2 Factor Authentication
Dudás Péter
peter.pdudas at gmail.com
Thu Jan 5 00:17:06 CET 2017
Dear Alan!
Please find the debug output of the successful mschap authentication below.
The Duo Auth has been removed from the post-auth section.
Ready to process requests
(0) Received Access-Request Id 209 from 10.101.168.3:59819 to 10.148.64.67:1812 length 161
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) User-Name = "Peter Dudas"
(0) NAS-IP-Address = 89.212.168.XYZ
(0) NAS-Port = 0
(0) MS-CHAP-Challenge = 0x8ef379a65af2caa31bc58658cecfb468
(0) MS-CHAP2-Response = 0x3200b3c3cbfae01b4a336b36a956fd00a6010000000000000000b8e93f963a8a27ecd54c3bda0ffed73bf110dfae7bc9868b
(0) Proxy-State = 0xfe80000000000000953e77ad63f094ba000000d1
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/10.101.168.3/auth-detail-20170105
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/auth-detail-20170105
(0) auth_log: EXPAND %t
(0) auth_log: --> Thu Jan 5 00:10:27 2017
(0) [auth_log] = ok
(0) if (User-Name != "" && Service-Type !* "") {
(0) if (User-Name != "" && Service-Type !* "") -> FALSE
(0) else {
(0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") {
(0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") -> TRUE
(0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") {
(0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") {
(0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") -> TRUE
(0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") {
(0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) {
(0) EXPAND Packet-Type
(0) --> Access-Request
(0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) -> TRUE
(0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) {
(0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) {
(0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) -> TRUE
(0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) {
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update reply {
(0) Filter-Id := "L2TP-Users"
(0) } # update reply = noop
(0) } # if (ok) = noop
(0) } # if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) = ok
(0) } # if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) = ok
(0) } # if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") = ok
(0) } # if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") = ok
(0) } # else = ok
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type mschap {
(0) mschap: Creating challenge hash with username: Peter Dudas
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{request:User-Name} --domain=site.domain.local --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=site.domain.local\l2tp-users:
(0) mschap: EXPAND --username=%{request:User-Name}
(0) mschap: --> --username=Peter Dudas
(0) mschap: Creating challenge hash with username: Peter Dudas
(0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(0) mschap: --> --challenge=a378e306f1156a0d
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(0) mschap: --> --nt-response=b8e93f963a8a27ecd54c3bda0ffed73bf110dfae7bc9868b
(0) mschap: Program returned code (0) and output 'NT_KEY: A1A055BBCC2133B2E1FCD8213C6B03FE'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0) [mschap] = ok
(0) } # Auth-Type mschap = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0) post-auth {
(0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log: --> /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170105
(0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170105
(0) reply_log: EXPAND %t
(0) reply_log: --> Thu Jan 5 00:10:27 2017
(0) [reply_log] = ok
(0) [exec] = noop
(0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log: --> /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170105
(0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170105
(0) reply_log: EXPAND %t
(0) reply_log: --> Thu Jan 5 00:10:27 2017
(0) [reply_log] = ok
(0) } # post-auth = ok
(0) Login OK: [Peter Dudas/<via Auth-Type = mschap>] (from client dc1 port 0)
(0) Sent Access-Accept Id 209 from 10.148.64.67:1812 to 10.101.168.3:59819 length 0
(0) Filter-Id := "L2TP-Users"
(0) MS-CHAP2-Success = 0x32533d37394230393541463633444633413145353737343239303830353046363142434245353136424336
(0) MS-MPPE-Recv-Key = 0xbe1f6bc006bce75b35eea9768b019de5
(0) MS-MPPE-Send-Key = 0x76698eb2f646753c148e41dc1184bf5a
(0) MS-MPPE-Encryption-Policy = Encryption-Required
(0) MS-MPPE-Encryption-Types = 4
(0) Proxy-State = 0xfe80000000000000953e77ad63f094ba000000d1
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 209 with timestamp +70
I don't see any difference in the reply; I checked the logs.
With this I was able to log in from an Android phone.
The MPPE encryption type I changed to Required (in the mschap module), but as you
can see it is working with that as well.
This is the only difference in the reply packet.
Peter Dudas
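An added example (Python; not from Peter's post and not FreeRADIUS code): the 8-byte --challenge that rlm_mschap passes to ntlm_auth in the debug above is not the MS-CHAP-Challenge attribute itself but RFC 2759's ChallengeHash over the peer challenge carried inside MS-CHAP2-Response, the MS-CHAP-Challenge, and the bare User-Name. The script below parses the MS-CHAP2-Response layout from RFC 2548 and reproduces both expanded values from the attributes quoted in the log, which lets an operator check that a debug dump is internally consistent.

```python
import hashlib
from dataclasses import dataclass

# Attribute values copied from the radiusd -X output quoted in the post above.
MS_CHAP_CHALLENGE = bytes.fromhex("8ef379a65af2caa31bc58658cecfb468")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "3200b3c3cbfae01b4a336b36a956fd00a601"              # Ident, Flags, Peer-Challenge
    "0000000000000000"                                  # Reserved (8 zero bytes)
    "b8e93f963a8a27ecd54c3bda0ffed73bf110dfae7bc9868b"  # NT-Response
)
USER_NAME = "Peter Dudas"


@dataclass(frozen=True)
class MsChap2Response:
    """Fields of the 50-byte MS-CHAP2-Response attribute (RFC 2548, 2.3.2)."""
    ident: int
    flags: int
    peer_challenge: bytes  # 16 bytes
    nt_response: bytes     # 24 bytes


def parse_mschap2_response(raw: bytes) -> MsChap2Response:
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    if any(raw[18:26]):
        raise ValueError("Reserved field of MS-CHAP2-Response must be zero")
    return MsChap2Response(raw[0], raw[1], raw[2:18], raw[26:50])


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759, 8.2: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_arguments(authenticator_challenge: bytes, response: bytes,
                        user_name: str) -> dict:
    """Recompute what rlm_mschap expands for %{mschap:Challenge} and
    %{mschap:NT-Response}; a DOMAIN\\ prefix on the name is stripped first."""
    parsed = parse_mschap2_response(response)
    bare_name = user_name.rsplit("\\", 1)[-1]
    return {
        "challenge": challenge_hash(parsed.peer_challenge,
                                    authenticator_challenge, bare_name).hex(),
        "nt-response": parsed.nt_response.hex(),
    }
```

Running `ntlm_auth_arguments(MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE, USER_NAME)` should give back exactly the --challenge and --nt-response values that appear in the EXPAND lines of the debug.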