rlm_perl with WinXP MS-CHAP clients ?
Hello, I have a freeradius 1.0.X server setup with ppp and pptp using a mysql DB for user authentication. Here I assign static IP's and users to groups. We wish to use rlm_perl instead of the sql module so we can authenticate the users against a in house application. I have build freeradius 1.1.3 from source and it seems to work however since the client is WinXP and the auth type is MS-CHAP it seems to be calling the mschap section under authentication and then exiting. Here is my debug output: rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, length=141 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "baduser" MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6 MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b Calling-Station-Id = ".271" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "baduser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1 found interpetator at address 0x9d5ad20 rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271 rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6 rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1 rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP rlm_perl: MG RAD_REQUEST: User-Name = baduser rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: MG RAD_REQUEST: NAS-Port = 0 rlm_perl: Added pair Framed-Protocol = PPP rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Framed-IP-Address = 255.255.255.254 rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP rlm_perl: Added pair Framed-MTU = 576 rlm_perl: Added pair Framed-Protocol = PPP rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Auth-Type = MS-CHAP perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x9d5ad20 modcall[authorize]: module "perl" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [baduser/<no User-Password attribute>] (from client localhost port 0 cli .271) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 51 to 127.0.0.1 port 32768 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 51 with timestamp 451194b6 Nothing to do. Sleeping until we see a request. -- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.
Hello, It seems that it is not using rlm_perl for authentication. I would assume that this is because according the document I was following, it had me add: Auth-Type Perl { perl } To the authentication section, which means if the Auth-Type is set to perl then using the module perl. However I think that since the client or server is setting the auth type to MS-CHAP since that is what the client is using, it is trying to use the mschap module. I did make the following change under the users file: #DEFAULT Auth-Type = System # Fall-Through = 1 DEFAULT Auth-Type = Perl Fall-Through = 1 As the documention (http://wiki.freeradius.org/index.php/Rlm_perl) said to do so. If anyone has any info it would be helpful. Michael Michael Gale wrote:
Hello,
I have a freeradius 1.0.X server setup with ppp and pptp using a mysql DB for user authentication.
Here I assign static IP's and users to groups. We wish to use rlm_perl instead of the sql module so we can authenticate the users against a in house application.
I have build freeradius 1.1.3 from source and it seems to work however since the client is WinXP and the auth type is MS-CHAP it seems to be calling the mschap section under authentication and then exiting.
Here is my debug output:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, length=141 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "baduser" MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6 MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
Calling-Station-Id = ".271" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "baduser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1 found interpetator at address 0x9d5ad20 rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271 rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6 rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1 rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP rlm_perl: MG RAD_REQUEST: User-Name = baduser rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: MG RAD_REQUEST: NAS-Port = 0 rlm_perl: Added pair Framed-Protocol = PPP rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Framed-IP-Address = 255.255.255.254 rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP rlm_perl: Added pair Framed-MTU = 576 rlm_perl: Added pair Framed-Protocol = PPP rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Auth-Type = MS-CHAP perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x9d5ad20 modcall[authorize]: module "perl" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [baduser/<no User-Password attribute>] (from client localhost port 0 cli .271) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 51 to 127.0.0.1 port 32768 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 51 with timestamp 451194b6 Nothing to do. Sleeping until we see a request.
-- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.
Michael Gale <michael.gale@pason.com> wrote:
To the authentication section, which means if the Auth-Type is set to perl then using the module perl. However I think that since the client or server is setting the auth type to MS-CHAP since that is what the client is using, it is trying to use the mschap module.
The mschap module is setting that. Are you really saying you're going to write Perl code to validate the MS-CHAP data sent by the client, and in turn send the right MS-CHAP response? Why? What possible benefit does this have?
Here I assign static IP's and users to groups. We wish to use rlm_perl instead of the sql module so we can authenticate the users against a in house application.
Does that in-house application support MS-CHAP? No? Then using rlm_perl won't help. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello, I think I used some of the wrong terms before ... So currently we have a freeradius server with the default setup except I have enabled the SQL module. I have then placed users in a mysql db according to the schema. In the DB I setup static IP's for the users. Now the clients are WinXP machines using the Microsoft PPTP connection with the defaults and it is working fine. I believe that it is using MS-CHAP. I would like to move away from the SQL DB, since all the users exist in another place. So I was hoping to use the rlm_perl module to check the username and passwords of the people connecting and if valid assign them a static IP. Michael Alan DeKok wrote:
Michael Gale <michael.gale@pason.com> wrote:
To the authentication section, which means if the Auth-Type is set to perl then using the module perl. However I think that since the client or server is setting the auth type to MS-CHAP since that is what the client is using, it is trying to use the mschap module.
The mschap module is setting that.
Are you really saying you're going to write Perl code to validate the MS-CHAP data sent by the client, and in turn send the right MS-CHAP response? Why? What possible benefit does this have?
Here I assign static IP's and users to groups. We wish to use rlm_perl instead of the sql module so we can authenticate the users against a in house application.
Does that in-house application support MS-CHAP? No? Then using rlm_perl won't help.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.
Michael Gale <michael.gale@pason.com> wrote:
I would like to move away from the SQL DB, since all the users exist in another place. So I was hoping to use the rlm_perl module to check the username and passwords of the people connecting and if valid assign them a static IP.
And again, my response is the same. Are you going to write MS-CHAP authentication code in Perl? It's probably not rocket science, but I just don't see why. If the users exist elsewhere, then write Perl code to query the other location for the users clear-text password. Add that to the RAD_CHECK list, and the server will take care of doing the right thing for MS-CHAP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hey, I do not want to write MS-CHAP is perl, I guess I do not understand how to add stuff to the RAD_CHECK list. I will look into this, is that how the SQL module works since the passwords are currently in clear text in the DB ? Michael Alan DeKok wrote:
Michael Gale <michael.gale@pason.com> wrote:
I would like to move away from the SQL DB, since all the users exist in another place. So I was hoping to use the rlm_perl module to check the username and passwords of the people connecting and if valid assign them a static IP.
And again, my response is the same. Are you going to write MS-CHAP authentication code in Perl? It's probably not rocket science, but I just don't see why.
If the users exist elsewhere, then write Perl code to query the other location for the users clear-text password. Add that to the RAD_CHECK list, and the server will take care of doing the right thing for MS-CHAP.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.
Never mind ... I should of paid closer attention to the wiki doc. Michael Alan DeKok wrote:
Michael Gale <michael.gale@pason.com> wrote:
I would like to move away from the SQL DB, since all the users exist in another place. So I was hoping to use the rlm_perl module to check the username and passwords of the people connecting and if valid assign them a static IP.
And again, my response is the same. Are you going to write MS-CHAP authentication code in Perl? It's probably not rocket science, but I just don't see why.
If the users exist elsewhere, then write Perl code to query the other location for the users clear-text password. Add that to the RAD_CHECK list, and the server will take care of doing the right thing for MS-CHAP.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.
participants (2)
-
Alan DeKok -
Michael Gale