Authenticate via AD and via local "users" file

Wed Feb 28 18:53:12 CET 2018

Hi everyone,

I'm using a pfsense server as captive portal to authenticate users on my
WiFi network. The captive portal is set to interrogate my freeradius server.

My freeradius server can already authenticate users via my AD using
winbind. I also need local account (via "users" file) to create some
temporary "WiFi" account for guests.

My problem is that it seems that when freeradius receive an mschap request,
it only interrogate the AD and do not check the local "users" file :

*Radtest output :*

*root at radius:/etc/freeradius/3.0# radtest test hello localhost 0
testing123Sent Access-Request Id 221 from 0.0.0.0:55019
<http://0.0.0.0:55019> to 127.0.0.1:1812 <http://127.0.0.1:1812> length
74    User-Name = "test"    User-Password = "hello"    NAS-IP-Address =
127.0.1.1    NAS-Port = 0    Message-Authenticator = 0x00
Cleartext-Password = "hello"Received Access-Accept Id 221 from
127.0.0.1:1812 <http://127.0.0.1:1812> to 0.0.0.0:0 <http://0.0.0.0:0>
length 20root at radius:/etc/freeradius/3.0# radtest -t mschap test hello
localhost 0 testing123Sent Access-Request Id 57 from 0.0.0.0:45981
<http://0.0.0.0:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length
130    User-Name = "test"    MS-CHAP-Password = "hello"    NAS-IP-Address =
127.0.1.1    NAS-Port = 0    Message-Authenticator = 0x00
Cleartext-Password = "hello"    MS-CHAP-Challenge = 0x721c5f615cce85ee
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5Received
Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to
0.0.0.0:0 <http://0.0.0.0:0> length 61    MS-CHAP-Error = "\000E=648 R=0
C=36f192b64ad8bf50 V=2"(0) -: Expected Access-Accept got Access-Reject*
*freeradius -X output :*

*1) Received Access-Request Id 57 from 127.0.0.1:45981
<http://127.0.0.1:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length
130(1)   User-Name = "test"(1)   NAS-IP-Address = 127.0.1.1(1)   NAS-Port =
0(1)   Message-Authenticator = 0x2ac9eeb221acb45d57e63c7670667269(1)
MS-CHAP-Challenge = 0x721c5f615cce85ee(1)   MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5(1)
# Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default(1)   authorize {(1)     policy
filter_username {(1)       if (&User-Name) {(1)       if (&User-Name)  ->
TRUE(1)       if (&User-Name)  {(1)         if (&User-Name =~ / /)
{(1)         if (&User-Name =~ / /)  -> FALSE(1)         if (&User-Name =~
/@[^@]*@/ ) {(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE(1)
if (&User-Name =~ /\.\./ ) {(1)         if (&User-Name =~ /\.\./ )  ->
FALSE(1)         if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))  {(1)         if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))   -> FALSE(1)         if (&User-Name =~ /\.$/)
{(1)         if (&User-Name =~ /\.$/)   -> FALSE(1)         if (&User-Name
=~ /@\./)  {(1)         if (&User-Name =~ /@\./)   -> FALSE(1)       } # if
(&User-Name)  = notfound(1)     } # policy filter_username =
notfound(1)     [preprocess] = ok(1)     [chap] = noop(1) mschap: Found
MS-CHAP attributes.  Setting 'Auth-Type  = mschap'(1)     [mschap] =
ok(1)     [digest] = noop(1) suffix: Checking for suffix after "@"(1)
suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No
such realm "NULL"(1)     [suffix] = noop(1) eap: No EAP-Message, not doing
EAP(1)     [eap] = noop(1) files: users: Matched entry test at line
1(1)     [files] = ok(1)     [expiration] = noop(1)     [logintime] =
noop(1) pap: WARNING: Auth-Type already set.  Not setting to PAP(1)
[pap] = noop(1)   } # authorize = ok(1) Found Auth-Type = mschap(1) #
Executing group from file /etc/freeradius/3.0/sites-enabled/default(1)
authenticate {(1) mschap: Found Cleartext-Password, hashing to create
NT-Password(1) mschap: Found Cleartext-Password, hashing to create
LM-Password(1) mschap: Client is using MS-CHAPv1 with NT-Password(1)
mschap: EXPAND %{mschap:User-Name}(1) mschap:    --> testrlm_mschap
(mschap): Reserved connection (0)(1) mschap: sending authentication request
user='test' domain='lan.domain.tld'rlm_mschap (mschap): Released connection
(0)rlm_mschap (mschap): Need 5 more connections to reach 10
sparesrlm_mschap (mschap): Opening additional connection (5), 1 of 27
pending slots used(1) mschap: ERROR: No such user [0xC0000064](1) mschap:
ERROR: Password has expired.  User should retry authentication(1)
[mschap] = reject(1)   } # authenticate = reject(1) Failed to authenticate
the user(1) Using Post-Auth-Type Reject(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default(1)   Post-Auth-Type REJECT {(1)
attr_filter.access_reject: EXPAND %{User-Name}(1)
attr_filter.access_reject:    --> test(1) attr_filter.access_reject:
Matched entry DEFAULT at line 11(1)     [attr_filter.access_reject] =
updated(1)     [eap] = noop(1)     policy remove_reply_message_if_eap
{(1)       if (&reply:EAP-Message && &reply:Reply-Message) {(1)       if
(&reply:EAP-Message && &reply:Reply-Message)  -> FALSE(1)       else
{(1)         [noop] = noop(1)       } # else = noop(1)     } # policy
remove_reply_message_if_eap = noop(1)   } # Post-Auth-Type REJECT =
updated(1) Delaying response for 1.000000 secondsWaking up in 0.3
seconds.Waking up in 0.6 seconds.(1) Sending delayed response(1) Sent
Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to
127.0.0.1:45981 <http://127.0.0.1:45981> length 61(1)   MS-CHAP-Error =
"\000E=648 R=0 C=36f192b64ad8bf50 V=2"Waking up in 3.9 seconds.(1) Cleaning
up request packet ID 57 with timestamp +19*
Does anyone has an idea how i can use both authentication methods (AD and
"local") simultaneously ?

Thanks in advance.

Regards,

*Benjamin Dupalut*
Administrateur système et réseau
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr