Freeradius with LDAPS + mschap
Hello all, I have been trying to create a freeradius configuration to support authentication for a VPN connection. The VPN is provided by Ubiquiti's Unifi product (though I don't believe that makes any difference). Our LDAP server is providing a variety of auths already, and we do have it configured with Freeradius already. It will currently work with pap, and with our 802.1X wireless network. The VPN typically requires mschap, or mschapv2 and this is where I'm currently stuck. The authenticate section of the inner-tunnel configuration is: authenticate { Auth-Type PAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap ldap eap } And the authenticate section: authorize { filter_username chap mschap suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } And here is a sample log from a failed connection: (27) Received Access-Request Id 122 from 172.17.0.1:40240 to 172.17.0.3:1812 length 135 (27) Service-Type = Framed-User (27) Framed-Protocol = PPP (27) User-Name = "andrewn" (27) MS-CHAP-Challenge = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (27) MS-CHAP2-Response = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (27) NAS-IP-Address = 127.0.1.1 (27) NAS-Port = 0 (27) # Executing section authorize from file /etc/freeradius/sites-enabled/default (27) authorize { (27) policy filter_username { (27) if (&User-Name) { (27) if (&User-Name) -> TRUE (27) if (&User-Name) { (27) if (&User-Name =~ / /) { (27) if (&User-Name =~ / /) -> FALSE (27) if (&User-Name =~ /@[^@]*@/ ) { (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (27) if (&User-Name =~ /\.\./ ) { (27) if (&User-Name =~ /\.\./ ) -> FALSE (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (27) if (&User-Name =~ /\.$/) { (27) if (&User-Name =~ /\.$/) -> FALSE (27) if (&User-Name =~ /@\./) { (27) if (&User-Name =~ /@\./) -> FALSE (27) } # if (&User-Name) = notfound (27) } # policy filter_username = notfound (27) [preprocess] = ok (27) [chap] = noop (27) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (27) [mschap] = ok (27) [digest] = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "andrewn", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) eap: No EAP-Message, not doing EAP (27) [eap] = noop (27) files: users: Matched entry DEFAULT at line 181 (27) [files] = ok rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for 72 seconds rlm_ldap (ldap): Reserved connection (13) (27) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (27) ldap: --> (uid=andrewn) (27) ldap: Performing search in "dc=moodle,dc=com" with filter "(uid=andrewn)", scope "sub" (27) ldap: Waiting for search result... (27) ldap: User object found at DN "uid=andrewn,ou=people,dc=moodle,dc=com" (27) ldap: Processing user attributes (27) ldap: control:Cleartext-Password := '{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap (ldap): Released connection (13) Need 6 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (17), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldaps://auth.in.moodle.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (27) [ldap] = updated (27) [expiration] = noop (27) [logintime] = noop (27) pap: WARNING: Auth-Type already set. Not setting to PAP (27) [pap] = noop (27) if (User-Password) { (27) if (User-Password) -> FALSE (27) } # authorize = updated (27) Found Auth-Type = mschap (27) # Executing group from file /etc/freeradius/sites-enabled/default (27) authenticate { (27) mschap: Found Cleartext-Password, hashing to create NT-Password (27) mschap: Found Cleartext-Password, hashing to create LM-Password (27) mschap: Creating challenge hash with username: andrewn (27) mschap: Client is using MS-CHAPv2 (27) mschap: ERROR: MS-CHAP2-Response is incorrect (27) [mschap] = reject (27) } # authenticate = reject (27) Failed to authenticate the user (27) Using Post-Auth-Type Reject (27) # Executing group from file /etc/freeradius/sites-enabled/default (27) Post-Auth-Type REJECT { (27) attr_filter.access_reject: EXPAND %{User-Name} (27) attr_filter.access_reject: --> andrewn (27) attr_filter.access_reject: Matched entry DEFAULT at line 11 (27) [attr_filter.access_reject] = updated (27) [eap] = noop (27) policy remove_reply_message_if_eap { (27) if (&reply:EAP-Message && &reply:Reply-Message) { (27) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (27) else { (27) [noop] = noop (27) } # else = noop (27) } # policy remove_reply_message_if_eap = noop (27) } # Post-Auth-Type REJECT = updated (27) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (27) Sending delayed response (27) Sent Access-Reject Id 122 from 172.17.0.3:1812 to 172.17.0.1:40240 length 103 (27) MS-CHAP-Error = "\272E=691 R=1 C=c6a8eea80730f4b2f359e698eba21ae4 V=3 M=Authentication rejected" Waking up in 3.9 seconds. (27) Cleaning up request packet ID 122 with timestamp +804 Ready to process requests I have tried to read the various documentation, but I may well be missing something so I apologise if that is the case. Is the password in our LDAP server in an incompatible format, or have I got an error in my configuration above? Thanks in advance, Andrew Nicols
On Thu, 2020-01-23 at 12:12 +0800, Andrew Nicols via Freeradius-Users wrote:
(27) ldap: Processing user attributes (27) ldap: control:Cleartext-Password := '{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Password is in SSHA format. (Note this should be in the Password-With- Header attribute, it's not a cleartext password.) SSHA isn't compatible with mschap. You need cleartext passwords (or NT hash). http://deployingradius.com/documents/protocols/compatibility.html -- Matthew
participants (2)
-
Andrew Nicols -
Matthew Newton