Problem with MSCHAP and Freeradius authentication

Dhiraj Gaur dhiraj.gaur at gmail.com
Sat Jan 21 14:58:03 CET 2012


Hi,
I did my tests, and after removing that custom block from the authorize section
the following is the output.

rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57
        User-Name = "01546"
        User-Password = "xxxxxxxx"
        NAS-IP-Address = 192.168.0.99
        NAS-Port = 0
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[chap] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Sat Jan 21 19:21:08 2012 : Info: [suffix] No such realm "NULL"
Sat Jan 21 19:21:08 2012 : Info: ++[suffix] returns noop
Sat Jan 21 19:21:08 2012 : Info: [eap] No EAP-Message, not doing EAP
Sat Jan 21 19:21:08 2012 : Info: ++[eap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: --username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: --password=%{User-Password} -> --password=xxxxxxxxx
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program: returned: 0
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[expiration] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[logintime] returns noop
Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sat Jan 21 19:21:08 2012 : Info: Failed to authenticate the user.
Sat Jan 21 19:21:08 2012 : Info: Using Post-Auth-Type Reject
Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...}
Sat Jan 21 19:21:08 2012 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> 01546
Sat Jan 21 19:21:08 2012 : Debug:  attr_filter: Matched entry DEFAULT at line 11

---------------------------------------------------------

So this means that ntlm_auth is still working fine, but some access control
triggers the Access-Reject.

I am still directionless as to where I should head next; I mean how to make
that EAP client and MSCHAP authentication work. I would appreciate it if I
could get some handy quick and dirty list of things to do next, or some
URL/mailing list entry etc. which explains the same.

I am reading a FreeRadius book (Packt Publishing) which just might help.

Regards
Dhiraj Gaur


On Sat, Jan 21, 2012 at 7:12 PM, Dhiraj Gaur <dhiraj.gaur at gmail.com> wrote:

> Thanks NdK and Alan, I'll give it a fresh try on the testbed. I have
> already deleted the DEFAULT entry from the users file and updated mschap as
> indicated. I think what might be forcing NTLM_AUTH is an entry which I made
> to the authorize section of the default file, after which ntlm_auth started
> to work for me:
>
> if (!control:Auth-Type) {
>         update control {
>                 Auth-Type = "ntlm_auth"
>         }
> }
> I'll try removing the same and then need to see how the mschap thing will
> work. I would appreciate it if you could point me to a further howto on the
> same. I aim to connect an EAP client through radius without the use of
> certificates, for which MSCHAP seems to be an option.
>
> I think I'll write a howto or add a wiki entry if I can make it work fine.
>
> regards
> Dhiraj Gaur
>
>
> On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
>> NdK wrote:
>> >>   The radclient program has since been updated.
>> > Then it could be better to update that page, since it's the reference
>> > for all newbies that try to make it work.
>>
>>   Yeah, I've gone and fixed that.  "git" is nice for updating web pages.
>>
>> > "It *should* work" is more correct :(
>> > There still are many things that can go wrong.
>>
>>   If it doesn't work, the web pages explain which part to blame.  99% of
>> the time, it's a bug in someone else's software.
>>
>>  Alan DeKok.
>
>
>
> --
> Regards
>
> Dhiraj Gaur


-- 
Regards

Dhiraj Gaur
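
Added example, not part of the original post and not FreeRADIUS code: a small Python triage of debug output in the format shown in the message above. It lists each module's return code per processing group, flags the "No authenticate method (Auth-Type)" rejection, and flags lines where the password shows up in the debug output. The sample lines are constructed from the post's format, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the debug output above (password masked).
SAMPLE = """\
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: --password=%{User-Password} -> --password=xxxxxxxxx
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...}
"""

GROUP = re.compile(r"\+- entering group (\S+)")
RETURN = re.compile(r"\+\+\[([\w.]+)\] returns (\w+)")
SECRET = re.compile(r"--password=|User-Password\s*=")  # password visible in the log
NO_AUTH_TYPE = "No authenticate method (Auth-Type)"

def triage(text):
    """Collect module return codes per group plus the two conditions of interest."""
    report = {"returns": {}, "no_auth_type": False, "secret_lines": []}
    group = None
    for n, line in enumerate(text.splitlines(), 1):
        m = GROUP.search(line)
        if m:
            group = m.group(1)
            continue
        m = RETURN.search(line)
        if m and group:
            report["returns"].setdefault(group, []).append(m.groups())
        if NO_AUTH_TYPE in line:
            report["no_auth_type"] = True
        if SECRET.search(line):
            report["secret_lines"].append(n)
    return report

def findings(report):
    """Turn the raw report into short statements for the operator."""
    out = []
    ok = [mod for mod, rc in report["returns"].get("authorize", []) if rc in ("ok", "updated")]
    if report["no_auth_type"]:
        out.append("rejected with no Auth-Type set; authorize modules that returned ok/updated: " + ", ".join(ok))
    if report["secret_lines"]:
        out.append("password present in debug output on line(s) %s; mask before sharing" % report["secret_lines"])
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(SAMPLE))))
```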