Accept eap-mschapv2 and proxy only mschapv2
Jacob Julian
julia1j at cmich.edu
Mon Dec 7 20:49:07 CET 2015
Hey all,
Apologies if this is a commonly asked question; I did search and tried to
mimic similar attempts.
I'm looking to accept eap-mschapv2 auths and proxy only mschapv2 to another
RADIUS server, which is set up to authenticate that user and return an
Accept or Reject.
My understanding is that this is easily accomplishable using FreeRADIUS. I
have no prior experience with FreeRADIUS, so excuse any mistakes...
This is the output of freeradius -X using RadEapTest on a remote machine,
username Administrator. It seems that FreeRADIUS is attempting to auth the
user instead of just proxying it along; this does work when I attempt a PAP
connection from that same machine, it gets proxied through and auths just
fine.
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.201.10 port 63636, id=0, length=134
User-Name = "Administrator"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020000120141646d696e6973747261746f72
Message-Authenticator = 0x67f16acfd64e0bf55afb823fbc79ce2f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 172.16.201.10 port 63636
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd42c15c7d42d0ce1d2efe40d1ce734d1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.201.10 port 63636, id=1, length=140
User-Name = "Administrator"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02010006031a
State = 0xd42c15c7d42d0ce1d2efe40d1ce734d1
Message-Authenticator = 0xe370cdc45d637d5ce7aa63f10cd3fc45
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 172.16.201.10 port 63636
EAP-Message = 0x010200271a0102002210ae3862a5bd6aa644366843b6155ed7d641646d696e6973747261746f72
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd42c15c7d52e0fe1d2efe40d1ce734d1
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.201.10 port 63636, id=2, length=206
User-Name = "Administrator"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200481a0202004331268cba76a73d54ea5fb5be72cdcd1b3b000000000000000077ae735bd2f46f781b886e02ff342f798677b30559e5d3830041646d696e6973747261746f72
State = 0xd42c15c7d52e0fe1d2efe40d1ce734d1
Message-Authenticator = 0xe08f96787e24a651d4ae379b44288612
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[eap] EAP packet type response id 2 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/default
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: Administrator
[mschap] Client is using MS-CHAPv2 for Administrator, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> Administrator
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 2 for 1 seconds
Going to the next request
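The five EAP-Message values in the trace above, decoded. This is an added example written for this page; it is not code from the original post or from FreeRADIUS. It parses the raw EAP bytes (RFC 3748) and the EAP-MSCHAPv2 sub-packets (RFC 2759 layout) to show what the exchange actually carries: the Identity response, the server's PEAP start, the peer's NAK asking for MS-CHAPv2, the 16-byte authenticator challenge, and the 49-byte response (Peer-Challenge, Reserved, NT-Response, Flags). It then assembles what an inner MS-CHAPv2 proxy would have to forward as the RFC 2548 attributes MS-CHAP-Challenge and MS-CHAP2-Response. It also computes the 8-byte ChallengeHash of RFC 2759 section 8.2, which is the value the NT-Response is keyed on; verifying that NT-Response needs the user's NT hash (MD4 of the UTF-16LE password), which is exactly the "we need NT-Password" failure in the log. The packet bytes come from the trace; the function names and the attribute assembly are my own and assumed, not a FreeRADIUS API.

```python
"""Decode the EAP-Message values from the freeradius -X trace above.

Added example, not part of the original post or of FreeRADIUS.
Standard library only.
"""
import hashlib
import struct

# EAP codes and method types (RFC 3748 / IANA registry)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2 = 1, 3, 25, 26

# MS-CHAPv2 op-codes carried inside EAP type 26
MSCHAPV2_CHALLENGE, MSCHAPV2_RESPONSE = 1, 2


def parse_eap(raw: bytes) -> dict:
    """Parse one EAP packet: 4-byte header, then the type-specific payload."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes on the wire")
    pkt = {"code": code, "id": ident, "length": length}
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        return pkt                          # Success/Failure carry no Type
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = raw[4], raw[5:]
    pkt["type"] = eap_type
    if eap_type == EAP_TYPE_IDENTITY:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type == EAP_TYPE_NAK:
        pkt["desired_types"] = list(data)   # methods the peer is willing to do
    elif eap_type == EAP_TYPE_PEAP:
        pkt["flags"] = data[0]              # 0x20 = S (start) bit
    elif eap_type == EAP_TYPE_MSCHAPV2:
        pkt.update(parse_mschapv2(data))
    return pkt


def parse_mschapv2(data: bytes) -> dict:
    """EAP-MSCHAPv2 sub-packet: OpCode, MS-CHAPv2-ID, MS-Length, Value-Size,
    then a Challenge or Response body laid out as in RFC 2759 section 4."""
    opcode, ms_id, ms_len = struct.unpack("!BBH", data[:4])
    if ms_len != len(data):
        raise ValueError(f"MS-Length {ms_len} != {len(data)}")
    out = {"opcode": opcode, "mschapv2_id": ms_id}
    value_size, body = data[4], data[5:]
    if opcode == MSCHAPV2_CHALLENGE:
        if value_size != 16:
            raise ValueError("MS-CHAPv2 challenge must be 16 bytes")
        out["auth_challenge"] = body[:16]
        out["name"] = body[16:].decode("utf-8", "replace")
    elif opcode == MSCHAPV2_RESPONSE:
        if value_size != 49:
            raise ValueError("MS-CHAPv2 response must be 49 bytes")
        out["peer_challenge"] = body[:16]
        out["reserved"] = body[16:24]       # must be zero
        out["nt_response"] = body[24:48]    # 24-byte DES output keyed by the NT hash
        out["flags"] = body[48]
        out["name"] = body[49:].decode("utf-8", "replace")
    return out


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA1(Peer || Auth || Name)[:8].
    This is what the mschap module means by 'Creating challenge hash'."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


# The EAP-Message values copied from the trace above (0x prefix dropped).
TRACE = [
    "020000120141646d696e6973747261746f72",
    "010100061920",
    "02010006031a",
    "010200271a0102002210ae3862a5bd6aa644366843b6155ed7d641646d696e6973747261746f72",
    "020200481a0202004331268cba76a73d54ea5fb5be72cdcd1b3b0000000000000000"
    "77ae735bd2f46f781b886e02ff342f798677b30559e5d3830041646d696e6973747261746f72",
]


def decode_trace(hex_messages=TRACE) -> list:
    return [parse_eap(bytes.fromhex(h)) for h in hex_messages]


def inner_mschap_attributes(packets) -> dict:
    """What a proxied inner MS-CHAPv2 request has to carry (RFC 2548 layout,
    assembled here by hand): MS-CHAP-Challenge = the 16-byte challenge and
    MS-CHAP2-Response = Ident || Flags || Peer-Challenge || Reserved || NT-Response."""
    chal = next(p for p in packets if p.get("opcode") == MSCHAPV2_CHALLENGE)
    resp = next(p for p in packets if p.get("opcode") == MSCHAPV2_RESPONSE)
    return {
        "User-Name": resp["name"],
        "MS-CHAP-Challenge": chal["auth_challenge"],
        "MS-CHAP2-Response": bytes([resp["mschapv2_id"], resp["flags"]])
        + resp["peer_challenge"] + resp["reserved"] + resp["nt_response"],
    }


if __name__ == "__main__":
    pkts = decode_trace()
    for p in pkts:
        print(p)
    for k, v in inner_mschap_attributes(pkts).items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The NT-Response is the only thing the home server can check, and it can only do so with the NT hash of the user's password; whatever ends up forwarding the inner request has to deliver exactly the 16-byte challenge and the 50-byte MS-CHAP2-Response value shown here, with the same User-Name, or the home server will compute a different ChallengeHash and reject.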