rlm_python learnings - PAP and MSCHAPv2
FreeRADIUS is working, using rlm_python to do authentication for WPA2-Personal and WPA2-Enterprise Wi-Fi clients. This is a summary of the issues I found and suggested improvements. Using FreeRADIUS 3.0.15 package on Ubuntu 18.04. We previously had FreeRADIUS configured to exec a python process for each PAP or MSCHAPv2 authentication, which then called a REST API to check the user. This was slow (120ms) due to the time taken to start a process and load python. To speed this up, I first tried to use rlm_rest. This didn't work because we don't have the cleartext password, only the NT hash. Next I tried rlm_python, which I did get working. For PAP, during FreeRADIUS default authorize processing, it says no cleartext password, so it does not set Auth-Type=PAP, and so it does not call the PAP authenticate code. My workaround is python authorize code to set config:Auth-Type=python if User-Name and User-Password are set, but not EAP-Message. The default site config has "python" in the authorize section, and "Auth-Type python { python }" in the authenticate section. This is fragile, so if you have any better suggestions... For PEAP-MSCHAPv2, the default site config is unchanged. The inner-tunnel authenticate config has "Auth-Type mschap { python }". In the python authenticate code, I take the params and pass them to a REST API as JSON, then take the response from the REST API and return this as the reply. This means I am passing MS-CHAP-User-Name, MS-CHAP-Challenge and MS-CHAP2-Response into the API, and getting MS-CHAP2-Success as the reply. MS-CHAP-Challenge is in the expected format. Issue 1: MS-CHAP2-Response is NOT in the format defined in the RFC. The first byte is unknown. Second byte is the flag, moved from the end of the response, which is still wrong because it isn't 0. Subsequent bytes are as expected (16 bytes peer challenge, 8 bytes padding, 24 bytes NT response). I reformat the response to the RFC format before handing to the REST API. MS-CHAP-Response is also wrong in the same way, although the flag byte is the expected 1 (to indicate NT response is present). Issue 2: I generate the correct MS-CHAP2-Success packet "S=40hex" and include it in the python module reply. FreeRADIUS removes the first byte of this (source code confirms this) and sends the remainder, making it incorrect. My kludge is to add a padding byte at the start of the MS-CHAP2-Success python reply, for FreeRADIUS to remove. Suggestions: Have a fall-through authenticate method if Auth-Type is not set. This would avoid my fragile python authorize code, and allow PAP authentication without a cleartext password. Allow PAP authorize and rlm_rest to work if the NT hash of the password is available.
Allow PAP authorize and rlm_rest to work if the NT hash of the password is available.
Why are you trying to use PAP to process MSCHAP data? Set control:NT-Password in your rest response and use the MSCHAP module to process MSCHAP data... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Why are you trying to use PAP to process MSCHAP data?
I'm not. PAP is used for WPA2-Personal clients, and PEAP/MSCHAPv2 for WPA2-Enterprise. We need to authenticate both with the NT-Password.
Set control:NT-Password in your rest response and use the MSCHAP module to process MSCHAP data...
rlm_rest.c won't authenticate unless User-Password is available. Are you saying that the REST authorize can return the NT-Password in the JSON repsonse, and let FreeRADIUS handle both PAP and PEAP-MSCHAPv2 authentication? Is there a quick way to get all attributes passed to the REST API? The following rest config gives an empty body to the POST: authorize { uri = "http://nginx:8000/radiusRest?action=authorize" method = 'post' body = 'post' } -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+russell.lang=team.telstra.com@lists.freeradius.org> On Behalf Of Arran Cudbard-Bell Sent: Friday, 17 January 2020 15:04 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: rlm_python learnings - PAP and MSCHAPv2 [External Email] This email was sent from outside the organisation – be cautious, particularly with links and attachments.
Allow PAP authorize and rlm_rest to work if the NT hash of the password is available.
Why are you trying to use PAP to process MSCHAP data? Set control:NT-Password in your rest response and use the MSCHAP module to process MSCHAP data... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you set the REST authorize 'body'='json' you do get the attributes, if you 'body'='post' you get none. In what format should the REST API return NT-Password? {'control:NT-Password': {'type': 'string', 'value': ['0x0123456789ABCDEF0123456789ABCDEF ']}} -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+russell.lang=team.telstra.com@lists.freeradius.org> On Behalf Of Lang, Russell Sent: Friday, 17 January 2020 16:25 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: rlm_python learnings - PAP and MSCHAPv2
Why are you trying to use PAP to process MSCHAP data?
I'm not. PAP is used for WPA2-Personal clients, and PEAP/MSCHAPv2 for WPA2-Enterprise. We need to authenticate both with the NT-Password.
Set control:NT-Password in your rest response and use the MSCHAP module to process MSCHAP data...
rlm_rest.c won't authenticate unless User-Password is available. Are you saying that the REST authorize can return the NT-Password in the JSON repsonse, and let FreeRADIUS handle both PAP and PEAP-MSCHAPv2 authentication? Is there a quick way to get all attributes passed to the REST API? The following rest config gives an empty body to the POST: authorize { uri = "http://nginx:8000/radiusRest?action=authorize" method = 'post' body = 'post' } -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+russell.lang=team.telstra.com@lists.freeradius.org> On Behalf Of Arran Cudbard-Bell Sent: Friday, 17 January 2020 15:04 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: rlm_python learnings - PAP and MSCHAPv2 [External Email] This email was sent from outside the organisation – be cautious, particularly with links and attachments.
Allow PAP authorize and rlm_rest to work if the NT hash of the password is available.
Why are you trying to use PAP to process MSCHAP data? Set control:NT-Password in your rest response and use the MSCHAP module to process MSCHAP data... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 17, 2020, at 1:20 AM, Lang, Russell <Russell.Lang@team.telstra.com> wrote:
If you set the REST authorize 'body'='json' you do get the attributes, if you 'body'='post' you get none.
And if you don't set it at all the REST module figures out the correct parsing scheme to use based on the Content-Type header...
In what format should the REST API return NT-Password? { {'type': 'string', 'value': []}}
{ 'control:NT-Password': '0123456789ABCDEF0123456789ABCDEF' } -Arran
participants (2)
-
Arran Cudbard-Bell -
Lang, Russell