MS-CHAP modules
Chris Howley
C.P.Howley at leeds.ac.uk
Mon Jan 30 12:10:32 CET 2017
Hi,
Thank you for your advice on the use of multiple MSCHAP modules. I made the changes that were suggested but I'm still unable to authenticate users in different realms.
Thanks
Chris
In the authorize section of the inner-tunnel server.
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
I have defined two mschap modules (mschap_ds and mschap_admin) and made the following changes in the inner-tunnel authenticate section.
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
    if ("%{outer.request:User-Name}" =~ /@realm$/i) {
        mschap-ds {
            ok = return
        }
    }
    else {
        mschap-admin {
            ok = return
        }
    }
}
#
# For old names, too.
#mschap <-- I commented out this entry
The authentication of a user in either realm failed with the following error message.
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x93ae5ad093a740b0
(9) eap: Finished EAP session with state 0x93ae5ad093a740b0
(9) eap: Previous EAP request found for state 0x93ae5ad093a740b0, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
(9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) eap: Sending EAP Failure (code 4) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = reject
(9) } # authenticate = reject
(9) Failed to authenticate the user
(9) Login incorrect: [user_a] (from client localhost port 0 via TLS tunnel)
(9) Using Post-Auth-Type Reject
If I uncomment the following
# For old names, too.
mschap
I'm able to authenticate a user in one realm but not the other.
(21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0xf0a763cef0ae799b
(21) eap: Finished EAP session with state 0xf0a763cef0ae799b
(21) eap: Previous EAP request found for state 0xf0a763cef0ae799b, released from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(21) eap_mschapv2: authenticate {
(21) mschap: Creating challenge hash with username: XXXXXX
(21) mschap: Client is using MS-CHAPv2
(21) mschap: EXPAND %{Stripped-User-Name}
(21) mschap: --> XXXXXX
rlm_mschap (mschap): Reserved connection (1)
(21) mschap: sending authentication request user='XXXXXX' domain='ADMIN'
rlm_mschap (mschap): Released connection (1)
rlm_mschap (mschap): Need 9 more connections to reach 20 spares
rlm_mschap (mschap): Opening additional connection (11), 1 of 53 pending slots used
(21) mschap: ERROR: No such user [0xC0000064]
(21) mschap: ERROR: Password has expired. User should retry authentication
(21) [mschap] = reject
(21) } # authenticate = reject
(21) eap: Sending EAP Failure (code 4) ID 9 length 4
(21) eap: Freeing handler
(21) [eap] = reject
(21) } # authenticate = reject
(21) Failed to authenticate the user
I
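As an added example (not part of Chris's post or of FreeRADIUS itself), a small Python parser that groups radiusd -X lines like those quoted above by request id and pulls out each module's result, any NT status code, and the "Auth-Type sub-section not found" warning, so it is quicker to see which module rejected a request and why. The sample log is constructed from the lines quoted in the post.

```python
import re
from collections import defaultdict

# Line shapes from radiusd -X output: "(id) rest", "[module] = result",
# and "ERROR: <text> [0xNTSTATUS]".  rlm_mschap pool lines carry no id.
REQ_RE = re.compile(r'^\((\d+)\)\s+(.*)$')
RESULT_RE = re.compile(r'^\[(\S+)\]\s*=\s*(\w+)$')
NTSTATUS_RE = re.compile(r'ERROR:\s*(.*?)\s*\[(0x[0-9A-Fa-f]{8})\]')
AUTHTYPE_MISSING = 'Auth-Type sub-section not found'

# Constructed sample, abbreviated from the two debug excerpts above.
SAMPLE_LOG = """\
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
(9) eap: Sending EAP Failure (code 4) ID 9 length 4
(9) [eap] = reject
(9) } # authenticate = reject
(21) mschap: Client is using MS-CHAPv2
rlm_mschap (mschap): Reserved connection (1)
(21) mschap: sending authentication request user='XXXXXX' domain='ADMIN'
(21) mschap: ERROR: No such user [0xC0000064]
(21) mschap: ERROR: Password has expired. User should retry authentication
(21) [mschap] = reject
(21) } # authenticate = reject
(21) [eap] = reject
"""


def parse_debug_log(text):
    """Return {request_id: {'modules': [(name, result)],
    'nt_status': [(code, message)], 'auth_type_missing': bool}}."""
    reqs = defaultdict(lambda: {'modules': [], 'nt_status': [],
                                'auth_type_missing': False})
    for raw in text.splitlines():
        m = REQ_RE.match(raw.strip())
        if not m:
            continue  # connection-pool chatter, not tied to a request
        rid, body = int(m.group(1)), m.group(2)
        entry = reqs[rid]
        res = RESULT_RE.match(body)
        if res:
            entry['modules'].append((res.group(1), res.group(2)))
        nt = NTSTATUS_RE.search(body)
        if nt:
            entry['nt_status'].append((nt.group(2), nt.group(1)))
        if AUTHTYPE_MISSING in body:
            entry['auth_type_missing'] = True
    return dict(reqs)


def rejected_requests(reqs):
    """Request ids whose final module result was a reject, in order."""
    return sorted(rid for rid, e in reqs.items()
                  if e['modules'] and e['modules'][-1][1] == 'reject')
```

Running it over a full -X capture separates the "no Auth-Type section reached" failures (request 9 above) from failures where the mschap module ran and the domain controller answered with an NT status code (request 21).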
More information about the Freeradius-Users mailing list