Hi all,

 

I am using FreeRADIUS for quite some time now, though I can't wrap my mind around one thing:

 

When a module (say, mschap with ntlm_auth) returns REJECT because of the user is not present in the AD, I want to continue processing the request to, let's say, accept the request, but provide an alternative VLAN (Tunnel-Id) to the endpoint.

 

In chapter 16.3.1 of http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf, section "Return Codes as Modules", it clearly states:

 

* reject: Causes the request to be immediately rejected

 

So my question boils down to:

 

How can I use the mscap module to check whether a user is valid, and somehow anticipate that he/she does not exist, and continue with an alternate processing (read: decide later on whether to accept/reject the user) in such a case.

 

I thank you very much in advance, and I appreciate your answer.

 

For full reference, I included my current setup with explainations:

 

---

 

Using EAP-PEAPv0 -> valid user credentials should result in an accept with AV-Pair list A and invalid credentials should result in Accept but AV-Pair list B

 

Example:

Using EAP-PEAP

Login OK

Sending Accept and

  Tunnel-Type = VLAN

  Tunnel-Medium-Type = IEEE-802

  Tunnel-Private-Group-Id = "22"

 

Login failed

Sending Accept and

  Tunnel-Type = VLAN

  Tunnel-Medium-Type = IEEE-802

  Tunnel-Private-Group-Id = "33"

 

I want to control the result via a manipulated control attribute AcnACLType. I set these attibutes from withing rlm_perl:

 

########### Snippet Perl Policy ###############################

if  (  $RAD_CHECK{'AcnACLType'} eq "data" )  {

     $RAD_CHECK{'Auth-Type'}= "Accept";

     $RAD_REPLY{'Reply-Message'}= "data";

     $RAD_REPLY{'Tunnel-Medium-Type'}= "IEEE-802";

     $RAD_REPLY{'Tunnel-Private-Group-Id'}= "22";

     $RAD_REPLY{'Tunnel-Type'}= "VLAN";

 return  RLM_MODULE_OK;

 

 }

 elsif  (  $RAD_CHECK{'AcnACLType'} eq "authfail" )  {

       $RAD_CHECK{'Auth-Type'}= "Accept";

       $RAD_REPLY{'Reply-Message'}= "AuthFail";

       $RAD_REPLY{'Tunnel-Medium-Type'}= "IEEE-802";

       $RAD_REPLY{'Tunnel-Private-Group-Id'}= "33";

       $RAD_REPLY{'Tunnel-Type'}= "VLAN";

 return  RLM_MODULE_OK;

 

 }

 

########### Snippet Perl Policy ###############################

 

In case of MSCHAP authenticating, everything works as expected:

 

===================Begin LOG ================================

Wed Jun 18 09:59:50 2014 : Info: [eap] processing type mschapv2

Wed Jun 18 09:59:50 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel

Wed Jun 18 09:59:50 2014 : Info: [mschapv2] +- entering group MS-CHAP {...}

Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt

Wed Jun 18 09:59:50 2014 : Info: [mschap] Told to do MS-CHAPv2 for pschmidt with NT-Password

Wed Jun 18 09:59:50 2014 : Info: [mschap]   expand: --domain=%{mschap:NT-Domain} -> --domain=testlab.auconet.lan

Wed Jun 18 09:59:50 2014 : Info: [mschap]   expand: --username=%{mschap:User-Name} -> --username=pschmidt

Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt

Wed Jun 18 09:59:50 2014 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9499863a8977daa3

Wed Jun 18 09:59:50 2014 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=161b24c676d1a53738cdb10037111c81f1fe1d4d5407266a

Wed Jun 18 09:59:50 2014 : Debug: Exec-Program output: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886

Wed Jun 18 09:59:50 2014 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886

Wed Jun 18 09:59:50 2014 : Debug: Exec-Program: returned: 0

Wed Jun 18 09:59:50 2014 : Info: ++[mschap] returns ok

Wed Jun 18 09:59:50 2014 : Info: ++? if (ok)

Wed Jun 18 09:59:50 2014 : Info: ? Evaluating (ok) -> TRUE

Wed Jun 18 09:59:50 2014 : Info: ++? if (ok) -> TRUE

Wed Jun 18 09:59:50 2014 : Info: ++- entering if (ok) {...}

Wed Jun 18 09:59:50 2014 : Info: +++[control] returns ok

Wed Jun 18 09:59:50 2014 : Info: ++- if (ok) returns ok

Wed Jun 18 09:59:50 2014 : Info: ++ ... skipping elsif for request 20: Preceding "if" was taken

Wed Jun 18 09:59:50 2014 : Debug: MSCHAP Success

Wed Jun 18 09:59:50 2014 : Info: ++[eap] returns handled

} # server inner-tunnel

 

Wed Jun 18 09:59:50 2014 : Info: ++[control] returns ok

                    :

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair User-Name = testlab.auconet.lan\\pschmidt

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x030b0004

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-EMSK = 0x97d3f6e398c284127ee6ad52d55d8a0e609e453971050f546c964193d18dae3c0d74518ef466560670426f120bae29e1c268494e07b5c13ce67033c7135a08d3

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 22

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair AcnACLType = data

Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept

Wed Jun 18 09:59:50 2014 : Info: ++[perlpolicy] returns ok

Wed Jun 18 09:59:50 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default

Wed Jun 18 09:59:50 2014 : Info: +- entering group post-auth {...}

Wed Jun 18 09:59:50 2014 : Info: ++[exec] returns noop

 

 

Sending Access-Accept of id 11 to 127.0.0.1 port 38368

  Reply-Message = "AuthFail"

  MS-MPPE-Send-Key = 0x8cc588be92973040e5f09c8ebdc30ea4480a717aaf984fdf8182c3c6c5ffbfa8

  Tunnel-Type:0 = VLAN

  Tunnel-Medium-Type:0 = IEEE-802

  Message-Authenticator = 0x00000000000000000000000000000000

  User-Name = "testlab.auconet.lan\\pschmidt"

  MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5

  EAP-Message = 0x030b0004

  Tunnel-Private-Group-Id:0 = "22"

Wed Jun 18 09:59:50 2014 : Info: Finished request 22.

=============================== END LOG =====================================

 

My problem begins if the credentials are invalid. In this case inner-tunnel returns with "REJECT" and then there seems to be no way to change this into an "ACCEPT". My feeling at this point is that I miss an important concept in the way FreeRADIUS processes requests.

 

Here is a snippet from inner-tunnel section:

 

############### SNIP ##########################

authenticate {

  Auth-Type EAP {

    eap {

            ok = 1

            reject = return

            fail=return

        }

#

                if (ok) {

                        update control {

                                Auth-Type := "Accept"

                                AcnACLType="data"

                        }

                }

                elsif (reject) {

                        update control {

                                Auth-Type := "Accept"

                                AcnACLType="authfail"

                                LogMessage := "RadiusReject"

                        }

                        auconetLog

                }

    }

  ########################## End Inner tunnel ###########################

 

  and in default server

 

  ############################ Default Server ###########################

    Auth-Type EAP {

                eap {

                        ok = 1

                        reject = return

                        invalid =1

                }

 

                if (ok) {

                        update control {

                                #Auth-Type := "Accept"

                                AcnACLType := "data"

                        }

                        #update reply {

                        #    Tunnel-Type := VLAN

                        #    Tunnel-Medium-Type := IEEE-802

                      #    Tunnel-Private-Group-Id := "22"

                        #}

                }

 

                elsif (reject || invalid ) {

                        update control {

                                AcnACLType := "authfail"

                                LogMessage := "RadiusReject"

                                Auth-Type := "Accept"

 

                        }

                        auconetLog

                        update reply {

                            Tunnel-Type := VLAN

                            Tunnel-Medium-Type := IEEE-802

                            Tunnel-Private-Group-Id := "33"

                        }

                }

               update control {

                     FreeRADIUS-Client-Shortname="%{Client-Shortname}"

 

                  }

                  perlpolicy

 

 

        }

  ######################################################

 

  The log is:

 

  ================ LOG Begin ===================================

  Wed Jun 18 10:48:04 2014 : Info: [eap] processing type mschapv2

Wed Jun 18 10:48:04 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel

Wed Jun 18 10:48:04 2014 : Info: [mschapv2] +- entering group MS-CHAP {...}

Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail

Wed Jun 18 10:48:04 2014 : Info: [mschap] Told to do MS-CHAPv2 for radiusfail with NT-Password

Wed Jun 18 10:48:04 2014 : Info: [mschap] No NT-Domain was found in the User-Name.

Wed Jun 18 10:48:04 2014 : Info: [mschap]   expand: --domain=%{mschap:NT-Domain} -> --domain=

Wed Jun 18 10:48:04 2014 : Info: [mschap]   expand: --username=%{mschap:User-Name} -> --username=radiusfail

Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail

Wed Jun 18 10:48:04 2014 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3fc42259705d168a

Wed Jun 18 10:48:04 2014 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1a7a459b40d3527944a7aadcdf32a499c097cf0dc1c296ad

 

Wed Jun 18 10:48:04 2014 : Debug: Exec-Program output: Logon failure (0xc000006d)

Wed Jun 18 10:48:04 2014 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

Wed Jun 18 10:48:04 2014 : Debug: Exec-Program: returned: 1

Wed Jun 18 10:48:04 2014 : Info: [mschap] External script failed.

Wed Jun 18 10:48:04 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect

Wed Jun 18 10:48:04 2014 : Info: ++[mschap] returns reject

Wed Jun 18 10:48:04 2014 : Info: [eap] Freeing handler

Wed Jun 18 10:48:04 2014 : Info: ++[eap] returns reject  <<<<<<

Wed Jun 18 10:48:04 2014 : Info: Failed to authenticate the user.

} # server inner-tunnel

Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply code 3

  MS-CHAP-Error = "\tE=691 R=1"

  EAP-Message = 0x04090004

  Message-Authenticator = 0x00000000000000000000000000000000

Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply RADIUS code 3

  MS-CHAP-Error = "\tE=691 R=1"

  EAP-Message = 0x04090004

  Message-Authenticator = 0x00000000000000000000000000000000

Wed Jun 18 10:48:04 2014 : Info: [peap] Tunneled authentication was rejected.

 

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair State = 0xe26df394eb67ea7b6c664f076e6e6a50

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Calling-Station-Id = 02:00:00:00:00:01

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x6ab434e42ece49cdb13eb90438443c03

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair User-Name = radiusfail

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x020a0050190017030100208c1c20ac2dcb12e53b8a57d494b40657b43bd5019ca84e352e57a1069a1176a917030100209ed7b46fa6d167c1aacf327ae328c70674c366c0ddeceab26e7ba5232f3b029e

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Type = PEAP

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair NAS-IP-Address = 127.0.0.1

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Framed-MTU = 1400

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Reply-Message = AuthFail

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x040a0004

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 33

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair FreeRADIUS-Client-Shortname = localhost

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair LogMessage = RadiusReject

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair AcnACLType = authfail

Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept

Wed Jun 18 10:48:04 2014 : Info: ++[perlpolicy] returns ok

Wed Jun 18 10:48:04 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default

Wed Jun 18 10:48:04 2014 : Info: +- entering group post-auth {...}

Wed Jun 18 10:48:04 2014 : Info: ++[exec] returns noop

Wed Jun 18 10:48:04 2014 : Info: Using Post-Auth-Type Reject

Wed Jun 18 10:48:04 2014 : Info: # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default

Wed Jun 18 10:48:04 2014 : Info: +- entering group REJECT {...}

Wed Jun 18 10:48:04 2014 : Info: ++- group REJECT returns noop

Wed Jun 18 10:48:04 2014 : Info: Delaying reject of request 10 for 1 seconds

Wed Jun 18 10:48:04 2014 : Debug: Going to the next request

Wed Jun 18 10:48:04 2014 : Debug: Waking up in 0.9 seconds.

Wed Jun 18 10:48:05 2014 : Info: Sending delayed reject for request 10

Sending Access-Reject of id 10 to 127.0.0.1 port 51730

  Reply-Message = "AuthFail"

  EAP-Message = 0x040a0004

  Tunnel-Medium-Type:0 = IEEE-802

  Tunnel-Type:0 = VLAN

  Tunnel-Private-Group-Id:0 = "33"

  Message-Authenticator = 0x00000000000000000000000000000000

Wed Jun 18 10:48:05 2014 : Debug: Waking up in 3.9 seconds.

================= LOG End =====================================

 

My naïve idea is to instead send an Access-Accept with a Tunnel-Id of 11. I disabled the filter in

 

    Post-Auth-Type REJECT {

    #attr_filter.access_reject

  }

 

to see attributes from my perl-policy.

 

 

Thanks