Dear Jonn-Erik Farmen,

It was my fault, I meant the MS-CHAP-Response attribute.

Anyway, it will not be easy to test MS-CHAP with radtest, because
MS-CHAP-Response is not some kind of password: it is composed as a DES hash
of MS-CHAP-Challenge and the NT and LM hashes of the password (NT is the MD4
hash of the Unicode password, LM is a DES hash of the OEM password). So you
have some reading tonight (RFC 2433 and RFC 2548) if you wanna calculate
MS-CHAP-Response manually.

--Monday, December 9, 2002, 5:19:44 PM, you wrote to [EMAIL PROTECTED]:

JEF> On Mon, 9 Dec 2002, 3APA3A wrote:

>> Dear Jonn-Erik Farmen,
>> 
>> First,  MS-CHAP  uses  MS-CHAP-Password,  not  CHAP-Password  attribute.
>> Second,  in order to configure Password for user for MS-CHAP you need :=
>> operator instead of ==.
>> 
>> --Monday, December 9, 2002, 1:46:32 PM, you wrote to [EMAIL PROTECTED]:
>> 

JEF> Thank you for your response,

JEF> I wasn't able to see that MS-CHAP-Password was among the standard RADIUS 
JEF> attributes, and replacing == with := in the users file didn't help much:

JEF> # echo "User-Name = jonn, MS-CHAP-Password = MEMEME" | radclient -x 
JEF> xxx.xxx.xxx.xxx:1812 auth testing123
JEF> radclient:Unknown attribute MS-CHAP-Password

>> 
>> JEF> I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP,
>> JEF> but I'm not very successful. I'm obviously missing a point here when it
>> JEF> comes to authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:
>> 
>> 
>> JEF> echo "User-Name = jonn, CHAP-Password = MEMEME" | radclient -x 
>> JEF> xxx.xxx.xx.xxx:1812 auth testing123
>> JEF> Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
>> JEF>         User-Name = "jonn"
>> JEF>         CHAP-Password = 0x704552484cb6fb830e6584c947df285671
>> JEF> rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, 
>> JEF> length=20
>> 
>> JEF> The output of the radius server is:
>> 
>> JEF> rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, 
>> JEF> length=45
>> JEF>         User-Name = "jonn"
>> JEF>         CHAP-Password = 0x704552484cb6fb830e6584c947df285671
>> JEF> modcall: entering group authorize
>> JEF>   modcall[authorize]: module "preprocess" returns ok
>> JEF>     rlm_realm: No '@' in User-Name = "jonn", looking up realm NULL
>> JEF>     rlm_realm: No such realm NULL
>> JEF>   modcall[authorize]: module "suffix" returns noop
>> JEF>     users: Matched DEFAULT at 79
>> JEF>   modcall[authorize]: module "files" returns ok
>> JEF>   modcall[authorize]: module "mschap" returns notfound
>> JEF> modcall: group authorize returns ok
>> JEF>   rad_check_password:  Found Auth-Type MS-CHAP
>> JEF> auth: type "MS-CHAP"
>> JEF> modcall: entering group authenticate
>> JEF> rlm_mschap: No LM/NT password configured. Check authorization.
>> JEF>   modcall[authenticate]: module "mschap" returns invalid
>> JEF> modcall: group authenticate returns invalid
>> JEF> auth: Failed to validate the user.
>> 
>> JEF> in the users file, I have the following:
>> 
>> JEF> #
>> JEF> #       Please read the documentation file ../doc/processing_users_file,
>> JEF> #       or 'man 5 users' (after installing the server) for more 
>> JEF> information.
>> JEF> #
>> JEF> #       This file contains authentication security and configuration
>> JEF> #       information for each user.  Accounting requests are NOT processed
>> JEF> #       through this file.  Instead, see 'acct_users', in this directory.
>> JEF> #
>> JEF> #       The first field is the user's name and can be up to
>> JEF> #       253 characters in length.  This is followed (on the same line) 
>> JEF> with
>> JEF> #       the list of authentication requirements for that user.  This can
>> JEF> #       include password, comm server name, comm server port number, 
>> JEF> protocol
>> JEF> #       type (perhaps set by the "hints" file), and huntgroup name (set by
>> JEF> #       the "huntgroups" file).
>> JEF> #
>> JEF> #       If you are not sure why a particular reply is being sent by the
>> JEF> #       server, then run the server in debugging mode (radiusd -X), and
>> JEF> #       you will see which entries in this file are matched.
>> JEF> #
>> JEF> #       When an authentication request is received from the comm server,
>> JEF> #       these values are tested. Only the first match is used unless the
>> JEF> #       "Fall-Through" variable is set to "Yes".
>> JEF> #
>> JEF> #       A special user named "DEFAULT" matches on all usernames.
>> JEF> #       You can have several DEFAULT entries. All entries are processed
>> JEF> #       in the order they appear in this file. The first entry that
>> JEF> #       matches the login-request will stop processing unless you use
>> JEF> #       the Fall-Through variable.
>> JEF> #
>> JEF> #       If you use the database support to turn this file into a .db or 
>> JEF> .dbm
>> JEF> #       file, the DEFAULT entries _have_ to be at the end of this file and
>> JEF> #       you can't have multiple entries for one username.
>> JEF> #
>> JEF> #       You don't need to specify a password if you set Auth-Type += 
>> JEF> System
>> JEF> #       on the list of authentication requirements. The RADIUS server
>> JEF> #       will then check the system password file.
>> JEF> #
>> JEF> #       Indented (with the tab character) lines following the first
>> JEF> #       line indicate the configuration values to be passed back to
>> JEF> #       the comm server to allow the initiation of a user session.
>> JEF> #       This can include things like the PPP configuration values
>> JEF> #       or the host to log the user onto.
>> JEF> #
>> JEF> #       You can include another `users' file with `$INCLUDE users.other'
>> JEF> #
>> 
>> JEF> #
>> JEF> #       For a list of RADIUS attributes, and links to their definitions,
>> JEF> #       see:
>> JEF> #
>> JEF> #       http://www.freeradius.org/rfc/attributes.html
>> JEF> #
>> 
>> JEF> #
>> JEF> # Deny access for a specific user.  Note that this entry MUST
>> JEF> # be before any other 'Auth-Type' attribute which results in the user
>> JEF> # being authenticated.
>> JEF> #
>> JEF> # Note that there is NO 'Fall-Through' attribute, so the user will not
>> JEF> # be given any additional resources.
>> JEF> #
>> JEF> #lameuser       Auth-Type := Reject
>> JEF> #               Reply-Message = "Your account has been disabled."
>> 
>> JEF> #
>> JEF> # Deny access for a group of users.
>> JEF> #
>> JEF> # Note that there is NO 'Fall-Through' attribute, so the user will not
>> JEF> # be given any additional resources.
>> JEF> #
>> JEF> #DEFAULT        Group == "disabled", Auth-Type := Reject
>> JEF> #               Reply-Message = "Your account has been disabled."
>> JEF> #
>> 
>> JEF> #
>> JEF> # This is a complete entry for "steve". Note that there is no Fall-Through
>> JEF> # entry so that no DEFAULT entry will be used, and the user will NOT
>> JEF> # get any attributes in addition to the ones listed here.
>> JEF> DEFAULT Auth-Type = MS-CHAP
>> JEF> #
>> JEF> #steve  Auth-Type := Local, User-Password == "testing"
>> JEF> #       Service-Type = Framed-User,
>> JEF> #       Framed-Protocol = PPP,
>> JEF> #       Framed-IP-Address = 172.16.3.33,
>> JEF> #       Framed-IP-Netmask = 255.255.255.0,
>> JEF> #       Framed-Routing = Broadcast-Listen,
>> JEF> #       Framed-Filter-Id = "std.ppp",
>> JEF> #       Framed-MTU = 1500,
>> JEF> #       Framed-Compression = Van-Jacobsen-TCP-IP
>> 
>> JEF> jonn    Auth-Type := MS-CHAP, Password == "MEMEME"
>> JEF>         Reply-message = "Hallo jonn",
>> JEF> #       Service-Type = Framed-User,
>> JEF> #       Framed-Routing = Broadcast-Listen,
>> JEF>         Fall-Through = No,
>> JEF> #       Framed-Protocol = PPP,
>> JEF> #       Framed-IP-Address = 172.16.3.33,
>> JEF> #       Framed-IP-Netmask = 255.255.255.0,
>> JEF> #       Framed-Filter-Id = "std.ppp",
>> JEF> #       Framed-MTU = 1500,
>> JEF> #       Framed-Compression = Van-Jacobsen-TCP-IP
>> 
>> JEF> #
>> JEF> #
>> JEF> # This is an entry for a user with a space in their name.
>> JEF> # Note the double quotes surrounding the name.
>> JEF> #
>> JEF> #"John Doe"     Auth-Type := Local, User-Password == "hello"
>> JEF> #               Reply-Message = "Hello, %u"
>> 
>> JEF> #
>> JEF> # Dial user back and telnet to the default host for that port
>> JEF> #
>> JEF> #Deg    Auth-Type := Local, User-Password == "ge55ged"
>> JEF> #       Service-Type = Callback-Login-User,
>> JEF> #       Login-IP-Host = 0.0.0.0,
>> JEF> #       Callback-Number = "9,5551212",
>> JEF> #       Login-Service = Telnet,
>> JEF> #       Login-TCP-Port = Telnet
>> 
>> JEF> #
>> JEF> # Another complete entry. After the user "dialbk" has logged in, the
>> JEF> # connection will be broken and the user will be dialed back after which
>> JEF> # he will get a connection to the host "timeshare1".
>> JEF> #
>> JEF> #dialbk Auth-Type := Local, User-Password == "callme"
>> JEF> #       Service-Type = Callback-Login-User,
>> JEF> #       Login-IP-Host = timeshare1,
>> JEF> #       Login-Service = PortMaster,
>> JEF> #       Callback-Number = "9,1-800-555-1212"
>> 
>> JEF> #
>> JEF> # user "swilson" will only get a static IP number if he logs in with
>> JEF> # a framed protocol on a terminal server in Alphen (see the huntgroups 
>> JEF> file).
>> JEF> #
>> JEF> # Note that by setting "Fall-Through", other attributes will be added from
>> JEF> # the following DEFAULT entries
>> JEF> #
>> JEF> #swilson        Service-Type == Framed-User, Huntgroup-Name == "alphen"
>> JEF> #               Framed-IP-Address = 192.168.1.65,
>> JEF> #               Fall-Through = Yes
>> 
>> JEF> #
>> JEF> # If the user logs in as 'username.shell', then authenticate them
>> JEF> # against the system database, give them shell access, and stop processing
>> JEF> # the rest of the file.
>> JEF> #
>> JEF> #DEFAULT        Suffix == ".shell", Auth-Type := System
>> JEF> #               Service-Type = Login-User,
>> JEF> #               Login-Service = Telnet,
>> JEF> #               Login-IP-Host = your.shell.machine
>> 
>> 
>> JEF> #
>> JEF> # The rest of this file contains the several DEFAULT entries.
>> JEF> # DEFAULT entries match with all login names.
>> JEF> # Note that DEFAULT entries can also Fall-Through (see first entry).
>> JEF> # A name-value pair from a DEFAULT entry will _NEVER_ override
>> JEF> # an already existing name-value pair.
>> JEF> #
>> 
>> JEF> #
>> JEF> # First setup all accounts to be checked against the UNIX /etc/passwd.
>> JEF> # (Unless a password was already given earlier in this file).
>> JEF> #
>> JEF> DEFAULT Auth-Type := System
>> JEF>         Fall-Through = 1
>> 
>> JEF> #
>> JEF> # Set up different IP address pools for the terminal servers.
>> JEF> # Note that the "+" behind the IP address means that this is the "base"
>> JEF> # IP address. The Port-Id (S0, S1 etc) will be added to it.
>> JEF> #
>> JEF> #DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "alphen"
>> JEF> #               Framed-IP-Address = 192.168.1.32+,
>> JEF> #               Fall-Through = Yes
>> 
>> JEF> #DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "delft"
>> JEF> #               Framed-IP-Address = 192.168.2.32+,
>> JEF> #               Fall-Through = Yes
>> 
>> JEF> #
>> JEF> # Defaults for all framed connections.
>> JEF> #
>> JEF> DEFAULT Service-Type == Framed-User
>> JEF>         Framed-IP-Address = 255.255.255.254,
>> JEF>         Framed-MTU = 576,
>> JEF>         Service-Type = Framed-User,
>> JEF>         Fall-Through = Yes
>> 
>> JEF> #
>> JEF> # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
>> JEF> # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
>> JEF> #       by the terminal server in which case there may not be a "P" 
>> JEF> suffix.
>> JEF> #       The terminal server sends "Framed-Protocol = PPP" for auto PPP.
>> JEF> #
>> JEF> DEFAULT Framed-Protocol == PPP
>> JEF>         Framed-Protocol = PPP,
>> JEF>         Framed-Compression = Van-Jacobson-TCP-IP
>> 
>> JEF> #
>> JEF> # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
>> JEF> #
>> JEF> DEFAULT Hint == "CSLIP"
>> JEF>         Framed-Protocol = SLIP,
>> JEF>         Framed-Compression = Van-Jacobson-TCP-IP
>> 
>> JEF> #
>> JEF> # Default for SLIP: dynamic IP address, SLIP mode.
>> JEF> #
>> JEF> DEFAULT Hint == "SLIP"
>> JEF>         Framed-Protocol = SLIP
>> 
>> JEF> #
>> JEF> # Last default: rlogin to our main server.
>> JEF> #
>> JEF> #DEFAULT
>> JEF> #       Service-Type = Login-User,
>> JEF> #       Login-Service = Rlogin,
>> JEF> #       Login-IP-Host = shellbox.ispdomain.com
>> 
>> JEF> # #
>> JEF> # # Last default: shell on the local terminal server.
>> JEF> # #
>> JEF> # DEFAULT
>> JEF> #       Service-Type = Shell-User
>> 
>> JEF> # On no match, the user is denied access.
>> 
>> JEF> If somebody wants to give me an RTFM, that's fine, just give me a FM to 
>> JEF> read.
>> 
>> 
>> JEF> Jonn-Erik Farmen
>> 
>> 
>> JEF> - 
>> JEF> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
~/ZARAZA
Honorable fossils! I await your further letters. (Twain)

