MSCHAPv2 with 1.1.4

Matt Cobb mattc at lockdownnetworks.com
Thu Jun 21 19:08:51 CEST 2007


Using 1.1.4, I still can't get MS-CHAPv2 working against a local users file. Here is
the full debug output and the config files:

 

Thread 2 handling request 1, (1 handled so far)

        NAS-Identifier = "localhost"

        NAS-Port-Type = Ethernet

        Service-Type = Framed-User

        Framed-Protocol = PPP

        Calling-Station-Id = "127.0.0.1"

        User-Name = "cobb@guests"

        MS-CHAP2-Response = 0x0101e79fb5f1bd1b2c95f335275ebc9e3d5a0000000000000000be30b1b54d7e9a9785bd07c4cb7188553e231dbfa355970a

        MS-CHAP-Challenge = 0x1d9fbe47738e455b28dd9bc9bc81a6df

        Service-Type = 47

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 1

  modcall[authorize]: module "preprocess" returns ok for request 1

  modcall[authorize]: module "chap" returns noop for request 1

  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

  modcall[authorize]: module "mschap" returns ok for request 1

    rlm_realm: Looking up realm "guests" for User-Name = "cobb@guests"

    rlm_realm: Found realm "guests"

    rlm_realm: Adding Stripped-User-Name = "cobb"

    rlm_realm: Proxying request from user cobb to realm guests

    rlm_realm: Adding Realm = "guests"

    rlm_realm: Authentication realm is LOCAL.

  modcall[authorize]: module "suffix" returns noop for request 1

    rlm_realm: Request already proxied.  Ignoring.

  modcall[authorize]: module "ntdomain" returns noop for request 1

modcall: leaving group  (returns noop) for request 1

  rlm_eap: No EAP-Message, not doing EAP

modcall[authorize]: module "eap" returns noop for request 1

    users: Matched entry cobb at line 1

  modcall[authorize]: module "files" returns ok for request 1

modcall: leaving group authorize (returns ok) for request 1

  rad_check_password:  Found Auth-Type MS-CHAP

auth: type "MS-CHAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group MS-CHAP for request 1

  rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password

  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  modcall[authenticate]: module "mschap" returns reject for request 1

modcall: leaving group MS-CHAP (returns reject) for request 1

auth: Failed to validate the user.

Login incorrect: [cobb@guests] (from client localhost port 0 cli 127.0.0.1)

  Found Post-Auth-Type

  Processing the post-auth section of radiusd.conf

modcall: entering group REJECT for request 1

 

 

users file:

cobb User-Password=="secret"

                (also tried Cleartext-Password, with the same results)

 

proxy.conf:

 

proxy server {

        synchronous = no

        retry_delay = 5

        retry_count = 3

        dead_time = 120

        default_fallback = yes

        post_proxy_authorize = no

}

 

realm guests {

        type     = radius

        authhost = LOCAL:1812

        accthost = LOCAL:1813

        secret   = whatever

}

 

realm testlab.com {

        type     = radius

        authhost = 172.16.0.3:1812

        accthost = 172.16.0.3:1813

        secret   = testing

}

 

realm DEFAULT {

        type     = radius

        authhost = 172.16.0.3:1812

        accthost = 172.16.0.3:1813

        secret   = testing

}

 

radiusd.conf:

 

prefix = /usr

exec_prefix = ${prefix}

sysconfdir = /etc

localstatedir = /var/lib

sbindir = ${exec_prefix}/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

 

#  Location of config and logfiles.

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/radiusd

log_file = /var/log/radius.log

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/radiusd.pid

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 1812

 

listen {

    ipaddr = *

    port = 1645

    type = auth

}

 

hostname_lookups = no

allow_core_dumps = no

regular_expressions  = yes

extended_expressions = yes

log_stripped_names = no

log_auth = yes

log_auth_badpass = no

log_auth_goodpass = no

usercollide = no

lower_user = no

lower_pass = no

nospace_user = no

nospace_pass = no

checkrad = ${sbindir}/checkrad

 

security {

       max_attributes = 200

       reject_delay = 1

       status_server = no

}

 

proxy_requests  = yes

$INCLUDE  ${confdir}/proxy.conf

 

$INCLUDE  ${confdir}/clients.conf

 

snmp   = no

$INCLUDE  ${confdir}/snmp.conf

 

thread pool {

       start_servers = 5

       max_servers = 32

       min_spare_servers = 3

       max_spare_servers = 10

       max_requests_per_server = 0

}

 

modules {

       pap {

              encryption_scheme = crypt

       }

 

       chap {

              authtype = CHAP

       }

 

       pam {

              pam_auth = radiusd

       }

 

       unix {

              cache = no

 

              # Reload the cache every 600 seconds (10mins). 0 to disable.

              cache_reload = 600

 

              radwtmp = ${logdir}/radwtmp

       }

 

$INCLUDE ${confdir}/eap.conf

 

       mschap {

              authtype = MS-CHAP

              #use_mppe = no

              #require_encryption = yes

              #require_strong = yes

              #with_ntdomain_hack = no

       }

 

       ldap {

              server = "ldap.your.domain"

              # identity = "cn=admin,o=My Org,c=UA"

              # password = mypass

              basedn = "o=My Org,c=UA"

              filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

              # base_filter = "(objectclass=radiusprofile)"

 

              # set this to 'yes' to use TLS encrypted connections

              # to the LDAP database by using the StartTLS extended

              # operation.

              # The StartTLS operation is supposed to be used with normal
              # ldap connections instead of using ldaps (port 689) connections

              start_tls = no

 

              # tls_cacertfile     = /path/to/cacert.pem

              # tls_cacertdir            = /path/to/ca/dir/

              # tls_certfile             = /path/to/radius.crt

              # tls_keyfile        = /path/to/radius.key

              # tls_randfile             = /path/to/rnd

              # tls_require_cert   = "demand"

 

              # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"

              # profile_attribute = "radiusProfileDn"

              access_attr = "dialupAccess"

 

              # Mapping of RADIUS dictionary attributes to LDAP

              # directory attributes.

              dictionary_mapping = ${raddbdir}/ldap.attrmap

 

              ldap_connections_number = 5

 

              timeout = 4

              timelimit = 3

              net_timeout = 1

              # compare_check_items = yes

              # do_xlat = yes

              # access_attr_used_for_allow = yes

       }

 

       

       realm IPASS {

              format = prefix

              delimiter = "/"

              ignore_default = no

              ignore_null = no

       }

 

       #  'username@realm'

       #

       realm suffix {

              format = suffix

              delimiter = "@"

              ignore_default = no

              ignore_null = yes

       }

 

       #  'username%realm'

       #

       realm realmpercent {

              format = suffix

              delimiter = "%"

              ignore_default = no

              ignore_null = no

       }

 

       #

       #  'domain\user'

       #

       realm ntdomain {

              format = prefix

              delimiter = "\\"

              ignore_default = no

              ignore_null = no

       }      

 

       checkval {

              # The attribute to look for in the request

              item-name = Calling-Station-Id

 

              # The attribute to look for in check items. Can be multi-valued

              check-name = Calling-Station-Id

 

              # The data type. Can be

              # string,integer,ipaddr,date,abinary,octets

              data-type = string

 

              # If set to yes and we don't find the item-name attribute in the

              # request then we send back a reject

              # DEFAULT is no

              #notfound-reject = no

       }

       

       preprocess {

              huntgroups = ${confdir}/huntgroups

              hints = ${confdir}/hints

              with_ascend_hack = no

              ascend_channels_per_line = 23

              with_ntdomain_hack = no

              with_specialix_jetstream_hack = no

              with_cisco_vsa_hack = no

       }

 

       files {

              usersfile = ${confdir}/users

              acctusersfile = ${confdir}/acct_users

              preproxy_usersfile = ${confdir}/preproxy_users

              compat = no

       }

 

       # Write a detailed log of all accounting records received.

       #

       detail {

              detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

              detailperm = 0600

       }

 

       acct_unique {

              key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

       }

 

       $INCLUDE  ${confdir}/sql.conf

 

       radutmp {

              #  Where the file is stored.  It's not a log file,

              #  so it doesn't need rotating.

              #

              filename = ${logdir}/radutmp

              username = %{User-Name}

              case_sensitive = yes

              check_with_nas = yes       

              perm = 0600

              callerid = "yes"

       }

 

       radutmp sradutmp {

              filename = ${logdir}/sradutmp

              perm = 0644

              callerid = "no"

       }

 

       # attr_filter - filters the attributes received in replies from

       # proxied servers, to make sure we send back to our RADIUS client

       # only allowed attributes.

       attr_filter {

              attrsfile = ${confdir}/attrs

       }

 

       counter daily {

              filename = ${raddbdir}/db.daily

              key = User-Name

              count-attribute = Acct-Session-Time

              reset = daily

              counter-name = Daily-Session-Time

              check-name = Max-Daily-Session

              allowed-servicetype = Framed-User

              cache-size = 5000

       }

 

       always fail {

              rcode = fail

       }

       always reject {

              rcode = reject

       }

       always ok {

              rcode = ok

              simulcount = 0

              mpp = no

       }

 

       expr {

       }

 

       digest {

       }

 

       exec {

              wait = yes

              input_pairs = request

       }

 

       exec echo {

              wait = yes

              program = "/bin/echo %{User-Name}"

              input_pairs = request

              output_pairs = reply

       }

 

       ippool main_pool {

              #  range-start,range-stop: The start and end ip

              #  addresses for the ip pool

              range-start = 192.168.1.1

              range-stop = 192.168.3.254

 

              #  netmask: The network mask used for the ip's

              netmask = 255.255.255.0

 

              #  cache-size: The gdbm cache size for the db

              #  files. Should be equal to the number of ip's

              #  available in the ip pool

              cache-size = 800

 

              # session-db: The main db file used to allocate ip's to clients

              session-db = ${raddbdir}/db.ippool

 

              # ip-index: Helper db index file used in multilink

              ip-index = ${raddbdir}/db.ipindex

 

              # override: Will this ippool override a Framed-IP-Address already set

              override = no

 

              # maximum-timeout: If not zero specifies the maximum time in seconds an

              # entry may be active. Default: 0

              maximum-timeout = 0

       }

}

 

instantiate {

       exec

       expr

#      daily

}

 

#  Authorization. First preprocess (hints and huntgroups files),

#  then realms, and finally look in the "users" file.

#

#  The order of the realm modules will determine the order that

#  we try to find a matching realm.

#

#  Make *sure* that 'preprocess' comes before any realm if you 

#  need to setup hints for the remote radius server

authorize {

       preprocess

       chap

       mschap

       suffix

       ntdomain

       eap

}

 

 

authenticate {

       Auth-Type PAP {

              pap

       }

 

       Auth-Type CHAP {

              chap

       }

 

       Auth-Type MS-CHAP {

              mschap

       }

 

       unix

 

       eap

}

 

 

#

#  Pre-accounting.  Decide which accounting type to use.

#

preacct {

       preprocess

 

       #

       #  Ensure that we have a semi-unique identifier for every
       #  request, since many NAS boxes are broken.

       acct_unique

 

       suffix

       ntdomain

 

       #

       #  Read the 'acct_users' file

       files

}

 

accounting {

       detail

       unix

       radutmp

}

 

session {

       radutmp

}

 

post-auth {

}

 

post-proxy {

       eap

}

 

 
