RE: peap with mysql

Fri, 19 May 2006 10:18:24 -0700 

Ok, so I think I'm doing it wrong in the db, so I changed it to look like this:


mysql> select * from radcheck;
+----+----------+-----------+----+--------+
| id | UserName | Attribute | op | Value  |
+----+----------+-----------+----+--------+
|  1 | temptest | Password  | := | authme |
+----+----------+-----------+----+--------+
1 row in set (0.00 sec)

mysql> select * from usergroup
    -> ;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| temptest | guests    |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+------------------------+----+-------+
| id | GroupName | Attribute              | op | Value |
+----+-----------+------------------------+----+-------+
|  1 | guests    | MS-CHAP-User-NTLM-Auth | == | No    |
+----+-----------+------------------------+----+-------+
1 row in set (0.00 sec)

but I still see the call to ntlm_auth from debug
but I also see the MS-CHAP-User-NTLM-Auth getting thrown to PEAP now:


Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
  rlm_eap: EAP packet type response id 7 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
radius_xlat:  'temptest'
rlm_sql (sql): sql_set_user escaped user --> 'temptest'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM 
radcheck           WHERE Username = 'temptest'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM 
radreply           WHERE Username = 'temptest'           ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 7
  rlm_mschap: Told to do MS-CHAPv2 for temptest with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: 98
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=2b02206f3716571f 
--nt-response=25b7d9ed68bd1831d60c2b72008dfb7387598644f21f47c3 
--require-membership-of=ATL+wifi-secure'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=2b02206f3716571f 
--nt-response=25b7d9ed68bd1831d60c2b72008dfb7387598644f21f47c3 
--require-membership-of=ATL+wifi-secure
Exec-Program output: Logon failure (0xc000006d) 
Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 7
modcall: leaving group MS-CHAP (returns reject) for request 7
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 7
modcall: leaving group authenticate (returns reject) for request 7
auth: Failed to validate the user.
Login incorrect: [temptest/<no User-Password attribute>] (from client localhost 
port 0)
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-User-NTLM-Auth == "No"
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x816efa0 3
        MS-CHAP-User-NTLM-Auth == "No"
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7


--
Chris Liles


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Liles
Sent: Friday, May 19, 2006 10:42 AM
To: FreeRadius users mailing list
Subject: RE: peap with mysql 

Please forgive my ignorance, but can you be a little bit more specific.

I tried putting the following in the database:

mysql> select * from radcheck;
+----+----------+------------------------+----+--------+
| id | UserName | Attribute              | op | Value  |
+----+----------+------------------------+----+--------+
|  1 | temptest | Password               | := | authme |
|  2 | temptest | MS-CHAP-User-NTLM-Auth | == | No     |
+----+----------+------------------------+----+--------+

I added the following to dictionary:
ATTRIBUTE       MS-CHAP-User-NTLM-Auth  3003    string


But I am still seeing the call made for ntlm authing:

radius_xlat:  'temptest'
rlm_sql (sql): sql_set_user escaped user --> 'temptest'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM 
radcheck           WHERE Username = 'temptest'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM 
radreply           WHERE Username = 'temptest'           ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[temptest]
  modcall[authorize]: module "sql" returns notfound for request 16
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 16
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for temptest with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: d2
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=f323f6e00a6e7eef 
--nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 
--require-membership-of=DOMAIN+wifi-secure'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=f323f6e00a6e7eef 
--nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 
--require-membership-of=DOMAIN+wifi-secure
Exec-Program output: Logon failure (0xc000006d) 
Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 16
modcall: leaving group MS-CHAP (returns reject) for request 16


I'm guessing that I need to put the MS-CHAP-User-NTLM-Auth somewhere else??


--
Chris Liles


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 18, 2006 8:31 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql 

"Chris Liles" <[EMAIL PROTECTED]> wrote:
> How can I make the mschap module use both ntlm and mysql?

  If it gets a clear-text password, it should probably default to
using that.  For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to