MAC-Auth issues with rlm_perl
Phil Mayers
p.mayers at imperial.ac.uk
Mon Mar 26 11:10:56 CEST 2012
On 03/26/2012 10:01 AM, Glen Harris wrote:
>
> Server: Debian 6 (Squeeze) 2.6.32-5-amd64
> FreeRadius: 2.1.10 (Debian package)
> Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
> Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
> MD5 and PAP.
>
> I'm trying to set up a simple MAC-Auth based network using HP 2610
> switches and MSM640 wireless APs as radius clients. I've added the AP to
This is a matter of choice, but personally I would advise against using
MAC-auth on wireless. It provides illusory security, and 802.1x is
pretty easy on modern equipment. You call however.
> the clients.conf and configured the AP to use MAC-based authentication
> and it appears to be talking to FreeRadius using MSCHAPv2 correctly.
Well, see below for more on this; IMO it's not "correct" to use MSCHAPv2
for mac-auth. It's a hack, presumably created for people with dumb
radius servers that assume ever authentication is tied to something with
a username/password.
>
> We only have a few dozen clients, so I'm using the perl module to read
> and cache a text file of MAC addresses. My script watches the file's
> mtime and re-loads it as necessary. I've followed the instructions on
> http://wiki.freeradius.org/Rlm_perl, but I get the following error:
>
> /etc/freeradius/users[204]: Parse error (check) for entry DEFAULT:
> Unknown value Perl for attribute Auth-Type
Why are you trying to set Auth-Type to "Perl"? Since the requests are
MSCHAP, unless you've written a full MSCHAP implementation in Perl, you
won't be able to authenticate them.
If you just want to whitelist MACs, run perl in "authorize".
>
> After some trial and error, I found that adding perl to the authorize
> and authenticate sections of sites-available/inner-tunnel would get rid
> of the error, but I have no idea if that solved the problem or merely
> masked it and caused he next one.
>
> There appears to be something seriously wrong with the way this config
> is working, because rlm_perl is calling the AUTHORIZE function but not
> AUTHENTICATE. I've pasted the debug of an authentication attempt below.
> It appears to be taking the CLIENT mschap authentication and somehow
> applying those attributes to mangle USER authentication.
I don't understand this paragraph. What do you mean by "client mschap
authentication" and "mangle user authentication".
In any event - the "problems" are all spelt out in the debug if you read
carefully:
>
> rad_recv: Access-Request packet from host 192.168.0.29 port 35063,
> id=48, length
> =275
> Acct-Session-Id = "1ca83cd8-00013b2c"
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> NAS-Identifier = "CN18D332BD"
> NAS-IP-Address = 192.168.0.29
> User-Name = "984b4af5bf40"
> Calling-Station-Id = "98:4b:4a:f5:bf:40"
> Called-Station-Id = "2c:41:38:f4:f5:c0"
> Service-Type = Login-User
> MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
> MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc6800000000000000
> 00fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
> Colubris-AVPair = "ssid=TSV-UC"
> Colubris-AVPair = "phytype=IEEE802dot11n"
> Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
The above is an MSCHAP request. However, the username appears to be a
MAC address, so maybe the NAS is trying to do MSCHAP "mac auth". Sigh.
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
The "mschap" module sets Auth-Type to itself, correctly.
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "984b4af5bf40", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 204
<snip>
> ++[perl] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
Auth-Type is still MSCHAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
No password is set, therefore auth is going to fail...
> [mschap] Creating challenge hash with username: 984b4af5bf40
> [mschap] Told to do MS-CHAPv2 for 984b4af5bf40 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
...and auth fails.
I am going to take a wild guess, that your NAS does MAC-auth via an
mschap request. I am going to guess the password it uses is either the
same as the username, or a fixed value.
You could try adding lines like this to the "users" file:
984b4af5bf40 Cleartext-Password := "984b4af5bf40"
Or, if your NAS can be made to do so, disable the dumb "lets do MAC-auth
by simulating mschap so that Microsoft IAS/NPS users can play too" mode.
Then, MAC-auth requests will come in as PAP, and you can just set
"Auth-Type = Accept" after you've performed the "known good" MAC address
check.
Your "perl" module is running OK in "authorize", so any checks you can
do, you can do there.
More information about the Freeradius-Users
mailing list