Forgive me if I post any careless mistakes; I apologize beforehand. It
now being 5:00 AM, I have spent the entire night trying to get freeradius to
work properly with CHAP and external script authentication.
Here is a synopsis of the issue I am having. I receive proxied
authentication requests from various providers, including UUNet, which
requires CHAP authentication. While testing freeradius, I have taken my
current proxy, which proxies all requests either to our primary radius
server running XTRadius or to other ISPs to which requests are simply
proxied. One realm I pointed at my new freeradius server, which I am testing
now to replace my XTRadius. The tests all proved successful. The
CHAP-Password and CHAP-Challenge were received, passed to my external
script, and authenticated.
Now, basically, the ideal solution is to replace my current proxy server AND
XTRadius server with one freeradius server which proxies certain realms and
authenticates the rest locally. My problem is:
1. When requests are received directly at the new freeradius machine from
either UUNet or another CHAP-enabled provider, freeradius is _never_ sending
the CHAP-Challenge to the script, nor logging it in the radius debug
output. I show this below in some debug outputs.
First, looking at the debug of freeradius
--- freeradius debug ---
rad_recv: Access-Request packet from host 64.66.192.32:54259, id=209,
length=108
User-Name = "username"
CHAP-Password = 0x01aebd37da17a24859e072991b87818b74
NAS-IP-Address = 66.42.46.36
NAS-Port = 49525
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "2062990534"
Calling-Station-Id = "5419566016"
NAS-Port-Type = Async
--- end freeradius debug ---
All requests are sent to my external script, which for the sake of testing
this, I have simply had it output all variables which are passed to a log
file. Here are the exact vars my script is getting.
--- begin script output ---
Wed Nov 14 04:22:31 PST 2001 RUN
NAS_IP_ADDRESS=66.42.46.36
NAS_PORT=49525
CISCO_NAS_PORT="Async19"
NAS_PORT_TYPE=Async
USER_NAME="username"
CHAP_PASSWORD=0xb32b14782a44d7b52bbc22cc767b0f159c
SERVICE_TYPE=Framed-User
FRAMED_PROTOCOL=PPP
SHLVL=0
PWD=/usr/local/etc/raddb
OLDPWD=/usr/local/etc/raddb
_=/usr/bin/env
--- end script output ---
Now, as this data plainly shows, the CHAP-Challenge is definitely not being
logged in the freeradius debug output, nor is it being sent to the external
script.
Now, the interesting thing which I cannot explain right now is this: when I
route my incoming requests from UUNet or another CHAP-enabled provider
through my older freeradius proxy server (September release) to the new
freeradius server, the CHAP-Challenge shows up. In order to save space, I
am copying in only the output from my script with all the vars it is receiving:
--- begin script output ---
Wed Nov 14 05:08:25 PST 2001 RUN
USER_NAME="username"
CHAP_PASSWORD=0x01919f8ee7bf3c4e8d85927ffda0764f97
NAS_IP_ADDRESS=66.42.46.36
NAS_PORT=2257
SERVICE_TYPE=Framed-User
FRAMED_PROTOCOL=PPP
CALLED_STATION_ID="2062990534"
CALLING_STATION_ID="5419566016"
NAS_PORT_TYPE=Async
PROXY_STATE=0x323532
CHAP_CHALLENGE=0x6312f40c29cf64535a46d7a85ff43784
CLIENT_IP_ADDRESS=208.8.184.16
SHLVL=0
PWD=/usr/local/etc/raddb
OLDPWD=/usr/local/etc/raddb
_=/usr/bin/env
--- end script output ---
Item #2. This has got to be just a config issue on my part. Radius is
configured to proxy first, then check the users file second. The key entry
in my users file is as follows:
DEFAULT Auth-Type := Accept
        Exec-Program-Wait = "/etc/raddb/test.sh",
        Fall-Through = Yes
Freeradius is properly sending the proxy request to the remote server, but
it seems that IF the remote server gives the login OK, THEN freeradius proceeds
to run my script as well, and if it does not exit with code 0 it will deny the
user even though the remote radius server OK'd the user. Is there a quick
modification I need to make in my users file to omit this step? If the
remote radius server says OK, I just want the user authenticated.
So now that this has confused the heck out of me all night, I hope there's
a simple explanation so I can stay up late tomorrow getting it all fixed
and working. For reference, the new radius server is snapshot dated 11/08/01.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
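The post above shows the external script receiving CHAP_PASSWORD with and without a CHAP_CHALLENGE variable. The following is an added example, not the poster's test.sh and not FreeRADIUS code, written in Python rather than shell so the CHAP check can be run offline: it reads the same variable names seen in the poster's log (USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE; string attributes arrive double-quoted as in the log), splits CHAP-Password into its identifier octet and 16-octet response, and verifies the response as MD5(ident || secret || challenge) per RFC 1994. One caveat a practitioner should know: RFC 2865 section 5.3 says that when the CHAP-Challenge attribute is absent, the challenge is the 16-octet Request Authenticator of the Access-Request. A script that only sees attribute variables cannot recover that value, so this example rejects such requests instead of accepting blindly. The USER_SECRETS table, the sample_env() environments and the secret value are constructed for the example; the challenge bytes are the ones shown in the second log.

```python
"""Verify a RADIUS CHAP-Password the way an Exec-Program-Wait script would.

Added example (not the poster's test.sh). It checks the CHAP response
defined in RFC 1994 / RFC 2865:

    CHAP-Password = ident (1 octet) || MD5(ident || secret || challenge)

If the CHAP-Challenge attribute is absent, RFC 2865 section 5.3 makes the
Request Authenticator the challenge; that value is not exported to the
script environment shown in the post, so such requests are rejected here.
"""
import hashlib
import hmac
import os
import sys

# Constructed sample credential store; a real script would look secrets up.
USER_SECRETS = {"username": "s3cret-pass"}


def hex_attr(value):
    """Decode a FreeRADIUS 0x... hex attribute into bytes (None if unset)."""
    if value is None:
        return None
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5 over ident || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def verify_chap(chap_password, challenge, secret):
    """True if CHAP-Password (ident || 16-octet response) matches secret."""
    if len(chap_password) != 17 or len(challenge) == 0:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, secret, challenge)
    # Constant-time compare so a wrong guess leaks no timing information.
    return hmac.compare_digest(expected, response)


def authenticate(env, secrets=USER_SECRETS):
    """Exit-code style result: 0 = accept, 1 = reject.

    `env` maps the variable names seen in the poster's log; USER_NAME
    arrives double-quoted there, so the quotes are stripped.
    """
    user = env.get("USER_NAME", "").strip('"')
    chap_password = hex_attr(env.get("CHAP_PASSWORD"))
    challenge = hex_attr(env.get("CHAP_CHALLENGE"))
    secret = secrets.get(user)
    if secret is None or chap_password is None:
        return 1
    if challenge is None:
        # Challenge would be the Request Authenticator (RFC 2865 s5.3),
        # which this script cannot see: reject rather than accept blindly.
        return 1
    return 0 if verify_chap(chap_password, challenge, secret) else 1


def sample_env(with_challenge=True, tamper=False):
    """Constructed Access-Request environment for a valid CHAP login."""
    challenge = bytes.fromhex("6312f40c29cf64535a46d7a85ff43784")  # from the post
    ident = 0x01
    response = chap_response(ident, USER_SECRETS["username"], challenge)
    if tamper:
        response = bytes([response[0] ^ 0xFF]) + response[1:]
    env = {
        "USER_NAME": '"username"',
        "CHAP_PASSWORD": "0x" + bytes([ident]).hex() + response.hex(),
    }
    if with_challenge:
        env["CHAP_CHALLENGE"] = "0x" + challenge.hex()
    return env


if __name__ == "__main__":
    # Under Exec-Program-Wait the real variables come from os.environ;
    # without them, run against the constructed sample instead.
    source = os.environ if "CHAP_PASSWORD" in os.environ else sample_env()
    sys.exit(authenticate(source))
```

Run directly it exits 0 for the constructed sample; dropped into an Exec-Program-Wait entry it would exit 0 or 1 for the real environment. Note that the check needs the plaintext secret on the authenticating side, which is inherent to CHAP and a reason to protect the credential store accordingly.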