mschap: eapol_test peap/mschap fails
Peter Kain
peter.kain at pepperdine.edu
Tue Feb 26 22:36:24 CET 2019
Hi,
First time poster.
I've been tasked with setting up a freeRADIUS (FR) server in order to
join eduroam under the following conditions: authentication against
Active Directory where we have two domains, the realm passed doesn't
indicate the AD domain, and I can only join one domain "domainA", but
there's trust between the domains.
realm = user@uni.edu
domainA.ad.uni.edu
domainB.ad.uni.edu
I've built a CentOS 7 server with FR 3.0.13 and winbind 4.8.3. Joined
the server to the first domain and I'm able to authenticate users
against both domains using the ntlm_auth command.
As a first step, following the posted instructions "Configuring
Authentication with Active Directory" I edited the mschap to use
ntlm_auth setting "--domain=domainA". And I've set radiusd to run as
root. Using the eapol_test program I'm able to authenticate as userA
using both "-c ttls-mschap.conf" & "-c peap-mschap.conf" and I'm able
to authenticate my iPad to our wireless. So far everything works as
expected when set up for a single domain.
file: mods-enabled/mschap
mschap {
...
ntlm_auth --domain=domainA ...
In order to authenticate to both AD domains I followed a forum posting
"PEAP and multiple domains" and created two additional domain
instances for mschap in radiusd.conf and updated both the default and
inner-tunnel sites.
raddb/radiusd.conf
...
modules {
$INCLUDE mods-enabled/
mschap mschap.domainA {
ntlm_auth = "/usr/bin/ntlm_auth --domain=domainA --allow-mschapv2 ...
}
mschap mschap.domainB {
ntlm_auth = "/usr/bin/ntlm_auth --domain=domainB --allow-mschapv2 ...
}
}
sites-enabled/inner-tunnel (updated both default and inner-tunnel)
In the "authorize {" section, if mschap isn't commented out then it
sets "Auth-Type = mschap". This seems contrary to the documentation
within the file. Again, running FR 3.0.13.
Commented out mschap, adding "mschap.domainA". This appears to set
"Auth-Type = MS-CHAP". I'm not sure how the "Auth-Type" is determined,
or why one configuration results in "Auth-Type = mschap" and another in
"Auth-Type = MS-CHAP".
authorize {
...
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
#mschap
mschap.domainA
...
authenticate {
...
Auth-Type MS-CHAP {
# mschap
group {
mschap.domainA {
reject = 1
ok = return
}
mschap.domainB {
ok = return
}
}
}
#
# For old names, too.
#
mschap
In order to make it clear in the logs, I edited mods-enabled/mschap
setting "--domain=FOO" in the ntlm_auth command.
--> eapol_test -c ttls-mschap.conf -s testing123 ... WORKS
Looking at the logs I see "Auth-Type = MS-CHAP" being set and my
defined mschap.domainA module being used. Works exactly as expected
using the modules I defined. If a user isn't found in domainA it then
searches domainB. I can authenticate to my wireless (ssid eduroam)
using an Android phone where I can set the authentication to
TTLS/mschapv2.
(6) Virtual server inner-tunnel received request
(6) User-Name = "userA"
(6) MS-CHAP-Challenge = 0x74624904a951c158262f9cd8b0abc750
(6) MS-CHAP2-Response = 0x70008158d62efd7635c9fb5b701e2fb44ee300000000000000005390d893765b4f1900adee9e21dd10f5827472b58eeb8e48
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) mschap.domainA: Found MS-CHAP attributes. Setting 'Auth-Type = mschap.domainA'
(6) [mschap.domainA] = ok
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "userA", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = ok
(6) Found Auth-Type = MS-CHAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type MS-CHAP {
(6) group {
(6) mschap.domainA: Creating challenge hash with username: userA
(6) mschap.domainA: Client is using MS-CHAPv2
(6) mschap.domainA: Executing: /usr/bin/ntlm_auth --request-nt-key
--allow-mschapv2
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
...
--> eapol_test -c peap-mschapv2.conf -s testing123 ... FAILS
The above test is using mods-enabled/mschap where I've set
"--domain=FOO". Tracing through the logs, it looks like the eap module
is called (expected), within eap it executes the peap section
(expected) which sets "default_eap_type = mschapv2". Not sure if I'm
saying this correctly, but the mschapv2 section is executed using the
default mschap module.
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap.domainA] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "userA", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 65
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xa3eaf94ca3e2e3ae
(8) eap: Finished EAP session with state 0xa3eaf94ca3e2e3ae
(8) eap: Previous EAP request found for state 0xa3eaf94ca3e2e3ae, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: Creating challenge hash with username: userA
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-FOO}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
My apologies for not posting the "radiusd -X" output for the failed
eapol_test. There are restrictions at my site about posting server
logs; I'm working on it.
Questions:
1) Does it look like I've made any glaring mistakes or am I on the
correct path?
2) What can I do to make peap/mschap work under these circumstances?
Any help is appreciated.
Pete K.
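Added example, not part of the original post or of the FreeRADIUS project: the values below are the User-Name, MS-CHAP-Challenge and MS-CHAP2-Response quoted from request (6) in the post, and the code reproduces what the mschap module derives from them before it expands the posted ntlm_auth template (RFC 2759 layout of MS-CHAP2-Response, the 8-byte ChallengeHash logged as "Creating challenge hash", and the NT-Domain split behind `%{%{mschap:NT-Domain}:-FOO}`). The expansion semantics assumed here are FreeRADIUS 3.0's `%{mschap:...}` xlats; the `domainB\userA` name and the `domainA` fallback are assumptions for illustration, and nothing is executed against winbind.

```python
"""Show what FreeRADIUS's mschap module hands to ntlm_auth for the inner-tunnel
request quoted in the post (added example, not the poster's or project's code)."""
import hashlib
import shlex

# Attribute values quoted in the post's debug output for request (6).
USER_NAME = "userA"
MS_CHAP_CHALLENGE = bytes.fromhex("74624904a951c158262f9cd8b0abc750")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "70008158d62efd7635c9fb5b701e2fb44ee30000000000000000"
    "5390d893765b4f1900adee9e21dd10f5827472b58eeb8e48"
)


def parse_mschap2_response(blob: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response (RFC 2759 section 4):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    if len(blob) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(blob))
    return {
        "ident": blob[0],
        "flags": blob[1],
        "peer_challenge": blob[2:18],
        "reserved": blob[18:26],
        "nt_response": blob[26:50],
    }


def split_nt_domain(user_name: str):
    """Mimic %{mschap:NT-Domain} / %{mschap:User-Name} (assumed 3.0 semantics):
    a DOMAIN\\user name is split on the backslash; a bare name has no
    NT-Domain, so %{%{mschap:NT-Domain}:-FOO} falls back to FOO."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                            user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA1(PeerChallenge ||
    AuthenticatorChallenge || UserName) truncated to 8 bytes. This is the
    value the module passes to ntlm_auth as --challenge."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_command(user_name: str, ms_chap_challenge: bytes,
                      ms_chap2_response: bytes, default_domain: str = "FOO") -> list:
    """Build the argument vector the posted ntlm_auth template expands to.
    Nothing is executed; this only shows what winbind would be asked."""
    resp = parse_mschap2_response(ms_chap2_response)
    domain, user = split_nt_domain(user_name)
    challenge = mschapv2_challenge_hash(resp["peer_challenge"], ms_chap_challenge, user)
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key", "--allow-mschapv2",
        "--username=" + user,
        "--domain=" + (domain or default_domain),   # bare user -> fallback domain
        "--challenge=" + challenge.hex(),
        "--nt-response=" + resp["nt_response"].hex(),
    ]


if __name__ == "__main__":
    # "domainB\\userA" is a constructed name showing the NT-Domain path;
    # "domainA" is an assumed fallback standing in for the post's FOO.
    for name in (USER_NAME, "domainB\\userA"):
        print(shlex.join(ntlm_auth_command(name, MS_CHAP_CHALLENGE,
                                           MS_CHAP2_RESPONSE, "domainA")))
```

Running it shows why the failing PEAP trace ends up with `--domain=FOO`: the inner User-Name is the bare `userA`, so the NT-Domain expansion has nothing to return and the alternation falls through to the literal default in whichever mschap instance the eap_mschapv2 submodule happens to call.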