Need help with EAP-MSCHAPv2 config
Yongqiang He
thehyq at gmail.com
Tue Feb 11 02:31:14 CET 2020
Thanks Alan!
Here is the full output with the error when connecting from the real client.
(10) Received Access-Request Id 130 from 138.68.244.7:36409 to
138.68.244.7:1812 length 155
(10) User-Name = "testing"
(10) NAS-Port-Type = Virtual
(10) Service-Type = Framed-User
(10) NAS-Port = 3
(10) NAS-Port-Id = "IOS_Mac_IKEv2"
(10) NAS-IP-Address = 138.68.244.7
(10) Called-Station-Id = "138.68.244.7[4500]"
(10) Calling-Station-Id = "76.126.66.227[46978]"
(10) EAP-Message = 0x0200000c0174657374696e67
(10) NAS-Identifier = "my_test"
(10) Message-Authenticator = 0x27460db81f1205bdfd1c97b652578ac7
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "testing", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 0 length 12
(10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Peer sent packet with method EAP Identity (1)
(10) eap: Calling submodule eap_md5 to process data
(10) eap_md5: Issuing MD5 Challenge
(10) eap: Sending EAP Request (code 1) ID 1 length 22
(10) eap: EAP session adding &reply:State = 0xe6792945e6782dfc
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 130 from 138.68.244.7:1812 to
138.68.244.7:36409 length 0
(10) EAP-Message = 0x0101001604105c8b2a8b71baf1533f70d0e36633bd68
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xe6792945e6782dfc56843e1cf30c8716
(10) Finished request
Waking up in 4.9 seconds.
(11) Received Access-Request Id 131 from 138.68.244.7:36409 to
138.68.244.7:1812 length 167
(11) User-Name = "testing"
(11) NAS-Port-Type = Virtual
(11) Service-Type = Framed-User
(11) NAS-Port = 3
(11) NAS-Port-Id = "IOS_Mac_IKEv2"
(11) NAS-IP-Address = 138.68.244.7
(11) Called-Station-Id = "138.68.244.7[4500]"
(11) Calling-Station-Id = "76.126.66.227[46978]"
(11) EAP-Message = 0x02010006031a
(11) NAS-Identifier = "my_test"
(11) State = 0xe6792945e6782dfc56843e1cf30c8716
(11) Message-Authenticator = 0x57a28bbdd943c3ee77ca446adbe65d35
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "testing", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 1 length 6
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xe6792945e6782dfc
(11) eap: Finished EAP session with state 0xe6792945e6782dfc
(11) eap: Previous EAP request found for state 0xe6792945e6782dfc, released
from the list
(11) eap: Peer sent packet with method EAP NAK (3)
(11) eap: Found mutually acceptable type MSCHAPv2 (26)
(11) eap: Calling submodule eap_mschapv2 to process data
(11) eap_mschapv2: Issuing Challenge
(11) eap: Sending EAP Request (code 1) ID 2 length 43
(11) eap: EAP session adding &reply:State = 0xe6792945e77b33fc
(11) [eap] = handled
(11) } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) Sent Access-Challenge Id 131 from 138.68.244.7:1812 to
138.68.244.7:36409 length 0
(11) EAP-Message =
0x0102002b1a01020026108bf74d1238cc6fb438d8463cbcae5781667265657261646975732d332e302e3230
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0xe6792945e77b33fc56843e1cf30c8716
(11) Finished request
Waking up in 4.9 seconds.
(12) Received Access-Request Id 132 from 138.68.244.7:36409 to
138.68.244.7:1812 length 227
(12) User-Name = "testing"
(12) NAS-Port-Type = Virtual
(12) Service-Type = Framed-User
(12) NAS-Port = 3
(12) NAS-Port-Id = "IOS_Mac_IKEv2"
(12) NAS-IP-Address = 138.68.244.7
(12) Called-Station-Id = "138.68.244.7[4500]"
(12) Calling-Station-Id = "76.126.66.227[46978]"
(12) EAP-Message =
0x020200421a0202003d3184998d176a1446dc46a5375cd3a7ab7200000000000000007d66204498f76c81b5aa6b18332d2fefe8c2ceb5cd9be0700074657374696e67
(12) NAS-Identifier = "my_test"
(12) State = 0xe6792945e77b33fc56843e1cf30c8716
(12) Message-Authenticator = 0x9c7886f05a11be16e9382cd513c98f0a
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "testing", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 2 length 66
(12) eap: No EAP Start, assuming it's an on-going EAP conversation
(12) [eap] = updated
(12) } # authorize = updated
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap: Expiring EAP session with state 0xe6792945e77b33fc
(12) eap: Finished EAP session with state 0xe6792945e77b33fc
(12) eap: Previous EAP request found for state 0xe6792945e77b33fc, released
from the list
(12) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(12) eap: Calling submodule eap_mschapv2 to process data
(12) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/default
(12) eap_mschapv2: authenticate {
(12) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(12) mschap: Creating challenge hash with username: testing
(12) mschap: Client is using MS-CHAPv2
(12) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
authentication
(12) mschap: ERROR: MS-CHAP2-Response is incorrect
(12) eap_mschapv2: [mschap] = reject
(12) eap_mschapv2: } # authenticate = reject
(12) eap: Sending EAP Failure (code 4) ID 2 length 4
(12) eap: Freeing handler
(12) [eap] = reject
(12) } # authenticate = reject
(12) Failed to authenticate the user
(12) Using Post-Auth-Type Reject
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Post-Auth-Type REJECT {
(12) if ( no == "yes" ) {
(12) if ( no == "yes" ) -> FALSE
(12) attr_filter.access_reject: EXPAND %{User-Name}
(12) attr_filter.access_reject: --> testing
(12) attr_filter.access_reject: Matched entry DEFAULT at line 11
(12) [attr_filter.access_reject] = updated
(12) [eap] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # Post-Auth-Type REJECT = updated
(12) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(12) Sending delayed response
(12) Sent Access-Reject Id 132 from 138.68.244.7:1812 to 138.68.244.7:36409
length 127
(12) MS-CHAP-Error = "\002E=691 R=1 C=e8761a4b9b5c17800ee5e17ab8e67079
V=3 M=Authentication rejected"
(12) EAP-Message = 0x04020004
(12) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(10) Cleaning up request packet ID 130 with timestamp +11689
(11) Cleaning up request packet ID 131 with timestamp +11689
(12) Cleaning up request packet ID 132 with timestamp +11689
And here is the full output from running radtest:
(13) Received Access-Request Id 98 from 138.68.244.7:40926 to
138.68.244.7:1812 length 133
(13) User-Name = "testing"
(13) NAS-IP-Address = 127.0.1.1
(13) NAS-Port = 1812
(13) Message-Authenticator = 0x3b4e57a573129d63a462a854a3f8b374
(13) MS-CHAP-Challenge = 0x31d98bba4411b626
(13) MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000071dac53034b42a03a735f807aa5917612dd95f43666cf8e2
(13) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(13) [mschap] = ok
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "testing", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: No EAP-Message, not doing EAP
(13) [eap] = noop
(13) [files] = noop
(13) sql: EXPAND %{User-Name}
(13) sql: --> testing
(13) sql: SQL-User-Name set to 'testing'
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 11064
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for
11064 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for
11064 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (12), 1 of 32 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP,
server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
rlm_sql (sql): Reserved connection (12)
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testing' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testing' ORDER BY id
(13) sql: User found in radcheck table
(13) sql: Conditional check items matched, merging assignment check items
(13) sql: Cleartext-Password := "testuser_mypass"
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testing' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'testing' ORDER BY id
rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (13), 1 of 31 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP,
server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
rlm_sql (sql): Reserved connection (13)
rlm_sql (sql): Released connection (13)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (14), 1 of 30 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP,
server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
(13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(13) sql: --> SELECT groupname FROM radusergroup WHERE username =
'testing' ORDER BY priority
(13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testing' ORDER BY priority
(13) sql: User not found in any groups
rlm_sql (sql): Released connection (12)
(13) [sql] = ok
(13) [expiration] = noop
(13) [logintime] = noop
(13) pap: WARNING: Auth-Type already set. Not setting to PAP
(13) [pap] = noop
(13) } # authorize = ok
(13) Found Auth-Type = mschap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) authenticate {
(13) mschap: Found Cleartext-Password, hashing to create NT-Password
(13) mschap: Client is using MS-CHAPv1 with NT-Password
(13) mschap: adding MS-CHAPv1 MPPE keys
(13) [mschap] = ok
(13) } # authenticate = ok
(13) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(13) post-auth {
(13) update {
(13) No attributes updated for RHS &session-state:
(13) } # update = noop
(13) if ( no == "yes" ) {
(13) if ( no == "yes" ) -> FALSE
(13) [exec] = noop
(13) policy remove_reply_message_if_eap {
(13) if (&reply:EAP-Message && &reply:Reply-Message) {
(13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(13) else {
(13) [noop] = noop
(13) } # else = noop
(13) } # policy remove_reply_message_if_eap = noop
(13) } # post-auth = noop
(13) Sent Access-Accept Id 98 from 138.68.244.7:1812 to 138.68.244.7:40926
length 0
(13) MS-CHAP-MPPE-Keys =
0x0000000000000000b1ce5d77fca4da9e183b40b613ec5408
(13) MS-MPPE-Encryption-Policy = Encryption-Allowed
(13) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(13) Finished request
Waking up in 4.9 seconds.
(13) Cleaning up request packet ID 98 with timestamp +12005
On Mon, Feb 10, 2020 at 5:17 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 10, 2020, at 5:29 PM, Yongqiang He <thehyq at gmail.com> wrote:
> > I am new to freeradius and hope someone here can help me with my setup.
> > Thanks a lot!
> >
> > Here is what I got when running radiusd with the -X option:
>
> No... you got a lot more than that. We will need ALL of the debug
> output to see what's going on.
>
> > If I run: radtest -t mschap ..., everything seems fine and it outputs
> > 'Received Access-Accept'. I guess it's because the radtest is running
> > with mschap, and my client above is using mschapv2. I can't figure out
> > what config I should do with mschapv2.
>
> Don't guess. Read the debug output. Compare the debug output between
> the two kinds of authentication. What's different?
>
> > The radius is running with mysql. User and password are inserted with
> > SQL: INSERT INTO `radcheck` VALUES
> > (2,'testing','Cleartext-Password',':=','testuser_mypass');
>
> The piece of debug output that you posted shows *nothing* about SQL. Is
> it even querying the SQL server?
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
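Alan's advice is to compare the debug output of the two flows. In the output above, the radtest request (13) runs `sql` in `authorize`, which sets `Cleartext-Password`, so `mschap` can hash it into an NT-Password; the EAP requests (10) to (12) leave `authorize` right after `[eap]` (the stock `default` site returns from `authorize` when `eap` returns ok or updated), so `sql` never runs and `mschap` rejects with "No NT/LM-Password". The script below is an added example, not code from this thread or from the FreeRADIUS project: it parses `radiusd -X` output into per-request traces and reports, for each rejected request, which `authorize` modules ran and whether any of them supplied a password attribute. It assumes the line shapes seen above (`(N)` prefixes, `[module] = rcode`, `} # section = rcode`, `Found Auth-Type = ...`, `Sent Access-... Id ...`); the function names are my own, and the embedded log is a constructed abridgement of the thread's lines with placeholder addresses and a made-up secret.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `radiusd -X` output, abridged from the two flows in the
# thread: the EAP-MSCHAPv2 attempt (request 12) and the radtest MS-CHAP attempt
# (request 13). Addresses are documentation ranges and the secret is invented.
SAMPLE_DEBUG = """\
(12) Received Access-Request Id 132 from 192.0.2.10:36409 to 192.0.2.10:1812 length 227
(12)   authorize {
(12)     [preprocess] = ok
(12)     [mschap] = noop
(12)     [eap] = updated
(12)   } # authorize = updated
(12) Found Auth-Type = eap
(12)   authenticate {
(12) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(12) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(12) eap_mschapv2:     [mschap] = reject
(12)     [eap] = reject
(12)   } # authenticate = reject
(12) Sent Access-Reject Id 132 from 192.0.2.10:1812 to 192.0.2.10:36409 length 127
(13) Received Access-Request Id 98 from 192.0.2.10:40926 to 192.0.2.10:1812 length 133
(13)   authorize {
(13)     [preprocess] = ok
(13) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(13)     [mschap] = ok
(13)     [eap] = noop
(13)     [files] = noop
(13) sql: Cleartext-Password := "example-secret"
(13)     [sql] = ok
(13)   } # authorize = ok
(13) Found Auth-Type = mschap
(13)   authenticate {
(13) mschap: Found Cleartext-Password, hashing to create NT-Password
(13)     [mschap] = ok
(13)   } # authenticate = ok
(13) Sent Access-Accept Id 98 from 192.0.2.10:1812 to 192.0.2.10:40926 length 0
"""


@dataclass
class RequestTrace:
    """What the analyser keeps per request number (hypothetical structure)."""
    req_id: int
    auth_type: str | None = None
    outcome: str | None = None            # Access-Accept / Access-Reject / Access-Challenge
    authorize_modules: list[str] = field(default_factory=list)
    authorize_rcode: str | None = None    # return code the authorize section ended with
    password_source: str | None = None    # module that set a *-Password attribute
    mschap_errors: list[str] = field(default_factory=list)


LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")
SECTION_START_RE = re.compile(r"^(authorize|authenticate|post-auth)\s*\{$")
SECTION_END_RE = re.compile(r"^\}\s*#\s*(authorize|authenticate|post-auth)\s*=\s*(\w+)$")
MODULE_RC_RE = re.compile(r"^\[([\w.-]+)\]\s*=\s*(\w+)$")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\w+)$")
# Only the module name is kept: -X output prints the secret itself in the
# clear, and a diagnostic report should not carry it any further.
PASSWORD_RE = re.compile(r"^(\w+):\s+(?:Cleartext|NT|LM)-Password\s*:?=")
OUTCOME_RE = re.compile(r"^Sent (Access-(?:Accept|Reject|Challenge)) ")


def parse_debug(text: str) -> dict[int, RequestTrace]:
    """Group `radiusd -X` lines by request number and extract the facts above."""
    traces: dict[int, RequestTrace] = {}
    section: dict[int, str | None] = {}   # which top-level section is open per request
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unprefixed lines (rlm_sql pool chatter, "Waking up") are not per-request
        rid, body = int(m.group(1)), m.group(2).strip()
        tr = traces.setdefault(rid, RequestTrace(rid))
        if (s := SECTION_START_RE.match(body)):
            section[rid] = s.group(1)          # nested "eap_mschapv2: authenticate {" is not matched
        elif (s := SECTION_END_RE.match(body)):
            if s.group(1) == "authorize":
                tr.authorize_rcode = s.group(2)
            section[rid] = None
        elif (s := MODULE_RC_RE.match(body)) and section.get(rid) == "authorize":
            tr.authorize_modules.append(s.group(1))
        elif (s := AUTH_TYPE_RE.match(body)):
            tr.auth_type = s.group(1)
        elif (s := PASSWORD_RE.match(body)):
            tr.password_source = s.group(1)
        elif body.startswith(("mschap: ERROR:", "mschap: WARNING:")):
            tr.mschap_errors.append(body)
        elif (s := OUTCOME_RE.match(body)):
            tr.outcome = s.group(1)
    return traces


def diagnose(tr: RequestTrace) -> list[str]:
    """Explain a rejected request in terms of what authorize did and did not run."""
    findings: list[str] = []
    if tr.outcome != "Access-Reject":
        return findings
    if tr.auth_type in ("eap", "mschap") and tr.password_source is None:
        findings.append(
            f"request {tr.req_id}: Auth-Type {tr.auth_type} rejected with no password "
            f"attribute supplied in authorize (modules run: {', '.join(tr.authorize_modules)}; "
            f"section returned '{tr.authorize_rcode}'); mschap needs Cleartext-Password "
            f"or NT-Password to verify the response"
        )
    findings.extend(f"request {tr.req_id}: {e}" for e in tr.mschap_errors)
    return findings


def modules_missing_from(failed: RequestTrace, succeeded: RequestTrace) -> list[str]:
    """Authorize modules that ran for the successful request but not the failed one."""
    return sorted(set(succeeded.authorize_modules) - set(failed.authorize_modules))


if __name__ == "__main__":
    traces = parse_debug(SAMPLE_DEBUG)
    for tr in traces.values():
        for line in diagnose(tr):
            print(line)
    print("ran only for the radtest request:", modules_missing_from(traces[12], traces[13]))
```

Run it against a saved `radiusd -X` capture by replacing `SAMPLE_DEBUG` with the file contents; the interesting output is the module list printed last, which for the thread's logs would name `sql` (and the other modules listed after `eap` in `authorize`) as the ones the EAP flow never reaches. Keep such captures out of public posts or redact them first, since `-X` prints `Cleartext-Password` values verbatim.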