Problem with MSCHAP and Freeradius authentication

Dhiraj Gaur dhiraj.gaur at gmail.com
Fri Jan 20 16:38:48 CET 2012


Hi

I have been trying to implement a RADIUS authentication server at my
workplace. The idea is to have all wifi access points authenticate against
a RADIUS server.
The RADIUS server needs to pass authentication to a backend Active
Directory server. I have been successful in authenticating wifi users
against file-based and SQL-based authentication in RADIUS. NTLM_AUTH using
PAP also works fine, wherein the plaintext password is successfully
authenticated against the AD and I get an "Access-Accept". However, when I
pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP, it does not
work and I end up with an "Access-Reject". It seems that the ntlm_auth
program is not parsing the received encrypted password, hence the
authentication fails. MSCHAP is a requirement, as wifi clients at my place
mostly have an EAP supplicant. (I read in the FreeRADIUS documentation that EAP and
LDAP don't go hand in hand; I may be wrong in interpreting that.)

The FreeRADIUS logs for all the cases are listed below. RADIUS gurus, please
point me in the right direction as to how to make MS_CHAP authentication work over
ntlm_auth or LDAP (if possible).

PS: I did all the testing using JRadius simulator.

Regards
Dhiraj Gaur

-------------------------- LOGS ------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22,
length=69
        User-Name = "01546"
        User-Password = "xxxxxxxxxxx" --> (plaintext password)
        NAS-IP-Address = 192.168.0.199
        Message-Authenticator = 0x008294e58343b74ea977c228f5b5ec5d
Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=xxxxxxxxx --> (We can see the
password in plaintext)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may fail because of this.
Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
User-Password := [Encrypted String]

NAS-IP-Address := 192.168.0.199
 Message-Authenticator := [Binary Data (length=16)]


Received RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessAccept
Attributes:

-----------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22,
length=88
        User-Name = "01546"
        NAS-IP-Address = 192.168.0.199
        CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57
        CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e
        Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2
Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok
Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject]    expand:
%{User-Name} -> 01546
Fri Jan 20 18:29:27 2012 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds
Fri Jan 20 18:29:27 2012 : Debug: Going to the next request
Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5
Sending Access-Reject of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199

CHAP-Challenge := [Binary Data (length=16)]
CHAP-Password := [Binary Data (length=17)]

Message-Authenticator := [Binary Data (length=16)]


Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:

--------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23,
length=133
        User-Name = "01546"
        NAS-IP-Address = 192.168.0.199
        MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
        MS-CHAP2-Response =
0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
        Message-Authenticator = 0x92716bba8963b228666c070135f8245a
Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type  = mschap'
Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok
Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject]    expand:
%{User-Name} -> 01546
Fri Jan 20 18:29:57 2012 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds
Fri Jan 20 18:29:57 2012 : Debug: Going to the next request
Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds.
Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6
Sending Access-Reject of id 23 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199

MS-CHAP-Challenge := [Binary Data (length=16)]
MS-CHAP2-Response := [Binary Data (length=50)]

Message-Authenticator := [Binary Data (length=16)]


Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:

-----------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24,
length=63
        User-Name = "01546"
        NAS-IP-Address = 192.168.0.199
        EAP-Message = 0x0200000a013031353436
        Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9
Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length
10
Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject]    expand:
%{User-Name} -> 01546
Fri Jan 20 18:30:30 2012 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds
Fri Jan 20 18:30:30 2012 : Debug: Going to the next request
Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7
Sending Access-Reject of id 24 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG

Sending RADIUS Packet:
----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199

EAP-Message := [Binary Data (length=10)]

Message-Authenticator := [Binary Data (length=16)]


Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
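As an added example (not part of the original post or of the FreeRADIUS project's own files), this is the usual way to have rlm_mschap verify MS-CHAP/MS-CHAPv2 against AD through winbind, with the exec-based ntlm_auth instance taken out of the authorize section where the logs above show it rejecting every non-PAP request with an empty --password=. The ntlm_auth path, the domain name EXAMPLE and the 2.x-style file layout (raddb/modules, raddb/sites-enabled/default) are assumptions to adapt to the site.

```text
# raddb/modules/mschap  (paths and domain below are assumed, not from the post)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    # Hand the MS-CHAP challenge and NT-Response to winbind instead of a
    # plaintext password.  This is what lets MS-CHAPv2 (and EAP-MSCHAPv2
    # inside PEAP) be checked against AD; --password= is never needed.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# raddb/sites-enabled/default
authorize {
    preprocess
    chap            # plain RFC 1994 CHAP needs the cleartext password on the
                    # server, so it can never be verified against AD
    mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attributes arrive
    suffix
    eap             # owns the conversation once an EAP-Message is present
    # ntlm_auth     # do NOT list the exec-based instance here: it expands
                    # --password=%{User-Password}, which is empty for CHAP,
                    # MS-CHAP and EAP requests, and its "reject" return
                    # stops the request before authenticate {} is reached
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap      # uses the ntlm_auth setting from the module above
    }
    eap
    # The exec-based instance only makes sense for plaintext (PAP) requests;
    # keep it, if at all, behind an explicit Auth-Type rather than in
    # authorize {} or post-auth {}.
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

# The user radiusd runs as must be able to read winbind's privileged socket
# directory (typically /var/lib/samba/winbindd_privileged) or the challenge/
# response call above fails even when the credentials are right.
```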