MS-CHAP Auth fail, password cache?
Bastien Semene
admin at cyanide-studio.com
Mon Jul 11 12:33:58 CEST 2011
Hi list,
I'm currently (trying to) set up a RADIUS server.
The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8.
During my tests, for the same user I used the "test" password, then the "blabla"
password.
Now I use "blabla" and it's not working; instead, "test" is still
working ...
I tested with a third string ("ahaha"), and there's a third error output...
I tried restarting radiusd and the jail it's running in; this
changes nothing.
All these commands/outputs are from the same running server (I mean no
reboot).
How can this happen?
radtest commands:
# radtest -t mschap bsemene test 10.1.8.4 0 testing123
Sending Access-Request of id 166 to 10.1.8.4 port 1812
        User-Name = "bsemene"
        NAS-IP-Address = 10.1.8.4
        NAS-Port = 0
        MS-CHAP-Challenge = 0x244e451f6d9cec8a
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000048485d333f46de4d66241b5be289340fd16f37838c63c542
rad_recv: Access-Accept packet from host 10.1.8.4 port 1812, id=166, length=90
        Framed-MTU = 1400
        MS-CHAP-MPPE-Keys = 0x01fc5a6be7bc69292066656e05c22f3a995ad9ecfed913d60000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
/usr/local/etc/raddb# radtest -t mschap bsemene blabla 10.1.8.4 0 testing123
Sending Access-Request of id 87 to 10.1.8.4 port 1812
        User-Name = "bsemene"
        NAS-IP-Address = 10.1.8.4
        NAS-Port = 0
        MS-CHAP-Challenge = 0xfabeb87636c4a8d1
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091fbe9a51db58f3684cd91ebde311aedfcbe19271848ee45
rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=87, length=38
        MS-CHAP-Error = "\000E=691 R=1"
/usr/local/etc/raddb# radtest -t mschap bsemene ahaha 10.1.8.4 0 testing123
Sending Access-Request of id 222 to 10.1.8.4 port 1812
        User-Name = "bsemene"
        NAS-IP-Address = 10.1.8.4
        NAS-Port = 0
        MS-CHAP-Challenge = 0xc0d0a9ded19cb497
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000058d55aa0e11a251eee1a70f03438ff09fd872fc81b27c614
rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=222, length=38
        MS-CHAP-Error = "\000E=691 R=1"
debug mode outputs:
password "test":
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> bsemene
[sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
bsemene
[sql] sql_set_user escaped user --> 'bsemene'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'bsemene' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'bsemene' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'bsemene' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
password "blabla":
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> bsemene
[sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
bsemene
[sql] sql_set_user escaped user --> 'bsemene'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'bsemene' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'bsemene' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'bsemene' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
password "ahaha":
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> ahaha
[sql] expand: %{%{User-Name}:-DEFAULT} -> ahaha
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> ahaha
[sql] sql_set_user escaped user --> 'ahaha'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'ahaha' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'ahaha' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User ahaha not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
SQL => radcheck table:
mysql> SELECT * FROM radcheck\G
*************************** 1. row ***************************
id: 2525
username: bsemene
attribute: dynamic
op: :=
value: blabla
1 row in set (0.00 sec)
Users file:
# cat users | grep -v "^[[:space:]]*#" | grep -v "^$"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
default server:
# cat sites-available/default | grep -v "^[[:space:]]*#" | grep -v "^$"
authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    sql
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
inner-tunnel server:
# cat sites-available/inner-tunnel | grep -v "^[[:space:]]*#" | grep -v "^$"
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        sql
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
} # inner-tunnel server block
--
If you think experts are expensive,
wait to see what amateurs will cost you
--
Bastien Semene
Network & Systems Administrator
Cyanide Studio - FRANCE