mschap confusion

Christian Salway christian.salway at naimuri.com
Fri Nov 16 08:24:01 CET 2018


Is it possible to have 2 paths for authentication on the same freeRadius server?

1) In on UDP:1812 from VPN server which uses eap-mschapv2 and authenticates against Active Directory using LDAP and ntlm_auth.
2) In on UDP:1812 from AWS which uses PAP and needs to send a request to Duo over TCP:443.

Or is it better to have two radius servers?



> On 16 Nov 2018, at 07:13, Christian Salway <christian.salway at naimuri.com> wrote:
> 
> Hi Alan,
> 
> Thank you for your reply.  I found the issue.  AWS Directory Services does not send the password but the OTP (Multi Factor Authentication) as the password, as shown below.  AWS Directory Services does its own authentication against AD before sending the MFA code to the Radius server... 
> 
> (2) Received Access-Request Id 2 from 10.0.14.211:54344 to 10.0.0.247:1812 length 80
> (2)   NAS-IP-Address = 127.0.0.1
> (2)   User-Name = "christian.salway"
> (2)   User-Password = "12345"  <-- this is the MFA OTP
> (2)   Message-Authenticator = 0xcb2db23d5324ea83618f807cec4c6c6d
> 
> C
> 
>> On 16 Nov 2018, at 00:00, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>> On Nov 15, 2018, at 9:01 AM, Christian Salway via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> 
>>> I don't understand what is failing here...
>>> 
>>> when i run `radtest -t mschap christian.salway pa$$word 10.0.0.247 0 testing123`
>>> 
>>> the response is
>> 
>>  It's typically good to look at *ALL* of the debug output.  You can't just look at a tiny piece of the output and expect to understand the whole thing.
>> 
>>> (3)   authenticate {
>>> (3) mschap: Client is using MS-CHAPv1 with NT-Password
>> ...
>>> (3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge
>> 
>>  That seems to be clear enough.
>> 
>>  The server isn't receiving an MS-CHAP2-Response attribute.
>> 
>>> and if i try it with MS-CHAPv2
>>> 
>>> (7)   authenticate {
>>> (7) mschap: Creating challenge hash with username: christian.salway
>>> (7) mschap: Client is using MS-CHAPv2
>>> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>>> (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>>> (7) mschap:    --> --username=christian.salway
>>> (7) mschap: Creating challenge hash with username: christian.salway
>>> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>>> (7) mschap:    --> --challenge=87096cbcc288f585
>>> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>>> (7) mschap:    --> --nt-response=69ebf16ddad737fbaa5315235a9316fe9ccb5fcbc06c07e2
>>> (7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
>> 
>>  AD is rejecting the user.  This unfortunately is out of the control of FreeRADIUS.
>> 
>>> what's going on?!
>> 
>>  AD is rejecting the user.  Ask AD what the user's password is.  And, why it's rejecting the user.
>> 
>>  The MS-CHAP calculations have been known, and known to work, for about 20 years.  If AD is rejecting this with "Logon failure", then:
>> 
>> a) the user's password in AD is not what the user entered on their system
>> 
>> b) the user's account is locked out, or doesn't exist, or has another administrative setting that says "reject them"
>> 
>>  There really are no other options here.
>> 
>>  Try *simplifying* the problem.  Instead of going to AD, configure a local password for the user.  One that you can't get wrong.  Then, try it with AWS.  If that fails, then my guess is that AWS is broken.
>> 
>>  And post the *full* debug output here.  ALL of it.
>> 
>>  Alan DeKok.
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
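
The three failure signatures this thread works through (an MS-CHAPv1 attempt with no MS-CHAP2-Response, ntlm_auth reporting an AD logon failure, and a short numeric "password" that is really an OTP) are easy to miss in a full `radiusd -X` dump. The following triage script is an added example, not code from the thread or from FreeRADIUS: it scans debug lines, matches those signatures, and explains each one the way the replies above do. The sample debug text is constructed from the lines quoted in the thread, and the OTP heuristic (a 4 to 8 digit all-numeric User-Password) is an assumption, not a FreeRADIUS rule.

```python
import re

# Constructed sample, modelled on the radiusd -X output quoted in this thread:
# one PAP request carrying a short numeric User-Password, one MS-CHAPv1 attempt
# without an MS-CHAP2-Response, and one MS-CHAPv2 attempt rejected by ntlm_auth.
SAMPLE_DEBUG = """\
(2) Received Access-Request Id 2 from 10.0.14.211:54344 to 10.0.0.247:1812 length 80
(2)   User-Name = "christian.salway"
(2)   User-Password = "12345"
(3) mschap: Client is using MS-CHAPv1 with NT-Password
(3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge
(7) mschap: Creating challenge hash with username: christian.salway
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
"""

# What each signature means for the operator, following the diagnosis given in the thread.
EXPLANATIONS = {
    "missing_mschap2_response": (
        "the request carries no MS-CHAP2-Response attribute, so the client "
        "(or radtest) did not actually perform MS-CHAPv2"),
    "ad_logon_failure": (
        "ntlm_auth reached AD and AD rejected the logon: wrong password, "
        "locked or missing account, or another policy on the AD side"),
    "otp_in_user_password": (
        "User-Password is a short all-digit value, which looks like an OTP "
        "forwarded in place of the password (as AWS Directory Services does)"),
}

_REQ_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(7) mschap: ..." -> id, body
_USER_PASSWORD = re.compile(r'^User-Password = "([^"]*)"')
_NT_STATUS = re.compile(r"Logon failure \((0x[0-9a-fA-F]{8})\)")  # NTSTATUS code from ntlm_auth


def looks_like_otp(value):
    """Assumed heuristic: a 4-8 digit numeric secret is far more likely an OTP than a password."""
    return value.isdigit() and 4 <= len(value) <= 8


def triage(debug_text):
    """Return one finding dict per recognised failure signature, in file order."""
    findings = []
    for line in debug_text.splitlines():
        m = _REQ_LINE.match(line)
        if not m:
            continue
        request_id, body = int(m.group(1)), m.group(2)
        if "MS-CHAP2-Response is required" in body:
            findings.append({"request": request_id, "kind": "missing_mschap2_response"})
            continue
        status = _NT_STATUS.search(body)
        if status:
            findings.append({"request": request_id, "kind": "ad_logon_failure",
                             "nt_status": status.group(1)})
            continue
        pw = _USER_PASSWORD.match(body)
        if pw and looks_like_otp(pw.group(1)):
            findings.append({"request": request_id, "kind": "otp_in_user_password"})
    return findings


def explain(findings):
    """Render findings as one line each for a human reading the debug output."""
    return [f"request {f['request']}: {EXPLANATIONS[f['kind']]}" for f in findings]


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_DEBUG)):
        print(line)
```

Run it against a saved `radiusd -X` capture (`triage(open("debug.txt").read())`); it only reports the signatures discussed here, so an empty result means "look at the rest of the output", not "nothing is wrong".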