[Home server Radius in "always accept mode with mschap"]
Hello, As we've got some bad ISPs or maybe because they use other radius than freeradius :-), we would like, when their home server does not work properly (bad response time or completely down), to continue authenticating wimax users on our proxy. (So that users does not get disconnected after their lease / network entry). So I wanted to build a "welcome" home server (meaning a home server that always say yes whithout checking anything). I've tried a physical one and also a dedicated virtual server that I use either as fallback home server or as secondary home server. I've successfully been able to send "Access Accept" for any Access Request by configuring the following : authorize { preprocess auth_log chap mschap unix files if (!ok) { reject } else { update control { Auth-Type := Accept } } expiration logintime pap } .... But then it's not enough, Mschap Attributes are required so that it really work (below is "normal" authentication when ISPs home server answer). on Dec 5 11:37:39 2011 : Debug: Received Access-Accept packet from host X.Y.Z.W port 1812, id=98, length=184 Mon Dec 5 11:37:39 2011 : Debug: MS-CHAP2-Success = 0x78533d44303235443041393935354646383733384143443137364244433544463336393436373139333937 Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Recv-Key = 0xa0d43ffe6f017d74813ad8d12b35797e Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Send-Key = 0x5f6a95b54ef1d283134925733845429a Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Encryption-Policy = 0x00000001 Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Encryption-Types = 0x00000006 Mon Dec 5 11:37:39 2011 : Debug: Proxy-State = 0x323233 Mon Dec 5 11:37:39 2011 : Debug: +- entering group post-proxy {...} As I was not very familiar with MS-CHAP, I've google a little and it seems to me that my goal (ie ms chapv2 welcome server without having user/passwd of users) is not reachable as the home server MUST have users/passwd to generate challenge. Could you confirm that I'm not wrong so that I will stop looking for unfeasible things ? Many thanks Thomas
On Fri, Mar 30, 2012 at 4:22 AM, Thomas Fagart <tfagart@brozs.net> wrote:
As I was not very familiar with MS-CHAP, I've google a little and it seems to me that my goal (ie ms chapv2 welcome server without having user/passwd of users) is not reachable as the home server MUST have users/passwd to generate challenge.
Exactly. To be accurate, the home server MUST have cleartext or nt-hash of the user's password. -- Fajar
On Fri, Mar 30, 2012 at 7:26 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Fri, Mar 30, 2012 at 4:22 AM, Thomas Fagart <tfagart@brozs.net> wrote:
As I was not very familiar with MS-CHAP, I've google a little and it seems to me that my goal (ie ms chapv2 welcome server without having user/passwd of users) is not reachable as the home server MUST have users/passwd to generate challenge.
Exactly.
To be accurate, the home server MUST have cleartext or nt-hash of the user's password.
Is it possible on the proxy server, to catch the challenge and response when the normal server is running, store them, and then issue the same challenge and same chap-success from the "welcome" server when another request is made? Just a thought, I only do normal CHAP and would have thought you could just do an access-accept for any request unless the client needs a special key from it. Tim
On Fri, Mar 30, 2012 at 6:54 AM, Timothy White <timwhite88@gmail.com> wrote:
Is it possible on the proxy server, to catch the challenge and response when the normal server is running, store them, and then issue the same challenge and same chap-success from the "welcome" server when another request is made?
You mean similar to replay attack? Nope.
From http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol " CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. The MS-CHAP variant does not require either peer to know the plaintext, but has other drawbacks. "
More complete information should be available on the RFCs, but that short summary is good enough for me :) -- FAN
Hello, We currently authenticate FTTH Subscribers with FreeRadius. It works like that : Subscriber --> DHCP Request --> NAS that does DHCP to Radius --> Access Request --> Proxy Freeradius --> ISP Home server In the Authentication/Autorization phases, The Freeradius Proxy gets the ADSL-Agent-Circuit-Id Attribute from the Request and ask a SQL database to provide the information to who it should proxy (Proxy-To-Realm), then in Preproxy phase, it does some Attribute change and send the request to the correct home server. This has been working very well since many years now. (eg Authentication Proxification based on SQL) Recently, We've been ask by ISP to do the same for accounting. So we manage to tell our NAS to speak Accounting (based on DHCP), and the Proxy Freeradius does receive Accounting. But for now I've not been able to proxy this accounting using the same way We do it for Authentication requets. When we use SQL module, in accounting part, it does insert accounting information into the SQL, but does not request information from the database. I know that I could change this SQL request in sql.conf (eg SELECT instead of INSERT), but will it work ? Thanks Thomas
On 20/04/12 11:39, Thomas Fagart wrote:
When we use SQL module, in accounting part, it does insert accounting information into the SQL, but does not request information from the database. I know that I could change this SQL request in sql.conf (eg SELECT instead of INSERT), but will it work ?
No. rlm_sql will not perform the radcheck/radreply processing by default for accounting. Two options: 1. Force use of the "authorize" processing path in your accounting section: accounting { ... sql.authorize ... } 2. Use SQL xlat to perform your query: accounting { ... update control { Tmp-String-0 := "%{sql: query goes here}" } if (control:Tmp-String-0) { ... some conditional processing? } ... }
Many thanks, we took Option 1 which is the most "embedded one" :-). It works great, I didn't know we could change sql module use in another part of the AAA process. Thomas On 20.04.2012 13:21, Phil Mayers wrote:
On 20/04/12 11:39, Thomas Fagart wrote:
When we use SQL module, in accounting part, it does insert accounting information into the SQL, but does not request information from the database. I know that I could change this SQL request in sql.conf (eg SELECT instead of INSERT), but will it work ?
No. rlm_sql will not perform the radcheck/radreply processing by default for accounting.
Two options:
1. Force use of the "authorize" processing path in your accounting section:
accounting { ... sql.authorize ... }
2. Use SQL xlat to perform your query:
accounting { ... update control { Tmp-String-0 := "%{sql: query goes here}" } if (control:Tmp-String-0) { ... some conditional processing? } ... } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 20/04/12 14:32, Thomas Fagart wrote:
Many thanks, we took Option 1 which is the most "embedded one" :-).
It works great, I didn't know we could change sql module use in another part of the AAA process.
It's generic, and works on all modules, in all parts of the server; you can call: module.postauth ...in accounting, for example.
participants (4)
-
Fajar A. Nugraha -
Phil Mayers -
Thomas Fagart -
Timothy White