Password change after expire with Cisco ASA to local FR user DB (text file) Not Working
special thx to phil and alex for inital help testing FR with password change. With some help today, I managed to download, compile and install the latest copy of FR source code on centOS server. I cannot however get a password change prompt to appear on my calling-station device. any ideas? I am running this in test lab with cisco ASA, which is sending MS-CHAPv2 request to FR server, as some debug output shows: MS-CHAP-Challenge = 0x0d786b3e916d7e (shortened) MS-CHAP2-Response = 0x008ebeb5e7b5 (shortened) My local user account in users file is configured with NT-LM Hash, and set to expire: wrichmond NT-Password :="64f12cddaa88057e06a81b54e73b949b", Expiration :="Dec 04 1994" I can login fine when Expiration filed is commented out. I have configured dictionary file for password expiration: VALUE Server-Config Password-Expiration 30 VALUE Server-Config Password-Warning 5 When I send AUTH request, I am denied login, with an account password is expired message. I should get a prompt on my calling-station device to change password. The cisco ASA is configure with password-management: tunnel-group TG_VPN_1 general-attributes default-group-policy GPOL_1 password-management password-expire-in-days 5 On FR server, I get this debug output: rad_recv: Access-Request packet from host 2.2.2.2 port 1025, id=28, length=217 User-Name = "wrichmond" NAS-Port = 188416 Called-Station-Id = "3.3.3.3" Calling-Station-Id = "1.1.1.1" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "1.1.1.1" MS-CHAP-Challenge = XXXXXXXXXXXXXXXXXXXX MS-CHAP2-Response = XXXXXXXXXXXXXXXXXXXXXX NAS-IP-Address = 2.2.2.2 Cisco-AVPair = "ip:source-ip=1.1.1.1" (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix : No '@' in User-Name = "wrichmond", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) files : users: Matched entry wrichmond at line 76 (0) [files] = ok (0) expiration : Checking Expiration time: 'ÐLá.04 1994' (0) expiration : Account has expired (0) expiration : expand: Password Has Expired -> Password Has Expired (0) [expiration] = userlock (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group REJECT { (0) - entering group REJECT {...} (0) attr_filter.access_reject : expand: %{User-Name} -> wrichmond (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) - entering policy remove_reply_message_if_eap {...} (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? Evaluating (reply:EAP-Message ) -> FALSE (0) ? Skipping (reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) - entering else else {...} (0) [noop] = noop (0) - else else returns noop (0) - policy remove_reply_message_if_eap returns noop (0) Finished request 0.
Will Richmond wrote:
special thx to phil and alex for inital help testing FR with password change. With some help today, I managed to download, compile and install the latest copy of FR source code on centOS server. I cannot however get a password change prompt to appear on my calling-station device. any ideas?
Did you follow the instructions in doc/mschap.rst? Did you read the mods-available/mschap file, the "passchange" section?
I am running this in test lab with cisco ASA, which is sending MS-CHAPv2 request to FR server, as some debug output shows:
MS-CHAP-Challenge = 0x0d786b3e916d7e (shortened) MS-CHAP2-Response = 0x008ebeb5e7b5 (shortened)
That doesn't matter.
My local user account in users file is configured with NT-LM Hash, and set to expire:
wrichmond NT-Password :="64f12cddaa88057e06a81b54e73b949b", Expiration :="Dec 04 1994"
That is NOT what the documentation says to do.
I can login fine when Expiration filed is commented out.
Because the expiration attribute enforces ACCOUNT expiration. Again, this is documented.
I have configured dictionary file for password expiration:
VALUE Server-Config Password-Expiration 30 VALUE Server-Config Password-Warning 5
Why the heck did you do that? NOTHING in the documentation says to do this. You might as well have typed random words into the dictionaries for all the good it will do. Follow the documentation. Honestly, it isn't hard. Alan DeKok.
participants (2)
-
Alan DeKok -
Will Richmond