MSCHAPv2 Module with Stripped-Username - no ActiveDirectory
Hi everybody, I'd like to build an IPSec IKEV2 VPN with 2-factor authentication over EAP-Radius and MSCHAPv2. The OTP should be placed in the "User-Name" attribute with a ":" as seperator. e.g.: <username>:<otp> - johndoe:123456 In the authorize section the User-Name attribute get splitted in two parts: "Stripped-Username" and "User-OTP" if ( &User-Name =~ /^(.*):([0-9]{6})$/) { update request { Stripped-User-Name := "%{1}" User-OTP := "%{2}" } } The first step is to authenticate the username with otp over rlm_perl. If the first step succeeds, the eap module will be called and makes an mschapv2 authentication over sql (cleartext password). And here is my problem. Whenever I get to this step, I get the following error: "rlm_eap: Identity does not match User-Name, setting from EAP identity" The eap module uses the original username (johndoe:123456) and password for the mschap challenge. Is there any way to use the "Stripped-Username" for mschap without executing ntlm_auth? I dont need to authenticate against AD. I cant attach my debug log as I havent access to the server right now but maybe someone could give me a hint. I have googled a lot and read some threads with a similar problem but they all are using AD auth with ntlm_auth. Thanks for helping!! Best Regards -- This email was Malware checked by UTM 9. http://www.sophos.com
On Nov 9, 2018, at 5:01 PM, Markus Maurer <lists@v-net.tk> wrote:
Hi everybody,
I'd like to build an IPSec IKEV2 VPN with 2-factor authentication over EAP-Radius and MSCHAPv2. The OTP should be placed in the "User-Name" attribute with a ":" as seperator. e.g.: <username>:<otp> - johndoe:123456
That's not recommended. It's much easier to put the OTP into the password.
In the authorize section the User-Name attribute get splitted in two parts: "Stripped-Username" and "User-OTP" if ( &User-Name =~ /^(.*):([0-9]{6})$/) { update request { Stripped-User-Name := "%{1}" User-OTP := "%{2}" } }
The first step is to authenticate the username with otp over rlm_perl. If the first step succeeds, the eap module will be called and makes an mschapv2 authentication over sql (cleartext password). And here is my problem. Whenever I get to this step, I get the following error: "rlm_eap: Identity does not match User-Name, setting from EAP identity"
When EAP happens, the server gets the users name as both the User-Name and as an EAP-Identitity. The two need to match.
The eap module uses the original username (johndoe:123456) and password for the mschap challenge.
That should work, I think.
Is there any way to use the "Stripped-Username" for mschap without executing ntlm_auth? I dont need to authenticate against AD.
No. MS-CHAP uses the *whole* User-Name for authentication. That's how MS-CHAP works. Alan DeKok.
Hi Alan, thank you very much for the fast answer! :) I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password anymore?! Is it possible to modify the eap identity before its getting to the eap module? I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there. Thanks! Best regards
Am 09.11.2018 um 23:25 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 9, 2018, at 5:01 PM, Markus Maurer <lists@v-net.tk> wrote:
Hi everybody,
I'd like to build an IPSec IKEV2 VPN with 2-factor authentication over EAP-Radius and MSCHAPv2. The OTP should be placed in the "User-Name" attribute with a ":" as seperator. e.g.: <username>:<otp> - johndoe:123456
That's not recommended. It's much easier to put the OTP into the password.
In the authorize section the User-Name attribute get splitted in two parts: "Stripped-Username" and "User-OTP" if ( &User-Name =~ /^(.*):([0-9]{6})$/) { update request { Stripped-User-Name := "%{1}" User-OTP := "%{2}" } }
The first step is to authenticate the username with otp over rlm_perl. If the first step succeeds, the eap module will be called and makes an mschapv2 authentication over sql (cleartext password). And here is my problem. Whenever I get to this step, I get the following error: "rlm_eap: Identity does not match User-Name, setting from EAP identity"
When EAP happens, the server gets the users name as both the User-Name and as an EAP-Identitity. The two need to match.
The eap module uses the original username (johndoe:123456) and password for the mschap challenge.
That should work, I think.
Is there any way to use the "Stripped-Username" for mschap without executing ntlm_auth? I dont need to authenticate against AD.
No. MS-CHAP uses the *whole* User-Name for authentication. That's how MS-CHAP works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This email was Malware checked by UTM 9. http://www.sophos.com
On Nov 9, 2018, at 5:54 PM, Markus Maurer <lists@v-net.tk> wrote:
thank you very much for the fast answer! :)
I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password anymore?!
True. Which is why most people use PAP for OTP.
Is it possible to modify the eap identity before its getting to the eap module?
Sure. But again... the MS-CHAP calculations are done on the User-Name as supplied by the end user. Modifying things on the RADIUS server won't affect the calculations done by the end user.
I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.
Why not just do the MS-CHAP calculations on the whole User-Name? Why strip off the OTP? Alan DeKok.
Yes, but its not possible using pap in my case anyway..:/ Cause linotp just verifys the otp over rlm_perl and it hasnt stored the password of the user in its database, so the second step is to verify only the user ft. password against the sql database. Do you have any idea how to setup something like this? Thanks! Best regards
Am 10.11.2018 um 20:45 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 9, 2018, at 5:54 PM, Markus Maurer <lists@v-net.tk> wrote: thank you very much for the fast answer! :)
I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password anymore?!
True. Which is why most people use PAP for OTP.
Is it possible to modify the eap identity before its getting to the eap module?
Sure. But again... the MS-CHAP calculations are done on the User-Name as supplied by the end user. Modifying things on the RADIUS server won't affect the calculations done by the end user.
I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.
Why not just do the MS-CHAP calculations on the whole User-Name? Why strip off the OTP?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 10, 2018, at 3:28 PM, Markus Maurer <lists@v-net.tk> wrote:
Yes, but its not possible using pap in my case anyway..:/
Then you're pretty much stuck.
Cause linotp just verifys the otp over rlm_perl and it hasnt stored the password of the user in its database, so the second step is to verify only the user ft. password against the sql database.
Do you have any idea how to setup something like this?
The server already gets passwords from SQL and authenticates the user. This is in the default config, and fairly well documented. What, exactly, are you looking for? Alan DeKok.
The problem is that the user is stored in database as following: <username> <password> And the request comes with <username>:<otp> <password>. So I have to strip the username to verify against the database. I just need something to use eap mschapv2 with a stripped-username or a an external program like ntlm_auth without AD binding which could be executed in the eap module
Am 11.11.2018 um 16:16 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 10, 2018, at 3:28 PM, Markus Maurer <lists@v-net.tk> wrote:
Yes, but its not possible using pap in my case anyway..:/
Then you're pretty much stuck.
Cause linotp just verifys the otp over rlm_perl and it hasnt stored the password of the user in its database, so the second step is to verify only the user ft. password against the sql database.
Do you have any idea how to setup something like this?
The server already gets passwords from SQL and authenticates the user. This is in the default config, and fairly well documented. What, exactly, are you looking for?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 11, 2018, at 10:57 AM, Markus Maurer <lists@v-net.tk> wrote:
The problem is that the user is stored in database as following: <username> <password> And the request comes with <username>:<otp> <password>. So I have to strip the username to verify against the database. I just need something to use eap mschapv2 with a stripped-username or a an external program like ntlm_auth without AD binding which could be executed in the eap module
You can't strip the User-Name and expect that ntlm_auth will work. Again, the MS-CHAP calculations are done on the full username as supplied by the user. Which in this case, includes the OTP. Since AD works on the *real name*, and not the *name with the OTP*, you can't pass both the real name and the one with the OTP, to ntlm_auth. ntlm_and and AD don't support that use-case. What you want to do is impossible. If the users name and password is in SQL, then it's possible. Look up the user in SQL based on the Stripped-User-Name (which is the default). And, do the MS-CHAP calculations based on the real User-Name (which is also the default). And *don't* modify the User-Name attribute. Alan DeKok.
I got this working on an other system which is bound to an active directory. The only difference is that I‘m using ntlm_auth in the eap module and in the ntlm_auth command I can use the stripped-username attribute. How it works? The first step: check *only* the otp over rlm_perl. If this success: The second step: exec the eap module and use ntlm_auth with the stripped-username.
Am 11.11.2018 um 17:46 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 11, 2018, at 10:57 AM, Markus Maurer <lists@v-net.tk> wrote:
The problem is that the user is stored in database as following: <username> <password> And the request comes with <username>:<otp> <password>. So I have to strip the username to verify against the database. I just need something to use eap mschapv2 with a stripped-username or a an external program like ntlm_auth without AD binding which could be executed in the eap module
You can't strip the User-Name and expect that ntlm_auth will work. Again, the MS-CHAP calculations are done on the full username as supplied by the user. Which in this case, includes the OTP.
Since AD works on the *real name*, and not the *name with the OTP*, you can't pass both the real name and the one with the OTP, to ntlm_auth. ntlm_and and AD don't support that use-case.
What you want to do is impossible.
If the users name and password is in SQL, then it's possible. Look up the user in SQL based on the Stripped-User-Name (which is the default). And, do the MS-CHAP calculations based on the real User-Name (which is also the default).
And *don't* modify the User-Name attribute.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I just need an external script which makes the mschap calculation, thats all, so I could use a stripped username
Am 11.11.2018 um 18:10 schrieb Markus Maurer <lists@v-net.tk>:
I got this working on an other system which is bound to an active directory. The only difference is that I‘m using ntlm_auth in the eap module and in the ntlm_auth command I can use the stripped-username attribute. How it works? The first step: check *only* the otp over rlm_perl. If this success: The second step: exec the eap module and use ntlm_auth with the stripped-username.
Am 11.11.2018 um 17:46 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 11, 2018, at 10:57 AM, Markus Maurer <lists@v-net.tk> wrote:
The problem is that the user is stored in database as following: <username> <password> And the request comes with <username>:<otp> <password>. So I have to strip the username to verify against the database. I just need something to use eap mschapv2 with a stripped-username or a an external program like ntlm_auth without AD binding which could be executed in the eap module
You can't strip the User-Name and expect that ntlm_auth will work. Again, the MS-CHAP calculations are done on the full username as supplied by the user. Which in this case, includes the OTP.
Since AD works on the *real name*, and not the *name with the OTP*, you can't pass both the real name and the one with the OTP, to ntlm_auth. ntlm_and and AD don't support that use-case.
What you want to do is impossible.
If the users name and password is in SQL, then it's possible. Look up the user in SQL based on the Stripped-User-Name (which is the default). And, do the MS-CHAP calculations based on the real User-Name (which is also the default).
And *don't* modify the User-Name attribute.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 11, 2018, at 12:14 PM, Markus Maurer <lists@v-net.tk> wrote:
I just need an external script which makes the mschap calculation, thats all, so I could use a stripped username
FreeRADIUS can do the MS-CHAP calculation. That's what FreeRADIUS *does*. And I think I've explained this subject enough. Either you're not paying attention, or you're not understanding me. Adding an external script won't change anything. The MS-CHAP calculations are well understood. Their inputs are understood. Their outputs are understood. There is no magical possibility of "adding an external script" and suddenly something *works* when it was impossible to do with FreeRADIUS. Things just don't work like that. Stop trying to "work around" the problem. Spend time *understanding* the problem. You will then see either that what you want to do is impossible, *or* it can be done with FreeRADIUS Alan DeKok.
I understand the problem, but I can't believe that there is no workaround. It's just because freeradius can't handle the stripped username in eap, thats all. So please explain me why it's working with AD then? Am Sonntag, November 11, 2018 20:42 CET, Alan DeKok <aland@deployingradius.com> schrieb: On Nov 11, 2018, at 12:14 PM, Markus Maurer <lists@v-net.tk> wrote:
I just need an external script which makes the mschap calculation, thats all, so I could use a stripped username
FreeRADIUS can do the MS-CHAP calculation. That's what FreeRADIUS *does*. And I think I've explained this subject enough. Either you're not paying attention, or you're not understanding me. Adding an external script won't change anything. The MS-CHAP calculations are well understood. Their inputs are understood. Their outputs are understood. There is no magical possibility of "adding an external script" and suddenly something *works* when it was impossible to do with FreeRADIUS. Things just don't work like that. Stop trying to "work around" the problem. Spend time *understanding* the problem. You will then see either that what you want to do is impossible, *or* it can be done with FreeRADIUS Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This email was Malware checked by UTM 9. http://www.sophos.com
On Nov 11, 2018, at 3:26 PM, Markus Maurer <lists@v-net.tk> wrote:
I understand the problem, but I can't believe that there is no workaround. It's just because freeradius can't handle the stripped username in eap, thats all.
That's not what I said. In fact, I said *explicitly* the opposite in my previous message. If you're not going to bother reading my answers, why are you posting questions here?
So please explain me why it's working with AD then?
Since you didn't post debug output or anything else that the documentations suggests, no. I'm done here. Alan DeKok.
Hmm... Meanwhile I think that you didn‘t understand the problem. You’re just talking around the problem, not about the problem neither trying to help solving it... The nt hash is calculated from the password, not from the username that’s why it's possible to modify the user on the radius server and that’s why you could use the otp in the username. And how do you call ntlm_auth called from eap? It‘s an external program, not contained in freeradius. In my opinion this is an *external magical possibility* using a stripped username for AD authentication.
Am 11.11.2018 um 21:31 schrieb Alan DeKok <aland@deployingradius.com>:
On Nov 11, 2018, at 3:26 PM, Markus Maurer <lists@v-net.tk> wrote: I understand the problem, but I can't believe that there is no workaround. It's just because freeradius can't handle the stripped username in eap, thats all.
That's not what I said.
In fact, I said *explicitly* the opposite in my previous message.
If you're not going to bother reading my answers, why are you posting questions here?
So please explain me why it's working with AD then?
Since you didn't post debug output or anything else that the documentations suggests, no.
I'm done here.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This email was Malware checked by UTM 9. http://www.sophos.com
On 11 Nov 2018, at 20:56, Markus Maurer <lists@v-net.tk> wrote:
Hmm... Meanwhile I think that you didn‘t understand the problem. You’re just talking around the problem, not about the problem neither trying to help solving it...
I'm reasonably sure the maintainer of the server has a better idea of how it works than yourself.
The nt hash is calculated from the password, not from the username
That's 100% correct, but unfortunately 100% unrelated. MSCHAP uses the username to create the *challenge hash* not the *NT hash*. If you change the username, the authentication process fails because you've changed the challenge hash. You *cannot* make this work using MSCHAP and AD. If you want to use OTP you have to change EAP method, or as Alan told you several messages ago, store clear text passwords. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
You *cannot* make this work using MSCHAP and AD.It is working. Look at this: Mon Nov 12 11:04:40 2018 : Debug: (0) Received Access-Request Id 8 from 192.168.2.100:58006 to 192.168.1.100:1812 length 170 Mon Nov 12 11:04:40 2018 : Debug: (0) User-Name = "johndoe:123456" Mon Nov 12 11:04:40 2018 : Debug: (0) NAS-Port-Type = Virtual Mon Nov 12 11:04:40 2018 : Debug: (0) Service-Type = Framed-User Mon Nov 12 11:04:40 2018 : Debug: (0) NAS-Port = 5 Mon Nov 12 11:04:40 2018 : Debug: (0) NAS-Port-Id = "con2" Mon Nov 12 11:04:40 2018 : Debug: (0) NAS-IP-Address = 188.188.188.188 Mon Nov 12 11:04:40 2018 : Debug: (0) Called-Station-Id = "188.188.188.188[4500]" Mon Nov 12 11:04:40 2018 : Debug: (0) Calling-Station-Id = "66.66.66.66[4500]" Mon Nov 12 11:04:40 2018 : Debug: (0) EAP-Message = 0x02000019016d61726b75732e6d61757265723a313131313131 Mon Nov 12 11:04:40 2018 : Debug: (0) NAS-Identifier = "strongSwan" Mon Nov 12 11:04:40 2018 : Debug: (0) Message-Authenticator = 0xc990005408b55db605a48c5ba965d7da Mon Nov 12 11:04:40 2018 : Debug: (0) session-state: No State attribute Mon Nov 12 11:04:40 2018 : Debug: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (0) authorize { Mon Nov 12 11:04:40 2018 : Debug: (0) if ( &User-Name =~ /^(.*):([0-9]{6})$/) { Mon Nov 12 11:04:40 2018 : Debug: No matches Mon Nov 12 11:04:40 2018 : Debug: Adding 3 matches Mon Nov 12 11:04:40 2018 : Debug: (0) if ( &User-Name =~ /^(.*):([0-9]{6})$/) -> TRUE Mon Nov 12 11:04:40 2018 : Debug: (0) if ( &User-Name =~ /^(.*):([0-9]{6})$/) { Mon Nov 12 11:04:40 2018 : Debug: (0) update request { Mon Nov 12 11:04:40 2018 : Debug: (0) 1/3 Found: johndoe (14) Mon Nov 12 11:04:40 2018 : Debug: (0) EXPAND %{1} Mon Nov 12 11:04:40 2018 : Debug: (0) --> johndoe Mon Nov 12 11:04:40 2018 : Debug: (0) Stripped-User-Name := johndoe Mon Nov 12 11:04:40 2018 : Debug: (0) 2/3 Found: 123456 (7) Mon Nov 12 11:04:40 2018 : Debug: (0) EXPAND %{2} Mon Nov 12 11:04:40 2018 : Debug: (0) --> 123456 Mon Nov 12 11:04:40 2018 : Debug: (0) User-OTP := 123456 Mon Nov 12 11:04:40 2018 : Debug: (0) } # update request = noop Mon Nov 12 11:04:40 2018 : Debug: (0) } # if ( &User-Name =~ /^(.*):([0-9]{6})$/) = noop Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess) Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) Mon Nov 12 11:04:40 2018 : Debug: (0) [preprocess] = ok Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: calling files (rlm_files) Mon Nov 12 11:04:40 2018 : Debug: %{%{Stripped-User-Name}:-%{User-Name}} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: XLAT-IF { Mon Nov 12 11:04:40 2018 : Debug: attribute --> Stripped-User-Name Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: XLAT-ELSE { Mon Nov 12 11:04:40 2018 : Debug: attribute --> User-Name Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: (0) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} Mon Nov 12 11:04:40 2018 : Debug: (0) files: --> johndoe Mon Nov 12 11:04:40 2018 : Debug: (0) files: users: Matched entry johndoe at line 4 Mon Nov 12 11:04:40 2018 : Debug: (0) files: ::: FROM 0 TO 0 MAX 0 Mon Nov 12 11:04:40 2018 : Debug: (0) files: ::: TO in 0 out 0 Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) Mon Nov 12 11:04:40 2018 : Debug: (0) [files] = ok Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration) Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration) Mon Nov 12 11:04:40 2018 : Debug: (0) [expiration] = noop Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime) Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime) Mon Nov 12 11:04:40 2018 : Debug: (0) [logintime] = noop Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (0) [pap] = updated Mon Nov 12 11:04:40 2018 : Debug: (0) } # authorize = updated Mon Nov 12 11:04:40 2018 : Debug: (0) Found Auth-Type = PAP Mon Nov 12 11:04:40 2018 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (0) Auth-Type PAP { Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authenticate]: calling pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (0) pap: Login attempt with password "123456" (6) Mon Nov 12 11:04:40 2018 : Debug: (0) pap: Comparing with "known good" Cleartext-Password "123456" (6) Mon Nov 12 11:04:40 2018 : Debug: (0) pap: User authenticated successfully Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authenticate]: returned from pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (0) [pap] = ok Mon Nov 12 11:04:40 2018 : Debug: (0) if (ok) { Mon Nov 12 11:04:40 2018 : Debug: (0) if (ok) -> TRUE Mon Nov 12 11:04:40 2018 : Debug: (0) if (ok) { Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authenticate]: calling eap (rlm_eap) Mon Nov 12 11:04:40 2018 : Debug: (0) eap: Peer sent packet with method EAP Identity (1) Mon Nov 12 11:04:40 2018 : Debug: (0) eap: Calling submodule eap_mschapv2 to process data Mon Nov 12 11:04:40 2018 : Debug: (0) eap_mschapv2: Issuing Challenge Mon Nov 12 11:04:40 2018 : Debug: (0) eap: Sending EAP Request (code 1) ID 1 length 43 Mon Nov 12 11:04:40 2018 : Debug: (0) eap: EAP session adding &reply:State = 0xfb6bfe4bfb6ae43b Mon Nov 12 11:04:40 2018 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) Mon Nov 12 11:04:40 2018 : Debug: (0) [eap] = handled Mon Nov 12 11:04:40 2018 : Debug: (0) } # if (ok) = handled Mon Nov 12 11:04:40 2018 : Debug: (0) } # Auth-Type PAP = handled Mon Nov 12 11:04:40 2018 : Debug: (0) Using Post-Auth-Type Challenge Mon Nov 12 11:04:40 2018 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (0) Challenge { ... } # empty sub-section is ignored Mon Nov 12 11:04:40 2018 : Debug: (0) session-state: Nothing to cache Mon Nov 12 11:04:40 2018 : Debug: (0) Sent Access-Challenge Id 8 from 192.168.1.100:1812 to 192.168.2.100:58006 length 0 Mon Nov 12 11:04:40 2018 : Debug: (0) EAP-Message = 0x0101002b1a010100261030e3952e2c9124e7da1b5349c01cd33d667265657261646975732d332e302e3133 Mon Nov 12 11:04:40 2018 : Debug: (0) Message-Authenticator = 0x00000000000000000000000000000000 Mon Nov 12 11:04:40 2018 : Debug: (0) State = 0xfb6bfe4bfb6ae43b45f5a1d5430de6d2 Mon Nov 12 11:04:40 2018 : Debug: (0) Finished request Mon Nov 12 11:04:40 2018 : Debug: Waking up in 4.9 seconds. Mon Nov 12 11:04:40 2018 : Debug: (1) Received Access-Request Id 9 from 192.168.2.100:58006 to 192.168.1.100:1812 length 242 Mon Nov 12 11:04:40 2018 : Debug: (1) User-Name = "johndoe:123456" Mon Nov 12 11:04:40 2018 : Debug: (1) NAS-Port-Type = Virtual Mon Nov 12 11:04:40 2018 : Debug: (1) Service-Type = Framed-User Mon Nov 12 11:04:40 2018 : Debug: (1) NAS-Port = 5 Mon Nov 12 11:04:40 2018 : Debug: (1) NAS-Port-Id = "con2" Mon Nov 12 11:04:40 2018 : Debug: (1) NAS-IP-Address = 188.188.188.188 Mon Nov 12 11:04:40 2018 : Debug: (1) Called-Station-Id = "188.188.188.188[4500]" Mon Nov 12 11:04:40 2018 : Debug: (1) Calling-Station-Id = "66.66.66.66[4500]" Mon Nov 12 11:04:40 2018 : Debug: (1) EAP-Message = 0x0201004f1a0201004a3145c827eec3e80f01d82457f43e2e188100000000000000004caa9abd0548379b7e274a01c7faf807a7be4b3f16980725006d61726b75732e6d61757265723a313131313131 Mon Nov 12 11:04:40 2018 : Debug: (1) NAS-Identifier = "strongSwan" Mon Nov 12 11:04:40 2018 : Debug: (1) State = 0xfb6bfe4bfb6ae43b45f5a1d5430de6d2 Mon Nov 12 11:04:40 2018 : Debug: (1) Message-Authenticator = 0x502608d30fe0da78dfab8667b1a66496 Mon Nov 12 11:04:40 2018 : Debug: (1) session-state: No cached attributes Mon Nov 12 11:04:40 2018 : Debug: (1) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (1) authorize { Mon Nov 12 11:04:40 2018 : Debug: (1) if ( &User-Name =~ /^(.*):([0-9]{6})$/) { Mon Nov 12 11:04:40 2018 : Debug: No matches Mon Nov 12 11:04:40 2018 : Debug: Adding 3 matches Mon Nov 12 11:04:40 2018 : Debug: (1) if ( &User-Name =~ /^(.*):([0-9]{6})$/) -> TRUE Mon Nov 12 11:04:40 2018 : Debug: (1) if ( &User-Name =~ /^(.*):([0-9]{6})$/) { Mon Nov 12 11:04:40 2018 : Debug: (1) update request { Mon Nov 12 11:04:40 2018 : Debug: (1) 1/3 Found: johndoe (14) Mon Nov 12 11:04:40 2018 : Debug: (1) EXPAND %{1} Mon Nov 12 11:04:40 2018 : Debug: (1) --> johndoe Mon Nov 12 11:04:40 2018 : Debug: (1) Stripped-User-Name := johndoe Mon Nov 12 11:04:40 2018 : Debug: (1) 2/3 Found: 123456 (7) Mon Nov 12 11:04:40 2018 : Debug: (1) EXPAND %{2} Mon Nov 12 11:04:40 2018 : Debug: (1) --> 123456 Mon Nov 12 11:04:40 2018 : Debug: (1) User-OTP := 123456 Mon Nov 12 11:04:40 2018 : Debug: (1) } # update request = noop Mon Nov 12 11:04:40 2018 : Debug: (1) } # if ( &User-Name =~ /^(.*):([0-9]{6})$/) = noop Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) Mon Nov 12 11:04:40 2018 : Debug: (1) [preprocess] = ok Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: calling files (rlm_files) Mon Nov 12 11:04:40 2018 : Debug: %{%{Stripped-User-Name}:-%{User-Name}} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: XLAT-IF { Mon Nov 12 11:04:40 2018 : Debug: attribute --> Stripped-User-Name Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: XLAT-ELSE { Mon Nov 12 11:04:40 2018 : Debug: attribute --> User-Name Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: (1) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} Mon Nov 12 11:04:40 2018 : Debug: (1) files: --> johndoe Mon Nov 12 11:04:40 2018 : Debug: (1) files: users: Matched entry johndoe at line 4 Mon Nov 12 11:04:40 2018 : Debug: (1) files: ::: FROM 0 TO 0 MAX 0 Mon Nov 12 11:04:40 2018 : Debug: (1) files: ::: TO in 0 out 0 Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) Mon Nov 12 11:04:40 2018 : Debug: (1) [files] = ok Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) Mon Nov 12 11:04:40 2018 : Debug: (1) [expiration] = noop Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) Mon Nov 12 11:04:40 2018 : Debug: (1) [logintime] = noop Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (1) [pap] = updated Mon Nov 12 11:04:40 2018 : Debug: (1) } # authorize = updated Mon Nov 12 11:04:40 2018 : Debug: (1) Found Auth-Type = PAP Mon Nov 12 11:04:40 2018 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (1) Auth-Type PAP { Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authenticate]: calling pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (1) pap: Login attempt with password "123456" (6) Mon Nov 12 11:04:40 2018 : Debug: (1) pap: Comparing with "known good" Cleartext-Password "123456" (6) Mon Nov 12 11:04:40 2018 : Debug: (1) pap: User authenticated successfully Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authenticate]: returned from pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (1) [pap] = ok Mon Nov 12 11:04:40 2018 : Debug: (1) if (ok) { Mon Nov 12 11:04:40 2018 : Debug: (1) if (ok) -> TRUE Mon Nov 12 11:04:40 2018 : Debug: (1) if (ok) { Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authenticate]: calling eap (rlm_eap) Mon Nov 12 11:04:40 2018 : Debug: (1) eap: Expiring EAP session with state 0xfb6bfe4bfb6ae43b Mon Nov 12 11:04:40 2018 : Debug: (1) eap: Finished EAP session with state 0xfb6bfe4bfb6ae43b Mon Nov 12 11:04:40 2018 : Debug: (1) eap: Previous EAP request found for state 0xfb6bfe4bfb6ae43b, released from the list Mon Nov 12 11:04:40 2018 : Debug: (1) eap: Peer sent packet with method EAP MSCHAPv2 (26) Mon Nov 12 11:04:40 2018 : Debug: (1) eap: Calling submodule eap_mschapv2 to process data Mon Nov 12 11:04:40 2018 : Debug: (1) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (1) eap_mschapv2: authenticate { Mon Nov 12 11:04:40 2018 : Debug: (1) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Found Cleartext-Password, hashing to create NT-Password Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Found Cleartext-Password, hashing to create LM-Password Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Creating challenge hash with username: johndoe:123456 Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Client is using MS-CHAPv2 Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name} --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: Mon Nov 12 11:04:40 2018 : Debug: --username=%{Stripped-User-Name} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: literal --> --username= Mon Nov 12 11:04:40 2018 : Debug: attribute --> Stripped-User-Name Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: EXPAND --username=%{Stripped-User-Name} Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: --> --username=johndoe Mon Nov 12 11:04:40 2018 : Debug: --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: literal --> --domain= Mon Nov 12 11:04:40 2018 : Debug: XLAT-IF { Mon Nov 12 11:04:40 2018 : Debug: xlat --> mschap Mon Nov 12 11:04:40 2018 : Debug: { Mon Nov 12 11:04:40 2018 : Debug: literal --> NT-Domain Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: XLAT-ELSE { Mon Nov 12 11:04:40 2018 : Debug: literal --> EXAMPLEDOM Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : ERROR: (1) mschap: No NT-Domain was found in the User-Name Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: --> --domain=EXAMPLEDOM Mon Nov 12 11:04:40 2018 : Debug: --challenge=%{mschap:Challenge:-00} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: literal --> --challenge= Mon Nov 12 11:04:40 2018 : Debug: xlat --> mschap Mon Nov 12 11:04:40 2018 : Debug: { Mon Nov 12 11:04:40 2018 : Debug: literal --> Challenge:-00 Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Creating challenge hash with username: johndoe:123456 Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: EXPAND --challenge=%{mschap:Challenge:-00} Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: --> --challenge=d64fcfdbedcc33ee Mon Nov 12 11:04:40 2018 : Debug: --nt-response=%{mschap:NT-Response:-00} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: literal --> --nt-response= Mon Nov 12 11:04:40 2018 : Debug: xlat --> mschap Mon Nov 12 11:04:40 2018 : Debug: { Mon Nov 12 11:04:40 2018 : Debug: literal --> NT-Response:-00 Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: --> --nt-response=4caa9abd0548379b7e274a01c7faf807a7be4b3f16980725 Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Program returned code (0) and output 'NT_KEY: B18DE605DA0547E15B2F27CEBA5CEBB1' Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Adding MS-CHAPv2 MPPE keys Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authenticate]: returned from mschap (rlm_mschap) Mon Nov 12 11:04:40 2018 : Debug: (1) [mschap] = ok Mon Nov 12 11:04:40 2018 : Debug: (1) } # authenticate = ok Mon Nov 12 11:04:40 2018 : Debug: (1) MSCHAP Success Mon Nov 12 11:04:40 2018 : Debug: (1) eap: Sending EAP Request (code 1) ID 2 length 51 Mon Nov 12 11:04:40 2018 : Debug: (1) eap: EAP session adding &reply:State = 0xfb6bfe4bfa69e43b Mon Nov 12 11:04:40 2018 : Debug: (1) modsingle[authenticate]: returned from eap (rlm_eap) Mon Nov 12 11:04:40 2018 : Debug: (1) [eap] = handled Mon Nov 12 11:04:40 2018 : Debug: (1) } # if (ok) = handled Mon Nov 12 11:04:40 2018 : Debug: (1) } # Auth-Type PAP = handled Mon Nov 12 11:04:40 2018 : Debug: (1) Using Post-Auth-Type Challenge Mon Nov 12 11:04:40 2018 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (1) Challenge { ... } # empty sub-section is ignored Mon Nov 12 11:04:40 2018 : Debug: (1) session-state: Nothing to cache Mon Nov 12 11:04:40 2018 : Debug: (1) Sent Access-Challenge Id 9 from 192.168.1.100:1812 to 192.168.2.100:58006 length 0 Mon Nov 12 11:04:40 2018 : Debug: (1) EAP-Message = 0x010200331a0301002e533d31454643303335343134334238423145433843363138443039453534433946453631373032333434 Mon Nov 12 11:04:40 2018 : Debug: (1) Message-Authenticator = 0x00000000000000000000000000000000 Mon Nov 12 11:04:40 2018 : Debug: (1) State = 0xfb6bfe4bfa69e43b45f5a1d5430de6d2 Mon Nov 12 11:04:40 2018 : Debug: (1) Finished request Mon Nov 12 11:04:40 2018 : Debug: Waking up in 4.9 seconds. Mon Nov 12 11:04:40 2018 : Debug: (2) Received Access-Request Id 10 from 192.168.2.100:58006 to 192.168.1.100:1812 length 169 Mon Nov 12 11:04:40 2018 : Debug: (2) User-Name = "johndoe:123456" Mon Nov 12 11:04:40 2018 : Debug: (2) NAS-Port-Type = Virtual Mon Nov 12 11:04:40 2018 : Debug: (2) Service-Type = Framed-User Mon Nov 12 11:04:40 2018 : Debug: (2) NAS-Port = 5 Mon Nov 12 11:04:40 2018 : Debug: (2) NAS-Port-Id = "con2" Mon Nov 12 11:04:40 2018 : Debug: (2) NAS-IP-Address = 188.188.188.188 Mon Nov 12 11:04:40 2018 : Debug: (2) Called-Station-Id = "188.188.188.188[4500]" Mon Nov 12 11:04:40 2018 : Debug: (2) Calling-Station-Id = "66.66.66.66[4500]" Mon Nov 12 11:04:40 2018 : Debug: (2) EAP-Message = 0x020200061a03 Mon Nov 12 11:04:40 2018 : Debug: (2) NAS-Identifier = "strongSwan" Mon Nov 12 11:04:40 2018 : Debug: (2) State = 0xfb6bfe4bfa69e43b45f5a1d5430de6d2 Mon Nov 12 11:04:40 2018 : Debug: (2) Message-Authenticator = 0x654b4205c000cb7eab5e5262156d5ca8 Mon Nov 12 11:04:40 2018 : Debug: (2) session-state: No cached attributes Mon Nov 12 11:04:40 2018 : Debug: (2) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (2) authorize { Mon Nov 12 11:04:40 2018 : Debug: (2) if ( &User-Name =~ /^(.*):([0-9]{6})$/) { Mon Nov 12 11:04:40 2018 : Debug: No matches Mon Nov 12 11:04:40 2018 : Debug: Adding 3 matches Mon Nov 12 11:04:40 2018 : Debug: (2) if ( &User-Name =~ /^(.*):([0-9]{6})$/) -> TRUE Mon Nov 12 11:04:40 2018 : Debug: (2) if ( &User-Name =~ /^(.*):([0-9]{6})$/) { Mon Nov 12 11:04:40 2018 : Debug: (2) update request { Mon Nov 12 11:04:40 2018 : Debug: (2) 1/3 Found: johndoe (14) Mon Nov 12 11:04:40 2018 : Debug: (2) EXPAND %{1} Mon Nov 12 11:04:40 2018 : Debug: (2) --> johndoe Mon Nov 12 11:04:40 2018 : Debug: (2) Stripped-User-Name := johndoe Mon Nov 12 11:04:40 2018 : Debug: (2) 2/3 Found: 123456 (7) Mon Nov 12 11:04:40 2018 : Debug: (2) EXPAND %{2} Mon Nov 12 11:04:40 2018 : Debug: (2) --> 123456 Mon Nov 12 11:04:40 2018 : Debug: (2) User-OTP := 123456 Mon Nov 12 11:04:40 2018 : Debug: (2) } # update request = noop Mon Nov 12 11:04:40 2018 : Debug: (2) } # if ( &User-Name =~ /^(.*):([0-9]{6})$/) = noop Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: calling preprocess (rlm_preprocess) Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: returned from preprocess (rlm_preprocess) Mon Nov 12 11:04:40 2018 : Debug: (2) [preprocess] = ok Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: calling files (rlm_files) Mon Nov 12 11:04:40 2018 : Debug: %{%{Stripped-User-Name}:-%{User-Name}} Mon Nov 12 11:04:40 2018 : Debug: Parsed xlat tree: Mon Nov 12 11:04:40 2018 : Debug: XLAT-IF { Mon Nov 12 11:04:40 2018 : Debug: attribute --> Stripped-User-Name Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: XLAT-ELSE { Mon Nov 12 11:04:40 2018 : Debug: attribute --> User-Name Mon Nov 12 11:04:40 2018 : Debug: } Mon Nov 12 11:04:40 2018 : Debug: (2) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} Mon Nov 12 11:04:40 2018 : Debug: (2) files: --> johndoe Mon Nov 12 11:04:40 2018 : Debug: (2) files: users: Matched entry johndoe at line 4 Mon Nov 12 11:04:40 2018 : Debug: (2) files: ::: FROM 0 TO 0 MAX 0 Mon Nov 12 11:04:40 2018 : Debug: (2) files: ::: TO in 0 out 0 Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: returned from files (rlm_files) Mon Nov 12 11:04:40 2018 : Debug: (2) [files] = ok Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: calling expiration (rlm_expiration) Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: returned from expiration (rlm_expiration) Mon Nov 12 11:04:40 2018 : Debug: (2) [expiration] = noop Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: calling logintime (rlm_logintime) Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: returned from logintime (rlm_logintime) Mon Nov 12 11:04:40 2018 : Debug: (2) [logintime] = noop Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: calling pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authorize]: returned from pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (2) [pap] = updated Mon Nov 12 11:04:40 2018 : Debug: (2) } # authorize = updated Mon Nov 12 11:04:40 2018 : Debug: (2) Found Auth-Type = PAP Mon Nov 12 11:04:40 2018 : Debug: (2) # Executing group from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (2) Auth-Type PAP { Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authenticate]: calling pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (2) pap: Login attempt with password "123456" (6) Mon Nov 12 11:04:40 2018 : Debug: (2) pap: Comparing with "known good" Cleartext-Password "123456" (6) Mon Nov 12 11:04:40 2018 : Debug: (2) pap: User authenticated successfully Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authenticate]: returned from pap (rlm_pap) Mon Nov 12 11:04:40 2018 : Debug: (2) [pap] = ok Mon Nov 12 11:04:40 2018 : Debug: (2) if (ok) { Mon Nov 12 11:04:40 2018 : Debug: (2) if (ok) -> TRUE Mon Nov 12 11:04:40 2018 : Debug: (2) if (ok) { Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authenticate]: calling eap (rlm_eap) Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Expiring EAP session with state 0xfb6bfe4bfa69e43b Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Finished EAP session with state 0xfb6bfe4bfa69e43b Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Previous EAP request found for state 0xfb6bfe4bfa69e43b, released from the list Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Peer sent packet with method EAP MSCHAPv2 (26) Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Calling submodule eap_mschapv2 to process data Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Sending EAP Success (code 3) ID 2 length 4 Mon Nov 12 11:04:40 2018 : Debug: (2) eap: Freeing handler Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[authenticate]: returned from eap (rlm_eap) Mon Nov 12 11:04:40 2018 : Debug: (2) [eap] = ok Mon Nov 12 11:04:40 2018 : Debug: (2) } # if (ok) = ok Mon Nov 12 11:04:40 2018 : Debug: (2) } # Auth-Type PAP = ok Mon Nov 12 11:04:40 2018 : Debug: (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default Mon Nov 12 11:04:40 2018 : Debug: (2) post-auth { Mon Nov 12 11:04:40 2018 : Debug: (2) update { Mon Nov 12 11:04:40 2018 : Debug: (2) No attributes updated Mon Nov 12 11:04:40 2018 : Debug: (2) } # update = noop Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[post-auth]: calling exec (rlm_exec) Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[post-auth]: returned from exec (rlm_exec) Mon Nov 12 11:04:40 2018 : Debug: (2) [exec] = noop Mon Nov 12 11:04:40 2018 : Debug: (2) policy remove_reply_message_if_eap { Mon Nov 12 11:04:40 2018 : Debug: (2) if (&reply:EAP-Message && &reply:Reply-Message) { Mon Nov 12 11:04:40 2018 : Debug: (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Mon Nov 12 11:04:40 2018 : Debug: (2) else { Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[post-auth]: calling noop (rlm_always) Mon Nov 12 11:04:40 2018 : Debug: (2) modsingle[post-auth]: returned from noop (rlm_always) Mon Nov 12 11:04:40 2018 : Debug: (2) [noop] = noop Mon Nov 12 11:04:40 2018 : Debug: (2) } # else = noop Mon Nov 12 11:04:40 2018 : Debug: (2) } # policy remove_reply_message_if_eap = noop Mon Nov 12 11:04:40 2018 : Debug: (2) } # post-auth = noop Mon Nov 12 11:04:40 2018 : Debug: (2) Sent Access-Accept Id 10 from 192.168.1.100:1812 to 192.168.2.100:58006 length 0 Mon Nov 12 11:04:40 2018 : Debug: (2) MS-MPPE-Encryption-Policy = Encryption-Required Mon Nov 12 11:04:40 2018 : Debug: (2) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Mon Nov 12 11:04:40 2018 : Debug: (2) MS-MPPE-Send-Key = 0xcbf551f76a44f29550c2e6bccd4e256c Mon Nov 12 11:04:40 2018 : Debug: (2) MS-MPPE-Recv-Key = 0xd85d1854dee9755637e77e927291eec4 Mon Nov 12 11:04:40 2018 : Debug: (2) EAP-Message = 0x03020004 Mon Nov 12 11:04:40 2018 : Debug: (2) Message-Authenticator = 0x00000000000000000000000000000000 Mon Nov 12 11:04:40 2018 : Debug: (2) Finished request Mon Nov 12 11:04:40 2018 : Debug: Waking up in 4.9 seconds. Am Montag, November 12, 2018 10:27 CET, Adam Bishop <Adam.Bishop@jisc.ac.uk> schrieb: On 11 Nov 2018, at 20:56, Markus Maurer <lists@v-net.tk> wrote:
Hmm... Meanwhile I think that you didn‘t understand the problem. You’re just talking around the problem, not about the problem neither trying to help solving it...
I'm reasonably sure the maintainer of the server has a better idea of how it works than yourself.
The nt hash is calculated from the password, not from the username
That's 100% correct, but unfortunately 100% unrelated. MSCHAP uses the username to create the *challenge hash* not the *NT hash*. If you change the username, the authentication process fails because you've changed the challenge hash. You *cannot* make this work using MSCHAP and AD. If you want to use OTP you have to change EAP method, or as Alan told you several messages ago, store clear text passwords. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This email was Malware checked by UTM 9. http://www.sophos.com
On 12 Nov 2018, at 10:09, Markus Maurer <lists@v-net.tk> wrote:
You *cannot* make this work using MSCHAP and AD.It is working.
Did you send the right debug log? That shows a user being authenticated from a cleartext password in the users file and the stripped-user-name not being discarded: Debug: (1) mschap: Found Cleartext-Password, hashing to create NT-Password Debug: (1) mschap: Found Cleartext-Password, hashing to create LM-Password Debug: (1) mschap: Creating challenge hash with username: johndoe:123456 Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On 12 Nov 2018, at 10:43, Adam Bishop <adam.bishop@jisc.ac.uk> wrote:
Did you send the right debug log? That shows a user being authenticated from a cleartext password in the users file and the stripped-user-name not being discarded:
s/not being/being/ Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Yes, that’s exactly what I need, doing a cleartext auth with rlm_perl with username and otp (in this case I‘m using the users file, for testing purpose) and when this succeeds exec the eap module. The debug log shows that there‘s a challenge for Johndoe:123456 but it uses the external ntlm_auth with the stripped-username (johndoe).
Am 12.11.2018 um 11:44 schrieb Adam Bishop <Adam.Bishop@jisc.ac.uk>:
On 12 Nov 2018, at 10:43, Adam Bishop <adam.bishop@jisc.ac.uk> wrote: Did you send the right debug log? That shows a user being authenticated from a cleartext password in the users file and the stripped-user-name not being discarded:
s/not being/being/
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, 2018-11-12 at 10:43 +0000, Adam Bishop wrote:
On 12 Nov 2018, at 10:09, Markus Maurer <lists@v-net.tk> wrote:
You *cannot* make this work using MSCHAP and AD.It is working.
Did you send the right debug log? That shows a user being authenticated from a cleartext password in the users file and the stripped-user-name not being discarded:
Debug: (1) mschap: Found Cleartext-Password, hashing to create NT-Password Debug: (1) mschap: Found Cleartext-Password, hashing to create LM-Password Debug: (1) mschap: Creating challenge hash with username: johndoe:123456
Which is exactly what Alan said could be done right back at the start of the thread yesterday: On 2018-11-11 at 16:46 +0000, Alan DeKok wrote:
If the users name and password is in SQL, then it's possible. Look up the user in SQL based on the Stripped-User-Name (which is the default). And, do the MS-CHAP calculations based on the real User-Name (which is also the default).
-- Matthew
OMG:... What a stupid misstake of myself.... Sorry guys I had a bad lapse in thought.. :/ Thank you all for helping and bringing me back to the right track. xD Am Montag, November 12, 2018 12:35 CET, Matthew Newton <mcn@freeradius.org> schrieb: On Mon, 2018-11-12 at 10:43 +0000, Adam Bishop wrote:
On 12 Nov 2018, at 10:09, Markus Maurer <lists@v-net.tk> wrote:
You *cannot* make this work using MSCHAP and AD.It is working.
Did you send the right debug log? That shows a user being authenticated from a cleartext password in the users file and the stripped-user-name not being discarded:
Debug: (1) mschap: Found Cleartext-Password, hashing to create NT-Password Debug: (1) mschap: Found Cleartext-Password, hashing to create LM-Password Debug: (1) mschap: Creating challenge hash with username: johndoe:123456
On 2018-11-11 at 16:46 +0000, Alan DeKok wrote:
If the users name and password is in SQL, then it's possible. Look up the user in SQL based on the Stripped-User-Name (which is the default). And, do the MS-CHAP calculations based on the real User-Name (which is also the default).
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This email was Malware checked by UTM 9. http://www.sophos.com
Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key *--username=%{Stripped-User-Name}* --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: Am Montag, November 12, 2018 10:27 CET, Adam Bishop <Adam.Bishop@jisc.ac.uk> schrieb: On 11 Nov 2018, at 20:56, Markus Maurer <lists@v-net.tk> wrote:
Hmm... Meanwhile I think that you didn‘t understand the problem. You’re just talking around the problem, not about the problem neither trying to help solving it...
I'm reasonably sure the maintainer of the server has a better idea of how it works than yourself.
The nt hash is calculated from the password, not from the username
That's 100% correct, but unfortunately 100% unrelated. MSCHAP uses the username to create the *challenge hash* not the *NT hash*. If you change the username, the authentication process fails because you've changed the challenge hash. You *cannot* make this work using MSCHAP and AD. If you want to use OTP you have to change EAP method, or as Alan told you several messages ago, store clear text passwords. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This email was Malware checked by UTM 9. http://www.sophos.com
Hello, I use freeradius 3 + SQL. I have some issues on sqlcounter. It's doesn't work when there is a periodical count. Exemple : sqlcounter dailycounter { sql_module_instance = sql dialect = ${modules.sql.dialect} counter_name = Daily-Session-Time check_name = Max-Daily-Session reply_name = Session-Timeout key = User-Name reset = daily $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf } It works on the first connexion and stop after the fixed period but it can connect again on the same day. There is the same issues for reset = monthly, reset = hourly ... While, all work fun if is not a periodical count, when the user is stoped it can't reconnect after expired values. Can you help please ? JMLZ --- L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast. https://www.avast.com/antivirus
On Nov 15, 2018, at 4:20 PM, Philemon Jaomalaza <philemon.jaomalaza@gmail.com> wrote:
I have some issues on sqlcounter. It's doesn't work when there is a periodical count.
See the FAQ for "it doesn't work".
It works on the first connexion and stop after the fixed period but it can connect again on the same day. There is the same issues for reset = monthly, reset = hourly ...
Is the NAS sending accounting packets?
While, all work fun if is not a periodical count, when the user is stoped it can't reconnect after expired values.
Can you help please ?
The module only works if the NAS sends accounting packets that update the relevant counters. Alan DeKok.
participants (5)
-
Adam Bishop -
Alan DeKok -
Markus Maurer -
Matthew Newton -
Philemon Jaomalaza