rlm_cache NT-Password with EAP-PEAP
Alan DeKok
aland at deployingradius.com
Fri Feb 27 23:48:38 CET 2015
On Feb 27, 2015, at 4:20 PM, Sherker, Donald <Donald.Sherker at mybrighthouse.com> wrote:
> I have made this change and the server is able to cache the hashes for both EAP-PEAP and EAP-TTLS now. I am now seeing a problem where after MSCHAPv2 finishes its status is "updated" the first time the user tries to authenticate and then EAP fails.
A careful reading of the debug log is helpful here:
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: qaresdon
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) cache: EXPAND %{User-Name}%{outer.request:Calling-Station-Id}
(7) cache: --> qaresdone899c47233d8
(7) cache: No cache entry found for "qaresdone899c47233d8"
(7) cache: Creating new cache entry
(7) cache: EXPAND %{control:NT-Password}
(7) cache: --> 0x5835048ce94ad0564e29a924a03510ef
(7) cache: control:NT-Password := 0x5835048ce94ad0564e29a924a03510ef
(7) cache: EXPAND %{control:LM-Password}
(7) cache: --> 0xe52cac67419a9a2238f10713b629b565
(7) cache: control:LM-Password := 0xe52cac67419a9a2238f10713b629b565
(7) cache: Merging cache entry into request
(7) cache: &control:NT-Password := 0x5835048ce94ad0564e29a924a03510ef
(7) cache: &control:LM-Password := 0xe52cac67419a9a2238f10713b629b565
(7) cache: Commited entry, TTL 86400 seconds
(7) [cache.authorize] = updated
(7) } # Auth-Type MS-CHAP = updated
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
i.e. the *cache* module returns “updated”. That can be fixed. Just add “ok” after “cache.authorize”:
Auth-Type MS-CHAP {
    mschap
    cache.authorize
    ok
}
> The device will try to authenticate again and MSCHAP will finish with a status of "ok" and the user successfully authenticates. I am adding a debug output below. This behavior is the same with either of the Auth-Type MS-CHAP sections that you suggested. I am only providing a debug for EAP-PEAP since the behavior appears to be the same for this and EAP-TTLS.
Thanks. The above change should fix it.
Alan DeKok.
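As an added illustration of why the bare "ok" line changes the outcome (example code written for this page, not from FreeRADIUS or from Alan's post): a small Python model that pulls the "[module] = rcode" lines out of the debug output above, folds them into a section result, and checks whether the inner EAP-MSCHAPv2 step would treat that result as success. The priority table and the rule "a later result of equal or higher priority replaces the section's current result" are assumptions chosen to reproduce the behaviour in the log, not the server's real table; the post-fix debug excerpt is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt constructed from the debug log in the post (request (7)), reduced to
# the lines that matter for the section's return code.
DEBUG_BEFORE_FIX = """\
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) [mschap] = ok
(7) [cache.authorize] = updated
(7) } # Auth-Type MS-CHAP = updated
"""

# Constructed: the same section once a bare "ok" is appended after
# cache.authorize, as in the unlang snippet suggested above.
DEBUG_AFTER_FIX = """\
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) [mschap] = ok
(7) [cache.authorize] = updated
(7) [ok] = ok
(7) } # Auth-Type MS-CHAP = ok
"""

# ASSUMPTION: simplified priorities for the non-terminal return codes. "ok" and
# "updated" share a priority so that a later "updated" overrides an earlier "ok"
# and a later "ok" overrides "updated", which is what the log above shows.
RCODE_PRIORITY: Dict[str, int] = {"notfound": 1, "noop": 2, "updated": 4, "ok": 4}

# ASSUMPTION: these codes end the section immediately with that result.
TERMINAL = {"reject", "fail", "invalid", "userlock", "handled"}

MODULE_LINE = re.compile(r"^\(\d+\)\s+\[([\w.]+)\]\s+=\s+(\w+)\s*$")


def parse_module_rcodes(debug_text: str) -> List[Tuple[str, str]]:
    """Extract (module, rcode) pairs from '(N) [module] = rcode' debug lines."""
    pairs: List[Tuple[str, str]] = []
    for line in debug_text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def section_rcode(rcodes: List[str]) -> str:
    """Fold module results into one section result under the assumed rules."""
    result, prio = "noop", 0
    for rc in rcodes:
        if rc in TERMINAL:
            return rc  # section stops here and yields this code
        p = RCODE_PRIORITY[rc]
        if p >= prio:  # equal-or-higher priority replaces the current result
            result, prio = rc, p
    return result


def eap_mschapv2_accepts(section_result: str) -> bool:
    """The inner MSCHAPv2 step is only a success on an exact 'ok'; the log
    shows 'updated' being followed by '[eap] = reject'."""
    return section_result == "ok"


def diagnose(debug_text: str) -> Dict[str, object]:
    """Report the section result, which module set it, and whether EAP accepts it."""
    pairs = parse_module_rcodes(debug_text)
    result = section_rcode([rc for _, rc in pairs])
    set_by: Optional[str] = next(
        (mod for mod, rc in reversed(pairs) if rc == result), None
    )
    return {
        "section_result": result,
        "set_by": set_by,
        "eap_accepts": eap_mschapv2_accepts(result),
    }


if __name__ == "__main__":
    for label, text in (("before fix", DEBUG_BEFORE_FIX), ("after fix", DEBUG_AFTER_FIX)):
        print(label, diagnose(text))
```

Running the block prints the section result for both excerpts; the first ends in "updated" set by cache.authorize (EAP rejects), the second in "ok" (EAP accepts). A terminal code such as "reject" from any module short-circuits the fold regardless of what follows.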
More information about the Freeradius-Users mailing list