MS-CHAPv2 not working
Hi, Does anyone know why MS-CHAPv2 may not be working on a new FreeRADIUS implementation we've built? I'm trying to do MS-CHAPv2 with a SQL database, not with LDAP. The issue only occurs when a realm is added to the username (on the RADIUS client). As I understand, as nostrip is not entered in the relevant realm block in /etc/raddb/proxy.conf, this should be stripped. radiusd -X output is at https://pastebin.com/kK9JYsF0 Information and passwords have been changed / sanitized. If I've missed any required information, please tell me, and I will respond accordingly. Warm Regards, Matthew McTague Head of Infrastructure, Reliance Networks d. +64 3 222 6013 t. 0800 483 882 (+64 3 683 9090) Website | Service Desk | Internet Services Reliance Networks Ltd accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.
On Apr 30, 2019, at 7:36 PM, Matthew McTague via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Does anyone know why MS-CHAPv2 may not be working on a new FreeRADIUS implementation we've built?
You edited the configuration and broke it. Don't do that.
I'm trying to do MS-CHAPv2 with a SQL database, not with LDAP.
The issue only occurs when a realm is added to the username (on the RADIUS client). As I understand, as nostrip is not entered in the relevant realm block in /etc/raddb/proxy.conf, this should be stripped.
The MS-CHAP calculations are done with the User-Name. If you mangle the User-Name, the MS-CHAP calculations will be wrong.
radiusd -X output is at https://pastebin.com/kK9JYsF0
Just post it here. That's what the documentation says to do.
Information and passwords have been changed / sanitized.
• rad_recv: Access-Request packet from host 10.11.127.229 port 60421, id=170, length=278 • Service-Type = Framed-User • Framed-Protocol = PPP • NAS-Port = 15732821 • NAS-Port-Type = Ethernet • User-Name = "testuser@test.net.nz" This is the real User-Name. • [preprocess] expand: %{User-Name} -> testuser@test.net.nz • [preprocess] hints: Matched DEFAULT at 36 • [preprocess] expand: %{1} -> testuser Then you mangle it, for reasons unexplained. • [mschap] Creating challenge hash with username: testuser Which is not the correct User-Name. • [mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password • [mschap] FAILED: MS-CHAP2-Response is incorrect And MS-CHAP fails. Don't re-write the User-Name. If you need to support realms, the "realms" module does this already. And, it does it in a way that *doesn't* break everything. Delete the "hints" configuration which re-writes the User-Name. Add in "test.net.nz" as a local realm to proxy.conf. It *will* work. Alan DeKok.
Are you using NT-password in your database? If not that's why it's not working! Mschapv2 uses this format in the challege! Em qua, 1 de mai de 2019 09:51, Alan DeKok <aland@deployingradius.com> escreveu:
On Apr 30, 2019, at 7:36 PM, Matthew McTague via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
Does anyone know why MS-CHAPv2 may not be working on a new FreeRADIUS implementation we've built?
You edited the configuration and broke it. Don't do that.
I'm trying to do MS-CHAPv2 with a SQL database, not with LDAP.
The issue only occurs when a realm is added to the username (on the RADIUS client). As I understand, as nostrip is not entered in the relevant realm block in /etc/raddb/proxy.conf, this should be stripped.
The MS-CHAP calculations are done with the User-Name. If you mangle the User-Name, the MS-CHAP calculations will be wrong.
radiusd -X output is at https://pastebin.com/kK9JYsF0
Just post it here. That's what the documentation says to do.
Information and passwords have been changed / sanitized.
• rad_recv: Access-Request packet from host 10.11.127.229 port 60421, id=170, length=278 • Service-Type = Framed-User • Framed-Protocol = PPP • NAS-Port = 15732821 • NAS-Port-Type = Ethernet • User-Name = "testuser@test.net.nz"
This is the real User-Name.
• [preprocess] expand: %{User-Name} -> testuser@test.net.nz • [preprocess] hints: Matched DEFAULT at 36 • [preprocess] expand: %{1} -> testuser
Then you mangle it, for reasons unexplained.
• [mschap] Creating challenge hash with username: testuser
Which is not the correct User-Name.
• [mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password • [mschap] FAILED: MS-CHAP2-Response is incorrect
And MS-CHAP fails.
Don't re-write the User-Name. If you need to support realms, the "realms" module does this already. And, it does it in a way that *doesn't* break everything.
Delete the "hints" configuration which re-writes the User-Name.
Add in "test.net.nz" as a local realm to proxy.conf.
It *will* work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all, I've removed the change to hints. In case it's relevant, this FreeRADIUS deployment was deployed using the DaloRADIUS instructions, including their web GUI. MS-CHAPv2 works perfectly when I try to connect as testlane5, but when I authenticate as testlane5@test.net.nz, it doesn't work. I understand the suggestion to use NT-Password. I have two questions: - How do I hash to get NT-Password prior to INSERT into the database? - If this is the issue, why does it connect normally without the realm? The user information is in the MySQL database, and does not include realm, i.e. I've used testlane5 rather than testlane5@test.net.nz as the username in the database I need this to work, to enable a user to use any realm configured in FreeRADIUS. I'm using ClearText-Password, shown below: mysql> select * from radcheck where id=189\G; *************************** 1. row *************************** id: 189 username: testlane5 attribute: Cleartext-Password op: := value: s8fds9856f 1 row in set (0.00 sec) ERROR: No query specified mysql> Current debug output: [root@radius-220q ~]# radiusd -X radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 18 2017 at 12:13:14 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sqlippool.conf including configuration file /etc/raddb/sql/mysql/ippool.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = no auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### realm other.test.net.nz { authhost = 127.0.0.1 accthost = 127.0.0.1 secret = s7f9876dg6sg85shd5s9 } realm test.net.nz { authhost = 127.0.0.1 accthost = 127.0.0.1 secret = s7f9876dg6sg85shd5s9 } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "s7f9876dg6sg85shd5s9" nastype = "other" } client 10.11.127.229 { require_message_authenticator = no secret = "s7f9876dg6sg85shd5s9" } client 10.11.127.218 { require_message_authenticator = no secret = "s7f9876dg6sg85shd5s9" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/huntgroups reading pairlist file /etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "pqJdP6qa3sZPt76" radius_db = "cloudradius" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 32 lifetime = 0 max_queries = 0 sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{%{Acct-Session-Time}:-0}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{%{Acct-Session-Time}:-0}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{%{Acct-Session-Time}:-0}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{%{Acct-Session-Time}:-0}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/cloudradius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): starting 5 rlm_sql (sql): Attempting to connect rlm_sql_mysql #5 rlm_sql_mysql: Starting connect to MySQL server for #5 rlm_sql (sql): Connected new DB handle, #5 rlm_sql (sql): starting 6 rlm_sql (sql): Attempting to connect rlm_sql_mysql #6 rlm_sql_mysql: Starting connect to MySQL server for #6 rlm_sql (sql): Connected new DB handle, #6 rlm_sql (sql): starting 7 rlm_sql (sql): Attempting to connect rlm_sql_mysql #7 rlm_sql_mysql: Starting connect to MySQL server for #7 rlm_sql (sql): Connected new DB handle, #7 rlm_sql (sql): starting 8 rlm_sql (sql): Attempting to connect rlm_sql_mysql #8 rlm_sql_mysql: Starting connect to MySQL server for #8 rlm_sql (sql): Connected new DB handle, #8 rlm_sql (sql): starting 9 rlm_sql (sql): Attempting to connect rlm_sql_mysql #9 rlm_sql_mysql: Starting connect to MySQL server for #9 rlm_sql (sql): Connected new DB handle, #9 rlm_sql (sql): starting 10 rlm_sql (sql): Attempting to connect rlm_sql_mysql #10 rlm_sql_mysql: Starting connect to MySQL server for #10 rlm_sql (sql): Connected new DB handle, #10 rlm_sql (sql): starting 11 rlm_sql (sql): Attempting to connect rlm_sql_mysql #11 rlm_sql_mysql: Starting connect to MySQL server for #11 rlm_sql (sql): Connected new DB handle, #11 rlm_sql (sql): starting 12 rlm_sql (sql): Attempting to connect rlm_sql_mysql #12 rlm_sql_mysql: Starting connect to MySQL server for #12 rlm_sql (sql): Connected new DB handle, #12 rlm_sql (sql): starting 13 rlm_sql (sql): Attempting to connect rlm_sql_mysql #13 rlm_sql_mysql: Starting connect to MySQL server for #13 rlm_sql (sql): Connected new DB handle, #13 rlm_sql (sql): starting 14 rlm_sql (sql): Attempting to connect rlm_sql_mysql #14 rlm_sql_mysql: Starting connect to MySQL server for #14 rlm_sql (sql): Connected new DB handle, #14 rlm_sql (sql): starting 15 rlm_sql (sql): Attempting to connect rlm_sql_mysql #15 rlm_sql_mysql: Starting connect to MySQL server for #15 rlm_sql (sql): Connected new DB handle, #15 rlm_sql (sql): starting 16 rlm_sql (sql): Attempting to connect rlm_sql_mysql #16 rlm_sql_mysql: Starting connect to MySQL server for #16 rlm_sql (sql): Connected new DB handle, #16 rlm_sql (sql): starting 17 rlm_sql (sql): Attempting to connect rlm_sql_mysql #17 rlm_sql_mysql: Starting connect to MySQL server for #17 rlm_sql (sql): Connected new DB handle, #17 rlm_sql (sql): starting 18 rlm_sql (sql): Attempting to connect rlm_sql_mysql #18 rlm_sql_mysql: Starting connect to MySQL server for #18 rlm_sql (sql): Connected new DB handle, #18 rlm_sql (sql): starting 19 rlm_sql (sql): Attempting to connect rlm_sql_mysql #19 rlm_sql_mysql: Starting connect to MySQL server for #19 rlm_sql (sql): Connected new DB handle, #19 rlm_sql (sql): starting 20 rlm_sql (sql): Attempting to connect rlm_sql_mysql #20 rlm_sql_mysql: Starting connect to MySQL server for #20 rlm_sql (sql): Connected new DB handle, #20 rlm_sql (sql): starting 21 rlm_sql (sql): Attempting to connect rlm_sql_mysql #21 rlm_sql_mysql: Starting connect to MySQL server for #21 rlm_sql (sql): Connected new DB handle, #21 rlm_sql (sql): starting 22 rlm_sql (sql): Attempting to connect rlm_sql_mysql #22 rlm_sql_mysql: Starting connect to MySQL server for #22 rlm_sql (sql): Connected new DB handle, #22 rlm_sql (sql): starting 23 rlm_sql (sql): Attempting to connect rlm_sql_mysql #23 rlm_sql_mysql: Starting connect to MySQL server for #23 rlm_sql (sql): Connected new DB handle, #23 rlm_sql (sql): starting 24 rlm_sql (sql): Attempting to connect rlm_sql_mysql #24 rlm_sql_mysql: Starting connect to MySQL server for #24 rlm_sql (sql): Connected new DB handle, #24 rlm_sql (sql): starting 25 rlm_sql (sql): Attempting to connect rlm_sql_mysql #25 rlm_sql_mysql: Starting connect to MySQL server for #25 rlm_sql (sql): Connected new DB handle, #25 rlm_sql (sql): starting 26 rlm_sql (sql): Attempting to connect rlm_sql_mysql #26 rlm_sql_mysql: Starting connect to MySQL server for #26 rlm_sql (sql): Connected new DB handle, #26 rlm_sql (sql): starting 27 rlm_sql (sql): Attempting to connect rlm_sql_mysql #27 rlm_sql_mysql: Starting connect to MySQL server for #27 rlm_sql (sql): Connected new DB handle, #27 rlm_sql (sql): starting 28 rlm_sql (sql): Attempting to connect rlm_sql_mysql #28 rlm_sql_mysql: Starting connect to MySQL server for #28 rlm_sql (sql): Connected new DB handle, #28 rlm_sql (sql): starting 29 rlm_sql (sql): Attempting to connect rlm_sql_mysql #29 rlm_sql_mysql: Starting connect to MySQL server for #29 rlm_sql (sql): Connected new DB handle, #29 rlm_sql (sql): starting 30 rlm_sql (sql): Attempting to connect rlm_sql_mysql #30 rlm_sql_mysql: Starting connect to MySQL server for #30 rlm_sql (sql): Connected new DB handle, #30 rlm_sql (sql): starting 31 rlm_sql (sql): Attempting to connect rlm_sql_mysql #31 rlm_sql_mysql: Starting connect to MySQL server for #31 rlm_sql (sql): Connected new DB handle, #31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /etc/raddb/users reading pairlist file /etc/raddb/acct_users reading pairlist file /etc/raddb/preproxy_users Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_sqlippool Module: Instantiating module "sqlippool" from file /etc/raddb/sqlippool.conf sqlippool { sql-instance-name = "sql" lease-duration = 1200 pool-name = "" allocate-begin = "START TRANSACTION" allocate-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'" allocate-find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < NOW() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE" allocate-update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 1200 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL" allocate-commit = "COMMIT" allocate-rollback = "ROLLBACK" pool-check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1" start-begin = "START TRANSACTION" start-update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 1200 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'" start-commit = "COMMIT" start-rollback = "ROLLBACK" alive-begin = "START TRANSACTION" alive-update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 1200 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'" alive-commit = "COMMIT" alive-rollback = "ROLLBACK" stop-begin = "START TRANSACTION" stop-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'" stop-commit = "COMMIT" stop-rollback = "ROLLBACK" on-begin = "START TRANSACTION" on-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'" on-commit = "COMMIT" on-rollback = "ROLLBACK" off-begin = "START TRANSACTION" off-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'" off-commit = "COMMIT" off-rollback = "ROLLBACK" sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" sqlippool_log_clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" sqlippool_log_nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" defaultpool = "main_pool" } Module: Linked to module rlm_always Module: Instantiating module "ok" from file /etc/raddb/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.11.127.229 port 46224, id=31, length=276 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729457 NAS-Port-Type = Ethernet User-Name = "testlane5@test.net.nz" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x1f3993056e4dacd5d7112a34d9d97078 MS-CHAP2-Response = 0x0100eb3b8b7818917c46039413a48a7a52780000000000000000246c4cef8fc251c4ed3fccc26c71a0b1242e0d678989479d NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] Looking up realm "test.net.nz" for User-Name = "testlane5@test.net.nz" [suffix] Found realm "test.net.nz" [suffix] Adding Stripped-User-Name = "testlane5" [suffix] Adding Realm = "test.net.nz" [suffix] Proxying request from user testlane5 to realm test.net.nz [suffix] Preparing to proxy authentication request to realm "test.net.nz" ++[suffix] = updated [eap] No EAP-Message, not doing EAP ++[eap] = noop [sql] expand: %{Stripped-User-Name} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' rlm_sql (sql): Reserving sql socket id: 31 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testlane5' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testlane5' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'default' ORDER BY id [sql] User found in group default [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'default' ORDER BY id rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 71 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729457 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x1f3993056e4dacd5d7112a34d9d97078 MS-CHAP2-Response = 0x0100eb3b8b7818917c46039413a48a7a52780000000000000000246c4cef8fc251c4ed3fccc26c71a0b1242e0d678989479d NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3331 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 71 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729457 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x1f3993056e4dacd5d7112a34d9d97078 MS-CHAP2-Response = 0x0100eb3b8b7818917c46039413a48a7a52780000000000000000246c4cef8fc251c4ed3fccc26c71a0b1242e0d678989479d NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3331 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=71, length=267 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729457 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x1f3993056e4dacd5d7112a34d9d97078 MS-CHAP2-Response = 0x0100eb3b8b7818917c46039413a48a7a52780000000000000000246c4cef8fc251c4ed3fccc26c71a0b1242e0d678989479d NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3331 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] No '@' in User-Name = "testlane5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testlane5 [sql] expand: %{%{User-Name}:-DEFAULT} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' rlm_sql (sql): Reserving sql socket id: 30 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testlane5' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testlane5' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'default' ORDER BY id [sql] User found in group default [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'default' ORDER BY id rlm_sql (sql): Released sql socket id: 30 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +group MS-CHAP { [mschap] Creating challenge hash with username: testlane5 [mschap] Client is using MS-CHAPv2 for testlane5, we need NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testlane5 [sql] expand: %{%{User-Name}:-DEFAULT} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5', '', 'Access-Reject', '2019-05-19 20:05:11') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5', '', 'Access-Reject', '2019-05-19 20:05:11') rlm_sql (sql): Reserving sql socket id: 29 rlm_sql (sql): Released sql socket id: 29 ++[sql] = ok [attr_filter.access_reject] expand: %{User-Name} -> testlane5 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.11.127.229 port 46224, id=31, length=276 Sending duplicate proxied request to home server 127.0.0.1 port 1812 - ID: 71 Sending Access-Request of id 71 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729457 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x1f3993056e4dacd5d7112a34d9d97078 MS-CHAP2-Response = 0x0100eb3b8b7818917c46039413a48a7a52780000000000000000246c4cef8fc251c4ed3fccc26c71a0b1242e0d678989479d NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3331 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=71, length=267 Waiting to send Access-Reject to client localhost port 1814 - ID: 71 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 10.11.127.229 port 46224, id=31, length=276 Sending duplicate proxied request to home server 127.0.0.1 port 1812 - ID: 71 Sending Access-Request of id 71 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729457 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x1f3993056e4dacd5d7112a34d9d97078 MS-CHAP2-Response = 0x0100eb3b8b7818917c46039413a48a7a52780000000000000000246c4cef8fc251c4ed3fccc26c71a0b1242e0d678989479d NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3331 Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=71, length=267 Waiting to send Access-Reject to client localhost port 1814 - ID: 71 Waking up in 0.3 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 71 to 127.0.0.1 port 1814 MS-CHAP-Error = "\001E=691 R=1" Proxy-State = 0x3331 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=71, length=42 MS-CHAP-Error = "\001E=691 R=1" Proxy-State = 0x3331 # Executing section post-proxy from file /etc/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [sql] expand: %{Stripped-User-Name} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5@test.net.nz', '', 'Access-Reject', '2019-05-19 20:05:11') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5@test.net.nz', '', 'Access-Reject', '2019-05-19 20:05:11') rlm_sql (sql): Reserving sql socket id: 28 rlm_sql (sql): Released sql socket id: 28 ++[sql] = ok [attr_filter.access_reject] expand: %{User-Name} -> testlane5@test.net.nz attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 31 to 10.11.127.229 port 46224 MS-CHAP-Error = "\001E=691 R=1" Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.127.229 port 58794, id=32, length=276 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729458 NAS-Port-Type = Ethernet User-Name = "testlane5@test.net.nz" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x8cfad6f1df5918ab44bcca7d4fd0eb9d MS-CHAP2-Response = 0x01007b8394b86094fb4bd086c3e8183f2e1b00000000000000007e68546c2b8eed73be5a12f8cb5175ab4cbedfa2aec45d2b NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] Looking up realm "test.net.nz" for User-Name = "testlane5@test.net.nz" [suffix] Found realm "test.net.nz" [suffix] Adding Stripped-User-Name = "testlane5" [suffix] Adding Realm = "test.net.nz" [suffix] Proxying request from user testlane5 to realm test.net.nz [suffix] Preparing to proxy authentication request to realm "test.net.nz" ++[suffix] = updated [eap] No EAP-Message, not doing EAP ++[eap] = noop [sql] expand: %{Stripped-User-Name} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' rlm_sql (sql): Reserving sql socket id: 27 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testlane5' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testlane5' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'default' ORDER BY id [sql] User found in group default [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'default' ORDER BY id rlm_sql (sql): Released sql socket id: 27 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 116 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729458 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x8cfad6f1df5918ab44bcca7d4fd0eb9d MS-CHAP2-Response = 0x01007b8394b86094fb4bd086c3e8183f2e1b00000000000000007e68546c2b8eed73be5a12f8cb5175ab4cbedfa2aec45d2b NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3332 Proxying request 2 to home server 127.0.0.1 port 1812 Sending Access-Request of id 116 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729458 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x8cfad6f1df5918ab44bcca7d4fd0eb9d MS-CHAP2-Response = 0x01007b8394b86094fb4bd086c3e8183f2e1b00000000000000007e68546c2b8eed73be5a12f8cb5175ab4cbedfa2aec45d2b NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3332 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=116, length=267 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729458 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x8cfad6f1df5918ab44bcca7d4fd0eb9d MS-CHAP2-Response = 0x01007b8394b86094fb4bd086c3e8183f2e1b00000000000000007e68546c2b8eed73be5a12f8cb5175ab4cbedfa2aec45d2b NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3332 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok ++[digest] = noop [suffix] No '@' in User-Name = "testlane5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testlane5 [sql] expand: %{%{User-Name}:-DEFAULT} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' rlm_sql (sql): Reserving sql socket id: 26 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testlane5' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testlane5' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'default' ORDER BY id [sql] User found in group default [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'default' ORDER BY id rlm_sql (sql): Released sql socket id: 26 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +group MS-CHAP { [mschap] Creating challenge hash with username: testlane5 [mschap] Client is using MS-CHAPv2 for testlane5, we need NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testlane5 [sql] expand: %{%{User-Name}:-DEFAULT} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5', '', 'Access-Reject', '2019-05-19 20:05:12') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5', '', 'Access-Reject', '2019-05-19 20:05:12') rlm_sql (sql): Reserving sql socket id: 25 rlm_sql (sql): Released sql socket id: 25 ++[sql] = ok [attr_filter.access_reject] expand: %{User-Name} -> testlane5 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.11.127.229 port 58794, id=32, length=276 Sending duplicate proxied request to home server 127.0.0.1 port 1812 - ID: 116 Sending Access-Request of id 116 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729458 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-timarutech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x8cfad6f1df5918ab44bcca7d4fd0eb9d MS-CHAP2-Response = 0x01007b8394b86094fb4bd086c3e8183f2e1b00000000000000007e68546c2b8eed73be5a12f8cb5175ab4cbedfa2aec45d2b NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3332 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=116, length=267 Waiting to send Access-Reject to client localhost port 1814 - ID: 116 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 10.11.127.229 port 58794, id=32, length=276 Sending duplicate proxied request to home server 127.0.0.1 port 1812 - ID: 116 Sending Access-Request of id 116 to 127.0.0.1 port 1812 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 15729458 NAS-Port-Type = Ethernet User-Name = "testlane5" Calling-Station-Id = "02:24:83:47:95:AB" Called-Station-Id = "tech.test.net.nz" NAS-Port-Id = "eoip-tech" MS-CHAP-Domain = "test.net.nz" MS-CHAP-Challenge = 0x8cfad6f1df5918ab44bcca7d4fd0eb9d MS-CHAP2-Response = 0x01007b8394b86094fb4bd086c3e8183f2e1b00000000000000007e68546c2b8eed73be5a12f8cb5175ab4cbedfa2aec45d2b NAS-Identifier = "tech.test.net.nz" Mikrotik-Realm = "test.net.nz" NAS-IP-Address = 10.11.127.229 Proxy-State = 0x3332 Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=116, length=267 Waiting to send Access-Reject to client localhost port 1814 - ID: 116 Waking up in 0.3 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 116 to 127.0.0.1 port 1814 MS-CHAP-Error = "\001E=691 R=1" Proxy-State = 0x3332 Waking up in 3.8 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=116, length=42 MS-CHAP-Error = "\001E=691 R=1" Proxy-State = 0x3332 # Executing section post-proxy from file /etc/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [sql] expand: %{Stripped-User-Name} -> testlane5 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testlane5 [sql] sql_set_user escaped user --> 'testlane5' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5@test.net.nz', '', 'Access-Reject', '2019-05-19 20:05:12') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5@test.net.nz', '', 'Access-Reject', '2019-05-19 20:05:12') rlm_sql (sql): Reserving sql socket id: 24 rlm_sql (sql): Released sql socket id: 24 ++[sql] = ok [attr_filter.access_reject] expand: %{User-Name} -> testlane5@test.net.nz attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 32 to 10.11.127.229 port 58794 MS-CHAP-Error = "\001E=691 R=1" Finished request 2. Going to the next request Waking up in 3.8 seconds. ^C [root@radius-220q ~]# Warm Regards, Matthew McTague Head of Infrastructure, Reliance Networks d. +64 3 222 6013 t. 0800 483 882 (+64 3 683 9090) Website | Service Desk | Internet Services Reliance Networks Ltd accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+matthew.mctague=reliance.net.nz@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Thursday, 2 May 2019 12:51 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: MS-CHAPv2 not working On Apr 30, 2019, at 7:36 PM, Matthew McTague via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Does anyone know why MS-CHAPv2 may not be working on a new FreeRADIUS implementation we've built?
You edited the configuration and broke it. Don't do that.
I'm trying to do MS-CHAPv2 with a SQL database, not with LDAP.
The issue only occurs when a realm is added to the username (on the RADIUS client). As I understand, as nostrip is not entered in the relevant realm block in /etc/raddb/proxy.conf, this should be stripped.
The MS-CHAP calculations are done with the User-Name. If you mangle the User-Name, the MS-CHAP calculations will be wrong.
radiusd -X output is at https://pastebin.com/kK9JYsF0
Just post it here. That's what the documentation says to do.
Information and passwords have been changed / sanitized.
• rad_recv: Access-Request packet from host 10.11.127.229 port 60421, id=170, length=278 • Service-Type = Framed-User • Framed-Protocol = PPP • NAS-Port = 15732821 • NAS-Port-Type = Ethernet • User-Name = "testuser@test.net.nz" This is the real User-Name. • [preprocess] expand: %{User-Name} -> testuser@test.net.nz • [preprocess] hints: Matched DEFAULT at 36 • [preprocess] expand: %{1} -> testuser Then you mangle it, for reasons unexplained. • [mschap] Creating challenge hash with username: testuser Which is not the correct User-Name. • [mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password • [mschap] FAILED: MS-CHAP2-Response is incorrect And MS-CHAP fails. Don't re-write the User-Name. If you need to support realms, the "realms" module does this already. And, it does it in a way that *doesn't* break everything. Delete the "hints" configuration which re-writes the User-Name. Add in "test.net.nz" as a local realm to proxy.conf. It *will* work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 19, 2019, at 4:28 AM, Matthew McTague via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I've removed the change to hints.
That's good.
In case it's relevant, this FreeRADIUS deployment was deployed using the DaloRADIUS instructions, including their web GUI.
That doesn't really matter.
MS-CHAPv2 works perfectly when I try to connect as testlane5, but when I authenticate as testlane5@test.net.nz, it doesn't work.
Which is what you said before.
I understand the suggestion to use NT-Password. I have two questions: - How do I hash to get NT-Password prior to INSERT into the database?
There are many tools to do this. The server comes with a program called "smbencrypt" that does this.
- If this is the issue, why does it connect normally without the realm?
It isn't the issue. As I explained before.
The user information is in the MySQL database, and does not include realm, i.e. I've used testlane5 rather than testlane5@test.net.nz as the username in the database I need this to work, to enable a user to use any realm configured in FreeRADIUS.
You've said that before...
I'm using ClearText-Password, shown below:
That's fine.
Current debug output:
[root@radius-220q ~]# radiusd -X radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 18 2017 at 12:13:14
2.2.26 is many years out of date. As for the rest of the debug output, you're *proxying* the packets to localhost:
radiusd: #### Loading Realms and Home Servers #### realm other.test.net.nz { authhost = 127.0.0.1 accthost = 127.0.0.1 secret = s7f9876dg6sg85shd5s9 } realm test.net.nz { authhost = 127.0.0.1 accthost = 127.0.0.1 secret = s7f9876dg6sg85shd5s9 }
Don't do that. I said create a *local* realm. The comments in the proxy.conf file tell you how to do this. Just do: realm.test.net.nz { } And it should work. And PLEASE edit your posts. There's no need to include 100's of lines of prior messages at the bottom of your post. Follow best practices and you can get problems solved. Have poor practices, and you'll be stumbling in the dark for a long time. Alan DeKok.
Hi Alan, Thanks for the constructive feedback, and my apologies for the length of my previous reply (bad list etiquette, I should know better). This was originally built on CentOS 6 due to a MySQL clustering issue that a colleague had had previously with CentOS 7. Nevertheless, I'm doing to start again with CentOS 7 and FreeRADIUS 3, and build this from scratch (and from source) without using DaloRADIUS, which I feel will give a much cleaner and reliable result. I'm planning to run a Galera cluster on the same servers, to sync the database, and I'll utilise git for source control of configuration files. Does this sound okay? I'm trying to achieve a standard build, which I can then add to slowly to achieve my desired result. Warm Regards, Matthew McTague Head of Infrastructure, Reliance Networks d. +64 3 222 6013 t. 0800 483 882 (+64 3 683 9090) Website | Service Desk | Internet Services Reliance Networks Ltd accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.
On May 19, 2019, at 10:07 PM, Matthew McTague via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Nevertheless, I'm doing to start again with CentOS 7 and FreeRADIUS 3, and build this from scratch (and from source) without using DaloRADIUS, which I feel will give a much cleaner and reliable result. I'm planning to run a Galera cluster on the same servers, to sync the database, and I'll utilise git for source control of configuration files.
Does this sound okay?
Yes.
I'm trying to achieve a standard build, which I can then add to slowly to achieve my desired result.
1) use the default install 2) add a local realm to proxy.conf: realm.test.net.nz { } 3) edit raddb/users (or raddb/mods-config/files/authorize, which is the same file) Add at the top: user Cleartext-Password := "password" It *will* work. Alan DeKok.
Hi Alan, I'm still experiencing the same MS-CHAPv2 issues, where I connect as testlane5@test.net.nz. Works fine without the realm. Cleartext-Password exists in database: MariaDB [radius]> select * from radcheck\G; *************************** 1. row *************************** id: 1 username: testlane5 attribute: Cleartext-Password op: := value: R1zmj55L5o 1 row in set (0.00 sec) Debug output: [root@radius-220q raddb]# radiusd -X FreeRADIUS Version 3.0.19 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/moonshot-targeted-ids including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/rfc7542 including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm test.net.nz { } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_sql # Loading module "sql" from file /etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "sql" from file /etc/raddb/mods-enabled/sql rlm_sql_mysql: libmysql version: 10.1.38-MariaDB mysql { tls { tls_required = no } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.2.24-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.2.24-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.2.24-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.2.24-MariaDB-log, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.2.24-MariaDB-log, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 10.11.127.229 (tech-220q) to global clients list rlm_sql (10.11.127.229): Client "tech-220q" (sql) added rlm_sql (sql): Adding client 10.11.127.237 (tech-162g) to global clients list rlm_sql (10.11.127.237): Client "tech-162g" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.2.24-MariaDB-log, protocol version 10 # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 46303 Listening on proxy address :: port 53827 Ready to process requests (0) Received Access-Request Id 146 from 10.11.127.229:53835 to 10.220.11.120:1812 length 273 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15774416 (0) NAS-Port-Type = Ethernet (0) User-Name = "testlane5@test.net.nz" (0) Calling-Station-Id = "02:24:83:47:95:AB" (0) Called-Station-Id = "tech.reliance.net.nz" (0) NAS-Port-Id = "eoip-timarutech" (0) MS-CHAP-Domain = "test.net.nz" (0) MS-CHAP-Challenge = 0x19909c0173ad130d2ee1b1638bd14e28 (0) MS-CHAP2-Response = 0x0100f4e22372c5eaec88436495a031b5440f0000000000000000d62c1da843d1500aab3bd3a3cc47d1c2cd5bc764a308936a (0) NAS-Identifier = "tech.reliance.net.nz" (0) Mikrotik-Realm = "test.net.nz" (0) NAS-IP-Address = 10.11.127.229 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "test.net.nz" for User-Name = "testlane5@test.net.nz" (0) suffix: Found realm "test.net.nz" (0) suffix: Adding Stripped-User-Name = "testlane5" (0) suffix: Adding Realm = "test.net.nz" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> testlane5@test.net.nz (0) sql: SQL-User-Name set to 'testlane5@test.net.nz' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5@test.net.nz' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5@test.net.nz' ORDER BY id rlm_sql (sql): Reserved connection (2) rlm_sql (sql): Released connection (2) (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testlane5@test.net.nz' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testlane5@test.net.nz' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (0) mschap: Creating challenge hash with username: testlane5@test.net.nz (0) mschap: Client is using MS-CHAPv2 (0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (3) (0) sql: EXPAND %{User-Name} (0) sql: --> testlane5@test.net.nz (0) sql: SQL-User-Name set to 'testlane5@test.net.nz' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5@test.net.nz', '', 'Access-Reject', '2019-06-04 13:26:31') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testlane5@test.net.nz', '', 'Access-Reject', '2019-06-04 13:26:31') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (3) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> testlane5@test.net.nz (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. (0) (0) Discarding duplicate request from client tech-220q port 53835 - ID: 146 due to delayed response Waking up in 0.6 seconds. (0) (0) Discarding duplicate request from client tech-220q port 53835 - ID: 146 due to delayed response Waking up in 0.4 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 146 from 10.220.11.120:1812 to 10.11.127.229:53835 length 103 (0) MS-CHAP-Error = "\001E=691 R=1 C=ab094b3abb912e9b74970591f519a847 V=3 M=Authentication rejected" Waking up in 3.9 seconds. ^C[root@radius-220q raddb]# Warm Regards, Matthew McTague Head of Infrastructure, Reliance Networks d. +64 3 222 6013 t. 0800 483 882 (+64 3 683 9090) Website | Service Desk | Internet Services Reliance Networks Ltd accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.
On Jun 3, 2019, at 9:36 PM, Matthew McTague via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm still experiencing the same MS-CHAPv2 issues, where I connect as testlane5@test.net.nz.
No, you're not. Read the debug output. There's a lot there, but it's not difficult if you *read* it.
Works fine without the realm.
Cleartext-Password exists in database:
MariaDB [radius]> select * from radcheck\G; *************************** 1. row *************************** id: 1 username: testlane5 attribute: Cleartext-Password op: := value: R1zmj55L5o
That's nice.
... (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> testlane5@test.net.nz (0) sql: SQL-User-Name set to 'testlane5@test.net.nz' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5@test.net.nz' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testlane5@test.net.nz' ORDER BY id
Hmm... that seems pretty darned clear. Read raddb/mods-config/sql/main/mysql/queries.conf See sql_user_name Alan DeKok.
participants (3)
-
Alan DeKok -
Manoel bezerra -
Matthew McTague