Hi, Thank you for your advice on the use of multiple MSCHAP modules. I made the changes that were suggested but I'm still unable to authenticate users in different realms. Thanks Chris In the authorize section of inner-tunnel server. # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap I have defined two mschap modules (mschap_ds and mschap_admin) and made the following changes in the inner-tunnel authenticate section. # # MSCHAP authentication. Auth-Type MS-CHAP { if ("%{outer.request:User-Name}" =~ /@realm$/i){ mschap-ds { ok = return } } else { mschap-admin { ok = return } } } # # For old names, too. #mschap < -- I commented out this entry The authentication of a user in either realm failed with the following error message. (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x93ae5ad093a740b0 (9) eap: Finished EAP session with state 0x93ae5ad093a740b0 (9) eap: Previous EAP request found for state 0x93ae5ad093a740b0, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: Auth-Type sub-section not found. Ignoring. (9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap: Sending EAP Failure (code 4) ID 9 length 4 (9) eap: Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Login incorrect: [user_a] (from client localhost port 0 via TLS tunnel) (9) Using Post-Auth-Type Reject If I uncomment the following # For old names, too. mschap I'm able to authenticate a user in one realm but not the other. 21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (21) authenticate { (21) eap: Expiring EAP session with state 0xf0a763cef0ae799b (21) eap: Finished EAP session with state 0xf0a763cef0ae799b (21) eap: Previous EAP request found for state 0xf0a763cef0ae799b, released from the list (21) eap: Peer sent packet with method EAP MSCHAPv2 (26) (21) eap: Calling submodule eap_mschapv2 to process data (21) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (21) eap_mschapv2: authenticate { (21) mschap: Creating challenge hash with username: XXXXXX (21) mschap: Client is using MS-CHAPv2 (21) mschap: EXPAND %{Stripped-User-Name} (21) mschap: --> XXXXXX rlm_mschap (mschap): Reserved connection (1) (21) mschap: sending authentication request user='XXXXXX' domain='ADMIN' rlm_mschap (mschap): Released connection (1) rlm_mschap (mschap): Need 9 more connections to reach 20 spares rlm_mschap (mschap): Opening additional connection (11), 1 of 53 pending slots used (21) mschap: ERROR: No such user [0xC0000064] (21) mschap: ERROR: Password has expired. User should retry authentication (21) [mschap] = reject (21) } # authenticate = reject (21) eap: Sending EAP Failure (code 4) ID 9 length 4 (21) eap: Freeing handler (21) [eap] = reject (21) } # authenticate = reject (21) Failed to authenticate the user I
On Jan 30, 2017, at 6:10 AM, Chris Howley <C.P.Howley@leeds.ac.uk> wrote:
Thank you for your advice on the use of multiple MSCHAP modules. I made the changes that were suggested but I'm still unable to authenticate users in different realms.
This is why it's useful to describe the entire problem you're trying to solve, instead of just one piece.
I have defined two mschap modules (mschap_ds and mschap_admin) and made the following changes in the inner-tunnel authenticate section.
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
Change that to "Auth-Type MSCHAP" and it should work. You may also upgrade to version 3.0.13 when it comes out. Alan DeKok.
participants (2)
-
Alan DeKok -
Chris Howley