I have a VPN that is talking MS-CHAPv2 to FreeRADIUS. I get an MS-CHAP mismatch and authentication failure even when I configure FR to use MS-CHAPv2. Am I missing a configuration spot? I can't put it in the users file since it only takes MS-CHAP as an argument.

I've read the docs, I bought the book (finished it last night at about 3), but I can't get this dog to hunt. Any assistance is greatly appreciated.

Anyway, here is the failure trace, followed by the mschap portion of radiusd.conf, the users section for demo user steve, and the startup trace which shows that it read mschap2?

TIA
======================================================
Listening on IP
address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.2:32770, id=11, length=121
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "steve"
MS-CHAP-Challenge = 0x0c530d958865359599f730d1efcef034
MS-CHAP2-Response = 0x010049f496e0e4edd9b5de36d648ff27c03d0000000000000000aa8dbe307bda7b321f02ad554eff263ceddcbeaed6301747
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "steve"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 11 to 192.168.0.2:32770
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 11 with timestamp 3daedbaa
============================================================
Here is the part of radiusd.conf where I tell it to use MS-CHAPv2:

# Microsoft CHAP authentication
#
# This module supports SAMBA passwd file authorization
# and MS-CHAP, MS-CHAPv2 authentication. However, we recommend
# using the 'passwd' module, below, as it's more general.
#
mschap {
    # if given, passwd shows location of
    # SAMBA passwd file
    # passwd = /etc/smbpasswd
    # please note that smbpasswd authorization in
    # mschap is for compatibility only. It works
    # slow and shouldn't be used.
    # use rlm_passwd module instead in authorize section
    # you can find configuration example for
    # passwd etc_smbpasswd
    # below
    #
    # authtype value, if present, will be used
    # to overwrite (or add) Auth-Type during
    # authorization. Normally should be MS-CHAP
    authtype = MS-CHAPv2
    # if ignore_password set to yes mschap will
    # ignore password set by any other module during
    # authorization and will always use password file
    ignore_password = yes
    # if use_mppe is not set to no mschap will
    # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
    # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
    use_mppe = yes
    # if mppe is enabled require_encryption makes
    # encryption moderate
    require_encryption = yes
    # require_strong always requires 128 bit key
    # encryption
    require_strong = yes
}
============================================================
Here is the users section for steve (I think Chap-Password instead of Password is correct...):

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
steve   Auth-Type := MS-CHAP, Chap-Password == "testing9"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
#
============================================================
Here is the start of the trace that shows that mschapv2 was loaded by modules!

HASH: Stored 37 entries from /etc/passwd
HASH: Stored 47 entries from /etc/group
Module: Instantiated unix (unix)
Module: Loaded MS-CHAP
mschap: ignore_password = yes
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAPv2"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
============================================================
This is interesting. It is the authorize section. I don't think I can put ms-chapv2 anywhere because it just says mschap, which I think just refers up higher in the radiusd.conf document to the mschap section. Is this correct?
authorize {
    #
    # The preprocess module takes care of sanitizing some bizarre
    # attributes in the request, and turning them into attributes
    # which are more standard.
    #
    # It takes care of processing the 'raddb/hints' and the
    # 'raddb/huntgroups' files.
    #
    # It also adds a Client-IP-Address attribute to the request.
    #
    preprocess
    #
    # The chap module will set 'Auth-Type := CHAP' if we are
    # handling a CHAP request and Auth-Type has not already been set
    #
    # chap
    # counter
    # attr_filter
    # eap
    suffix
    files
    # etc_smbpasswd
    #
    # Uncomment 'mschap' if the users are logging in with an
    # MS-CHAP-Challenge attribute for authentication. The mschap
    # module will find the MS-CHAP-Challenge attribute, and add
    # 'Auth-Type := MS-CHAP' to the request, which makes it use
    # the mschap module for authentication.
    #
    mschap
============================================================
Also from radiusd.conf, just below the section above.

# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the apropriate module from the list below.
#
# The default Auth-Type is Local. That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local
#
# So you should do the following:
# Set Auth-Type to an appropriate value in the authorize section. For example chap
# will set Auth-Type to CHAP, ldap to LDAP etc
# After that create corresponding authtype sections in the authenticate section below
# and call the appropriate modules (chap for CHAP etc)
authenticate {
    # pam
    unix
    # Uncomment it if you want to use ldap for authentication
    # authtype LDAP {
    #     ldap
    # }
    mschap
    # eap
    # Uncomment it if you want to support CHAP
    # authtype CHAP {
    #     chap
    # }
    # Uncomment the following if you want to support PAP and you
    # extract user passwords from the user database (LDAP,SQL, etc).
    # You should use the 'files'module to set 'Auth-Type := PAP' for
    # this to work.
    # authtype PAP {
    #     pap
    # }
    #
}
============================================================
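As an added example, not part of the post above and not FreeRADIUS code, here is a small Python triage script for a `radiusd -X` trace of the shape shown in the post. It pulls out the Access-Request attributes, the `users` file matches, each module's return code per section, the Auth-Type that `rad_check_password` settled on, and the MS-CHAP-Error sent back in the Access-Reject, then reports the mismatches a reviewer would look for. The embedded trace is an abridged copy of the one posted (hex values shortened, idle "Walking the entire request list" lines dropped); the finding names and the wording of the findings are this example's own, and the numeric MS-CHAP error codes are taken from RFC 2759.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the radiusd -X trace from the post (constructed sample:
# hex values shortened, idle request-list lines removed).
SAMPLE_TRACE = r"""rad_recv: Access-Request packet from host 192.168.0.2:32770, id=11, length=121
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "steve"
        MS-CHAP-Challenge = 0x0c530d958865359599f730d1efcef034
        MS-CHAP2-Response = 0x010049f496e0e4edd9b5de36d648ff27c03d00000000
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "steve"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 11 to 192.168.0.2:32770
        MS-CHAP-Error = "\001E=691 R=1"
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')          # indented attribute lines
MODCALL_RE = re.compile(r'^modcall\[(\w+)\]: module "([\w-]+)" returns (\w+)')
USERS_RE = re.compile(r'^users: Matched (\S+) at (\d+)')
AUTHTYPE_RE = re.compile(r'^rad_check_password: Found Auth-Type (\S+)')
REJECT_RE = re.compile(r'^Sending Access-Reject of id (\d+)')
MSCHAP_ERR_RE = re.compile(r'E=(\d+) R=(\d)')

# MS-CHAP-Error codes as defined in RFC 2759 section 6
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                 648: "password expired", 649: "no dial-in permission",
                 691: "authentication failure", 709: "changing password"}


@dataclass
class Trace:
    request: dict = field(default_factory=dict)   # Access-Request attributes
    reply: dict = field(default_factory=dict)     # Access-Reject attributes
    modcalls: list = field(default_factory=list)  # (section, module, rcode)
    matched: list = field(default_factory=list)   # (users entry, line number)
    auth_type: str = ""
    rejected: bool = False


def parse_trace(text: str) -> Trace:
    t = Trace()
    target = None  # attribute dict that following indented lines belong to
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            target = t.request
            continue
        if REJECT_RE.match(line):
            t.rejected = True
            target = t.reply
            continue
        m = ATTR_RE.match(line)
        if m and target is not None:
            target[m.group(1)] = m.group(2)
            continue
        target = None  # first non-attribute line ends the attribute list
        if m := MODCALL_RE.match(line):
            t.modcalls.append((m.group(1), m.group(2), m.group(3)))
        elif m := USERS_RE.match(line):
            t.matched.append((m.group(1), int(m.group(2))))
        elif m := AUTHTYPE_RE.match(line):
            t.auth_type = m.group(1)
    return t


def diagnose(t: Trace) -> list:
    """Return (code, explanation) findings for a failed MS-CHAP request."""
    findings = []
    user = t.request.get("User-Name", "").strip('"')
    is_mschap = any(a in t.request for a in ("MS-CHAP-Response", "MS-CHAP2-Response"))
    if is_mschap and t.auth_type and not t.auth_type.upper().startswith("MS-CHAP"):
        findings.append(("WRONG_AUTH_TYPE",
                         f"request carries MS-CHAP attributes but Auth-Type resolved to "
                         f"{t.auth_type}; an earlier authorize module set it before mschap ran"))
    entries = {e for e, _ in t.matched}
    if user and t.matched and user not in entries:
        findings.append(("USER_ENTRY_NOT_MATCHED",
                         f"users file matched only {sorted(entries)} for {user!r}; "
                         f"the per-user entry's check items did not match the request"))
    for section, module, rcode in t.modcalls:
        if section == "authorize" and module == "mschap" and rcode == "notfound":
            findings.append(("MSCHAP_NOTFOUND",
                             "mschap returned notfound in authorize, so it set no Auth-Type"))
        if section == "authenticate" and rcode == "invalid":
            why = " (rlm_unix needs a cleartext User-Password, which an MS-CHAP request does not carry)" \
                if module == "unix" else ""
            findings.append(("AUTHENTICATE_INVALID", f"module {module!r} returned invalid{why}"))
    if m := MSCHAP_ERR_RE.search(t.reply.get("MS-CHAP-Error", "")):
        code, retry = int(m.group(1)), m.group(2) == "1"
        findings.append(("MSCHAP_ERROR",
                         f"client was told E={code} ({MSCHAP_ERRORS.get(code, 'unknown')}), "
                         f"retry {'allowed' if retry else 'not allowed'}"))
    return findings


if __name__ == "__main__":
    for code, text in diagnose(parse_trace(SAMPLE_TRACE)):
        print(f"{code:24} {text}")
```

On the posted trace the script reports exactly the chain visible in the log: the request carries MS-CHAP2-Response, the `files` module matched only DEFAULT entries rather than the `steve` line, Auth-Type ended up as System, `unix` then demanded a User-Password that an MS-CHAP request never contains, and the client was sent E=691 (authentication failure) with retry allowed. Feeding it a fresh trace after each configuration change is a quick way to confirm whether the Auth-Type is now being set by the mschap module.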
