Ms-Chap + NT-Password
Anton Kiryushkin
swood at fotofor.biz
Mon Dec 31 15:56:57 CET 2018
Hello, Alan.
As I understand, I need two sites for authorizing clients via wifi and
ethernet. I made a different site, and I wrote a rule to redirect users.
But when I'm checking this solution I can't understand why freeradius is
expecting Cleartext-Password instead of MD5-Password (please see the log below):
(9) Received Access-Request Id 143 from 127.0.0.1:45799 to 127.0.0.1:1812
length 72
(9) User-Name = "testier"
(9) User-Password = "password"
(9) NAS-IP-Address = 127.0.0.1
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) if (!control:Cleartext-Password && &User-Password) {
(9) if (!control:Cleartext-Password && &User-Password) -> TRUE
(9) if (!control:Cleartext-Password && &User-Password) {
(9) update control {
(9) EXPAND %{control:User-Password}
(9) -->
(9) Password-With-Header :=
(9) EXPAND %{control:User-Password}
(9) -->
(9) control:Cleartext-Password :=
(9) User-Password := ""
(9) } # update control = noop
(9) update reply {
(9) EXPAND %{control:User-Password}
(9) -->
(9) User-Password -=
(9) } # update reply = noop
(9) } # if (!control:Cleartext-Password && &User-Password) = noop
(9) if (config:User-Password && config:Cleartext-Password) {
(9) if (config:User-Password && config:Cleartext-Password) -> TRUE
(9) if (config:User-Password && config:Cleartext-Password) {
(9) update config {
(9) User-Password !* ANY
(9) } # update config = noop
(9) } # if (config:User-Password && config:Cleartext-Password) = noop
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "testuser", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: No EAP-Message, not doing EAP
(9) [eap] = noop
(9) if (NAS-IP-Address == 127.0.0.1) {
(9) if (NAS-IP-Address == 127.0.0.1) -> TRUE
(9) if (NAS-IP-Address == 127.0.0.1) {
(9) sql-wifi-ethernet: EXPAND %{User-Name}
(9) sql-wifi-ethernet: --> testuser
(9) sql-wifi-ethernet: SQL-User-Name set to 'testuser'
rlm_sql (sql-wifi-ethernet): Reserved connection (13)
(9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, username,
'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE
username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi-ethernet: --> SELECT wifi_id as id, username,
'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE
username = 'testuser' ORDER BY id
(9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id,
username, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers
WHERE username = 'testuser' ORDER BY id
(9) sql-wifi-ethernet: User found in radcheck table
(9) sql-wifi-ethernet: Conditional check items matched, merging assignment
check items
(9) sql-wifi-ethernet: MD5-Password :=
0x6c375752517179667431416e4c4f6462714d365679413d3d
(9) sql-wifi-ethernet: EXPAND SELECT id, UserName, Attribute, Value, op
FROM msk_wifi_attrs WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi-ethernet: --> SELECT id, UserName, Attribute, Value, op
FROM msk_wifi_attrs WHERE username = 'testuser' ORDER BY id
(9) sql-wifi-ethernet: Executing select query: SELECT id, UserName,
Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'testuser' ORDER
BY id
(9) sql-wifi-ethernet: EXPAND SELECT 'Officewifi' as GroupName FROM
wifiusers WHERE UserName='%{SQL-User-Name}'
(9) sql-wifi-ethernet: --> SELECT 'Officewifi' as GroupName FROM
wifiusers WHERE UserName='testuser'
(9) sql-wifi-ethernet: Executing select query: SELECT 'Officewifi' as
GroupName FROM wifiusers WHERE UserName='testuser'
(9) sql-wifi-ethernet: User found in the group table
(9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, 'Officewifi' as
GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers
WHERE Username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi-ethernet: --> SELECT wifi_id as id, 'Officewifi' as
GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers
WHERE Username = 'testuser' ORDER BY id
(9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id,
'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op
FROM wifiusers WHERE Username = 'testuser' ORDER BY id
(9) sql-wifi-ethernet: Group "Officewifi": Conditional check items matched
(9) sql-wifi-ethernet: Group "Officewifi": Merging assignment check items
(9) sql-wifi-ethernet: MD5-Password :=
0x6c375752517179667431416e4c4f6462714d365679413d3d
(9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, 'Officewifi' as
GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM
wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY
id
(9) sql-wifi-ethernet: --> SELECT wifi_id as id, 'Officewifi' as
GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM
wifiusers WHERE Username = 'testuser' ORDER BY id
(9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id,
'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as
op FROM wifiusers WHERE Username = 'testuser'
ORDER BY id
(9) sql-wifi-ethernet: Group "Officewifi": Merging reply items
(9) sql-wifi-ethernet: MD5-Password :=
0x6c375752517179667431416e4c4f6462714d365679413d3d
rlm_sql (sql-wifi-ethernet): Released connection (13)
(9) [sql-wifi-ethernet] = ok
(9) } # if (NAS-IP-Address == 127.0.0.1) = ok
(9) ... skipping else: Preceding "if" was taken
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Config already contains a "known good" password
(&control:Cleartext-Password). Ignoring &config:Password-With-Header
(9) pap: Normalizing MD5-Password from base64 encoding, 24 bytes -> 16 bytes
(9) [pap] = updated
(9) } # authorize = updated
(9) Found Auth-Type = PAP
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) Auth-Type PAP {
(9) pap: Login attempt with password
(9) pap: Comparing with "known good" Cleartext-Password
(9) pap: ERROR: Cleartext password does not match "known good" password
(9) pap: Passwords don't match
(9) [pap] = reject
(9) } # Auth-Type PAP = reject
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> testuser
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) } # Post-Auth-Type REJECT = updated
I wish you a Happy New Year. Thanks for the future answer.
Sat, 22 Dec 2018 at 13:43, Alan DeKok <aland at deployingradius.com>:
> On Dec 21, 2018, at 6:28 PM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> >
> > Thank you very much for your explanation. I fixed one of my problems. But
> > there is one more, unfortunately. Could you please tell me why some
> clients
> > still can't log in:
>
> The debug messages are clear...
> >
> > (100) eap: Peer sent packet with method EAP MD5 (4)
> > (100) eap: Calling submodule eap_md5 to process data
> > (100) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
> > authentication
>
> You need a Cleartext-Password to do EAP-MD5.
>
> The rest of the debug messages make it clear that the EAP-MD5 method is
> being used *inside* of PEAP.
>
> > I suppose, the main problem from this string:
> >
> > (100) eap_peap: EAP method MD5 (4)
> >
> > But, I haven't enabled this type of authorization:
>
> Yes, you have. You've listed "md5" inside of the "eap" module
> configuration. If you didn't list "md5" there, then FreeRADIUS would
> complain that EAP-MD5 wasn't permitted. Instead, it runs EAP-MD5.
>
> > Probably I should have two versions of hashes for wifi and ethernet
> > authorization?
>
> The debug log says you need the Cleartext-Password, not a hashed
> password. And once you have that, FreeRADIUS can do PEAP/MS-CHAP, too.
>
> Alan DeKok.
>
>
--
Best regards,
Anton Kiryushkin
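As an added illustration, not part of this thread or of FreeRADIUS itself, the following Python models why Alan's answer holds: PAP can be verified against a stored MD5-Password (the log shows rlm_pap normalizing the base64 value, 24 bytes -> 16 bytes), whereas EAP-MD5 needs the server to recompute MD5(id || cleartext || challenge) and therefore needs the Cleartext-Password (MS-CHAP likewise needs NT-Password, which is not modelled here). It also reproduces the reject in the quoted log, where the inner-tunnel unlang block left an empty Cleartext-Password in control. The attribute names are FreeRADIUS's; the dict-based control list, the helper names and the sample credential are assumptions.

```python
import base64
import hashlib


def normalize_md5_password(value: str) -> bytes:
    """rlm_pap accepts MD5-Password as base64; the log shows it normalizing
    24 base64 characters -> 16 raw digest bytes. Same check, in Python."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("MD5-Password must decode to a 16-byte digest")
    return raw


def md5_password_b64(cleartext: str) -> str:
    """Base64 form of MD5(cleartext), as the wifiusers table would store it."""
    return base64.b64encode(hashlib.md5(cleartext.encode()).digest()).decode()


def pap_authenticate(control: dict, user_password: str) -> bool:
    """Models the behaviour visible in the quoted log: a Cleartext-Password
    already present in control is the one compared, even when it is empty,
    and the MD5-Password from SQL is never consulted."""
    if "Cleartext-Password" in control:
        return user_password == control["Cleartext-Password"]
    if "MD5-Password" in control:
        return hashlib.md5(user_password.encode()).digest() == \
            normalize_md5_password(control["MD5-Password"])
    raise LookupError("no known good password in control")


def eap_md5_response(identifier: int, cleartext: str, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response (RFC 1994): MD5(id || cleartext || challenge).
    The supplicant computes this from the password the user typed."""
    return hashlib.md5(bytes([identifier]) + cleartext.encode() + challenge).digest()


def eap_md5_authenticate(control: dict, identifier: int, challenge: bytes,
                         response: bytes) -> bool:
    """The server must recompute the same digest over the cleartext; a stored
    MD5(password) cannot be turned into MD5(id || password || challenge),
    hence the 'Cleartext-Password is required for EAP-MD5' error."""
    if "Cleartext-Password" not in control:
        raise LookupError("Cleartext-Password is required for EAP-MD5")
    expected = eap_md5_response(identifier, control["Cleartext-Password"], challenge)
    return response == expected
```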