Hi 3APA3A,

My authorization section looks like this:

authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        #
        #  It also adds a Client-IP-Address attribute to the request.
        preprocess

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
        mschap

#       counter
#       attr_filter
#       eap
        suffix
        files
        sql
#       etc_smbpasswd
# The ldap module will set Auth-Type to LDAP if it has not already been set
#       ldap
}

Where should I move MSCHAP?

Regards,
Igor
--
[EMAIL PROTECTED]

----- Original Message -----
From: "3APA3A" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Igor Maciel Macaubas"
<[EMAIL PROTECTED]>
Cc: "freeradius users" <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 11:54 AM
Subject: Re: Problems with MS-CHAP/MS-CHAPv2


Dear Igor Maciel Macaubas,

Put mschap after users in authorization.

--Tuesday, March 25, 2003, 5:50:22 PM, you wrote to
[EMAIL PROTECTED]:

IMM> Hi,

IMM> I'm not a newbie to RADIUS or FreeRADIUS, but I'm a newbie in
MSCHAP/MSCHAPv2 authentication.
IMM> I have a fresh FreeRADIUS server installed on a RedHat 8.0 box, w/
kernel 2.4.20.
IMM> I'm using the latest version of FreeRADIUS at this time (FreeRADIUS
Version 0.8.1, for host i686-pc-linux-gnu, built on Mar  7 2003 at
12:11:12), installed from the .tar.gz package.
IMM> The RADIUS authentication is working, and also the accounting is fine.
But I can just authenticate using PAP/CHAP methods. As I need to put mppe
over my connections, I must authenticate using
IMM> MSCHAP/MSCHAPv2, and it has not been easy or well-documented. (in two
days searching over the internet, I couldn't find any useful
article/email).

IMM> Below are my authentication logs (for PAP/CHAP) - those ones work:
IMM> Tue Mar 25 11:18:30 2003 : Auth: Login OK: [igor/mypassword123] (from
client RAS_TEST port 0)
IMM> Tue Mar 25 11:19:16 2003 : Auth: Login OK: [igor/<CHAP-Password>] (from
client RAS_TEST port 0)

IMM> And now, when I try with MSCHAPv2:
IMM> Tue Mar 25 11:33:02 2003 : Auth: Login incorrect: [igor/<no
User-Password attribute>] (from client develop-rec port 0)

IMM> And if I go to the user settings and force MSCHAP auth (Auth-type ==
MS-CHAP):
IMM> Tue Mar 25 11:35:16 2003 : Error: rlm_mschap: No LM/NT password
configured. Check authorization.
IMM> Tue Mar 25 11:35:16 2003 : Auth: Login incorrect: [igor/<no
User-Password attribute>] (from client develop-rec port 0)

IMM> When I execute RADIUS with the -X option, I get this dump when I try to
auth using MSCHAP:
IMM> ------- START ---------
IMM> rad_recv: Access-Request packet from host 192.168.2.6:32861, id=168,
length=144
IMM>         Service-Type = Framed-User
IMM>         Framed-Protocol = PPP
IMM>         User-Name = "[EMAIL PROTECTED]"
IMM>         MS-CHAP-Challenge = 0x83e1cbaedd8cc8b8af29ebc4b5a922d8
IMM>         MS-CHAP2-Response = 0x01002ae59a8e96df154f317aa76840a4f05c0000000000000000fffb3d38d774b8fb2466cade8b56ed8dbcf76ea3ae7977d9
IMM>         NAS-IP-Address = 192.168.2.6
IMM>         NAS-Port = 0
IMM> modcall: entering group authorize
IMM>   modcall[authorize]: module "preprocess" returns ok
IMM> rlm_chap: Could not find proper Chap-Password attribute in request
IMM>   modcall[authorize]: module "chap" returns noop
IMM>   modcall[authorize]: module "mschap" returns notfound
IMM>     rlm_realm: Looking up realm fastbee.net for User-Name =
"[EMAIL PROTECTED]"
IMM>     rlm_realm: Found realm DEFAULT
IMM>     rlm_realm: Adding Stripped-User-Name = "igor"
IMM>   rlm_realm: Proxying request from user igor to realm DEFAULT
IMM>     rlm_realm: Adding Realm = "DEFAULT"
IMM> rlm_realm:  Authentication realm is LOCAL.
IMM>   modcall[authorize]: module "suffix" returns noop
IMM>     users: Checking igor at 154
IMM>   rad_check_password:  Found Auth-Type Local
IMM> auth: type Local
IMM> auth: No User-Password or CHAP-Password attribute in the request
IMM>     users: Matched DEFAULT at 182
IMM>     users: Matched DEFAULT at 201
IMM>     users: Matched DEFAULT at 213
IMM>   modcall[authorize]: module "files" returns ok
IMM> radius_xlat:  '[EMAIL PROTECTED]'
IMM> rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
IMM> radius_xlat:  'SELECT id,login,radius_atributo,senha,radius_operacao
FROM tb_mercurius_login WHERE login = '[EMAIL PROTECTED]' ORDER BY id'
IMM> rlm_sql (sql): Reserving sql socket id: 4
IMM> radius_xlat:  'SELECT tb_mercurius_radius_radgroupcheck.id,tb_mercurius_radius_radgroupcheck.GroupName,tb_mercurius_radius_radgroupcheck.Attribute,tb_mercurius_radius_radgroupcheck.Value,tb_mercurius_radius_radgroupcheck.op
IMM>  FROM tb_mercurius_radius_radgroupcheck,tb_mercurius_login WHERE tb_mercurius_login.login = '[EMAIL PROTECTED]' AND tb_mercurius_login.radius_grupo = tb_mercurius_radius_radgroupcheck.GroupName
IMM> ORDER BY tb_mercurius_radius_radgroupcheck.id'
IMM> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM
tb_mercurius_radius_radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY
id'
IMM> radius_xlat:  'SELECT tb_mercurius_radius_radgroupreply.id,tb_mercurius_radius_radgroupreply.GroupName,tb_mercurius_radius_radgroupreply.Attribute,tb_mercurius_radius_radgroupreply.Value,tb_mercurius_radius_radgroupreply.op
IMM>  FROM tb_mercurius_radius_radgroupreply,tb_mercurius_login WHERE tb_mercurius_login.login = '[EMAIL PROTECTED]' AND tb_mercurius_login.radius_grupo = tb_mercurius_radius_radgroupreply.GroupName
IMM> ORDER BY tb_mercurius_radius_radgroupreply.id'
IMM> rlm_sql (sql): Released sql socket id: 4
IMM>   modcall[authorize]: module "sql" returns ok
IMM> modcall: group authorize returns ok
IMM>   rad_check_password:  Found Auth-Type MS-CHAP
IMM> auth: type "MS-CHAP"
IMM> modcall: entering group authtype
IMM> rlm_mschap: No LM/NT password configured. Check authorization.
IMM>   modcall[authenticate]: module "mschap" returns invalid
IMM> modcall: group authtype returns invalid
IMM> auth: Failed to validate the user.
IMM> Login incorrect: [igor/<no User-Password attribute>] (from client
RAS_TEST port 0)
IMM> Delaying request 0 for 1 seconds
IMM> Finished request 0
IMM> Going to the next request
IMM> --- Walking the entire request list ---
IMM> Waking up in 1 seconds...
IMM> --- Walking the entire request list ---
IMM> Waking up in 1 seconds...
IMM> --- Walking the entire request list ---
IMM> Sending Access-Reject of id 168 to 192.168.2.6:32861
IMM>         MS-CHAP-Error = "\001E=691 R=1"
IMM> Waking up in 4 seconds...
IMM> --- Walking the entire request list ---
IMM> Cleaning up request 0 ID 168 with timestamp 3e8069b4
IMM> Nothing to do.  Sleeping until we see a request.
IMM> -------------- END ----------------

IMM> Below is my configuration file (I have split out the commented
lines to make it smaller):
IMM> OBS: I'm using high-level logging because this is a test server.
IMM> -------------- START -----------------

IMM> prefix = /usr/local/freeradius
IMM> exec_prefix = ${prefix}
IMM> sysconfdir = ${prefix}/etc
IMM> localstatedir = ${prefix}/var
IMM> sbindir = ${exec_prefix}/sbin
IMM> logdir = ${localstatedir}/log/radius
IMM> raddbdir = ${sysconfdir}/raddb
IMM> radacctdir = ${logdir}/radacct
IMM> confdir = ${raddbdir}
IMM> run_dir = ${localstatedir}/run/radiusd
IMM> log_file = ${logdir}/radius.log
IMM> libdir = ${exec_prefix}/lib
IMM> pidfile = ${run_dir}/radiusd.pid

IMM> user = radius
IMM> group = radius

IMM> max_request_time = 30
IMM> delete_blocked_requests = no

IMM> cleanup_delay = 5
IMM> max_requests = 1024
IMM> bind_address = *
IMM> port = 1812
IMM> hostname_lookups = no
IMM> allow_core_dumps = no
IMM> regular_expressions     = yes
IMM> extended_expressions    = yes

IMM> log_stripped_names = yes
IMM> log_auth = yes
IMM> log_auth_badpass = yes
IMM> log_auth_goodpass = yes
IMM> usercollide = yes
IMM> lower_user = no
IMM> lower_pass = no
IMM> nospace_user = no
IMM> nospace_pass = no

IMM> checkrad = ${sbindir}/checkrad

IMM> security {
IMM>         max_attributes = 200
IMM>         reject_delay = 1
IMM>         status_server = no
IMM> }

IMM> proxy_requests  = no
IMM> $INCLUDE  ${confdir}/proxy.conf
IMM> $INCLUDE  ${confdir}/clients.conf
IMM> $INCLUDE  ${confdir}/snmp.conf

IMM> thread pool {
IMM>         start_servers = 5
IMM>         max_servers = 32
IMM>         min_spare_servers = 3
IMM>         max_spare_servers = 10
IMM>         max_requests_per_server = 0
IMM> }

IMM> modules {
IMM>         pap {
IMM>                 encryption_scheme = clear
IMM>         }
IMM>         chap {
IMM>                 authtype = CHAP
IMM>         }
IMM>         pam {
IMM>                 pam_auth = radiusd
IMM>         }
IMM>         unix {
IMM>                 cache = no
IMM>                 cache_reload = 600
IMM>                 radwtmp = ${logdir}/radwtmp
IMM>         }

IMM>         eap {
IMM>                 md5 {
IMM>                 }
IMM>         }

IMM>         mschap {
IMM>                 authtype = MS-CHAP
IMM>         }

IMM>         ldap {
IMM>                 server = "ldap.your.domain"
IMM>                 basedn = "o=My Org,c=UA"
IMM>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
IMM>                 start_tls = no
IMM>                 tls_mode = no
IMM>                 access_attr = "dialupAccess"
IMM>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
IMM>                 ldap_connections_number = 5
IMM>                 timeout = 4
IMM>                 timelimit = 3
IMM>                 net_timeout = 1
IMM>         }

IMM>         realm suffix {
IMM>                 format = suffix
IMM>                 delimiter = "@"
IMM>         }

IMM>         realm realmslash {
IMM>                 format = prefix
IMM>                 delimiter = "/"
IMM>         }

IMM>         realm realmpercent {
IMM>                 format = suffix
IMM>                 delimiter = "%"
IMM>         }

IMM>         preprocess {
IMM>                 huntgroups = ${confdir}/huntgroups
IMM>                 hints = ${confdir}/hints
IMM>                 with_ascend_hack = no
IMM>                 ascend_channels_per_line = 23
IMM>                 with_ntdomain_hack = no
IMM>                 with_specialix_jetstream_hack = no
IMM>                 with_cisco_vsa_hack = no
IMM>         }

IMM>         files {
IMM>                 usersfile = ${confdir}/users
IMM>                 acctusersfile = ${confdir}/acct_users
IMM>                 compat = no
IMM>         }

IMM>         detail {
IMM>                 detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
IMM>                 detailperm = 0600
IMM>         }

IMM>         acct_unique {
IMM>                 key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
IMM>         }

IMM>         $INCLUDE  ${confdir}/sql.conf

IMM>         radutmp {
IMM>                 filename = ${logdir}/radutmp
IMM>                 perm = 0600
IMM>                 callerid = "yes"
IMM>         }

IMM>         radutmp sradutmp {
IMM>                 filename = ${logdir}/sradutmp
IMM>                 perm = 0644
IMM>                 callerid = "no"
IMM>         }

IMM>         attr_filter {
IMM>                 attrsfile = ${confdir}/attrs
IMM>         }

IMM>         counter {
IMM>                 filename = ${raddbdir}/db.counter
IMM>                 key = User-Name
IMM>                 count-attribute = Acct-Session-Time
IMM>                 reset = daily
IMM>                 counter-name = Daily-Session-Time
IMM>                 check-name = Max-Daily-Session
IMM>                 allowed-servicetype = Framed-User
IMM>                 cache-size = 5000
IMM>         }

IMM>         always fail {
IMM>                 rcode = fail
IMM>         }
IMM>         always reject {
IMM>                 rcode = reject
IMM>         }
IMM>         always ok {
IMM>                 rcode = ok
IMM>                 simulcount = 0
IMM>                 mpp = no
IMM>         }

IMM>         expr {
IMM>         }


IMM> }

IMM> instantiate {
IMM>         expr
IMM> }

IMM> authorize {
IMM>         preprocess
IMM>         chap
IMM>         mschap
IMM>         suffix
IMM>         files
IMM>         sql
IMM> }

IMM> authenticate {
IMM>         authtype PAP {
IMM>                 pap
IMM>         }

IMM>         authtype CHAP {
IMM>                 chap
IMM>         }

IMM>         authtype MS-CHAP {
IMM>                 mschap
IMM>         }
IMM>         unix
IMM> }

IMM> preacct {
IMM>         preprocess
IMM>         suffix
IMM>         files
IMM> }

IMM> accounting {
IMM>         acct_unique
IMM>         detail
IMM>         radutmp
IMM>         sql
IMM> }

IMM> session {
IMM>         radutmp
IMM> }

IMM> post-auth {
IMM> }

IMM> --- END ---

IMM> Sorry about the size of the email, but I really don't know what's going
on.

IMM> Regards,
IMM> Igor
IMM> --
IMM> [EMAIL PROTECTED]


--
~/ZARAZA


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
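Added example (not from this thread or from FreeRADIUS itself): a small Python model of why the module order in authorize matters here. It assumes, as a simplification, that the mschap authorize step needs a cleartext User-Password check item (from files or sql) to derive NT-Password, and that the MS-CHAP authenticate step rejects the request when that hash is absent; the users-file entry and Access-Request are constructed, with the password and challenge taken from the log lines above.

```python
import struct

def md4(data: bytes) -> bytes:  # pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, idx, sh, k in ((F, range(16), (3, 7, 11, 19), 0), (G, R2, (3, 5, 9, 13), 0x5A827999), (H, R3, (3, 9, 11, 15), 0x6ED9EBA1)):
            for i, j in enumerate(idx):  # register rotation keeps (a, b, c, d) in RFC order every 4 steps
                a, d, c, b = d, c, b, rol((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, sh[i % 4])
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_password(cleartext: str) -> bytes:
    return md4(cleartext.encode("utf-16-le"))  # NT-Password is MD4 over the UTF-16LE password

USERS = {"igor": {"User-Password": "mypassword123"}}  # constructed stand-in for raddb/users or the SQL radcheck rows

def files_authorize(request: dict, control: dict) -> str:
    entry = USERS.get(request["User-Name"])  # adds the user's check items to the control list
    control.update(entry or {})
    return "ok" if entry else "notfound"

def mschap_authorize(request: dict, control: dict) -> str:
    if "MS-CHAP-Challenge" not in request:
        return "noop"
    control.setdefault("Auth-Type", "MS-CHAP")
    if "User-Password" not in control:
        return "notfound"  # nothing to hash yet: files/sql have not run, so no NT-Password is produced
    control["NT-Password"] = nt_password(control["User-Password"])
    return "ok"

def mschap_authenticate(control: dict) -> str:
    # Without NT-Password this is the "rlm_mschap: No LM/NT password configured. Check authorization." case
    return "ok" if "NT-Password" in control else "invalid"

def run_authorize(order) -> str:
    # Constructed Access-Request; the challenge value is the one from the -X dump in the thread
    request = {"User-Name": "igor", "MS-CHAP-Challenge": bytes.fromhex("83e1cbaedd8cc8b8af29ebc4b5a922d8")}
    control: dict = {}  # check items accumulated by the authorize modules, in listed order
    for module in order:
        module(request, control)
    return mschap_authenticate(control)
```

run_authorize([mschap_authorize, files_authorize]) reproduces the "invalid" outcome from the dump, while run_authorize([files_authorize, mschap_authorize]) yields "ok".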
