Hi again, and worth to say that plain authentication using "radtest doka q1w2e3 localhost 1812 mysecret" agains SHA2-Password in "users" works perfectly: Sent Access-Request Id 237 from 0.0.0.0:37952 to 127.0.0.1:1812 length 74 User-Name = "doka" User-Password = "q1w2e3" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "q1w2e3" Received Access-Accept Id 237 from 127.0.0.1:1812 to 0.0.0.0:0 length 33 Reply-Message = "Hello, doka" with the following debug (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry doka at line 69 (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, doka (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA2-Password from hex encoding, 64 bytes -> 32 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = pap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA2-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok so there are no problems with crypto libraries and "SHA2-Password" statement itself. On 2/28/18 12:34 PM, Volodymyr Litovka wrote:
Hi colleagues,
I'm pretty new in FreeRadius and looks missing something that will allow me to authenticate MSCHAP users agains stored SHA256 hashes.
Having the following entries in the "users" file :
#doka Cleartext-Password := "q1w2e3" doka SHA2-Password := "AE5A853873043C7B011C6300C464D8D4014BF833697A3C01817D83AA91A53166"
I'm trying to authenticate Stronswan connections, which use EAP-MSCHAPv2. In both cases, FreeRadius notes that "pap: WARNING: Auth-Type already set. Not setting to PAP" but while it's not required with Cleartext-Password, it's required (but not called) for SHA2-Password:
There are two different debugs:
1) for clear-text password it works:
(1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry doka at line 68 (1) files: EXPAND Hello, %{User-Name} (1) files: --> Hello, doka (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xa83c0023a83d1a89 (1) eap: Finished EAP session with state 0xa83c0023a83d1a89 (1) eap: Previous EAP request found for state 0xa83c0023a83d1a89, released from the list (1) eap: Peer sent packet with method EAP MSCHAPv2 (26) (1) eap: Calling submodule eap_mschapv2 to process data (1) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) eap_mschapv2: authenticate { (1) mschap: Found Cleartext-Password, hashing to create NT-Password (1) mschap: Found Cleartext-Password, hashing to create LM-Password (1) mschap: Creating challenge hash with username: doka (1) mschap: Client is using MS-CHAPv2 (1) mschap: Adding MS-CHAPv2 MPPE keys (1) [mschap] = ok (1) } # authenticate = ok (1) MSCHAP Success
2) while as soon as I switch to SHA2-Password, it stops authenticate requests
(1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry doka at line 69 (1) files: EXPAND Hello, %{User-Name} (1) files: --> Hello, doka (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: Normalizing SHA2-Password from hex encoding, 64 bytes -> 32 bytes (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x1ba8bb871ba9a1a0 (1) eap: Finished EAP session with state 0x1ba8bb871ba9a1a0 (1) eap: Previous EAP request found for state 0x1ba8bb871ba9a1a0, released from the list (1) eap: Peer sent packet with method EAP MSCHAPv2 (26) (1) eap: Calling submodule eap_mschapv2 to process data (1) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) eap_mschapv2: authenticate { (1) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (1) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (1) mschap: Creating challenge hash with username: doka (1) mschap: Client is using MS-CHAPv2 (1) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (1) mschap: ERROR: MS-CHAP2-Response is incorrect (1) [mschap] = reject (1) } # authenticate = reject (1) eap: Sending EAP Failure (code 4) ID 1 length 4 (1) eap: Freeing handler (1) [eap] = reject (1) } # authenticate = reject (1) Failed to authenticate the user
Configuration is the following:
1) sites-enabled/default : authorize { filter_username preprocess auth_log chap mschap digest suffix eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest eap }
2) mods-enabled/eap : eap { default_eap_type = mschapv2 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } mschapv2 { } }
3) mods-enabled/mschap (unmodified) : mschap { pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 } passchange { } }
4) mod-enabled/pap (unmodified) : pap { }
I will greatly appreciate any help on working around this issue. Please.
Thank you!
-- Volodymyr Litovka "Vision without Execution is Hallucination." -- Thomas Edison
-- Volodymyr Litovka "Vision without Execution is Hallucination." -- Thomas Edison