Configuring MSCHAP to use attributes from PASSWD

lingctam lingctam at hku.hk
Wed Jan 27 03:09:49 CET 2021


Dear Matthew, 

Thank you for your help. I have now called "files" in authorize{} but the following error comes up in debugging: 

(9) server inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9)     authorize {
(9)       policy filter_username {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@.*@/ ) {
(9)         if (&User-Name =~ /@.*@/ )  -> FALSE
(9)         if (&User-Name =~ /\\.\\./ ) {
(9)         if (&User-Name =~ /\\.\\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\\.$/)  {
(9)         if (&User-Name =~ /\\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\\./)  {
(9)         if (&User-Name =~ /@\\./)   -> FALSE
(9)       } # policy filter_username = notfound
(9)       [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "test", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "test"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9)       [suffix] = ok
(9)       if (Called-Station-Id =~ /SSID/) {
(9)       ERROR: Failed retrieving values required to evaluate condition

This is what is in the authorize section of the inner-tunnel: 

if (Called-Station-Id =~ /SSID/) { 
	files
}

After reading the documentation, this is what I added in "files":

test                Clear-text Password := "password"

What else could be missing? 

Thanks again for your help. 





-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+lingctam=hku.hk at lists.freeradius.org> On Behalf Of Matthew Newton
Sent: Monday, January 25, 2021 7:22 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Configuring MSCHAP to use attributes from PASSWD



On 25/01/2021 11:08, lingctam wrote:
> Could you please direct me to the correct way to configure the MSCHAP module to use the User-Name and Clear-Text Passwords from the PASSWD file?

If you mean /etc/passwd, then it's impossible. The password hashing is incompatible.

If you're using the files module then yes, you can just define Cleartext-Password as given in the examples that come with the server, and mschap will use that. You need to make sure you call "files" in authorize{} for the right users (if not all).

> I have added the expansion under authenticate in the following way:
> 
> Auth-Type MS-CHAP {
>                  %{mschap:"User-Name"} }

Use the default config that comes with the server, rather than trying to make up your own syntax. There's no need to change the config here.


> (9) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (9) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password

Because "files" hasn't been called in authorize{}, and passwd is 
incompatible.

-- 
Matthew