Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No
Richard Green
richard.green at unsw.edu.au
Sun Feb 2 03:41:17 CET 2020
Hi list : )
With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, so that the mschap module will do the authentication itself without calling ntlm_auth. However, I have failed thus far to get this working: how do I make the Cleartext-Password available?
I have set this in my policy.conf:
policy {
    # Change to a specific prefix if you want to deal with normal PAP authentication as well as OTP
    # e.g. "multiotp_prefix = 'otp:'"
    multiotp_prefix = ''

    multiotp.authorize {
        # This test forces multiOTP for any MS-CHAP(v2) attempt
        if (control:Auth-Type == MS-CHAP) {
            update control {
                Auth-Type := multiotpmschap
                MS-CHAP-Use-NTLM-Auth := No
            }
        }
        # This test forces multiOTP for any MS-CHAP(v2) attempt
        elsif (control:Auth-Type == mschap) {
            update control {
                Auth-Type := multiotpmschap
                MS-CHAP-Use-NTLM-Auth := No
            }
        }
.
.
.
radtest appears to send a Cleartext-Password (actually an OTP token which has been accepted in the authorize section):
# radtest -x -t mschap bob $(./totp.py) localhost 0 testing123
Sent Access-Request Id 76 from 0.0.0.0:37601 to 127.0.0.1:1812 length 129
    User-Name = "bob"
    MS-CHAP-Password = "631266"
    NAS-IP-Address = 10.118.240.180
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "631266"
    MS-CHAP-Challenge = 0x674bc434692c64f3
    MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf
Received Access-Reject Id 76 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
    MS-CHAP-Error = "\000E=691 R=1 C=24b53a75a9d80580 V=2"
(0) -: Expected Access-Accept got Access-Reject
However, the server component appears not to expose Cleartext-Password for my use. From raddebug:
(3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129
(3) Sun Feb 2 02:19:01 2020: Debug:   User-Name = "bob"
(3) Sun Feb 2 02:19:01 2020: Debug:   NAS-IP-Address = 10.118.240.180
(3) Sun Feb 2 02:19:01 2020: Debug:   NAS-Port = 0
(3) Sun Feb 2 02:19:01 2020: Debug:   Message-Authenticator = 0x784a3fcd0eaa0a74d07afa17da59adad
(3) Sun Feb 2 02:19:01 2020: Debug:   MS-CHAP-Challenge = 0x674bc434692c64f3
(3) Sun Feb 2 02:19:01 2020: Debug:   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf
(3) Sun Feb 2 02:19:01 2020: Debug: # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) Sun Feb 2 02:19:01 2020: Debug:   authorize {
(3) Sun Feb 2 02:19:01 2020: Debug:     policy filter_username {
.
.
.
(3) Sun Feb 2 02:19:02 2020: Debug:   } # authorize = ok
(3) Sun Feb 2 02:19:02 2020: Debug: Found Auth-Type = mschap
(3) Sun Feb 2 02:19:02 2020: Debug: # Executing group from file /etc/raddb/sites-enabled/default
(3) Sun Feb 2 02:19:02 2020: Debug:   Auth-Type mschap {
(3) Sun Feb 2 02:19:02 2020: WARNING:   multiotpmschap: No Cleartext-Password configured. Cannot create NT-Password
(3) Sun Feb 2 02:19:02 2020: WARNING:   multiotpmschap: No Cleartext-Password configured. Cannot create LM-Password
(3) Sun Feb 2 02:19:02 2020: Debug:     multiotpmschap: Client is using MS-CHAPv1 with NT-Password
(3) Sun Feb 2 02:19:02 2020: ERROR:    multiotpmschap: FAILED: No NT/LM-Password. Cannot perform authentication
(3) Sun Feb 2 02:19:02 2020: ERROR:    multiotpmschap: MS-CHAP2-Response is incorrect
(3) Sun Feb 2 02:19:02 2020: Debug:     [multiotpmschap] = reject
(3) Sun Feb 2 02:19:02 2020: Debug:   } # Auth-Type mschap = reject
(3) Sun Feb 2 02:19:02 2020: Debug: Failed to authenticate the user
Thanks :)
________________________________________________________________
Richard Green
IT Solution Design & Delivery | UNSW Sydney | NSW 2052
richard.green at unsw.edu.au | +61(2) 9385 8738
ABN 57 195 873 179 | CRICOS Provider Code 00098G
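The server-side debug above shows that the Access-Request the server receives carries only MS-CHAP-Challenge and MS-CHAP-Response: the Cleartext-Password line printed by radtest is a local attribute radtest uses to compute the response and is never transmitted. With MS-CHAP-Use-NTLM-Auth := No, the mschap module can therefore only build NT-Password if the expected password is placed into control:Cleartext-Password by the server itself during authorize. The fragment below is an added illustration of that, not part of the original post or of the multiOTP project's configuration; the helper /usr/local/bin/expected-otp and its contract (print the expected one-time code for the given user on stdout) are assumptions.

```unlang
# Added example: populate control:Cleartext-Password server-side so that
# mschap can derive NT-Password without calling ntlm_auth.
# Assumed helper: /usr/local/bin/expected-otp <user> prints the expected OTP.
# %{exec:...} is the rlm_exec xlat and needs the exec module enabled.
multiotp.authorize {
    # Match on the request attributes rather than on whatever Auth-Type a
    # module that ran earlier may have set.
    if (MS-CHAP-Challenge && MS-CHAP-Response) {
        update control {
            # mschap computes NT-Password from this value when it is not
            # allowed to use ntlm_auth.
            Cleartext-Password := "%{exec:/usr/local/bin/expected-otp %{User-Name}}"
            MS-CHAP-Use-NTLM-Auth := No
            Auth-Type := multiotpmschap
        }
        # Refuse to continue if the helper produced nothing; otherwise mschap
        # would compute an NT hash of the empty string.
        if (!&control:Cleartext-Password) {
            reject
        }
    }
}
```

Two caveats a practitioner would want: the expected OTP is then a control-list item, which radiusd -X prints in full when the update section runs, so do not run with -X against live accounts; and because the OTP is only valid for a window, the helper has to return the code for the same window the client used, which is exactly the comparison the external multiotp program would otherwise have done.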