I have freeradius 1.1.4 setup as a proxy to an upstream radius server which works. I also want to put guests in a local users file and use MSCHAPV2 on them, but didn't get it to work. I was able to get PAP and CHAP working. Here is the MSCHAPV2 configuration I tried: users file: cobb User-Password=="secret" proxy.conf: proxy server { synchronous = no retry_delay = 5 retry_count = 3 dead_time = 120 default_fallback = yes post_proxy_authorize = no } realm guests { type = radius authhost = LOCAL:1812 accthost = LOCAL:1813 secret = whatever } realm testlab.com { type = radius authhost = 172.16.0.3:1812 accthost = 172.16.0.3:1813 secret = testing } realm DEFAULT { type = radius authhost = 172.16.0.3:1812 accthost = 172.16.0.3:1813 secret = testing } radius.conf: prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var/lib sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = /var/log/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 1812 listen { ipaddr = * port = 1645 type = auth } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no # Reload the cache every 600 seconds (10mins). 0 to disable. cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP #use_mppe = no #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no } ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } # 'username@realm' # realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = yes } # 'username%realm' # realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } # Write a detailed log of all accounting records received. # detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { # Where the file is stored. It's not a log file, # so it doesn't need rotating. # filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } # attr_filter - filters the attributes received in replies from # proxied servers, to make sure we send back to our RADIUS client # only allowed attributes. attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { # range-start,range-stop: The start and end ip # addresses for the ip pool range-start = 192.168.1.1 range-stop = 192.168.3.254 # netmask: The network mask used for the ip's netmask = 255.255.255.0 # cache-size: The gdbm cache size for the db # files. Should be equal to the number of ip's # available in the ip pool cache-size = 800 # session-db: The main db file used to allocate ip's to clients session-db = ${raddbdir}/db.ippool # ip-index: Helper db index file used in multilink ip-index = ${raddbdir}/db.ipindex # override: Will this ippool override a Framed-IP-Address already set override = no # maximum-timeout: If not zero specifies the maximum time in seconds an # entry may be active. Default: 0 maximum-timeout = 0 } } instantiate { exec expr # daily } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { preprocess chap mschap suffix ntdomain eap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique suffix ntdomain # # Read the 'acct_users' file files } accounting { detail unix radutmp } session { radutmp } post-auth { } post-proxy { eap } I get this error about the mschap response being incorrect. A request form the same client that is proxied back to IAS with mschapv2 works. rlm_realm: Looking up realm "guests" for User-Name = "cobb@guests" rlm_realm: Found realm "guests" rlm_realm: Adding Stripped-User-Name = "cobb" rlm_realm: Proxying request from user cobb to realm guests rlm_realm: Adding Realm = "guests" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "ntdomain" returns noop for request 0 modcall: leaving group (returns noop) for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry cobb at line 1 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. I also tried changing the users file to have NT-Password == "0xB6FFB3200061D7B7928F0D932F095128" But then freeradius just said it couldn't create the NT-Password: rlm_mschap: No User-Password configured. Cannot create NT-Password, followed by the previous error. How do I configure MSCHAPv2 to a local users file?
Use Cleartext-Password and operator := That listing seems to be from the attempt with NT-Password. That entry should also use := as the operator. Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Matt Cobb" <mattc@lockdownnetworks.com> piše:
I have freeradius 1.1.4 setup as a proxy to an upstream radius server which works. I also want to put guests in a local users file and use MSCHAPV2 on them, but didn't get it to work. I was able to get PAP and CHAP working. Here is the MSCHAPV2 configuration I tried:
users file:
cobb User-Password=="secret"
How do I configure MSCHAPv2 to a local users file?
Tried: cobb Cleartext-Password:="secret" same result: rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 -----Original Message----- From: freeradius-users-bounces+mattc=lockdownnetworks.com@lists.freeradius.org [mailto:freeradius-users-bounces+mattc=lockdownnetworks.com@lists.freeradius.org] On Behalf Of tnt@kalik.co.yu Sent: Wednesday, June 20, 2007 1:47 AM To: FreeRadius users mailing list Subject: Re: mschapv2 and users file Use Cleartext-Password and operator := That listing seems to be from the attempt with NT-Password. That entry should also use := as the operator. Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Matt Cobb" <mattc@lockdownnetworks.com> piše:
I have freeradius 1.1.4 setup as a proxy to an upstream radius server which works. I also want to put guests in a local users file and use MSCHAPV2 on them, but didn't get it to work. I was able to get PAP and CHAP working. Here is the MSCHAPV2 configuration I tried:
users file:
cobb User-Password=="secret"
How do I configure MSCHAPv2 to a local users file?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matt Cobb wrote:
Tried:
cobb Cleartext-Password:="secret"
same result:
Please post the ENTIRE debug output. Trust me, MS-CHAP works in the server. Put that entry at the TOP of the "users" file, and it should work. Odds are you put it in the middle of the "users" file, and there's an earlier entry which means that the "cobb" entry is never used. Alan DeKok.
I'm having the same problem on 1.1.6, but when I try the cobb Cleartext-Password := "secret" as below, i get this when starting... /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown attribute "Cleartext-password" Errors reading /etc/raddb-test/users radiusd.conf[1052]: files: Module instantiation failed. radiusd.conf[1654] Unknown module "files". radiusd.conf[1589] Failed to parse authorize section. On 6/20/07, Alan DeKok <aland@deployingradius.com> wrote:
Matt Cobb wrote:
Tried:
cobb Cleartext-Password:="secret"
same result:
Please post the ENTIRE debug output. Trust me, MS-CHAP works in the server. Put that entry at the TOP of the "users" file, and it should work. Odds are you put it in the middle of the "users" file, and there's an earlier entry which means that the "cobb" entry is never used.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ryan Kramer wrote:
I'm having the same problem on 1.1.6, but when I try the cobb Cleartext-Password := "secret" as below, i get this when starting...
/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown attribute "Cleartext-password"
You're not using the dictionaries that came with 1.1.6. See raddb/dictionary. Point it to the location of the 1.1.6 dictionaries. Alan DeKok.
I am trying to rum Freeradius on Solaris with MySQL. Logs are pasted below. Its working fine for earlier versions of Freeradius. Do any one have the solution? Thanks in advance, Debashis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ freeradius/sbin # ./radiusd -X Config: including file: /opt/sf/freeradius/etc/raddb/radiusd.conf Config: including file: /opt/sf/freeradius/etc/raddb/proxy.conf Config: including file: /opt/sf/freeradius/etc/raddb/clients.conf Config: including file: /opt/sf/freeradius/etc/raddb/snmp.conf Config: including file: /opt/sf/freeradius/etc/raddb/eap.conf Config: including file: /opt/sf/freeradius/etc/raddb/sql.conf Config: including file: /opt/sf/freeradius/etc/raddb/sql/mysql-dialup.conf FreeRADIUS Version 2.0.0-pre1, for host i386-pc-solaris2.10, built on Jun 19 2007 at 10:29:22 Starting - reading configuration files ... read_config_files: reading dictionary main { prefix = "/opt/sf/freeradius" localstatedir = "/opt/sf/freeradius/var" logdir = "/opt/sf/freeradius/var/log/radius" libdir = "/opt/sf/freeradius/lib" radacctdir = "/opt/sf/freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no log_stripped_names = no log_file = "/opt/sf/freeradius/var/log/radius/radius.log" log_auth = no log_auth_badpass = no log_auth_goodpass = no pidfile = "/opt/sf/freeradius/var/run/radiusd/radiusd.pid" checkrad = "/opt/sf/freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { syslog_facility = "daemon" } proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } home_server localhost { ipaddr = 127.0.0.1 IP address [127.0.0.1] port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } server_pool my_auth_failover { type = my_auth_failover home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { ldflag = fail_over } port = 1812 listen { type = "auth" ipaddr = * port = 0 ERROR: Failed to open socket: /opt/sf/freeradius/etc/raddb/radiusd.conf[195]: Error binding to port for 0.0.0.0 port 1812 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Debashis Prusty wrote:
I am trying to rum Freeradius on Solaris with MySQL. Logs are pasted below. Its working fine for earlier versions of Freeradius. Do any one have the solution? Thanks in advance, Debashis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ freeradius/sbin # ./radiusd -X Config: including file: /opt/sf/freeradius/etc/raddb/radiusd.conf Config: including file: /opt/sf/freeradius/etc/raddb/proxy.conf Config: including file: /opt/sf/freeradius/etc/raddb/clients.conf Config: including file: /opt/sf/freeradius/etc/raddb/snmp.conf Config: including file: /opt/sf/freeradius/etc/raddb/eap.conf Config: including file: /opt/sf/freeradius/etc/raddb/sql.conf Config: including file: /opt/sf/freeradius/etc/raddb/sql/mysql-dialup.conf FreeRADIUS Version 2.0.0-pre1, for host i386-pc-solaris2.10, built on Jun 19 2007 at 10:29:22 Starting - reading configuration files ... read_config_files: reading dictionary main { prefix = "/opt/sf/freeradius" localstatedir = "/opt/sf/freeradius/var" logdir = "/opt/sf/freeradius/var/log/radius" libdir = "/opt/sf/freeradius/lib" radacctdir = "/opt/sf/freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no log_stripped_names = no log_file = "/opt/sf/freeradius/var/log/radius/radius.log" log_auth = no log_auth_badpass = no log_auth_goodpass = no pidfile = "/opt/sf/freeradius/var/run/radiusd/radiusd.pid" checkrad = "/opt/sf/freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { syslog_facility = "daemon" } proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } home_server localhost { ipaddr = 127.0.0.1 IP address [127.0.0.1] port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } server_pool my_auth_failover { type = my_auth_failover home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { ldflag = fail_over } port = 1812 listen { type = "auth" ipaddr = * port = 0 ERROR: Failed to open socket: /opt/sf/freeradius/etc/raddb/radiusd.conf[195]: Error binding to port for 0.0.0.0 port 1812 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Update to CVS head... This seems to be an issue with Mac OSX and maybe other BSD based operating systems. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Hi,
I'm having the same problem on 1.1.6, but when I try the cobb Cleartext-Password := "secret" as below, i get this when starting...
/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown attribute "Cleartext-password" Errors reading /etc/raddb-test/users radiusd.conf[1052]: files: Module instantiation failed. radiusd.conf[1654] Unknown module "files". radiusd.conf[1589] Failed to parse authorize section.
output of `radiusd -v` please alan
Alan DeKok already hit it head on, I had an old version of the radius dictionary hanging around. -v doesn't list the version of the modules or dictionary file unfortunately. Swapped in the new one and it works Ryan On 6/20/07, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I'm having the same problem on 1.1.6, but when I try the cobb Cleartext-Password := "secret" as below, i get this when starting...
/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown attribute "Cleartext-password" Errors reading /etc/raddb-test/users radiusd.conf[1052]: files: Module instantiation failed. radiusd.conf[1654] Unknown module "files". radiusd.conf[1589] Failed to parse authorize section.
output of `radiusd -v` please
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, I believe you that is can work - I just want to know how to configure it so it does :-) Here is the output: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var/lib" main: logdir = "/var/lib/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/lib/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/lib/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms listen: port = 1645 listen: type = "auth" radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/lib/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = yes Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (ntdomain) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/lib/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/lib/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on authentication *:1645 Listening on proxy *:1814 Ready to process requests. ... Thread 2 handling request 1, (1 handled so far) NAS-Identifier = "localhost" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "127.0.0.1" User-Name = "cobb@guests" MS-CHAP2-Response = 0x0101e79fb5f1bd1b2c95f335275ebc9e3d5a0000000000000000be30b1b54d7e9a9785 bd07c4cb7188553e231dbfa355970a MS-CHAP-Challenge = 0x1d9fbe47738e455b28dd9bc9bc81a6df Service-Type = 47 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 1 rlm_realm: Looking up realm "guests" for User-Name = "cobb@guests" rlm_realm: Found realm "guests" rlm_realm: Adding Stripped-User-Name = "cobb" rlm_realm: Proxying request from user cobb to realm guests rlm_realm: Adding Realm = "guests" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "ntdomain" returns noop for request 1 modcall: leaving group (returns noop) for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry cobb at line 1 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 1 rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 1 modcall: leaving group MS-CHAP (returns reject) for request 1 auth: Failed to validate the user. Login incorrect: [cobb@guests] (from client localhost port 0 cli 127.0.0.1) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 1
Can you post the whole conversation from the request. From this snip it looks like your realm isn't stripped. Try using cobb@guests as username in users file instead of cobb. Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Matt Cobb" <mattc@lockdownnetworks.com> piše:
Tried:
cobb Cleartext-Password:="secret"
same result:
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0
-----Original Message----- From: freeradius-users-bounces+mattc=lockdownnetworks.com@lists.freeradiusorg [mailto:freeradius-users-bounces+mattc=lockdownnetworks.com@lists.freeradius.org] On Behalf Of tnt@kalik.co.yu Sent: Wednesday, June 20, 2007 1:47 AM To: FreeRadius users mailing list Subject: Re: mschapv2 and users file
Use Cleartext-Password and operator :=
That listing seems to be from the attempt with NT-Password. That entry should also use := as the operator.
Ivan Kalik Kalik Informatika ISP
Dana 20/6/2007, "Matt Cobb" <mattc@lockdownnetworks.com> piše:
I have freeradius 1.1.4 setup as a proxy to an upstream radius server which works. I also want to put guests in a local users file and use MSCHAPV2 on them, but didn't get it to work. I was able to get PAP and CHAP working. Here is the MSCHAPV2 configuration I tried:
users file:
cobb User-Password=="secret"
How do I configure MSCHAPv2 to a local users file?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Debashis Prusty -
Matt Cobb -
Ryan Kramer -
tnt@kalik.co.yu