Hi Dhiraj,

Ideally your test setup should be supplicant ---> access_point ------> RADIUS ---> Active Directory. Directly having the RADIUS server authenticate against AD using MSCHAP does not solve your problem. Here you can change Active Directory to local authentication first, and once that is done, check whether your access point is able to understand session states for MSCHAP. The problem is with adding states (MSCHAP) to a stateless protocol (RADIUS), though it is possible in theory if your access_point understands the session states and takes appropriate action. Some of the WiFi access_points and corresponding routers are able to do that. In your logs it appears that decryption is not properly done, leading to failure in authentication. As you are saying PAP works fine, I would suggest first getting the above-mentioned setup working with PAP and then working through the permutations and combinations.

HTH,
Regards,
Abhishek Kumar
> Date: Fri, 20 Jan 2012 20:58:48 +0530
> From: [email protected]
> To: [email protected]
> Subject: [ilugd] Problem with MSCHAP authentication in FreeRadius
>
> Hi
>
> I have been trying to implement a RADIUS authentication server at my
> workplace. The idea is to have all wifi access points authenticate against
> a RADIUS server.
> The RADIUS server needs to pass authentication to a backend Active
> Directory server. I have been successful in authenticating wifi users
> against file based and SQL based authentication in RADIUS. NTLM_AUTH using
> PAP also works fine, wherein the plaintext password is successfully
> authenticated against the AD and I get an "Access-Accept". However when I
> pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not
> working and I end up with an "Access-Reject". It seems that the ntlm_auth
> program is not parsing the received encrypted password, hence the
> authentication fails. MSCHAP is a requirement as wifi clients at my place
> mostly have an EAP supplicant. (I read in the FreeRADIUS documentation that EAP and
> LDAP don't go hand in hand; I may be wrong in interpreting that.)
>
> The FreeRADIUS logs for all the cases are listed below. RADIUS gurus, please
> point me in the right direction as to how to make MS_CHAP authentication work over
> ntlm_auth or LDAP (if possible).
>
> PS: I did all the testing using the JRadius simulator.
>
> Regards
> Dhiraj Gaur
>
> -------------------------- LOGS ------------------------------
> rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=69
>         User-Name = "01546"
>         User-Password = "xxxxxxxxxxx"   --> (Plain Text password)
>         NAS-IP-Address = 192.168.0.199
>         Message-Authenticator = 0x008294e58343b74ea977c228f5b5ec5d
> Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
> Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
> Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
> Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
> Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
> Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
> Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
> Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
> Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
> Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
> Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx   --> (We can see the password in plaintext)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
> Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
> Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
> Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
> Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
> Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
> Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
> Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
> Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
> Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
> Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
> Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
> Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
> Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
> Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
> Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
> Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
> Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
> Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
> Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
> Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
> Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
> Sending Access-Accept of id 22 to 192.168.3.210 port 32854
>
> JRADIUS CLIENT LOG
>
> Sending RADIUS Packet:
> ----------------------------------------------------------
>
> Class: class net.jradius.packet.AccessRequest
> Attributes:
>         User-Name := 01546
>         User-Password := [Encrypted String]
>         NAS-IP-Address := 192.168.0.199
>         Message-Authenticator := [Binary Data (length=16)]
>
> Received RADIUS Packet:
> ----------------------------------------------------------
>
> Class: class net.jradius.packet.AccessAccept
> Attributes:
>
> -----------------------------------------------------------------------
>
> rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=88
>         User-Name = "01546"
>         NAS-IP-Address = 192.168.0.199
>         CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57
>         CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e
>         Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2
> Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...}
> Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok
> Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
> Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok
> Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop
> Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
> Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL"
> Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop
> Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP
> Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop
> Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
> Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
> Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject
> Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject
> Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...}
> Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
> Fri Jan 20 18:29:27 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
> Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns updated
> Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds
> Fri Jan 20 18:29:27 2012 : Debug: Going to the next request
> Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds.
> Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5
> Sending Access-Reject of id 22 to 192.168.3.210 port 32854
>
> JRADIUS CLIENT LOG
>
> Sending RADIUS Packet:
> ----------------------------------------------------------
>
> Class: class net.jradius.packet.AccessRequest
> Attributes:
>         User-Name := 01546
>         NAS-IP-Address := 192.168.0.199
>         CHAP-Challenge := [Binary Data (length=16)]
>         CHAP-Password := [Binary Data (length=17)]
>         Message-Authenticator := [Binary Data (length=16)]
>
> Received RADIUS Packet:
> ----------------------------------------------------------
> Class: class net.jradius.packet.AccessReject
> Attributes:
>
> --------------------------------------------------------------------------------------
>
> rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23, length=133
>         User-Name = "01546"
>         NAS-IP-Address = 192.168.0.199
>         MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
>         MS-CHAP2-Response = 0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
>         Message-Authenticator = 0x92716bba8963b228666c070135f8245a
> Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...}
> Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok
> Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop
> Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
> Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok
> Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
> Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL"
> Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop
> Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP
> Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop
> Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
> Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
> Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject
> Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject
> Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...}
> Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
> Fri Jan 20 18:29:57 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
> Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns updated
> Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds
> Fri Jan 20 18:29:57 2012 : Debug: Going to the next request
> Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds.
> Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6
> Sending Access-Reject of id 23 to 192.168.3.210 port 32854
>
> JRADIUS CLIENT LOG
>
> Sending RADIUS Packet:
> ----------------------------------------------------------
>
> Class: class net.jradius.packet.AccessRequest
> Attributes:
>         User-Name := 01546
>         NAS-IP-Address := 192.168.0.199
>         MS-CHAP-Challenge := [Binary Data (length=16)]
>         MS-CHAP2-Response := [Binary Data (length=50)]
>         Message-Authenticator := [Binary Data (length=16)]
>
> Received RADIUS Packet:
> ----------------------------------------------------------
> Class: class net.jradius.packet.AccessReject
> Attributes:
>
> -----------------------------------------------------------------------------------------
>
> rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24, length=63
>         User-Name = "01546"
>         NAS-IP-Address = 192.168.0.199
>         EAP-Message = 0x0200000a013031353436
>         Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9
> Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...}
> Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok
> Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop
> Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop
> Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
> Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL"
> Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop
> Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length 10
> Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
> Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated
> Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
> Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
> Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject
> Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject
> Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...}
> Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
> Fri Jan 20 18:30:30 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
> Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns updated
> Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds
> Fri Jan 20 18:30:30 2012 : Debug: Going to the next request
> Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds.
> Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7
> Sending Access-Reject of id 24 to 192.168.3.210 port 32854
>
> JRADIUS CLIENT LOG
>
> Sending RADIUS Packet:
> ----------------------------------------------------------
>
> Class: class net.jradius.packet.AccessRequest
> Attributes:
>         User-Name := 01546
>         NAS-IP-Address := 192.168.0.199
>         EAP-Message := [Binary Data (length=10)]
>         Message-Authenticator := [Binary Data (length=16)]
>
> Received RADIUS Packet:
> ----------------------------------------------------------
> Class: class net.jradius.packet.AccessReject
> Attributes:
> _______________________________________________
> Ilugd mailing list
> [email protected]
> http://frodo.hserus.net/mailman/listinfo/ilugd
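An added example, not from either poster: a small Python script that reads FreeRADIUS debug excerpts like the ones quoted above, reports which credential attribute each Access-Request carried and what the exec-style ntlm_auth call actually received in `--password=`, and splits the 50-byte MS-CHAP2-Response into its fields. The log excerpts are constructed from the quoted lines; the field layout (Ident, Flags, Peer-Challenge, Reserved, NT-Response) comes from RFC 2548 and is not discussed in the thread.

```python
import re

# Field layout of the RADIUS MS-CHAP2-Response attribute value (RFC 2548, 2.3.3):
# Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24) = 50 bytes.
MSCHAP2_RESPONSE_LEN = 50
CRED_ATTRS = ("User-Password", "CHAP-Password", "MS-CHAP2-Response", "EAP-Message")
ATTR_RE = re.compile(r"^\s*([\w-]+) = (\S+)", re.M)
PW_EXPAND_RE = re.compile(r"--password=%\{User-Password\} -> --password=(\S*)")

# Constructed excerpts of the FreeRADIUS debug output quoted in the thread (one request each).
PAP_LOG = """\
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=69
        User-Name = "01546"
        User-Password = "xxxxxxxxxxx"
[ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx
Exec-Program output: NT_STATUS_OK: Success (0x0)
"""
MSCHAP_LOG = """\
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23, length=133
        User-Name = "01546"
        MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
        MS-CHAP2-Response = 0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
"""

def parse_mschap2_response(hex_value: str) -> dict:
    """Split a '0x...' MS-CHAP2-Response value, as FreeRADIUS prints it, into its fields."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    if len(raw) != MSCHAP2_RESPONSE_LEN:
        raise ValueError(f"expected {MSCHAP2_RESPONSE_LEN} bytes, got {len(raw)}")
    return {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18].hex(),
            "reserved": raw[18:26].hex(), "nt_response": raw[26:50].hex()}

def diagnose(log: str) -> dict:
    """Report which credential attributes a request carried and what ntlm_auth was handed."""
    attrs = dict(ATTR_RE.findall(log))
    m = PW_EXPAND_RE.search(log)
    result = {"credential_attrs": [a for a in CRED_ATTRS if a in attrs],
              "ntlm_auth_password": m.group(1) if m else None}
    if "MS-CHAP2-Response" in attrs:
        result["mschap2"] = parse_mschap2_response(attrs["MS-CHAP2-Response"])
    # An exec-style ntlm_auth call can only verify a plaintext password; a CHAP, MS-CHAP or
    # EAP request carries none, so %{User-Password} expands to nothing and AD rejects it.
    result["plaintext_path_usable"] = ("User-Password" in attrs
                                       and result["ntlm_auth_password"] not in ("", None))
    return result
```

On the MS-CHAP request from the thread this reports an empty `ntlm_auth_password` and `plaintext_path_usable` False, which is the NT_STATUS_WRONG_PASSWORD path the quoted log shows, while the PAP request reports the plaintext password being handed through.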
