Problems with DBM and MS-CHAP

Tom Griffin t.griffin at sheffield.ac.uk
Tue Aug 7 17:58:43 CEST 2007


Hello All,

See below for the original problem.

This issue is still present in 1.1.7. Please can you confirm whether 
this bug has been rectified? The debug output is showing exactly the 
same messages as before.

Many thanks,
Tom Griffin

-------

Alan DeKok wrote:
...
 > rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
...
 > rad_check_password:  Found Auth-Type Local

Whoops. That looks to be a bug. 1.1.7 should be released this week, to 
fix that, and other issues. Alan DeKok.

-------

Tom Griffin wrote:

Hello,

I am having a problem with Freeradius v1.1.6. We have one server 
(running v1.0.1) which works as we want it to, but building a new 
v1.1.6 server to act in the same way is proving difficult.

All our users are stored in a local DBM database and authentication is 
either by MS-CHAP (when coming via a Cisco VPN 3000 concentrator) or by 
EAP (when coming via Cisco Aironet 1200).

Using the Cisco client (and also the VPN concentrator test function), 
authentication is successful; the same is true with EAP (i.e. the DBM 
module is working). But when using MS-CHAP, authentication is rejected. 
Here is the debug output:

rad_recv: Access-Request packet from host xx.xx.xx.xx:1044, id=176, length=154
        User-Name = "cs1tg"
        NAS-Port = 4054
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Client-Endpoint:0 = "xx.xx.xx.xx"
        MS-CHAP-Challenge = 0xd1076979a50becf0731656741b3a469a
        MS-CHAP2-Response = 0x0200ca320fdd144e34edc132ba42560c4619000000000000000064a36039b976de05bc0e340fbd2b5b0b1bff37a302ccc3f2
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "cs1tg", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_dbm: try open database file: /usr/local/etc/raddb/../usradmin/users
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add cs1tg to user list
sm_parse_user: start parsing: user: cs1tg
parse buffer: <<Auth-Type := Local, User-Password == "BLANKED">>
rlm_dbm: recod parsed
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <<Service-Type = Framed-User, Framed-Protocol = PPP, Class = "OU=Unishef">>
rlm_dbm: recod parsed
rlm_dbm: Reply found
Remove cs1tg from user list
  modcall[authorize]: module "dbm" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [cs1tg] (from client vpn2 port 4054)


My main concern is the apparent incorrect Auth-Type of 'mschap' rather 
than 'MS-CHAP' that I would have expected to see (which is most likely 
why rad_check_password is falling back to Local).

The interesting thing is that when I disable DBM and add a test user 
locally, the MS-CHAP module successfully authenticates the user, 
suggesting there is some incompatibility between newer versions of 
freeradius, dbm and mschap (since we are using this combination on 
another server with v1.0.1).

Here are the main sections of the config:

modules {
    mschap {
        authtype = MS-CHAP # I have tried with this line blanked also
    }
    dbm {
        usersfile = ${confdir}/../usradmin/users
    }
}
authorize {
        preprocess
        suffix
        dbm
        mschap
        eap
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

I have tried many different orderings of the authorize section as well 
as combinations of variables in the mschap module config, but these have 
all given the same result. The config shown above is the version that is 
working on the older server.

Any help would be greatly appreciated.

Regards,
Tom Griffin
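The two MS-CHAP attributes in the Access-Request above are opaque hex in the debug output. The following is an added example (not FreeRADIUS code, and not part of the original thread) that decodes them using the field layout from RFC 2548 and computes the RFC 2759 challenge hash that the NT-Response is actually calculated over. The hex values and the user name are taken from the debug output; the user's password is not on the page, so the NT-Response can only be parsed and sanity-checked, not recomputed or verified (that would additionally need MD4 and DES, which are deliberately not implemented here).

```python
"""Decode the MS-CHAP-Challenge and MS-CHAP2-Response attributes seen in the
Access-Request above.

Added example, not FreeRADIUS code. Field layout per RFC 2548 sections
2.1.3 and 2.3.2; ChallengeHash per RFC 2759 section 8.2.
"""
import hashlib
from dataclasses import dataclass

# Values copied from the debug output above (User-Name, MS-CHAP-Challenge,
# MS-CHAP2-Response). The password was blanked in the post, so no
# NT-Response verification is possible with what is on the page.
USER_NAME = b"cs1tg"
MSCHAP_CHALLENGE = bytes.fromhex("d1076979a50becf0731656741b3a469a")
MSCHAP2_RESPONSE = bytes.fromhex(
    "0200ca320fdd144e34edc132ba42560c4619"              # Ident, Flags, Peer-Challenge
    "0000000000000000"                                  # Reserved (MUST be zero)
    "64a36039b976de05bc0e340fbd2b5b0b1bff37a302ccc3f2"  # NT-Response (3 DES blocks)
)


@dataclass(frozen=True)
class MsChap2Response:
    ident: int             # Identifier of the PPP CHAP exchange
    flags: int             # MUST be zero for MS-CHAPv2
    peer_challenge: bytes  # 16 octets chosen by the client
    reserved: bytes        # 8 octets, MUST be zero
    nt_response: bytes     # 24 octets, derived from the NT password hash


def parse_mschap_challenge(value: bytes) -> bytes:
    """MS-CHAP-Challenge is the 16-octet authenticator challenge for v2
    (an 8-octet value would indicate MS-CHAPv1, which needs MS-CHAP-Response)."""
    if len(value) != 16:
        raise ValueError(f"expected 16-octet MS-CHAPv2 challenge, got {len(value)}")
    return value


def parse_mschap2_response(value: bytes) -> MsChap2Response:
    """Split the 50-octet MS-CHAP2-Response value and enforce the RFC 2548 MUSTs."""
    if len(value) != 50:
        raise ValueError(f"expected 50-octet MS-CHAP2-Response, got {len(value)}")
    ident, flags = value[0], value[1]
    peer_challenge, reserved, nt_response = value[2:18], value[18:26], value[26:50]
    if flags != 0:
        raise ValueError(f"Flags must be zero, got {flags:#x}")
    if any(reserved):
        raise ValueError("Reserved octets must be zero")
    return MsChap2Response(ident, flags, peer_challenge, reserved, nt_response)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): the 8 octets the NT-Response is computed over.
    The user name (without realm) is an input, so any realm stripping or
    rewriting of User-Name on the server changes the expected response."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]


def decode_request(challenge: bytes = MSCHAP_CHALLENGE,
                   response: bytes = MSCHAP2_RESPONSE,
                   user_name: bytes = USER_NAME) -> dict:
    """Return the decoded fields as hex strings, as one would want to see
    them next to the debug output."""
    auth_challenge = parse_mschap_challenge(challenge)
    r = parse_mschap2_response(response)
    return {
        "ident": r.ident,
        "peer_challenge": r.peer_challenge.hex(),
        "nt_response": r.nt_response.hex(),
        "challenge_hash": challenge_hash(r.peer_challenge, auth_challenge, user_name).hex(),
    }


if __name__ == "__main__":
    for key, val in decode_request().items():
        print(f"{key:15} {val}")
```

The Ident byte (0x02) and the zero Flags/Reserved fields are the first things to check when a response is rejected: a non-zero Flags byte or a 24-octet value where 50 are expected means the NAS sent an MS-CHAPv1 or malformed response rather than MS-CHAPv2.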
