On Wed, Jul 28, 2004 at 06:06:02PM -0400, Alan DeKok wrote:
> Dave Mussulman <[EMAIL PROTECTED]> wrote:
> > Thanks for the pointer. Knock on wood, I think I have things working.
> > This project is really amazing, and it's gotten really easy to setup
> > EAP. That's a big credit to its maintainers.
>
> Thanks. I'm not sure everyone would agree on ease of use, but...
Well, almost a year ago I can recall struggling to get the certificates
made and PEAP not even being an option, so yay for progress.
> You can set up the "authorize" section with configurable failover
> (doc/configurable_failover), to say:
>
> try "users"
> try "mysql"
> if not found, do something else...
>
> Once the "authorize" section has determined which authentication
> type to try for a user, it doesn't matter if the password is in
> "users", "sql", or an NT domain.
Okay, I've done that. My authorize section looks like:

authorize {
	preprocess
	group {
		files
		#sql
		mschap
		chap
	}
	eap
}

but either I'm not doing that right, or there's something more
complicated with EAP calling mschap directly, because it's not working
how I would like. I would like it to check the local files (or sql)
first, and fail back to mschap/AD if the login is not present.
I've attached a snippet of an sdiff of the debug logs of two FreeRADIUS
configurations. The left side has the ntlm_auth line commented out, and
it's falling back to the files just fine. (I guess the rlm_mschap
module adds in the CHAP/MS encoding for plaintexted passwords.) The
code on the right has the ntlm_auth line in use, and the login fails
(since I wasn't using a valid AD login.) I don't understand enough
about how EAP tunnels to PEAP to MSCHAP, but somewhere pretty deep in
that line I'd like to interject the logic above.
Any help would be appreciated,
Dave
[sdiff output, reflowed: the lines common to both columns come first, then the
point where the two columns diverge; lines cut short by sdiff are left as cut]

Common to both configurations:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for requ
modcall: entering group group for request 6
users: Matched chris at 56
modcall[authorize]: module "files" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for reques
modcall[authorize]: module "chap" returns noop for request
modcall: group group returns ok for request 6
rlm_eap: EAP packet type response id 7 length 64
rlm_eap: No EAP Start, assuming it's an on-going EAP conver
modcall[authorize]: module "eap" returns updated for reques
modcall[authorize]: module "preprocess" returns ok for requ
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Told to do MS-CHAPv2 for chris with NT-Password

Left column (ntlm_auth line commented out):

rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for reque
modcall: group Auth-Type returns ok for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for req
modcall: group authenticate returns handled for request 6
PEAP: Got tunneled reply RADIUS code 11
        MS-CHAP2-Success = 0x07533d39374342463638413643413836
        EAP-Message = 0x010800331a0307002e533d393743424636384

Right column (ntlm_auth line in use):

radius_xlat: Running registered xlat function of module mscha
mschap2: bb
radius_xlat: Running registered xlat function of module mscha
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for r
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for requ
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [chris/<no User-Password attribute>] (from c
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
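As an added example that is not part of the original thread: a decoder for the inner EAP-MSCHAPv2 packets that PEAP tunnels, in the shape of the EAP-Message, MS-CHAP2-Success and MS-CHAP-Error values in the log above, so the success reply on the left and the E=691 failure on the right can be read off the wire. The 40-hex-digit authenticator response is constructed here, since the log's hex is cut off by sdiff; the parser and builder names are this example's own, not FreeRADIUS code.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAPV2_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 0x1a  # EAP type 26, as in the log's "1a" byte

def parse_eap_message(hexstr):
    """Parse one EAP-Message: RFC 3748 header plus an optional EAP-MSCHAPv2 body."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("short EAP header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(raw)))
    msg = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (3, 4):  # bare Success/Failure: no type byte, no payload
        return msg
    if raw[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not EAP-MSCHAPv2, type %d" % raw[4])
    op, ms_id, ms_len = raw[5], raw[6], int.from_bytes(raw[7:9], "big")
    if ms_len != length - 5:  # MS-Length counts opcode through end of packet
        raise ValueError("MS-CHAPv2 length mismatch")
    msg.update(opcode=MSCHAPV2_OPS.get(op, op), mschapv2_id=ms_id,
               message=raw[9:].decode("ascii"))
    return msg

def build_mschapv2_success(eap_id, ms_id, authenticator_response_hex):
    """Frame an EAP-Request/EAP-MSCHAPv2 Success packet (inverse of the parser)."""
    body = b"S=" + authenticator_response_hex.encode("ascii")
    ms = bytes([3, ms_id]) + (len(body) + 4).to_bytes(2, "big") + body
    eap = (bytes([1, eap_id]) + (len(ms) + 5).to_bytes(2, "big")
           + bytes([EAP_TYPE_MSCHAPV2]) + ms)
    return "0x" + eap.hex()

def parse_mschap_error(text):
    """Decode an MS-CHAP-Error such as '\\007E=691 R=1'; the first byte is the Ident."""
    ident, rest = ord(text[0]), text[1:]
    fields = dict(re.findall(r"\b([ERCVM])=(\S+)", rest))
    return {"ident": ident, "error": int(fields["E"]),   # 691: authentication failed
            "retry_allowed": fields.get("R") == "1"}

# Constructed sample: the log's hex is truncated, so the authenticator response is
# padded out to 40 hex digits here; the framing reproduces the log's prefix bytes.
SAMPLE_AUTH_RESP = "97CBF68A6CA86" + "0" * 27
SUCCESS_REPLY = build_mschapv2_success(8, 7, SAMPLE_AUTH_RESP)
OUTER_FAILURE = "0x04070004"      # EAP-Message from the right-hand column
MSCHAP_ERROR = "\x07E=691 R=1"    # MS-CHAP-Error from the right-hand column

if __name__ == "__main__":
    for item in (parse_eap_message(SUCCESS_REPLY), parse_eap_message(OUTER_FAILURE),
                 parse_mschap_error(MSCHAP_ERROR)):
        print(item)
```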