rlm_perl and PEAP/MSCHAPv2
Ryan De Kock
ryandekock1988 at gmail.com
Mon Feb 8 13:16:23 CET 2016
Hi,
I would like to know whether or not the following configuration *can* work,
and if so, what I need to know to get it to work.
I have gotten peap/mschapv2 to work from the standard users file, so that
is all working.
What I want to do know is pass all the logic to a perl script, however
eveytime I do that I get the following error
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
rlm_perl: PERL USERNAME ryan at test.com
rlm_perl: PERL USERNAME test
rlm_perl: Added pair Cleartext-Password = test
rlm_perl: Added pair State = 0x6a981b696a90018e48312d75606ef989
rlm_perl: Added pair MS-CHAP-User-Name = ryan at test.com
rlm_perl: Added pair MS-CHAP-Challenge = 0x263fa419e8c59a51b8f7bda3b0dbd476
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair User-Name = ryan at test.com
rlm_perl: Added pair EAP-Message =
0x020800541a0208004f3197d01dac5bed333c13a1b2a4139575a600000000000000002509ca1d6892684e813e061da39c12bcc360d638c9bb2504007279616e40636f6e6e656374656473706163652e636f2e7a61
rlm_perl: Added pair MS-CHAP2-Response =
0x087997d01dac5bed333c13a1b2a4139575a600000000000000002509ca1d6892684e813e061da39c12bcc360d638c9bb2504
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Cleartext-Password = test
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[dot1x] = updated
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: ryan at test.com
[mschap] Client is using MS-CHAPv2 for ryan at test.com, we need NT-Password
*[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.*
*[mschap] FAILED: MS-CHAP2-Response is incorrect*
some more
# Executing group from file /etc/raddb/sites-enabled/8021x
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
So.
How can I fix this?
Here is my inner-tunnel authorize section
authorize {
chap
*dot1x*
mschap
}
and the dot1x module calls a script called dot1x.pl
The script is *so* basic right now, all I want it to do is to update the
Cleartext-password attribute so that the user can authenticate.
Currently it looks like this
sub authorize {
# For debugging purposes only
# &log_request_attributes;
#debugging
&radiusd::radlog(1,"PERL USERNAME " . $RAD_REQUEST{'User-Name'});
&radiusd::radlog(1,"PERL USERNAME " .
$RAD_REQUEST{'Cleartext-Password'});
#trying to update the cleartext-password to the one the user enters.
$RAD_REQUEST{'Cleartext-Password'} = "test";
$RAD_REPLY{'Cleartext-Password'} = 'test';
return RLM_MODULE_UPDATED;
}
any advice would be great
More information about the Freeradius-Users
mailing list