freeradius, problem with chap ?
Piotr
piotr.1234 at interia.pl
Thu Dec 1 23:41:25 CET 2011
Hello
I have two kinds of remote access on a Cisco ASA, the first via SSL VPN and
the second via L2TP/IPsec (for mobile phones with Android). Both accesses are
made on the same Cisco and both authorize on the same FreeRADIUS server
with MOTP (mobile one-time password). Access via SSL VPN works correctly,
but access via L2TP/IPsec does not. I see that there is some problem with
auth. For L2TP/IPsec I set authorization CHAP (I disabled MSCHAP v1 and
v2; they didn't work either). Thank you for any help.
This is the debug from the L2TP/IPsec connection:
rad_recv: Access-Request packet from host 10.162.1.1 port 1025, id=240,
length=134
User-Name = "tom3"
CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
NAS-Port = 5357568
Service-Type = Framed-User
Framed-Protocol = PPP
CHAP-Challenge =
0x119f01e96a9a794879f770373a39827c7463bb1cfd4c9bf6ebeac4fb1ac47b3b8b1861bee84b0273d5
Tunnel-Client-Endpoint:0 = "83.6.6.66"
NAS-IP-Address = 10.162.1.1
NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[suffix] No '@' in User-Name = "tom3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 2
[files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}'
'%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' ->
/usr/local/bin/otp4freeradius.sh 'tom3' '' '' '' ''
[files] users: Matched entry tom3 at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "tom3" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available):
[tom3/<CHAP-Password>] (from client ciscoasa port 5357568)
/raddb/users:
DEFAULT Auth-Type = External
        Exec-Program-Wait = "/usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}'",
        Fall-Through = Yes

tom3
        Secret = f11111xxxx1111a,
        PIN = yyyy,
        Offset = 0,
        CVPN3000-IETF-Radius-Class := "press"
cat radiusd.conf
...
modules {
        exec MOTP {
                wait = yes
                program = "/usr/local/bin/otp4freeradius.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:Pin} %{reply:Offset}"
                input_pairs = request
                output_pairs = reply
        }
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
cat raddb/sites-enabled/default
authorize {
        preprocess
        chap
        mschap
        suffix
        files
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type External {
                MOTP
        }
        unix
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
}
and here is the debug from the working connection for SSL VPN:
rad_recv: Access-Request packet from host 10.162.1.1 port 1025, id=239,
length=136
User-Name = "tom3"
User-Password = "bd8d9a"
NAS-Port = 5353472
Called-Station-Id = "7.24.64.182"
Calling-Station-Id = "9.72.8.13"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "9.72.8.13"
NAS-IP-Address = 10.162.1.1
Cisco-AVPair = "ip:source-ip=9.72.8.13"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "tom3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 2
[files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}'
'%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' ->
/usr/local/bin/otp4freeradius.sh 'tom3' 'bd8d9a' '' '' ''
[files] users: Matched entry tom3 at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = External
+- entering group External {...}
[MOTP] expand: %{User-Name} -> tom3
[MOTP] expand: %{User-Password} -> bd8d9a
[MOTP] expand: %{reply:Secret} -> f11111111xx111a
[MOTP] expand: %{reply:Pin} -> xyzw
[MOTP] expand: %{reply:Offset} -> 0
Exec-Program output: ACCEPT czas:2011-12-01 21:27:32
Exec-Program-Wait: plaintext: ACCEPT czas:2011-12-01 21:27:32
Exec-Program: returned: 0
++[MOTP] returns ok
Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli
9.72.8.13)
WARNING: Empty section. Using default return values.
Sending Access-Accept of id 239 to 10.162.1.1 port 1025
CVPN3000-IETF-Radius-Class := "press"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 239 with timestamp +308
Ready to process requests.
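The reason rlm_chap gives up in the failing debug above, shown as an added Python example (not code from the post or from FreeRADIUS): a CHAP Access-Request carries only MD5(Identifier || password || challenge), so the server can verify it only by recomputing that hash from a cleartext password it already holds, and an exec script that expands %{User-Password} receives an empty string. The CHAP-Password and CHAP-Challenge bytes are the ones quoted in the L2TP/IPsec debug; the password "bd8d9a" is borrowed from the SSL VPN debug as a constructed test value, not the OTP of the failing session.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Attribute values quoted from the failing L2TP/IPsec debug in the post.
CHAP_PASSWORD_ATTR = bytes.fromhex("01972f0886c4e5e2f30e32053dbcf67504")
CHAP_CHALLENGE = bytes.fromhex(
    "119f01e96a9a794879f770373a39827c7463bb1cfd4c9bf6ebeac4fb1ac47b3b8b1861bee84b0273d5"
)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS puts in CHAP-Password (RFC 2865 5.3): CHAP Ident + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Parse CHAP-Password back into (ident, response); malformed lengths are rejected."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, challenge: bytes, cleartext: Optional[bytes]) -> bool:
    """Server-side check mirroring what rlm_chap needs.

    The request holds only a one-way hash, so the server must recompute it from
    a cleartext password it already knows. When neither the request nor the
    user's entry supplies one (cleartext is None) the check cannot run at all;
    that is the 'Cleartext-Password is required for authentication' failure.
    A time-based OTP server could still do this if it computed the expected OTP
    itself and passed it in as cleartext, instead of expecting User-Password.
    """
    if cleartext is None:
        return False
    ident, response = split_chap_password(attr)
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)
```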
More information about the Freeradius-Users
mailing list