MS-CHAP Auth fail, password cache ?
Hi list, I'm currently - trying to - set up a radius server. The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8 During my tests, for the same user I used "test" password, then "blabla" password. Now, I use "blabla" and it's not working. instead "test" is still working ... I tested with a third string ("ahaha") , there's a third error output... I tried restarting radiusd and the jail it's running into, this does changes nothing. All this commands/outputs are from the same running server (I mean no reboot). How can this happen ? radtest commands : # radtest -t mschap bsemene test 10.1.8.4 0 testing123 Sending Access-Request of id 166 to 10.1.8.4 port 1812 User-Name = "bsemene" NAS-IP-Address = 10.1.8.4 NAS-Port = 0 MS-CHAP-Challenge = 0x244e451f6d9cec8a MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000048485d333f46de4d66241b5be289340fd16f37838c63c542 rad_recv: Access-Accept packet from host 10.1.8.4 port 1812, id=166, length=90 Framed-MTU = 1400 MS-CHAP-MPPE-Keys = 0x01fc5a6be7bc69292066656e05c22f3a995ad9ecfed913d60000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 /usr/local/etc/raddb# radtest -t mschap bsemene blabla 10.1.8.4 0 testing123 Sending Access-Request of id 87 to 10.1.8.4 port 1812 User-Name = "bsemene" NAS-IP-Address = 10.1.8.4 NAS-Port = 0 MS-CHAP-Challenge = 0xfabeb87636c4a8d1 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091fbe9a51db58f3684cd91ebde311aedfcbe19271848ee45 rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=87, length=38 MS-CHAP-Error = "\000E=691 R=1" /usr/local/etc/raddb# radtest -t mschap bsemene ahaha 10.1.8.4 0 testing123 Sending Access-Request of id 222 to 10.1.8.4 port 1812 User-Name = "bsemene" NAS-IP-Address = 10.1.8.4 NAS-Port = 0 MS-CHAP-Challenge = 0xc0d0a9ded19cb497 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000058d55aa0e11a251eee1a70f03438ff09fd872fc81b27c614 rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=222, length=38 MS-CHAP-Error = "\000E=691 R=1" debug mode outputs : password "test" : [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> bsemene [sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bsemene [sql] sql_set_user escaped user --> 'bsemene' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bsemene' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bsemene' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bsemene' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] returns ok password blabla: [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> bsemene [sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bsemene [sql] sql_set_user escaped user --> 'bsemene' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bsemene' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bsemene' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bsemene' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. password ahaha : [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> ahaha [sql] expand: %{%{User-Name}:-DEFAULT} -> ahaha [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> ahaha [sql] sql_set_user escaped user --> 'ahaha' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ahaha' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ahaha' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User ahaha not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. SQL=>radcheck table : mysql> SELECT * FROM radcheck\G *************************** 1. row *************************** id: 2525 username: bsemene attribute: dynamic op: := value: blabla 1 row in set (0.00 sec) Users file : # cat users | grep -v "^[[:space:]]*#" | grep -v "^$" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP default server : # cat sites-available/default | grep -v "^[[:space:]]*#" | grep -v "^$" authorize { preprocess chap mschap digest suffix eap { ok = return } files sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } inner-tunnel server : # cat sites-available/inner-tunnel | grep -v "^[[:space:]]*#" | grep -v "^$" server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } } # inner-tunnel server block -- If you think experts are expensive, wait to see what amateurs will cost you -- Bastien Semene Administrateur Réseau& Système Cyanide Studio - FRANCE
Bastien Semene wrote:
I'm currently - trying to - set up a radius server. The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
During my tests, for the same user I used "test" password, then "blabla" password. Now, I use "blabla" and it's not working. instead "test" is still working ... I tested with a third string ("ahaha") , there's a third error output...
I have no idea what that means.
I tried restarting radiusd and the jail it's running into, this does changes nothing. All this commands/outputs are from the same running server (I mean no reboot).
How can this happen ?
The server reads it's configuration files only when it starts. If you edit the configuration files, you will need to restart the server. Alan DeKok.
I express myself very badly, sorry. The configuration I put in my first mail is the current configuration, running, after restart. The debug and commands output are from the current - reloaded - configuration. There's only 1 entry in the radcheck table, and it's current password is "blabla". The three error outputs are relative to the logs. This means that the three cases are different : old password => working (and should not at all) current password "blabla" => [mschap] Told to do MS-CHAPv1 with NT-Password \n [mschap] MS-CHAP-Response is incorrect. random string (not in the database) => [mschap] No Cleartext-Password configured. Cannot create LM-Password. (correct error) I don't understand how radius can still authenticate with the old password. An output of the users file and MySQL table is available in my first mail. I don't know where the old password can be still stored. Le 11/07/2011 13:04, Alan DeKok a écrit :
Bastien Semene wrote:
I'm currently - trying to - set up a radius server. The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
During my tests, for the same user I used "test" password, then "blabla" password. Now, I use "blabla" and it's not working. instead "test" is still working ... I tested with a third string ("ahaha") , there's a third error output... I have no idea what that means.
I tried restarting radiusd and the jail it's running into, this does changes nothing. All this commands/outputs are from the same running server (I mean no reboot).
How can this happen ? The server reads it's configuration files only when it starts. If you edit the configuration files, you will need to restart the server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
If you think experts are expensive, wait to see what amateurs will cost you -- Bastien Semene Administrateur Réseau& Système
Cyanide Studio - FRANCE
Bastien Semene wrote:
I express myself very badly, sorry.
The configuration I put in my first mail is the current configuration, running, after restart. The debug and commands output are from the current - reloaded - configuration. There's only 1 entry in the radcheck table, and it's current password is "blabla".
There is nothing magic about the server. If it authenticates the user with the "wrong" password, it's because you didn't update the password.
I don't understand how radius can still authenticate with the old password. An output of the users file and MySQL table is available in my first mail. I don't know where the old password can be still stored.
You probably have two databases. FreeRADIUS is using one, and you've updated the other. Alan DeKok.
... that's it. I was blind while searching for a FreeRADIUS issue. I'm sorry for the lost time, anyway thank you for the answers. Le 11/07/2011 14:22, Alan DeKok a écrit :
Bastien Semene wrote:
I express myself very badly, sorry.
The configuration I put in my first mail is the current configuration, running, after restart. The debug and commands output are from the current - reloaded - configuration. There's only 1 entry in the radcheck table, and it's current password is "blabla". There is nothing magic about the server. If it authenticates the user with the "wrong" password, it's because you didn't update the password.
I don't understand how radius can still authenticate with the old password. An output of the users file and MySQL table is available in my first mail. I don't know where the old password can be still stored. You probably have two databases. FreeRADIUS is using one, and you've updated the other.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
If you think experts are expensive, wait to see what amateurs will cost you -- Bastien Semene Administrateur Réseau& Système
Cyanide Studio - FRANCE
participants (2)
-
Alan DeKok -
Bastien Semene