I haven't had much sleep the past few days and just wanted another set of eyes on an issue I'm having. Also, I won't be able to do more testing until tomorrow (user/equip. unavailable) and wanted to try to fix it before then.
I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a problem with case-sensitive userids. Anyway, the patch was working great for user auth. and failing for machine auth. I used some unlang to get around the issue. I haven't done a lot with unlang (and yes, I read the man page), so I may be missing something simple. I'm doing 802.1x authentication from a Windows supplicant with PEAP/MS-CHAPv2.

Here's the authenticate section of my inner-tunnel server:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
            update request {
                Ntlm-Auth-Username = "%{1}$"
            }
            updated
        }
        else {
            update request {
                Ntlm-Auth-Username = "%{User-Name}"
            }
            updated
        }
        mschap-inner
    }
    Auth-Type LDAP {
        ldap
    }
    eap-internal
    eap-comodo
}

First, if I didn't include "updated" after the "update request" actions, then it would return reject. Is that normal (I didn't call a module in there)? Should the unlang be outside of the "Auth-Type MS-CHAP" block?

Also, after Ntlm-Auth-Username is expanded, there's a "[request] returns reject". I think this is the source of the problem, but I don't understand where the reject is coming from. The mschap module that follows returns OK, but the subsequent eap-comodo module returns reject with no explanation in the debug. Do I need something like:

eap-comodo {
    ok = return
}

Here's the relevant debug output:

Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the list
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i)
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ /host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: Preceding "if" was taken
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured. Cannot create LM-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured. Cannot create NT-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_authenticate: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for host/US62695C.energyeast.net with NT-Password
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable at %{Ntlm-Auth-UserName:-None}}
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] mschap2: d1
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=121180cc778e59746acb8c12aa6bb9ab7ab2099604c750eb
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program output: NT_KEY: 8E774D7FDDFC8300DF50499B30DA1CAF
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 8E774D7FDDFC8300DF50499B30DA1CAF
Tue Aug 18 15:41:15 2009 : Debug: Exec-Program: returned: 0
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] adding MS-CHAPv2 MPPE keys
Tue Aug 18 15:41:15 2009 : Info: ++[mschap-inner] returns ok
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Freeing handler
Tue Aug 18 15:41:15 2009 : Info: ++[eap-comodo] returns reject
Tue Aug 18 15:41:15 2009 : Info: Failed to authenticate the user.
Tue Aug 18 15:41:15 2009 : Auth: Login incorrect: [host/US62695C.energyeast.net] (from client eedmz02app08 port 2648774147 cli 00009de11603 via TLS tunnel)
} # server inner-tunnel

Thank you for your time and assistance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
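Added example, not part of the post above or of FreeRADIUS itself: a small Python parser for the "++[module] returns rcode" lines that FreeRADIUS 2.x debug output prints, which makes the nesting depth of each return code visible (the "[request] returns reject" sits one level deeper than the section, while the section's own verdict is the last rcode at the shallowest depth). The sample lines are copied from the trace in the post; the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the debug output in the
# post above, reduced to the ones that carry a module or block return code.
SAMPLE_LOG = r"""
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ /host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++[mschap-inner] returns ok
Tue Aug 18 15:41:15 2009 : Info: ++[eap-comodo] returns reject
Tue Aug 18 15:41:15 2009 : Info: Failed to authenticate the user.
"""

# FreeRADIUS 2.x prints one '+' per nesting level, then either "[module]" or
# "- <block>", followed by the return code handed up to the enclosing section.
RETURNS_RE = re.compile(
    r"(?P<depth>\++)(?:\[(?P<module>[^\]]+)\]|- (?P<block>.+?)) returns (?P<rcode>\w+)$"
)


def parse_returns(log: str) -> List[Tuple[int, str, str]]:
    """Return (nesting depth, module-or-block name, rcode) for every 'returns' line."""
    found = []
    for line in log.splitlines():
        m = RETURNS_RE.search(line)
        if m:
            name = m.group("module") or m.group("block")
            found.append((len(m.group("depth")), name, m.group("rcode")))
    return found


def rejecting_entries(log: str) -> List[Tuple[int, str]]:
    """Every module or block that returned reject, nested ones included."""
    return [(d, n) for d, n, r in parse_returns(log) if r == "reject"]


def section_result(log: str) -> Optional[str]:
    """rcode of the last entry at the shallowest depth, i.e. what the section returned."""
    entries = parse_returns(log)
    if not entries:
        return None
    top = min(d for d, _, _ in entries)
    return [r for d, _, r in entries if d == top][-1]


if __name__ == "__main__":
    for depth, name, rcode in parse_returns(SAMPLE_LOG):
        print(f"{'  ' * depth}{name}: {rcode}")
    print("rejects:", rejecting_entries(SAMPLE_LOG))
    print("section result:", section_result(SAMPLE_LOG))
```

Run against a full radiusd -X capture, the same functions show which module produced the final reject at the section level rather than an inner "returns reject" that a later "updated" already overrode.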