MAC-Auth issues with rlm_perl

Glen Harris astfgl at iamnota.org
Mon Mar 26 11:01:14 CEST 2012


Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP 
MD5 and PAP.

I'm trying to set up a simple MAC-Auth based network using HP 2610 
switches and MSM640 wireless APs as radius clients. I've added the AP to 
the clients.conf and configured the AP to use MAC-based authentication 
and it appears to be talking to FreeRadius using MSCHAPv2 correctly.

We only have a few dozen clients, so I'm using the perl module to read 
and cache a text file of MAC addresses. My script watches the file's 
mtime and re-loads it as necessary. I've followed the instructions on 
http://wiki.freeradius.org/Rlm_perl, but I get the following error:

/etc/freeradius/users[204]: Parse error (check) for entry DEFAULT: Unknown value Perl for attribute Auth-Type

After some trial and error, I found that adding perl to the authorize 
and authenticate sections of sites-available/inner-tunnel would get rid 
of the error, but I have no idea if that solved the problem or merely 
masked it and caused the next one.

There appears to be something seriously wrong with the way this config 
is working, because rlm_perl is calling the AUTHORIZE function but not 
AUTHENTICATE. I've pasted the debug of an authentication attempt below. 
It appears to be taking the CLIENT mschap authentication and somehow 
applying those attributes to mangle USER authentication.

rad_recv: Access-Request packet from host 192.168.0.29 port 35063, id=48, length=275
         Acct-Session-Id = "1ca83cd8-00013b2c"
         NAS-Port = 0
         NAS-Port-Type = Wireless-802.11
         NAS-Identifier = "CN18D332BD"
         NAS-IP-Address = 192.168.0.29
         User-Name = "984b4af5bf40"
         Calling-Station-Id = "98:4b:4a:f5:bf:40"
         Called-Station-Id = "2c:41:38:f4:f5:c0"
         Service-Type = Login-User
         MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
         MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc680000000000000000fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
         Colubris-AVPair = "ssid=TSV-UC"
         Colubris-AVPair = "phytype=IEEE802dot11n"
         Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "984b4af5bf40", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
rlm_perl: AUTHORIZE
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Acct-Session-Id = 1ca83cd8-00013b2c
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: Called-Station-Id = 2c:41:38:f4:f5:c0
rlm_perl: RAD_REQUEST: Calling-Station-Id = 98:4b:4a:f5:bf:40
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
rlm_perl: RAD_REQUEST: MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
rlm_perl: RAD_REQUEST: User-Name = 984b4af5bf40
rlm_perl: RAD_REQUEST: NAS-Identifier = CN18D332BD
rlm_perl: RAD_REQUEST: MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc680000000000000000fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
rlm_perl: RAD_REQUEST: Colubris-AVPair = ARRAY(0x127d4d8)
rlm_perl: RAD_REQUEST: NAS-Port = 0
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.0.29
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Acct-Session-Id = 1ca83cd8-00013b2c
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 2c:41:38:f4:f5:c0
rlm_perl: Added pair Calling-Station-Id = 98:4b:4a:f5:bf:40
rlm_perl: Added pair Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
rlm_perl: Added pair MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
rlm_perl: Added pair User-Name = 984b4af5bf40
rlm_perl: Added pair NAS-Identifier = CN18D332BD
rlm_perl: Added pair MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc680000000000000000fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
rlm_perl: Added pair Colubris-AVPair = ssid=TSV-UC
rlm_perl: Added pair Colubris-AVPair = phytype=IEEE802dot11n
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 192.168.0.29
rlm_perl: Added pair Auth-Type = MSCHAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: 984b4af5bf40
[mschap] Told to do MS-CHAPv2 for 984b4af5bf40 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 984b4af5bf40
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 48 to 192.168.0.29 port 35063

Regards, Glen.
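The debug above shows why the request is rejected: rlm_mschap sets Auth-Type = MSCHAP and then needs a "known good" password (Cleartext-Password or NT-Password) in the control list to verify the MS-CHAP2-Response, and nothing in the authorize section supplies one. The following is an added rlm_perl script illustrating the allowed-MAC lookup described in the post; it is not the poster's script and not part of FreeRADIUS. It assumes a file /etc/freeradius/allowed-macs.txt with one MAC per line (hypothetical path and format), and it assumes the AP uses the same MAC string it sends as User-Name as the MS-CHAPv2 password; if your AP is configured with a fixed MAC-auth password, set that instead where marked. The return-code constants are the ones defined in the 2.x example.pl.

```perl
#!/usr/bin/perl
# Added example rlm_perl module for MAC-based authorization (not the
# original poster's script).  Authorize only: rlm_mschap does the actual
# MS-CHAPv2 verification once it has a Cleartext-Password to work with,
# so no "Auth-Type := Perl" entry in users and no perl in authenticate.
use strict;
use warnings;

use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as defined in FreeRADIUS 2.x example.pl
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

my $ALLOWED_FILE = '/etc/freeradius/allowed-macs.txt';   # assumed path
my $loaded_mtime = -1;   # mtime of the file at the last successful load
my %allowed;             # normalized MAC -> 1

# Log through radiusd when loaded by rlm_perl, otherwise to STDERR.
sub log_msg {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(3, "mac-auth: $msg"); }
    else                          { print STDERR "mac-auth: $msg\n"; }
}

# Normalize aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or
# aabbccddeeff to 12 lowercase hex digits; undef if it is not a MAC.
sub norm_mac {
    my ($raw) = @_;
    return undef unless defined $raw;
    my $s = lc $raw;
    $s =~ s/^\s+|\s+$//g;
    return undef unless $s =~ /^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$/
                     || $s =~ /^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$/
                     || $s =~ /^[0-9a-f]{12}$/;
    $s =~ s/[:.\-]//g;
    return $s;
}

# Re-read the allow list only when its mtime changes.  A missing or
# unreadable file keeps the previously loaded table rather than emptying it.
sub load_allowed {
    my $mtime = (stat $ALLOWED_FILE)[9];
    return unless defined $mtime;
    return if $mtime == $loaded_mtime;
    open(my $fh, '<', $ALLOWED_FILE) or do {
        log_msg("cannot open $ALLOWED_FILE: $!");
        return;
    };
    my %new;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                    # strip comments
        my $mac = norm_mac($line);
        $new{$mac} = 1 if defined $mac;      # silently skip malformed lines
    }
    close $fh;
    %allowed = %new;
    $loaded_mtime = $mtime;
    log_msg("loaded " . scalar(keys %allowed) . " MACs from $ALLOWED_FILE");
}

sub authorize {
    load_allowed();

    # Key the decision on Calling-Station-Id, which the NAS fills in from
    # the 802.11 frame, and require User-Name to agree with it.
    my $mac = norm_mac($RAD_REQUEST{'Calling-Station-Id'});
    return RLM_MODULE_NOOP unless defined $mac;   # not a MAC-auth request

    my $user = norm_mac($RAD_REQUEST{'User-Name'});
    unless (defined $user && $user eq $mac) {
        log_msg("User-Name does not match Calling-Station-Id $mac");
        return RLM_MODULE_REJECT;
    }
    unless ($allowed{$mac}) {
        log_msg("MAC $mac not in allow list");
        return RLM_MODULE_REJECT;
    }

    # Give rlm_mschap the "known good" password it needs to check the
    # MS-CHAP2-Response.  ASSUMPTION: the AP uses the User-Name string as
    # the password.  Replace with a fixed string if your AP is configured
    # with a dedicated MAC-auth password.  Do not touch Auth-Type: the
    # mschap module already set it from the MS-CHAP attributes.
    $RAD_CHECK{'Cleartext-Password'} = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_UPDATED;
}
```

With this approach perl is listed in the authorize section of sites-enabled/default only (the debug shows the request is handled there; inner-tunnel is only used for EAP, and this request carries no EAP-Message), and the users file needs no Auth-Type entry. Note what this does and does not prove: MS-CHAPv2 here only demonstrates that the AP knows the MAC-derived password, and a client can spoof its MAC, so the allow list limits who may associate but is not strong authentication of the station.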


