authenticate against SHA2 hash in EAP-MSCHAPv2

Volodymyr Litovka doka.ua at gmx.com
Wed Feb 28 11:34:46 CET 2018


Hi colleagues,

I'm pretty new to FreeRADIUS and I seem to be missing something that will allow 
me to authenticate MSCHAP users against stored SHA256 hashes.

Having the following entries in the "users" file:

#doka   Cleartext-Password := "q1w2e3"
doka    SHA2-Password := "AE5A853873043C7B011C6300C464D8D4014BF833697A3C01817D83AA91A53166"

I'm trying to authenticate strongSwan connections, which use 
EAP-MSCHAPv2. In both cases, FreeRADIUS notes that "pap: WARNING: 
Auth-Type already set. Not setting to PAP", but while it's not required 
with Cleartext-Password, it's required (but not called) for SHA2-Password:

There are two different debugs:

1) for clear-text password it works:

(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry doka at line 68
(1) files: EXPAND Hello, %{User-Name}
(1) files:    --> Hello, doka
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xa83c0023a83d1a89
(1) eap: Finished EAP session with state 0xa83c0023a83d1a89
(1) eap: Previous EAP request found for state 0xa83c0023a83d1a89, released from the list
(1) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(1) eap: Calling submodule eap_mschapv2 to process data
(1) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) eap_mschapv2:   authenticate {
(1) mschap: Found Cleartext-Password, hashing to create NT-Password
(1) mschap: Found Cleartext-Password, hashing to create LM-Password
(1) mschap: Creating challenge hash with username: doka
(1) mschap: Client is using MS-CHAPv2
(1) mschap: Adding MS-CHAPv2 MPPE keys
(1)     [mschap] = ok
(1)   } # authenticate = ok
(1) MSCHAP Success

2) while as soon as I switch to SHA2-Password, it stops authenticating 
requests:

(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry doka at line 69
(1) files: EXPAND Hello, %{User-Name}
(1) files:    --> Hello, doka
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: Normalizing SHA2-Password from hex encoding, 64 bytes -> 32 bytes
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x1ba8bb871ba9a1a0
(1) eap: Finished EAP session with state 0x1ba8bb871ba9a1a0
(1) eap: Previous EAP request found for state 0x1ba8bb871ba9a1a0, released from the list
(1) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(1) eap: Calling submodule eap_mschapv2 to process data
(1) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) eap_mschapv2:   authenticate {
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(1) mschap: Creating challenge hash with username: doka
(1) mschap: Client is using MS-CHAPv2
(1) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1)     [mschap] = reject
(1)   } # authenticate = reject
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Freeing handler
(1)     [eap] = reject
(1)   } # authenticate = reject
(1) Failed to authenticate the user

Configuration is the following:

1) sites-enabled/default:
authorize {
     filter_username
     preprocess
     auth_log
     chap
     mschap
     digest
     suffix
     eap {
         ok = return
     }
     files
     -sql
     -ldap
     expiration
     logintime
     pap
}
authenticate {
     Auth-Type PAP {
         pap
     }
     Auth-Type CHAP {
         chap
     }
     Auth-Type MS-CHAP {
         mschap
     }
     mschap
     digest
     eap
}

2) mods-enabled/eap:
eap {
     default_eap_type = mschapv2
     timer_expire     = 60
     ignore_unknown_eap_types = no
     cisco_accounting_username_bug = no
     max_sessions = ${max_requests}
     md5 {
     }
     mschapv2 {
     }
}

3) mods-enabled/mschap (unmodified):
mschap {
     pool {
         start = ${thread[pool].start_servers}
         min = ${thread[pool].min_spare_servers}
         max = ${thread[pool].max_servers}
         spare = ${thread[pool].max_spare_servers}
         uses = 0
         retry_delay = 30
         lifetime = 86400
         cleanup_interval = 300
         idle_timeout = 600
     }
     passchange {
     }
}

4) mods-enabled/pap (unmodified):
pap {
}

I will greatly appreciate any help on working around this issue. Please.

Thank you!

--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison

