On 07/06/13 13:15, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
> Ok so I've played about and can get a decent failure reply from a
> script-based solution.
> Moving on to those NAS clients that actually do PEAP/MSCHAP... I would
> like to get a response when a failure occurs from them, but it seems
> that Failure-Response-Message from the mschap isn't filled out. I've
> done a test like:
> authenticate {
>     ...
>     Auth-Type MS-CHAP {
>         mschap
>         if (ok) {
>             #
>         }
>         else {
>             if (Module-Failure-Message) {
>                 update reply {
>                     Reply-Message += "Failed NTLM auth"
>                 }
>                 reject
>             }
>         }
>     }
> }
> But the section never gets parsed - it goes straight to post-auth reject
> based on the mschap module itself returning code 1.
Yes. As I said, you'll need to override the default module return
actions, which are "return immediately" in the "authenticate" section
for everything other than fail/invalid/noop/updated. Something like:
authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 1
            ok = 1
        }
        if (!ok) {
            ...
        }
    }
}
> But Module-Failure-Message is empty:
As has been suggested, be careful about which post-auth is running
(inner or outer). FreeRADIUS < 2.2.0 doesn't run post-auth reject for
PEAP inner tunnel.
> ++? if (Module-Failure-Message)
> ? Evaluating (Module-Failure-Message) -> FALSE
> ++? if (Module-Failure-Message) -> FALSE
> Am I doing something wrong?
> I also wondered if I could do something like use the mschap module with
> a custom script, returning NT_KEY or a failure string, but then I've no
> way to return the failure string because I assume the mschap module
> doesn't let you populate variables based on the output like exec does -
> there's no way of specifying output or input pairs, for example.
> I could ditch the mschap module completely, but then I'm not sure how I
> would get all the mschap variables into a script and translate the
> NT_KEY back. It seems a bit OTT just to get a failure response written
> to the linelog/sql.
Now I'm confused.
If you're doing mschap, just run the mschap module. It *will* populate
the Module-Failure-Message attribute if ntlm_auth fails - you don't need
to handle that yourself.
If you're doing exec (i.e. checking PAP via ntlm_auth) then you don't
need to return NT_KEY.
If you're trying to do mschap via exec, you're doing it wrong. Don't do
that.
Most likely your problem is that you're getting confused by the
inner-tunnel post-auth reject not running for PEAP in 2.1.x.
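Putting the two halves of the thread together, as an added example that is neither poster's own configuration: the return-action override from the reply combined with a linelog call in the inner-tunnel authenticate section, so the failure is recorded where mschap actually runs rather than relying on the inner post-auth reject that 2.1.x skips. The linelog instance name (ntlm_fail_log) and its file path are assumptions.

```unlang
# Added example (not from the thread). FreeRADIUS 2.x unlang. This goes in
# the virtual server that handles the PEAP inner request
# (sites-enabled/inner-tunnel), because that is where mschap runs and,
# before 2.2.0, where the post-auth reject section does NOT run.

# modules/linelog: a dedicated instance for NTLM failures (name assumed).
linelog ntlm_fail_log {
    filename = ${logdir}/ntlm_fail.log
    # mschap fills Module-Failure-Message itself when ntlm_auth fails.
    format = "%{User-Name}: %{Module-Failure-Message}"
}

# sites-enabled/inner-tunnel, authenticate section.
authenticate {
    Auth-Type MS-CHAP {
        # The default actions in "authenticate" return immediately on
        # reject/ok, so nothing after the module would ever be evaluated.
        # Override both to 1 ("continue") so control reaches the check.
        mschap {
            reject = 1
            ok = 1
        }
        if (!ok) {
            ntlm_fail_log
            reject
        }
    }
}
```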
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html