Unlang Question/Problem
Garber, Neal
Neal.Garber at energyeast.com
Wed Aug 19 01:07:52 CEST 2009
I haven't had much sleep the past few days and just wanted another set of eyes on an issue I'm having. Also, I won't be able to do more testing until tomorrow (user/equip. unavailable) and wanted to try to fix it before then.
I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a problem with case-sensitive userids. Anyway, the patch was working great for user auth. and failing for machine auth. I used some unlang to get around the issue. I haven't done a lot with unlang (and yes, I read the man page), so I may be missing something simple. I'm doing 802.1X authentication from a Windows supplicant with PEAP/MS-CHAPv2. Here's the authenticate section of my inner-tunnel server:
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
            update request {
                Ntlm-Auth-Username = "%{1}$"
            }
            updated
        }
        else {
            update request {
                Ntlm-Auth-Username = "%{User-Name}"
            }
            updated
        }
        mschap-inner
    }
    Auth-Type LDAP {
        ldap
    }
    eap-internal
    eap-comodo
}
First, if I didn't include "updated" after the "update request" actions, then it would return reject. Is that normal (I didn't call a module in there)? Should the unlang be outside of the "Auth-Type MS-CHAP" block? Also, after Ntlm-Auth-Username is expanded, there's a "[request] returns reject". I think this is the source of the problem, but I don't understand where the reject is coming from. The mschap module that follows returns OK, but the subsequent eap-comodo module returns reject with no explanation in the debug. Do I need something like:
eap-comodo {
    ok = return
}
Here's the relevant debug output:
Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the list
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i)
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ /host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: Preceding "if" was taken
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured. Cannot create LM-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured. Cannot create NT-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_authenticate: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for host/US62695C.energyeast.net with NT-Password
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable at %{Ntlm-Auth-UserName:-None}}
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] mschap2: d1
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=121180cc778e59746acb8c12aa6bb9ab7ab2099604c750eb
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program output: NT_KEY: 8E774D7FDDFC8300DF50499B30DA1CAF
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 8E774D7FDDFC8300DF50499B30DA1CAF
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program: returned: 0
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] adding MS-CHAPv2 MPPE keys
Tue Aug 18 15:41:15 2009 : Info: ++[mschap-inner] returns ok
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Freeing handler
Tue Aug 18 15:41:15 2009 : Info: ++[eap-comodo] returns reject
Tue Aug 18 15:41:15 2009 : Info: Failed to authenticate the user.
Tue Aug 18 15:41:15 2009 : Auth: Login incorrect: [host/US62695C.energyeast.net] (from client eedmz02app08 port 2648774147 cli 00009de11603 via TLS tunnel)
} # server inner-tunnel
Thank you for your time and assistance.
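A worked example added to this thread (it is not code from the post or from FreeRADIUS) of the one thing the debug output above does confirm is right: rlm_mschap builds the 8-byte MS-CHAPv2 challenge from the name the supplicant sent ("Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge") and only hands the rewritten name US62695C$ to ntlm_auth. The code implements the ChallengeHash of RFC 2759 section 8.2, checks it against the RFC's own section 9.2 test vector, and mirrors the posted unlang regex in a small rewrite helper (ntlm_auth_username and split_names are hypothetical names; the challenges used for the machine-account case are constructed, because the real ones are not in the post). Hashing the rewritten account name instead of the peer's own name would produce a different challenge, and the peer's NT-Response could then never verify.

```python
"""MS-CHAPv2 ChallengeHash (RFC 2759 8.2) and the ntlm_auth name rewrite.

Added example for the thread above; not code from the post or FreeRADIUS.
"""
import hashlib
import re

# Constructed rule mirroring the posted unlang regex
# /host\/(.*)\.energyeast\.net/i with "%{1}$" as the replacement.
MACHINE_RE = re.compile(r"^host/(.*)\.energyeast\.net$", re.IGNORECASE)


def ntlm_auth_username(user_name: str) -> str:
    """Account name for 'ntlm_auth --username' (hypothetical helper).
    AD machine accounts are named NAME$; any other User-Name is passed
    through unchanged, as the posted else-branch does."""
    m = MACHINE_RE.match(user_name)
    return f"{m.group(1)}$" if m else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 8.2: Challenge = SHA1(PeerChallenge || AuthenticatorChallenge
    || UserName)[0:8].  UserName is the name as presented by the peer; the
    RFC allows only a prepended 'DOMAIN\\' to be dropped.  Any other rewrite
    yields a different challenge than the peer computed."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets")
    name = user_name.split("\\", 1)[1] if "\\" in user_name else user_name
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(name.encode("ascii"))
    return h.digest()[:8]


# RFC 2759 section 9.2 test vector (UserName "User").
RFC_USER = "User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def split_names(user_name: str, peer_challenge: bytes,
                auth_challenge: bytes) -> dict:
    """The two names a server must keep apart for one request (hypothetical
    helper): the challenge bound to the peer's own name, and the separate
    account name passed to ntlm_auth."""
    return {
        "challenge_name": user_name,
        "challenge": challenge_hash(peer_challenge, auth_challenge, user_name),
        "ntlm_auth_username": ntlm_auth_username(user_name),
    }


if __name__ == "__main__":
    assert challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER) == RFC_CHALLENGE
    # Constructed challenges for the machine-account case from the post;
    # the real peer/authenticator challenges are not in the debug output.
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    host = "host/US62695C.energyeast.net"
    right = split_names(host, peer, auth)
    wrong = challenge_hash(peer, auth, right["ntlm_auth_username"])
    print("ntlm_auth --username      ", right["ntlm_auth_username"])
    print("challenge from peer name  ", right["challenge"].hex())
    print("challenge from NAME$ (bad)", wrong.hex())
    assert right["challenge"] != wrong
```

The practical check when debugging a setup like the one in the post is therefore to compare the name in "Creating challenge hash with username:" against the name in the supplicant's response (they must be identical, domain prefix aside) and, separately, the name in "--username=" against the AD account (NAME$ for machines); an unlang rewrite of a distinct attribute such as Ntlm-Auth-Username affects only the second.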