, I may be wrong at interpreting the same)
The freeradius logs for all the cases is listed below. Radius gurus
please point me to the right direction as to make MS_CHAP authentication
owrk over ntlm_auth or ldap(if possible).
PS: I did all the testing using JRadius simulator.
Regards
Dhiraj Gaur
-------------------------- LOGS ------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=69
User-Name = "01546"
User-Password = "xxxxxxxxxxx" --> (Plian Text password)
NAS-IP-Address = 192.168.0.199
Message-Authenticator = 0x008294e58343b74ea977c228f5b5
ec5d
Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri
Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=xxxxxxxxx --> (We can
see the password in plaintext)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
Fri
Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 22 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
User-Password := [Encrypted String]
NAS-IP-Address := 192.168.0.199
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:
-----------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=88
User-Name = "01546"
NAS-IP-Address = 192.168.0.199
CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57
CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e
Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2
Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok
Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:29:27 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds
Fri Jan 20 18:29:27 2012 : Debug: Going to the next request
Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5
Sending Access-Reject of id 22 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
CHAP-Challenge := [Binary Data (length=16)]
CHAP-Password := [Binary Data (length=17)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
--------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23, length=133
User-Name = "01546"
NAS-IP-Address = 192.168.0.199
MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
MS-CHAP2-Response = 0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
Message-Authenticator = 0x92716bba8963b228666c070135f8245a
Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok
Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:29:57 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds
Fri Jan 20 18:29:57 2012 : Debug: Going to the next request
Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds.
Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6
Sending Access-Reject of id 23 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
MS-CHAP-Challenge := [Binary Data (length=16)]
MS-CHAP2-Response := [Binary Data (length=50)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
-----------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24, length=63
User-Name = "01546"
NAS-IP-Address = 192.168.0.199
EAP-Message = 0x0200000a013031353436
Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9
Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length 10
Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:30:30 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds
Fri Jan 20 18:30:30 2012 : Debug: Going to the next request
Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7
Sending Access-Reject of id 24 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
EAP-Message := [Binary Data (length=10)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes: