Unlang Question/Problem

Garber, Neal Neal.Garber at energyeast.com
Wed Aug 19 01:07:52 CEST 2009


I haven't had much sleep the past few days and just wanted another set of eyes on an issue I'm having.  Also, I won't be able to do more testing until tomorrow (user/equip. unavailable) and wanted to try to fix it before then.

I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a problem with case-sensitive userids.  Anyway, the patch was working great for user auth. and failing for machine auth.  I used some unlang to get around the issue.  I haven't done a lot with unlang (and yes I read the man page), so I may be missing something simple.  I'm doing 802.1x authentication from Windows supplicant with PEAP/MS-CHAPv2.  Here's the authenticate section of my inner-tunnel server:

  authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
                        update request {
                                Ntlm-Auth-Username = "%{1}$"
                        }
                        updated
                }
                else {
                        update request {
                                Ntlm-Auth-Username = "%{User-Name}"
                        }
                        updated
                }
                mschap-inner
        }
        Auth-Type LDAP {
                ldap
        }
        eap-internal
        eap-comodo
  }

First, if I didn't include "updated" after the "update request" actions, then it would return reject.  Is that normal (I didn't call a module in there)?  Should the unlang be outside of the "Auth-Type MS-CHAP" block?  Also, after Ntlm-Auth-Username is expanded, there's a "[request] returns reject".  I think this is the source of the problem, but I don't understand where the reject is coming from.  The mschap module that follows returns OK, but the subsequent eap-comodo module returns reject with no explanation in the debug.  Do I need something like:

eap-comodo {
            ok = return
}

Here's the relevant debug output:

Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the list
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i)
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2]     expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ /host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: Preceding "if" was taken
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured.  Cannot create LM-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured.  Cannot create NT-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_authenticate: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for host/US62695C.energyeast.net with NT-Password
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable at %{Ntlm-Auth-UserName:-None}}
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]         expand: --username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]  mschap2: d1
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]         expand: --challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]         expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=121180cc778e59746acb8c12aa6bb9ab7ab2099604c750eb
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program output: NT_KEY: 8E774D7FDDFC8300DF50499B30DA1CAF
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 8E774D7FDDFC8300DF50499B30DA1CAF
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program: returned: 0
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] adding MS-CHAPv2 MPPE keys
Tue Aug 18 15:41:15 2009 : Info: ++[mschap-inner] returns ok
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Freeing handler
Tue Aug 18 15:41:15 2009 : Info: ++[eap-comodo] returns reject
Tue Aug 18 15:41:15 2009 : Info: Failed to authenticate the user.
Tue Aug 18 15:41:15 2009 : Auth: Login incorrect: [host/US62695C.energyeast.net] (from client eedmz02app08 port 2648774147 cli 00009de11603 via TLS tunnel)
} # server inner-tunnel

Thank you for your time and assistance.
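Two offline checks that go with the post above, as an added example that is not from the post or from FreeRADIUS itself: the machine-account name the post's unlang regex derives from User-Name, and a small parser over a constructed, condensed copy of the quoted debug trace that lists which module returned which rcode, so the module producing the final reject stands out. The sample trace below is constructed from the quoted lines with timestamps dropped.

```python
import re

# Constructed sample: a condensed copy of the debug trace quoted in the post,
# timestamps removed and unrelated lines dropped.
SAMPLE_DEBUG = r"""
Info: [mschapv2] +- entering group MS-CHAP {...}
Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Info: [mschapv2]     expand: %{1}$ -> US62695C$
Info: [mschapv2] +++[request] returns reject
Info: +++[updated] returns updated
Info: ++[mschap-inner] returns ok
Info: [eap-comodo] Freeing handler
Info: ++[eap-comodo] returns reject
Info: Failed to authenticate the user.
"""

# Same pattern as the post's unlang: /host\/(.*)\.energyeast\.net/i
HOST_RE = re.compile(r"host/(.*)\.energyeast\.net", re.IGNORECASE)

# A module return line looks like "+++[request] returns reject"; the leading
# pluses give the nesting depth, the bracketed name is the module or keyword.
RETURN_RE = re.compile(r"\++\[([^\]]+)\] returns (\w+)")


def ntlm_username(user_name):
    """Mirror the post's unlang: host/NAME.energyeast.net -> NAME$, else unchanged."""
    m = HOST_RE.search(user_name)
    if m:
        return m.group(1) + "$"      # %{1}$ in the original config
    return user_name                 # %{User-Name} in the else branch


def module_returns(debug_text):
    """Return [(module, rcode), ...] in the order they appear in the trace."""
    return [(m.group(1), m.group(2))
            for line in debug_text.splitlines()
            for m in [RETURN_RE.search(line)] if m]


def rejecting_modules(debug_text):
    """Names of every module/keyword that returned reject, in order."""
    return [name for name, rcode in module_returns(debug_text) if rcode == "reject"]


if __name__ == "__main__":
    print(ntlm_username("host/US62695C.energyeast.net"))
    for name, rcode in module_returns(SAMPLE_DEBUG):
        print(f"{name:15s} -> {rcode}")
    print("rejected by:", rejecting_modules(SAMPLE_DEBUG))
```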