MS-CHAPv2, allow_retry=yes, but no code to handle the retry?
James J J Hooper
jjj.hooper at bristol.ac.uk
Wed Apr 11 18:24:32 CEST 2012
Hi All,
FR 2.1.x Git, doing PEAP against AD via ntlm_auth. I thought that with:
allow_retry = yes [in modules/mschap]
and
send_error = yes [in modules/eap]
...FR has the functionality to take the second password attempt and re-try
it against AD, i.e. the scenario outlined in section 9.1.4 of RFC 2759:
<http://tools.ietf.org/html/rfc2759#section-9.1.4>
I can't get it to work: Configuring as above does indeed make Windows
re-prompt for the password if the first attempt is bad, but when this comes
back to FR, nothing seems to be done with it.
I've had a look at the code. From the little I can understand of it, the
new challenge is generated into 'buffer' and sent back to the client in
the MS-CHAP-Error attribute (C=<new-challenge>). However, the challenge in
buffer is not then "put somewhere safe" until the client sends its
response against the new challenge [having re-prompted the user for the
correct password], and when the response comes in it isn't sent to
do_mschap().
Am I mistaken and this functionality hasn't been written yet? ...or have I
mis-configured something?
Debug snippet appended.
Thanks,
James
## INITIAL ATTEMPT WITH BAD PASSWORD:
Debug: modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap)
for request 629
Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 9 length 80
Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going
EAP conversation
Debug: modsingle[authorize]: returned from eduroamlocaleap-bris-ca
(rlm_eap) for request 629
Debug: +++[eduroamlocaleap-bris-ca] returns updated
Debug: ++- else else returns updated
Debug: Found Auth-Type = eduroamlocaleap-bris-ca
Debug: # Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: +- entering group eduroamlocaleap-bris-ca {...}
Debug: modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap)
for request 629
Debug: [eduroamlocaleap-bris-ca] Request found, released from the list
Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2
Debug: [eduroamlocaleap-bris-ca] processing type mschapv2
Debug: [mschapv2] # Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: [mschapv2] +- entering group MS-CHAP {...}
Debug: [mschapv2] modsingle[authenticate]: calling eduroamlocalmschap
(rlm_mschap) for request 629
Debug: [eduroamlocalmschap] Creating challenge hash with username:
jh01761 at bristol.ac.uk
Debug: [eduroamlocalmschap] Told to do MS-CHAPv2 for jh01761 at bristol.ac.uk
with NT-Password
Debug: [eduroamlocalmschap] expand: %{Stripped-User-Name} -> jh01761
Debug: [eduroamlocalmschap] expand:
--username=%{%{Stripped-User-Name}:-%{eduroamlocalmschap:User-Name}} ->
--username=jh01761
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function
of module eduroamlocalmschap for string 'Challenge'
Debug: [eduroamlocalmschap] Creating challenge hash with username:
jh01761 at bristol.ac.uk
Debug: [eduroamlocalmschap] expand:
--challenge=%{eduroamlocalmschap:Challenge} -> --challenge=3db717d83ec4e184
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function
of module eduroamlocalmschap for string 'NT-Response'
Debug: [eduroamlocalmschap] expand:
--nt-response=%{eduroamlocalmschap:NT-Response} ->
--nt-response=0b7588b2a33b43f7379d4bded3d69adcfbe5da07911b8485
Debug: [eduroamlocalmschap] External script failed.
Debug: [eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
Debug: modsingle[authenticate]: returned from eduroamlocalmschap
(rlm_mschap) for request 629
Debug: ++[eduroamlocalmschap] returns reject
Debug: ++? if (reject)
Debug: >>> RECURSING WITH ... reject)
Debug: >>> LOOKING AT reject)
Debug: >>> Comparison returned 1
Debug: ? Evaluating (reject) -> TRUE
Debug: >>> GOT result 1
Debug: >>> AT EOL -> 1
Debug: >>> AFTER RECURSION ... )
Debug: >>> AT EOL -> 1
Debug: ++? if (reject) -> TRUE
Debug: ++- entering if (reject) {...}
Debug: ::: FROM 1 TO 25 MAX 26
Debug: ::: Examining UOB-Info-Type
Debug: ::: APPENDING UOB-Info-Type FROM 0 TO 25
Debug: ::: TO in 25 out 26
Debug: ::: to[0] = EAP-Message
Debug: ::: to[1] = FreeRADIUS-Proxied-To
Debug: ::: to[2] = User-Name
Debug: ::: to[3] = State
Debug: ::: to[4] = Calling-Station-Id
Debug: ::: to[5] = Called-Station-Id
Debug: ::: to[6] = NAS-Port
Debug: ::: to[7] = Cisco-AVPair
Debug: ::: to[8] = NAS-IP-Address
Debug: ::: to[9] = NAS-Identifier
Debug: ::: to[10] = Airespace-Wlan-Id
Debug: ::: to[11] = Service-Type
Debug: ::: to[12] = Framed-MTU
Debug: ::: to[13] = NAS-Port-Type
Debug: ::: to[14] = Tunnel-Type
Debug: ::: to[15] = Tunnel-Medium-Type
Debug: ::: to[16] = Tunnel-Private-Group-Id
Debug: ::: to[17] = UOB-Stripped-MAC
Debug: ::: to[18] = Stripped-User-Name
Debug: ::: to[19] = Realm
Debug: ::: to[20] = EAP-Type
Debug: ::: to[21] = MS-CHAP-Challenge
Debug: ::: to[22] = MS-CHAP2-Response
Debug: ::: to[23] = NTLM-User-Name
Debug: ::: to[24] = Module-Failure-Message
Debug: ::: to[25] = UOB-Info-Type
Debug: +++[request] returns reject
Debug: modsingle[authenticate]: calling eduroaminfo (rlm_linelog) for
request 629
Debug: [eduroaminfo] expand: %{UOB-Info-Type} -> BADP
Debug: [eduroaminfo] expand: %{Virtual-Server}.%{%{UOB-Info-Type}:-UNKN}
-> eduroamlocal-inner.BADP
Debug: [eduroaminfo] expand: BADP, %{UOB-Stripped-MAC}, USER PASSWORD or
ADS GROUP INCORRECT [%{User-Name}] [%{Virtual-Server}],
[%{Module-Failure-Message}] [%{reply:MS-CHAP-Error}] -> BADP,
68:7f:74:f2:a3:4e, USER PASSWORD or ADS GROUP INCORRECT
[jh01761 at bristol.ac.uk] [eduroamlocal-inner], [eduroamlocalmschap: External
script says Logon failure (0xc000006d)] [\011E=691 R=1
C=077b54f94a5230c9ecb273bfff3ef93b V=3 M=Verify username and re-enter your
password]
Debug: modsingle[authenticate]: returned from eduroaminfo (rlm_linelog)
for request 629
Debug: +++[eduroaminfo] returns ok
Debug: modsingle[authenticate]: calling reject (rlm_always) for request
629
Debug: modsingle[authenticate]: returned from reject (rlm_always) for
request 629
Debug: +++[reject] returns reject
Debug: ++- if (reject) returns reject
Debug: modsingle[authenticate]: returned from eduroamlocaleap-bris-ca
(rlm_eap) for request 629
Debug: ++[eduroamlocaleap-bris-ca] returns handled
## THEN 4 SECONDS LATER (user has re-typed their password)
Debug: ++- entering else else {...}
Debug: modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap)
for request 673
Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 10 length 80
Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going
EAP conversation
Debug: modsingle[authorize]: returned from eduroamlocaleap-bris-ca
(rlm_eap) for request 673
Debug: +++[eduroamlocaleap-bris-ca] returns updated
Debug: ++- else else returns updated
Debug: Found Auth-Type = eduroamlocaleap-bris-ca
Debug: # Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: +- entering group eduroamlocaleap-bris-ca {...}
Debug: modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap)
for request 673
Debug: [eduroamlocaleap-bris-ca] Request found, released from the list
Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2
Debug: [eduroamlocaleap-bris-ca] processing type mschapv2
Debug: [eduroamlocaleap-bris-ca] Freeing handler
Debug: modsingle[authenticate]: returned from eduroamlocaleap-bris-ca
(rlm_eap) for request 673
Debug: ++[eduroamlocaleap-bris-ca] returns reject
Debug: Failed to authenticate the user.
Wed Apr 11 15:53:04 2012 : Auth: Login incorrect: [jh01761 at bristol.ac.uk]
(from client WISM4 port 13 cli 68:7f:74:f2:a3:4e via TLS tunnel)
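Added example, not part of James's post and not FreeRADIUS code: a toy model of the RFC 2759 section 9.1.4 retry exchange that shows the server-side state the post is looking for. It parses the failure string in the same E=/R=/C=/V=/M= form as the MS-CHAP-Error in the debug output above, issues a fresh C on the first failure, and verifies the peer's second response against that new C. A `remember_new_challenge=False` switch reproduces the behaviour described in the post (new C sent but not stored, so the retry is checked against the stale challenge and is rejected). ChallengeHash follows RFC 2759 section 8.2 exactly; the NT-Response step is a labelled stand-in (HMAC-SHA256 instead of the MD4/DES construction), because the Python stdlib has neither MD4 nor DES, and the user database, session ids, user name and passwords are constructed for the example.

```python
"""Toy model of the MS-CHAPv2 password-retry exchange (RFC 2759 section 9.1.4)."""
import hashlib
import hmac
import os
import re

# Failure string format, RFC 2759 section 4:
#   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
FAILURE_RE = re.compile(
    r"^E=(?P<E>\d+) R=(?P<R>[01]) C=(?P<C>[0-9a-fA-F]{32}) V=(?P<V>\d+)(?: M=(?P<M>.*))?$"
)
ERROR_AUTHENTICATION_FAILURE = 691


def parse_failure(text):
    """Parse an MS-CHAPv2 Failure message; C is the new 16-byte authenticator challenge."""
    m = FAILURE_RE.match(text)
    if m is None:
        raise ValueError("malformed MS-CHAPv2 failure string: %r" % (text,))
    return {"E": int(m.group("E")), "R": m.group("R") == "1",
            "C": bytes.fromhex(m.group("C")), "V": int(m.group("V")),
            "M": m.group("M") or ""}


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8],
    where UserName excludes any DOMAIN\\ prefix."""
    user = username.rsplit("\\", 1)[-1]
    return hashlib.sha1(peer_challenge + auth_challenge + user.encode("utf-8")).digest()[:8]


def nt_response(auth_challenge, peer_challenge, username, password):
    """STAND-IN for RFC 2759 GenerateNTResponse (section 8.1).
    The real algorithm DES-encrypts the 8-byte ChallengeHash under three keys taken
    from MD4(UTF-16LE(password)); the stdlib has neither MD4 nor DES, so this example
    uses HMAC-SHA256 keyed by SHA256(UTF-16LE(password)). The property relied on is
    unchanged: the 24-byte response is bound to the exact challenge it answers."""
    pw_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    ch = challenge_hash(peer_challenge, auth_challenge, username)
    return hmac.new(pw_hash, ch, hashlib.sha256).digest()[:24]


def client_respond(username, password, auth_challenge):
    """Peer side: choose a PeerChallenge and answer the given AuthenticatorChallenge."""
    peer_challenge = os.urandom(16)
    return peer_challenge, nt_response(auth_challenge, peer_challenge, username, password)


class MsChapV2Server:
    """Authenticator side. remember_new_challenge=False models the behaviour in the
    post: the new C goes out in the failure string but is never stored, so the
    retry is verified against the stale challenge and always fails."""

    def __init__(self, users, allow_retry=True, remember_new_challenge=True):
        self.users = users                    # constructed user database (stands in for AD)
        self.allow_retry = allow_retry
        self.remember_new_challenge = remember_new_challenge
        self.sessions = {}                    # session id -> [current challenge, retries left]

    def start(self, sid):
        challenge = os.urandom(16)
        self.sessions[sid] = [challenge, 1 if self.allow_retry else 0]
        return challenge

    def verify(self, sid, username, peer_challenge, response):
        """Return (ok, failure_string). A failure with retries left carries R=1 and a
        fresh C that the peer must answer on its next attempt."""
        state = self.sessions[sid]
        expected = nt_response(state[0], peer_challenge, username, self.users.get(username, ""))
        if username in self.users and hmac.compare_digest(expected, response):
            del self.sessions[sid]
            return True, None
        retry = state[1] > 0
        new_challenge = os.urandom(16)
        if retry:
            state[1] -= 1
            if self.remember_new_challenge:
                state[0] = new_challenge      # the "put it somewhere safe" step
        else:
            del self.sessions[sid]
        failure = "E=%d R=%d C=%s V=3 M=Verify username and re-enter your password" % (
            ERROR_AUTHENTICATION_FAILURE, 1 if retry else 0, new_challenge.hex())
        return False, failure


def retry_scenario(remember_new_challenge):
    """Bad password first, then the correct one against the C from the failure packet.
    Returns (first_attempt_ok, retry_ok)."""
    server = MsChapV2Server({"jdoe": "correct horse"},
                            remember_new_challenge=remember_new_challenge)
    sid = "eap-session-1"
    c1 = server.start(sid)
    pc1, r1 = client_respond("jdoe", "wrong password", c1)
    ok1, failure = server.verify(sid, "jdoe", pc1, r1)
    fields = parse_failure(failure)
    if not fields["R"]:
        return ok1, False
    pc2, r2 = client_respond("jdoe", "correct horse", fields["C"])  # answer the NEW challenge
    ok2, _ = server.verify(sid, "jdoe", pc2, r2)
    return ok1, ok2


if __name__ == "__main__":
    print("retry with stored challenge:   ", retry_scenario(True))    # (False, True)
    print("retry with forgotten challenge:", retry_scenario(False))   # (False, False)
```

The two runs at the bottom are the whole point: the peer does exactly the same thing in both, and only the authenticator's bookkeeping of C decides whether the second password is ever checked against the right challenge.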