Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No
Hi list : ) With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available? I have set this in my policy.conf: policy { # Change to a specific prefix if you want to deal with normal PAP authentication as well as OTP # e.g. "multiotp_prefix = 'otp:'" multiotp_prefix = '' multiotp.authorize { # This test force multiOTP for any MS-CHAP(v2) attempt if (control:Auth-Type == MS-CHAP) { update control { Auth-Type := multiotpmschap MS-CHAP-Use-NTLM-Auth := No } } # This test force multiOTP for any MS-CHAP(v2) attempt elsif (control:Auth-Type == mschap) { update control { Auth-Type := multiotpmschap MS-CHAP-Use-NTLM-Auth := No } } . . . radtest appears to send the a Cleartext-Password (actually an OTP token which has been accepted in the authorize section): # radtest -x -t mschap bob $(./totp.py) localhost 0 testing123 Sent Access-Request Id 76 from 0.0.0.0:37601 to 127.0.0.1:1812 length 129 User-Name = "bob" MS-CHAP-Password = "631266" NAS-IP-Address = 10.118.240.180 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "631266" MS-CHAP-Challenge = 0x674bc434692c64f3 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf Received Access-Reject Id 76 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=24b53a75a9d80580 V=2" (0) -: Expected Access-Accept got Access-Reject However the server component appears not to expose Cleartext-Password for my use. From raddebug: (3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129 (3) Sun Feb 2 02:19:01 2020: Debug: User-Name = "bob" (3) Sun Feb 2 02:19:01 2020: Debug: NAS-IP-Address = 10.118.240.180 (3) Sun Feb 2 02:19:01 2020: Debug: NAS-Port = 0 (3) Sun Feb 2 02:19:01 2020: Debug: Message-Authenticator = 0x784a3fcd0eaa0a74d07afa17da59adad (3) Sun Feb 2 02:19:01 2020: Debug: MS-CHAP-Challenge = 0x674bc434692c64f3 (3) Sun Feb 2 02:19:01 2020: Debug: MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf (3) Sun Feb 2 02:19:01 2020: Debug: # Executing section authorize from file /etc/raddb/sites-enabled/default (3) Sun Feb 2 02:19:01 2020: Debug: authorize { (3) Sun Feb 2 02:19:01 2020: Debug: policy filter_username { . . . (3) Sun Feb 2 02:19:02 2020: Debug: } # authorize = ok (3) Sun Feb 2 02:19:02 2020: Debug: Found Auth-Type = mschap (3) Sun Feb 2 02:19:02 2020: Debug: # Executing group from file /etc/raddb/sites-enabled/default (3) Sun Feb 2 02:19:02 2020: Debug: Auth-Type mschap { (3) Sun Feb 2 02:19:02 2020: WARNING: multiotpmschap: No Cleartext-Password configured. Cannot create NT-Password (3) Sun Feb 2 02:19:02 2020: WARNING: multiotpmschap: No Cleartext-Password configured. Cannot create LM-Password (3) Sun Feb 2 02:19:02 2020: Debug: multiotpmschap: Client is using MS-CHAPv1 with NT-Password (3) Sun Feb 2 02:19:02 2020: ERROR: multiotpmschap: FAILED: No NT/LM-Password. Cannot perform authentication (3) Sun Feb 2 02:19:02 2020: ERROR: multiotpmschap: MS-CHAP2-Response is incorrect (3) Sun Feb 2 02:19:02 2020: Debug: [multiotpmschap] = reject (3) Sun Feb 2 02:19:02 2020: Debug: } # Auth-Type mschap = reject (3) Sun Feb 2 02:19:02 2020: Debug: Failed to authenticate the user Thanks :) ________________________________________________________________ Richard Green IT Solution Design & Delivery | UNSW Sydney | NSW 2052 richard.green@unsw.edu.au | +61(2) 9385 8738 ABN 57 195 873 179 | CRICOS Provider Code 00098G
On Feb 1, 2020, at 9:41 PM, Richard Green <richard.green@unsw.edu.au> wrote:
With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available?
Via the "users" file, or any database.
radtest appears to send the a Cleartext-Password (actually an OTP token which has been accepted in the authorize section):
No. Cleartext-Password is an "internal" attribute that is never sent in a RADIUS packet. radtest prints out Cleartext-Password in order to show you that it's using the password. But the actual authentication method is MS-CHAP.
However the server component appears not to expose Cleartext-Password for my use. From raddebug:
The server doesn't *see* the Cleartext-Password. Because it's not in the packet.
(3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129 (3) Sun Feb 2 02:19:01 2020: Debug: User-Name = "bob"
Run "radiusd -X". Not "-Xx", "-Xxxx", or anything else. This recommendation is documented *everywhere*. If you want to use PAP authentication, then have radtest send a User-Password attribute. And, don't send *both* User-Password and MS-CHAP in the same packet. Alan DeKok.
Thank you, using the files mod sets the password nicely, however the MS-CHAP2-Response is reported to be incorrect, sorry I could not find any more detailed docs to help me use the module's inbuilt functionality. . . . (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type mschap { (0) multiotpmschap: Found Cleartext-Password, hashing to create NT-Password (0) multiotpmschap: Found Cleartext-Password, hashing to create LM-Password (0) multiotpmschap: Client is using MS-CHAPv1 with NT-Password (0) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect (0) [multiotpmschap] = reject (0) } # Auth-Type mschap = reject . . . The full output from radiusd -X is at https://gist.github.com/greenaussie/13cdd90a597e46882066f01fb6492ef4 with the error report on line 780. Regards Richard ________________________________ From: Freeradius-Users <freeradius-users-bounces+richard.green=unsw.edu.au@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Sent: Sunday, 2 February 2020 1:54 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No On Feb 1, 2020, at 9:41 PM, Richard Green <richard.green@unsw.edu.au> wrote:
With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available?
Via the "users" file, or any database.
radtest appears to send the a Cleartext-Password (actually an OTP token which has been accepted in the authorize section):
No. Cleartext-Password is an "internal" attribute that is never sent in a RADIUS packet. radtest prints out Cleartext-Password in order to show you that it's using the password. But the actual authentication method is MS-CHAP.
However the server component appears not to expose Cleartext-Password for my use. From raddebug:
The server doesn't *see* the Cleartext-Password. Because it's not in the packet.
(3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129 (3) Sun Feb 2 02:19:01 2020: Debug: User-Name = "bob"
Run "radiusd -X". Not "-Xx", "-Xxxx", or anything else. This recommendation is documented *everywhere*. If you want to use PAP authentication, then have radtest send a User-Password attribute. And, don't send *both* User-Password and MS-CHAP in the same packet. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 2, 2020, at 7:53 PM, Richard Green <richard.green@unsw.edu.au> wrote:
Thank you, using the files mod sets the password nicely, however the MS-CHAP2-Response is reported to be incorrect, sorry I could not find any more detailed docs to help me use the module's inbuilt functionality. (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type mschap { (0) multiotpmschap: Found Cleartext-Password, hashing to create NT-Password (0) multiotpmschap: Found Cleartext-Password, hashing to create LM-Password (0) multiotpmschap: Client is using MS-CHAPv1 with NT-Password (0) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect
The password entered by the client is incorrect. i.e. it doesn't match what's on the server. There really aren't any other choices. Set the password to something simple, like "hello", and retest. Alan DeKok.
participants (2)
-
Alan DeKok -
Richard Green