Hi,
I'm not a newbie to RADIUS or FreeRADIUS, but I'm a newbie in MSCHAP/MSCHAPv2 authentication.
I have a fresh FreeRADIUS server installed on a RedHat 8.0 box, w/ kernel 2.4.20.
I'm using the latest version of FreeRADIUS at this time (FreeRADIUS Version 0.8.1, for host i686-pc-linux-gnu, built on Mar 7 2003 at 12:11:12), installed from the .tar.gz package.
The RADIUS authentication is working, and also the accounting is fine. But I can just authenticate using PAP/CHAP methods. As I need to put MPPE over my connections, I must authenticate using MSCHAP/MSCHAPv2, and it has not been easy or well-documented (in two days searching over the internet, I couldn't find any useful article/email).
Below are my authentication logs (for PAP/CHAP) - those ones work:
Tue Mar 25 11:18:30 2003 : Auth: Login OK: [igor/mypassword123] (from client RAS_TEST port 0)
Tue Mar 25 11:19:16 2003 : Auth: Login OK: [igor/<CHAP-Password>] (from client RAS_TEST port 0)
And now, when I try with MSCHAPv2:
Tue Mar 25 11:33:02 2003 : Auth: Login incorrect: [igor/<no User-Password attribute>] (from client develop-rec port 0)
And if I go to the user settings and force MSCHAP auth (Auth-Type == MS-CHAP):
Tue Mar 25 11:35:16 2003 : Error: rlm_mschap: No LM/NT password configured. Check authorization.
Tue Mar 25 11:35:16 2003 : Auth: Login incorrect: [igor/<no User-Password attribute>] (from client develop-rec port 0)
When I execute the RADIUS with the -X option, I got this dump when I try to auth using MSCHAP:
------- START ---------
rad_recv: Access-Request packet from host 192.168.2.6:32861, id=168, length=144
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP-Challenge = 0x83e1cbaedd8cc8b8af29ebc4b5a922d8
        MS-CHAP2-Response = 0x01002ae59a8e96df154f317aa76840a4f05c0000000000000000fffb3d38d774b8fb2466cade8b56ed8dbcf76ea3ae7977d9
        NAS-IP-Address = 192.168.2.6
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm fastbee.net for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = "igor"
rlm_realm: Proxying request from user igor to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop
    users: Checking igor at 154
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
    users: Matched DEFAULT at 182
    users: Matched DEFAULT at 201
    users: Matched DEFAULT at 213
modcall[authorize]: module "files" returns ok
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,login,radius_atributo,senha,radius_operacao FROM tb_mercurius_login WHERE login = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT tb_mercurius_radius_radgroupcheck.id,tb_mercurius_radius_radgroupcheck.GroupName,tb_mercurius_radius_radgroupcheck.Attribute,tb_mercurius_radius_radgroupcheck.Value,tb_mercurius_radius_radgroupcheck.op FROM tb_mercurius_radius_radgroupcheck,tb_mercurius_login WHERE tb_mercurius_login.login = '[EMAIL PROTECTED]' AND tb_mercurius_login.radius_grupo = tb_mercurius_radius_radgroupcheck.GroupName ORDER BY tb_mercurius_radius_radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM tb_mercurius_radius_radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT tb_mercurius_radius_radgroupreply.id,tb_mercurius_radius_radgroupreply.GroupName,tb_mercurius_radius_radgroupreply.Attribute,tb_mercurius_radius_radgroupreply.Value,tb_mercurius_radius_radgroupreply.op FROM tb_mercurius_radius_radgroupreply,tb_mercurius_login WHERE tb_mercurius_login.login = '[EMAIL PROTECTED]' AND tb_mercurius_login.radius_grupo = tb_mercurius_radius_radgroupreply.GroupName ORDER BY tb_mercurius_radius_radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: No LM/NT password configured. Check authorization.
modcall[authenticate]: module "mschap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.
Login incorrect: [igor/<no User-Password attribute>] (from client RAS_TEST port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 168 to 192.168.2.6:32861
        MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 168 with timestamp 3e8069b4
Nothing to do.  Sleeping until we see a request.
-------------- END ----------------
Below is my configuration file (I have split out the commented lines to make it smaller):
OBS: I'm using high-level logging because this is a test server.
-------------- START -----------------
prefix = /usr/local/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = yes
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = clear
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        md5 {
        }
    }
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        tls_mode = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmslash {
        format = prefix
        delimiter = "/"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
}
instantiate {
    expr
}
authorize {
    preprocess
    chap
    mschap
    suffix
    files
    sql
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
    unix
}
preacct {
    preprocess
    suffix
    files
}
accounting {
    acct_unique
    detail
    radutmp
    sql
}
session {
    radutmp
}
post-auth {
}
--- END ---
Sorry about the size of the email, but I really don't know what's going
on.
Regards,
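The debug line "rlm_mschap: No LM/NT password configured. Check authorization." is the key to the failure above: MS-CHAP and MS-CHAPv2 responses are computed from the NT hash of the password (MD4 over its UTF-16LE encoding), so the server can only verify them if the authorize stage hands it that hash (NT-Password), the older LM hash, or a clear-text password from which it can derive the hash. A crypt()- or MD5-hashed password column, which works fine for PAP, is useless here. The script below is an added example written for this thread; it is not FreeRADIUS code and not the poster's. It implements MD4 in pure Python (hashlib may lack MD4 on builds where OpenSSL's legacy provider is disabled), derives the NT hash, and models the precondition behind that error message. Which check items rlm_mschap 0.8.1 accepts and exactly how it derives NT-Password from a clear-text User-Password are assumptions stated in the code; check the rlm_mschap documentation shipped with your release for the exact users-file or SQL value syntax. Note that the NT hash is password-equivalent: anyone holding it can authenticate as the user, so it must be stored and transported with the same care as the clear-text password.

```python
"""Derive the NT-Password hash that MS-CHAP/MS-CHAPv2 verification needs.

Added example for this thread, not FreeRADIUS code. MD4 is implemented in
pure Python (RFC 1320) so the script runs without OpenSSL's legacy provider.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: little-endian 32-bit words, 64-byte blocks."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"                                   # mandatory 1-bit then zeros
    data += b"\x00" * ((56 - len(data) % 64) % 64)    # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)                # 64-bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F(x,y,z) = (x & y) | (~x & z), message words in order
        for i in range(16):
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK,
                      (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c      # rotate registers (a,b,c,d) -> (d,a,b,c)
        # Round 2: G = majority function, word order 0,4,8,12,1,5,...
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H = xor, word order 0,8,4,12,2,10,...
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE encoding of the password (no BOM, no NUL).

    This is the value MS-CHAP/MS-CHAPv2 peers use to build their response, so
    a server must hold it (or the clear-text password) to verify the response.
    """
    return md4(password.encode("utf-16-le"))


def nt_hash_hex(password: str) -> str:
    """Hex form of the NT hash, the usual representation for an NT-Password value."""
    return nt_hash(password).hex().upper()


def mschap_can_authenticate(check_items: dict):
    """Simplified model (assumption, not the module's code) of the precondition
    behind 'rlm_mschap: No LM/NT password configured. Check authorization.'

    check_items models what authorize (users file, SQL, LDAP) supplied. A hashed
    PAP-style password such as crypt() output is deliberately not accepted:
    the NT hash cannot be derived from it.
    """
    if "NT-Password" in check_items or "LM-Password" in check_items:
        return True, "hash supplied by authorize"
    if "User-Password" in check_items:          # clear text: hash is derivable
        return True, "NT-Password derived: " + nt_hash_hex(check_items["User-Password"])
    return False, "No LM/NT password configured. Check authorization."


if __name__ == "__main__":
    # Constructed sample values; "password" is a well-known NT-hash test input.
    print("NT-Password for 'password':", nt_hash_hex("password"))
    for items in ({}, {"Crypt-Password": "$1$constructed$"},
                  {"User-Password": "password"}, {"NT-Password": nt_hash_hex("password")}):
        print(sorted(items), "->", mschap_can_authenticate(items))
```

Run it once with the real password of a test account and compare the hex output with whatever your SQL `senha` column currently holds: if the column is a crypt() or MD5 string rather than the clear text or this 32-hex-digit NT hash, the "No LM/NT password" rejection follows directly.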