Issue with MSCHAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sun Nov 4 22:34:39 CET 2012


On 4 Nov 2012, at 21:20, Ryan Summey <ryan.summey at gmail.com> wrote:

> So how do we secure the user accounts in the database?

By securing the database.

NT4 password hashes are the only other option if you want to use MSCHAPv2, and they're trivial to break with rainbow tables.

Welcome to the wonderful world of Microsoft :)

-Arran



> 
> On Sun, Nov 4, 2012 at 4:11 PM, Blake Covarrubias <blake at covarrubi.as> wrote:
> http://deployingradius.com/documents/protocols/compatibility.html
> 
> md5 passwords are not compatible with MS-CHAP.
> 
> --
> Blake Covarrubias
> 
> On Nov 4, 2012, at 13:56, Ryan Summey <ryan.summey at gmail.com> wrote:
> 
>> Below is the log. I am able to connect using clear-text passwords but not encrypted passwords... What is confusing me is that if I do a radtest it works fine using the user's credentials that are encrypted... But as you can see below, this is me trying to connect from my phone using the account I created in the database with the password MD5. Again, this works when I do a radtest but not in a real-world test. Only clear-text passwords work in the real-world test.
>> 
>> Thank you for your time.
>> 
>> 
>> 
>> 
>> freeradius -X
>> FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep 11 2012 at 22:27:08
>> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /etc/freeradius/radiusd.conf
>> including configuration file /etc/freeradius/proxy.conf
>> including configuration file /etc/freeradius/clients.conf
>> including files in directory /etc/freeradius/modules/
>> including configuration file /etc/freeradius/modules/always
>> including configuration file /etc/freeradius/modules/mac2ip
>> including configuration file /etc/freeradius/modules/sql_log
>> including configuration file /etc/freeradius/modules/smbpasswd
>> including configuration file /etc/freeradius/modules/detail
>> including configuration file /etc/freeradius/modules/smsotp
>> including configuration file /etc/freeradius/modules/cui
>> including configuration file /etc/freeradius/modules/wimax
>> including configuration file /etc/freeradius/modules/replicate
>> including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
>> including configuration file /etc/freeradius/modules/sradutmp
>> including configuration file /etc/freeradius/modules/pap
>> including configuration file /etc/freeradius/modules/echo
>> including configuration file /etc/freeradius/modules/expiration
>> including configuration file /etc/freeradius/modules/files
>> including configuration file /etc/freeradius/modules/mac2vlan
>> including configuration file /etc/freeradius/modules/acct_unique
>> including configuration file /etc/freeradius/modules/krb5
>> including configuration file /etc/freeradius/modules/mschap
>> including configuration file /etc/freeradius/modules/checkval
>> including configuration file /etc/freeradius/modules/preprocess
>> including configuration file /etc/freeradius/modules/logintime
>> including configuration file /etc/freeradius/modules/pam
>> including configuration file /etc/freeradius/modules/passwd
>> including configuration file /etc/freeradius/modules/etc_group
>> including configuration file /etc/freeradius/modules/opendirectory
>> including configuration file /etc/freeradius/modules/attr_filter
>> including configuration file /etc/freeradius/modules/linelog
>> including configuration file /etc/freeradius/modules/soh
>> including configuration file /etc/freeradius/modules/attr_rewrite
>> including configuration file /etc/freeradius/modules/chap
>> including configuration file /etc/freeradius/modules/rediswho
>> including configuration file /etc/freeradius/modules/counter
>> including configuration file /etc/freeradius/modules/digest
>> including configuration file /etc/freeradius/modules/policy
>> including configuration file /etc/freeradius/modules/unix
>> including configuration file /etc/freeradius/modules/ldap
>> including configuration file /etc/freeradius/modules/otp
>> including configuration file /etc/freeradius/modules/radutmp
>> including configuration file /etc/freeradius/modules/perl
>> including configuration file /etc/freeradius/modules/dynamic_clients
>> including configuration file /etc/freeradius/modules/detail.example.com
>> including configuration file /etc/freeradius/modules/redis
>> including configuration file /etc/freeradius/modules/ntlm_auth
>> including configuration file /etc/freeradius/modules/inner-eap
>> including configuration file /etc/freeradius/modules/ippool
>> including configuration file /etc/freeradius/modules/realm
>> including configuration file /etc/freeradius/modules/detail.log
>> including configuration file /etc/freeradius/modules/exec
>> including configuration file /etc/freeradius/modules/expr
>> including configuration file /etc/freeradius/eap.conf
>> including configuration file /etc/freeradius/sql.conf
>> including configuration file /etc/freeradius/sql/mysql/dialup.conf
>> including configuration file /etc/freeradius/policy.conf
>> including files in directory /etc/freeradius/sites-enabled/
>> including configuration file /etc/freeradius/sites-enabled/default
>> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
>> main {
>>         user = "freerad"
>>         group = "freerad"
>>         allow_core_dumps = no
>> }
>> including dictionary file /etc/freeradius/dictionary
>> main {
>>         name = "freeradius"
>>         prefix = "/usr"
>>         localstatedir = "/var"
>>         sbindir = "/usr/sbin"
>>         logdir = "/var/log/freeradius"
>>         run_dir = "/var/run/freeradius"
>>         libdir = "/usr/lib/freeradius"
>>         radacctdir = "/var/log/freeradius/radacct"
>>         hostname_lookups = no
>>         max_request_time = 30
>>         cleanup_delay = 5
>>         max_requests = 1024
>>         pidfile = "/var/run/freeradius/freeradius.pid"
>>         checkrad = "/usr/sbin/checkrad"
>>         debug_level = 0
>>         proxy_requests = yes
>>  log {
>>         stripped_names = no
>>         auth = no
>>         auth_badpass = no
>>         auth_goodpass = no
>>  }
>>  security {
>>         max_attributes = 200
>>         reject_delay = 1
>>         status_server = yes
>>  }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>>  proxy server {
>>         retry_delay = 5
>>         retry_count = 3
>>         default_fallback = no
>>         dead_time = 120
>>         wake_all_if_all_dead = no
>>  }
>>  home_server localhost {
>>         ipaddr = 127.0.0.1
>>         port = 1812
>>         type = "auth"
>>         secret = "testing123"
>>         response_window = 20
>>         max_outstanding = 65536
>>         require_message_authenticator = yes
>>         zombie_period = 40
>>         status_check = "status-server"
>>         ping_interval = 30
>>         check_interval = 30
>>         num_answers_to_alive = 3
>>         num_pings_to_alive = 3
>>         revive_interval = 120
>>         status_check_timeout = 4
>>   coa {
>>         irt = 2
>>         mrt = 16
>>         mrc = 5
>>         mrd = 30
>>   }
>>  }
>>  home_server_pool my_auth_failover {
>>         type = fail-over
>>         home_server = localhost
>>  }
>>  realm example.com {
>>         auth_pool = my_auth_failover
>>  }
>>  realm LOCAL {
>>  }
>> radiusd: #### Loading Clients ####
>>  client localhost {
>>         ipaddr = 127.0.0.1
>>         require_message_authenticator = no
>>         secret = "testsecret"
>>         nastype = "other"
>>  }
>>  client 192.168.2.24 {
>>         require_message_authenticator = no
>>         secret = "testsecret"
>>         shortname = "cvpn-pptp"
>>         nastype = "other"
>>  }
>> radiusd: #### Instantiating modules ####
>>  instantiate {
>>  Module: Linked to module rlm_exec
>>  Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
>>   exec {
>>         wait = no
>>         input_pairs = "request"
>>         shell_escape = yes
>>   }
>>  Module: Linked to module rlm_expr
>>  Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
>>  Module: Linked to module rlm_expiration
>>  Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
>>   expiration {
>>         reply-message = "Password Has Expired  "
>>   }
>>  Module: Linked to module rlm_logintime
>>  Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
>>   logintime {
>>         reply-message = "You are calling outside your allowed timespan  "
>>         minimum-timeout = 60
>>   }
>>  }
>> radiusd: #### Loading Virtual Servers ####
>> server { # from file /etc/freeradius/radiusd.conf
>>  modules {
>>   Module: Creating Auth-Type = digest
>>   Module: Creating Post-Auth-Type = REJECT
>>  Module: Checking authenticate {...} for more modules to load
>>  Module: Linked to module rlm_pap
>>  Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
>>   pap {
>>         encryption_scheme = "auto"
>>         auto_header = no
>>   }
>>  Module: Linked to module rlm_chap
>>  Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
>>  Module: Linked to module rlm_mschap
>>  Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
>>   mschap {
>>         use_mppe = yes
>>         require_encryption = yes
>>         require_strong = yes
>>         with_ntdomain_hack = no
>>         allow_retry = yes
>>   }
>>  Module: Linked to module rlm_digest
>>  Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
>>  Module: Linked to module rlm_unix
>>  Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
>>   unix {
>>         radwtmp = "/var/log/freeradius/radwtmp"
>>   }
>>  Module: Linked to module rlm_eap
>>  Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
>>   eap {
>>         default_eap_type = "md5"
>>         timer_expire = 60
>>         ignore_unknown_eap_types = no
>>         cisco_accounting_username_bug = no
>>         max_sessions = 4096
>>   }
>>  Module: Linked to sub-module rlm_eap_md5
>>  Module: Instantiating eap-md5
>>  Module: Linked to sub-module rlm_eap_leap
>>  Module: Instantiating eap-leap
>>  Module: Linked to sub-module rlm_eap_gtc
>>  Module: Instantiating eap-gtc
>>    gtc {
>>         challenge = "Password: "
>>         auth_type = "PAP"
>>    }
>>  Module: Linked to sub-module rlm_eap_tls
>>  Module: Instantiating eap-tls
>>    tls {
>>         rsa_key_exchange = no
>>         dh_key_exchange = yes
>>         rsa_key_length = 512
>>         dh_key_length = 512
>>         verify_depth = 0
>>         CA_path = "/etc/freeradius/certs"
>>         pem_file_type = yes
>>         private_key_file = "/etc/freeradius/certs/server.key"
>>         certificate_file = "/etc/freeradius/certs/server.pem"
>>         CA_file = "/etc/freeradius/certs/ca.pem"
>>         private_key_password = "whatever"
>>         dh_file = "/etc/freeradius/certs/dh"
>>         random_file = "/dev/urandom"
>>         fragment_size = 1024
>>         include_length = yes
>>         check_crl = no
>>         cipher_list = "DEFAULT"
>>         make_cert_command = "/etc/freeradius/certs/bootstrap"
>>         ecdh_curve = "prime256v1"
>>     cache {
>>         enable = no
>>         lifetime = 24
>>         max_entries = 255
>>     }
>>     verify {
>>     }
>>     ocsp {
>>         enable = no
>>         override_cert_url = yes
>>         url = "http://127.0.0.1/ocsp/"
>>     }
>>    }
>>  Module: Linked to sub-module rlm_eap_ttls
>>  Module: Instantiating eap-ttls
>>    ttls {
>>         default_eap_type = "md5"
>>         copy_request_to_tunnel = no
>>         use_tunneled_reply = no
>>         virtual_server = "inner-tunnel"
>>         include_length = yes
>>    }
>>  Module: Linked to sub-module rlm_eap_peap
>>  Module: Instantiating eap-peap
>>    peap {
>>         default_eap_type = "mschapv2"
>>         copy_request_to_tunnel = no
>>         use_tunneled_reply = no
>>         proxy_tunneled_request_as_eap = yes
>>         virtual_server = "inner-tunnel"
>>         soh = no
>>    }
>>  Module: Linked to sub-module rlm_eap_mschapv2
>>  Module: Instantiating eap-mschapv2
>>    mschapv2 {
>>         with_ntdomain_hack = no
>>         send_error = no
>>    }
>>  Module: Checking authorize {...} for more modules to load
>>  Module: Linked to module rlm_preprocess
>>  Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
>>   preprocess {
>>         huntgroups = "/etc/freeradius/huntgroups"
>>         hints = "/etc/freeradius/hints"
>>         with_ascend_hack = no
>>         ascend_channels_per_line = 23
>>         with_ntdomain_hack = no
>>         with_specialix_jetstream_hack = no
>>         with_cisco_vsa_hack = no
>>         with_alvarion_vsa_hack = no
>>   }
>>  Module: Linked to module rlm_realm
>>  Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
>>   realm suffix {
>>         format = "suffix"
>>         delimiter = "@"
>>         ignore_default = no
>>         ignore_null = no
>>   }
>>  Module: Linked to module rlm_files
>>  Module: Instantiating module "files" from file /etc/freeradius/modules/files
>>   files {
>>         usersfile = "/etc/freeradius/users"
>>         acctusersfile = "/etc/freeradius/acct_users"
>>         preproxy_usersfile = "/etc/freeradius/preproxy_users"
>>         compat = "no"
>>   }
>>  Module: Linked to module rlm_sql
>>  Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
>>   sql {
>>         driver = "rlm_sql_mysql"
>>         server = "mysql.claravpn.com"
>>         port = "3306"
>>         login = "cvpnadmin"
>>         password = "106westwhiteoakstreet"
>>         radius_db = "cvpnradiusdb"
>>         read_groups = yes
>>         sqltrace = no
>>         sqltracefile = "/var/log/freeradius/sqltrace.sql"
>>         readclients = no
>>         deletestalesessions = yes
>>         num_sql_socks = 5
>>         lifetime = 0
>>         max_queries = 0
>>         sql_user_name = "%{User-Name}"
>>         default_user_profile = ""
>>         nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
>>         authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
>>         authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
>>         authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
>>         authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
>>         accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
>>         accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
>>         accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
>>         accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
>>         accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
>>         accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
>>         accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
>>         group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
>>         connect_failure_retry_delay = 60
>>         simul_count_query = "SELECT COUNT(*)                              #FROM radacct                              #WHERE username = '%{SQL-User-Name}'                              #AND acctstoptime IS NULL"
>>         simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
>>         postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
>>         safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>   }
>> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
>> rlm_sql (sql): Attempting to connect to cvpnadmin at mysql.claravpn.com:3306/cvpnradiusdb
>> rlm_sql (sql): starting 0
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
>> rlm_sql_mysql: Starting connect to MySQL server for #0
>> rlm_sql (sql): Connected new DB handle, #0
>> rlm_sql (sql): starting 1
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
>> rlm_sql_mysql: Starting connect to MySQL server for #1
>> rlm_sql (sql): Connected new DB handle, #1
>> rlm_sql (sql): starting 2
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
>> rlm_sql_mysql: Starting connect to MySQL server for #2
>> rlm_sql (sql): Connected new DB handle, #2
>> rlm_sql (sql): starting 3
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
>> rlm_sql_mysql: Starting connect to MySQL server for #3
>> rlm_sql (sql): Connected new DB handle, #3
>> rlm_sql (sql): starting 4
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
>> rlm_sql_mysql: Starting connect to MySQL server for #4
>> rlm_sql (sql): Connected new DB handle, #4
>>  Module: Checking preacct {...} for more modules to load
>>  Module: Linked to module rlm_acct_unique
>>  Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
>>   acct_unique {
>>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>>   }
>>  Module: Checking accounting {...} for more modules to load
>>  Module: Linked to module rlm_detail
>>  Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
>>   detail {
>>         detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>         header = "%t"
>>         detailperm = 384
>>         dirperm = 493
>>         locking = no
>>         log_packet_header = no
>>   }
>>  Module: Linked to module rlm_radutmp
>>  Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
>>   radutmp {
>>         filename = "/var/log/freeradius/radutmp"
>>         username = "%{User-Name}"
>>         case_sensitive = yes
>>         check_with_nas = yes
>>         perm = 384
>>         callerid = yes
>>   }
>>  Module: Linked to module rlm_attr_filter
>>  Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
>>   attr_filter attr_filter.accounting_response {
>>         attrsfile = "/etc/freeradius/attrs.accounting_response"
>>         key = "%{User-Name}"
>>         relaxed = no
>>   }
>>  Module: Checking session {...} for more modules to load
>>  Module: Checking post-proxy {...} for more modules to load
>>  Module: Checking post-auth {...} for more modules to load
>>  Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
>>   attr_filter attr_filter.access_reject {
>>         attrsfile = "/etc/freeradius/attrs.access_reject"
>>         key = "%{User-Name}"
>>         relaxed = no
>>   }
>>  } # modules
>> } # server
>> server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
>>  modules {
>>  Module: Checking authenticate {...} for more modules to load
>>  Module: Checking authorize {...} for more modules to load
>>  Module: Checking session {...} for more modules to load
>>  Module: Checking post-proxy {...} for more modules to load
>>  Module: Checking post-auth {...} for more modules to load
>>  } # modules
>> } # server
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>>         type = "auth"
>>         ipaddr = *
>>         port = 0
>> }
>> listen {
>>         type = "acct"
>>         ipaddr = *
>>         port = 0
>> }
>> listen {
>>         type = "auth"
>>         ipaddr = 127.0.0.1
>>         port = 18120
>> }
>>  ... adding new socket proxy address * port 48747
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
>> Listening on proxy address * port 1814
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.2.24 port 37360, id=33, length=151
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>>         User-Name = "md5sonder"
>>         MS-CHAP-Challenge = 0x0450cfc169281de4596f775878e83202
>>         MS-CHAP2-Response = 0x50002036d573a3f3f443f0adaaf52b1557b300000000000000004fab1da0b14e7e7827768b24019d9c9e41dec2d11872bbad
>>         Calling-Station-Id = "97.218.49.75"
>>         NAS-IP-Address = 127.0.0.1
>>         NAS-Port = 0
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>> ++[mschap] returns ok
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "md5sonder", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> [files] users: Matched entry DEFAULT at line 172
>> ++[files] returns ok
>> [sql]   expand: %{User-Name} -> md5sonder
>> [sql] sql_set_user escaped user --> 'md5sonder'
>> rlm_sql (sql): Reserving sql socket id: 4
>> [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'md5sonder'           ORDER BY id
>> [sql] User found in radcheck table
>> [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'md5sonder'           ORDER BY id
>> [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'md5sonder'           ORDER BY priority
>> rlm_sql (sql): Released sql socket id: 4
>> ++[sql] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] Normalizing MD5-Password from hex encoding
>> [pap] WARNING: Auth-Type already set.  Not setting to PAP
>> ++[pap] returns noop
>> Found Auth-Type = MSCHAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group MS-CHAP {...}
>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>> [mschap] Creating challenge hash with username: md5sonder
>> [mschap] Told to do MS-CHAPv2 for md5sonder with NT-Password
>> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
>> [mschap] FAILED: MS-CHAP2-Response is incorrect
>> ++[mschap] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group REJECT {...}
>> [attr_filter.access_reject]     expand: %{User-Name} -> md5sonder
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.6 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 33 to 192.168.2.24 port 37360
>>         MS-CHAP-Error = "PE=691 R=1"
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 33 with timestamp +121
>> Ready to process requests.
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
