Hello I have two kind of remote access on cisco asa, first ovia ssl vpn and second via l2tp/ipsec (for mobile phones with androids). Both access are made on the same cisco and both autorizen on the same freeradius server with motp ( mobile one time password). Access via ssl vpn works correct but access via l2tp/ipsec not. I see that there is some problem with auth. For l2tp/ipsec i set authorization chap ( i disabled mschap v1 and v2, they didn't work also) Thank You for any help This is debug from l2tp/ipsec connection: rad_recv: Access-Request packet from host 10.162.1.1 port 1025, id=240, length=134 User-Name = "tom3" CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504 NAS-Port = 5357568 Service-Type = Framed-User Framed-Protocol = PPP CHAP-Challenge = 0x119f01e96a9a794879f770373a39827c7463bb1cfd4c9bf6ebeac4fb1ac47b3b8b1861bee84b0273d5 Tunnel-Client-Endpoint:0 = "83.6.6.66" NAS-IP-Address = 10.162.1.1 NAS-Port-Type = Virtual +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok [suffix] No '@' in User-Name = "tom3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'tom3' '' '' '' '' [files] users: Matched entry tom3 at line 5 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available): [tom3/<CHAP-Password>] (from client ciscoasa port 5357568) /raddb/users: DEFAULT Auth-Type = External Exec-Program-Wait = "/usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}'", Fall-Through = Yes tom3 Secret = f11111xxxx1111a, PIN = yyyy, Offset = 0, CVPN3000-IETF-Radius-Class := "press" cat radiusd.conf ... modules { exec MOTP { wait = yes program = "/usr/local/bin/otp4freeradius.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:Pin} %{reply:Offset}" input_pairs = request output_pairs = reply } $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ cat raddb/sites-enabled/default authorize { preprocess chap mschap suffix files expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type External { MOTP } unix } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp attr_filter.accounting_response } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } and here is debug from working connection for sslvpn: rad_recv: Access-Request packet from host 10.162.1.1 port 1025, id=239, length=136 User-Name = "tom3" User-Password = "bd8d9a" NAS-Port = 5353472 Called-Station-Id = "7.24.64.182" Calling-Station-Id = "9.72.8.13" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "9.72.8.13" NAS-IP-Address = 10.162.1.1 Cisco-AVPair = "ip:source-ip=9.72.8.13" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "tom3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'tom3' 'bd8d9a' '' '' '' [files] users: Matched entry tom3 at line 5 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = External +- entering group External {...} [MOTP] expand: %{User-Name} -> tom3 [MOTP] expand: %{User-Password} -> bd8d9a [MOTP] expand: %{reply:Secret} -> f11111111xx111a [MOTP] expand: %{reply:Pin} -> xyzw [MOTP] expand: %{reply:Offset} -> 0 Exec-Program output: ACCEPT czas:2011-12-01 21:27:32 Exec-Program-Wait: plaintext: ACCEPT czas:2011-12-01 21:27:32 Exec-Program: returned: 0 ++[MOTP] returns ok Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13) WARNING: Empty section. Using default return values. Sending Access-Accept of id 239 to 10.162.1.1 port 1025 CVPN3000-IETF-Radius-Class := "press" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 239 with timestamp +308 Ready to process requests.
On 01/12/2011 22:41, Piotr wrote:
This is debug from l2tp/ipsec connection:
CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
[chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available):
and here is debug from working connection for sslvpn:
User-Password = "bd8d9a"
[MOTP] expand: %{User-Password} -> bd8d9a
Exec-Program: returned: 0 ++[MOTP] returns ok Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13)
If you want FR to handle the CHAP for you:
[chap] Cleartext-Password is required for authentication
If FR doesn't know the correct password, you can't expect it to do CHAP. Change things so FR knows the password, or do plain text authn as per your first scenario. -James
W dniu 2011-12-01 23:51, James J J Hooper pisze:
On 01/12/2011 22:41, Piotr wrote:
This is debug from l2tp/ipsec connection:
CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
[chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available):
and here is debug from working connection for sslvpn:
User-Password = "bd8d9a"
[MOTP] expand: %{User-Password} -> bd8d9a
Exec-Program: returned: 0 ++[MOTP] returns ok Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13)
If you want FR to handle the CHAP for you:
[chap] Cleartext-Password is required for authentication
If FR doesn't know the correct password, you can't expect it to do CHAP. Change things so FR knows the password, or do plain text authn as per your first scenario.
I changed type of authentication,on cisco asa, to PAP: ASA(config)# sh run all | begin tunnel-group l2tp-ipsec ppp-attributes tunnel-group l2tp-ipsec ppp-attributes authentication pap no authentication chap no authentication ms-chap-v1 no authentication ms-chap-v2 no authentication eap-proxy but i don't know why i stil get on FR: rad_recv: Access-Request packet from host 10.62.1.1 port 1025, id=85, length=136 User-Name = "tom3" CHAP-Password = 0x01ccbbe398364421101d8b50e4cb59a46e NAS-Port = 6275072 Service-Type = Framed-User Framed-Protocol = PPP CHAP-Challenge = 0x864b681ad0fc9cbd87668f9d51a638eb9a69cda6dabbf6f2e0b7147fe8d17afc2ea401ba44cf8e7d18802e Tunnel-Client-Endpoint:0 = "13.176.76.66" NAS-IP-Address = 10.62.1.1 NAS-Port-Type = Virtual +- entering group authorize {...} ++[preprocess] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "tom3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'popo3' '' '' '' '' [files] users: Matched entry tom3 at line 5 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. FR try to authenticate via CHAP. I don't understand this, i'm little confused thanks for an advice kindly regards Piotr
On Sun, Dec 4, 2011 at 5:49 PM, Piotr <piotr.1234@interia.pl> wrote:
I changed type of authentication,on cisco asa, to PAP:
ASA(config)# sh run all | begin tunnel-group l2tp-ipsec ppp-attributes tunnel-group l2tp-ipsec ppp-attributes authentication pap no authentication chap no authentication ms-chap-v1 no authentication ms-chap-v2 no authentication eap-proxy
but i don't know why i stil get on FR:
rad_recv: Access-Request packet from host 10.62.1.1 port 1025, id=85, length=136 User-Name = "tom3" CHAP-Password = 0x01ccbbe398364421101d8b50e4cb59a46e
This is what the NAS send
FR try to authenticate via CHAP. I don't understand this, i'm little confused
FR doesn't try to invent something non existent. It simply process what the NAS sends. Ask your NAS vendor why it's still using CHAP. -- Fajar
Piotr wrote:
I changed type of authentication,on cisco asa, to PAP:
OK..
but i don't know why i stil get on FR:
CHAP. Go find out why the Cisco box isn't taking instructions.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
That should be pretty obvious.
[files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'popo3' '' '' '' ''
Uh... that really won't work at all. What's a "reply:Secret"? Did you define the attribute yourself? And even if you did, the problem is on the NAS. Fix it so it sends CHAP. This isn't a FreeRADIUS problem.
FR try to authenticate via CHAP.
ABSOLUTELY NOT. FreeRADIUS *receives* a request with CHAP password. The NAS sends it. I have no idea why this misunderstanding is so widespread. The NAS sends a packet, FreeRADIUS prints it out, and tons of people claim that FreeRADIUS has created the content of the packet. It's astonishing. Fix that misunderstanding, and most everything else becomes easy. Alan DeKok.
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
James J J Hooper -
Piotr