Freeradius not expanding %{User-Password} (EAP-TTLS with MD5 authentication)
Hi, I've stumbled upon a nasty problem: - I need to set up FreeRadius as an authentication server where I have to authenticate users from two external databases. I've set up FreeRadius to use ntlm_auth module and swapped the 'ntlm_auth' command with my own script (see debug output). This script must be called with full username and password in cleartext so that I can then connect to the databases and check if user's credentials are correct and (s)he is allowed to connect to service. Both databases save user passwords encrypted according to their rules (SHA256 with and without salt) and for that reason I need a password supplied from the Radius client in cleartext. However, when everything is set up, somehow '%{User-Password}' or '%{Cleartext-Password}' (I've tried them both) does not expand to anything when executing ntlm_auth authentication and my script always rejects the user. For testing purposes, I've set up a bash script that exits with status 0 if the username is 'testuser@med.bg.ac.rs' and password is 'proba.321' or with status 1 otherwise. The script works when called from command line. The OS is CentOS 5.8 64-bit and FreeRADIUS version is 2.1.12. I have tried to check the auth with 'eapol_test' with the following configuration: network={ key_mgmt=IEEE8021X eap=TTLS identity="testuser@med.bg.ac.rs" password="proba.321" anonymous_identity="anonymous" phase2="auth=MD5" ca_cert="/etc/raddb/certs/ca.pem" } The output from the 'radiusd -X' is as follows: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Feb 22 2012 at 14:59:35 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/eduroam including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm med.bg.ac.rs { authhost = LOCAL accthost = LOCAL } realm LOCAL { } realm NULL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" virtual_server = "eduroam" } client ftlr1.ac.rs { ipaddr = 147.91.4.204 require_message_authenticator = no secret = "******" shortname = "ftlr1" nastype = "other" virtual_server = "eduroam" } client ftlr2.ac.rs { ipaddr = 147.91.1.101 require_message_authenticator = no secret = "******" shortname = "ftlr2" nastype = "other" virtual_server = "eduroam" } client netiis.monitor { ipaddr = 147.91.3.12 require_message_authenticator = no secret = "******" shortname = "netiis" nastype = "other" virtual_server = "eduroam" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "******" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "eduroam-inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "eduroam-inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server eduroam { # from file /etc/raddb/sites-enabled/eduroam modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log detail auth_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log detail pre_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log detail post_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log detail reply_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } } # modules } # server server eduroam-inner-tunnel { # from file /etc/raddb/sites-enabled/eduroam-inner-tunnel modules { Module: Creating Auth-Type = ntlm_auth Module: Checking authenticate {...} for more modules to load Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/local/sbin/medauth %{User-Name} %{Cleartext-Password} >& /dev/null" input_pairs = "request" shell_escape = yes } Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 36934 ... adding new socket proxy address * port 33386 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x1ce7f102551d22fcc6ba9815d29d098f server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 0 to 127.0.0.1 port 57434 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x453e5638453f433c1dde145a555d75ae Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=1, length=225 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201005f150016030100540100005003014fdefc0a35aa637e8a3b2e436e90f60e9e83e5b6c5631ebb720ffbd5e117812800002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100 State = 0x453e5638453f433c1dde145a555d75ae Message-Authenticator = 0x960996a07cd20c784ce8b254694b6c90 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 95 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0054], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0920], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 1 to 127.0.0.1 port 57434 EAP-Message = 0x0102040015c000000b7616030100310200002d03014fdefc0a8aff87adf2ab470247564a15f475076cf5c27c0b81400b87be48c892000039010005ff0100010016030109200b00091c0009190003e8308203e4308202cca003020102020101300d06092a864886f70d01010505003081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727331333031 EAP-Message = 0x0603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a308193310b3009060355040613025253310f300d0603550408130653657262696131333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c6772616465311c301a060355040313137261646975732e6d65642e62672e61632e72733120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727330820122300d06092a864886f70d0101010500038201 EAP-Message = 0x0f003082010a0282010100d7b1a23166efda162efe3b619671dc16aa89e337d70c55b4deb769d0b5136e8f7a098d83f6d30b7a60896ca1067f5b94de49d56bc1db3a7c874eab1f41101061886a1ef7d1f3b184cea254719a9f5781e8305cf2cd06921923b964ec94020e95fd53a9f7b8b00dad9c821901e53705f9763fdae2d9cb72167b4c770bc9c5b527fd3f11bd83ebbf957716c36764743ef8e3a93b8e8392ef4b5e0f1c3fcc6196d5796f444633c397f350367aa16d85db0dff74d66c3f7d664fbd1c64690e41e15b23a0dae9fabcb439455eb91054f348b605156f6167c4010fdc57e0fd286bd93ae5a31636c2b601f360191384afc480131583 EAP-Message = 0x33a45b144e4308383fd57a8630730203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010044b74245061b3b22760405c9d5f91cbd59e99c6c69716a2b9e73709f453bc962760dfde83c429c28970c9360e03760886604d99c33a9ea869a4a415bb2eb288421c193583e8fd440af40feda2db008a03160be444eb111e8441b4ff3f072dda6b456b52e0270aa9bacd3a08226f6ad01b0f480b5656433b56fabea5484f2eb2b0900aaea34603de355fc1084c7fe7ed3762e506a4da9188dc04616785bf3f42562ad4f9871df0d7559f0b42380995a4cd5167b2b1a6456b0585bce4a82 EAP-Message = 0xc332ff74a92620533a7b61da Message-Authenticator = 0x00000000000000000000000000000000 State = 0x453e5638443c433c1dde145a555d75ae Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=2, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061500 State = 0x453e5638443c433c1dde145a555d75ae Message-Authenticator = 0xa3b3094ac897f879e1f4d836e982f0ee server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 2 to 127.0.0.1 port 57434 EAP-Message = 0x0103040015c000000b767190effa7c037121c8eaa8702f555ead739aceed753b5959e59bc050b756d274cc85e5d6e6701f3981baae062502de1480a1695c0f54d500052b308205273082040fa003020102020900cb73058e093a87dc300d06092a864886f70d01010505003081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727331333031060355 EAP-Message = 0x0403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a3081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e6520436572746966 EAP-Message = 0x69636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cd1d33bc86769aab2584b35488d4adbb56935d320ca011116d7a3da9aa7b331cd98db824215b4328f742a62825df0cc2b8cf7a0e3599e5cf54080334bca0d7360bec4961d34c58525302fb74a140b32e2815c67ebdf46d470759c6e55398bbe822efb14fb1e94338cb37cf12814f6c2c69af576bda232a01cbe7ba1a2f48f740f44a2942c7ea50c3be896372d6a972b0c29fc39e8de188891c9b273a90bcf8021d6185fb679d77f482bee8d8ec727535aaf66c93b41bb8c4e5499e3b7f7894cbbd1505c5fa9c3e4c8d1166 EAP-Message = 0x9c58ce4f2d041fc783d9397acf87d083a5041a77a534f0fb5dfe8d8d85cc011fb63af7060a54ebcd5e1667a9874284430c3be348e90203010001a382012630820122301d0603551d0e04160414b7dc49418f1a1fe4235e3a3a53de7b35691c8c9c3081f20603551d230481ea3081e78014b7dc49418f1a1fe4235e3a3a53de7b35691c8c9ca181c3a481c03081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a8648 EAP-Message = 0x86f70d010901161163696b74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x453e5638473d433c1dde145a555d75ae Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=3, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061500 State = 0x453e5638473d433c1dde145a555d75ae Message-Authenticator = 0xab683dac1c19264b7cefbfb39f1036e4 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 3 to 127.0.0.1 port 57434 EAP-Message = 0x01040394158000000b76406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479820900cb73058e093a87dc300c0603551d13040530030101ff300d06092a864886f70d010105050003820101006069bb5c8707f0caca80d1998f57a5ab0bf43843b6359b91085100a3fcd29348b669e5cfdff8ef56a583af32823d20a34f213a0bee64d360319eab9b6cb936a78f4345e96139b36caa0f394e850a20e9b2b96cbda103eabf7533af89f84731b82d7599a592455a0d8f10c6fc3eaebff1939d74609589fc820372df3d16414aa5c4f14e0d EAP-Message = 0xe6d9375f29d21aa334834aefe4de97c9076f6f59d538c973884a5929440962f02c1f05692564b636bd8f2b33dab7e387c5190e0d4a9894304d4c41651ff78feec39bba7d9590ac6e5a423cc83a63c26d47bea741cb0af86017727c7d2a16b611a9374d3d8c2a7d6773eef0d0a3f15b0288d7d4d2f0d0376d9dc0d91b160301020d0c00020900809581c2d77458ae39e8ced3fc1c136cdf0e5c874f0145a1ba3b1cadd518c96731cf5ce5ffdb56d03d05fd3920b7e19d3bd0435ca1ae9bd7c7888e953c4f4c572bb511a70579b804f7f7cc5392222e6fe69cac502f39bf2166c7281fd6ddedfc9a5934dbdb44133155fe1f89cf6b33db04059e65164fb0 EAP-Message = 0xf060679b652950dab40b00010200800ed41ea9a51c998c4f28af7bfa7e70b31a5baf43a288bf5c40ed11226423740f5a79393a18b936d417fe3156726fd8d3017faa90807b1924beb8ba713b585c03fdd8e401576caee1d777b6b7e876afd14a5b4fc9902484c04a28cb14a04718f45e294c86bdb06bce91c9002d345bd7411e77bc4e07cea999589bbdebc0f20c1701004b5fac779365dafeca7ef4696018786c2fa7c9b70579b45182df31d5c1f70751076524d3196265774ed43c460fa8991a6aad5506125c17f46614d8ec7ad5ad621aab6be4f7cf7d21d17f37b3bad0bcb1a8206a77a3c2f1789ef2bebf81926b429255f1e513f97e00c71540b6 EAP-Message = 0x2f4821bea23b5cff0a7d3990578d637d2644223669454da8f87a85d22cb30008a01230edcfeee10c19cab0697e3c1e98ca88ec691eebb16e6b3ecba362ed16e0d01690f4264191dc2e3d77f4af8a6481968a0c936d3e69c9f818d724f1c7e8cda71a1d424b016c9c669c153607d196eaa753a20ef07ee60b920849cd38087231067a53bc5cde17c3664302856b61f434968c22bf16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x453e5638463a433c1dde145a555d75ae Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=4, length=334 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400cc150016030100861000008200804947f508ab581679165a93c50e5588f04e8e34bef4b96e49115c604a5012d77ed91e7003b1e5d72cd2585c830fe047329ece54be7e4b482d67ead0b996de2c7036893af0bf556b8c2d0a345756b5f4f6c34ef3d7a438ef6596de4b722eebc538222a1ae3141433123867a99fca7debea94caf233eee09c4d1f8fc4986355b771140301000101160301003024c728b211d0593f1a575c7f570f7cd38dfbfe14c76a92baf855b3d245407a1ac4497e4349e0450a70857a9685355d39 State = 0x453e5638463a433c1dde145a555d75ae Message-Authenticator = 0x6cb71a422ffeaad397d8c36e03ff6703 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 4 to 127.0.0.1 port 57434 EAP-Message = 0x0105004515800000003b1403010001011603010030d13042ffaa9f5208530f9d196691755fe795dbe60c277e81e11947821f2698414cce5df41150a18716654f9fee2c4068 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x453e5638413b433c1dde145a555d75ae Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=5, length=242 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02050070150017030100202b83edb5b87ff66b7b5d13339196f62f8e44061ac02821a6ab8f5fe44aa5ff6b17030100404de9cda8169d8c9e0969a9fb2245697166f27290ce6f23473c57364c7d5ae08e85039938f8cbb126727f888bf92807c008c7f46f8b1e0f9c42e504b25f8c3bb2 State = 0x453e5638413b433c1dde145a555d75ae Message-Authenticator = 0x6197eff33cfffb5b484c44e49735b5d4 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0200001a017465737475736572406d65642e62672e61632e7273 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of testuser@med.bg.ac.rs [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x0200001a017465737475736572406d65642e62672e61632e7273 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser@med.bg.ac.rs" server eduroam-inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner-tunnel +- entering group authorize {...} [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618 [auth_log] expand: %t -> Mon Jun 18 11:59:38 2012 ++[auth_log] returns ok [suffix] Looking up realm "med.bg.ac.rs" for User-Name = "testuser@med.bg.ac.rs" [suffix] Found realm "med.bg.ac.rs" [suffix] Adding Stripped-User-Name = "testuser" [suffix] Adding Realm = "med.bg.ac.rs" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 0 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [ntlm_auth] expand: %{User-Name} -> testuser@med.bg.ac.rs [ntlm_auth] expand: %{Cleartext-Password} -> Exec-Program output: Exec-Program: returned: 1 ++[ntlm_auth] returns reject Invalid user: [testuser@med.bg.ac.rs/<via Auth-Type = ntlm_auth>] (from client localhost port 0 via TLS tunnel) } # server eduroam-inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user testuser@med.bg.ac.rs [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01) } # server eduroam Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 5 to 127.0.0.1 port 57434 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +5 Cleaning up request 1 ID 1 with timestamp +5 Cleaning up request 2 ID 2 with timestamp +5 Cleaning up request 3 ID 3 with timestamp +5 Cleaning up request 4 ID 4 with timestamp +5 Waking up in 1.0 seconds. Cleaning up request 5 ID 5 with timestamp +5 Ready to process requests. -- *Veselin Mijus(kovic'* Senior System Administrator School of Electrical Engineering's Computing Centre University of Belgrade * Serbia * www.etf.bg.ac.rs
MS-CHAP doesn't send a password; it's a challenge/response authentication type, that requires the server to have access to the plaintext password, NT hash, or an oracle. See here: http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html In short - what you're doing is impossible, with the auth types you're using. Only TTLS/PAP gives you access to the password. Even if it were possible, you're doing it entirely wrong; you don't return a succeed/fail in the authorize section. And if you know the plaintext password for comparison reasons, you should just tell it to FreeRADIUS. You've also broken the default configs horribly by removing all the modules in the inner tunnel config (which is why the request isn't detected as MSCHAP). Basically - don't do that, it won't work.
Hi, On Mon, Jun 18, 2012 at 12:53:52PM +0200, Veselin Mijuskovic wrote:
and without salt) and for that reason I need a password supplied from the Radius client in cleartext.
You're using EAP-TTLS/MD5. Why do you think there is going to be a cleartext password anywhere in that request? Change to EAP-TTLS/PAP, for example, and try again. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 06/18/2012 01:25 PM, Matthew Newton wrote:
Hi,
On Mon, Jun 18, 2012 at 12:53:52PM +0200, Veselin Mijuskovic wrote:
and without salt) and for that reason I need a password supplied from the Radius client in cleartext. You're using EAP-TTLS/MD5. Why do you think there is going to be a cleartext password anywhere in that request?
Change to EAP-TTLS/PAP, for example, and try again.
Matthew
Thanks Matthew, it worked with EAP-TTLS/PAP. Silly me. Best regards, -- *Veselin Mijus(kovic'* Senior System Administrator School of Electrical Engineering's Computing Centre University of Belgrade * Serbia * www.etf.bg.ac.rs
Veselin Mijuskovic wrote:
However, when everything is set up, somehow '%{User-Password}' or '%{Cleartext-Password}' (I've tried them both) does not expand to anything when executing ntlm_auth authentication and my script always rejects the user.
There is very little magic here. The expansion %{...} means "refer to an attribute". If you don't see the attribute in the debug output, then the expansion will result in nothing. As always, read the debug output to see what's going on. Alan DeKok.
participants (4)
-
Alan DeKok -
Matthew Newton -
Phil Mayers -
Veselin Mijuskovic