Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No

Richard Green richard.green at unsw.edu.au
Sun Feb 2 03:41:17 CET 2020


Hi list : )

With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, so the mschap module will do the authentication itself without calling ntlm_auth. However, I have failed thus far to get this working: how do I make the Cleartext-Password available?

I have set this in my policy.conf:

policy {
  # Change to a specific prefix if you want to deal with normal PAP authentication as well as OTP
  # e.g. "multiotp_prefix = 'otp:'"
  multiotp_prefix = ''
  multiotp.authorize {
    # This test forces multiOTP for any MS-CHAP(v2) attempt
    if (control:Auth-Type == MS-CHAP) {
      update control {
        Auth-Type := multiotpmschap
        MS-CHAP-Use-NTLM-Auth := No
      }
    }
    # Same test, for the lowercase spelling of the Auth-Type
    elsif (control:Auth-Type == mschap) {
      update control {
        Auth-Type := multiotpmschap
        MS-CHAP-Use-NTLM-Auth := No
      }
    }
.
.
.


radtest appears to send a Cleartext-Password (actually an OTP token which has been accepted in the authorize section):

# radtest -x -t mschap bob $(./totp.py) localhost 0 testing123
Sent Access-Request Id 76 from 0.0.0.0:37601 to 127.0.0.1:1812 length 129
        User-Name = "bob"
        MS-CHAP-Password = "631266"
        NAS-IP-Address = 10.118.240.180
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "631266"
        MS-CHAP-Challenge = 0x674bc434692c64f3
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf
Received Access-Reject Id 76 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=24b53a75a9d80580 V=2"
(0) -: Expected Access-Accept got Access-Reject


However, the server component appears not to expose Cleartext-Password for my use. From raddebug:

(3) Sun Feb  2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129
(3) Sun Feb  2 02:19:01 2020: Debug:   User-Name = "bob"
(3) Sun Feb  2 02:19:01 2020: Debug:   NAS-IP-Address = 10.118.240.180
(3) Sun Feb  2 02:19:01 2020: Debug:   NAS-Port = 0
(3) Sun Feb  2 02:19:01 2020: Debug:   Message-Authenticator = 0x784a3fcd0eaa0a74d07afa17da59adad
(3) Sun Feb  2 02:19:01 2020: Debug:   MS-CHAP-Challenge = 0x674bc434692c64f3
(3) Sun Feb  2 02:19:01 2020: Debug:   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf
(3) Sun Feb  2 02:19:01 2020: Debug: # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) Sun Feb  2 02:19:01 2020: Debug:   authorize {
(3) Sun Feb  2 02:19:01 2020: Debug:     policy filter_username {
.
.
.
(3) Sun Feb  2 02:19:02 2020: Debug:   } # authorize = ok
(3) Sun Feb  2 02:19:02 2020: Debug: Found Auth-Type = mschap
(3) Sun Feb  2 02:19:02 2020: Debug: # Executing group from file /etc/raddb/sites-enabled/default
(3) Sun Feb  2 02:19:02 2020: Debug:   Auth-Type mschap {
(3) Sun Feb  2 02:19:02 2020: WARNING: multiotpmschap: No Cleartext-Password configured.  Cannot create NT-Password
(3) Sun Feb  2 02:19:02 2020: WARNING: multiotpmschap: No Cleartext-Password configured.  Cannot create LM-Password
(3) Sun Feb  2 02:19:02 2020: Debug: multiotpmschap: Client is using MS-CHAPv1 with NT-Password
(3) Sun Feb  2 02:19:02 2020: ERROR: multiotpmschap: FAILED: No NT/LM-Password.  Cannot perform authentication
(3) Sun Feb  2 02:19:02 2020: ERROR: multiotpmschap: MS-CHAP2-Response is incorrect
(3) Sun Feb  2 02:19:02 2020: Debug:     [multiotpmschap] = reject
(3) Sun Feb  2 02:19:02 2020: Debug:   } # Auth-Type mschap = reject
(3) Sun Feb  2 02:19:02 2020: Debug: Failed to authenticate the user

Thanks :)

________________________________________________________________
Richard Green
IT Solution Design & Delivery | UNSW Sydney | NSW 2052
richard.green at unsw.edu.au | +61(2) 9385 8738
ABN 57 195 873 179 | CRICOS Provider Code 00098G
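As an added example (not part of the original post and not FreeRADIUS code), the following Python decodes the two MS-CHAPv1 attributes that appear in the radtest and raddebug output above: the 50-byte MS-CHAP-Response the server receives, and the MS-CHAP-Error string it returns. The layouts follow RFC 2548 and RFC 2433; the error-code names are taken from RFC 2433, and the sample values are the ones quoted in the post.

```python
import re
from dataclasses import dataclass

# RFC 2433 failure codes carried in the "E=" field of MS-CHAP-Error.
MSCHAP_ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

@dataclass
class MSChapResponse:
    ident: int
    flags: int
    lm_response: bytes
    nt_response: bytes

    def required_stored_credential(self) -> str:
        # Flags bit 0 set: the client answered with the NT-Response, so the
        # server must derive an NT hash (from Cleartext-Password or a stored
        # NT-Password). Bit clear: the LM-Response is used and needs the LM hash.
        return "NT-Password" if self.flags & 0x01 else "LM-Password"

def parse_mschap_response(raw: bytes) -> MSChapResponse:
    """Decode the MS-CHAP-Response VSA payload (RFC 2548):
    Ident(1) Flags(1) LM-Response(24) NT-Response(24) = 50 bytes."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    return MSChapResponse(raw[0], raw[1], raw[2:26], raw[26:50])

_ERROR_RE = re.compile(
    r"E=(\d+) R=(\d)(?: C=([0-9A-Fa-f]+))?(?: V=(\d+))?(?: M=(.*))?")

def parse_mschap_error(value: str) -> dict:
    """Decode MS-CHAP-Error: one Ident byte followed by the RFC 2433 failure
    string 'E=eeee R=r C=cccc V=v [M=message]'."""
    ident, body = ord(value[0]), value[1:]
    m = _ERROR_RE.fullmatch(body)
    if m is None:
        raise ValueError(f"unrecognised MS-CHAP-Error string: {body!r}")
    code = int(m.group(1))
    return {
        "ident": ident,
        "error": code,
        "error_name": MSCHAP_ERROR_NAMES.get(code, "UNKNOWN"),
        "retry_allowed": m.group(2) == "1",
        # C= is the fresh challenge the client may retry against.
        "challenge": bytes.fromhex(m.group(3)) if m.group(3) else None,
        "version": int(m.group(4)) if m.group(4) else None,
        "message": m.group(5),
    }
```

Decoding the captured response shows Flags = 1 with an all-zero LM-Response, which is exactly why the module reports that it needs an NT-Password and, lacking any Cleartext-Password in the control list, rejects with E=691.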



More information about the Freeradius-Users mailing list