Sending Access-Challenge instead of Access-Accept using MS-CHAPv2
Hello! This is my first post in the maillist (that have solved all of my earlier problems), but now I'm not sure if my error is my mistake, Cisco's mistake or FreeRADIUS's mistake. I've set up a two-factor athentication against our Cisco AnyConnect VPN with access-challenge (this works when I use PAP between Cisco and FreeRADIUS). But with the username and password being sent between the Cisco and the FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco ASA, so it sends the password with MS-CHAPv2. The authentication of the user works with MS-CHAPv2. To make the FreeRADIUS send an challenge after the authentication of the user I did this in sites-enabled/default: authenticate { .... Auth-Type MS-CHAP { mschap challenge } .... } The Cisco ASA recieves the Challenge and promts for and challenge. When I type in the correct challenge the FreeRADIUS sends an Access-Accept, but the Cisco ASA won't allow it. My question is if this is allowed by the standard or is it a bug on Cisco's side? Regards, Lasse Odden
On Mar 6, 2017, at 7:55 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
I've set up a two-factor athentication against our Cisco AnyConnect VPN with access-challenge (this works when I use PAP between Cisco and FreeRADIUS).
That's a common scenario.
But with the username and password being sent between the Cisco and the FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco ASA, so it sends the password with MS-CHAPv2.
That's less common.
The Cisco ASA recieves the Challenge and promts for and challenge. When I type in the correct challenge the FreeRADIUS sends an Access-Accept, but the Cisco ASA won't allow it.
Then the Cisco is broken.
My question is if this is allowed by the standard or is it a bug on Cisco's side?
It's definitely allowed by the standard. But probably a situation where the Cisco people never thought about it, and never tried it. Alan DeKok.
This is the response I got from Cisco: _________________ Thank you for the very detailed instructions. I was able to reproduce the issue and I believe that freeradius is violating rfc2548 section 2.3.3: 2.3.3. MS-CHAP2-Success Description This Attribute contains a 42-octet authenticator response string. This string MUST be included in the Message field of the MS-CHAP- V2 Success packet sent from the NAS to the peer. This Attribute is only used in Access-Accept packets. In the packet capture I can see that the Access-Challenge contains “MS-CHAP2-Success” attribute. I have found a similar case and it looks like ASA is expecting MS-CHAP2-Success along with proper Authenticator in the Access-Accept message in order to properly validate the RADIUS exchange. Unfortunately, I have no idea how to reconfigure the FreeRadius to conform to this requirement. _________________ This is my output: Received Access-Request Id 164 from 172.28.0.18:63103 to 10.58.0.15:1812 length 241 User-Name = 'k00jlod' NAS-Port = 27713536 Called-Station-Id = '82.147.36.212' Calling-Station-Id = '77.106.182.238' NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = '77.106.182.238' MS-CHAP-Challenge = 0x8739b036b944ff2f3f7cba701f3e841b MS-CHAP2-Response = 0x0000d6e0d53088952eadf04f9f0bcc07babb0000000000000000a4f05481ea47278d26d47d8f0f2ccd36235ece255201258f NAS-IP-Address = 172.28.0.18 Cisco-AVPair = 'ip:source-ip=77.106.182.238' ASA-TunnelGroupName = 'Two-factor' ASA-ClientType = AnyConnect-Client-SSL-VPN Mon Mar 13 12:27:10 2017 : Debug: (1) Received Access-Request packet from host 172.28.0.18 port 63103, id=164, length=241 Mon Mar 13 12:27:10 2017 : Debug: (1) User-Name = 'k00jlod' Mon Mar 13 12:27:10 2017 : Debug: (1) NAS-Port = 27713536 Mon Mar 13 12:27:10 2017 : Debug: (1) Called-Station-Id = '82.147.36.212' Mon Mar 13 12:27:10 2017 : Debug: (1) Calling-Station-Id = '77.106.182.238' Mon Mar 13 12:27:10 2017 : Debug: (1) NAS-Port-Type = Virtual Mon Mar 13 12:27:10 2017 : Debug: (1) Tunnel-Client-Endpoint:0 = '77.106.182.238' Mon Mar 13 12:27:10 2017 : Debug: (1) MS-CHAP-Challenge = 0x8739b036b944ff2f3f7cba701f3e841b Mon Mar 13 12:27:10 2017 : Debug: (1) MS-CHAP2-Response = 0x0000d6e0d53088952eadf04f9f0bcc07babb0000000000000000a4f05481ea47278d26d47d8f0f2ccd36235ece255201258f Mon Mar 13 12:27:10 2017 : Debug: (1) NAS-IP-Address = 172.28.0.18 Mon Mar 13 12:27:10 2017 : Debug: (1) Cisco-AVPair = 'ip:source-ip=77.106.182.238' Mon Mar 13 12:27:10 2017 : Debug: (1) ASA-TunnelGroupName = 'Two-factor' Mon Mar 13 12:27:10 2017 : Debug: (1) ASA-ClientType = AnyConnect-Client-SSL-VPN Mon Mar 13 12:27:10 2017 : Debug: (1) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Mar 13 12:27:10 2017 : Debug: (1) authorize { Mon Mar 13 12:27:10 2017 : Debug: (1) filter_username filter_username { Mon Mar 13 12:27:10 2017 : Debug: (1) if (!&User-Name) Mon Mar 13 12:27:10 2017 : Debug: (1) if (!&User-Name) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ / /) Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ / /) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /@.*@/ ) Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /@.*@/ ) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /\\.\\./ ) Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /\\.\\./ ) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) Mon Mar 13 12:27:10 2017 : Debug: (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /\\.$/) Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /\\.$/) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /@\\./) Mon Mar 13 12:27:10 2017 : Debug: (1) if (&User-Name =~ /@\\./) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) } # filter_username filter_username = notfound Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [preprocess] = ok Mon Mar 13 12:27:10 2017 : Debug: (1) if (State) Mon Mar 13 12:27:10 2017 : Debug: (1) if (State) -> FALSE Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling chap (rlm_chap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from chap (rlm_chap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [chap] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [mschap] = ok Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling digest (rlm_digest) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from digest (rlm_digest) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [digest] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling suffix (rlm_realm) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) suffix : Checking for suffix after "@" Mon Mar 13 12:27:10 2017 : Debug: (1) suffix : No '@' in User-Name = "k00jlod", looking up realm NULL Mon Mar 13 12:27:10 2017 : Debug: (1) suffix : No such realm "NULL" Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [suffix] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) eap : No EAP-Message, not doing EAP Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [eap] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling files (rlm_files) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [files] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [expiration] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [logintime] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) for request 1 Mon Mar 13 12:27:10 2017 : WARNING: (1) pap : No "known good" password found for the user. Not setting Auth-Type Mon Mar 13 12:27:10 2017 : WARNING: (1) pap : Authentication will fail unless a "known good" password is available Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [pap] = noop Mon Mar 13 12:27:10 2017 : Debug: (1) } # authorize = ok Mon Mar 13 12:27:10 2017 : Debug: (1) Found Auth-Type = MSCHAP Mon Mar 13 12:27:10 2017 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default Mon Mar 13 12:27:10 2017 : Debug: (1) Auth-Type MS-CHAP { Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authenticate]: calling mschap (rlm_mschap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : Creating challenge hash with username: k00jlod Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : Client is using MS-CHAPv2 Mon Mar 13 12:27:10 2017 : Debug: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{mschap:NT-Domain}: Mon Mar 13 12:27:10 2017 : Debug: --username=%{mschap:User-Name} Mon Mar 13 12:27:10 2017 : Debug: Parsed xlat tree: Mon Mar 13 12:27:10 2017 : Debug: literal --> --username= Mon Mar 13 12:27:10 2017 : Debug: xlat --> mschap Mon Mar 13 12:27:10 2017 : Debug: { Mon Mar 13 12:27:10 2017 : Debug: literal --> User-Name Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : EXPAND --username=%{mschap:User-Name} Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : --> --username=k00jlod Mon Mar 13 12:27:10 2017 : Debug: --challenge=%{%{mschap:Challenge}:-00} Mon Mar 13 12:27:10 2017 : Debug: Parsed xlat tree: Mon Mar 13 12:27:10 2017 : Debug: literal --> --challenge= Mon Mar 13 12:27:10 2017 : Debug: if { Mon Mar 13 12:27:10 2017 : Debug: xlat --> mschap Mon Mar 13 12:27:10 2017 : Debug: { Mon Mar 13 12:27:10 2017 : Debug: literal --> Challenge Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: else { Mon Mar 13 12:27:10 2017 : Debug: literal --> 00 Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : Creating challenge hash with username: k00jlod Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : --> --challenge=5be157fe7659ba10 Mon Mar 13 12:27:10 2017 : Debug: --nt-response=%{%{mschap:NT-Response}:-00} Mon Mar 13 12:27:10 2017 : Debug: Parsed xlat tree: Mon Mar 13 12:27:10 2017 : Debug: literal --> --nt-response= Mon Mar 13 12:27:10 2017 : Debug: if { Mon Mar 13 12:27:10 2017 : Debug: xlat --> mschap Mon Mar 13 12:27:10 2017 : Debug: { Mon Mar 13 12:27:10 2017 : Debug: literal --> NT-Response Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: else { Mon Mar 13 12:27:10 2017 : Debug: literal --> 00 Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : --> --nt-response=a4f05481ea47278d26d47d8f0f2ccd36235ece255201258f Mon Mar 13 12:27:10 2017 : Debug: --domain=%{mschap:NT-Domain} Mon Mar 13 12:27:10 2017 : Debug: Parsed xlat tree: Mon Mar 13 12:27:10 2017 : Debug: literal --> --domain= Mon Mar 13 12:27:10 2017 : Debug: xlat --> mschap Mon Mar 13 12:27:10 2017 : Debug: { Mon Mar 13 12:27:10 2017 : Debug: literal --> NT-Domain Mon Mar 13 12:27:10 2017 : Debug: } Mon Mar 13 12:27:10 2017 : ERROR: (1) mschap : No NT-Domain was found in the User-Name Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : EXPAND --domain=%{mschap:NT-Domain} Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : --> --domain= Mon Mar 13 12:27:10 2017 : Debug: Program returned code (0) and output 'NT_KEY: 726FA77A206B0A0055EA8EC04BA5C7A8' Mon Mar 13 12:27:10 2017 : Debug: (1) mschap : Adding MS-CHAPv2 MPPE keys Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [mschap] = ok Mon Mar 13 12:27:10 2017 : Debug: (1) challenge challenge { Mon Mar 13 12:27:10 2017 : Debug: (1) update control { Mon Mar 13 12:27:10 2017 : Debug: (1) &Response-Packet-Type = Access-Challenge Mon Mar 13 12:27:10 2017 : Debug: (1) } # update control = noop Mon Mar 13 12:27:10 2017 : Debug: (1) update reply { Mon Mar 13 12:27:10 2017 : Debug: (1) &Reply-Message = 'Tast inn din engangskode.\n\nOm du ikke er registrert for sterk autentisering, kan dette gjøres på nettsiden https://id.hedmark.org' Mon Mar 13 12:27:10 2017 : Debug: (1) EXPAND %{randstr:nnnnnnnn} Mon Mar 13 12:27:10 2017 : Debug: (1) --> 43934796 Mon Mar 13 12:27:10 2017 : Debug: (1) &State = 0x3433393334373936 Mon Mar 13 12:27:10 2017 : Debug: (1) } # update reply = noop Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authenticate]: calling handled (rlm_always) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) modsingle[authenticate]: returned from handled (rlm_always) for request 1 Mon Mar 13 12:27:10 2017 : Debug: (1) [handled] = handled Mon Mar 13 12:27:10 2017 : Debug: (1) } # challenge challenge = handled Mon Mar 13 12:27:10 2017 : Debug: (1) } # Auth-Type MS-CHAP = handled Mon Mar 13 12:27:10 2017 : Debug: (1) Sending Access-Challenge packet to host 172.28.0.18 port 63103, id=164, length=0 Mon Mar 13 12:27:10 2017 : Debug: (1) MS-CHAP2-Success = 0x00533d42333944423243394234453931304238454145414438444543314339353330333834343641313339 Mon Mar 13 12:27:10 2017 : Debug: (1) MS-MPPE-Recv-Key = 0x64f6fa51e30f7267fb3785e2061c501d Mon Mar 13 12:27:10 2017 : Debug: (1) MS-MPPE-Send-Key = 0xefe9c04f5d551895ab42cef20b8767a2 Mon Mar 13 12:27:10 2017 : Debug: (1) MS-MPPE-Encryption-Policy = Encryption-Allowed Mon Mar 13 12:27:10 2017 : Debug: (1) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Mon Mar 13 12:27:10 2017 : Debug: (1) Reply-Message = 'Tast inn din engangskode.\n\nOm du ikke er registrert for sterk autentisering, kan dette gjøres på nettsiden https://id.hedmark.org' Mon Mar 13 12:27:10 2017 : Debug: (1) State = 0x3433393334373936 Sending Access-Challenge Id 164 from 10.58.0.15:1812 to 172.28.0.18:63103 MS-CHAP2-Success = 0x00533d42333944423243394234453931304238454145414438444543314339353330333834343641313339 MS-MPPE-Recv-Key = 0x64f6fa51e30f7267fb3785e2061c501d MS-MPPE-Send-Key = 0xefe9c04f5d551895ab42cef20b8767a2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Reply-Message = 'Tast inn din engangskode.\n\nOm du ikke er registrert for sterk autentisering, kan dette gjøres på nettsiden https://id.hedmark.org' State = 0x3433393334373936 Mon Mar 13 12:27:10 2017 : Debug: (1) Finished request Mon Mar 13 12:27:10 2017 : Debug: Waking up in 0.2 seconds. Mon Mar 13 12:27:11 2017 : Debug: Waking up in 4.7 seconds. Mon Mar 13 12:27:15 2017 : Debug: (1) Cleaning up request packet ID 164 with timestamp +101 Mon Mar 13 12:27:15 2017 : Info: Ready to process requests Received Access-Request Id 165 from 172.28.0.18:63103 to 10.58.0.15:1812 length 187 User-Name = 'k00jlod' User-Password = '876274' NAS-Port = 27713536 Called-Station-Id = '82.147.36.212' Calling-Station-Id = '77.106.182.238' NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = '77.106.182.238' NAS-IP-Address = 172.28.0.18 State = 0x3433393334373936 Cisco-AVPair = 'ip:source-ip=77.106.182.238' ASA-TunnelGroupName = 'Two-factor' ASA-ClientType = AnyConnect-Client-SSL-VPN Mon Mar 13 12:27:17 2017 : Debug: (2) Received Access-Request packet from host 172.28.0.18 port 63103, id=165, length=187 Mon Mar 13 12:27:17 2017 : Debug: (2) User-Name = 'k00jlod' Mon Mar 13 12:27:17 2017 : Debug: (2) User-Password = '876274' Mon Mar 13 12:27:17 2017 : Debug: (2) NAS-Port = 27713536 Mon Mar 13 12:27:17 2017 : Debug: (2) Called-Station-Id = '82.147.36.212' Mon Mar 13 12:27:17 2017 : Debug: (2) Calling-Station-Id = '77.106.182.238' Mon Mar 13 12:27:17 2017 : Debug: (2) NAS-Port-Type = Virtual Mon Mar 13 12:27:17 2017 : Debug: (2) Tunnel-Client-Endpoint:0 = '77.106.182.238' Mon Mar 13 12:27:17 2017 : Debug: (2) NAS-IP-Address = 172.28.0.18 Mon Mar 13 12:27:17 2017 : Debug: (2) State = 0x3433393334373936 Mon Mar 13 12:27:17 2017 : Debug: (2) Cisco-AVPair = 'ip:source-ip=77.106.182.238' Mon Mar 13 12:27:17 2017 : Debug: (2) ASA-TunnelGroupName = 'Two-factor' Mon Mar 13 12:27:17 2017 : Debug: (2) ASA-ClientType = AnyConnect-Client-SSL-VPN Mon Mar 13 12:27:17 2017 : Debug: (2) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Mar 13 12:27:17 2017 : Debug: (2) authorize { Mon Mar 13 12:27:17 2017 : Debug: (2) filter_username filter_username { Mon Mar 13 12:27:17 2017 : Debug: (2) if (!&User-Name) Mon Mar 13 12:27:17 2017 : Debug: (2) if (!&User-Name) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ / /) Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ / /) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /@.*@/ ) Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /@.*@/ ) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /\\.\\./ ) Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /\\.\\./ ) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) Mon Mar 13 12:27:17 2017 : Debug: (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /\\.$/) Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /\\.$/) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /@\\./) Mon Mar 13 12:27:17 2017 : Debug: (2) if (&User-Name =~ /@\\./) -> FALSE Mon Mar 13 12:27:17 2017 : Debug: (2) } # filter_username filter_username = notfound Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [preprocess] = ok Mon Mar 13 12:27:17 2017 : Debug: (2) if (State) Mon Mar 13 12:27:17 2017 : Debug: (2) if (State) -> TRUE Mon Mar 13 12:27:17 2017 : Debug: (2) if (State) { Mon Mar 13 12:27:17 2017 : Debug: (2) update control { Mon Mar 13 12:27:17 2017 : Debug: (2) &Auth-Type := perl Mon Mar 13 12:27:17 2017 : Debug: (2) } # update control = noop Mon Mar 13 12:27:17 2017 : Debug: (2) } # if (State) = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling chap (rlm_chap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from chap (rlm_chap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [chap] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling mschap (rlm_mschap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from mschap (rlm_mschap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [mschap] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling digest (rlm_digest) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from digest (rlm_digest) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [digest] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling suffix (rlm_realm) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) suffix : Checking for suffix after "@" Mon Mar 13 12:27:17 2017 : Debug: (2) suffix : No '@' in User-Name = "k00jlod", looking up realm NULL Mon Mar 13 12:27:17 2017 : Debug: (2) suffix : No such realm "NULL" Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from suffix (rlm_realm) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [suffix] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling eap (rlm_eap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) eap : No EAP-Message, not doing EAP Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from eap (rlm_eap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [eap] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling files (rlm_files) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from files (rlm_files) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [files] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling expiration (rlm_expiration) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from expiration (rlm_expiration) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [expiration] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling logintime (rlm_logintime) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from logintime (rlm_logintime) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [logintime] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: calling pap (rlm_pap) for request 2 Mon Mar 13 12:27:17 2017 : WARNING: (2) pap : No "known good" password found for the user. Not setting Auth-Type Mon Mar 13 12:27:17 2017 : WARNING: (2) pap : Authentication will fail unless a "known good" password is available Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authorize]: returned from pap (rlm_pap) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) [pap] = noop Mon Mar 13 12:27:17 2017 : Debug: (2) } # authorize = ok Mon Mar 13 12:27:17 2017 : Debug: (2) Found Auth-Type = perl Mon Mar 13 12:27:17 2017 : Debug: (2) # Executing group from file /etc/raddb/sites-enabled/default Mon Mar 13 12:27:17 2017 : Debug: (2) authenticate { Mon Mar 13 12:27:17 2017 : Debug: (2) modsingle[authenticate]: calling perl (rlm_perl) for request 2 Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'k00jlod' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> '876274' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '172.28.0.18' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '27713536' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'State'} = &request:State -> '0x3433393334373936' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '82.147.36.212' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '77.106.182.238' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'Tunnel-Client-Endpoint'} = &request:Tunnel-Client-Endpoint -> '77.106.182.238' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Mar 13 2017 12:27:17 CET' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'Cisco-AVPair'} = &request:Cisco-AVPair -> 'ip:source-ip=77.106.182.238' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'ASA-TunnelGroupName'} = &request:ASA-TunnelGroupName -> 'Two-factor' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_REQUEST{'ASA-ClientType'} = &request:ASA-ClientType -> 'AnyConnect-Client-SSL-VPN' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'perl' Mon Mar 13 12:27:17 2017 : Debug: (2) perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'perl' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:ASA-ClientType = $RAD_REQUEST{'ASA-ClientType'} -> 'AnyConnect-Client-SSL-VPN' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:ASA-TunnelGroupName = $RAD_REQUEST{'ASA-TunnelGroupName'} -> 'Two-factor' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '77.106.182.238' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '82.147.36.212' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:State = $RAD_REQUEST{'State'} -> '0x3433393334373936' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:Cisco-AVPair = $RAD_REQUEST{'Cisco-AVPair'} -> 'ip:source-ip=77.106.182.238' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'k00jlod' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Mar 13 2017 12:27:17 CET' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> '876274' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:Tunnel-Client-Endpoint:0 = $RAD_REQUEST{'Tunnel-Client-Endpoint:0'} -> '77.106.182.238' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '172.28.0.18' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '27713536' Mon Mar 13 12:27:22 2017 : Debug: (2) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'perl' Mon Mar 13 12:27:22 2017 : Debug: (2) modsingle[authenticate]: returned from perl (rlm_perl) for request 2 Mon Mar 13 12:27:22 2017 : Debug: (2) [perl] = ok Mon Mar 13 12:27:22 2017 : Debug: (2) } # authenticate = ok Mon Mar 13 12:27:22 2017 : Debug: (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default Mon Mar 13 12:27:22 2017 : Debug: (2) post-auth { Mon Mar 13 12:27:22 2017 : Debug: (2) modsingle[post-auth]: calling exec (rlm_exec) for request 2 Mon Mar 13 12:27:22 2017 : Debug: (2) modsingle[post-auth]: returned from exec (rlm_exec) for request 2 Mon Mar 13 12:27:22 2017 : Debug: (2) [exec] = noop Mon Mar 13 12:27:22 2017 : Debug: (2) remove_reply_message_if_eap remove_reply_message_if_eap { Mon Mar 13 12:27:22 2017 : Debug: (2) if (&reply:EAP-Message && &reply:Reply-Message) Mon Mar 13 12:27:22 2017 : Debug: (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Mon Mar 13 12:27:22 2017 : Debug: (2) else else { Mon Mar 13 12:27:22 2017 : Debug: (2) modsingle[post-auth]: calling noop (rlm_always) for request 2 Mon Mar 13 12:27:22 2017 : Debug: (2) modsingle[post-auth]: returned from noop (rlm_always) for request 2 Mon Mar 13 12:27:22 2017 : Debug: (2) [noop] = noop Mon Mar 13 12:27:22 2017 : Debug: (2) } # else else = noop Mon Mar 13 12:27:22 2017 : Debug: (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop Mon Mar 13 12:27:22 2017 : Debug: (2) } # post-auth = noop Mon Mar 13 12:27:22 2017 : Debug: (2) Sending Access-Accept packet to host 172.28.0.18 port 63103, id=165, length=0 Sending Access-Accept Id 165 from 10.58.0.15:1812 to 172.28.0.18:63103 Mon Mar 13 12:27:22 2017 : Debug: (2) Finished request Mon Mar 13 12:27:22 2017 : Debug: Waking up in 4.9 seconds. Do you have any suggestion or answer to Cisco? Best regards, Lasse Odden On Mon, Mar 6, 2017 at 2:54 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 6, 2017, at 7:55 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
I've set up a two-factor athentication against our Cisco AnyConnect VPN with access-challenge (this works when I use PAP between Cisco and FreeRADIUS).
That's a common scenario.
But with the username and password being sent between the Cisco and the FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco ASA, so it sends the password with MS-CHAPv2.
That's less common.
The Cisco ASA recieves the Challenge and promts for and challenge. When I type in the correct challenge the FreeRADIUS sends an Access-Accept, but the Cisco ASA won't allow it.
Then the Cisco is broken.
My question is if this is allowed by the standard or is it a bug on Cisco's side?
It's definitely allowed by the standard. But probably a situation where the Cisco people never thought about it, and never tried it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Mar 13, 2017, at 7:31 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
This is the response I got from Cisco:
_________________
Thank you for the very detailed instructions. I was able to reproduce the issue and I believe that freeradius is violating rfc2548 section 2.3.3:
So... you configured the server to send Ms-Chap-Challenge in an Access-Challenge packet. FreeRADIUS largely does what you tell it to do.
Do you have any suggestion or answer to Cisco?
What you're trying to do is impossible. Don't do it. Alan DeKok.
I tried to add the same MS-CHAP2-Success attribute in the Access-Accept that the mschap modules sendt in the first authentication process where I had replaced the Access-Accept with an Access-Challengeand, and this worked. So I guess I can save the attribute and then send it again if the passcode is verified, but this does not seem like a very good solution. But on the other hand, the encryption of the users passwords are needed. Do you see any other clever way to solve this? On Mon, Mar 13, 2017 at 1:48 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 13, 2017, at 7:31 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
This is the response I got from Cisco:
_________________
Thank you for the very detailed instructions. I was able to reproduce the issue and I believe that freeradius is violating rfc2548 section 2.3.3:
So... you configured the server to send Ms-Chap-Challenge in an Access-Challenge packet.
FreeRADIUS largely does what you tell it to do.
Do you have any suggestion or answer to Cisco?
What you're trying to do is impossible. Don't do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Mar 13, 2017, at 9:47 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
I tried to add the same MS-CHAP2-Success attribute in the Access-Accept that the mschap modules sendt in the first authentication process where I had replaced the Access-Accept with an Access-Challengeand, and this worked.
That surprises me, to be honest.
So I guess I can save the attribute and then send it again if the passcode is verified, but this does not seem like a very good solution.
If it works...
But on the other hand, the encryption of the users passwords are needed.
Nonsense. The passwords are encrypted on the wire. I have no idea why people are so dead-set against using PAP. To be honest, PAP in RADIUS is *more* secure than MS-CHAP. MS-CHAPv2 can typically be cracked in a day: https://www.helpnetsecurity.com/2012/07/31/researcher-releases-tool-for-crac... Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort. In contrast, the PAP encryption in RADIUS has *zero* cracks after almost 25 years. Stop taking a naive approach to security. Use what the experts recommend, because they know rather a lot more about the situation than you do. Alan DeKok.
On 16/03/2017 13:42, Alan DeKok wrote:
Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort. In contrast, the PAP encryption in RADIUS has*zero* cracks after almost 25 years.
This is true. There is an operational reason why you still might want to use MS-CHAPv2 though, which is that it permits password expiry and password changing as part of the exchange. This can be quite a nice user experience, for those clients which support it anyway. It avoids having to rely on the user connecting to some other service to get prompted that it's time to change their password. I'm talking about MS-CHAPv2 inside TLS of course. Don't even think about PPTP across the open Internet :-) Regards, Brian.
participants (3)
-
Alan DeKok -
Brian Candler -
Lasse Odden