MS-CHAPv2, allow_retry=yes, but no code to handle the retry?

James J J Hooper jjj.hooper at bristol.ac.uk
Wed Apr 11 18:24:32 CEST 2012


Hi All,

FR 2.1.x Git, doing PEAP against AD via ntlm_auth. I thought that with:

allow_retry = yes  [in modules/mschap]
and
send_error = yes [in modules/eap]

...FR has the functionality to take the second password attempt, and re-try 
it against AD, i.e. the scenario outlined in section 9.1.4 of RFC2759: 
<http://tools.ietf.org/html/rfc2759#section-9.1.4>

I can't get it to work: Configuring as above does indeed make Windows 
re-prompt for the password if the first attempt is bad, but when this comes 
back to FR, nothing seems to be done with it.

I've had a look at the code. From the little I can understand of it, the 
new challenge is generated into 'buffer', and sent back to the client in 
the MS-CHAP-Error attribute (C=<new-challenge>). However the challenge in 
buffer is not then "put somewhere safe" until the client sends its 
response against the new challenge [having re-prompted the user for the 
correct password], and when the response comes in it isn't sent to 
do_mschap().

Am I mistaken and this functionality hasn't been written yet? ...or have I 
mis-configured something?

Debug snippet appended.

Thanks,
  James

## INITIAL ATTEMPT WITH BAD PASSWORD:
Debug:   modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap) 
for request 629
Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 9 length 80
Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going 
EAP conversation
Debug:   modsingle[authorize]: returned from eduroamlocaleap-bris-ca 
(rlm_eap) for request 629
Debug: +++[eduroamlocaleap-bris-ca] returns updated
Debug: ++- else else returns updated
Debug: Found Auth-Type = eduroamlocaleap-bris-ca
Debug: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: +- entering group eduroamlocaleap-bris-ca {...}
Debug:   modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap) 
for request 629
Debug: [eduroamlocaleap-bris-ca] Request found, released from the list
Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2
Debug: [eduroamlocaleap-bris-ca] processing type mschapv2
Debug: [mschapv2] # Executing group from file 
/usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: [mschapv2] +- entering group MS-CHAP {...}
Debug: [mschapv2]   modsingle[authenticate]: calling eduroamlocalmschap 
(rlm_mschap) for request 629
Debug: [eduroamlocalmschap] Creating challenge hash with username: 
jh01761 at bristol.ac.uk
Debug: [eduroamlocalmschap] Told to do MS-CHAPv2 for jh01761 at bristol.ac.uk 
with NT-Password
Debug: [eduroamlocalmschap] 	expand: %{Stripped-User-Name} -> jh01761
Debug: [eduroamlocalmschap] 	expand: 
--username=%{%{Stripped-User-Name}:-%{eduroamlocalmschap:User-Name}} -> 
--username=jh01761
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function 
of module eduroamlocalmschap for string 'Challenge'
Debug: [eduroamlocalmschap] Creating challenge hash with username: 
jh01761 at bristol.ac.uk
Debug: [eduroamlocalmschap] 	expand: 
--challenge=%{eduroamlocalmschap:Challenge} -> --challenge=3db717d83ec4e184
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function 
of module eduroamlocalmschap for string 'NT-Response'
Debug: [eduroamlocalmschap] 	expand: 
--nt-response=%{eduroamlocalmschap:NT-Response} -> 
--nt-response=0b7588b2a33b43f7379d4bded3d69adcfbe5da07911b8485
Debug: [eduroamlocalmschap] External script failed.
Debug: [eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
Debug:   modsingle[authenticate]: returned from eduroamlocalmschap 
(rlm_mschap) for request 629
Debug: ++[eduroamlocalmschap] returns reject
Debug: ++? if (reject)
Debug: >>> RECURSING WITH ... reject)
Debug: >>> LOOKING AT reject)
Debug: >>> Comparison returned 1
Debug: ? Evaluating (reject) -> TRUE
Debug: >>> GOT result 1
Debug: >>> AT EOL -> 1
Debug: >>> AFTER RECURSION ... )
Debug: >>> AT EOL -> 1
Debug: ++? if (reject) -> TRUE
Debug: ++- entering if (reject) {...}
Debug: ::: FROM 1 TO 25 MAX 26
Debug: ::: Examining UOB-Info-Type
Debug: ::: APPENDING UOB-Info-Type FROM 0 TO 25
Debug: ::: TO in 25 out 26
Debug: ::: to[0] = EAP-Message
Debug: ::: to[1] = FreeRADIUS-Proxied-To
Debug: ::: to[2] = User-Name
Debug: ::: to[3] = State
Debug: ::: to[4] = Calling-Station-Id
Debug: ::: to[5] = Called-Station-Id
Debug: ::: to[6] = NAS-Port
Debug: ::: to[7] = Cisco-AVPair
Debug: ::: to[8] = NAS-IP-Address
Debug: ::: to[9] = NAS-Identifier
Debug: ::: to[10] = Airespace-Wlan-Id
Debug: ::: to[11] = Service-Type
Debug: ::: to[12] = Framed-MTU
Debug: ::: to[13] = NAS-Port-Type
Debug: ::: to[14] = Tunnel-Type
Debug: ::: to[15] = Tunnel-Medium-Type
Debug: ::: to[16] = Tunnel-Private-Group-Id
Debug: ::: to[17] = UOB-Stripped-MAC
Debug: ::: to[18] = Stripped-User-Name
Debug: ::: to[19] = Realm
Debug: ::: to[20] = EAP-Type
Debug: ::: to[21] = MS-CHAP-Challenge
Debug: ::: to[22] = MS-CHAP2-Response
Debug: ::: to[23] = NTLM-User-Name
Debug: ::: to[24] = Module-Failure-Message
Debug: ::: to[25] = UOB-Info-Type
Debug: +++[request] returns reject
Debug:   modsingle[authenticate]: calling eduroaminfo (rlm_linelog) for 
request 629
Debug: [eduroaminfo] 	expand: %{UOB-Info-Type} -> BADP
Debug: [eduroaminfo] 	expand: %{Virtual-Server}.%{%{UOB-Info-Type}:-UNKN} 
-> eduroamlocal-inner.BADP
Debug: [eduroaminfo] 	expand: BADP, %{UOB-Stripped-MAC}, USER PASSWORD or 
ADS GROUP INCORRECT [%{User-Name}] [%{Virtual-Server}], 
[%{Module-Failure-Message}] [%{reply:MS-CHAP-Error}] -> BADP, 
68:7f:74:f2:a3:4e, USER PASSWORD or ADS GROUP INCORRECT 
[jh01761 at bristol.ac.uk] [eduroamlocal-inner], [eduroamlocalmschap: External 
script says Logon failure (0xc000006d)] [\011E=691 R=1 
C=077b54f94a5230c9ecb273bfff3ef93b V=3 M=Verify username and re-enter your 
password]
Debug:   modsingle[authenticate]: returned from eduroaminfo (rlm_linelog) 
for request 629
Debug: +++[eduroaminfo] returns ok
Debug:   modsingle[authenticate]: calling reject (rlm_always) for request 
629
Debug:   modsingle[authenticate]: returned from reject (rlm_always) for 
request 629
Debug: +++[reject] returns reject
Debug: ++- if (reject) returns reject
Debug:   modsingle[authenticate]: returned from eduroamlocaleap-bris-ca 
(rlm_eap) for request 629
Debug: ++[eduroamlocaleap-bris-ca] returns handled

## THEN 4 SECONDS LATER (user has re-typed their password)

Debug: ++- entering else else {...}
Debug:   modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap) 
for request 673
Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 10 length 80
Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going 
EAP conversation
Debug:   modsingle[authorize]: returned from eduroamlocaleap-bris-ca 
(rlm_eap) for request 673
Debug: +++[eduroamlocaleap-bris-ca] returns updated
Debug: ++- else else returns updated
Debug: Found Auth-Type = eduroamlocaleap-bris-ca
Debug: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: +- entering group eduroamlocaleap-bris-ca {...}
Debug:   modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap) 
for request 673
Debug: [eduroamlocaleap-bris-ca] Request found, released from the list
Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2
Debug: [eduroamlocaleap-bris-ca] processing type mschapv2
Debug: [eduroamlocaleap-bris-ca] Freeing handler
Debug:   modsingle[authenticate]: returned from eduroamlocaleap-bris-ca 
(rlm_eap) for request 673
Debug: ++[eduroamlocaleap-bris-ca] returns reject
Debug: Failed to authenticate the user.
Wed Apr 11 15:53:04 2012 : Auth: Login incorrect: [jh01761 at bristol.ac.uk] 
(from client WISM4 port 13 cli 68:7f:74:f2:a3:4e via TLS tunnel)
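
An added illustration of the retry exchange described in the post above (not code from the post or from FreeRADIUS): it parses the MS-CHAP-Error value quoted in the debug output, computes the RFC 2759 ChallengeHash, and uses a hypothetical RetryTracker to show the "put somewhere safe" step, i.e. keeping the R=1 challenge so the retried response can be checked against it rather than the old one. The session id, the constructed peer challenge and the use of the stripped username are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed from the MS-CHAP-Error value in the debug output above: the
# leading \011 (octal) is the ident byte 0x09, matching EAP id 9 of the bad attempt.
SAMPLE_ERROR = (b"\x09E=691 R=1 C=077b54f94a5230c9ecb273bfff3ef93b V=3 "
                b"M=Verify username and re-enter your password")

# Layout from RFC 2759 section 6: "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>"
ERROR_RE = re.compile(
    rb"^E=(?P<code>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9a-fA-F]{32})"
    rb" V=(?P<ver>\d+)(?: M=(?P<msg>.*))?$", re.S)

@dataclass
class MsChapError:
    ident: int
    error_code: int
    retry_allowed: bool
    new_challenge: bytes   # 16-byte authenticator challenge the retry must use
    version: int
    message: str

def parse_mschap_error(payload: bytes) -> MsChapError:
    """Parse an MS-CHAP-Error attribute: one ident byte followed by the text."""
    if len(payload) < 2:
        raise ValueError("MS-CHAP-Error too short")
    m = ERROR_RE.match(payload[1:])
    if m is None:
        raise ValueError("malformed MS-CHAP-Error string")
    return MsChapError(payload[0], int(m["code"]), m["retry"] == b"1",
                       bytes.fromhex(m["chal"].decode()), int(m["ver"]),
                       (m["msg"] or b"").decode())

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 8.2: first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

class RetryTracker:
    """Hypothetical server-side store of the challenge issued with each R=1 error."""
    def __init__(self):
        self._pending = {}

    def record_error(self, session_id: str, payload: bytes) -> bool:
        err = parse_mschap_error(payload)
        if err.error_code == 691 and err.retry_allowed:
            self._pending[session_id] = err.new_challenge   # the "put somewhere safe" step
            return True
        return False

    def challenge_for_retry(self, session_id: str, peer_challenge: bytes, username: str):
        auth = self._pending.pop(session_id, None)
        if auth is None:
            return None   # nothing saved: the retry cannot be verified (the symptom above)
        return challenge_hash(peer_challenge, auth, username)
```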
