[Home server Radius in "always accept mode with mschap"]
Thomas Fagart
tfagart at brozs.net
Thu Mar 29 23:22:31 CEST 2012
Hello,
As we've got some bad ISPs or maybe because they use other radius than
freeradius :-), we would like, when their home server does not work
properly (bad response time or completely down), to continue
authenticating wimax users on our proxy. (So that users do not get
disconnected after their lease / network entry).
So I wanted to build a "welcome" home server (meaning a home server that
always says yes without checking anything).
I've tried a physical one and also a dedicated virtual server that I use
either as fallback home server or as secondary home server.
I've successfully been able to send "Access Accept" for any Access
Request by configuring the following:
authorize {
        preprocess
        auth_log
        chap
        mschap
        unix
        files
        if (!ok) {
                reject
        }
        else {
                update control {
                        Auth-Type := Accept
                }
        }
        expiration
        logintime
        pap
}
....
But then it's not enough, Mschap Attributes are required so that it
really works (below is "normal" authentication when the ISP's home server answers).
Mon Dec 5 11:37:39 2011 : Debug: Received Access-Accept packet from host X.Y.Z.W port 1812, id=98, length=184
Mon Dec 5 11:37:39 2011 : Debug: MS-CHAP2-Success = 0x78533d44303235443041393935354646383733384143443137364244433544463336393436373139333937
Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Recv-Key = 0xa0d43ffe6f017d74813ad8d12b35797e
Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Send-Key = 0x5f6a95b54ef1d283134925733845429a
Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Encryption-Policy = 0x00000001
Mon Dec 5 11:37:39 2011 : Debug: MS-MPPE-Encryption-Types = 0x00000006
Mon Dec 5 11:37:39 2011 : Debug: Proxy-State = 0x323233
Mon Dec 5 11:37:39 2011 : Debug: +- entering group post-proxy {...}
As I was not very familiar with MS-CHAP, I've googled a little and it
seems to me that my goal (i.e. ms chapv2 welcome server without having
user/passwd of users) is not reachable as the home server MUST have
users/passwd to generate challenge.
Could you confirm that I'm not wrong so that I will stop looking for
unfeasible things?
Many thanks
Thomas
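
Added example, not part of the original post and not FreeRADIUS code: the RFC 2759 computation of the "S=..." string that the MS-CHAP2-Success attribute in the log above carries, showing that it is keyed by a hash of the user's password. The function names are this example's own; the password hash-hash is passed in rather than computed, and the sample inputs are the RFC 2759 section 9.2 test vector plus a constructed all-zero guess.

```python
import hashlib

# Magic constants from RFC 2759, GenerateAuthenticatorResponse().
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# RFC 2759 section 9.2 test vector (user "User", password "clientPass").
RFC_VECTOR = {
    "password_hash_hash": bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F"),
    "nt_response": bytes.fromhex(
        "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"),
    "peer_challenge": bytes.fromhex("21402324255E262A28295F2B3A337C7E"),
    "auth_challenge": bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"),
    "username": b"User",
}


def challenge_hash(peer_challenge, auth_challenge, username):
    """First 8 octets of SHA-1(peer challenge + authenticator challenge + user name)."""
    data = peer_challenge + auth_challenge + username
    return hashlib.sha1(data).digest()[:8]


def authenticator_response(password_hash_hash, nt_response,
                           peer_challenge, auth_challenge, username):
    """Return the "S=<40 hex digits>" string carried in MS-CHAP2-Success.

    password_hash_hash is MD4(MD4(UTF-16LE password)). It is an input here
    because a server that does not hold the user's credentials cannot derive it.
    """
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    final = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + final.hex().upper()


def parse_success_attribute(hex_value):
    """Split a logged MS-CHAP2-Success value into (ident octet, "S=..." string)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    return raw[0], raw[1:].decode("ascii")


if __name__ == "__main__":
    print(authenticator_response(**RFC_VECTOR))
    # Same exchange, but the server guesses the hash (constructed all-zero value):
    # the peer computes its own expected string and this one will not match it.
    guessed = dict(RFC_VECTOR, password_hash_hash=bytes(16))
    print(authenticator_response(**guessed))
```

The MS-MPPE-Send-Key and MS-MPPE-Recv-Key values in the same Access-Accept are derived from the same password hash-hash and NT-Response (RFC 3079).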