Hello,
I have been asked to run through some disaster recovery checks for our
servers, and one (pair) of these servers runs RADIUS but does so in
order to talk to a Microsoft IAS server (for the actual authentication).
In the event of a disaster the IAS server may be lost, and as such I
would like to be able to put into the 'users' file a DEFAULT entry to
simply allow all users through.
Users connecting to this system for authentication are required to be
using MS-CHAPv2 with MPPE and strong encryption. There is no problem
with this, and entering users into the users file itself for
authentication works fine. However, I am having a lot of trouble trying
to get it to just let all users through.
If I have an entry in the users file such as:
fred Auth-Type := Local, User-Password == "anything"
this works fine. Debug output from radiusd shows:
==========================================================
rad_recv: Access-Request packet from host 127.0.0.1:37229, id=55,
length=135
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "fred"
MS-CHAP-Challenge = 0x7ff02513996443c04f7d280a820730b5
MS-CHAP2-Response = 0x01009d037c05f32b32648cc561c047c5e56c00000000000000000974512bcb2c65addd6edab9c9caf4d18660ae908b206e03
NAS-IP-Address = 141.163.163.250
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched fred at 220
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [fred] (from client localhost port 0)
Sending Access-Accept of id 55 to 127.0.0.1:37229
MS-CHAP2-Success = 0x01533d42424438423038344545373041393441463244373339324645323833434437313343424543413641
MS-MPPE-Recv-Key = 0xdf02432bffb7b8b4313cdb04515ecba440ba63a8bc4a95a2a425f4c225cd850416dc
MS-MPPE-Send-Key = 0xdf01d4b2fc3bf9cb6054f92175106cf105f49e8d3408586aa2af17f0e615fc5ffc01
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
Finished request 0
==================================================================
This all works fine; the user is authenticated and radiusd sees that
MS-CHAPv2 is being used (and is to be used).
However, if I simply change the users file entry to:
fred Auth-Type := Local, User-Password != "anything"
specifying that the password should not be 'anything', then it doesn't work.
That is, I cannot authenticate. The radiusd output shows:
===================================================================
rad_recv: Access-Request packet from host 127.0.0.1:38635, id=130,
length=135
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "fred"
MS-CHAP-Challenge = 0x5079b24962676ca1fefc3a935a7c4a12
MS-CHAP2-Response = 0x0100021413eac173639764d57968f33043e30000000000000000b49cc542c3a9427787a46df5e94e67efef8c75e935267049
NAS-IP-Address = 141.163.163.250
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched fred at 222
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: Authentication failed
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [fred] (from client localhost port 0)
Delaying request 0 for 5 seconds
Finished request 0
===================================================================
My thought was to make a default entry such as:
DEFAULT Auth-Type := Local, User-Password != "something"
I have tried, from the FAQ, using just 'Auth-Type = Accept' but although
radiusd seems to accept the user and password, the connection then
fails. The mschap module (?) expects a password but doesn't see any (it
seems) - it gives a 'notfound' error. Adding the above User-Password
attribute, and using '=*' or one of the regular expression operators
('=~') seems to make no difference. Radiusd returns the same error as
above about nothing in the packet being recognised.
Anyone got any suggestions about this? Relevant parts of the
radiusd.conf are below, but simply changing the users file entry operator
from '==' to '!=' surely shouldn't cause a problem? All the encryption
stuff should work because, instead of comparing the users file password
with the one the user enters when connecting, it should simply check for
equality or not. When '==' is used they should be equal; when '!=' is
used they should not be equal.
Thanks,
John.
================================================================
Radiusd.conf contains:
modules {
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmslash {
        format = prefix
        delimiter = "/"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = yes
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%Y/log-%m
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
    #
    # The expression module doesn't do authorization,
    # authentication, or accounting. It only does dynamic
    # translation, of the form:
    #
    # Session-Timeout = `%{expr:2 + 3}`
    #
    # So the module needs to be instantiated, but CANNOT be
    # listed in any other section. See 'doc/rlm_expr' for
    # more information.
    #
    expr
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
    #
    # The preprocess module takes care of sanitizing some bizarre
    # attributes in the request, and turning them into attributes
    # which are more standard.
    #
    # It takes care of processing the 'raddb/hints' and the
    # 'raddb/huntgroups' files.
    #
    # It also adds a Client-IP-Address attribute to the request.
    preprocess
    files
    mschap {
        ok = return
    }
    suffix
}
# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the appropriate module from the list below.
#
# The default Auth-Type is Local. That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
# So you should do the following:
# - Set Auth-Type to an appropriate value in the authorize modules above.
#   For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
# - After that create corresponding authtype sections in the
#   authenticate section below and call the appropriate modules.
authenticate {
    mschap
}
========================================================================
--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 233839
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
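Editor's note, with an added worked example that is not code from the post above, from FreeRADIUS or from Microsoft. The debug lines "doing MS-CHAPv2 with NT-Password" and the 50-byte MS-CHAP2-Response value show what rlm_mschap is actually doing. MS-CHAPv2 (RFC 2759) is a challenge-response exchange: the client never sends a password; it sends a 24-byte NT-Response that is the DES encryption of a challenge hash under the user's NT hash (MD4 of the UTF-16LE password), and the server can only check it by repeating that encryption with its own copy of the hash and comparing. The "S=..." authenticator string in MS-CHAP2-Success, which the client checks before it brings the link up, and the MS-MPPE-Send-Key/Recv-Key values (RFC 3079) are derived from the same hash. A check entry that only states what the password is not therefore gives the module no key to encrypt with. The Go block below is the editor's own implementation of the exchange from both sides; the MD4 routine is included because Go's standard library has none. The user name "fred" is from the post, while the two challenges, the password "Secret1!" and the wrong password "something" are constructed for the demonstration, and every function name is the editor's. It parses the MS-CHAP2-Response layout seen in the debug output (Ident, Flags, Peer-Challenge, Reserved, NT-Response), verifies it with the right hash, and rejects any other hash or a truncated attribute.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
// md4 is a compact RFC 1320 implementation (Go's standard library has no MD4).
func md4(data []byte) []byte {
	fn := []func(x, y, z uint32) uint32{
		func(x, y, z uint32) uint32 { return x&y | ^x&z },
		func(x, y, z uint32) uint32 { return x&y | x&z | y&z },
		func(x, y, z uint32) uint32 { return x ^ y ^ z }}
	idx := [3][16]int{{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}}
	sh, k := [3][4]uint{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}, [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		aa, bb, cc, dd := a, b, c, d
		for r := 0; r < 3; r++ {
			for j := 0; j < 16; j++ {
				t := a + fn[r](b, c, d) + binary.LittleEndian.Uint32(msg[off+4*idx[r][j]:]) + k[r]
				a, b, c, d = d, t<<sh[r][j%4]|t>>(32-sh[r][j%4]), b, c
			}
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}
// NtPasswordHash (RFC 2759 8.3): MD4 of the UTF-16LE password; this is the NT-Password rlm_mschap works from.
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}
// ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(cat(peer, auth, []byte(user)))
	return sum[:8]
}

// ChallengeResponse (RFC 2759 8.5): DES-encrypt the challenge under three 7-byte slices of the zero-padded NT hash, which is the key material.
func challengeResponse(challenge, ntHash []byte) (resp []byte) {
	z := cat(ntHash, make([]byte, 6)) // 21 key bytes, plus one spare so every 8-byte window below is in range
	for i := 0; i < 21; i += 7 {
		k := binary.BigEndian.Uint64(z[i:i+8]) >> 8 // this slice's 56-bit DES key
		key := make([]byte, 8)
		for j := 0; j < 8; j++ {
			key[j] = byte(k>>(49-7*uint(j))) << 1 // 7 key bits per byte; DES ignores the parity (low) bit
		}
		blk, _ := des.NewCipher(key) // err only for a bad key length, and ours is always 8
		out := make([]byte, 8)
		blk.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp
}

// GenerateAuthenticatorResponse (RFC 2759 8.7): the "S=..." proof in MS-CHAP2-Success that the client checks; a bare Access-Accept lacks it.
func authenticatorResponse(ntHash, ntResponse, peer, auth []byte, user string) string {
	d := sha1.Sum(cat(md4(ntHash), ntResponse, []byte("Magic server to client signing constant")))
	d = sha1.Sum(cat(d[:], challengeHash(peer, auth, user), []byte("Pad to make it do more than one iteration")))
	return fmt.Sprintf("S=%X", d[:])
}

// verifyMSCHAP2 is the server side; attr is the 50-byte MS-CHAP2-Response value: Ident, Flags, Peer-Challenge[16], Reserved[8], NT-Response[24].
func verifyMSCHAP2(auth, attr []byte, user string, ntHash []byte) (string, bool) {
	if len(auth) != 16 || len(attr) != 50 ||
		subtle.ConstantTimeCompare(challengeResponse(challengeHash(attr[2:18], auth, user), ntHash), attr[26:50]) != 1 {
		return "", false
	}
	return authenticatorResponse(ntHash, attr[26:50], attr[2:18], auth, user), true
}

func main() {
	// Constructed demo values, not from the post: NAS challenge, peer challenge and password.
	auth, peer, ntHash := []byte("0123456789abcdef"), []byte("fedcba9876543210"), ntPasswordHash("Secret1!")
	attr := cat([]byte{1, 0}, peer, make([]byte, 8), challengeResponse(challengeHash(peer, auth, "fred"), ntHash))
	s, ok := verifyMSCHAP2(auth, attr, "fred", ntHash)
	_, bad := verifyMSCHAP2(auth, attr, "fred", ntPasswordHash("something"))
	fmt.Println("right hash:", ok, s, "| wrong hash:", bad)
}
```

The server side here does exactly what the debug output shows rlm_mschap doing: it needs the NT hash (NT-Password, or a cleartext User-Password it can hash) before DES has a key, and the comparison is done in constant time. Keep the RFC 2759 section 9.2 vectors (user "User", password "clientPass") next to any reimplementation; they exercise the MD4, the UTF-16 encoding and the challenge hash ordering, which are the three places such code usually goes wrong.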