mschap

Alan Batie alan at batie.org
Sat Feb 8 01:09:46 UTC 2025


On 2/7/25 4:48 PM, Alan DeKok wrote:
> On Feb 7, 2025, at 7:44 PM, Alan Batie <alan at batie.org> wrote:
>>
>> I'm migrating an outdated system from centos 5/freeradius 1.1.7
> 
>    Oh boy, that is decades old.

Yes, we've tried to update it before, but other things interfered.

>> to ubuntu 24/freeradius 3.2.5; it authenticates ppp connections via mschap by mac address with an sql procedure call. It doesn't look like there's anything to configure in mschap, the old system has all the mschap stuff commented out by default and so does the new system, but mschap is failing and it looks like it's not even getting to the sql part. It really just needs to ignore the mschap since the only part of it getting used is one of a few static usernames. I can send the full debug output privately if need be...
> 
>    The debug log doesn't show it running sql, or getting the "known good' password from anywhere.
> 
>    Where are the static usernames defined?

The client system is configured with a static user/pw; there's an SQL 
procedure that verifies the static user/pw, then checks the MAC address 
against the DB.

It's not getting to the sql because the mschap is failing, which gave me 
the idea of putting sql first. That passes, but mschap fails, so I 
tried just commenting out mschap, but then it complains that nothing is 
handling cleartext passwords. I'm not sure how it's working on the old 
system, since the point of CHAP is to avoid *having* passwords...

(0) Received Access-Request Id 23 from 10.65.23.69:40816 to 10.67.10.137:1812 length 294
(0)   Message-Authenticator = 0x7a435fe1cbf36ab524723fb9be348c31
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port-Type = Ethernet
(0)   User-Name = "<username>"
(0)   Calling-Station-Id = "<macaddr>"
(0)   Calling-Station-Id = "tarana-service"
(0)   NAS-Port-Id = "vlan2000-tarana"
(0)   Acct-Session-Id = "81f01557"
(0)   MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135
(0)   MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646530306330366137666137376464356132313063313662623037613235363063623563333838373264
(0)   NAS-Identifier = "admin03"
(0)   NAS-IP-Address = 207.55.16.41
(0)   NAS-Port = 15762707
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/peak
(0)   authorize {
(0) sql: EXPAND %{User-Name}
(0) sql:    --> <username>
(0) sql: SQL-User-Name set to '<username>'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND call onw_authorize_check('%{SQL-User-Name}','<secret>','%{Calling-Station-Id}');
(0) sql:    --> call onw_authorize_check('<username>','<secret>','<macaddr>');
(0) sql: Executing select query: call onw_authorize_check('<username>','<secret>','<macaddr>');
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "<secret>"
(0) sql:   Cleartext-Password := "<secret>"
(0) sql:   Cleartext-Password := "<secret>"
(0) sql: EXPAND call onw_authorize_reply('%{SQL-User-Name}','<secret>','%{Calling-Station-Id}');
(0) sql:    --> call onw_authorize_reply('<username>','<secret>','<macaddr>');
(0) sql: Executing select query: call onw_authorize_reply('<username>','<secret>','<macaddr>');
(0) sql: User found in radreply table, merging reply items
(0) sql:   Mikrotik-Rate-Limit := "22M/55M"
(0) sql:   Framed-Route := ""
(0) sql:   Framed-Route := "69.59.217.29/32"
(0) sql:   Framed-Route := ""
(0) sql: EXPAND SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'
(0) sql:    --> SELECT GroupName FROM usergroup WHERE UserName='<username>'
(0) sql: Executing select query: SELECT GroupName FROM usergroup WHERE UserName='<username>'
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version.
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.41-0ubuntu0.24.04.1, protocol version 10
(0)     [sql] = ok
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250207
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250207
(0) auth_log: EXPAND %t
(0) auth_log:    --> Fri Feb  7 16:59:12 2025
(0)     [auth_log] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = fail
(0)   } # authorize = fail
(0) Invalid user: [<username>] (from client admin01 port 15762707 cli <macaddr>)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/peak
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: WARNING: No such configuration item .query
(0)     [sql] = noop
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> <username>
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect: [<username>] (from client admin01 port 15762707 cli <macaddr>)
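As an added diagnostic that is not part of this thread or of FreeRADIUS, the Python below pulls the MS-CHAP attributes out of radiusd -X output and compares their octet lengths with the sizes RFC 2548 defines (16 octets for an MS-CHAPv2 challenge, 50 for MS-CHAP2-Response); the sample input is the two attribute lines from the debug output above, re-joined onto single lines, and the line-matching regex assumes the attribute layout seen there. Run on those two values it reports both as hex text of twice the expected size rather than raw octets, so it also shows how to undo that encoding and split a correctly sized response into its fields, which goes beyond anything the thread itself states.

```python
import re

# Octet lengths from RFC 2548: 16-octet challenge for MS-CHAPv2; 50-octet
# MS-CHAP2-Response = Ident 1 + Flags 1 + Peer-Challenge 16 + Reserved 8 + NT-Response 24.
EXPECTED_LEN = {"MS-CHAP-Challenge": 16, "MS-CHAP2-Response": 50}

# Constructed sample: the two attribute lines from the debug output above,
# each value joined back onto the same line as its attribute name.
SAMPLE_DEBUG = """\
(0)   MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135
(0)   MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646530306330366137666137376464356132313063313662623037613235363063623563333838373264
"""

ATTR_RE = re.compile(r"^\(\d+\)\s+(MS-CHAP-Challenge|MS-CHAP2-Response) = 0x([0-9a-fA-F]+)\s*$")

def parse_mschap_attrs(debug_text):
    """Return {attribute name: raw octets} for the MS-CHAP attributes in radiusd -X output."""
    found = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            found[m.group(1)] = bytes.fromhex(m.group(2))
    return found

def classify(name, value):
    """'ok' when the octet count matches RFC 2548; 'hex-text' when the value is twice
    that size and made only of hex digits (binary field sent as printable hex); else 'bad-length'."""
    expected = EXPECTED_LEN[name]
    if len(value) == expected:
        return "ok"
    if len(value) == 2 * expected and re.fullmatch(rb"[0-9a-fA-F]+", value):
        return "hex-text"
    return "bad-length"

def as_octets(name, value):
    """Return the value as raw octets, undoing the hex-text encoding if present."""
    return bytes.fromhex(value.decode("ascii")) if classify(name, value) == "hex-text" else value

def mschap2_fields(response):
    """Split a 50-octet MS-CHAP2-Response into its RFC 2548 fields."""
    if len(response) != EXPECTED_LEN["MS-CHAP2-Response"]:
        raise ValueError("MS-CHAP2-Response must be exactly 50 octets")
    return {"ident": response[0], "flags": response[1],
            "peer_challenge": response[2:18], "reserved": response[18:26],
            "nt_response": response[26:50]}

if __name__ == "__main__":
    attrs = parse_mschap_attrs(SAMPLE_DEBUG)
    for name, value in attrs.items():
        print(f"{name}: {len(value)} octets -> {classify(name, value)}")
    print(mschap2_fields(as_octets("MS-CHAP2-Response", attrs["MS-CHAP2-Response"])))
```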