"Alan DeKok" <[EMAIL PROTECTED]> wrote:
>"Roy, Daniel" <[EMAIL PROTECTED]> wrote:
>> 1) valid userid and password should authorize and authenticate against 
>> SQL and MSCHAP ok;
>
>  That should work without any additional configuration.

Agreed.

>
>> 2) valid userid but wrong password should authorize ok against SQL but
>> fail authentication against MSCHAP; I want to configure freeRADIUS to
>> proxy this failed Access-Request to another RADIUS server/service;
>
>  A fail-over section should work.

Agreed.

>
>> 3) invalid userid (regardless of password) should return "notfound" when
>> authorizing against SQL; again I want to configure freeRADIUS to proxy
>> this failed Access-Request to another RADIUS server/service.
>
>  A fail-over section should work here, too.

Agreed.

>
>> This one correctly proxies for wrong userids, but it unexpectedly
>> replies with Access-Reject for correct userids and passwords even though
>> sql returned "ok".  I figured out freeRADIUS does this because my client
>> is using mschap and radius doesn't find a User-Password or CHAP-Password
>> attribute in the request.
>
>  Did you list the "mschap" module in the "authorize" section?  It
>will take care of setting Auth-Type := MSCHAP if it finds MSCHAP
>attributes.
>

Yes, mschap is just above the group and it is not commented out.  If I comment out the 
group and restart the radius server and send an access-request, it does indeed do an 
mschap authorization and then an mschap authentication (as per the output when running 
in debug mode), proving that mschap is indeed there and active.  But somehow, when I 
insert a group without a mschap section within the group (as indicated in my previous 
email), mschap does not occur correctly.

Here's a sample of the debug output without an mschap section in my group under the 
authorize section:
rad_recv: Access-Request packet from host 207.181.118.125:1026, id=161, length=230
        Acct-Session-Id = "7f102a4f"
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
        User-Name = "roger"
        Calling-Station-Id = "00-04-75-CC-41-1F"
        Called-Station-Id = "00-03-52-00-12-CC"
        Framed-IP-Address = 192.168.1.21
        MS-CHAP2-Response = 
0xa100fe1a5134ba040abee1dd028fd45586b90000000000000000a520d9cd7d31c4062169b45aca482a530ef80bd2ed8cf065
        MS-CHAP-Challenge = 0x2863c07d7c0988321e1e7ec4b652899d
        NAS-Identifier = "L004-00149"
        NAS-IP-Address = 207.181.118.125
        Framed-MTU = 1496
        Connect-Info = "HTTPS"
        Service-Type = Framed-User
        Message-Authenticator = 0x3ae483380745632a3152603d0f969388
Fri Jun 25 14:53:42 2004 : Debug: auth.c::rad_authenticate entered
Fri Jun 25 14:53:42 2004 : Debug: modcall: entering group authorize for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from preprocess 
(rlm_preprocess) for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "preprocess" returns ok 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling auth_log 
(rlm_detail) for request 7
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  
'/usr/local/var/log/radius/radacct/207.181.118.125/auth-detail-20040625'
Fri Jun 25 14:53:42 2004 : Debug: rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/usr/local/var/log/radius/radacct/207.181.118.125/auth-detail-20040625
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from auth_log 
(rlm_detail) for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "auth_log" returns ok 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for 
request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from chap 
(rlm_chap) for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "chap" returns noop for 
request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for 
request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "eap" returns noop for 
request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:     rlm_realm: No '@' in User-Name = "roger", 
looking up realm NULL
Fri Jun 25 14:53:42 2004 : Debug:     rlm_realm: No such realm "NULL"
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "suffix" returns noop 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for 
request 7
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'roger'
Fri Jun 25 14:53:42 2004 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'roger'
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = 'roger' ORDER BY id'
Fri Jun 25 14:53:42 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'roger' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = 'roger' ORDER BY id'
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'roger' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Fri Jun 25 14:53:42 2004 : Debug: rlm_sql (sql): Released sql socket id: 0
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "sql" returns ok for 
request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   rlm_mschap: Found MS-CHAP attributes.  Setting 
'Auth-Type := MS-CHAP'
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "mschap" returns ok for 
request 7
Fri Jun 25 14:53:42 2004 : Debug: modcall: entering group group for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for 
request 7
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'roger'
Fri Jun 25 14:53:42 2004 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'roger'
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = 'roger' ORDER BY id'
Fri Jun 25 14:53:42 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'roger' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = 'roger' ORDER BY id'
Fri Jun 25 14:53:42 2004 : Debug: radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'roger' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Fri Jun 25 14:53:42 2004 : Debug: rlm_sql (sql): Released sql socket id: 4
Fri Jun 25 14:53:42 2004 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) 
for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "sql" returns ok for 
request 7
Fri Jun 25 14:53:42 2004 : Debug: modcall: group group returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug: modcall: group authorize returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug: auth.c::check_expiration entered
Fri Jun 25 14:53:42 2004 : Debug: auth.c::check_expiration exited - result=0
Fri Jun 25 14:53:42 2004 : Debug:   rad_check_password:  Found Auth-Type Local
Fri Jun 25 14:53:42 2004 : Debug: auth: type Local
Fri Jun 25 14:53:42 2004 : Debug: auth: No User-Password or CHAP-Password attribute in 
the request
Fri Jun 25 14:53:42 2004 : Debug: auth: Failed to validate the user.
Fri Jun 25 14:53:42 2004 : Auth: Login incorrect: [roger/<no User-Password attribute>] 
(from client bhcn3000 port 1 cli 00-04-75-CC-41-1F)
Fri Jun 25 14:53:42 2004 : Debug: auth.c::rad_authenticate exited - location 6
Fri Jun 25 14:53:42 2004 : Debug: proxy_send: return RLM_MODULE_NOOP because neither a 
proxy nor replicate pair found
Fri Jun 25 14:53:42 2004 : Debug: Delaying request 7 for 1 seconds
Fri Jun 25 14:53:42 2004 : Debug: Finished request 7
Fri Jun 25 14:53:42 2004 : Debug: Going to the next request
Fri Jun 25 14:53:42 2004 : Debug: --- Walking the entire request list ---
Fri Jun 25 14:53:42 2004 : Debug: Waking up in 1 seconds...
Fri Jun 25 14:53:43 2004 : Debug: --- Walking the entire request list ---
Fri Jun 25 14:53:43 2004 : Debug: Waking up in 1 seconds...
Fri Jun 25 14:53:44 2004 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 161 to 207.181.118.125:1026


>  From the above description, it looks like the server has no
>Auth-Type set, or an Auth-Type of Local, in which case all it can do
>is PAP & CHAP.
>
>> So I changed "ok = return" to "ok = 1" and added an mschap section
>> to authorize:
>
>  The first change shouldn't have happened.  The second is OK.
>

Understood, thanks.

>  Try using "ok = return", and listing "mschap" in "authorize", before
>the group{} thing.  That should work.
>

What you state is in fact the case in my radiusd.conf, but it doesn't seem to be 
working the way you (or I) expect it to work.
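As an added example (not from this thread and not FreeRADIUS code), a small Python checker for radiusd debug output in the shape quoted above: it records the authorize module sequence with return codes, the Auth-Type that rlm_mschap set, the Auth-Type that rad_check_password actually found, and which modules ran after mschap, so a mismatch like the MS-CHAP/Local one above points at the modules worth inspecting. The sample lines are constructed to mirror the quoted log.

```python
import re

# Constructed excerpt in the shape of the radiusd -X output quoted above
# (not the thread's own log; trimmed to the lines the checker reads).
SAMPLE_DEBUG = """\
Fri Jun 25 14:53:42 2004 : Debug: modcall: entering group authorize for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "chap" returns noop for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "sql" returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug:   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := MS-CHAP'
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "mschap" returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug: modcall: entering group group for request 7
Fri Jun 25 14:53:42 2004 : Debug:   modcall[authorize]: module "sql" returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug: modcall: group authorize returns ok for request 7
Fri Jun 25 14:53:42 2004 : Debug:   rad_check_password:  Found Auth-Type Local
Fri Jun 25 14:53:42 2004 : Debug: auth: No User-Password or CHAP-Password attribute in the request
Sending Access-Reject of id 161 to 207.181.118.125:1026
"""

# Patterns for the three kinds of line the checker cares about.
MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
SET_RE = re.compile(r"Setting 'Auth-Type := ([^']+)'")
FOUND_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')


def analyse(debug_text):
    """Summarise one request's authorize pass.

    Returns the module call order with return codes, the Auth-Type mschap set,
    the Auth-Type the authenticator used, the modules that ran after mschap
    (candidates for having replaced the check item) and a mismatch flag."""
    calls, after_mschap = [], []
    set_by_mschap = used = None
    seen_mschap = False
    for line in debug_text.splitlines():
        if (m := MODULE_RE.search(line)):
            _section, module, rcode, _req = m.groups()
            calls.append((module, rcode))
            if seen_mschap and module != 'mschap':
                after_mschap.append(module)
            if module == 'mschap':
                seen_mschap = True
        elif (m := SET_RE.search(line)):
            set_by_mschap = m.group(1)
        elif (m := FOUND_RE.search(line)):
            used = m.group(1)
    mismatch = None not in (set_by_mschap, used) and set_by_mschap != used
    return {'calls': calls, 'set_by_mschap': set_by_mschap, 'used': used,
            'after_mschap': after_mschap, 'mismatch': mismatch}


if __name__ == '__main__':
    print(analyse(SAMPLE_DEBUG))
```

Run against a real `radiusd -X` capture, a non-empty `after_mschap` together with `mismatch` being true narrows the search to the modules listed between mschap and the authenticator.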


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html