AW: Re: using external script in virtual server config
I already have implemented mschap authentication im OTPme and use it from within the mschap module as a ntlm_auth replacement. But it would be great if i could also handle this in rlm_python. If if i could get challenge and response from authData just like its done with username and password i could verify it and return the nt_key on success. regards the2nd <div>-------- Ursprüngliche Nachricht --------</div><div>Von: Alan DeKok <aland@deployingradius.com> </div><div>Datum:01.25.2015 21:32 (GMT+01:00) </div><div>An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> </div><div>Betreff: Re: using external script in virtual server config </div><div> </div>On Jan 25, 2015, at 1:15 PM, the2nd@otpme.org wrote:
today i've written an python module for use with rlm_python and it works great for clear-text requests. but i dont know how to handle ntlm/mschap requests.
You don’t. FreeRADIUS implements MS-CHAP. You don’t want to re-implement that in python. What do you want to do with the OTP and MS-CHAP? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 25, 2015, at 3:56 PM, the2nd <the2nd@otpme.org> wrote:
I already have implemented mschap authentication im OTPme and use it from within the mschap module as a ntlm_auth replacement. But it would be great if i could also handle this in rlm_python.
OK.
If if i could get challenge and response from authData just like its done with username and password i could verify it and return the nt_key on success.
You have the challenge and response. See the ntlm_auth line: =%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}” Just put those strings into temporary attributes. update request { Tmp-Octets-0 := "%{mschap:Challenge}” ... } Alan DeKok.
i tried it with the config below but the attribute Tmp-Octets-0 is always "0x". it think thats because the mschap module is disabled. but if i enable it i get no auth request from rlm_python. i guess thats because the mschap module always tries to do authentication, via ntlm_auth or via users file!? or is this a configuration issue? authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { #mschap update request { Tmp-Octets-0 := "%{mschap:Challenge}" } otpme } Auth-Type OTPme { otpme } } i also noticed that authData includes a challange/response pair but they are different (longer) from what i get from mschap module when running otpme as ntlm_auth replacement. the request EAP-Type is set to MS-CHAP-V2. is this an encapsulated mschap request? On 2015-01-25 23:28, Alan DeKok wrote:
On Jan 25, 2015, at 3:56 PM, the2nd <the2nd@otpme.org> wrote:
I already have implemented mschap authentication im OTPme and use it from within the mschap module as a ntlm_auth replacement. But it would be great if i could also handle this in rlm_python.
OK.
If if i could get challenge and response from authData just like its done with username and password i could verify it and return the nt_key on success.
You have the challenge and response. See the ntlm_auth line:
=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}”
Just put those strings into temporary attributes.
update request { Tmp-Octets-0 := "%{mschap:Challenge}” ... }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 26, 2015, at 4:54 PM, the2nd@otpme.org wrote:
i tried it with the config below but the attribute Tmp-Octets-0 is always "0x". it think thats because the mschap module is disabled.
Well…. then fix that.
but if i enable it i get no auth request from rlm_python. i guess thats because the mschap module always tries to do authentication, via ntlm_auth or via users file!?
The MSCHAP module does MSCHAP authentication. That’s why it exists. If you *don’t* want it to set “Auth-Type = MSCHAP”, then don’t list “mschap” in the “authorize” section.
i also noticed that authData includes a challange/response pair but they are different (longer) from what i get from mschap module when running otpme as ntlm_auth replacement.
No idea...
the request EAP-Type is set to MS-CHAP-V2. is this an encapsulated mschap request?
Yes. Alan DeKok.
On 2015-01-26 23:00, Alan DeKok wrote:
On Jan 26, 2015, at 4:54 PM, the2nd@otpme.org wrote:
i tried it with the config below but the attribute Tmp-Octets-0 is always "0x". it think thats because the mschap module is disabled.
Well…. then fix that.
but if i enable it i get no auth request from rlm_python. i guess thats because the mschap module always tries to do authentication, via ntlm_auth or via users file!?
The MSCHAP module does MSCHAP authentication. That’s why it exists.
but i guess it does something more than just authentication because i can pass the mschap challenge and the nt-response to my script when configuring the mschap module like this: ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" but from inside the rlm_python module i cannot access this two attributes. it would be great to have access to them from within rlm_python....
If you *don’t* want it to set “Auth-Type = MSCHAP”, then don’t list “mschap” in the “authorize” section.
i also noticed that authData includes a challange/response pair but they are different (longer) from what i get from mschap module when running otpme as ntlm_auth replacement.
No idea...
the request EAP-Type is set to MS-CHAP-V2. is this an encapsulated mschap request?
Yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 26, 2015, at 5:13 PM, the2nd@otpme.org wrote:
The MSCHAP module does MSCHAP authentication. That’s why it exists.
but i guess it does something more than just authentication
Yes. You need to READ the file raddb/sites-available/default. Look for “mschap”.
because i can pass the mschap challenge and the nt-response to my script when configuring the mschap module like this:
ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'”
Yes, you already said that.
but from inside the rlm_python module i cannot access this two attributes.
Yes, you already said that. This is getting annoying.
it would be great to have access to them from within rlm_python....
I told you what to do to fix it. Are you going to: a) ignore my instructions, and keep failing to get it to work? b) follow my instructions and fix the problem? Alan DeKok.
On 2015-01-26 23:24, Alan DeKok wrote:
On Jan 26, 2015, at 5:13 PM, the2nd@otpme.org wrote:
The MSCHAP module does MSCHAP authentication. That’s why it exists.
but i guess it does something more than just authentication
Yes. You need to READ the file raddb/sites-available/default. Look for “mschap”.
because i can pass the mschap challenge and the nt-response to my script when configuring the mschap module like this:
ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'”
Yes, you already said that.
but from inside the rlm_python module i cannot access this two attributes.
Yes, you already said that.
This is getting annoying.
that was not my intention. i just wanted to be precise....
it would be great to have access to them from within rlm_python....
I told you what to do to fix it.
Are you going to:
a) ignore my instructions, and keep failing to get it to work?
b) follow my instructions and fix the problem?
i tried to follow your instructions but it does not work. this may be my fault but i dont know whats wrong with my configuration. you said i should add something like this to my config: update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" } so i've added this to the authenticate section. then the attribute is accessible from within rlm_python but it contains just "0x". after re-reading sites-available/default i tried to add mschap to the authorize section. now authData looks like this: (('EAP-Message', '0x020600441a0206003f318c929437cfcc7e34d38695dba333a3480000000000000000293469b08f92cfe6256368b2dfc387040bca8dfb793b7c1400746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xe5d8e91ee5def3de4aba84c7d7c8b566'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x4ae7d63d38abad6a5e5cd90fc6e56420'), ('MS-CHAP2-Response', '0x06658c929437cfcc7e34d38695dba333a3480000000000000000293469b08f92cfe6256368b2dfc387040bca8dfb793b7c14'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x61656661316130333862306364383438'), ('Tmp-Octets-1', '0x323933343639623038663932636665363235363336386232646663333837303430626361386466623739336237633134')) so there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. but this values are longer than whats normally in %{mschap:Challenge} and %{mschap:NT-Response}. the challenge i get from mschap module when called as an ntlm_auth replacement is 16 character long. and the response is 48 chars long. thanks a lot for any hint in the right direction....
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 26, 2015, at 6:40 PM, the2nd@otpme.org wrote:
that was not my intention. i just wanted to be precise….
It’s rude. Repeating something over and over is suggesting that the reader is an idiot who can’t remember anything.
i tried to follow your instructions but it does not work. this may be my fault but i dont know whats wrong with my configuration.
There is documentation. You’ve already shown you’re not reading it...
you said i should add something like this to my config:
update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" }
so i've added this to the authenticate section. then the attribute is accessible from within rlm_python but it contains just "0x”.
Well...
after re-reading sites-available/default i tried to add mschap to the authorize section. now authData looks like this:
I don’t care about “authData”. You’re asking *me* to figure out what some magical format you invented. At the same time, you’re refusing to give information in the *standard* FreeRADIUS format. That’s annoying and rude. The server has a debug output for a reason. If you refuse to use it, then stop posting questions here.
so there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. but this values are longer than whats normally in %{mschap:Challenge} and %{mschap:NT-Response}.
It’s easy to figure out what the problem is.
the challenge i get from mschap module when called as an ntlm_auth replacement is 16 character long. and the response is 48 chars long.
thanks a lot for any hint in the right direction….
I’ve given you hints. I’ve given you direct instructions. So far that hasn’t helped much. Alan DeKok.
On 2015-01-27 01:51, Alan DeKok wrote:
On Jan 26, 2015, at 6:40 PM, the2nd@otpme.org wrote:
that was not my intention. i just wanted to be precise….
It’s rude. Repeating something over and over is suggesting that the reader is an idiot who can’t remember anything.
i'm sorry about that. i never wanted to annoy you or anything like this.
i tried to follow your instructions but it does not work. this may be my fault but i dont know whats wrong with my configuration.
There is documentation. You’ve already shown you’re not reading it..
i do read the documentation. but i was not able to get this special thing going yet. that's why i ask for help. btw. rlm_python examples do not show how to handle mschap requests. it would be of much help to have an example. .
you said i should add something like this to my config:
update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" }
so i've added this to the authenticate section. then the attribute is accessible from within rlm_python but it contains just "0x”.
Well...
after re-reading sites-available/default i tried to add mschap to the authorize section. now authData looks like this:
I don’t care about “authData”.
You’re asking *me* to figure out what some magical format you invented. At the same time, you’re refusing to give information in the *standard* FreeRADIUS format.
the output of authData i send in my last mail is just what i receive from rlm_python. there is nothing i have invented. its just a "log authData" from within the authenticate() function e.g.: def authenticate(authData): """ authentication """ log(radiusd.L_INFO, str(authData))
That’s annoying and rude.
The server has a debug output for a reason. If you refuse to use it, then stop posting questions here.
i do use the output of radiusd -X but i have not posted it because it contains some sensitive information and you also never asked for it. if you need it i'll get a complete debug output for one request, remove all sensitive information and send it to you. but maybe this part is enough? [mschapv2] +group MS-CHAP { [mschapv2] ++update request { [mschapv2] Creating challenge hash with username: testuser1 [mschapv2] expand: %{mschap:Challenge} -> a036060bdd7bb1ac [mschapv2] expand: %{mschap:NT-Response} -> de58b6f51cf3400e455856d499f4f83f5dac151a7153b5d3 [mschapv2] ++} # update request = noop for me it looks like the update request statement does not work. but there is no information why.
so there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. but this values are longer than whats normally in %{mschap:Challenge} and %{mschap:NT-Response}.
It’s easy to figure out what the problem is.
for me its not that easy. so it would be great to get the solution, if you already know it. and as soon as i get it working i'd like to extend the example module (if needed) and write down how to handle mschap requests using rlm_python. maybe i should add this to the freeradius wiki?
the challenge i get from mschap module when called as an ntlm_auth replacement is 16 character long. and the response is 48 chars long.
thanks a lot for any hint in the right direction….
I’ve given you hints. I’ve given you direct instructions. So far that hasn’t helped much.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Jan 27, 2015 at 09:56:23AM +0100, the2nd@otpme.org wrote:
btw. rlm_python examples do not show how to handle mschap requests. it would be of much help to have an example.
I've not done this before, but I would start with the following and work from there - in radiusd.conf instantiate{} section, add mschap (so the xlats are available). In authorize{}, add this to expand the xlats and get them into temporary attributes:
you said i should add something like this to my config:
update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" }
In authenticate, call your python code as normal. Then read the debug output and make sure it's doing what you expect. So for an incoming request, you should see the update section (above) when the packet comes in, and then make sure the Auth-Type is set right, and see what auth-type section gets called. It should be simple - just the server outputs a *lot* of debug. For a reason.
and as soon as i get it working i'd like to extend the example module (if needed) and write down how to handle mschap requests using rlm_python. maybe i should add this to the freeradius wiki?
When you get it working then putting something on the wiki would be useful for others, yes. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Jan 27, 2015, at 3:56 AM, the2nd@otpme.org wrote:
btw. rlm_python examples do not show how to handle mschap requests. it would be of much help to have an example.
No. Read RFC 2548. Or, the source code to rlm_mschap. This is already available to you.
the output of authData i send in my last mail is just what i receive from rlm_python. there is nothing i have invented. its just a "log authData" from within the authenticate() function
Which is YOUR MODULE. And YOUR PYTHON CODE. i.e. something you invented. I’ll be clear. I don’t wan to see that data. I don’t know what “authData” is, and I don’t care. You’re assuming that I magically know everything about what you’re doing, without you explaining it.
i do use the output of radiusd -X but i have not posted it because it contains some sensitive information and you also never asked for it.
That’s a ridiculous and offensive response. The FAQ, “man” page, and daily messages on this list, including my responses to you, ask for the debug output. If you’re not going to follow instructions, I don’t see why you’re asking questions on this list.
if you need it i'll get a complete debug output for one request, remove all sensitive information and send it to you.
“if” I need it? Really?
but maybe this part is enough?
No.
and as soon as i get it working i'd like to extend the example module (if needed) and write down how to handle mschap requests using rlm_python. maybe i should add this to the freeradius wiki?
No. The MSCHAP module already does MSCHAP. There is NO REASON to have another module do it. Alan DeKok.
On 2015-01-27 14:17, Alan DeKok wrote:
On Jan 27, 2015, at 3:56 AM, the2nd@otpme.org wrote:
btw. rlm_python examples do not show how to handle mschap requests. it would be of much help to have an example.
No.
Read RFC 2548. Or, the source code to rlm_mschap. This is already available to you.
the output of authData i send in my last mail is just what i receive from rlm_python. there is nothing i have invented. its just a "log authData" from within the authenticate() function
Which is YOUR MODULE. And YOUR PYTHON CODE. i.e. something you invented.
I’ll be clear. I don’t wan to see that data. I don’t know what “authData” is, and I don’t care. You’re assuming that I magically know everything about what you’re doing, without you explaining it.
sorry i dont want to be rude but it's just not true what you say. authData is send from rlm_python to the authenticate() function of the module it loads. i just used the example prepaid.py module that comes with freeradius as a "template". and it does exactly what you call "my invention". it uses authData to get a tuple with authentication data (e.g. username and password): http://fossies.org/dox/freeradius-server-2.2.6/prepaid_8py_source.html so its not my code that sets this tuple and its nothing i have invented. and all i want to know is if it is possible to get "%{mschap:Challenge}" and "%{mschap:NT-Response}" in this tuple to verify an mschap request just like it can be done with the ntlm_auth statement from within the mschap module. and i think thats a valid use case when someone wants to integrate an otp solution with freeradius using rlm_python. so here is the debug output of two request and the corresponding config. the first one is using my python script as a replacement of ntlm_auth from within the mschap module and succeeds. the second one uses rlm_python and my module. you can see in the debug ouput whats in authData (one of the lines that starts with otpme.py) because i used the provided log function to log it. # OTPme ntlm mschap otpme_ntlm { ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" } python otpme_mod { module = otpme mod_instantiate = ${.module} func_instantiate = instantiate mod_detach = ${.module} func_detach = detach mod_authenticate = ${.module} func_authenticate = authenticate } authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { otpme_ntlm } } authorize { eap mschap } radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on Jan 18 2015 at 12:00:30 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/otpme including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/script including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/otpme main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var/lib" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "test123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file TÚJ·? modules { } # modules } # server server otpme { # from file /etc/raddb/sites-enabled/otpme modules { Module: Creating Auth-Type = OTPme Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" virtual_server = "otpme" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "otpme" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "otpme" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_mschap Module: Instantiating module "otpme_ntlm" from file /etc/raddb/modules/otpme mschap otpme_ntlm { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" allow_retry = yes } Module: Linked to module rlm_python Module: Instantiating module "otpme_mod" from file /etc/raddb/modules/otpme python_init done python otpme_mod { mod_instantiate = "otpme" func_instantiate = "instantiate" mod_authenticate = "otpme" func_authenticate = "authenticate" mod_detach = "otpme" func_detach = "detach" } Module: Checking authorize {...} for more modules to load Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.219.195.1 port = 1812 client 10.219.195.18 { require_message_authenticator = no secret = "123" shortname = "host1" } } Listening on authentication address 10.219.195.1 port 1812 as server otpme Ready to process requests. otpme.py: OTPme config verfied successful. otpme.py: Instantiated OTPme module. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=0, length=126 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01746573747573657231 Message-Authenticator = 0xc6a9d4db12aa9a3fa241a3810c655494 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 0 to 10.219.195.1 port 37538 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7562a6491fd890a063366da0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=1, length=352 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100de190016030100d3010000cf0301a741278a0cfb95e7f7ad572b9e9003e26a0ec3d1cedb3a61ee7b35b95ad3c9f600005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x7563bf7e7562a6491fd890a063366da0 Message-Authenticator = 0x06b5d1eac47be747a523dea518b88a2a server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 1 length 222 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03b0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 1 to 10.219.195.1 port 37538 EAP-Message = 0x0102040019c000000551160301003e0200003a030112a80abf015913dfd18591767af8d31a7421918e78e906539842667c9a347e4a00c014010012ff01000100000b000403000102000f00010116030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043 EAP-Message = 0x6572746966696361746520417574686f72697479301e170d3132303231303230303231305a170d3133303230393230303231305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f46fbd0d756be26abb5b67573414398205c75b8b1be90ccc43cf479af3c7f570486eb9fdb02a372634b4 EAP-Message = 0x050bd49743d559c1385ac25268b1bee7e0cee585acb8a5102811cb568f31bd6218b97efdc6be84a789697cea6a68dab56cd9e40f0867b4ec2b986610c608405e0b7c426fb8fe04da36c2732ed8aa14d0f4b53b69c6c07150fd4188ef935a66c030681cfe0d5ea6fa80045d8319c5a0b141e34926225185b384273a50058dc27d20beb6b78dc4ed76f694ffda1e3849b93755ec9bf02bf5a99ee9222835cc95f3bfced8a01b47d2c84ef6a86bea8b7251091fdf968cd084d1ea1c02658e535c2875e429af9ad21e1b5cda55e4d42ade8f1b82b31294830203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7 EAP-Message = 0x0d0101040500038201010019c7c020438aafabfe2ef98eb3ebd302687dae3411309deef7a228bcbdd1bfd2ae45c75a39a25ecd53599efc38a56e0a288ee208f7d129dd3daf9197e3b1bd93bfb2d0433eadfe846ac9c97a65f35d322df5e5458e7e49a99354e40410e95d8874862216107c02a51cd428a60755e41d0158e5a1fabb979f37432005e065f4533599dd248c67032723dca1b3acbcc775e775fd5e010d4405e86306fb1af2dc4da0af01f0f17c9a2d5e55d1e895d4ac185cb3371e648c1a1e71fd27080c1adf3804251dd0c75aea734be1fc83af0699d5a0c0f9f6d5afff00d688edf74177ad4357711e6d4eb5cca9b72eb493fb7c3a83b396 EAP-Message = 0xad17d75da15a7cac2ecd58db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7461a6491fd890a063366da0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=2, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x7563bf7e7461a6491fd890a063366da0 Message-Authenticator = 0xf10086a8043a391d9f34e5f93ac3d50b server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 2 to 10.219.195.1 port 37538 EAP-Message = 0x0103016119006f2a160301014b0c0001470300174104313b9aa0b47dcbd72975dce05e6792a55cfd1795f077bf4fbcd4551aceb77ad0d9c4d7b18f1519161fe31fca376fef874ec04f7500e0a080a0a4206ac1e1181901008c409456515256c7de3459d577d98c718eb260e12a90f176144628753528a4dce40e66677fe27cf8755a3693ef0db80d6bdd8a543a718cb3934a5655ebbf4b5f493608cafd6c4b102edae1eb15b740c7c1afba58620f1fc02c44ca6a490ef703291d417c09bae2d842456ef205e48ceb5f2c782e0f523c895b0d0ea06d6f3ce3eb67377fe4a16f70e6474c096b03289227db4c2f12ec3cb5dffdeb7cf4bccdf21d714a610e EAP-Message = 0x3fb128087eba6bf1a6acc03786ed2ff39ae3823f1e4f9e374204f03bfbbec021ce768b36d290f9666f60a8756cd061e70332b48dc4bac07e8c38abba380f561dd996017f4392e2199a5fa06c886057d47e170e42cc8c7a414f796a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7760a6491fd890a063366da0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=3, length=270 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0203008c190016030100461000004241043c8e62e48361799a71777b230786c6ddbd899d9257d73d5fb4d730366671f8f166c0ea2577fcc68ed3e21899edf5b82f7e401f1cb99f7a973c2d35315c619c6d1403010001011603010030543bfb94bffc0be1b81e3e1268ac126fd2d73fb6306e806798e1d651ead4190a74e521db1561c4e16f1acdc896c4afb6 State = 0x7563bf7e7760a6491fd890a063366da0 Message-Authenticator = 0xc6e998f7aef0baef668d678ad3ffd5de server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 3 length 140 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 3 to 10.219.195.1 port 37538 EAP-Message = 0x0104004119001403010001011603010030dafc2aa3b8b15dcb31e8774f67876afb903a651d8f475b94647d45668ca9abde22ffbea12f0e799b6acc4b4900860181 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7667a6491fd890a063366da0 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=4, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x7563bf7e7667a6491fd890a063366da0 Message-Authenticator = 0x8e3735680df6daec47a50279795ae18c server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 4 to 10.219.195.1 port 37538 EAP-Message = 0x0105002b190017030100208fda5e20590d922d9602dbd0e299d5e1ef0027e5d663ef326913f07d313c790d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7166a6491fd890a063366da0 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=5, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0205006019001703010020f3832f06ae8629d40538b61ce86c6b65a6801b4d6c40550d32837dc2aa108b2a1703010030c5e43a0106ae6b61e4d3277abb002bc86b7c0ebffba9c48199aecddad8885ad112753e1d114e2dd391572ace81722539 State = 0x7563bf7e7166a6491fd890a063366da0 Message-Authenticator = 0xf1cf3918a83a26b7efae51172bf43dfb server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser1 [peap] Got inner identity 'testuser1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000e01746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x0205000e01746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group EAP = handled } # server otpme [peap] Got tunneled reply code 11 EAP-Message = 0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 5 to 10.219.195.1 port 37538 EAP-Message = 0x0106004b19001703010040a5594e26652fc133151ca57e9cbc052085294fc31795e67abdaf52d8b88e62fedbdb73905c7faa45de2062d5a9bdaf4291ee698b57b07f39609cac5d0cc44452 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7065a6491fd890a063366da0 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=6, length=274 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02060090190017030100206028167c17fb23fa70e50cb5672a1971e68abea603c5020ef8b19b08e5620ac317030100607afabbdd1caff01b58f4e307fbef41481f55ab7b4137d9f1807bd84a8ee609d235885d2c995004bd6bcaa467679d50c7e8706c383c326ae5cb6f573a651e2279568a55493eb3712e15b84ef90de1b0402743a46cc92a0b09bdaee4d5858a1bab State = 0x7563bf7e7065a6491fd890a063366da0 Message-Authenticator = 0x82a114c11feb9e1259540ea7e6bab80e server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 144 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme [mschapv2] +group MS-CHAP { [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need NT-Password [otpme_ntlm] expand: %{Stripped-User-Name} -> [otpme_ntlm] ... expanding second conditional [otpme_ntlm] expand: %{User-Name} -> testuser1 [otpme_ntlm] expand: %{%{User-Name}:-None} -> testuser1 [otpme_ntlm] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> testuser1 [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500 [otpme_ntlm] expand: %{%{otpme_ntlm:Challenge}:-00} -> a9696cdff7c89500 [otpme_ntlm] expand: %{otpme_ntlm:NT-Response} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{%{otpme_ntlm:NT-Response}:-00} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{NAS-Identifier} -> [otpme_ntlm] expand: %{Client-IP-Address} -> 10.219.195.1 Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4 Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4 [otpme_ntlm] Exec: program returned: 0 [otpme_ntlm] adding MS-CHAPv2 MPPE keys ++[otpme_ntlm] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group EAP = handled } # server otpme [peap] Got tunneled reply code 11 EAP-Message = 0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbeddc100d33b37b4334ad1a9 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbeddc100d33b37b4334ad1a9 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 6 to 10.219.195.1 port 37538 EAP-Message = 0x0107005b19001703010050b81a606209effd7af621dd30534a25262dcd73b33bb75ecbe99f623722ea4b19c97b5d573dacc032fdecdff2a035a96501daa76d8e60c8e05c1dbabc576156be1695acabc01aaad9a50ab7fe1e403163 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7364a6491fd890a063366da0 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=7, length=210 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0207005019001703010020f1da00695d99bd592351f25e17e5cfc05b9d96fd110091997c4647c88e90256b1703010020d1fead54c4bf7c06d67f3146e1d450280bcbf7d5338190f43d98fb6171704322 State = 0x7563bf7e7364a6491fd890a063366da0 Message-Authenticator = 0xcdce9a9c5e9d1cf664f2543ff31f4e90 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700061a03 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0xbfdadb2bbeddc100d33b37b4334ad1a9 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group EAP = ok Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. } # server otpme [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8 MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuser1" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8 MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuser1" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 7 to 10.219.195.1 port 37538 EAP-Message = 0x0108003b19001703010030fdf7d5232e0e4e9a4e84310efa211c13c6c91e2e1fd52ff7b32d4a553db3776149177d11c40a5775df92fece70c5b47f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e726ba6491fd890a063366da0 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=8, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800601900170301002064fbbb5b85581cd88640e2d2cef6a2b4c933da3a036f165687094fd61ff8796d170301003045dcae79cc3449aaf7a524e7d9f7c341e524501c8004254369db68458339dfd3e87789d08cfa71428f400639bdbdf7ba State = 0x7563bf7e726ba6491fd890a063366da0 Message-Authenticator = 0x8ceeb6ced09ceff25ff156dbf5daef45 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "testuser1" [eap] Freeing handler ++[eap] = ok +} # group EAP = ok Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01) } # server otpme WARNING: Empty post-auth section. Using default return values. Sending Access-Accept of id 8 to 10.219.195.1 port 37538 User-Name = "testuser1" MS-MPPE-Recv-Key = 0x08dd033d2e35356c3aad01d0345683f412dcca316db9625ec07bdb697635d1e4 MS-MPPE-Send-Key = 0xcf24fb6cf74db5618f535c557eca41e00f8ad8fb82ff506fd1a690b498a23dbd EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 8. Going to the next request Waking up in 4.8 seconds. authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" } otpme_mod } } authorize { eap update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" } } } radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on Jan 18 2015 at 12:00:30 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/otpme including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/script including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/otpme main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var/lib" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "test123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file T:N·? modules { } # modules } # server server otpme { # from file /etc/raddb/sites-enabled/otpme modules { Module: Creating Auth-Type = OTPme Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" virtual_server = "otpme" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "otpme" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "otpme" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_python Module: Instantiating module "otpme_mod" from file /etc/raddb/modules/otpme python_init done python otpme_mod { mod_instantiate = "otpme" func_instantiate = "instantiate" mod_authenticate = "otpme" func_authenticate = "authenticate" mod_detach = "otpme" func_detach = "detach" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.219.195.1 port = 1812 client 10.219.195.1 { require_message_authenticator = no secret = "123" shortname = "host1" } } Listening on authentication address 10.219.195.1 port 1812 as server otpme Ready to process requests. otpme.py: OTPme config verfied successful. otpme.py: Instantiated OTPme module. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=0, length=126 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01746573747573657231 Message-Authenticator = 0xcf54d7ba4a3e53ec15ab9662706461f1 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 0 to 10.219.195.1 port 33824 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=1, length=352 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100de190016030100d3010000cf03016dd1fdb03ffdd213827520ea5f7c184dde487465683f7196aa5cbe666e837e3000005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x3263975944a89f7d15c2cdcfcea94db5 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 1 length 222 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03b0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 1 to 10.219.195.1 port 33824 EAP-Message = 0x0102040019c000000551160301003e0200003a0301e30c8c45a37d5610ca7ff2fbc4db6ebeea682cbbac43e98c8aadc1f7ecaee7f300c014010012ff01000100000b000403000102000f00010116030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043 EAP-Message = 0x6572746966696361746520417574686f72697479301e170d3132303231303230303231305a170d3133303230393230303231305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f46fbd0d756be26abb5b67573414398205c75b8b1be90ccc43cf479af3c7f570486eb9fdb02a372634b4 EAP-Message = 0x050bd49743d559c1385ac25268b1bee7e0cee585acb8a5102811cb568f31bd6218b97efdc6be84a789697cea6a68dab56cd9e40f0867b4ec2b986610c608405e0b7c426fb8fe04da36c2732ed8aa14d0f4b53b69c6c07150fd4188ef935a66c030681cfe0d5ea6fa80045d8319c5a0b141e34926225185b384273a50058dc27d20beb6b78dc4ed76f694ffda1e3849b93755ec9bf02bf5a99ee9222835cc95f3bfced8a01b47d2c84ef6a86bea8b7251091fdf968cd084d1ea1c02658e535c2875e429af9ad21e1b5cda55e4d42ade8f1b82b31294830203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7 EAP-Message = 0x0d0101040500038201010019c7c020438aafabfe2ef98eb3ebd302687dae3411309deef7a228bcbdd1bfd2ae45c75a39a25ecd53599efc38a56e0a288ee208f7d129dd3daf9197e3b1bd93bfb2d0433eadfe846ac9c97a65f35d322df5e5458e7e49a99354e40410e95d8874862216107c02a51cd428a60755e41d0158e5a1fabb979f37432005e065f4533599dd248c67032723dca1b3acbcc775e775fd5e010d4405e86306fb1af2dc4da0af01f0f17c9a2d5e55d1e895d4ac185cb3371e648c1a1e71fd27080c1adf3804251dd0c75aea734be1fc83af0699d5a0c0f9f6d5afff00d688edf74177ad4357711e6d4eb5cca9b72eb493fb7c3a83b396 EAP-Message = 0xad17d75da15a7cac2ecd58db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=2, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f Message-Authenticator = 0xd493ce90415969edf6127c50518c4732 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 2 to 10.219.195.1 port 33824 EAP-Message = 0x0103016119006f2a160301014b0c0001470300174104c35e1963d7c639e085a97c24ea72d92f1e54a9c3d40601612667935afed91c7e062825adabadbcaaa2e5877d536c97e1c7ff4dc71b6f858ef51ab39e994893a20100ed9a2ab740d608a5af8c78409adc8740485b9272dba98663bf51085574cbbb9b62498605e8e499b209a7d60b342b66cc358cf9d60f7aae06ef74a235029005b5cb2ac163eb10055f71cd1128d08f936a488f05a0a03f28d7273842619aa230a3369d9f2f4da9e9dc5e1b723cdad594c2be13d2565f09e35af1e538132fab155aaf1d4821c29865ae5713ba1ab4f83751b9d8fa86fb72fa6f654befc3d8b7501b7d85e8f2ae EAP-Message = 0x5ae3f1212861427e208fc889607a04e9be505a4bebf43d98c1cdaf81f37d55d5e3af85e9dc6f5a62e947d766721825ad29b442a69f905c9c3e0eade42647199419879001f2ddb7e69a7dda56655e77a3ad2f1e37be2e84e64ff43616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=3, length=270 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0203008c190016030100461000004241042b60cdd4c6bdeb200c77d3d537f674a5631b755a80b7982bf733ce33320ca0407225180646fa6f0093ad6a5105188aceb1863f63f3c136aeef6c368e1502d95314030100010116030100301d71fea144c432c55f558ba0b49ff5aac18fdd3009aac62e72f7eb39968e8d48f96f2995dbe2c5710ad2f69464f980c2 State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x237e70a50554e023763eb64c066aec55 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 3 length 140 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 3 to 10.219.195.1 port 33824 EAP-Message = 0x01040041190014030100010116030100308c4cd23b129b4d6b112e48ee7cb711c51f995451c68db430c60ca062db367ee570205bff7eb8aafdd934683d574fcea4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=4, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x69e82b0f4e465e073eae3a268b674f06 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 4 to 10.219.195.1 port 33824 EAP-Message = 0x0105002b1900170301002082cd7593171297731f9bb967c298eede87b931f7d0196983be108cd4531492cc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=5, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0205006019001703010020f274ddb4f22667dabece5f95d79dc8c045a661d70905a752d35466f03c2370da1703010030ac36bcde5cf6e84853efb3151ae374c0aa7ee14e9c8006e827780b890ba08a2dea53d647d1d7cc2e3566a9ec976b9510 State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x03569fa4ad0362141f844f4a5996a0ad server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser1 [peap] Got inner identity 'testuser1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000e01746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x0205000e01746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group EAP = handled } # server otpme [peap] Got tunneled reply code 11 EAP-Message = 0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xef3dc50aef3bdf904f03abafc54a8a4c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xef3dc50aef3bdf904f03abafc54a8a4c [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 5 to 10.219.195.1 port 33824 EAP-Message = 0x0106004b190017030100406aa431b9b62079ba567d85b917f35ae0772924c9078e8f667416ecd10508d012726fe8dc02954fbadd6cd4765eb4f330a844677a7b942260db20f71f09470a41 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=6, length=274 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02060090190017030100207a5f44949cd792d5be3b6de4a1138d8079d27c4ca89126a4d8e3fd3aaac5935e1703010060e4da27ea84d607fdb3157877e788ac0d83626bd5395d96a07e5e15657af37466f3b9924c963a823c3582b10a9e78f6a82412aeda1ee37e0fdce65d394e687036c68abf7502a489efa24de7049e236a6b4fc5f15756d873deab341407af3a1af2 State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f Message-Authenticator = 0xdda1b35918197604282ed1da107008e8 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 144 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0xef3dc50aef3bdf904f03abafc54a8a4c NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme [mschapv2] +group MS-CHAP { [mschapv2] ++update request { [mschapv2] Creating challenge hash with username: testuser1 [mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a [mschapv2] expand: %{mschap:NT-Response} -> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be [mschapv2] ++} # update request = noop otpme.py: (('EAP-Message', '0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response', '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x37623034353563393732643163663561'), ('Tmp-Octets-1', '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265')) ++[otpme_mod] = fail +} # group MS-CHAP = fail [eap] Freeing handler ++[eap] = reject +} # group EAP = reject Failed to authenticate the user. Login incorrect: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01 via TLS tunnel) } # server otpme [peap] Got tunneled reply code 3 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 6 to 10.219.195.1 port 33824 EAP-Message = 0x0107003b19001703010030bafab3f8b086bdb25e11ee4102f959f8a15afe60af25cb7ea51226f50fc22739f1360c3ae4f23b9c3bd64220403469b2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=7, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02070060190017030100201475fdf487cb7c5cdbc28275c523942e9478b881702b3715bf41f14e37fd571517030100309264cd7daa17a72f42129836e9fa9d36b3fc98994441970908d89a5fce9831c0cc84703d6d6a4c5d027561bd9da36fe7 State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f Message-Authenticator = 0xa10e2442d21c4201b6110b4f3f0e9ef5 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group EAP = invalid Failed to authenticate the user. Login incorrect: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01) } # server otpme Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 7 to 10.219.195.1 port 33824 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.
On Jan 27, 2015, at 1:05 PM, the2nd@otpme.org wrote:
sorry i dont want to be rude but it's just not true what you say. authData is send from rlm_python to the authenticate() function of the module it loads. i just used the example prepaid.py module that comes with freeradius as a "template". and it does exactly what you call "my invention". it uses authData to get a tuple with authentication data (e.g. username and password):
Ok… but I still don’t need to see that. It’s just not relevant to *anything*. The debug output is relevant.
so its not my code that sets this tuple and its nothing i have invented. and all i want to know is if it is possible to get "%{mschap:Challenge}" and "%{mschap:NT-Response}" in this tuple to verify an mschap request just like it can be done with the ntlm_auth statement from within the mschap module.
I’ve told you how to do that. And it works.. *if* the packet contains MS-CHAP. If the packet doesn’t contain MS-CHAP, it won’t work.
and i think thats a valid use case when someone wants to integrate an otp solution with freeradius using rlm_python.
Sure. Then *you* read the RFCs to figure out how MS-CHAP works. That’s what I did. And then I wrote rlm_mschap. With comments. Why should I cut & paste all of that to the list, when it’s already available to you? Why haven’t you read the RFC and source yourself?
the first one is using my python script as a replacement of ntlm_auth from within the mschap module and succeeds. the second one uses rlm_python and my module. you can see in the debug ouput whats in authData (one of the lines that starts with otpme.py) because i used the provided log function to log it. ... [eap] EAP/peap
OK… that’s not MS-CHAP, but it might still work.
[mschapv2] +group MS-CHAP { [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need NT-Password [otpme_ntlm] expand: %{Stripped-User-Name} -> [otpme_ntlm] ... expanding second conditional [otpme_ntlm] expand: %{User-Name} -> testuser1 [otpme_ntlm] expand: %{%{User-Name}:-None} -> testuser1 [otpme_ntlm] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> testuser1 [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500 [otpme_ntlm] expand: %{%{otpme_ntlm:Challenge}:-00} -> a9696cdff7c89500 [otpme_ntlm] expand: %{otpme_ntlm:NT-Response} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{%{otpme_ntlm:NT-Response}:-00} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{NAS-Identifier} -> [otpme_ntlm] expand: %{Client-IP-Address} -> 10.219.195.1 Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4 Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
Which the normal ntlm_auth program. You do realize that ntlm_auth implements all of the MS-CHAP algorithms, right? And that if you replace ntlm_auth with a python module, you’ve got to re-implement MS-CHAP? And then the second debug output:
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme [mschapv2] +group MS-CHAP { [mschapv2] ++update request { [mschapv2] Creating challenge hash with username: testuser1 [mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a [mschapv2] expand: %{mschap:NT-Response} -> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be [mschapv2] ++} # update request = noop otpme.py: (('EAP-Message', '0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response', '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x37623034353563393732643163663561'), ('Tmp-Octets-1', '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265')) ++[otpme_mod] = fail +} # group MS-CHAP = fail
Which means your python module is returning “fail”. Well… don’t do that. You probably also want to do: update request { Tmp-Octets-0 := “0x%{mschap:Challenge}” Tmp-Octets-1 := “0x{mschap:NT-Response}” } Right now, the Tmp-Octets attributes contain *ASCII* text. This should be obvious from looking at them. Once you fix that, the only issue is re-implementing MS-CHAP in python. Good luck with that. There are literally hundreds of pages of documentation and sample code which should help you. Alan DeKok.
On 2015-01-27 19:21, Alan DeKok wrote:
On Jan 27, 2015, at 1:05 PM, the2nd@otpme.org wrote:
sorry i dont want to be rude but it's just not true what you say. authData is send from rlm_python to the authenticate() function of the module it loads. i just used the example prepaid.py module that comes with freeradius as a "template". and it does exactly what you call "my invention". it uses authData to get a tuple with authentication data (e.g. username and password):
Ok… but I still don’t need to see that. It’s just not relevant to *anything*. The debug output is relevant.
i think it is relevant because if it contains a challange/response that is in the format of what mschap hands over to the original ntlm_auth from samba my script is able to verify the request.
so its not my code that sets this tuple and its nothing i have invented. and all i want to know is if it is possible to get "%{mschap:Challenge}" and "%{mschap:NT-Response}" in this tuple to verify an mschap request just like it can be done with the ntlm_auth statement from within the mschap module.
I’ve told you how to do that. And it works.. *if* the packet contains MS-CHAP. If the packet doesn’t contain MS-CHAP, it won’t work.
and i think thats a valid use case when someone wants to integrate an otp solution with freeradius using rlm_python.
Sure. Then *you* read the RFCs to figure out how MS-CHAP works. That’s what I did. And then I wrote rlm_mschap. With comments.
Why should I cut & paste all of that to the list, when it’s already available to you? Why haven’t you read the RFC and source yourself?
the first one is using my python script as a replacement of ntlm_auth from within the mschap module and succeeds. the second one uses rlm_python and my module. you can see in the debug ouput whats in authData (one of the lines that starts with otpme.py) because i used the provided log function to log it. ... [eap] EAP/peap
OK… that’s not MS-CHAP, but it might still work.
[mschapv2] +group MS-CHAP { [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need NT-Password [otpme_ntlm] expand: %{Stripped-User-Name} -> [otpme_ntlm] ... expanding second conditional [otpme_ntlm] expand: %{User-Name} -> testuser1 [otpme_ntlm] expand: %{%{User-Name}:-None} -> testuser1 [otpme_ntlm] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> testuser1 [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500 [otpme_ntlm] expand: %{%{otpme_ntlm:Challenge}:-00} -> a9696cdff7c89500 [otpme_ntlm] expand: %{otpme_ntlm:NT-Response} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{%{otpme_ntlm:NT-Response}:-00} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{NAS-Identifier} -> [otpme_ntlm] expand: %{Client-IP-Address} -> 10.219.195.1 Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4 Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
Which the normal ntlm_auth program.
You do realize that ntlm_auth implements all of the MS-CHAP algorithms, right? And that if you replace ntlm_auth with a python module, you’ve got to re-implement MS-CHAP?
i already have this working with my script. it is possible to verify the challenge/response that it gets from the mschap module. i tried this with eapol_test and also with different smartphones and notebooks using a linksys access point and wpa2 enterprice that send the request to freeradius. the problem is that i was not able to get same challenge/response from rlm_python.
And then the second debug output:
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme [mschapv2] +group MS-CHAP { [mschapv2] ++update request { [mschapv2] Creating challenge hash with username: testuser1 [mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a [mschapv2] expand: %{mschap:NT-Response} -> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be [mschapv2] ++} # update request = noop otpme.py: (('EAP-Message', '0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response', '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x37623034353563393732643163663561'), ('Tmp-Octets-1', '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265')) ++[otpme_mod] = fail +} # group MS-CHAP = fail
Which means your python module is returning “fail”.
it fails because in the current state it needs what is shown in the lines above otpme.py:
[mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a [mschapv2] expand: %{mschap:NT-Response} -> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be
but it gets what is in the line that starts with: otpme.py:
Well… don’t do that. You probably also want to do:
update request { Tmp-Octets-0 := “0x%{mschap:Challenge}” Tmp-Octets-1 := “0x{mschap:NT-Response}” }
Right now, the Tmp-Octets attributes contain *ASCII* text. This should be obvious from looking at them.
i just want to make sure if i got it right. should the "update request" statement make %{mschap:Challenge} and {mschap:NT-Response} available inside the tuple that my module gets from rlm_python? and should they be in the same format as what is passed to ntlm_auth from the mschap module? because thats what i thought i should get with this statement and maybe there is a misunderstanding. i changed my config now to use the update statement from above. but your example has a % before the challenge and none before the response. is this how it should be?
Once you fix that, the only issue is re-implementing MS-CHAP in python. Good luck with that. There are literally hundreds of pages of documentation and sample code which should help you.
i havent looked into the details of mschap yet. but if the challenge response format i get from rlm_python is different than what mschap hands over to ntlm_auth i guess there are python modules available to handle them (is this mschapv2?). i will check this if thats the case.... thanks for you help!
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
replying to myself as i figured it out how to handle mschapv2 requests
using rlm_python.
as supposed there are python modules to do this:
https://github.com/bit0rez/mschap-python
using the functions from these modules it was relatively easy to write a
python module that can handle mschapv2 requests. currently i'm not sure
if my module works with all variants but it works at least with all wlan
devices i've tested so far and also when using eapol_test.
everyone who is interested in this may have a look at my module which is
available here:
https://www.otpme.org/redmine/projects/otpme/repository/entry/trunk/lib/freeradius/otpme.py
also the readme and the sample freeradius configs may have some
interesting infos:
https://www.otpme.org/redmine/projects/otpme/repository/show/trunk/sample-configs/freeradius
if you only store the nt hash of the user passwords in your backend,
instead of clear-text passwords, you have to modify two functions of
python-mschap. but thats easy.
i hope this will help someone else who wants to do the same.
if there is anything wrong with my code i'm happy about every feedback.
btw. it would be really nice to have an interface (e.g. python/perl
bindings) to the freeradius mschap module to use it for mschap requests
instead of doing it in the corresponding language.
regards
the2nd
On 2015-01-27 20:37, the2nd@otpme.org wrote:
> On 2015-01-27 19:21, Alan DeKok wrote:
>> On Jan 27, 2015, at 1:05 PM, the2nd@otpme.org wrote:
>>>
>>> sorry i dont want to be rude but it's just not true what you say.
>>> authData is send from rlm_python to the authenticate() function of
>>> the module it loads. i just used the example prepaid.py module that
>>> comes with freeradius as a "template". and it does exactly what you
>>> call "my invention". it uses authData to get a tuple with
>>> authentication data (e.g. username and password):
>>
>> Ok… but I still don’t need to see that. It’s just not relevant to
>> *anything*. The debug output is relevant.
>
> i think it is relevant because if it contains a challange/response
> that is in the format of what mschap hands over to the original
> ntlm_auth from samba my script is able to verify the request.
>
>>
>>> so its not my code that sets this tuple and its nothing i have
>>> invented. and all i want to know is if it is possible to get
>>> "%{mschap:Challenge}" and "%{mschap:NT-Response}" in this tuple to
>>> verify an mschap request just like it can be done with the ntlm_auth
>>> statement from within the mschap module.
>>
>> I’ve told you how to do that. And it works.. *if* the packet
>> contains MS-CHAP. If the packet doesn’t contain MS-CHAP, it won’t
>> work.
>>
>>> and i think thats a valid use case when someone wants to integrate an
>>> otp solution with freeradius using rlm_python.
>>
>> Sure. Then *you* read the RFCs to figure out how MS-CHAP works.
>> That’s what I did. And then I wrote rlm_mschap. With comments.
>>
>> Why should I cut & paste all of that to the list, when it’s already
>> available to you? Why haven’t you read the RFC and source yourself?
>>
>>> the first one is using my python script as a replacement of ntlm_auth
>>> from within the mschap module and succeeds. the second one uses
>>> rlm_python and my module. you can see in the debug ouput whats in
>>> authData (one of the lines that starts with otpme.py) because i used
>>> the provided log function to log it.
>> ...
>>> [eap] EAP/peap
>>
>> OK… that’s not MS-CHAP, but it might still work.
>>>
>>> [mschapv2] +group MS-CHAP {
>>> [otpme_ntlm] Creating challenge hash with username: testuser1
>>> [otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need
>>> NT-Password
>>> [otpme_ntlm] expand: %{Stripped-User-Name} ->
>>> [otpme_ntlm] ... expanding second conditional
>>> [otpme_ntlm] expand: %{User-Name} -> testuser1
>>> [otpme_ntlm] expand: %{%{User-Name}:-None} -> testuser1
>>> [otpme_ntlm] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>>> -> testuser1
>>> [otpme_ntlm] Creating challenge hash with username: testuser1
>>> [otpme_ntlm] expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500
>>> [otpme_ntlm] expand: %{%{otpme_ntlm:Challenge}:-00} ->
>>> a9696cdff7c89500
>>> [otpme_ntlm] expand: %{otpme_ntlm:NT-Response} ->
>>> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71
>>> [otpme_ntlm] expand: %{%{otpme_ntlm:NT-Response}:-00} ->
>>> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71
>>> [otpme_ntlm] expand: %{NAS-Identifier} ->
>>> [otpme_ntlm] expand: %{Client-IP-Address} -> 10.219.195.1
>>> Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
>>> Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
>>
>> Which the normal ntlm_auth program.
>>
>> You do realize that ntlm_auth implements all of the MS-CHAP
>> algorithms, right? And that if you replace ntlm_auth with a python
>> module, you’ve got to re-implement MS-CHAP?
>
> i already have this working with my script. it is possible to verify
> the challenge/response that it gets from the mschap module. i tried
> this with eapol_test and also with different smartphones and notebooks
> using a linksys access point and wpa2 enterprice that send the request
> to freeradius. the problem is that i was not able to get same
> challenge/response from rlm_python.
>
>>
>> And then the second debug output:
>>>
>>> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme
>>> [mschapv2] +group MS-CHAP {
>>> [mschapv2] ++update request {
>>> [mschapv2] Creating challenge hash with username: testuser1
>>> [mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a
>>> [mschapv2] expand: %{mschap:NT-Response} ->
>>> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be
>>> [mschapv2] ++} # update request = noop
>>> otpme.py: (('EAP-Message',
>>> '0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'),
>>> ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'),
>>> ('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address',
>>> '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'),
>>> ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'),
>>> ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type',
>>> 'MS-CHAP-V2'), ('MS-CHAP-Challenge',
>>> '0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response',
>>> '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'),
>>> ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0',
>>> '0x37623034353563393732643163663561'), ('Tmp-Octets-1',
>>> '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265'))
>>> ++[otpme_mod] = fail
>>> +} # group MS-CHAP = fail
>>
>> Which means your python module is returning “fail”.
>
>
> it fails because in the current state it needs what is shown in the
> lines above otpme.py:
>
>>> [mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a
>>> [mschapv2] expand: %{mschap:NT-Response} ->
>>> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be
>
> but it gets what is in the line that starts with: otpme.py:
>
>>
>> Well… don’t do that. You probably also want to do:
>>
>> update request {
>> Tmp-Octets-0 := “0x%{mschap:Challenge}”
>> Tmp-Octets-1 := “0x{mschap:NT-Response}”
>> }
>>
>> Right now, the Tmp-Octets attributes contain *ASCII* text. This
>> should be obvious from looking at them.
>
> i just want to make sure if i got it right. should the "update
> request" statement make %{mschap:Challenge} and {mschap:NT-Response}
> available inside the tuple that my module gets from rlm_python? and
> should they be in the same format as what is passed to ntlm_auth from
> the mschap module? because thats what i thought i should get with this
> statement and maybe there is a misunderstanding.
>
> i changed my config now to use the update statement from above. but
> your example has a % before the challenge and none before the
> response. is this how it should be?
>
>>
>> Once you fix that, the only issue is re-implementing MS-CHAP in
>> python. Good luck with that. There are literally hundreds of pages
>> of documentation and sample code which should help you.
>>
>
> i havent looked into the details of mschap yet. but if the challenge
> response format i get from rlm_python is different than what mschap
> hands over to ntlm_auth i guess there are python modules available to
> handle them (is this mschapv2?). i will check this if thats the
> case....
>
> thanks for you help!
>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Matthew Newton -
the2nd -
the2nd@otpme.org