EAP-PEAP with mschap login failed MSCHAP returns reject but we want to send no Reject but Accept with GUEST Vlan AVPs
Becker, Alexander
Alexander.Becker at auconet.com
Wed Jun 18 14:09:53 CEST 2014
Hi all,
I have been using FreeRADIUS for quite some time now, though I can't wrap my mind around one thing:
When a module (say, mschap with ntlm_auth) returns REJECT because the user is not present in the AD, I want to continue processing the request to, let's say, accept the request but provide an alternative VLAN (Tunnel-Id) to the endpoint.
In chapter 16.3.1 of http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf, section "Return Codes as Modules", it clearly states:
* reject: Causes the request to be immediately rejected
So my question boils down to:
How can I use the mschap module to check whether a user is valid, somehow anticipate that he/she does not exist, and continue with alternate processing (read: decide later on whether to accept/reject the user) in such a case?
I thank you very much in advance, and I appreciate your answer.
For full reference, I included my current setup with explanations:
---
Using EAP-PEAPv0 -> valid user credentials should result in an Accept with AV-Pair list A, and invalid credentials should result in an Accept with AV-Pair list B
Example:
Using EAP-PEAP
Login OK
Sending Accept and
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "22"
Login failed
Sending Accept and
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "33"
I want to control the result via a manipulated control attribute AcnACLType. I set these attributes from within rlm_perl:
########### Snippet Perl Policy ###############################
# Map the control attribute AcnACLType (set earlier in unlang) to the
# reply attributes that select the VLAN.
if ( $RAD_CHECK{'AcnACLType'} eq "data" ) {
    # valid credentials: VLAN 22
    $RAD_CHECK{'Auth-Type'} = "Accept";
    $RAD_REPLY{'Reply-Message'} = "data";
    $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = "22";
    $RAD_REPLY{'Tunnel-Type'} = "VLAN";
    return RLM_MODULE_OK;
}
elsif ( $RAD_CHECK{'AcnACLType'} eq "authfail" ) {
    # failed credentials: VLAN 33
    $RAD_CHECK{'Auth-Type'} = "Accept";
    $RAD_REPLY{'Reply-Message'} = "AuthFail";
    $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = "33";
    $RAD_REPLY{'Tunnel-Type'} = "VLAN";
    return RLM_MODULE_OK;
}
########### Snippet Perl Policy ###############################
In case of MSCHAP authenticating, everything works as expected:
===================Begin LOG ================================
Wed Jun 18 09:59:50 2014 : Info: [eap] processing type mschapv2
Wed Jun 18 09:59:50 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel
Wed Jun 18 09:59:50 2014 : Info: [mschapv2] +- entering group MS-CHAP {...}
Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt
Wed Jun 18 09:59:50 2014 : Info: [mschap] Told to do MS-CHAPv2 for pschmidt with NT-Password
Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=testlab.auconet.lan
Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=pschmidt
Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt
Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9499863a8977daa3
Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=161b24c676d1a53738cdb10037111c81f1fe1d4d5407266a
Wed Jun 18 09:59:50 2014 : Debug: Exec-Program output: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886
Wed Jun 18 09:59:50 2014 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886
Wed Jun 18 09:59:50 2014 : Debug: Exec-Program: returned: 0
Wed Jun 18 09:59:50 2014 : Info: ++[mschap] returns ok
Wed Jun 18 09:59:50 2014 : Info: ++? if (ok)
Wed Jun 18 09:59:50 2014 : Info: ? Evaluating (ok) -> TRUE
Wed Jun 18 09:59:50 2014 : Info: ++? if (ok) -> TRUE
Wed Jun 18 09:59:50 2014 : Info: ++- entering if (ok) {...}
Wed Jun 18 09:59:50 2014 : Info: +++[control] returns ok
Wed Jun 18 09:59:50 2014 : Info: ++- if (ok) returns ok
Wed Jun 18 09:59:50 2014 : Info: ++ ... skipping elsif for request 20: Preceding "if" was taken
Wed Jun 18 09:59:50 2014 : Debug: MSCHAP Success
Wed Jun 18 09:59:50 2014 : Info: ++[eap] returns handled
} # server inner-tunnel
Wed Jun 18 09:59:50 2014 : Info: ++[control] returns ok
:
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair User-Name = testlab.auconet.lan\\pschmidt
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x030b0004
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-EMSK = 0x97d3f6e398c284127ee6ad52d55d8a0e609e453971050f546c964193d18dae3c0d74518ef466560670426f120bae29e1c268494e07b5c13ce67033c7135a08d3
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 22
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair AcnACLType = data
Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept
Wed Jun 18 09:59:50 2014 : Info: ++[perlpolicy] returns ok
Wed Jun 18 09:59:50 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default
Wed Jun 18 09:59:50 2014 : Info: +- entering group post-auth {...}
Wed Jun 18 09:59:50 2014 : Info: ++[exec] returns noop
Sending Access-Accept of id 11 to 127.0.0.1 port 38368
Reply-Message = "AuthFail"
MS-MPPE-Send-Key = 0x8cc588be92973040e5f09c8ebdc30ea4480a717aaf984fdf8182c3c6c5ffbfa8
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testlab.auconet.lan\\pschmidt"
MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5
EAP-Message = 0x030b0004
Tunnel-Private-Group-Id:0 = "22"
Wed Jun 18 09:59:50 2014 : Info: Finished request 22.
=============================== END LOG =====================================
My problem begins if the credentials are invalid. In this case inner-tunnel returns with "REJECT" and then there seems to be no way to change this into an "ACCEPT". My feeling at this point is that I am missing an important concept in the way FreeRADIUS processes requests.
Here is a snippet from inner-tunnel section:
############### SNIP ##########################
authenticate {
    Auth-Type EAP {
        eap {
            ok = 1
            reject = return    # 'return' stops this section at once with the code reject
            fail = return
        }
        if (ok) {
            update control {
                Auth-Type := "Accept"
                AcnACLType = "data"
            }
        }
        elsif (reject) {
            update control {
                Auth-Type := "Accept"
                AcnACLType = "authfail"
                LogMessage := "RadiusReject"
            }
            auconetLog
        }
    }
}
########################## End Inner tunnel ###########################
and in default server
############################ Default Server ###########################
Auth-Type EAP {
    eap {
        ok = 1
        reject = return
        invalid = 1
    }
    if (ok) {
        update control {
            #Auth-Type := "Accept"
            AcnACLType := "data"
        }
        #update reply {
        #    Tunnel-Type := VLAN
        #    Tunnel-Medium-Type := IEEE-802
        #    Tunnel-Private-Group-Id := "22"
        #}
    }
    elsif (reject || invalid) {
        update control {
            AcnACLType := "authfail"
            LogMessage := "RadiusReject"
            Auth-Type := "Accept"
        }
        auconetLog
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "33"
        }
    }
    update control {
        FreeRADIUS-Client-Shortname = "%{Client-Shortname}"
    }
    perlpolicy
}
######################################################
The log is:
================ LOG Begin ===================================
Wed Jun 18 10:48:04 2014 : Info: [eap] processing type mschapv2
Wed Jun 18 10:48:04 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel
Wed Jun 18 10:48:04 2014 : Info: [mschapv2] +- entering group MS-CHAP {...}
Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail
Wed Jun 18 10:48:04 2014 : Info: [mschap] Told to do MS-CHAPv2 for radiusfail with NT-Password
Wed Jun 18 10:48:04 2014 : Info: [mschap] No NT-Domain was found in the User-Name.
Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=
Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=radiusfail
Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail
Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3fc42259705d168a
Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1a7a459b40d3527944a7aadcdf32a499c097cf0dc1c296ad
Wed Jun 18 10:48:04 2014 : Debug: Exec-Program output: Logon failure (0xc000006d)
Wed Jun 18 10:48:04 2014 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Wed Jun 18 10:48:04 2014 : Debug: Exec-Program: returned: 1
Wed Jun 18 10:48:04 2014 : Info: [mschap] External script failed.
Wed Jun 18 10:48:04 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Wed Jun 18 10:48:04 2014 : Info: ++[mschap] returns reject
Wed Jun 18 10:48:04 2014 : Info: [eap] Freeing handler
Wed Jun 18 10:48:04 2014 : Info: ++[eap] returns reject <<<<<<
Wed Jun 18 10:48:04 2014 : Info: Failed to authenticate the user.
} # server inner-tunnel
Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Wed Jun 18 10:48:04 2014 : Info: [peap] Tunneled authentication was rejected.
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair State = 0xe26df394eb67ea7b6c664f076e6e6a50
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Calling-Station-Id = 02:00:00:00:00:01
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x6ab434e42ece49cdb13eb90438443c03
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair User-Name = radiusfail
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x020a0050190017030100208c1c20ac2dcb12e53b8a57d494b40657b43bd5019ca84e352e57a1069a1176a917030100209ed7b46fa6d167c1aacf327ae328c70674c366c0ddeceab26e7ba5232f3b029e
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Type = PEAP
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Framed-MTU = 1400
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Reply-Message = AuthFail
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x040a0004
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 33
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair FreeRADIUS-Client-Shortname = localhost
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair LogMessage = RadiusReject
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair AcnACLType = authfail
Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept
Wed Jun 18 10:48:04 2014 : Info: ++[perlpolicy] returns ok
Wed Jun 18 10:48:04 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default
Wed Jun 18 10:48:04 2014 : Info: +- entering group post-auth {...}
Wed Jun 18 10:48:04 2014 : Info: ++[exec] returns noop
Wed Jun 18 10:48:04 2014 : Info: Using Post-Auth-Type Reject
Wed Jun 18 10:48:04 2014 : Info: # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default
Wed Jun 18 10:48:04 2014 : Info: +- entering group REJECT {...}
Wed Jun 18 10:48:04 2014 : Info: ++- group REJECT returns noop
Wed Jun 18 10:48:04 2014 : Info: Delaying reject of request 10 for 1 seconds
Wed Jun 18 10:48:04 2014 : Debug: Going to the next request
Wed Jun 18 10:48:04 2014 : Debug: Waking up in 0.9 seconds.
Wed Jun 18 10:48:05 2014 : Info: Sending delayed reject for request 10
Sending Access-Reject of id 10 to 127.0.0.1 port 51730
Reply-Message = "AuthFail"
EAP-Message = 0x040a0004
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "33"
Message-Authenticator = 0x00000000000000000000000000000000
Wed Jun 18 10:48:05 2014 : Debug: Waking up in 3.9 seconds.
================= LOG End =====================================
My naïve idea is to instead send an Access-Accept with a Tunnel-Id of 11. I disabled the filter in
Post-Auth-Type REJECT {
#attr_filter.access_reject
}
to see attributes from my perl-policy.
Thanks
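The question above turns on how unlang resolves a section's return code once a module has returned `reject`. The following model is an added example, not code from the post or from FreeRADIUS: it implements the documented rule that a numeric action is a priority (the section keeps the highest-priority result seen so far) while `return` stops the section at once with the module's code, and it replays the poster's inner-tunnel `Auth-Type EAP` block with the action for an `eap` reject as a parameter. The default action table, the assumption that `update control` and `auconetLog` return `ok` (the log shows `+++[control] returns ok`), and the use of the section's current code for `if (code)` conditions are assumptions and simplifications; consult the unlang man page of your version for the exact table.

```python
"""Model of how an unlang section resolves its return code (added example).

A numeric action is a priority: the section's result becomes the module's
code when that priority is at least the current one.  The action "return"
stops the section immediately with the module's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple, Union

RETURN = "return"
Action = Union[int, str]

# ASSUMED default actions for an "authenticate" section (simplified).
DEFAULT_ACTIONS: Dict[str, Action] = {
    "reject": RETURN, "fail": RETURN, "invalid": RETURN, "handled": RETURN,
    "userlock": RETURN, "notfound": 1, "noop": 2, "updated": 3, "ok": 4,
}


@dataclass
class Call:
    """A module call such as `eap { ok = 1  reject = return }`."""
    name: str
    returns: str                                   # code the module yields in this run
    actions: Dict[str, Action] = field(default_factory=dict)  # per-call overrides


@dataclass
class Branch:
    """`if (a) {...} elsif (b || c) {...}`, tested against the section's current code."""
    arms: List[Tuple[Sequence[str], List["Step"]]]


Step = Union[Call, Branch]


def _run(steps: Sequence[Step], code: str, prio: int, trace: List[str]):
    """Evaluate steps; return (code, priority, stopped_by_return)."""
    for step in steps:
        if isinstance(step, Call):
            action = step.actions.get(step.returns, DEFAULT_ACTIONS[step.returns])
            if action == RETURN:
                trace.append(f"[{step.name}] returns {step.returns} -> action 'return': section stops")
                return step.returns, prio, True
            if action >= prio:
                code, prio = step.returns, action
            trace.append(f"[{step.name}] returns {step.returns} (priority {action}); section is now {code}")
        else:
            for conds, body in step.arms:
                if code in conds:
                    trace.append(f"branch on ({' || '.join(conds)}) taken")
                    code, prio, stopped = _run(body, code, prio, trace)
                    if stopped:
                        return code, prio, True
                    break
            else:
                trace.append("no branch taken")
    return code, prio, False


def run_section(steps: Sequence[Step]) -> Tuple[str, List[str]]:
    """Return the section's final code and a debug-style trace."""
    trace: List[str] = []
    code, _, _ = _run(steps, "noop", 0, trace)
    return code, trace


def inner_tunnel_authenticate(eap_returns: str, reject_action: Action) -> List[Step]:
    """The post's inner-tunnel block; the post itself uses reject_action=RETURN.
    auconetLog is the poster's own policy and is assumed to return ok."""
    return [
        Call("eap", eap_returns, {"ok": 1, "reject": reject_action, "fail": RETURN}),
        Branch([
            (("ok",), [Call("update control {AcnACLType=data}", "ok")]),
            (("reject",), [Call("update control {AcnACLType=authfail}", "ok"),
                           Call("auconetLog", "ok")]),
        ]),
    ]


if __name__ == "__main__":
    for eap, action in (("ok", RETURN), ("reject", RETURN), ("reject", 1)):
        code, trace = run_section(inner_tunnel_authenticate(eap, action))
        print(f"eap -> {eap}, reject = {action}: section returns {code}")
        for line in trace:
            print("   ", line)
```

With `reject = return` the trace ends at the `eap` call and the `elsif (reject)` branch is never evaluated, which matches the log above, where "Failed to authenticate the user." follows `++[eap] returns reject` directly. With `reject = 1` the branch runs and the section's code becomes `ok`, but that only changes the unlang result. My reading of the second log is that the outer server's `elsif (reject || invalid)` branch did run (Tunnel-Private-Group-Id = 33 and LogMessage were already present when perlpolicy executed) and the packet was still an Access-Reject carrying EAP-Message = 0x040a0004, an EAP-Failure: once the EAP conversation has failed, the EAP module has already decided the outcome, and a supplicant that receives EAP-Failure ends the session whatever the RADIUS code is. For that reason, placing users with bad credentials into a guest VLAN is normally done with the NAS's own auth-fail VLAN feature, with the RADIUS server returning a clean reject.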