On 2/7/25 4:48 PM, Alan DeKok wrote:
On Feb 7, 2025, at 7:44 PM, Alan Batie <alan@batie.org> wrote:
I'm migrating an outdated system from centos 5/freeradius 1.1.7
Oh boy, that is decades old.
Yes, we've tried to update it before but other things interfered
to ubuntu 24/freeradius 3.2.5; it authenticates ppp connections via mschap by mac address with an sql procedure call. It doesn't look like there's anything to configure in mschap, the old system has all the mschap stuff commented out by default and so does the new system, but mschap is failing and it looks like it's not even getting to the sql part. It really just needs to ignore the mschap since the only part of it getting used is one of a few static usernames. I can send the full debug output privately if need be...
The debug log doesn't show it running sql, or getting the "known good' password from anywhere.
Where are the static usernames defined?
The client system is configured with a static user/pw, there's an sql procedure that verifies the static user/pw then checks the mac address against the db It's not getting to the sql because the mschap is failing. Which gave me the idea of putting sql first, and it passes, but mschap fails, so I tried just commenting out mschap, but then it complains that nothing is handling cleartext passwords. I'm not sure how it's working on the old system since the point of chap is to avoid *having* passwords... (0) Received Access-Request Id 23 from 10.65.23.69:40816 to 10.67.10.137:1812 length 294 (0) Message-Authenticator = 0x7a435fe1cbf36ab524723fb9be348c31 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port-Type = Ethernet (0) User-Name = "<username>" (0) Calling-Station-Id = "<macaddr>" (0) Calling-Station-Id = "tarana-service" (0) NAS-Port-Id = "vlan2000-tarana" (0) Acct-Session-Id = "81f01557" (0) MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135 (0) MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646530306330366137666137376464356132313063313662623037613235363063623563333838373264 (0) NAS-Identifier = "admin03" (0) NAS-IP-Address = 207.55.16.41 (0) NAS-Port = 15762707 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/peak (0) authorize { (0) sql: EXPAND %{User-Name} (0) sql: --> <username> (0) sql: SQL-User-Name set to '<username>' rlm_sql (sql): Reserved connection (0) (0) sql: EXPAND call onw_authorize_check('%{SQL-User-Name}','<secret>','%{Calling-Station-Id}'); (0) sql: --> call onw_authorize_check('<username>','<secret>','<macaddr>'); (0) sql: Executing select query: call onw_authorize_check('<username>','<secret>','<macaddr>'); (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "<secret>" (0) sql: Cleartext-Password := "<secret>" (0) sql: Cleartext-Password := "<secret>" (0) sql: EXPAND call onw_authorize_reply('%{SQL-User-Name}','<secret>','%{Calling-Station-Id}'); (0) sql: --> call onw_authorize_reply('<username>','<secret>','<macaddr>'); (0) sql: Executing select query: call onw_authorize_reply('<username>','<secret>','<macaddr>'); (0) sql: User found in radreply table, merging reply items (0) sql: Mikrotik-Rate-Limit := "22M/55M" (0) sql: Framed-Route := "" (0) sql: Framed-Route := "69.59.217.29/32" (0) sql: Framed-Route := "" (0) sql: EXPAND SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' (0) sql: --> SELECT GroupName FROM usergroup WHERE UserName='<username>' (0) sql: Executing select query: SELECT GroupName FROM usergroup WHERE UserName='<username>' (0) sql: User not found in any groups rlm_sql (sql): Released connection (0) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.41-0ubuntu0.24.04.1, protocol version 10 (0) [sql] = ok (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250207 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250207 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Feb 7 16:59:12 2025 (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = fail (0) } # authorize = fail (0) Invalid user: [<username>] (from client admin01 port 15762707 cli <macaddr>) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/peak (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: WARNING: No such configuration item .query (0) [sql] = noop (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> <username> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect: [<username>] (from client admin01 port 15762707 cli <macaddr>)