MSCHAPV2 for PP2P VPN

Leo Giusti leo.j.b.giusti at gmail.com
Thu Jan 11 02:12:45 UTC 2024


Hi Matthew, and thank you for your response.


I am providing the full output from a new test login with a different user
but am getting the exact same result. I have added a realm definition in
proxy.conf before doing this test.

(0) Received Access-Request Id 18 from 192.168.1.1:59973 to
192.168.1.124:1812 length 161
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "leo.giusti at home.win"
(0)   MS-CHAP-Challenge = 0x27e163edf32c2d798ef2e57f87d32767
(0)   MS-CHAP2-Response =
0xa400ee83ddefe9941705484493b26d7b4c6b0000000000000000e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1
(0)   Calling-Station-Id = "192.168.1.10"
(0)   NAS-IP-Address = 192.168.1.1
(0)   NAS-Port = 0
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "home.win" for User-Name = "leo.giusti at home.win
"
(0) suffix: Found realm "home.win"
(0) suffix: Adding Stripped-User-Name = "leo.giusti"
(0) suffix: Adding Realm = "home.win"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: Creating challenge hash with username: leo.giusti at home.win
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=leo.giusti
(0) mschap: Creating challenge hash with username: leo.giusti at home.win
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=4b2160a676fadd0d
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    -->
--nt-response=e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1
(0) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> leo.giusti at home.win
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 18 from 192.168.1.124:1812 to 192.168.1.1:59973
length 103
(0)   MS-CHAP-Error = "\244E=691 R=1 C=d95b8528834837c7eeb0cdf6582a92cd V=3
M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 18 with timestamp +25 due to
cleanup_delay was reached

On 10/01/2024 03:01, Leo Giusti wrote:
> >> I am able to authenticate against my domain with ntlm_auth with a
> username
> >> and password.
>
> >OK
>
> I will clarify that it works using both just username and username at home.win


> >> (0) suffix: Checking for suffix after "@"
> >> (0) suffix: Looking up realm "home.win" for User-Name =
> >> "joshua.sharpe at home.win"
> >> (0) suffix: No such realm "home.win"
> >> (0)     [suffix] = noop
>
> >Did not strip the realm.
>
> >You may need to add the realm to proxy.conf so that suffix can strip the
> >realm, or use the split_username_nai policy to do it in unlang.
>

I think I have this set up correctly now.

>
> >> (0) mschap: Creating challenge hash with username:
> joshua.sharpe at home.win
> >> (0) mschap: Client is using MS-CHAPv2
> >> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --allow-mschapv2
> >> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> >> --challenge=%{%{mschap:Challenge}:-00}
> >> --nt-response=%{%{mschap:NT-Response}:-00}:
> >> (0) mschap: EXPAND
> >> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> >> (0) mschap:    --> --username=joshua.sharpe at home.win
> >> (0) mschap: Creating challenge hash with username:
> joshua.sharpe at home.win
> >> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> >> (0) mschap:    --> --challenge=9c377afcf9835f65
> >> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> >> (0) mschap:    -->
> >> --nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
> >> (0) mschap: ERROR: Program returned code (1) and output 'The attempted
> >> logon is invalid. This is either due to a bad username or authentication
> >> information. (0xc000006d)'
> >> (0) mschap: External script failed
> >> (0) mschap: ERROR: External script says: The attempted logon is invalid.
> >> This is either due to a bad username or authentication information.
> >> (0xc000006d)
>
> >So the command you used to test is not the same as the command
> >FreeRADIUS is running, or the username or password is incorrect.
>
> >Does this authenticate successfully?
>
> >/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
> >--username=joshua.sharpe at home.win --challenge=9c377afcf9835f65
> >--nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
>
> >If not then you need to find out why. I suspect it's because the
> >username isn't stripped, and that just using "joshua.sharpe" would work.


leogiusti at TestRADIUS:~$ sudo ntlm_auth --request-nt-key --allow-mschapv2
--username=leo.giusti at home.win --challenge=4b2160a676fadd0d
--nt-response=e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1
The attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)
leogiusti at TestRADIUS:~$ sudo ntlm_auth --request-nt-key --allow-mschapv2
--username=leo.giusti --challenge=4b2160a676fadd0d
--nt-response=e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1
The attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)

-- 
> Matthew
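As an added example (not code from this thread or from the FreeRADIUS project), the Python below derives the 8-byte `--challenge` value that the mschap module hands to ntlm_auth from the two attributes in the Access-Request above, following RFC 2759 section 8.2, and shows that the exact username string is one of the inputs to that derivation. The attribute values are copied from the debug output above; the block parses the MS-CHAP2-Response layout and computes the challenge hash, but does not verify the NT-Response itself, which would need the account's NT password hash.

```python
import hashlib

# Attribute values copied from the Access-Request in the debug output above.
MS_CHAP_CHALLENGE = bytes.fromhex("27e163edf32c2d798ef2e57f87d32767")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "a400ee83ddefe9941705484493b26d7b4c6b0000000000000000"
    "e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1"
)


def parse_ms_chap2_response(attr: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548, section 2.3.3).

    Layout: Ident (1) | Flags (1) | Peer-Challenge (16) | Reserved (8) | Response (24).
    The Ident byte is echoed back in MS-CHAP-Error, which is why the
    Access-Reject above starts its error string with "\\244" (octal for 0xa4).
    """
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return {
        "ident": attr[0],
        "flags": attr[1],
        "peer_challenge": attr[2:18],
        "reserved": attr[18:26],
        "nt_response": attr[26:50],
    }


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash().

    Challenge = first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    Because UserName is hashed in, peer and server must use the identical string;
    any difference yields a different challenge and the NT-Response cannot verify.
    """
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def ntlm_auth_challenge(attr: bytes, authenticator_challenge: bytes,
                        username: str) -> str:
    """Hex string in the form mschap passes as --challenge= to ntlm_auth."""
    fields = parse_ms_chap2_response(attr)
    return challenge_hash(fields["peer_challenge"], authenticator_challenge, username).hex()


if __name__ == "__main__":
    # The log shows the hash was built with the full User-Name; compare both forms.
    for name in ("leo.giusti@home.win", "leo.giusti"):
        print(f"{name:22} -> --challenge={ntlm_auth_challenge(MS_CHAP2_RESPONSE, MS_CHAP_CHALLENGE, name)}")
```

The debug output above reports `--challenge=4b2160a676fadd0d`; whichever username form reproduces that value is the one the mschap module hashed, and the NT-Response can only verify if the client used the same string.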