FreeRadius 3.0.11 [Best method to log access accept requests to DB]
Hi, We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication. So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures. Ibrahim --
On Nov 15, 2018, at 4:34 AM, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
You can use the "linelog" module to log requests to a file on disk. Alan DeKok.
I dont understand what is failing here... when i run `radtest -t mschap christian.salway pa$$word 10.0.0.247 0 testing123` the response is (4) authenticate { (4) mschap: Client is using MS-CHAPv1 with NT-Password (4) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (4) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (4) mschap: --> --username=christian.salway (4) mschap: mschap1: e5 (4) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (4) mschap: --> --challenge=e5305944c91f56f9 (4) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (4) mschap: --> --nt-response=17d86fe7e55770aa8e3f5e6545c45578844f5fd7e18888d3 (4) mschap: Program returned code (0) and output 'NT_KEY: 7EAE67D582A054C071FC841CE38DCC98' (4) mschap: adding MS-CHAPv1 MPPE keys (4) [mschap] = ok (4) } # authenticate = ok but when i try to connect AWS Management console up to freeradius (which worked with NPS) I get the following error (3) authenticate { (3) mschap: Client is using MS-CHAPv1 with NT-Password (3) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (3) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (3) mschap: --> --username=christian.salway (3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge (3) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (3) mschap: --> --challenge=00 (3) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (3) mschap: --> --nt-response=f42cfed85f0dab20ae4f6be4820ee4b0579baf7e05a879e7 hex decode of 00 failed! (only got 1 bytes) (3) mschap: ERROR: Program returned code (1) and output '' (3) mschap: External script failed (3) mschap: ERROR: External script says: (3) mschap: ERROR: MS-CHAP2-Response is incorrect (3) [mschap] = reject (3) } # authenticate = reject and if i try it with MS-CHAPv2 (7) authenticate { (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=christian.salway (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=87096cbcc288f585 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=69ebf16ddad737fbaa5315235a9316fe9ccb5fcbc06c07e2 (7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (7) mschap: External script failed (7) mschap: ERROR: External script says: Logon failure (0xc000006d) (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) [mschap] = reject (7) } # authenticate = reject whats going on?!
On Nov 15, 2018, at 9:01 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I dont understand what is failing here...
when i run `radtest -t mschap christian.salway pa$$word 10.0.0.247 0 testing123`
the response is
It's typically good to look at *ALL* of the debug output. You can't just look at a tiny piece of the output and expect to understand the whole thing.
(3) authenticate { (3) mschap: Client is using MS-CHAPv1 with NT-Password ... (3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge
That seems to be clear enough. The server isn't receiving an MS-CHAP2-Response attribute.
and if i try it with MS-CHAPv2
(7) authenticate { (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=christian.salway (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=87096cbcc288f585 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=69ebf16ddad737fbaa5315235a9316fe9ccb5fcbc06c07e2 (7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
AD its rejecting the user. This unfortunately is out of the control of FreeRADIUS.
whats going on?!
AD is rejecting the user. Ask AD what the users password is. And, why it's rejecting the user. The MS-CHAP calculations have been known, and known to work, for about 20 years. If AD is rejecting this with "Logon failure", then: a) the users password in AD is not what the user entered on their system b) the users account is locked out, or doesn't exist, or has another administrative setting that says "reject them" There really are no other options here. Try *simplifying* the problem. Instead of going to AD, configure a local password for the user. One that you can't get wrong. Then, try it with AWS. If that fails, then my guess is that AWS is broken. And post the *full* debug output here. ALL of it. Alan DeKok.
Hi Alan, Thank you for your reply. I found the issue. AWS Directory services does not send the password but the OTP (Multi Factor Authentication) as the password as shown below. AWS Directory Services does it's own authentication against AD before sending the MFA code to the Radius server... (2) Received Access-Request Id 2 from 10.0.14.211:54344 to 10.0.0.247:1812 length 80 (2) NAS-IP-Address = 127.0.0.1 (2) User-Name = "christian.salway" (2) User-Password = "12345" <-- this is the MFA OTP (2) Message-Authenticator = 0xcb2db23d5324ea83618f807cec4c6c6d C
On 16 Nov 2018, at 00:00, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 15, 2018, at 9:01 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I dont understand what is failing here...
when i run `radtest -t mschap christian.salway pa$$word 10.0.0.247 0 testing123`
the response is
It's typically good to look at *ALL* of the debug output. You can't just look at a tiny piece of the output and expect to understand the whole thing.
(3) authenticate { (3) mschap: Client is using MS-CHAPv1 with NT-Password ... (3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge
That seems to be clear enough.
The server isn't receiving an MS-CHAP2-Response attribute.
and if i try it with MS-CHAPv2
(7) authenticate { (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=christian.salway (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=87096cbcc288f585 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=69ebf16ddad737fbaa5315235a9316fe9ccb5fcbc06c07e2 (7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
AD its rejecting the user. This unfortunately is out of the control of FreeRADIUS.
whats going on?!
AD is rejecting the user. Ask AD what the users password is. And, why it's rejecting the user.
The MS-CHAP calculations have been known, and known to work, for about 20 years. If AD is rejecting this with "Logon failure", then:
a) the users password in AD is not what the user entered on their system
b) the users account is locked out, or doesn't exist, or has another administrative setting that says "reject them"
There really are no other options here.
Try *simplifying* the problem. Instead of going to AD, configure a local password for the user. One that you can't get wrong. Then, try it with AWS. If that fails, then my guess is that AWS is broken.
And post the *full* debug output here. ALL of it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Is it possible to have 2 paths for authentication on the same freeRadius server? 1) In on UDP:1812 from VPN server which uses eap-mschapv2 and authenticates against Active Directory using LDAP and ntlm_auth. 2) In on UDP:1812 from AWS which uses PAP and needs to send a request to Duo over TCP:443. Or is it better to have two radius servers?
On 16 Nov 2018, at 07:13, Christian Salway <christian.salway@naimuri.com> wrote:
Hi Alan,
Thank you for your reply. I found the issue. AWS Directory services does not send the password but the OTP (Multi Factor Authentication) as the password as shown below. AWS Directory Services does it's own authentication against AD before sending the MFA code to the Radius server...
(2) Received Access-Request Id 2 from 10.0.14.211:54344 to 10.0.0.247:1812 length 80 (2) NAS-IP-Address = 127.0.0.1 (2) User-Name = "christian.salway" (2) User-Password = "12345" <-- this is the MFA OTP (2) Message-Authenticator = 0xcb2db23d5324ea83618f807cec4c6c6d
C
On 16 Nov 2018, at 00:00, Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>> wrote:
On Nov 15, 2018, at 9:01 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org>> wrote:
I dont understand what is failing here...
when i run `radtest -t mschap christian.salway pa$$word 10.0.0.247 0 testing123`
the response is
It's typically good to look at *ALL* of the debug output. You can't just look at a tiny piece of the output and expect to understand the whole thing.
(3) authenticate { (3) mschap: Client is using MS-CHAPv1 with NT-Password ... (3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge
That seems to be clear enough.
The server isn't receiving an MS-CHAP2-Response attribute.
and if i try it with MS-CHAPv2
(7) authenticate { (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=christian.salway (7) mschap: Creating challenge hash with username: christian.salway (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=87096cbcc288f585 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=69ebf16ddad737fbaa5315235a9316fe9ccb5fcbc06c07e2 (7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
AD its rejecting the user. This unfortunately is out of the control of FreeRADIUS.
whats going on?!
AD is rejecting the user. Ask AD what the users password is. And, why it's rejecting the user.
The MS-CHAP calculations have been known, and known to work, for about 20 years. If AD is rejecting this with "Logon failure", then:
a) the users password in AD is not what the user entered on their system
b) the users account is locked out, or doesn't exist, or has another administrative setting that says "reject them"
There really are no other options here.
Try *simplifying* the problem. Instead of going to AD, configure a local password for the user. One that you can't get wrong. Then, try it with AWS. If that fails, then my guess is that AWS is broken.
And post the *full* debug output here. ALL of it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Nov 16, 2018, at 2:24 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Is it possible to have 2 paths for authentication on the same freeRadius server?
1) In on UDP:1812 from VPN server which uses eap-mschapv2 and authenticates against Active Directory using LDAP and ntlm_auth. 2) In on UDP:1812 from AWS which uses PAP and needs to send a request to Duo over TCP:443.
Yes. Read raddb/sites-available/README Alan DeKok.
please don’t send email On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
Ibrahim
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
please don’t send email On Nov 19, 2018, at 20:23, Song Zou via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
please don’t send email
On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
Ibrahim
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
please don’t send email On Nov 19, 2018, at 20:23, Song Zou via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
please don’t send email
On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
Ibrahim
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
what a jackass On 19/11/2018 22:28, Song Zou via Freeradius-Users wrote: > please don't send email > > On Nov 19, 2018, at 20:23, Song Zou via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: > >> please don't send email >> >> On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: >> >> Hi, >> >> We are trying to log users access accept requests in a database for later >> statistics and analysis for the network. Firstly, we accomplished this >> requirement using the post-auth section by using sql module to inserting >> users request and it worked perfectly, however, and obviously, if the >> database is down for any reason, the radius won't process further requests >> which will prevent users from authentication. >> >> So we are wondering if there is any method to log radius accept request in >> a similar fashion like "Post-Auth-Type REJECT" where we noticed that >> FreeRadius can keep accepting radius requests and tolerate DB failures. >> >> Ibrahim >> >> -- >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kind Regards, Noel Butler This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents Links: ------ [1] http://www.adobe.com/ [2] http://en.wikipedia.org/wiki/OpenDocument
please don’t send email On Nov 19, 2018, at 20:23, Song Zou via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
please don’t send email
On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
Ibrahim
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
please don’t send email On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
Ibrahim
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
please don’t send email On Nov 15, 2018, at 17:34, Ibrahim Nezar Al-Mahfooz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi,
We are trying to log users access accept requests in a database for later statistics and analysis for the network. Firstly, we accomplished this requirement using the post-auth section by using sql module to inserting users request and it worked perfectly, however, and obviously, if the database is down for any reason, the radius won't process further requests which will prevent users from authentication.
So we are wondering if there is any method to log radius accept request in a similar fashion like "Post-Auth-Type REJECT" where we noticed that FreeRadius can keep accepting radius requests and tolerate DB failures.
Ibrahim
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Christian Salway -
Ibrahim Nezar Al-Mahfooz -
Noel Butler -
Song Zou