Configuring MSCHAP to use attributes from PASSWD
Dear all, Could you please direct me to the correct way to configure the MSCHAP module to use the User-Name and Clear-Text Passwords from the PASSWD file? I have added the expansion under authenticate in the following way: Auth-Type MS-CHAP { %{mschap:"User-Name"} } But I haven't been able to resolve the following error in the debug log: (9) Found Auth-Type = EAP (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x4c7ec85a4c96d246 (9) eap: Finished EAP session with state 0x4c7ec85a4c96d246 (9) eap: Previous EAP request found for state 0x4c7ec85a4c96d246, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2: Auth-Type MS-CHAP { (9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (9) mschap: Creating challenge hash with username: test (9) mschap: Client is using MS-CHAPv2 (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # Auth-Type MS-CHAP = reject (9) eap: Sending EAP Failure (code 4) ID 232 length 4 (9) eap: Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user Any help would be appreciated. Thanks.
On 25/01/2021 11:08, lingctam wrote:
Could you please direct me to the correct way to configure the MSCHAP module to use the User-Name and Clear-Text Passwords from the PASSWD file?
If you mean /etc/passwd, then it's impossible. The password hashing is incompatible. If you're using the files module then yes, you can just define Cleartext-Password as given in the examples that come with the server, and mschap will use that. You need to make sure you call "files" in authorize{} for the right users (if not all).
I have added the expansion under authenticate in the following way:
Auth-Type MS-CHAP { %{mschap:"User-Name"} }
Use the default config that comes with the server, rather than trying to make up your own syntax. There's no need to change the config here.
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
Because "files" hasn't been called in authorize{}, and passwd is incompatible. -- Matthew
Dear Matthew, Thank you for your help. I have now called "files" in authorize{} but the following error comes up in debugging: (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) { (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) { (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) { (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) { (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # policy filter_username = notfound (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "test", looking up realm NULL (9) suffix: Found realm "NULL" (9) suffix: Adding Stripped-User-Name = "test" (9) suffix: Adding Realm = "NULL" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) if (Called-Station-Id =~ /SSID/) { (9) ERROR: Failed retrieving values required to evaluate condition This is what is in the authorize section of the inner-tunnel: if (Called-Station-Id =~ /SSID/) { files } After reading the documentation, this is what I added in "files": test Clear-text Password := "password" What else could be missing? Thanks again for your help. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+lingctam=hku.hk@lists.freeradius.org> On Behalf Of Matthew Newton Sent: Monday, January 25, 2021 7:22 PM To: freeradius-users@lists.freeradius.org Subject: Re: Configuring MSCHAP to use attributes from PASSWD On 25/01/2021 11:08, lingctam wrote:
Could you please direct me to the correct way to configure the MSCHAP module to use the User-Name and Clear-Text Passwords from the PASSWD file?
If you mean /etc/passwd, then it's impossible. The password hashing is incompatible. If you're using the files module then yes, you can just define Cleartext-Password as given in the examples that come with the server, and mschap will use that. You need to make sure you call "files" in authorize{} for the right users (if not all).
I have added the expansion under authenticate in the following way:
Auth-Type MS-CHAP { %{mschap:"User-Name"} }
Use the default config that comes with the server, rather than trying to make up your own syntax. There's no need to change the config here.
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
Because "files" hasn't been called in authorize{}, and passwd is incompatible. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear Matthew, Please disregard. Thanks for your help. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+lingctam=hku.hk@lists.freeradius.org> On Behalf Of lingctam Sent: Wednesday, January 27, 2021 10:10 AM To: freeradius-users@lists.freeradius.org Subject: RE: Configuring MSCHAP to use attributes from PASSWD Dear Matthew, Thank you for your help. I have now called "files" in authorize{} but the following error comes up in debugging: (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) { (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) { (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) { (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) { (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # policy filter_username = notfound (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "test", looking up realm NULL (9) suffix: Found realm "NULL" (9) suffix: Adding Stripped-User-Name = "test" (9) suffix: Adding Realm = "NULL" (9) suffix: Authentication realm is LOCAL (9) [suffix] = ok (9) if (Called-Station-Id =~ /SSID/) { (9) ERROR: Failed retrieving values required to evaluate condition This is what is in the authorize section of the inner-tunnel: if (Called-Station-Id =~ /SSID/) { files } After reading the documentation, this is what I added in "files": test Clear-text Password := "password" What else could be missing? Thanks again for your help. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+lingctam=hku.hk@lists.freeradius.org> On Behalf Of Matthew Newton Sent: Monday, January 25, 2021 7:22 PM To: freeradius-users@lists.freeradius.org Subject: Re: Configuring MSCHAP to use attributes from PASSWD On 25/01/2021 11:08, lingctam wrote:
Could you please direct me to the correct way to configure the MSCHAP module to use the User-Name and Clear-Text Passwords from the PASSWD file?
If you mean /etc/passwd, then it's impossible. The password hashing is incompatible. If you're using the files module then yes, you can just define Cleartext-Password as given in the examples that come with the server, and mschap will use that. You need to make sure you call "files" in authorize{} for the right users (if not all).
I have added the expansion under authenticate in the following way:
Auth-Type MS-CHAP { %{mschap:"User-Name"} }
Use the default config that comes with the server, rather than trying to make up your own syntax. There's no need to change the config here.
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
Because "files" hasn't been called in authorize{}, and passwd is incompatible. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
lingctam -
Matthew Newton