Ms-Chap + NT-Password
Anton Kiryushkin
swood at fotofor.biz
Sat Dec 22 00:28:47 CET 2018
Hello, Alan!
Thank you very much for your explanation. I fixed one of my problems. But
there is one more, unfortunately. Could you please tell me why some clients
still can't log in:
(100) User-Name = "userlogin"
(100) NAS-Port = 158
(100) State = 0xdfe5d421d9edcd166308d87da9087b41
(100) EAP-Message = 0x020800351900170303002abc4c2d588a812994d7637b8cf7c8e557548e904bb34346565f494f3aaa80e6d18234158a7c557d7aa815
(100) Message-Authenticator = 0x2234a8c507c202ab49305ca9dfd9cd31
(100) Acct-Session-Id = "8O2.1x811d6dbc00069635"
(100) NAS-Port-Id = "ge-6/0/25.0"
(100) Calling-Station-Id = "68-05-ca-1c-a5-b0"
(100) Called-Station-Id = "88-e0-f3-b0-d6-00"
(100) NAS-IP-Address = 192.168.7.2
(100) NAS-Identifier = "sw-ex6210"
(100) NAS-Port-Type = Ethernet
(100) session-state: No cached attributes
(100) # Executing section authorize from file /etc/raddb/sites-enabled/default
(100) authorize {
(100) if (!control:Cleartext-Password && &User-Password) {
(100) if (!control:Cleartext-Password && &User-Password) -> FALSE
(100) if (config:User-Password && config:Cleartext-Password) {
(100) if (config:User-Password && config:Cleartext-Password) -> FALSE
(100) [preprocess] = ok
(100) [chap] = noop
(100) [mschap] = noop
(100) suffix: Checking for suffix after "@"
(100) suffix: No '@' in User-Name = "userlogin", looking up realm NULL
(100) suffix: No such realm "NULL"
(100) [suffix] = noop
(100) eap: Peer sent EAP Response (code 2) ID 8 length 53
(100) eap: Continuing tunnel setup
(100) [eap] = ok
(100) } # authorize = ok
(100) Found Auth-Type = eap
(100) # Executing group from file /etc/raddb/sites-enabled/default
(100) authenticate {
(100) eap: Expiring EAP session with state 0xf92482fcf82c861b
(100) eap: Finished EAP session with state 0xdfe5d421d9edcd16
(100) eap: Previous EAP request found for state 0xdfe5d421d9edcd16, released from the list
(100) eap: Peer sent packet with method EAP PEAP (25)
(100) eap: Calling submodule eap_peap to process data
(100) eap_peap: Continuing EAP-TLS
(100) eap_peap: [eaptls verify] = ok
(100) eap_peap: Done initial handshake
(100) eap_peap: [eaptls process] = ok
(100) eap_peap: Session established. Decoding tunneled attributes
(100) eap_peap: PEAP state phase2
(100) eap_peap: EAP method MD5 (4)
(100) eap_peap: Got tunneled request
(100) eap_peap: EAP-Message = 0x0208001604103e503e5f6c109089add772abaf6ec360
(100) eap_peap: Setting User-Name to userlogin
(100) eap_peap: Sending tunneled request to default
(100) eap_peap: EAP-Message = 0x0208001604103e503e5f6c109089add772abaf6ec360
(100) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(100) eap_peap: User-Name = "userlogin"
(100) eap_peap: State = 0xf92482fcf82c861be33a289febd6a3c6
(100) Virtual server default received request
(100) EAP-Message = 0x0208001604103e503e5f6c109089add772abaf6ec360
(100) FreeRADIUS-Proxied-To = 127.0.0.1
(100) User-Name = "userlogin"
(100) State = 0xf92482fcf82c861be33a289febd6a3c6
(100) WARNING: Outer and inner identities are the same. User privacy is compromised.
(100) server default {
(100) session-state: No cached attributes
(100) # Executing section authorize from file /etc/raddb/sites-enabled/default
(100) authorize {
(100) if (!control:Cleartext-Password && &User-Password) {
(100) if (!control:Cleartext-Password && &User-Password) -> FALSE
(100) if (config:User-Password && config:Cleartext-Password) {
(100) if (config:User-Password && config:Cleartext-Password) -> FALSE
(100) [preprocess] = ok
(100) [chap] = noop
(100) [mschap] = noop
(100) suffix: Checking for suffix after "@"
(100) suffix: No '@' in User-Name = "userlogin", looking up realm NULL
(100) suffix: No such realm "NULL"
(100) [suffix] = noop
(100) eap: Peer sent EAP Response (code 2) ID 8 length 22
(100) eap: No EAP Start, assuming it's an on-going EAP conversation
(100) [eap] = updated
(100) sql-wifi: EXPAND %{User-Name}
(100) sql-wifi: --> userlogin
(100) sql-wifi: SQL-User-Name set to 'userlogin'
rlm_sql (sql-wifi): Reserved connection (0)
(100) sql-wifi: EXPAND SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE username = '%{SQL-User-Name}' ORDER BY id
(100) sql-wifi: --> SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE username = 'userlogin' ORDER BY id
(100) sql-wifi: Executing select query: SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE username = 'userlogin' ORDER BY id
(100) sql-wifi: User found in radcheck table
(100) sql-wifi: Conditional check items matched, merging assignment check items
(100) sql-wifi: NT-Password := 0xc6fd69aa559296b7835e39ef243c7304
(100) sql-wifi: EXPAND SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = '%{SQL-User-Name}' ORDER BY id
(100) sql-wifi: --> SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'userlogin' ORDER BY id
(100) sql-wifi: Executing select query: SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'userlogin' ORDER BY id
(100) sql-wifi: EXPAND SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='%{SQL-User-Name}'
(100) sql-wifi: --> SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='userlogin'
(100) sql-wifi: Executing select query: SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='userlogin'
(100) sql-wifi: User found in the group table
(100) sql-wifi: EXPAND SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY id
(100) sql-wifi: --> SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id
(100) sql-wifi: Executing select query: SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id
(100) sql-wifi: Group "Officewifi": Conditional check items matched
(100) sql-wifi: Group "Officewifi": Merging assignment check items
(100) sql-wifi: NT-Password := 0xc6fd69aa559296b7835e39ef243c7304
(100) sql-wifi: EXPAND SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY id
(100) sql-wifi: --> SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id
(100) sql-wifi: Executing select query: SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id
(100) sql-wifi: Group "Officewifi": Merging reply items
(100) sql-wifi: NT-Password := 0xc6fd69aa559296b7835e39ef243c7304
rlm_sql (sql-wifi): Released connection (0)
(100) [sql-wifi] = ok
(100) pap: WARNING: Auth-Type already set. Not setting to PAP
(100) [pap] = noop
(100) } # authorize = updated
(100) Found Auth-Type = eap
(100) # Executing group from file /etc/raddb/sites-enabled/default
(100) authenticate {
(100) eap: Expiring EAP session with state 0xf92482fcf82c861b
(100) eap: Finished EAP session with state 0xf92482fcf82c861b
(100) eap: Previous EAP request found for state 0xf92482fcf82c861b, released from the list
(100) eap: Peer sent packet with method EAP MD5 (4)
(100) eap: Calling submodule eap_md5 to process data
(100) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(100) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed
(100) eap: Sending EAP Failure (code 4) ID 8 length 4
(100) eap: Failed in EAP select
(100) [eap] = invalid
(100) } # authenticate = invalid
(100) Failed to authenticate the user
I suppose the main problem comes from this line:
(100) eap_peap: EAP method MD5 (4)
But I haven't enabled this type of authorization:
eap {
default_eap_type = peap
Nor in the ttls section:
ttls {
tls = tls-common
default_eap_type = peap
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
Perhaps I should have two versions of the hashes, one for wifi and one for ethernet authorization?
On Fri, 21 Dec 2018 at 00:13, Alan DeKok <aland at deployingradius.com> wrote:
> On Dec 20, 2018, at 6:18 PM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> > You're right. My fault. Please see log below:
>
> Thanks.
> > ...
> > (9) sql-wifi: Conditional check items matched, merging assignment check items
> > (9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138
>
> Again... that's all ASCII data. You've taken the hex form of the string:
>
> c6b3130627678fe66baf958aea5ef618
>
> And instead of just putting this into SQL:
>
> NT-Password := 0xc6b3130627678fe66baf958aea5ef618
>
> You've converted the ASCII representation to hex again... and then set
> that as the NT password.
>
> Don't do that.
>
> > ...
> > (9) eap_mschapv2: Auth-Type MS-CHAP {
> > (9) mschap: WARNING: NT-Password found but incorrect length, expected 16 bytes got 12 bytes. Authentication may fail
>
> And the NT password is mangled, as noted above.
>
> Why are you converting the hex string to ASCII *twice*? Just take the
> output of smbencrypt, put a "0x" in front of it, and set it as NT-Password
> in the database:
>
> Again:
>
> $ smbencrypt hello
> LM Hash NT Hash
> -------------------------------- --------------------------------
> FDA95FBECA288D44AAD3B435B51404EE 066DDFD4EF0E9CD7C256FE77191EF43C
>
> And then:
>
> NT-Password := 0x066DDFD4EF0E9CD7C256FE77191EF43C
>
> You *don't* have to hex-encode the hex output of smbencrypt.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Best regards,
Anton Kiryushkin
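A worked example for the point Alan makes about the NT-Password value, added here and not part of the original thread or of FreeRADIUS itself. The NT hash is MD4 over the UTF-16LE encoding of the password (that is what the "NT Hash" column of smbencrypt prints), and the value stored in SQL must be "0x" followed by those 32 hex digits, decoding to exactly 16 bytes. The block computes that value, reproduces the double-encoding mistake from the earlier log (hex-encoding the hex string a second time, which is how "c6b313..." became "0x6336623331..."), and checks a stored value before it goes into the database: a 64-hex-digit value whose bytes are themselves ASCII hex digits is reported as double-encoded, with the corrected value. A pure-Python MD4 is included because OpenSSL 3 moved MD4 to its legacy provider and hashlib.new("md4") is not available everywhere; the function names are this example's own. The value in the current log (0xc6fd69aa...) passes this check, so the remaining failure is a different problem: the inner method negotiated inside PEAP is EAP-MD5, and eap_md5 refuses to run with only an NT-Password.

```python
"""Build and sanity-check NT-Password values for a FreeRADIUS SQL backend.

Added example, not code from the thread or from FreeRADIUS. Function names
(nt_password_value, check_nt_password_value, ...) are this example's own.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is absent on OpenSSL 3 hosts)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                      # round 1: words in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2: columns 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3: 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): 16 bytes, unsalted."""
    return md4(password.encode("utf-16-le"))


def nt_password_value(password: str) -> str:
    """The value to put in the database: 0x plus the 32 hex digits smbencrypt prints."""
    return "0x" + nt_hash(password).hex().upper()


def double_encoded_value(password: str) -> str:
    """Reproduces the mistake from the thread: hex-encoding the hex string again."""
    return "0x" + nt_hash(password).hex().encode("ascii").hex()


def check_nt_password_value(value: str):
    """Validate a stored NT-Password value. Returns (ok, message, suggested_value)."""
    body = value[2:] if value[:2].lower() == "0x" else value
    try:
        raw = bytes.fromhex(body)
    except ValueError:
        return False, "not a hex string", None
    if len(raw) == 16:
        return True, "16-byte NT hash", "0x" + raw.hex().upper()
    if len(raw) == 32:
        # 32 bytes that are all ASCII hex digits is the tell-tale of hex-encoding twice
        try:
            inner = bytes.fromhex(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            inner = None
        if inner is not None and len(inner) == 16:
            return False, "hex-encoded twice; decode once", "0x" + inner.hex().upper()
    return False, f"expected 16 bytes, got {len(raw)}", None


if __name__ == "__main__":
    # The thread's own example: smbencrypt hello -> NT hash 066DDFD4EF0E9CD7C256FE77191EF43C
    print("hello ->", nt_password_value("hello"))
    print("mangled:", double_encoded_value("hello"))
    print(check_nt_password_value(double_encoded_value("hello")))
    # Value from the earlier (broken) log in the thread
    print(check_nt_password_value(
        "0x6336623331333036323736373866653636626166393538616561356566363138"))
```

Run the check over the pass_hash column before blaming the server: an NT-Password of any length other than 16 bytes will be rejected by mschap regardless of how the EAP tunnel is configured.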