I'm migrating an outdated system from centos 5/freeradius 1.1.7 to ubuntu 24/freeradius 3.2.5; it authenticates ppp connections via mschap by mac address with an sql procedure call. It doesn't look like there's anything to configure in mschap, the old system has all the mschap stuff commented out by default and so does the new system, but mschap is failing and it looks like it's not even getting to the sql part. It really just needs to ignore the mschap since the only part of it getting used is one of a few static usernames. I can send the full debug output privately if need be... It does work if you're using pap instead of chap, so the sql part works... (0) Received Access-Request Id 176 from 10.65.23.69:47717 to 10.67.10.137:1812 length 294 (0) Message-Authenticator = 0xcc69da5fbbc2a69a88a5e18907ebcc29 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port-Type = Ethernet (0) User-Name = "CPEv2" (0) Calling-Station-Id = "64:D1:54:7A:B1:F4" (0) Calling-Station-Id = "tarana-service" (0) NAS-Port-Id = "vlan2000-tarana" (0) Acct-Session-Id = "81f01557" (0) MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135 (0) MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646 530306330366137666137376464356132313063313662623037613235363063623563333838373264 (0) NAS-Identifier = "admin03" (0) NAS-IP-Address = 207.55.16.41 (0) NAS-Port = 15762707 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/peak (0) authorize { (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250206 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250206 (0) auth_log: EXPAND %t (0) auth_log: --> Thu Feb 6 15:44:52 2025 (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = fail (0) } # authorize = fail (0) Invalid user: [CPEv2] (from client admin01 port 15762707 cli 64:D1:54:7A:B1:F4) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/peak (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: WARNING: No such configuration item .query (0) [sql] = noop (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> CPEv2
On Feb 7, 2025, at 7:44 PM, Alan Batie <alan@batie.org> wrote:
I'm migrating an outdated system from centos 5/freeradius 1.1.7
Oh boy, that is decades old.
to ubuntu 24/freeradius 3.2.5; it authenticates ppp connections via mschap by mac address with an sql procedure call. It doesn't look like there's anything to configure in mschap, the old system has all the mschap stuff commented out by default and so does the new system, but mschap is failing and it looks like it's not even getting to the sql part. It really just needs to ignore the mschap since the only part of it getting used is one of a few static usernames. I can send the full debug output privately if need be...
The debug log doesn't show it running sql, or getting the "known good' password from anywhere. Where are the static usernames defined?
... (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/peak (0) authorize { (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d ... (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = fail (0) } # authorize = fail
OK, it runs preprocess, auth_log, chap, and mschap. Where is it getting the usernames / passwords from? The default configuration has it run the "files" module, and possibly even "sql". All of that has been deleted. Alan DeKok.
On 2/7/25 4:48 PM, Alan DeKok wrote:
On Feb 7, 2025, at 7:44 PM, Alan Batie <alan@batie.org> wrote:
I'm migrating an outdated system from centos 5/freeradius 1.1.7
Oh boy, that is decades old.
Yes, we've tried to update it before but other things interfered
to ubuntu 24/freeradius 3.2.5; it authenticates ppp connections via mschap by mac address with an sql procedure call. It doesn't look like there's anything to configure in mschap, the old system has all the mschap stuff commented out by default and so does the new system, but mschap is failing and it looks like it's not even getting to the sql part. It really just needs to ignore the mschap since the only part of it getting used is one of a few static usernames. I can send the full debug output privately if need be...
The debug log doesn't show it running sql, or getting the "known good' password from anywhere.
Where are the static usernames defined?
The client system is configured with a static user/pw, there's an sql procedure that verifies the static user/pw then checks the mac address against the db It's not getting to the sql because the mschap is failing. Which gave me the idea of putting sql first, and it passes, but mschap fails, so I tried just commenting out mschap, but then it complains that nothing is handling cleartext passwords. I'm not sure how it's working on the old system since the point of chap is to avoid *having* passwords... (0) Received Access-Request Id 23 from 10.65.23.69:40816 to 10.67.10.137:1812 length 294 (0) Message-Authenticator = 0x7a435fe1cbf36ab524723fb9be348c31 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port-Type = Ethernet (0) User-Name = "<username>" (0) Calling-Station-Id = "<macaddr>" (0) Calling-Station-Id = "tarana-service" (0) NAS-Port-Id = "vlan2000-tarana" (0) Acct-Session-Id = "81f01557" (0) MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135 (0) MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646530306330366137666137376464356132313063313662623037613235363063623563333838373264 (0) NAS-Identifier = "admin03" (0) NAS-IP-Address = 207.55.16.41 (0) NAS-Port = 15762707 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/peak (0) authorize { (0) sql: EXPAND %{User-Name} (0) sql: --> <username> (0) sql: SQL-User-Name set to '<username>' rlm_sql (sql): Reserved connection (0) (0) sql: EXPAND call onw_authorize_check('%{SQL-User-Name}','<secret>','%{Calling-Station-Id}'); (0) sql: --> call onw_authorize_check('<username>','<secret>','<macaddr>'); (0) sql: Executing select query: call onw_authorize_check('<username>','<secret>','<macaddr>'); (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "<secret>" (0) sql: Cleartext-Password := "<secret>" (0) sql: Cleartext-Password := "<secret>" (0) sql: EXPAND call onw_authorize_reply('%{SQL-User-Name}','<secret>','%{Calling-Station-Id}'); (0) sql: --> call onw_authorize_reply('<username>','<secret>','<macaddr>'); (0) sql: Executing select query: call onw_authorize_reply('<username>','<secret>','<macaddr>'); (0) sql: User found in radreply table, merging reply items (0) sql: Mikrotik-Rate-Limit := "22M/55M" (0) sql: Framed-Route := "" (0) sql: Framed-Route := "69.59.217.29/32" (0) sql: Framed-Route := "" (0) sql: EXPAND SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' (0) sql: --> SELECT GroupName FROM usergroup WHERE UserName='<username>' (0) sql: Executing select query: SELECT GroupName FROM usergroup WHERE UserName='<username>' (0) sql: User not found in any groups rlm_sql (sql): Released connection (0) Need more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version. rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.41-0ubuntu0.24.04.1, protocol version 10 (0) [sql] = ok (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250207 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250207 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Feb 7 16:59:12 2025 (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = fail (0) } # authorize = fail (0) Invalid user: [<username>] (from client admin01 port 15762707 cli <macaddr>) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/peak (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: WARNING: No such configuration item .query (0) [sql] = noop (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> <username> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect: [<username>] (from client admin01 port 15762707 cli <macaddr>)
On Feb 7, 2025, at 8:09 PM, Alan Batie <alan@batie.org> wrote:
The client system is configured with a static user/pw, there's an sql procedure that verifies the static user/pw then checks the mac address against the db
OK...
It's not getting to the sql because the mschap is failing.
The reason the mschap module is failing is because it's unable to set "Auth-Type := mschap". What's happening? a) you edited the dictionaries and broken them b) you didn't put "mschap" into the "authenticate" section Pick one. One issue here is that you're not starting with the default configuration, and then gradually making it do what you want. Instead, the configuration is radically changed, and you're trying to debug many changes a at the sae tie,
Which gave me the idea of putting sql first, and it passes, but mschap fails, so I tried just commenting out mschap, but then it complains that nothing is handling cleartext passwords. I'm not sure how it's working on the old system since the point of chap is to avoid *having* passwords...
It's not efficient to make random changes and move things around just in case it works. It's better to understand how the server works, and then configure to do what you want.
(0) Received Access-Request Id 23 from 10.65.23.69:40816 to 10.67.10.137:1812 length 294 ... (0) MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135 (0) MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646530306330366137666137376464356132313063313662623037613235363063623563333838373264
So that's MS-CHAP attributes, that's good.
... (0) sql: Executing select query: call onw_authorize_check('<username>','<secret>','<macaddr>'); (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "<secret>" (0) sql: Cleartext-Password := "<secret>" (0) sql: Cleartext-Password := "<secret>"
That doesn't make sense. Why are you adding multiple copies of the password?
... (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = fail
Yes... there's no "mschap" listed in the "authenticate" section. The default configuration has it listed there, going back to the v1.0 days. So mschap doesn't work, even with the sql module. The issue here is that you've made massive changes to the configuration, without really being clear what those changes are, or what they do. You're then trying to debug those changes, again without having a clear understanding of what's happening, or why you're making the changes. The default configuration works. Make your local "peak" virtual server look like the "default" one. It will work. Every change you make from the default is likely to break something. Especially if the changes are made at random. Alan DeKok.
On 2/7/25 6:32 PM, Alan DeKok wrote:
b) you didn't put "mschap" into the "authenticate" section
I missed that; one step closer at least
One issue here is that you're not starting with the default configuration, and then gradually making it do what you want.
I'm starting with an ancient version that has been working for years, and trying to map it into a vastly different configuration where both of them are confusing. I did have mschap commented out because I didn't think the clients were using it though, and didn't get it fully re-enabled when I realized that was wrong.
On Feb 8, 2025, at 3:25 AM, Alan Batie <alan@batie.org> wrote:
b) you didn't put "mschap" into the "authenticate" section
I missed that; one step closer at least
That's good, but...
One issue here is that you're not starting with the default configuration, and then gradually making it do what you want.
I'm starting with an ancient version that has been working for years, and trying to map it into a vastly different configuration where both of them are confusing. I did have mschap commented out because I didn't think the clients were using it though, and didn't get it fully re-enabled when I realized that was wrong.
This is where a methodical approach is best, along with creating tests for each piece of functionality. If the configuration is confusing, then making random changes is a guaranteed way to increase that confusion. It's best to understand how it all works, and then make directed changes in order to achieve a specific goal. Alan DeKok.
participants (2)
-
Alan Batie -
Alan DeKok