Hi everyone, I'm using a pfsense server as captive portal to authenticate users on my WiFi network. The captive portal is set to interrogate my freeradius server. My freeradius server can already authenticate users via my AD using winbind. I also need local account (via "users" file) to create some temporary "WiFi" account for guests. My problem is that it seems that when freeradius receive an mschap request, it only interrogate the AD and do not check the local "users" file : *Radtest output :* *root@radius:/etc/freeradius/3.0# radtest test hello localhost 0 testing123Sent Access-Request Id 221 from 0.0.0.0:55019 <http://0.0.0.0:55019> to 127.0.0.1:1812 <http://127.0.0.1:1812> length 74 User-Name = "test" User-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello"Received Access-Accept Id 221 from 127.0.0.1:1812 <http://127.0.0.1:1812> to 0.0.0.0:0 <http://0.0.0.0:0> length 20root@radius:/etc/freeradius/3.0# radtest -t mschap test hello localhost 0 testing123Sent Access-Request Id 57 from 0.0.0.0:45981 <http://0.0.0.0:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length 130 User-Name = "test" MS-CHAP-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" MS-CHAP-Challenge = 0x721c5f615cce85ee MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5Received Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to 0.0.0.0:0 <http://0.0.0.0:0> length 61 MS-CHAP-Error = "\000E=648 R=0 C=36f192b64ad8bf50 V=2"(0) -: Expected Access-Accept got Access-Reject* *freeradius -X output :* *1) Received Access-Request Id 57 from 127.0.0.1:45981 <http://127.0.0.1:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length 130(1) User-Name = "test"(1) NAS-IP-Address = 127.0.1.1(1) NAS-Port = 0(1) Message-Authenticator = 0x2ac9eeb221acb45d57e63c7670667269(1) MS-CHAP-Challenge = 0x721c5f615cce85ee(1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(1) authorize {(1) policy filter_username {(1) if (&User-Name) {(1) if (&User-Name) -> TRUE(1) if (&User-Name) {(1) if (&User-Name =~ / /) {(1) if (&User-Name =~ / /) -> FALSE(1) if (&User-Name =~ /@[^@]*@/ ) {(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(1) if (&User-Name =~ /\.\./ ) {(1) if (&User-Name =~ /\.\./ ) -> FALSE(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(1) if (&User-Name =~ /\.$/) {(1) if (&User-Name =~ /\.$/) -> FALSE(1) if (&User-Name =~ /@\./) {(1) if (&User-Name =~ /@\./) -> FALSE(1) } # if (&User-Name) = notfound(1) } # policy filter_username = notfound(1) [preprocess] = ok(1) [chap] = noop(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'(1) [mschap] = ok(1) [digest] = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) eap: No EAP-Message, not doing EAP(1) [eap] = noop(1) files: users: Matched entry test at line 1(1) [files] = ok(1) [expiration] = noop(1) [logintime] = noop(1) pap: WARNING: Auth-Type already set. Not setting to PAP(1) [pap] = noop(1) } # authorize = ok(1) Found Auth-Type = mschap(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) authenticate {(1) mschap: Found Cleartext-Password, hashing to create NT-Password(1) mschap: Found Cleartext-Password, hashing to create LM-Password(1) mschap: Client is using MS-CHAPv1 with NT-Password(1) mschap: EXPAND %{mschap:User-Name}(1) mschap: --> testrlm_mschap (mschap): Reserved connection (0)(1) mschap: sending authentication request user='test' domain='lan.domain.tld'rlm_mschap (mschap): Released connection (0)rlm_mschap (mschap): Need 5 more connections to reach 10 sparesrlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending slots used(1) mschap: ERROR: No such user [0xC0000064](1) mschap: ERROR: Password has expired. User should retry authentication(1) [mschap] = reject(1) } # authenticate = reject(1) Failed to authenticate the user(1) Using Post-Auth-Type Reject(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) Post-Auth-Type REJECT {(1) attr_filter.access_reject: EXPAND %{User-Name}(1) attr_filter.access_reject: --> test(1) attr_filter.access_reject: Matched entry DEFAULT at line 11(1) [attr_filter.access_reject] = updated(1) [eap] = noop(1) policy remove_reply_message_if_eap {(1) if (&reply:EAP-Message && &reply:Reply-Message) {(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(1) else {(1) [noop] = noop(1) } # else = noop(1) } # policy remove_reply_message_if_eap = noop(1) } # Post-Auth-Type REJECT = updated(1) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(1) Sending delayed response(1) Sent Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to 127.0.0.1:45981 <http://127.0.0.1:45981> length 61(1) MS-CHAP-Error = "\000E=648 R=0 C=36f192b64ad8bf50 V=2"Waking up in 3.9 seconds.(1) Cleaning up request packet ID 57 with timestamp +19* Does anyone has an idea how i can use both authentication methods (AD and "local") simultaneously ? Thanks in advance. Regards, *Benjamin Dupalut* Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr