Re: peap/mschapv2 + mysql + filter-id
Adam W. Sewell wrote:
> I've been working trying to set up freeradius to work with peap/mschapv2 backended by a mysql database on Enterasys switches. I've got almost everything working except for when a user authenticates with an 802.1x supplicant with peap/mschapv2, freeradius sends an access-accept packet but does not append the Filter-Id that is required for Enterasys switches to switch the default port policy. However, when I authenticate to the management portion of the switch, which uses pap, it authenticates and sends the Filter-Id as it should. I'm not sure what I'm missing here and I honestly don't know what configs you guys would need to see to help with this. So if I can provide any logs or config files, please let me know.

Read the debug output. Or, post the output here, and maybe a sample of your config files.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: peap/mschapv2 + mysql + filter-id
an on-going EAP conversation
++[eap] returns updated
        expand: %{User-Name} -> generic
rlm_sql (sql): sql_set_user escaped user --> 'generic'
rlm_sql (sql): Reserving sql socket id: 1
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'generic' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'generic' ORDER BY id
        expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'generic' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 0 via TLS tunnel)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.16.240.77 port 1930
        EAP-Message = 0x01df002b1900170301002007b66e03cf1277bb89b88a78357462d463bce87424d6f2c889a218e607e2b958
        Message-Authenticator = 0x
        State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=26, length=232
        Message-Authenticator = 0xf246ed24c1d8cdece97a0b0814fc0d81
        User-Name = generic
        State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
        NAS-IP-Address = 192.16.240.77
        NAS-Port = 8
        NAS-Port-Type = Ethernet
        Calling-Station-Id = 00-16-D3-30-E5-74
        Called-Station-Id = 00-01-F4-93-14-00
        Framed-MTU = 1000
        EAP-Message = 0x02df00501900170301002090c5a627b284c660af3348c538297fc2b3e59ebbfa74ed335ebfdf782e3df0721703010020c24cb49475b2e47d8dbd0afb64f429081c610acdac786c7c26f1b28d152927a7
        NAS-Identifier = TEST_M48
        NAS-Port-Id = fe.0.8
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = generic, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 223 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Success
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 8 cli 00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 26 to 192.16.240.77 port 1930
        MS-MPPE-Recv-Key = 0x680f34a977769aa71a178722683534da074169a1b7f994e643785f0f90ba5930
        MS-MPPE-Send-Key = 0x502aacfc317b2197d001bc706b1581972ec6e97ffd344b2fe434dbda852a81c3
        EAP-Message = 0x03df0004
        Message-Authenticator = 0x
        User-Name = generic
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 17 with timestamp +15
Cleaning up request 1 ID 18 with timestamp +15
Cleaning up request 2 ID 19 with timestamp +15
Cleaning up request 3 ID 20 with timestamp +15
Waking up in 0.1 seconds.
Cleaning up request 4 ID 21 with timestamp +15
Cleaning up request 5 ID 22 with timestamp +15
Cleaning up request 6 ID 23 with timestamp +15
Cleaning up request 7 ID 24 with timestamp +15
Cleaning up request 8 ID 25 with timestamp +15
Cleaning up request 9 ID 26 with timestamp +15
Ready to process requests.

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2008 2:32 AM
To: FreeRadius users mailing list
Subject: Re: peap/mschapv2 + mysql + filter-id

Adam W. Sewell wrote:
> I've been working trying to set up freeradius to work with peap/mschapv2 backended by a mysql
RE: peap with mysql
) for request 7

-- Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Liles
Sent: Friday, May 19, 2006 10:42 AM
To: FreeRadius users mailing list
Subject: RE: peap with mysql

Please forgive my ignorance, but can you be a little bit more specific? I tried putting the following in the database:

mysql> select * from radcheck;
+----+----------+------------------------+----+--------+
| id | UserName | Attribute              | op | Value  |
+----+----------+------------------------+----+--------+
|  1 | temptest | Password               | := | authme |
|  2 | temptest | MS-CHAP-User-NTLM-Auth | == | No     |
+----+----------+------------------------+----+--------+

I added the following to dictionary:

ATTRIBUTE MS-CHAP-User-NTLM-Auth 3003 string

But I am still seeing the call made for ntlm authing:

radius_xlat: 'temptest'
rlm_sql (sql): sql_set_user escaped user --> 'temptest'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'temptest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'temptest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'temptest' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'temptest' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user [temptest]
modcall[authorize]: module sql returns notfound for request 16
modcall: leaving group authorize (returns updated) for request 16
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 16
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for temptest with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: d2
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=temptest --challenge=f323f6e00a6e7eef --nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 --require-membership-of=DOMAIN+wifi-secure'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=temptest --challenge=f323f6e00a6e7eef --nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 --require-membership-of=DOMAIN+wifi-secure
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 16
modcall: leaving group MS-CHAP (returns reject) for request 16

I'm guessing that I need to put the MS-CHAP-User-NTLM-Auth somewhere else??

-- Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 18, 2006 8:31 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql

Chris Liles [EMAIL PROTECTED] wrote:
> How can I make the mschap module use both ntlm and mysql?

If it gets a clear-text password, it should probably default to using that. For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

Alan DeKok.
Re: peap with mysql
Chris Liles [EMAIL PROTECTED] wrote:
> mysql> select * from radgroupreply;
> +----+-----------+------------------------+----+-------+
> | id | GroupName | Attribute              | op | Value |
> +----+-----------+------------------------+----+-------+
> |  1 | guests    | MS-CHAP-User-NTLM-Auth | == | No    |

It's a check attribute, not a reply attribute. You had that right the first time.

I said to correct the attribute name. You didn't. I said to correct the operator. You didn't.

Please read the responses to your messages. If you don't, there's no point in posting questions.

Alan DeKok.
RE: peap with mysql
Thanks Alan,

That worked perfectly. Now the next problem: I'm trying to set up freeradius to do ntlm and mysql. Currently mysql only works when I comment out the ntlm_auth line in the mschap section. I'm thinking because it is sending the username/password to the Domain Controller, which won't auth it because the info is in the mysql database when the ntlm line is present. How can I make the mschap module use both ntlm and mysql?

-- Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, May 17, 2006 7:08 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql

Chris Liles [EMAIL PROTECTED] wrote:
> To get peap working with a mysql backend do I need to store the LM and NT hashes of the password?

No.

> I currently have my db setup like this:
> mysql> select * from radcheck;
> +----+----------+---------------+----+--------+
> | id | UserName | Attribute     | op | Value  |
> +----+----------+---------------+----+--------+
> |  1 | temptest | User-Password | == | authme |

You should use :=, not ==.

> Currently it works fine with NTRadPing, but not from the MS Supplicant :(

Debug mode will tell you why: there's no User-Password in the MS-CHAP request to do == comparisons on.

Alan DeKok.
Re: peap with mysql
Chris Liles [EMAIL PROTECTED] wrote:
> How can I make the mschap module use both ntlm and mysql?

If it gets a clear-text password, it should probably default to using that. For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

Alan DeKok.
Re: peap with mysql
Chris Liles [EMAIL PROTECTED] wrote:
> To get peap working with a mysql backend do I need to store the LM and NT hashes of the password?

No.

> I currently have my db setup like this:
> mysql> select * from radcheck;
> +----+----------+---------------+----+--------+
> | id | UserName | Attribute     | op | Value  |
> +----+----------+---------------+----+--------+
> |  1 | temptest | User-Password | == | authme |

You should use :=, not ==.

> Currently it works fine with NTRadPing, but not from the MS Supplicant :(

Debug mode will tell you why: there's no User-Password in the MS-CHAP request to do == comparisons on.

Alan DeKok.
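As an added example (not code from this thread or from FreeRADIUS), a small Python model of the check-item semantics Alan describes above and in his later reply about MS-CHAP-User-NTLM-Auth: a `==` row is compared against the incoming request and an MS-CHAP request carries no User-Password to compare, while a `:=` row sets a control item for later modules. The function names, the simplified operator rules and the two request dictionaries are assumptions made for this illustration.

```python
# Added example, not FreeRADIUS code: a small model of how rlm_sql applies
# radcheck rows, showing why a User-Password row with op '==' works for
# NTRadPing (PAP) but fails for the MS supplicant (MS-CHAPv2). Function and
# variable names are constructed for this example.

# The radcheck layout Chris started with, and the one Alan asked for.
RADCHECK_WRONG = [("temptest", "User-Password", "==", "authme")]
RADCHECK_RIGHT = [("temptest", "User-Password", ":=", "authme"),
                  ("temptest", "MS-CHAP-User-NTLM-Auth", ":=", "No")]

# Constructed requests: a PAP client sends the password itself; a PEAP/
# MS-CHAPv2 supplicant sends only a challenge and response (values taken
# from the ntlm_auth line in the debug output above).
PAP_REQUEST = {"User-Name": "temptest", "User-Password": "authme"}
MSCHAP_REQUEST = {"User-Name": "temptest",
                  "MS-CHAP-Challenge": "f323f6e00a6e7eef",
                  "MS-CHAP2-Response": "adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2"}

def apply_check_items(rows, request):
    """Return (matched, control) for the user's radcheck rows.
    '==' compares against the request and fails when the attribute is absent
    (that comparison is all that authenticates a PAP login); ':=' compares
    nothing and sets a control item for later modules such as rlm_mschap."""
    control = {}
    for user, attr, op, value in rows:
        if user != request.get("User-Name"):
            continue
        if op == "==":
            if request.get(attr) != value:
                return False, control   # no User-Password in an MS-CHAP request
        elif op == ":=":
            control[attr] = value
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True, control

def mschap_decision(control, ntlm_auth_configured=True):
    """Path rlm_mschap takes for the tunneled MS-CHAPv2 exchange. With ntlm_auth
    configured it hands the response to the domain controller unless the check
    item MS-CHAP-User-NTLM-Auth = No is set; otherwise it needs a cleartext
    password to verify the MS-CHAP2-Response itself."""
    if ntlm_auth_configured and control.get("MS-CHAP-User-NTLM-Auth") != "No":
        return "ntlm_auth"
    if "User-Password" in control:
        return "local"   # NT hash derived from the stored cleartext password
    return "reject"      # nothing to check the MS-CHAP2-Response against
```

Running the wrong layout against the MS-CHAP request returns a no-match, matching the "No matching entry in the database" line in Chris's debug output, while the corrected layout yields a local MS-CHAPv2 check.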