Problem with MSCHAP and Freeradius authentication
Hi I have been trying to implement radius authetication server at my workplace. The idea is to have all wifi access points authenticate against a radius server. The radius server needs to pass authentication to a backend Active Directory server. I have been sucessful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein plaintext password is sucessfully authenticated against the AD and I get an "Access-Accept". However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in a "Access-Reject". Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authetication fails. MSCHAP is a requirement as wifi clients at my place mostly have eap supplicant. (Read in freeradius documentation that eap and ldap doesnt go hand in hand, I may be wrong at interpreting the same) The freeradius logs for all the cases is listed below. Radius gurus please point me to the right direction as to make MS_CHAP authentication owrk over ntlm_auth or ldap(if possible). PS: I did all the testing using JRadius simulator. Regards Dhiraj Gaur -------------------------- LOGS ------------------------------ rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=69 User-Name = "01546" User-Password = "xxxxxxxxxxx" --> (Plian Text password) NAS-IP-Address = 192.168.0.199 Message-Authenticator = 0x008294e58343b74ea977c228f5b5 ec5d Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...} Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL" Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx --> (We can see the password in plaintext) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0 Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...} Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...} Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0 Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...} Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0 Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop Sending Access-Accept of id 22 to 192.168.3.210 port 32854 JRADIUS CLINET LOG Sending RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessRequest Attributes: User-Name := 01546 User-Password := [Encrypted String] NAS-IP-Address := 192.168.0.199 Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessAccept Attributes: ----------------------------------------------------------------------- rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=88 User-Name = "01546" NAS-IP-Address = 192.168.0.199 CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57 CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2 Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...} Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP' Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL" Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password= Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1 Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...} Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546 Fri Jan 20 18:29:27 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns updated Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds Fri Jan 20 18:29:27 2012 : Debug: Going to the next request Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds. Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5 Sending Access-Reject of id 22 to 192.168.3.210 port 32854 JRADIUS CLINET LOG Sending RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessRequest Attributes: User-Name := 01546 NAS-IP-Address := 192.168.0.199 CHAP-Challenge := [Binary Data (length=16)] CHAP-Password := [Binary Data (length=17)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessReject Attributes: -------------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23, length=133 User-Name = "01546" NAS-IP-Address = 192.168.0.199 MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e MS-CHAP2-Response = 0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f Message-Authenticator = 0x92716bba8963b228666c070135f8245a Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...} Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL" Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password= Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1 Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...} Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546 Fri Jan 20 18:29:57 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns updated Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds Fri Jan 20 18:29:57 2012 : Debug: Going to the next request Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds. Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6 Sending Access-Reject of id 23 to 192.168.3.210 port 32854 JRADIUS CLINET LOG Sending RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessRequest Attributes: User-Name := 01546 NAS-IP-Address := 192.168.0.199 MS-CHAP-Challenge := [Binary Data (length=16)] MS-CHAP2-Response := [Binary Data (length=50)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessReject Attributes: ----------------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24, length=63 User-Name = "01546" NAS-IP-Address = 192.168.0.199 EAP-Message = 0x0200000a013031353436 Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9 Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...} Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL" Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length 10 Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password= Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1 Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...} Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546 Fri Jan 20 18:30:30 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns updated Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds Fri Jan 20 18:30:30 2012 : Debug: Going to the next request Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds. Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7 Sending Access-Reject of id 24 to 192.168.3.210 port 32854 JRADIUS CLINET LOG Sending RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessRequest Attributes: User-Name := 01546 NAS-IP-Address := 192.168.0.199 EAP-Message := [Binary Data (length=10)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------- Class: class net.jradius.packet.AccessReject Attributes:
Dhiraj Gaur wrote:
I have been trying to implement radius authetication server at my workplace. The idea is to have all wifi access points authenticate against a radius server.
That is a common deployment, and should be easy to do.
The radius server needs to pass authentication to a backend Active Directory server. I have been sucessful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein plaintext password is sucessfully authenticated against the AD and I get an "Access-Accept". However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in a "Access-Reject".
CHAP will *not* work with AD. See my web site: http://deployingradius.com/documents/protocols/compatibility.html
Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authetication fails. MSCHAP is a requirement as wifi clients at my place mostly have eap supplicant. (Read in freeradius documentation that eap and ldap doesnt go hand in hand, I may be wrong at interpreting the same)
You've misconfigured the server. You have it trying to do ntlm_auth using the User-Password, and then sending it an MS-CHAP authentication. There's no User-Password in MS-CHAP. Follow the instructions on my web site for configuring ntlm_auth: http://deployingradius.com/documents/configuration/active_directory.html And then follow the other instructions for getting EAP to work.
The freeradius logs for all the cases is listed below. Radius gurus please point me to the right direction as to make MS_CHAP authentication owrk over ntlm_auth or ldap(if possible).
PS: I did all the testing using JRadius simulator.
FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP. That should be all you need. Alan DeKok.
HI Alan Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says "Start the server and use a test client to send an MS-CHAP authentication request. The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above." Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same thorugh radtest. I could not understand "There's no User-Password in MS-CHAP." Regards Dhiraj Gaur On Fri, Jan 20, 2012 at 9:15 PM, Alan DeKok <aland@deployingradius.com>wrote:
Dhiraj Gaur wrote:
I have been trying to implement radius authetication server at my workplace. The idea is to have all wifi access points authenticate against a radius server.
That is a common deployment, and should be easy to do.
The radius server needs to pass authentication to a backend Active Directory server. I have been sucessful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein plaintext password is sucessfully authenticated against the AD and I get an "Access-Accept". However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in a "Access-Reject".
CHAP will *not* work with AD. See my web site:
http://deployingradius.com/documents/protocols/compatibility.html
Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authetication fails. MSCHAP is a requirement as wifi clients at my place mostly have eap supplicant. (Read in freeradius documentation that eap and ldap doesnt go hand in hand, I may be wrong at interpreting the same)
You've misconfigured the server. You have it trying to do ntlm_auth using the User-Password, and then sending it an MS-CHAP authentication. There's no User-Password in MS-CHAP.
Follow the instructions on my web site for configuring ntlm_auth:
http://deployingradius.com/documents/configuration/active_directory.html
And then follow the other instructions for getting EAP to work.
The freeradius logs for all the cases is listed below. Radius gurus please point me to the right direction as to make MS_CHAP authentication owrk over ntlm_auth or ldap(if possible).
PS: I did all the testing using JRadius simulator.
FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP. That should be all you need.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards Dhiraj Gaur
Il 20/01/2012 17:17, Dhiraj Gaur ha scritto:
Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says
"Start the server and use a test client to send an MS-CHAP authentication request. The |radclient| cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above." Been there too. But after that I tested with eapol_test from wpa_supplicant. With negative results :(
Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same thorugh radtest. I could not understand "There's no User-Password in MS-CHAP." It's not sent to the server, so you can't use --pass= for ntlm_auth. It's only used to encrypt the challenge.
BYtE, Diego.
Dhiraj Gaur wrote: rt the server and use a test client to send an MS-CHAP
authentication request. The |radclient| cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above."
The radclient program has since been updated.
Hence I was of the view radtest cannot work for MS-CHAP authentication.
Sure. However, see "radtest -h". If you're running a recent version, it will tell you it can do MS-CHAP.
Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same thorugh radtest. I could not understand "There's no User-Password in MS-CHAP."
You hard-coded it to *always* do NTLM authentication, using the PAP credentials. Then you sent it a request which didn't contain a cleartext password. Again, the guide explains this in great detail. Follow it, and it will work. Alan DeKok.
Il 20/01/2012 19:44, Alan DeKok ha scritto:
The radclient program has since been updated. Then it could be better to update that page, since it's the reference for all newbies that try to make it work.
You hard-coded it to *always* do NTLM authentication, using the PAP credentials. Then you sent it a request which didn't contain a cleartext password. That's easy, it's on the page: remove the DEFAUL added for testing :)
Again, the guide explains this in great detail. Follow it, and it will work. "It *should* work" is more correct :( There still are many things that can go wrong.
BYtE, Diego.
NdK wrote:
The radclient program has since been updated. Then it could be better to update that page, since it's the reference for all newbies that try to make it work.
Yeah, I've gone and fixed that. "git" is nice for updating web pages.
"It *should* work" is more correct :( There still are many things that can go wrong.
If it doesn't work, the web pages explain which part to blame. 99% of the time, it's a bug in someone else's software. Alan DeKok.
Thanks ndk and alan I lll give it a fresh try to the testbed. I have already deleted the DEFAULT entry from the users file and updated mschap as indicated. I think what might be forcing NTLM_AUTH is an entry which i made to the authorize section of default file after which ntlm_auth strated to work for me if(!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } I ll try removing the same and then need to see how mschap thing will work. Would appreciate if you may point me to a further howto on the same. I aim to connect and eap client through radius without the use of certificates for which MSCHAP seems to be an option. I think I ll write a howto or add a wiki entry if I can make it work fine. regards Dhiraj Gaur On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok <aland@deployingradius.com>wrote:
NdK wrote:
The radclient program has since been updated. Then it could be better to update that page, since it's the reference for all newbies that try to make it work.
Yeah, I've gone and fixed that. "git" is nice for updating web pages.
"It *should* work" is more correct :( There still are many things that can go wrong.
If it doesn't work, the web pages explain which part to blame. 99% of the time, it's a bug in someone else's software.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards Dhiraj Gaur
Hi I did my tests and after removing that custom block of authorize section the following is the output. rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57 User-Name = "01546" User-Password = "xxxxxxxx" NAS-IP-Address = 192.168.0.99 NAS-Port = 0 Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...} Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok Sat Jan 21 19:21:08 2012 : Info: ++[chap] returns noop Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop Sat Jan 21 19:21:08 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL Sat Jan 21 19:21:08 2012 : Info: [suffix] No such realm "NULL" Sat Jan 21 19:21:08 2012 : Info: ++[suffix] returns noop Sat Jan 21 19:21:08 2012 : Info: [eap] No EAP-Message, not doing EAP Sat Jan 21 19:21:08 2012 : Info: ++[eap] returns noop Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx Sat Jan 21 19:21:08 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Sat Jan 21 19:21:08 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Sat Jan 21 19:21:08 2012 : Debug: Exec-Program: returned: 0 Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok Sat Jan 21 19:21:08 2012 : Info: ++[expiration] returns noop Sat Jan 21 19:21:08 2012 : Info: ++[logintime] returns noop Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Sat Jan 21 19:21:08 2012 : Info: Failed to authenticate the user. Sat Jan 21 19:21:08 2012 : Info: Using Post-Auth-Type Reject Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...} Sat Jan 21 19:21:08 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546 Sat Jan 21 19:21:08 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 --------------------------------------------------------- So means that ntlm_auth is still wokring good bt some access control triggers the Access-Reject. I am still directionless as to where should I head next, I mean how to make tht EAP client and MSCHAP authentication work. Would appreciate if I could get some handy quick and dirty list of works to do next OR some URL/mailing list entry etc which explains the same. I am reading a FreeRadius book (Packet Publishing) which just might help. Regards Dhiraj Gaur On Sat, Jan 21, 2012 at 7:12 PM, Dhiraj Gaur <dhiraj.gaur@gmail.com> wrote:
Thanks ndk and alan I lll give it a fresh try to the testbed. I have already deleted the DEFAULT entry from the users file and updated mschap as indicated. I think what might be forcing NTLM_AUTH is an entry which i made to the authorize section of default file after which ntlm_auth strated to work for me
if(!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } I ll try removing the same and then need to see how mschap thing will work. Would appreciate if you may point me to a further howto on the same. I aim to connect and eap client through radius without the use of certificates for which MSCHAP seems to be an option.
I think I ll write a howto or add a wiki entry if I can make it work fine.
regards Dhiraj Gaur
On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok <aland@deployingradius.com>wrote:
NdK wrote:
The radclient program has since been updated. Then it could be better to update that page, since it's the reference for all newbies that try to make it work.
Yeah, I've gone and fixed that. "git" is nice for updating web pages.
"It *should* work" is more correct :( There still are many things that can go wrong.
If it doesn't work, the web pages explain which part to blame. 99% of the time, it's a bug in someone else's software.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards
Dhiraj Gaur
-- Regards Dhiraj Gaur
On Sat, Jan 21, 2012 at 8:58 PM, Dhiraj Gaur <dhiraj.gaur@gmail.com> wrote:
rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57
User-Name = "01546" User-Password = "xxxxxxxx"
The presence of User-Password means you're still using pap.
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546 Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx
So means that ntlm_auth is still wokring good bt some access control triggers the Access-Reject.
I am still directionless as to where should I head next, I mean how to make tht EAP client and MSCHAP authentication work. Would appreciate if I could get some handy quick and dirty list of works to do next OR some URL/mailing list entry etc which explains the same.
Did you REALLY read the replies sent to this list? Did you REALLY read Alan's page, http://deployingradius.com/documents/configuration/active_directory.html to the end? If yes, you'd know that: - radtest can send mschap request as well (see 'radtest -h') - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth', contains detailed instruction on how to make FR works with AD and pap. If you can't get it to work, that means you're doing something wrong. Probably editing some entries you shouldn't, since your ntlm_auth result is OK (which means samba + AD part is working correctly). It's perfectly fine to be creative and edit the config file as you see fit, but ONLY if you know what you're doing. If you're given a recipe, and choose to stray from it, and messed up, don't blame the guy who created the recipe. - Also on Alan's page, there's the section 'Configuring FreeRADIUS to use ntlm_auth for MS-CHAP'. That pretty much answers the last part of your question, but ONLY if you already got pap working properly. -- Fajar
hi Fajar I did read the replies as well as Alan's page. Being a newbie to FR i actually started with that only. On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <list@fajar.net> wrote:
Did you REALLY read the replies sent to this list? Did you REALLY read Alan's page, http://deployingradius.com/documents/configuration/active_directory.html to the end?
The version of radtest on my system doesnt support the -t option, hence even after doing radtest -h I could not find anything. I settled for jradius client to achieve the same effect already. Have tried upgrading the package but its already in the latest version.
If yes, you'd know that: - radtest can send mschap request as well (see 'radtest -h')
The only changes I have done to default config is in the inner tunnel or default file. Attaching the same if you may have a look. I have never blamed Alan that his recipe is flawed.
- Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth', contains detailed instruction on how to make FR works with AD and pap. If you can't get it to work, that means you're doing something wrong. Probably editing some entries you shouldn't, since your ntlm_auth result is OK (which means samba + AD part is working correctly). It's perfectly fine to be creative and edit the config file as you see fit, but ONLY if you know what you're doing. If you're given a recipe, and choose to stray from it, and messed up, don't blame the guy who created the recipe.
The PAP things is already working fine as I mentioned earlier and have followed every bit of Alans guide. Would redo the things again if it works.
- Also on Alan's page, there's the section 'Configuring FreeRADIUS to use ntlm_auth for MS-CHAP'. That pretty much answers the last part of your question, but ONLY if you already got pap working properly.
Attaching the inner tunnel and default file, please go through the same and point out if something is amiss..... Default File ------------------------------------------------------------------------------ authorize { preprocess # auth_log chap mschap # digest # wimax # IPASS suffix # ntdomain eap { ok = return } # unix # files # sql ntlm_auth # etc_smbpasswd # ldap # checkval expiration logintime pap #if(!control:Auth-Type) { #update control { # Auth-Type = "ntlm_auth" #} #} # Autz-Type Status-Server { # # } } authenticate { Auth-Type NTLM_AUTH { ntlm_auth } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # digest # pam # unix # Auth-Type LDAP { # ldap # } eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } INNER TUNNEL FILE -------------------------------------------------- server inner-tunnel { #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} authorize { chap mschap # unix # IPASS suffix # ntdomain update control { Proxy-To-Realm := LOCAL } eap { ok = return } files #sql ntlm_auth # etc_smbpasswd # ldap # daily # checkval expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # pam ntlm_auth # unix # Auth-Type LDAP { # ldap # } eap } -- Regards Dhiraj Gaur
On Sat, Jan 21, 2012 at 11:14 PM, Dhiraj Gaur <dhiraj.gaur@gmail.com> wrote:
The version of radtest on my system doesnt support the -t option, hence even after doing radtest -h I could not find anything. I settled for jradius client to achieve the same effect already.
It doesn't really matter which client you use, IF you're familiar-enough with it and know how to use it. However, your posted log still shows you use pap. So that either means: - you don't know how to send mschap request using that client, or - you haven't got pap working correctly, or - you don't know the difference between pap and mschap - you posted the wrong debug output which is it?
Have tried upgrading the package but its already in the latest version.
You could always compile from source, or build your own package. If you use debian or ubuntu my ppa has the latest stable freeradius version: https://launchpad.net/~freeradius/+archive/stable Lucid version should fit debian installations just fine.
The PAP things is already working fine as I mentioned earlier and have followed every bit of Alans guide. Would redo the things again if it works.
I take your word for it
- Also on Alan's page, there's the section 'Configuring FreeRADIUS to use ntlm_auth for MS-CHAP'. That pretty much answers the last part of your question, but ONLY if you already got pap working properly.
Attaching the inner tunnel and default file, please go through the same and point out if something is amiss.....
Re-read that section, and do what it says. If you do it correctly, AND send mschap request (using whatever client you're familiar with), there should be NO debug line that says "ntlm_auth" with "User-Password" together. That's because mschap does NOT send User-Password attribute, and the ntlm_auth line is adjusted accordingly per instructions on the site. If you STILL have problems after doing that, post the updated debug logs. -- Fajar
Il 20/01/2012 21:46, Alan DeKok ha scritto:
Yeah, I've gone and fixed that. "git" is nice for updating web pages. Still there's "Then, fine the mschap module". s/fine/find/ :)
BTW, in a real AD setup, with AD servers used as DNS, there should be no need to setup /etc/krb5.conf: samba can auto detect the needed settings. BYtE, Diego.
NdK wrote:
Il 20/01/2012 21:46, Alan DeKok ha scritto:
Yeah, I've gone and fixed that. "git" is nice for updating web pages. Still there's "Then, fine the mschap module". s/fine/find/ :)
Fixed, thanks.
BTW, in a real AD setup, with AD servers used as DNS, there should be no need to setup /etc/krb5.conf: samba can auto detect the needed settings.
OK. Not everyone does that, but it's good to know. Alan DeKok.
participants (4)
-
Alan DeKok -
Dhiraj Gaur -
Fajar A. Nugraha -
NdK