rlm_perl with WinXP MS-CHAP clients ?
Michael Gale
michael.gale at pason.com
Wed Sep 20 21:50:15 CEST 2006
Hello,
It seems that it is not using rlm_perl for authentication. I would
assume that this is because, according to the document I was following, it
had me add:
Auth-Type Perl {
        perl
}
to the authentication section, which means that if the Auth-Type is set to
perl then the perl module is used. However, I think that since the client
or server is setting the auth type to MS-CHAP, since that is what the
client is using, it is trying to use the mschap module.
I did make the following change under the users file:
#DEFAULT Auth-Type = System
#       Fall-Through = 1
DEFAULT Auth-Type = Perl
        Fall-Through = 1
As the documentation (http://wiki.freeradius.org/index.php/Rlm_perl) said
to do so.
If anyone has any info it would be helpful.
Michael
Michael Gale wrote:
> Hello,
>
> I have a freeradius 1.0.X server set up with ppp and pptp using a
> mysql DB for user authentication.
>
> Here I assign static IPs and users to groups. We wish to use rlm_perl
> instead of the sql module so we can authenticate the users against an
> in-house application.
>
> I have built freeradius 1.1.3 from source and it seems to work; however,
> since the client is WinXP and the auth type is MS-CHAP, it seems to be
> calling the mschap section under authentication and then exiting.
>
> Here is my debug output:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51,
> length=141
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "baduser"
> MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
> MS-CHAP2-Response =
> 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
>
> Calling-Station-Id = ".271"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> modcall[authorize]: module "mschap" returns ok for request 0
> rlm_realm: No '@' in User-Name = "baduser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 155
> users: Matched entry DEFAULT at line 173
> users: Matched entry DEFAULT at line 185
> modcall[authorize]: module "files" returns ok for request 0
> perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1
> found interpetator at address 0x9d5ad20
> rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User
> rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271
> rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge =
> 0x0c09ad640ce7275613b8a0dd51d2f4c6
> rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1
> rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP
> rlm_perl: MG RAD_REQUEST: User-Name = baduser
> rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response =
> 0x630065cbdfea16f542fbda8cdc65d7fd30930000000000000000ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
>
> rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1
> rlm_perl: MG RAD_REQUEST: NAS-Port = 0
> rlm_perl: Added pair Framed-Protocol = PPP
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
> rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
> rlm_perl: Added pair Framed-MTU = 576
> rlm_perl: Added pair Framed-Protocol = PPP
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Auth-Type = MS-CHAP
> perl_pool total/active/spare [32/0/32]
> Unreserve perl at address 0x9d5ad20
> modcall[authorize]: module "perl" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 0
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 0
> modcall: leaving group MS-CHAP (returns reject) for request 0
> auth: Failed to validate the user.
> Login incorrect: [baduser/<no User-Password attribute>] (from client
> localhost port 0 cli .271)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 51 to 127.0.0.1 port 32768
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 51 with timestamp 451194b6
> Nothing to do. Sleeping until we see a request.
>
>
>
--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
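
Added example, not part of the original post: a small Python helper that reads radiusd debug output like the log quoted above and reports which module set Auth-Type, which module handled the authenticate stage, and why the request was rejected. The function names and the SAMPLE_LOG excerpt are assumptions constructed for illustration from lines in that log.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the message above.
SAMPLE_LOG = """\
modcall: entering group authorize for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 0
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "perl" returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
modcall: entering group MS-CHAP for request 0
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
modcall[authenticate]: module "mschap" returns reject for request 0
Sending Access-Reject of id 51 to 127.0.0.1 port 32768
"""

def trace_auth(log):
    """Summarise which module claimed Auth-Type and who handled authentication."""
    t = {"set_by": [], "authorize": [], "auth_type": None,
         "authenticate": [], "failures": [], "result": None}
    for raw in log.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted ("> ") lines
        if m := re.match(r"(rlm_\w+): .*Setting 'Auth-Type\s*=\s*([\w-]+)'", line):
            t["set_by"].append((m.group(1), m.group(2)))
        elif m := re.match(r'modcall\[(authorize|authenticate)\]: '
                           r'module "([^"]+)" returns (\w+)', line):
            t[m.group(1)].append((m.group(2), m.group(3)))
        elif m := re.match(r"rad_check_password:\s+Found Auth-Type (\S+)", line):
            t["auth_type"] = m.group(1)
        elif m := re.match(r"(rlm_\w+): FAILED: (.+)", line):
            t["failures"].append((m.group(1), m.group(2)))
        elif m := re.match(r"Sending (Access-\w+)", line):
            t["result"] = m.group(1)
    return t

def perl_bypassed(t):
    """True when perl ran in authorize but another module did the authenticating."""
    ran = any(name == "perl" for name, _ in t["authorize"])
    handled = any(name == "perl" for name, _ in t["authenticate"])
    return ran and not handled

if __name__ == "__main__":
    t = trace_auth(SAMPLE_LOG)
    print("Auth-Type used:", t["auth_type"], "| set by:", t["set_by"])
    print("authenticate modules:", t["authenticate"])
    print("perl bypassed:", perl_bypassed(t), "| result:", t["result"])
    for mod, why in t["failures"]:
        print(f"  {mod}: {why}")
```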