rlm_perl and PEAP/MSCHAPv2

Ryan De Kock ryandekock1988 at gmail.com
Mon Feb 8 13:16:23 CET 2016


I would like to know whether or not the following configuration *can* work,
and if so, what I need to know to get it to work.

I have gotten peap/mschapv2 to work from the standard users file, so that
is all working.

What I want to do know is pass all the logic to a perl script, however
eveytime I do that I get the following error

+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
rlm_perl: PERL USERNAME ryan at test.com
rlm_perl: PERL USERNAME test
rlm_perl: Added pair Cleartext-Password = test
rlm_perl: Added pair State = 0x6a981b696a90018e48312d75606ef989
rlm_perl: Added pair MS-CHAP-User-Name = ryan at test.com
rlm_perl: Added pair MS-CHAP-Challenge = 0x263fa419e8c59a51b8f7bda3b0dbd476
rlm_perl: Added pair FreeRADIUS-Proxied-To =
rlm_perl: Added pair User-Name = ryan at test.com
rlm_perl: Added pair EAP-Message =
rlm_perl: Added pair MS-CHAP2-Response =
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Cleartext-Password = test
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[dot1x] = updated
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: ryan at test.com
[mschap] Client is using MS-CHAPv2 for ryan at test.com, we need NT-Password
*[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.*
*[mschap] FAILED: MS-CHAP2-Response is incorrect*

some more

# Executing group from file /etc/raddb/sites-enabled/8021x
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.


How can I fix this?

Here is my inner-tunnel authorize section

authorize {



and the dot1x module calls a script called dot1x.pl

The script is *so* basic right now, all I want it to do is to update the
Cleartext-password attribute so that the user can authenticate.

Currently it looks like this

sub authorize {
    # For debugging purposes only
#       &log_request_attributes;

        &radiusd::radlog(1,"PERL USERNAME " . $RAD_REQUEST{'User-Name'});
        &radiusd::radlog(1,"PERL USERNAME " .

        #trying to update the cleartext-password to the one the user enters.
        $RAD_REQUEST{'Cleartext-Password'} = "test";
        $RAD_REPLY{'Cleartext-Password'} = 'test';


any advice would be great

More information about the Freeradius-Users mailing list