FreeRadius MSCHAP Authenticatiom With Realm Fails
Hi I have FreeRadius 2.0 server with AD as user store. Authenticating using EAP-PEAP-MSCHAP2.Local realm is defined in proxy.conf. Authentications works fine without realm added to the username. As soon as I authenticate using username with realm, i.e. username@realm.com, authentication fails. The reason for failure is clear, it fails because radius server mschap module creates challenge hash with username which includes realm. I need the radius mschap module to create hash from stripped username, i.e. which doesn't include the realm. Any ideas? Please see radius debug log below: rad_recv: Access-Request packet from host 192.168.1.254 port 55769, id=138, length=376 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "user5@igor.local" State = 0x3ce95d9d3fed44ec4019661d07f2a324 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" EAP-Message = 0x020400d01980000000c61603010086100000820080791cc56766422be7f48414f5942dda519afd607aea2fae890f9236e8af61cf71c66f4f80a5d427672d7f949a3fa163b959f0f1957f382f533a3f9c23d576dafcb5d36ca04dc7d0002203513a23b9394b75cf98f241a6c585583593f6622829a39a736160f0f83b567fa7bbc253558191630071d1889827f6118f366040f69d8814030100010116030100307173492977a9f772a302c0ecb7d2612700f9433dce8e08ff0e74b84dbc62de5fe5a95921f364f8c68dd38484550022ae Message-Authenticator = 0x9a61469cb26792ebd980f294bd9a64c9 NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok ++[mschap] returns noop [suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local" [suffix] Found realm "igor.local" [suffix] Adding Stripped-User-Name = "user5" [suffix] Adding Realm = "igor.local" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 138 to 192.168.1.254 port 55769 EAP-Message = 0x0105004119001403010001011603010030b0496fb6db5990b1f6a9cf2425dd8587e12b8f4e394f4bd8ccd2c077fe9ba54077bc170e9af421dda6e1deba0235ae8b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ce95d9d38ec44ec4019661d07f2a324 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 56590, id=139, length=174 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "user5@igor.local" State = 0x3ce95d9d38ec44ec4019661d07f2a324 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" EAP-Message = 0x020500061900 Message-Authenticator = 0xd034f4a268e3ac260f43575b92006929 NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok ++[mschap] returns noop [suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local" [suffix] Found realm "igor.local" [suffix] Adding Stripped-User-Name = "user5" [suffix] Adding Realm = "igor.local" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 139 to 192.168.1.254 port 56590 EAP-Message = 0x0106002b190017030100205c4bae935a0f79fa0d08a9ce246433654e7edd61806e1f065cc4bdc32958e161 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ce95d9d39ef44ec4019661d07f2a324 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 53256, id=140, length=264 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "user5@igor.local" State = 0x3ce95d9d39ef44ec4019661d07f2a324 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" EAP-Message = 0x02060060190017030100209cc7c674b7a342e6bec99adea0f61331d5f99b0f6a5950927de5ae55a0bcbcbd1703010030a3f8d19a2da43ad4bee38bdadeeb8049f2ccd3b6452763ed52490a8ff701f7dddeb0d19ec99dc82884df40d0c650c45c Message-Authenticator = 0x4c2f97f2d3325123f0616a879cb73a5f NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok ++[mschap] returns noop [suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local" [suffix] Found realm "igor.local" [suffix] Adding Stripped-User-Name = "user5" [suffix] Adding Realm = "igor.local" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - user5@igor.local [peap] Got inner identity 'user5@igor.local' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020600150175736572354069676f722e6c6f63616c server { [peap] Setting User-Name to user5@igor.local Sending tunneled request EAP-Message = 0x020600150175736572354069676f722e6c6f63616c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user5@igor.local" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok [eap] EAP packet type response id 6 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[mschap] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107002a1a010700251028ee58cd731c7f9fdd4de2f82cc1bf8e75736572354069676f722e6c6f63616c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2798eb6d20828b51434e222e2c4892 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002a1a010700251028ee58cd731c7f9fdd4de2f82cc1bf8e75736572354069676f722e6c6f63616c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d2798eb6d20828b51434e222e2c4892 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 140 to 192.168.1.254 port 53256 EAP-Message = 0x0107004b190017030100400140898f0ff025ef80db345ef75a51b4a94d6b114a1d16ef08e1fc4c2d9de5d9895bd09efcdbc614e3886fa835507c92e6b34d2d657247692685e84c0e1f540f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ce95d9d3aee44ec4019661d07f2a324 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 47603, id=141, length=312 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "user5@igor.local" State = 0x3ce95d9d3aee44ec4019661d07f2a324 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" EAP-Message = 0x020700901900170301002045693fe624f18512a0f9c83b0b896669c3a55066d0d54494bdee159a241df7cf170301006081573695ccc8dd51297f737d1ab47a212c08801a46c831418959b106028089aac0d7cec2f5aa0740909f7ae40d4274bd4534fa24cc41b9c775c3202ad337b19d7b7062c980579e7d31ca54439954aedcb279acd9cc65df2c1fdb85039fb26142 Message-Authenticator = 0x97fd332a0965353e5459137c179a2c62 NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok ++[mschap] returns noop [suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local" [suffix] Found realm "igor.local" [suffix] Adding Stripped-User-Name = "user5" [suffix] Adding Realm = "igor.local" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207004b1a02070046317c71750309db8428b4ec154f7e6c5b840000000000000000a333f4999fd9698891d2fbc675892007431387796abfa13b0075736572354069676f722e6c6f63616c server { [peap] Setting User-Name to user5@igor.local Sending tunneled request EAP-Message = 0x0207004b1a02070046317c71750309db8428b4ec154f7e6c5b840000000000000000a333f4999fd9698891d2fbc675892007431387796abfa13b0075736572354069676f722e6c6f63616c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user5@igor.local" State = 0x6d2798eb6d20828b51434e222e2c4892 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok [eap] EAP packet type response id 7 length 75 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[mschap] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: user5@igor.local [mschap] Told to do MS-CHAPv2 for user5@igor.local with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> user5@igor.local [mschap] expand: %{%{User-Name}:-None} -> user5@igor.local [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user5@igor.local [mschap] Creating challenge hash with username: user5@igor.local [mschap] expand: %{mschap:Challenge} -> 13479bee1886303a [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=13479bee1886303a [mschap] expand: %{mschap:NT-Response} -> a333f4999fd9698891d2fbc675892007431387796abfa13b [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a333f4999fd9698891d2fbc675892007431387796abfa13b WARNING: The "idmap uid" option is deprecated WARNING: The "idmap gid" option is deprecated Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 141 to 192.168.1.254 port 47603 EAP-Message = 0x0108002b19001703010020849be569aa66a8021ded29e15410bf74c59467c7db34f5995d1b6f91ebe9f22f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3ce95d9d3be144ec4019661d07f2a324 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 49384, id=142, length=248 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "user5@igor.local" State = 0x3ce95d9d3be144ec4019661d07f2a324 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" EAP-Message = 0x02080050190017030100200ebc17e9bd20cc45f1c1772575868316464689e08bba6f4d934e5e1e4be3b040170301002078626c70503034ac41b926af5220e841c57e097b8fe870a8a49fdf71c2e749f8 Message-Authenticator = 0x658f4273b0c1858d67761528c08eac05 NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok ++[mschap] returns noop [suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local" [suffix] Found realm "igor.local" [suffix] Adding Stripped-User-Name = "user5" [suffix] Adding Realm = "igor.local" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 8 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user5@igor.local attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 142 to 192.168.1.254 port 49384 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 134 with timestamp +3480 Cleaning up request 1 ID 135 with timestamp +3480 Cleaning up request 2 ID 136 with timestamp +3480 Cleaning up request 3 ID 137 with timestamp +3480 Cleaning up request 4 ID 138 with timestamp +3480 Cleaning up request 5 ID 139 with timestamp +3480 Cleaning up request 6 ID 140 with timestamp +3480 Cleaning up request 7 ID 141 with timestamp +3480 Waking up in 1.0 seconds. Cleaning up request 8 ID 142 with timestamp +3480 Ready to process requests.
On 14/03/14 11:24, T I wrote:
Hi I have FreeRadius 2.0 server with AD as user store. Authenticating using EAP-PEAP-MSCHAP2.Local realm is defined in proxy.conf. Authentications works fine without realm added to the username. As soon as I authenticate using username with realm, i.e. username@realm.com, authentication fails. The reason for failure is clear, it fails because radius server mschap module creates challenge hash with username which includes realm. I need the radius mschap module to create hash from stripped username, i.e. which doesn't include the realm. Any ideas?
You need to strip the realm in the inner-tunnel virtual server. Either run the "suffix" module there: server inner-tunnel { authorize { ... suffix ... } } ...or strip it with unlang: server inner-tunnel { authorize { ... if (User-Name =~ /^(.*)@(.+)$/) { update request { Stripped-User-Name := "%{1}" } } ... } } Both methods have different advantages; see the list archives for discussion of manual stripping versus using the "realm" module.
participants (2)
-
Phil Mayers -
T I