I have freeradius 1.1.4 setup as a proxy to an upstream
radius server which works. I also want to put guests in a local users
file and use MSCHAPV2 on them, but didn’t get it to work. I was
able to get PAP and CHAP working. Here is the MSCHAPV2 configuration I
tried:
users file:
cobb User-Password=="secret"
proxy.conf:
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
default_fallback
= yes
post_proxy_authorize = no
}
realm guests {
type = radius
authhost =
LOCAL:1812
accthost =
LOCAL:1813
secret = whatever
}
realm testlab.com {
type = radius
authhost =
172.16.0.3:1812
accthost =
172.16.0.3:1813
secret = testing
}
realm DEFAULT {
type = radius
authhost = 172.16.0.3:1812
accthost = 172.16.0.3:1813
secret = testing
}
radius.conf:
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var/lib
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = /var/log/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
listen {
ipaddr = *
port = 1645
type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes
= 200
reject_delay =
1
status_server =
no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers =
5
max_servers =
32
min_spare_servers
= 3
max_spare_servers
= 10
max_requests_per_server
= 0
}
modules {
pap {
encryption_scheme
= crypt
}
chap {
authtype
= CHAP
}
pam {
pam_auth
= radiusd
}
unix {
cache
= no
#
Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload
= 600
radwtmp
= ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype
= MS-CHAP
#use_mppe
= no
#require_encryption
= yes
#require_strong
= yes
#with_ntdomain_hack
= no
}
ldap {
server
= "ldap.your.domain"
#
identity = "cn=admin,o=My Org,c=UA"
#
password = mypass
basedn
= "o=My Org,c=UA"
filter
= "(uid=%{Stripped-User-Name:-%{User-Name}})"
#
base_filter = "(objectclass=radiusprofile)"
#
set this to 'yes' to use TLS encrypted connections
#
to the LDAP database by using the StartTLS extended
#
operation.
#
The StartTLS operation is supposed to be used with normal
#
ldap connections instead of using ldaps (port 689) connections
start_tls
= no
#
tls_cacertfile = /path/to/cacert.pem
#
tls_cacertdir =
/path/to/ca/dir/
#
tls_certfile =
/path/to/radius.crt
#
tls_keyfile = /path/to/radius.key
#
tls_randfile =
/path/to/rnd
#
tls_require_cert = "demand"
#
default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
#
profile_attribute = "radiusProfileDn"
access_attr
= "dialupAccess"
#
Mapping of RADIUS dictionary attributes to LDAP
#
directory attributes.
dictionary_mapping
= ${raddbdir}/ldap.attrmap
ldap_connections_number
= 5
timeout
= 4
timelimit
= 3
net_timeout
= 1
#
compare_check_items = yes
#
do_xlat = yes
#
access_attr_used_for_allow = yes
}
realm IPASS {
format
= prefix
delimiter
= "/"
ignore_default
= no
ignore_null
= no
}
#
'username@realm'
#
realm suffix {
format
= suffix
delimiter
= "@"
ignore_default
= no
ignore_null
= yes
}
#
'username%realm'
#
realm
realmpercent {
format
= suffix
delimiter
= "%"
ignore_default
= no
ignore_null
= no
}
#
#
'domain\user'
#
realm ntdomain
{
format
= prefix
delimiter
= "\\"
ignore_default
= no
ignore_null
= no
}
checkval {
#
The attribute to look for in the request
item-name
= Calling-Station-Id
#
The attribute to look for in check items. Can be multi valued
check-name
= Calling-Station-Id
#
The data type. Can be
#
string,integer,ipaddr,date,abinary,octets
data-type
= string
#
If set to yes and we dont find the item-name attribute in the
#
request then we send back a reject
#
DEFAULT is no
#notfound-reject
= no
}
preprocess {
huntgroups
= ${confdir}/huntgroups
hints
= ${confdir}/hints
with_ascend_hack
= no
ascend_channels_per_line
= 23
with_ntdomain_hack
= no
with_specialix_jetstream_hack
= no
with_cisco_vsa_hack
= no
}
files {
usersfile
= ${confdir}/users
acctusersfile
= ${confdir}/acct_users
preproxy_usersfile
= ${confdir}/preproxy_users
compat
= no
}
# Write a
detailed log of all accounting records received.
#
detail {
detailfile
= ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm
= 0600
}
acct_unique {
key
= "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
$INCLUDE
${confdir}/sql.conf
radutmp {
#
Where the file is stored. It's not a log file,
#
so it doesn't need rotating.
#
filename
= ${logdir}/radutmp
username
= %{User-Name}
case_sensitive
= yes
check_with_nas
= yes
perm
= 0600
callerid
= "yes"
}
radutmp
sradutmp {
filename
= ${logdir}/sradutmp
perm
= 0644
callerid
= "no"
}
# attr_filter -
filters the attributes received in replies from
# proxied
servers, to make sure we send back to our RADIUS client
# only allowed
attributes.
attr_filter {
attrsfile
= ${confdir}/attrs
}
counter daily {
filename
= ${raddbdir}/db.daily
key
= User-Name
count-attribute
= Acct-Session-Time
reset
= daily
counter-name
= Daily-Session-Time
check-name
= Max-Daily-Session
allowed-servicetype
= Framed-User
cache-size
= 5000
}
always fail {
rcode
= fail
}
always reject {
rcode
= reject
}
always ok {
rcode
= ok
simulcount
= 0
mpp
= no
}
expr {
}
digest {
}
exec {
wait
= yes
input_pairs
= request
}
exec echo {
wait
= yes
program
= "/bin/echo %{User-Name}"
input_pairs
= request
output_pairs
= reply
}
ippool
main_pool {
#
range-start,range-stop: The start and end ip
#
addresses for the ip pool
range-start
= 192.168.1.1
range-stop
= 192.168.3.254
#
netmask: The network mask used for the ip's
netmask
= 255.255.255.0
#
cache-size: The gdbm cache size for the db
#
files. Should be equal to the number of ip's
#
available in the ip pool
cache-size
= 800
#
session-db: The main db file used to allocate ip's to clients
session-db
= ${raddbdir}/db.ippool
#
ip-index: Helper db index file used in multilink
ip-index
= ${raddbdir}/db.ipindex
#
override: Will this ippool override a Framed-IP-Address already set
override
= no
#
maximum-timeout: If not zero specifies the maximum time in seconds an
#
entry may be active. Default: 0
maximum-timeout
= 0
}
}
instantiate {
exec
expr
# daily
}
# Authorization. First preprocess (hints and
huntgroups files),
# then realms, and finally look in the
"users" file.
#
# The order of the realm modules will
determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before
any realm if you
# need to setup hints for the remote radius
server
authorize {
preprocess
chap
mschap
suffix
ntdomain
eap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP
{
chap
}
Auth-Type
MS-CHAP {
mschap
}
unix
eap
}
#
# Pre-accounting. Decide which
accounting type to use.
#
preacct {
preprocess
#
# Ensure
that we have a semi-unique identifier for every
#
request, and many NAS boxes are broken.
acct_unique
suffix
ntdomain
#
# Read
the 'acct_users' file
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
post-proxy {
eap
}
I get this error about the mschap response being incorrect.
A request form the same client that is proxied back to IAS with mschapv2 works.
rlm_realm: Looking up realm
"guests" for User-Name = "cobb@guests"
rlm_realm: Found realm "guests"
rlm_realm: Adding Stripped-User-Name =
"cobb"
rlm_realm: Proxying request from user
cobb to realm guests
rlm_realm: Adding Realm =
"guests"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns
noop for request 0
rlm_realm: Request already proxied.
Ignoring.
modcall[authorize]: module "ntdomain"
returns noop for request 0
modcall: leaving group (returns noop) for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop
for request 0
users: Matched entry cobb at line 1
modcall[authorize]: module "files" returns
ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with
NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns
reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request
0
auth: Failed to validate the user.
I also tried changing the users file to have NT-Password == “0xB6FFB3200061D7B7928F0D932F095128”
But then freeradius just said it couldn’t create the
NT-Password:
rlm_mschap: No User-Password configured. Cannot
create NT-Password,
followed by the previous error.
How do I configure MSCHAPv2 to a local users file?