MAC-Auth issues with rlm_perl

Mon Mar 26 11:10:56 CEST 2012

On 03/26/2012 10:01 AM, Glen Harris wrote:
>
> Server: Debian 6 (Squeeze) 2.6.32-5-amd64
> FreeRadius: 2.1.10 (Debian package)
> Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
> Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
> MD5 and PAP.
>
> I'm trying to set up a simple MAC-Auth based network using HP 2610
> switches and MSM640 wireless APs as radius clients. I've added the AP to

This is a matter of choice, but personally I would advise against using 
MAC-auth on wireless. It provides illusory security, and 802.1x is 
pretty easy on modern equipment. You call however.

> the clients.conf and configured the AP to use MAC-based authentication
> and it appears to be talking to FreeRadius using MSCHAPv2 correctly.

Well, see below for more on this; IMO it's not "correct" to use MSCHAPv2 
for mac-auth. It's a hack, presumably created for people with dumb 
radius servers that assume ever authentication is tied to something with 
a username/password.

>
> We only have a few dozen clients, so I'm using the perl module to read
> and cache a text file of MAC addresses. My script watches the file's
> mtime and re-loads it as necessary. I've followed the instructions on
> http://wiki.freeradius.org/Rlm_perl, but I get the following error:
>
> /etc/freeradius/users[204]: Parse error (check) for entry DEFAULT:
> Unknown value Perl for attribute Auth-Type

Why are you trying to set Auth-Type to "Perl"? Since the requests are 
MSCHAP, unless you've written a full MSCHAP implementation in Perl, you 
won't be able to authenticate them.

If you just want to whitelist MACs, run perl in "authorize".

>
> After some trial and error, I found that adding perl to the authorize
> and authenticate sections of sites-available/inner-tunnel would get rid
> of the error, but I have no idea if that solved the problem or merely
> masked it and caused he next one.
>
> There appears to be something seriously wrong with the way this config
> is working, because rlm_perl is calling the AUTHORIZE function but not
> AUTHENTICATE. I've pasted the debug of an authentication attempt below.
> It appears to be taking the CLIENT mschap authentication and somehow
> applying those attributes to mangle USER authentication.

I don't understand this paragraph. What do you mean by "client mschap 
authentication" and "mangle user authentication".

In any event - the "problems" are all spelt out in the debug if you read 
carefully:

>
> rad_recv: Access-Request packet from host 192.168.0.29 port 35063,
> id=48, length
> =275
> Acct-Session-Id = "1ca83cd8-00013b2c"
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> NAS-Identifier = "CN18D332BD"
> NAS-IP-Address = 192.168.0.29
> User-Name = "984b4af5bf40"
> Calling-Station-Id = "98:4b:4a:f5:bf:40"
> Called-Station-Id = "2c:41:38:f4:f5:c0"
> Service-Type = Login-User
> MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
> MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc6800000000000000
> 00fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
> Colubris-AVPair = "ssid=TSV-UC"
> Colubris-AVPair = "phytype=IEEE802dot11n"
> Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e

The above is an MSCHAP request. However, the username appears to be a 
MAC address, so maybe the NAS is trying to do MSCHAP "mac auth". Sigh.

> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'

The "mschap" module sets Auth-Type to itself, correctly.

> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "984b4af5bf40", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 204
<snip>

> ++[perl] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP

Auth-Type is still MSCHAP

> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.

No password is set, therefore auth is going to fail...

> [mschap] Creating challenge hash with username: 984b4af5bf40
> [mschap] Told to do MS-CHAPv2 for 984b4af5bf40 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

...and auth fails.

I am going to take a wild guess, that your NAS does MAC-auth via an 
mschap request. I am going to guess the password it uses is either the 
same as the username, or a fixed value.

You could try adding lines like this to the "users" file:

984b4af5bf40	Cleartext-Password := "984b4af5bf40"

Or, if your NAS can be made to do so, disable the dumb "lets do MAC-auth 
by simulating mschap so that Microsoft IAS/NPS users can play too" mode. 
Then, MAC-auth requests will come in as PAP, and you can just set 
"Auth-Type = Accept" after you've performed the "known good" MAC address 
check.

Your "perl" module is running OK in "authorize", so any checks you can 
do, you can do there.