Need help with EAP-MSCHAPv2 config

Yongqiang He thehyq at gmail.com
Tue Feb 11 02:31:14 CET 2020


Thanks Alan!

Here is full output with error connecting from the real client.

(10) Received Access-Request Id 130 from 138.68.244.7:36409 to
138.68.244.7:1812 length 155
(10)   User-Name = "testing"
(10)   NAS-Port-Type = Virtual
(10)   Service-Type = Framed-User
(10)   NAS-Port = 3
(10)   NAS-Port-Id = "IOS_Mac_IKEv2"
(10)   NAS-IP-Address = 138.68.244.7
(10)   Called-Station-Id = "138.68.244.7[4500]"
(10)   Calling-Station-Id = "76.126.66.227[46978]"
(10)   EAP-Message = 0x0200000c0174657374696e67
(10)   NAS-Identifier = "my_test"
(10)   Message-Authenticator = 0x27460db81f1205bdfd1c97b652578ac7
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "testing", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 0 length 12
(10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   authenticate {
(10) eap: Peer sent packet with method EAP Identity (1)
(10) eap: Calling submodule eap_md5 to process data
(10) eap_md5: Issuing MD5 Challenge
(10) eap: Sending EAP Request (code 1) ID 1 length 22
(10) eap: EAP session adding &reply:State = 0xe6792945e6782dfc
(10)     [eap] = handled
(10)   } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 130 from 138.68.244.7:1812 to
138.68.244.7:36409 length 0
(10)   EAP-Message = 0x0101001604105c8b2a8b71baf1533f70d0e36633bd68
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   State = 0xe6792945e6782dfc56843e1cf30c8716
(10) Finished request
Waking up in 4.9 seconds.
(11) Received Access-Request Id 131 from 138.68.244.7:36409 to
138.68.244.7:1812 length 167
(11)   User-Name = "testing"
(11)   NAS-Port-Type = Virtual
(11)   Service-Type = Framed-User
(11)   NAS-Port = 3
(11)   NAS-Port-Id = "IOS_Mac_IKEv2"
(11)   NAS-IP-Address = 138.68.244.7
(11)   Called-Station-Id = "138.68.244.7[4500]"
(11)   Calling-Station-Id = "76.126.66.227[46978]"
(11)   EAP-Message = 0x02010006031a
(11)   NAS-Identifier = "my_test"
(11)   State = 0xe6792945e6782dfc56843e1cf30c8716
(11)   Message-Authenticator = 0x57a28bbdd943c3ee77ca446adbe65d35
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11)   authorize {
(11)     policy filter_username {
(11)       if (&User-Name) {
(11)       if (&User-Name)  -> TRUE
(11)       if (&User-Name)  {
(11)         if (&User-Name =~ / /) {
(11)         if (&User-Name =~ / /)  -> FALSE
(11)         if (&User-Name =~ /@[^@]*@/ ) {
(11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)         if (&User-Name =~ /\.\./ ) {
(11)         if (&User-Name =~ /\.\./ )  -> FALSE
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(11)         if (&User-Name =~ /\.$/)  {
(11)         if (&User-Name =~ /\.$/)   -> FALSE
(11)         if (&User-Name =~ /@\./)  {
(11)         if (&User-Name =~ /@\./)   -> FALSE
(11)       } # if (&User-Name)  = notfound
(11)     } # policy filter_username = notfound
(11)     [preprocess] = ok
(11)     [chap] = noop
(11)     [mschap] = noop
(11)     [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "testing", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)     [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 1 length 6
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11)     [eap] = updated
(11)   } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0xe6792945e6782dfc
(11) eap: Finished EAP session with state 0xe6792945e6782dfc
(11) eap: Previous EAP request found for state 0xe6792945e6782dfc, released
from the list
(11) eap: Peer sent packet with method EAP NAK (3)
(11) eap: Found mutually acceptable type MSCHAPv2 (26)
(11) eap: Calling submodule eap_mschapv2 to process data
(11) eap_mschapv2: Issuing Challenge
(11) eap: Sending EAP Request (code 1) ID 2 length 43
(11) eap: EAP session adding &reply:State = 0xe6792945e77b33fc
(11)     [eap] = handled
(11)   } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11)   Challenge { ... } # empty sub-section is ignored
(11) Sent Access-Challenge Id 131 from 138.68.244.7:1812 to
138.68.244.7:36409 length 0
(11)   EAP-Message =
0x0102002b1a01020026108bf74d1238cc6fb438d8463cbcae5781667265657261646975732d332e302e3230
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   State = 0xe6792945e77b33fc56843e1cf30c8716
(11) Finished request
Waking up in 4.9 seconds.
(12) Received Access-Request Id 132 from 138.68.244.7:36409 to
138.68.244.7:1812 length 227
(12)   User-Name = "testing"
(12)   NAS-Port-Type = Virtual
(12)   Service-Type = Framed-User
(12)   NAS-Port = 3
(12)   NAS-Port-Id = "IOS_Mac_IKEv2"
(12)   NAS-IP-Address = 138.68.244.7
(12)   Called-Station-Id = "138.68.244.7[4500]"
(12)   Calling-Station-Id = "76.126.66.227[46978]"
(12)   EAP-Message =
0x020200421a0202003d3184998d176a1446dc46a5375cd3a7ab7200000000000000007d66204498f76c81b5aa6b18332d2fefe8c2ceb5cd9be0700074657374696e67
(12)   NAS-Identifier = "my_test"
(12)   State = 0xe6792945e77b33fc56843e1cf30c8716
(12)   Message-Authenticator = 0x9c7886f05a11be16e9382cd513c98f0a
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(12)   authorize {
(12)     policy filter_username {
(12)       if (&User-Name) {
(12)       if (&User-Name)  -> TRUE
(12)       if (&User-Name)  {
(12)         if (&User-Name =~ / /) {
(12)         if (&User-Name =~ / /)  -> FALSE
(12)         if (&User-Name =~ /@[^@]*@/ ) {
(12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(12)         if (&User-Name =~ /\.\./ ) {
(12)         if (&User-Name =~ /\.\./ )  -> FALSE
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(12)         if (&User-Name =~ /\.$/)  {
(12)         if (&User-Name =~ /\.$/)   -> FALSE
(12)         if (&User-Name =~ /@\./)  {
(12)         if (&User-Name =~ /@\./)   -> FALSE
(12)       } # if (&User-Name)  = notfound
(12)     } # policy filter_username = notfound
(12)     [preprocess] = ok
(12)     [chap] = noop
(12)     [mschap] = noop
(12)     [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "testing", looking up realm NULL
(12) suffix: No such realm "NULL"
(12)     [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 2 length 66
(12) eap: No EAP Start, assuming it's an on-going EAP conversation
(12)     [eap] = updated
(12)   } # authorize = updated
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12)   authenticate {
(12) eap: Expiring EAP session with state 0xe6792945e77b33fc
(12) eap: Finished EAP session with state 0xe6792945e77b33fc
(12) eap: Previous EAP request found for state 0xe6792945e77b33fc, released
from the list
(12) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(12) eap: Calling submodule eap_mschapv2 to process data
(12) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/default
(12) eap_mschapv2:   authenticate {
(12) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(12) mschap: Creating challenge hash with username: testing
(12) mschap: Client is using MS-CHAPv2
(12) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
authentication
(12) mschap: ERROR: MS-CHAP2-Response is incorrect
(12) eap_mschapv2:     [mschap] = reject
(12) eap_mschapv2:   } # authenticate = reject
(12) eap: Sending EAP Failure (code 4) ID 2 length 4
(12) eap: Freeing handler
(12)     [eap] = reject
(12)   } # authenticate = reject
(12) Failed to authenticate the user
(12) Using Post-Auth-Type Reject
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12)   Post-Auth-Type REJECT {
(12)     if ( no == "yes" ) {
(12)     if ( no == "yes" )  -> FALSE
(12) attr_filter.access_reject: EXPAND %{User-Name}
(12) attr_filter.access_reject:    --> testing
(12) attr_filter.access_reject: Matched entry DEFAULT at line 11
(12)     [attr_filter.access_reject] = updated
(12)     [eap] = noop
(12)     policy remove_reply_message_if_eap {
(12)       if (&reply:EAP-Message && &reply:Reply-Message) {
(12)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(12)       else {
(12)         [noop] = noop
(12)       } # else = noop
(12)     } # policy remove_reply_message_if_eap = noop
(12)   } # Post-Auth-Type REJECT = updated
(12) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(12) Sending delayed response
(12) Sent Access-Reject Id 132 from 138.68.244.7:1812 to 138.68.244.7:36409
length 127
(12)   MS-CHAP-Error = "\002E=691 R=1 C=e8761a4b9b5c17800ee5e17ab8e67079
V=3 M=Authentication rejected"
(12)   EAP-Message = 0x04020004
(12)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(10) Cleaning up request packet ID 130 with timestamp +11689
(11) Cleaning up request packet ID 131 with timestamp +11689
(12) Cleaning up request packet ID 132 with timestamp +11689


And here is the full output from running radtest:

(13) Received Access-Request Id 98 from 138.68.244.7:40926 to
138.68.244.7:1812 length 133
(13)   User-Name = "testing"
(13)   NAS-IP-Address = 127.0.1.1
(13)   NAS-Port = 1812
(13)   Message-Authenticator = 0x3b4e57a573129d63a462a854a3f8b374
(13)   MS-CHAP-Challenge = 0x31d98bba4411b626
(13)   MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000071dac53034b42a03a735f807aa5917612dd95f43666cf8e2
(13) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(13)   authorize {
(13)     policy filter_username {
(13)       if (&User-Name) {
(13)       if (&User-Name)  -> TRUE
(13)       if (&User-Name)  {
(13)         if (&User-Name =~ / /) {
(13)         if (&User-Name =~ / /)  -> FALSE
(13)         if (&User-Name =~ /@[^@]*@/ ) {
(13)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(13)         if (&User-Name =~ /\.\./ ) {
(13)         if (&User-Name =~ /\.\./ )  -> FALSE
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(13)         if (&User-Name =~ /\.$/)  {
(13)         if (&User-Name =~ /\.$/)   -> FALSE
(13)         if (&User-Name =~ /@\./)  {
(13)         if (&User-Name =~ /@\./)   -> FALSE
(13)       } # if (&User-Name)  = notfound
(13)     } # policy filter_username = notfound
(13)     [preprocess] = ok
(13)     [chap] = noop
(13) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(13)     [mschap] = ok
(13)     [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "testing", looking up realm NULL
(13) suffix: No such realm "NULL"
(13)     [suffix] = noop
(13) eap: No EAP-Message, not doing EAP
(13)     [eap] = noop
(13)     [files] = noop
(13) sql: EXPAND %{User-Name}
(13) sql:    --> testing
(13) sql: SQL-User-Name set to 'testing'
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 11064
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for
11064 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for
11064 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (12), 1 of 32 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP,
server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
rlm_sql (sql): Reserved connection (12)
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testing' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testing' ORDER BY id
(13) sql: User found in radcheck table
(13) sql: Conditional check items matched, merging assignment check items
(13) sql:   Cleartext-Password := "testuser_mypass"
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testing' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'testing' ORDER BY id
rlm_sql (sql): 1 of 1 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (13), 1 of 31 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP,
server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
rlm_sql (sql): Reserved connection (13)
rlm_sql (sql): Released connection (13)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (14), 1 of 30 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 138.68.244.7 via TCP/IP,
server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
(13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(13) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'testing' ORDER BY priority
(13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testing' ORDER BY priority
(13) sql: User not found in any groups
rlm_sql (sql): Released connection (12)
(13)     [sql] = ok
(13)     [expiration] = noop
(13)     [logintime] = noop
(13) pap: WARNING: Auth-Type already set.  Not setting to PAP
(13)     [pap] = noop
(13)   } # authorize = ok
(13) Found Auth-Type = mschap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13)   authenticate {
(13) mschap: Found Cleartext-Password, hashing to create NT-Password
(13) mschap: Client is using MS-CHAPv1 with NT-Password
(13) mschap: adding MS-CHAPv1 MPPE keys
(13)     [mschap] = ok
(13)   } # authenticate = ok
(13) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(13)   post-auth {
(13)     update {
(13)       No attributes updated for RHS &session-state:
(13)     } # update = noop
(13)     if ( no == "yes" ) {
(13)     if ( no == "yes" )  -> FALSE
(13)     [exec] = noop
(13)     policy remove_reply_message_if_eap {
(13)       if (&reply:EAP-Message && &reply:Reply-Message) {
(13)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(13)       else {
(13)         [noop] = noop
(13)       } # else = noop
(13)     } # policy remove_reply_message_if_eap = noop
(13)   } # post-auth = noop
(13) Sent Access-Accept Id 98 from 138.68.244.7:1812 to 138.68.244.7:40926
length 0
(13)   MS-CHAP-MPPE-Keys =
0x0000000000000000b1ce5d77fca4da9e183b40b613ec5408
(13)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(13)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(13) Finished request
Waking up in 4.9 seconds.
(13) Cleaning up request packet ID 98 with timestamp +12005

On Mon, Feb 10, 2020 at 5:17 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 10, 2020, at 5:29 PM, Yongqiang He <thehyq at gmail.com> wrote:
> > I am new to freeradius and hope someone here can help me with my setup.
> > Thanks a lot!
> >
> > Here is what i got when running radiusd with -X option:
>
>   No... you got a lot more than that.  We will need ALL of the debug
> output to see what's going on.
>
> > If i run: radtest -t mschap ..., everything seems fine and it output
> 'Received
> > Access-Accept'. I guess its because the radtest is running with mschap,
> and
> > my client above is using mschapv2. I can't figure out what config i
> should
> > do with mschapv2.
>
>   Don't guess.  Read the debug output.  Compare the debug output between
> the two kinds of authentication.  What's different?
>
> > The radius is running with mysql. user and password are insert to with
> > sql: INSERT
> > INTO `radcheck` VALUES
> > (2,'testing','Cleartext-Password',':=','testuser_mypass');
>
>   The piece of debug output that you posted shows *nothing* about SQL.  Is
> it even querying the SQL server?
>
>   Alan DeKok.
>
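Alan's suggestion is to compare the two debug flows module by module. The script below is an added example (mine, not part of this thread and not FreeRADIUS code) that does that mechanically: it reads `radiusd -X` output, records for every request which modules ran in each section and what they returned, notes whether any authorize module supplied a Cleartext-Password or NT-Password before mschap ran, and lists the authorize modules that ran only in the passing request. It assumes the line shapes of the FreeRADIUS 3.0.x debug output shown above; the embedded sample is a short excerpt of the two flows posted in this message, with the archive's wrapped lines rejoined and the password value replaced by a placeholder. On that sample it reports that for request (12) authorize ended at eap and never reached files or sql, which is why the mschap call inside eap_mschapv2 had no password to work from, while request (13) got its Cleartext-Password from sql.

```python
"""Compare two `radiusd -X` flows: modules run per section, their return codes, and whether mschap had a password."""
import re

# Line shapes this script keys on, as they appear in FreeRADIUS 3.0.x `-X` output.
REQ_START = re.compile(r'^\((\d+)\) Received Access-Request Id (\d+) ')
SECTION = re.compile(r'^\((\d+)\)\s+(?:(\w+):\s+)?(authorize|authenticate|post-auth|Post-Auth-Type \w+) \{$')
SECTION_END = re.compile(r'^\((\d+)\)\s+(?:(\w+):\s+)?\} # (authorize|authenticate|post-auth|Post-Auth-Type \w+) = (\w+)$')
MODULE_RC = re.compile(r'^\((\d+)\)\s+(?:[\w.]+:\s+)?\[([\w.]+)\] = (\w+)$')
EAP_METHOD = re.compile(r'^\((\d+)\) eap: Peer sent packet with method (.+) \((\d+)\)$')
PASSWORD_FOUND = re.compile(r'^\((\d+)\) \w+:\s+(?:Cleartext-Password|NT-Password) :=')
NO_PASSWORD = re.compile(r'^\((\d+)\) mschap: WARNING: No Cleartext-Password configured')
SENT = re.compile(r'^\((\d+)\) Sent (Access-\w+) Id (\d+) ')

# Constructed sample: an excerpt of the two flows posted above, wrapped lines rejoined, password replaced by "***".
SAMPLE_EAP = """\
(12) Received Access-Request Id 132 from 138.68.244.7:36409 to 138.68.244.7:1812 length 227
(12)   authorize {
(12)     [mschap] = noop
(12)     [eap] = updated
(12)   } # authorize = updated
(12)   authenticate {
(12) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(12) eap_mschapv2:   authenticate {
(12) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(12) eap_mschapv2:     [mschap] = reject
(12) eap_mschapv2:   } # authenticate = reject
(12)     [eap] = reject
(12)   } # authenticate = reject
(12) Sent Access-Reject Id 132 from 138.68.244.7:1812 to 138.68.244.7:36409 length 127
"""
SAMPLE_RADTEST = """\
(13) Received Access-Request Id 98 from 138.68.244.7:40926 to 138.68.244.7:1812 length 133
(13)   authorize {
(13)     [mschap] = ok
(13)     [eap] = noop
(13)     [files] = noop
(13) sql:   Cleartext-Password := "***"
(13)     [sql] = ok
(13)     [expiration] = noop
(13)     [logintime] = noop
(13)     [pap] = noop
(13)   } # authorize = ok
(13)   authenticate {
(13)     [mschap] = ok
(13)   } # authenticate = ok
(13) Sent Access-Accept Id 98 from 138.68.244.7:1812 to 138.68.244.7:40926 length 0
"""

def _open_section(req, stack, m):
    # Sections run by a submodule (e.g. eap_mschapv2) are keyed with that prefix.
    key = f"{m[2]}/{m[3]}" if m[2] else m[3]
    req["sections"].setdefault(key, [])
    stack.append(key)

# (pattern, handler) pairs; the first pattern that matches a line wins.
HANDLERS = [
    (SECTION, _open_section),
    (SECTION_END, lambda req, stack, m: stack and stack.pop()),
    (MODULE_RC, lambda req, stack, m: stack and req["sections"][stack[-1]].append((m[2], m[3]))),
    (EAP_METHOD, lambda req, stack, m: req.update(eap_method=m[2])),
    (PASSWORD_FOUND, lambda req, stack, m: req.update(password_found=True)),
    (NO_PASSWORD, lambda req, stack, m: req.update(no_password_warning=True)),
    (SENT, lambda req, stack, m: req.update(reply=m[2])),
]

def parse_debug(text):
    """Parse `-X` output into one record per request number, keyed by that number as a string."""
    requests, stacks = {}, {}
    for line in text.splitlines():
        m = REQ_START.match(line)
        if m:
            requests[m[1]] = {"packet_id": int(m[2]), "sections": {}, "eap_method": None,
                              "password_found": False, "no_password_warning": False, "reply": None}
            stacks[m[1]] = []  # currently open section keys for this request
            continue
        for pattern, handler in HANDLERS:
            m = pattern.match(line)
            if m and m[1] in requests:
                handler(requests[m[1]], stacks[m[1]], m)
                break
    return requests

def authorize_modules(req):
    """Modules that ran in the request's outer authorize section, in order."""
    return [module for module, _ in req["sections"].get("authorize", [])]
def missing_in_authorize(broken, working):
    """Modules that ran in authorize for the working request but never for the broken one."""
    ran = set(authorize_modules(broken))
    return [module for module in authorize_modules(working) if module not in ran]
def diagnose(req):
    """One-line verdict based only on what the debug output shows."""
    if req["no_password_warning"] and not req["password_found"]:
        return ("mschap ran without a known-good password; authorize ran only: "
                + ", ".join(authorize_modules(req)))
    return "known-good password supplied in authorize" if req["password_found"] else "no password lookup observed"

if __name__ == "__main__":
    reqs = parse_debug(SAMPLE_EAP + SAMPLE_RADTEST)  # or parse_debug(open("radiusd.log").read())
    for n, r in reqs.items():
        print(f"({n}) eap={r['eap_method']} reply={r['reply']}: {diagnose(r)}")
    print("ran only for the working request:", ", ".join(missing_in_authorize(reqs["12"], reqs["13"])))
```

Run it as-is to see the report for the sample, or feed a full capture with `parse_debug(open(path).read())`; the request numbers to compare are the ones in parentheses at the start of each debug line, and the same comparison works for any pair of a failing and a passing request.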

