Hi, I have been trying to implement a RADIUS authentication server at my workplace. The idea is to have all wifi access points authenticate against a RADIUS server. The RADIUS server needs to pass authentication to a backend Active Directory server. I have been successful in authenticating wifi users against file-based and SQL-based authentication in RADIUS. NTLM_AUTH using PAP also works fine, wherein the plaintext password is successfully authenticated against the AD and I get an "Access-Accept". However, when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP, the same is not working and I end up with an "Access-Reject". It seems that the ntlm_auth program is not parsing the received encrypted password, hence the authentication fails. MSCHAP is a requirement, as wifi clients at my place mostly have an EAP supplicant. (I read in the freeradius documentation that EAP and LDAP don't go hand in hand; I may be wrong in interpreting the same.)
The freeradius logs for all the cases are listed below. Radius gurus, please point me in the right direction as to how to make MS_CHAP authentication work over ntlm_auth or ldap (if possible). PS: I did all the testing using the JRadius simulator.

Regards
Dhiraj Gaur

-------------------------- LOGS ------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=69
	User-Name = "01546"
	User-Password = "xxxxxxxxxxx" --> (Plain Text password)
	NAS-IP-Address = 192.168.0.199
	Message-Authenticator = 0x008294e58343b74ea977c228f5b5ec5d
Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx --> (We can see the password in plaintext)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
	User-Name := 01546
	User-Password := [Encrypted String]
	NAS-IP-Address := 192.168.0.199
	Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:

-----------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22, length=88
	User-Name = "01546"
	NAS-IP-Address = 192.168.0.199
	CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57
	CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e
	Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2
Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok
Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:29:27 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds
Fri Jan 20 18:29:27 2012 : Debug: Going to the next request
Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5
Sending Access-Reject of id 22 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
	User-Name := 01546
	NAS-IP-Address := 192.168.0.199
	CHAP-Challenge := [Binary Data (length=16)]
	CHAP-Password := [Binary Data (length=17)]
	Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:

--------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23, length=133
	User-Name = "01546"
	NAS-IP-Address = 192.168.0.199
	MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
	MS-CHAP2-Response = 0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
	Message-Authenticator = 0x92716bba8963b228666c070135f8245a
Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok
Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:29:57 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds
Fri Jan 20 18:29:57 2012 : Debug: Going to the next request
Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds.
Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6
Sending Access-Reject of id 23 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
	User-Name := 01546
	NAS-IP-Address := 192.168.0.199
	MS-CHAP-Challenge := [Binary Data (length=16)]
	MS-CHAP2-Response := [Binary Data (length=50)]
	Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:

-----------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24, length=63
	User-Name = "01546"
	NAS-IP-Address = 192.168.0.199
	EAP-Message = 0x0200000a013031353436
	Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9
Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length 10
Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Fri Jan 20 18:30:30 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns updated
Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds
Fri Jan 20 18:30:30 2012 : Debug: Going to the next request
Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7
Sending Access-Reject of id 24 to 192.168.3.210 port 32854

JRADIUS CLIENT LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
	User-Name := 01546
	NAS-IP-Address := 192.168.0.199
	EAP-Message := [Binary Data (length=10)]
	Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
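Added example, not part of Dhiraj's post or of FreeRADIUS: a small Python triage script that walks a FreeRADIUS 2.x debug log of the shape shown above and reports, per Access-Request, which credential attribute the request carried, what the exec-style ntlm_auth module was actually handed as --password, the ntlm_auth exit code, and the final reply. The log it runs on (SAMPLE_LOG) is constructed to mirror the four cases in the post; its addresses, ids and attribute values are placeholders. The point it surfaces is visible in the post's own log: the module expands %{User-Password}, which only exists for PAP, so for CHAP, MS-CHAP and EAP requests ntlm_auth is invoked with an empty password and the DC answers NT_STATUS_WRONG_PASSWORD.

```python
"""Triage a FreeRADIUS 2.x debug log: credential attribute per request, what the
exec-style ntlm_auth module received as --password, its exit code, and the reply.

Added example; SAMPLE_LOG is a constructed log in the shape of the one in the post
(addresses, request ids and attribute values are placeholders)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Credential attributes a request can carry, in the order we prefer to report them.
CREDENTIAL_ATTRS = ("User-Password", "CHAP-Password", "MS-CHAP2-Response",
                    "MS-CHAP-Response", "EAP-Message")

TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : (?:Info|Debug): ")
RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
ATTR = re.compile(r"^\s*([\w-]+) = ")                 # "\tUser-Name = ..." lines after rad_recv
PASSWORD_EXPAND = re.compile(r"^\[ntlm_auth\] expand: --password=\S+ -> --password=(\S*)")
EXEC_RC = re.compile(r"^Exec-Program: returned: (\d+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")


@dataclass
class Request:
    id: str
    attrs: List[str] = field(default_factory=list)
    ntlm_password_given: Optional[bool] = None   # None means ntlm_auth never ran
    exec_rc: Optional[int] = None
    result: Optional[str] = None

    @property
    def credential(self) -> str:
        for name in CREDENTIAL_ATTRS:
            if name in self.attrs:
                return name
        return "none"

    def diagnosis(self) -> str:
        if self.ntlm_password_given is None:
            return "ntlm_auth did not run"
        if self.ntlm_password_given:
            return "plaintext password reached ntlm_auth (PAP-style check)"
        return (f"ntlm_auth ran with an empty --password: the request carries "
                f"{self.credential}, not User-Password, so %{{User-Password}} expands to "
                "nothing; a plaintext check cannot verify a challenge/response credential")


def triage(log_text: str) -> List[Request]:
    """Walk the log once, grouping lines under the rad_recv that opened each request."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw)            # drop "Fri Jan 20 ... : Info: " prefixes
        m = RAD_RECV.match(line)
        if m:
            current = Request(id=m.group(1))
            requests.append(current)
            continue
        if current is None:
            continue
        if (m := ATTR.match(line)):
            current.attrs.append(m.group(1))
        elif (m := PASSWORD_EXPAND.match(line)):
            current.ntlm_password_given = bool(m.group(1))
        elif (m := EXEC_RC.match(line)):
            current.exec_rc = int(m.group(1))   # last exec result wins (authorize/authenticate/post-auth)
        elif (m := SENDING.match(line)) and m.group(2) == current.id:
            current.result = m.group(1)
    return requests


# Constructed sample: one PAP, one CHAP, one MS-CHAPv2 and one EAP request.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 40000, id=1, length=69
	User-Name = "01546"
	User-Password = "placeholder-pw"
	NAS-IP-Address = 192.0.2.1
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=placeholder-pw
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Sending Access-Accept of id 1 to 192.0.2.10 port 40000
rad_recv: Access-Request packet from host 192.0.2.10 port 40000, id=2, length=88
	User-Name = "01546"
	NAS-IP-Address = 192.0.2.1
	CHAP-Challenge = 0x00
	CHAP-Password = 0x00
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
Sending Access-Reject of id 2 to 192.0.2.10 port 40000
rad_recv: Access-Request packet from host 192.0.2.10 port 40000, id=3, length=133
	User-Name = "01546"
	NAS-IP-Address = 192.0.2.1
	MS-CHAP-Challenge = 0x00
	MS-CHAP2-Response = 0x00
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
Sending Access-Reject of id 3 to 192.0.2.10 port 40000
rad_recv: Access-Request packet from host 192.0.2.10 port 40000, id=4, length=63
	User-Name = "01546"
	NAS-IP-Address = 192.0.2.1
	EAP-Message = 0x00
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
Sending Access-Reject of id 4 to 192.0.2.10 port 40000
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"id={r.id:<3} credential={r.credential:<18} ntlm_auth_rc={r.exec_rc} "
              f"reply={r.result}\n    {r.diagnosis()}")
```

Run it against a real `radiusd -X` capture by reading the file into `triage()`. The practitioner's caveat it makes concrete: the exec-style ntlm_auth module is a plaintext check and can only serve PAP. For MS-CHAP, rlm_mschap has its own `ntlm_auth` setting that hands Samba's ntlm_auth the challenge and NT response (`--challenge=%{mschap:Challenge}` and `--nt-response=%{mschap:NT-Response}`) rather than a password; that is the path documented in the FreeRADIUS 2.x `modules/mschap` file, not something the post configures. Plain CHAP cannot be verified against AD this way at all, because RFC 1994 CHAP needs the server to hold the cleartext password.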
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html