mschapv2 and users file
Matt Cobb
mattc at lockdownnetworks.com
Wed Jun 20 03:10:18 CEST 2007
I have freeradius 1.1.4 setup as a proxy to an upstream radius server
which works. I also want to put guests in a local users file and use
MSCHAPV2 on them, but didn't get it to work. I was able to get PAP and
CHAP working. Here is the MSCHAPV2 configuration I tried:
users file:
cobb User-Password=="secret"
proxy.conf:
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
default_fallback = yes
post_proxy_authorize = no
}
realm guests {
type = radius
authhost = LOCAL:1812
accthost = LOCAL:1813
secret = whatever
}
realm testlab.com {
type = radius
authhost = 172.16.0.3:1812
accthost = 172.16.0.3:1813
secret = testing
}
realm DEFAULT {
type = radius
authhost = 172.16.0.3:1812
accthost = 172.16.0.3:1813
secret = testing
}
radius.conf:
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var/lib
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = /var/log/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
listen {
ipaddr = *
port = 1645
type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
# Reload the cache every 600 seconds (10mins). 0 to
disable.
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
#use_mppe = no
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
}
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with
normal
# ldap connections instead of using ldaps (port 689)
connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username at realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = yes
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi
valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute
in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask: The network mask used for the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800
# session-db: The main db file used to allocate ip's to
clients
session-db = ${raddbdir}/db.ippool
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex
# override: Will this ippool override a Framed-IP-Address
already set
override = no
# maximum-timeout: If not zero specifies the maximum time
in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
}
instantiate {
exec
expr
# daily
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
preprocess
chap
mschap
suffix
ntdomain
eap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
suffix
ntdomain
#
# Read the 'acct_users' file
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
post-proxy {
eap
}
I get this error about the mschap response being incorrect. A request
form the same client that is proxied back to IAS with mschapv2 works.
rlm_realm: Looking up realm "guests" for User-Name = "cobb at guests"
rlm_realm: Found realm "guests"
rlm_realm: Adding Stripped-User-Name = "cobb"
rlm_realm: Proxying request from user cobb to realm guests
rlm_realm: Adding Realm = "guests"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "ntdomain" returns noop for request 0
modcall: leaving group (returns noop) for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry cobb at line 1
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: Told to do MS-CHAPv2 for cobb at guests with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
I also tried changing the users file to have NT-Password ==
"0xB6FFB3200061D7B7928F0D932F095128"
But then freeradius just said it couldn't create the NT-Password:
rlm_mschap: No User-Password configured. Cannot create NT-Password,
followed by the previous error.
How do I configure MSCHAPv2 to a local users file?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070619/0c9e727b/attachment.html>
More information about the Freeradius-Users
mailing list