Configuring MSCHAP to use attributes from PASSWD
lingctam
lingctam at hku.hk
Wed Jan 27 03:09:49 CET 2021
Dear Matthew,
Thank you for your help. I have now called "files" in authorize{} but the following error comes up in debugging:
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ ) {
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ ) {
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/) {
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /@\\./) {
(9) if (&User-Name =~ /@\\./) -> FALSE
(9) } # policy filter_username = notfound
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "test", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "test"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) if (Called-Station-Id =~ /SSID/) {
(9) ERROR: Failed retrieving values required to evaluate condition
This is what is in the authorize section of the inner-tunnel:
if (Called-Station-Id =~ /SSID/) {
files
}
After reading the documentation, this is what I added in "files":
test Clear-text Password := "password"
What else could be missing?
Thanks again for your help.
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+lingctam=hku.hk at lists.freeradius.org> On Behalf Of Matthew Newton
Sent: Monday, January 25, 2021 7:22 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Configuring MSCHAP to use attributes from PASSWD
On 25/01/2021 11:08, lingctam wrote:
> Could you please direct me to the correct way to configure the MSCHAP module to use the User-Name and Clear-Text Passwords from the PASSWD file?
If you mean /etc/passwd, then it's impossible. The password hashing is incompatible.
If you're using the files module then yes, you can just define Cleartext-Password as given in the examples that come with the server, and mschap will use that. You need to make sure you call "files" in authorize{} for the right users (if not all).
> I have added the expansion under authenticate in the following way:
>
> Auth-Type MS-CHAP {
> %{mschap:"User-Name"} }
Use the default config that comes with the server, rather than trying to make up your own syntax. There's no need to change the config here.
> (9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
> (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
Because "files" hasn't been called in authorize{}, and passwd is incompatible.
--
Matthew