problems authenticating
I am trying to do EAP-PEAP, using FreeRadius 1.0.4. Here are the debug logs, at the breaking points: rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 8 rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 8 modcall: group Auth-Type returns reject for request 8 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 8 modcall: group authenticate returns reject for request 8 auth: Failed to validate the user. Login incorrect: [johnk/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE and again later on... eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Login incorrect: [johnk/<no User-Password attribute>] (from client xXxXx1100 port 821 cli 000e.35b5.eb8f) Here is how my two auth sections look: radiusd.conf: authorize { preprocess auth_log mschap eap sql } authenticate { Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap } Here are a few excerpts from eap.conf: eap { # Invoke the default supported EAP type when # EAP-Identity response is received. # # The incoming EAP messages DO NOT specify which EAP # type they will be using, so it MUST be set here. # # For now, only one default EAP type may be used at a time. # # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. # default_eap_type = mschapv2 .... peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. default_eap_type = mschapv2 } My thoughts are that SQL and MSCHAP should be in the authorization section, and MSCHAP and EAP should be in authentication. I have tried this, and it does not work for me. I really have no idea of what I am doing, although I have read the documentation. I am storing NTLM passwords in my SQL server. mysql> select * from radcheck where UserName = "johnk"; +------+----------+---------------+----+-------------------------------------------------------------------+ | id | UserName | Attribute | op | Value | +------+----------+---------------+----+-------------------------------------------------------------------+ | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 | +------+----------+---------------+----+-------------------------------------------------------------------+ 1 row in set (0.00 sec) (The password above has been assigned a false value) mysql> select * from usergroup where UserName = "johnk"; +------+----------+------------+ | id | UserName | GroupName | +------+----------+------------+ | 2502 | johnk | pirate | +------+----------+------------+ 1 row in set (0.01 sec) mysql> select * from radgroupreply; +----+------------+---------------------------+----+----------+------+ | id | GroupName | Attribute | op | Value | prio | +----+------------+---------------------------+----+----------+------+ | 39 | pirate | Tunnel-Medium-Type:0 | = | IEEE-802 | 0 | | 40 | pirate | Tunnel-Type:0 | = | VLAN | 0 | | 41 | pirate | Tunnel-Private-Group-ID:0 | = | 111 | 0 | +----+------------+---------------------------+----+----------+------+ 3 rows in set (0.00 sec) What can be suggested, so that my authentication phase goes as well as my authorization phase? --johnk
jck-freeradius@southwestern.edu wrote:
rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
That's pretty definitive.
My thoughts are that SQL and MSCHAP should be in the authorization section, and MSCHAP and EAP should be in authentication.
"eap" should be in the "authorize" section, too. That's the way the server comnes configured.
I am storing NTLM passwords in my SQL server. ... | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
No, you're not. You're telling the server that the clear-text password is a hex string, which it's not. If you want to store the NT-hashed passwords in SQL, use the "NT-Password" attribute, and ensure that the value is 32 bytes of hex data. But before you do that, I would STRONGLY suggest storing a simple clear-text password in SQL, like "test". Verify that it works, and THEN start storing NT password. By trying to configure 3 things at the same time, you guarantee that you can't possible figure out which one of the three is failing. Alan DeKok.
On Mon, Jul 11, 2005 at 05:26:54PM -0400, Alan DeKok wrote:
jck-freeradius@southwestern.edu wrote:
rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
That's pretty definitive.
I thought so as well. I am 99% sure that the NTLM passwords I am using are valid.
My thoughts are that SQL and MSCHAP should be in the authorization section, and MSCHAP and EAP should be in authentication.
"eap" should be in the "authorize" section, too. That's the way the server comnes configured.
radiusd.conf now reads, in part: authorize { preprocess auth_log sql mschap eap } authenticate { # MSCHAP authentication. Auth-Type MS-CHAP { mschap } mschap eap }
I am storing NTLM passwords in my SQL server. ... | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
No, you're not.
You're telling the server that the clear-text password is a hex string, which it's not.
If you want to store the NT-hashed passwords in SQL, use the "NT-Password" attribute, and ensure that the value is 32 bytes of hex data.
When using NT-Password, I was noticing that the sql authorization phase would not return OK. Switching it to User-Password seemed to fix that (albeit not correctly). I have switched radcheck back to using Attributes of NT-Password.
But before you do that, I would STRONGLY suggest storing a simple clear-text password in SQL, like "test". Verify that it works, and THEN start storing NT password.
I have a test account, named testacct. I have switched his values in radcheck to "Password == monkey" host:/etc/raddb # radtest testacct monkey host:1645 0 testing123 Sending Access-Request of id 77 to 127.0.0.1:1645 User-Name = "testacct" User-Password = "monkey" NAS-IP-Address = hecate NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=77, length=37 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "111" host:/etc/raddb #
By trying to configure 3 things at the same time, you guarantee that you can't possible figure out which one of the three is failing.
Agreed. I am including two URLs. One with debug logs showing user 'johnk' trying to AAA, using NT-Password. The other shows testacct (using the same supplicant as johnk, XP) using Password (cleartext). NT-Password, logging in as johnk: http://www.southwestern.edu/~johnk/johnk_NT-Password_debug.txt Password, logging in as testacct: http://www.southwestern.edu/~johnk/testacct_Password_debug.txt Notice that with changing the Attribute in radcheck to Password, and assigning the Value a cleartext, Access-Accept is generated. --johnk
jck-freeradius@southwestern.edu wrote:
When using NT-Password, I was noticing that the sql authorization phase would not return OK. Switching it to User-Password seemed to fix that (albeit not correctly). I have switched radcheck back to using Attributes of NT-Password.
Make sure you have both NT-Password and LM-Password. Those are two different hashes. You can't just use one. From your previous example separate password at colon and stick it in NT and LM passwords attributes. Vladimir
jck-freeradius@southwestern.edu wrote:
I thought so as well. I am 99% sure that the NTLM passwords I am using are valid.
What you put into SQL wasn't valid.
I am including two URLs. One with debug logs showing user 'johnk' trying to AAA, using NT-Password. The other shows testacct (using the same supplicant as johnk, XP) using Password (cleartext). ... Password, logging in as testacct: http://www.southwestern.edu/~johnk/testacct_Password_debug.txt
Notice that with changing the Attribute in radcheck to Password, and assigning the Value a cleartext, Access-Accept is generated.
As I said. ...
NT-Password, logging in as johnk: http://www.southwestern.edu/~johnk/johnk_NT-Password_debug.txt
Which shows it not finding the NT password. Try using just MS-CHAP with an NT password in SQL. Once that works, PEAP will work. Alan DeKok.
On Mon, Jul 11, 2005 at 06:56:44PM -0400, Alan DeKok wrote:
Try using just MS-CHAP with an NT password in SQL. Once that works, PEAP will work.
Alan DeKok.
I am not entirely sure what you mean, so I tried a two different combinations. johnk has only a NT-Password. testacct has both NT-Password and LM-Password. EAP removed from authorization stanza: http://www.southwestern.edu/~johnk/eap_removed_authorization.txt authorize { preprocess auth_log sql mschap #eap } authenticate { # MSCHAP authentication. Auth-Type MS-CHAP { mschap } mschap eap } EAP removed from authentication stanza: http://www.southwestern.edu/~johnk/eap_removed_authentication.txt authorize { preprocess auth_log sql mschap eap } authenticate { # MSCHAP authentication. Auth-Type MS-CHAP { mschap } mschap #eap } --johnk
jck-freeradius@southwestern.edu wrote:
Try using just MS-CHAP with an NT password in SQL. Once that works, PEAP will work.
I am not entirely sure what you mean, so I tried a two different combinations.
Find a RADIUS client that implements MS-CHAPv. See src/tests/mschapv1 for a sample script which can be used with "radclient" to test MSCHAP.
EAP removed from authorization stanza: http://www.southwestern.edu/~johnk/eap_removed_authorization.txt
If you tell the server not to use EAP, and then send it EAP requests, it won't work. Alan DeKok.
On Mon, Jul 11, 2005 at 08:12:09PM -0400, Alan DeKok wrote:
jck-freeradius@southwestern.edu wrote:
Try using just MS-CHAP with an NT password in SQL. Once that works, PEAP will work.
I am not entirely sure what you mean, so I tried a two different combinations.
Find a RADIUS client that implements MS-CHAPv.
The native windows XP client uses MS-CHAPv2. Unless I decide to use a smartcard, the built-in client uses EAP type of PEAP and authentication of MS-CHAP-V2, /only/.
See src/tests/mschapv1 for a sample script which can be used with "radclient" to test MSCHAP.
I do not understand how radclient is any different compared to radtest. If I use the src/tests/mschapv1 script as input to radclient, do I not need to put some information in for user "Bob" into my SQL database? I am unsure how I need to change my radiusd.conf or authorization backend, to accommodate the script. If it is MS-CHAP-V2 which is failing, how will testing MS-CHAP-V2 with a MS-CHAP client help? I should see the same error when testing, that I see now, correct? rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv1 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: MS-CHAP-Response is incorrect. modcall[authenticate]: module "mschap" returns reject for request 0 modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Login incorrect: [bob/<no User-Password attribute>] (from client localhost port 0)
EAP removed from authorization stanza: http://www.southwestern.edu/~johnk/eap_removed_authorization.txt
If you tell the server not to use EAP, and then send it EAP requests, it won't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk
On Tue, Jul 12, 2005 at 10:30:22AM -0500, jck-freeradius@southwestern.edu wrote: What I find interesting, is if I use NT-Password and or LM-Password, in the radcheck table, the sql authorization complains: modcall[authorize]: module "auth_log" returns ok for request 18 radius_xlat: 'johnk' rlm_sql (sql): sql_set_user escaped user --> 'johnk' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'johnk' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'johnk' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'johnk' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'johnk' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): No matching entry in the database for request from user [johnk] rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 18 however, if I use User-Password, I see: modcall[authorize]: module "auth_log" returns ok for request 29 radius_xlat: 'johnk' rlm_sql (sql): sql_set_user escaped user --> 'johnk' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'johnk' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'johnk' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'johnk' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'johnk' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 29 Does this not mean that my supplicant is sending a password response in the form of User-Password, and not in NT/LM form? --johnk
jck-freeradius@southwestern.edu wrote:
What I find interesting, is if I use NT-Password and or LM-Password, in the radcheck table, the sql authorization complains: ... rlm_sql (sql): No matching entry in the database for request from user [johnk]
The documentation for the SQL module says that "==" is a comparison operator. The debug log shows there is no "NT-Password" attribute in the request, so you can't use "==" in the debug log to compare to anything. Use ":="
Does this not mean that my supplicant is sending a password response in the form of User-Password, and not in NT/LM form?
No. Read the debug log. There is no User-Password or NT-Password in the packet. Alan DeKok.
jck-freeradius@southwestern.edu wrote:
Find a RADIUS client that implements MS-CHAPv.
The native windows XP client uses MS-CHAPv2. Unless I decide to use a smartcard, the built-in client uses EAP type of PEAP and authentication of MS-CHAP-V2, /only/.
That's not what I said. I said "MSCHAPv2", not "PEAP with MSCHAPv2". By trying to configure PEAP + TLS + MSCHAPv2 all at the same time, it's difficult to figure out what's going wrong. A standard technique is "divide and conquer". Get the pieces working one by one, and then put the pieces together to get a solution.
I do not understand how radclient is any different compared to radtest.
Then read the "man" pages.
If I use the src/tests/mschapv1 script as input to radclient, do I not need to put some information in for user "Bob" into my SQL database?
That would appear to make sense.
I am unsure how I need to change my radiusd.conf or authorization backend, to accommodate the script.
In the default config, you don't have to change anything, other than telling the server about user "bob" with password "bob".
If it is MS-CHAP-V2 which is failing, how will testing MS-CHAP-V2 with a MS-CHAP client help? I should see the same error when testing, that I see now, correct?
Because you can now do simple tests without using an XP supplicant. This means that the test cycle will be faster, and you will solve your problem faster. But if you want to go slowly and be confused, by all means, make the configuration as complicated as possible, and make the test as complicated as possible. You'll have fun getting anything to work the way you expect. Alan DeKok.
jck-freeradius@southwestern.edu wrote:
I am trying to do EAP-PEAP, using FreeRadius 1.0.4. Here are the debug logs, at the breaking points:
It doesn't appear you are sending the whole log. There should be another section where the user is being authorized against the SQL database. It appears your password is "incorrect". Read at the end of the message
rlm_sql (sql): Released sql socket id: 4
My thoughts are that SQL and MSCHAP should be in the authorization section, and MSCHAP and EAP should be in authentication. I have tried this, and it does not work for me. I really have no idea of what I am doing, although I have read the documentation.
I am storing NTLM passwords in my SQL server.
mysql> select * from radcheck where UserName = "johnk"; +------+----------+---------------+----+-------------------------------------------------------------------+ | id | UserName | Attribute | op | Value | +------+----------+---------------+----+-------------------------------------------------------------------+ | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 | +------+----------+---------------+----+-------------------------------------------------------------------+
I believe this is incorrect. You may want to split off the two password hashes and put them in separate variables ie. LM-Password and NT-Password. User-Password usually refers to either a crypted or cleartext password.
On Mon, Jul 11, 2005 at 03:40:32PM -0600, Vladimir Vuksan wrote:
I believe this is incorrect. You may want to split off the two password hashes and put them in separate variables ie. LM-Password and NT-Password. User-Password usually refers to either a crypted or cleartext password.
I think you are correct! I have tried splitting the password into two seperate parts: mysql> select * from radcheck where UserName ="testacct"; +------+----------+-------------+----+----------------------------------+ | id | UserName | Attribute | op | Value | +------+----------+-------------+----+----------------------------------+ | 697 | testacct | NT-Password | == | 8503P0UI042LADKP3M13B449051404EE | | 2513 | testacct | LM-Password | == | BEO04PD4LA909194D58181AFS44KE005 | +------+----------+-------------+----+----------------------------------+ 2 rows in set (0.00 sec) I receive logs similar to what is received when logging in with a "bad password", as before. I have even swapped two values with each other (NT for LM). MS-CHAP failed. --johnk
participants (3)
-
Alan DeKok -
jck-freeradius@southwestern.edu -
Vladimir Vuksan