EAP-PEAP with mschap login failed MSCHAP returns reject but we want to send no Reject but Accept with GUEST Vlan AVPs
Hi all, I am using FreeRADIUS for quite some time now, though I can't wrap my mind around one thing: When a module (say, mschap with ntlm_auth) returns REJECT because of the user is not present in the AD, I want to continue processing the request to, let's say, accept the request, but provide an alternative VLAN (Tunnel-Id) to the endpoint. In chapter 16.3.1 of http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf, section "Return Codes as Modules", it clearly states: * reject: Causes the request to be immediately rejected So my question boils down to: How can I use the mscap module to check whether a user is valid, and somehow anticipate that he/she does not exist, and continue with an alternate processing (read: decide later on whether to accept/reject the user) in such a case. I thank you very much in advance, and I appreciate your answer. For full reference, I included my current setup with explainations: --- Using EAP-PEAPv0 -> valid user credentials should result in an accept with AV-Pair list A and invalid credentials should result in Accept but AV-Pair list B Example: Using EAP-PEAP Login OK Sending Accept and Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = "22" Login failed Sending Accept and Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = "33" I want to control the result via a manipulated control attribute AcnACLType. I set these attibutes from withing rlm_perl: ########### Snippet Perl Policy ############################### if ( $RAD_CHECK{'AcnACLType'} eq "data" ) { $RAD_CHECK{'Auth-Type'}= "Accept"; $RAD_REPLY{'Reply-Message'}= "data"; $RAD_REPLY{'Tunnel-Medium-Type'}= "IEEE-802"; $RAD_REPLY{'Tunnel-Private-Group-Id'}= "22"; $RAD_REPLY{'Tunnel-Type'}= "VLAN"; return RLM_MODULE_OK; } elsif ( $RAD_CHECK{'AcnACLType'} eq "authfail" ) { $RAD_CHECK{'Auth-Type'}= "Accept"; $RAD_REPLY{'Reply-Message'}= "AuthFail"; $RAD_REPLY{'Tunnel-Medium-Type'}= "IEEE-802"; $RAD_REPLY{'Tunnel-Private-Group-Id'}= "33"; $RAD_REPLY{'Tunnel-Type'}= "VLAN"; return RLM_MODULE_OK; } ########### Snippet Perl Policy ############################### In case of MSCHAP authenticating, everything works as expected: ===================Begin LOG ================================ Wed Jun 18 09:59:50 2014 : Info: [eap] processing type mschapv2 Wed Jun 18 09:59:50 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel Wed Jun 18 09:59:50 2014 : Info: [mschapv2] +- entering group MS-CHAP {...} Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt Wed Jun 18 09:59:50 2014 : Info: [mschap] Told to do MS-CHAPv2 for pschmidt with NT-Password Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=testlab.auconet.lan Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=pschmidt Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9499863a8977daa3 Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=161b24c676d1a53738cdb10037111c81f1fe1d4d5407266a Wed Jun 18 09:59:50 2014 : Debug: Exec-Program output: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886 Wed Jun 18 09:59:50 2014 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886 Wed Jun 18 09:59:50 2014 : Debug: Exec-Program: returned: 0 Wed Jun 18 09:59:50 2014 : Info: ++[mschap] returns ok Wed Jun 18 09:59:50 2014 : Info: ++? if (ok) Wed Jun 18 09:59:50 2014 : Info: ? Evaluating (ok) -> TRUE Wed Jun 18 09:59:50 2014 : Info: ++? if (ok) -> TRUE Wed Jun 18 09:59:50 2014 : Info: ++- entering if (ok) {...} Wed Jun 18 09:59:50 2014 : Info: +++[control] returns ok Wed Jun 18 09:59:50 2014 : Info: ++- if (ok) returns ok Wed Jun 18 09:59:50 2014 : Info: ++ ... skipping elsif for request 20: Preceding "if" was taken Wed Jun 18 09:59:50 2014 : Debug: MSCHAP Success Wed Jun 18 09:59:50 2014 : Info: ++[eap] returns handled } # server inner-tunnel Wed Jun 18 09:59:50 2014 : Info: ++[control] returns ok : Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair User-Name = testlab.auconet.lan\\pschmidt Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x030b0004 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-EMSK = 0x97d3f6e398c284127ee6ad52d55d8a0e609e453971050f546c964193d18dae3c0d74518ef466560670426f120bae29e1c268494e07b5c13ce67033c7135a08d3 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 22 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair AcnACLType = data Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept Wed Jun 18 09:59:50 2014 : Info: ++[perlpolicy] returns ok Wed Jun 18 09:59:50 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default Wed Jun 18 09:59:50 2014 : Info: +- entering group post-auth {...} Wed Jun 18 09:59:50 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 11 to 127.0.0.1 port 38368 Reply-Message = "AuthFail" MS-MPPE-Send-Key = 0x8cc588be92973040e5f09c8ebdc30ea4480a717aaf984fdf8182c3c6c5ffbfa8 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testlab.auconet.lan\\pschmidt" MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5 EAP-Message = 0x030b0004 Tunnel-Private-Group-Id:0 = "22" Wed Jun 18 09:59:50 2014 : Info: Finished request 22. =============================== END LOG ===================================== My problem begins if the credentials are invalid. In this case inner-tunnel returns with "REJECT" and then there seems to be no way to change this into an "ACCEPT". My feeling at this point is that I miss an important concept in the way FreeRADIUS processes requests. Here is a snippet from inner-tunnel section: ############### SNIP ########################## authenticate { Auth-Type EAP { eap { ok = 1 reject = return fail=return } # if (ok) { update control { Auth-Type := "Accept" AcnACLType="data" } } elsif (reject) { update control { Auth-Type := "Accept" AcnACLType="authfail" LogMessage := "RadiusReject" } auconetLog } } ########################## End Inner tunnel ########################### and in default server ############################ Default Server ########################### Auth-Type EAP { eap { ok = 1 reject = return invalid =1 } if (ok) { update control { #Auth-Type := "Accept" AcnACLType := "data" } #update reply { # Tunnel-Type := VLAN # Tunnel-Medium-Type := IEEE-802 # Tunnel-Private-Group-Id := "22" #} } elsif (reject || invalid ) { update control { AcnACLType := "authfail" LogMessage := "RadiusReject" Auth-Type := "Accept" } auconetLog update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "33" } } update control { FreeRADIUS-Client-Shortname="%{Client-Shortname}" } perlpolicy } ###################################################### The log is: ================ LOG Begin =================================== Wed Jun 18 10:48:04 2014 : Info: [eap] processing type mschapv2 Wed Jun 18 10:48:04 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel Wed Jun 18 10:48:04 2014 : Info: [mschapv2] +- entering group MS-CHAP {...} Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail Wed Jun 18 10:48:04 2014 : Info: [mschap] Told to do MS-CHAPv2 for radiusfail with NT-Password Wed Jun 18 10:48:04 2014 : Info: [mschap] No NT-Domain was found in the User-Name. Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain= Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=radiusfail Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3fc42259705d168a Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1a7a459b40d3527944a7aadcdf32a499c097cf0dc1c296ad Wed Jun 18 10:48:04 2014 : Debug: Exec-Program output: Logon failure (0xc000006d) Wed Jun 18 10:48:04 2014 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Wed Jun 18 10:48:04 2014 : Debug: Exec-Program: returned: 1 Wed Jun 18 10:48:04 2014 : Info: [mschap] External script failed. Wed Jun 18 10:48:04 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Wed Jun 18 10:48:04 2014 : Info: ++[mschap] returns reject Wed Jun 18 10:48:04 2014 : Info: [eap] Freeing handler Wed Jun 18 10:48:04 2014 : Info: ++[eap] returns reject <<<<<< Wed Jun 18 10:48:04 2014 : Info: Failed to authenticate the user. } # server inner-tunnel Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:04 2014 : Info: [peap] Tunneled authentication was rejected. Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair State = 0xe26df394eb67ea7b6c664f076e6e6a50 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Calling-Station-Id = 02:00:00:00:00:01 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x6ab434e42ece49cdb13eb90438443c03 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair User-Name = radiusfail Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x020a0050190017030100208c1c20ac2dcb12e53b8a57d494b40657b43bd5019ca84e352e57a1069a1176a917030100209ed7b46fa6d167c1aacf327ae328c70674c366c0ddeceab26e7ba5232f3b029e Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Type = PEAP Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Framed-MTU = 1400 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Reply-Message = AuthFail Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x040a0004 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 33 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair FreeRADIUS-Client-Shortname = localhost Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair LogMessage = RadiusReject Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair AcnACLType = authfail Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept Wed Jun 18 10:48:04 2014 : Info: ++[perlpolicy] returns ok Wed Jun 18 10:48:04 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default Wed Jun 18 10:48:04 2014 : Info: +- entering group post-auth {...} Wed Jun 18 10:48:04 2014 : Info: ++[exec] returns noop Wed Jun 18 10:48:04 2014 : Info: Using Post-Auth-Type Reject Wed Jun 18 10:48:04 2014 : Info: # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default Wed Jun 18 10:48:04 2014 : Info: +- entering group REJECT {...} Wed Jun 18 10:48:04 2014 : Info: ++- group REJECT returns noop Wed Jun 18 10:48:04 2014 : Info: Delaying reject of request 10 for 1 seconds Wed Jun 18 10:48:04 2014 : Debug: Going to the next request Wed Jun 18 10:48:04 2014 : Debug: Waking up in 0.9 seconds. Wed Jun 18 10:48:05 2014 : Info: Sending delayed reject for request 10 Sending Access-Reject of id 10 to 127.0.0.1 port 51730 Reply-Message = "AuthFail" EAP-Message = 0x040a0004 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "33" Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:05 2014 : Debug: Waking up in 3.9 seconds. ================= LOG End ===================================== My naïve idea is to instead send an Access-Accept with a Tunnel-Id of 11. I disabled the filter in Post-Auth-Type REJECT { #attr_filter.access_reject } to see attributes from my perl-policy. Thanks
On 18/06/14 13:09, Becker, Alexander wrote:
When a module (say, mschap with ntlm_auth) returns REJECT because of the user is not present in the AD, I want to continue processing the request to, let's say, accept the request, but provide an alternative VLAN (Tunnel-Id) to the endpoint.
You can't. mschap is a challenge/response protocol. You can't force it to succeed without valid authentication data and if you do, the client will reject it anyway as the response will be invalid. You need to look for "fail vlan" support on your NAS.
participants (2)
-
Becker, Alexander -
Phil Mayers