RADIUS authentication using MS-CHAP - no cleartext password configured error

2013-02-06 Thread Deepti kulkarni
I have a windows client trying to set up L2TP tunnel with my linux router.
The linux router talks with the RADIUS server. The authentication is
failing because the request is using MS-CHAP and my server cannot handle
MS-CHAP. I am not sure what is missing from the configuration on the
server. I have the cleartext password in the users file for the temp user
I am trying to authenticate. Following is the debug output -

rad_recv: Access-Request packet from host 10.1.0.33 port 46487, id=142,
length=140
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = temp
MS-CHAP-Challenge = 0xa71f9d0753274da79dfe6f0eb2c1b693
MS-CHAP2-Response =
0xea00de5395669cc1880bf8b0020b2b96b423fada537f1a8f3b12453fc739d08219f28644ccfb11ba0225
Calling-Station-Id = l2tp
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = temp, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: temp
[mschap] Told to do MS-CHAPv2 for temp with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [temp] (from client temp-radius port 0 cli l2tp)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - temp
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 142 to 10.1.0.33 port 46487
Waking up in 4.9 seconds.
Cleaning up request 4 ID 142 with timestamp +1310
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RADIUS authentication using MS-CHAP - no cleartext password configured error

2013-02-06 Thread Alan DeKok
Deepti kulkarni wrote:
 I have a windows client trying to set up L2TP tunnel with my linux
 router. The linux router talks with the RADIUS server. The
 authentication is failing because the request is using MS-CHAP and my
 server cannot handle MS-CHAP. I am not sure what is missing from the
 configuration on the server. I have the cleartext password in the users
 file for the temp user I am trying to authenticate. 

  No, you don't.  Read the debug output:

 [files] users: Matched entry DEFAULT at line 172
 ++[files] returns ok

  What's on line 172?

  The FAQ contains instructions for adding test accounts to the users
file.  Follow the FAQ.

  Alan DeKok.


Re: User-Name (machine\user) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2 error

2012-11-01 Thread Phil Mayers

On 01/11/12 11:22, Gokhan Gunyol wrote:

Hi;

We upgraded our radius to  Freeradius 2.1.10 version on Ubuntu 32bit
from an old version


Which old version.



Our problem is Windows XP clients can't log in to wireless and radius has
“User-Name (machine\user) is not the same as MS-CHAP Name (user) from
EAP-MSCHAPv2” error messages


Ok.



With the old freeradius version and exactly the same configuration, clients had
no problem


The mschap code has had some changes over the years. This might be one 
of them.



You can find debug log export at below


This is an incomplete debug. It doesn't show the error message you refer 
to. Where is it?




Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Phil Mayers

On 10/22/2012 09:13 AM, Daniel Ekman wrote:

Hi list,

I have a fairly large user base doing WPA2-enterprise from various
OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when people change their password. I


Change their password where? Elsewhere, right? So, you want to prompt 
the clients to enter a new password, because the user has changed 
passwords on the server.



in the latest version allow_retry and retry_msg in the mschap module
were implemented and this works great on my mac and linux userbase,
however it does not work for the windows users, the FreeRADIUS server
is still sending the same things to the user but for some reason there
is no popup telling the user to change their password so here is my
actual question, is this supposed to work? should the windows users
also get the popup saying please change password?


Your terminology is confusing. Do you mean "change password" or 
"re-enter your password"? Because the two are very, very different.


To be honest, your email is sort of vague and specific at the same time, 
if that makes any sense - there's some LDAP, some different set of 
accounts, something else...


I've got no idea if Windows can even behave the way you want



judging from what some threads say like this for example
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html


That message predates major changes to the PEAP and EAP-MSCHAPv2 modules 
to support password *change* (see why I said it was confusing?). So I'd 
be cautious about reading too much into it.



seems to indicate there are problems but it also sounds like there is
a solution.

I have also tried adding the send_error setting in eap.conf but that
only broke things like I read somewhere it would.


...vague much?

Seriously: radiusd -X

If I have time today, I'll try to resurrect our NPS server for comparison 
and see what Microsoft do. It's possible you just can't prompt 
Windows in the way you want.



Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Daniel Ekman
Thanks for replying and sorry if I'm being vague, I'll try and be more specific.

On Tue, Oct 23, 2012 at 10:59 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 10/22/2012 09:13 AM, Daniel Ekman wrote:

 Hi list,

 I have a fairly large user base doing WPA2-enterprise from various
 OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
 authenticating via LDAP and things are running pretty well, only snag
 I have currently with this is when people change their password. I


 Change their password where? Elsewhere, right? So, you want to prompt the
 clients to enter a new password, because the user has changed passwords on
 the server.


Yes, clients change their password on the server via a custom web
interface on top of the LDAP, and this then obviously does not get
automatically updated in the wireless settings on the client's
computer.


 in the latest version allow_retry and retry_msg in the mschap module
 were implemented and this works great on my mac and linux userbase,
 however it does not work for the windows users, the FreeRADIUS server
 is still sending the same things to the user but for some reason there
 is no popup telling the user to change their password so here is my
 actual question, is this supposed to work? should the windows users
 also get the popup saying please change password?


 Your terminology is confusing. Do you mean "change password" or "re-enter
 your password"? Because the two are very, very different.

Re-enter the password in the wireless setup if they do not get authenticated.


 To be honest, your email is sort of vague and specific at the same time, if
 that makes any sense - there's some LDAP, some different set of accounts,
 something else...

 I've got no idea if Windows can even behave the way you want



 judging from what some threads say like this for example

 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html


 That message predates major changes to the PEAP and EAP-MSCHAPv2 modules to
 support password *change* (see why I said it was confusing?). So I'd be
 cautious about reading too much into it.


 seems to indicate there are problems but it also sounds like there is
 a solution.

 I have also tried adding the send_error setting in eap.conf but that
 only broke things like I read somewhere it would.


 ...vague much?

the send_error was added to version 2.1.11 as a bug fix: "Allow
EAP-MSCHAPv2 to send error message to client. This change allows some
clients to prompt the user for a new password. See raddb/eap.conf,
mschapv2 section, send_error."
This was said in an earlier version to solve issues for some clients but
*may* also cause other clients to stop working. The setting is also
not included in the version 2.1.12 eap.conf.


 Seriously: radiusd -X

radiusd -X gives the same output to mac/windows/linux users when they
need to re-enter their password but only the mac/linux users get a
prompt for it.


 If I have time today, I'll try to resurrect our NPS server for comparison
 and see what Microsoft do. It's possible you just can't prompt Windows in
 the way you want.


Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Phil Mayers

On 23/10/12 10:52, Daniel Ekman wrote:


the send_error was added to version 2.1.11 as a bug fix: "Allow
EAP-MSCHAPv2 to send error message to client. This change allows some
clients to prompt the user for a new password. See raddb/eap.conf,
mschapv2 section, send_error."


I know that. I mean "like I read somewhere it would" was vague.


Seriously: radiusd -X


radiusd -X gives the same output to mac/windows/linux users when they
need to re-enter their password but only the mac/linux users get a
prompt for it.


That doesn't mean it wouldn't be helpful to see it.


MS-CHAP-V2 allow_retry on ldap authentification

2012-10-22 Thread Daniel Ekman
Hi list,

I have a fairly large user base doing WPA2-enterprise from various
OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when people change their password. I
realize this has been discussed before because I have spent a lot of
time reading through this list and other sources.

So current setup is OpenLDAP in a central location, a slave is set up
remote with FreeRADIUS on top of that to allow for WPA2, this also
means there is no correlation between user accounts on computers and
domains so when people change their LDAP password their WPA2
username/password remain the same and the user needs to change it
manually.

in the latest version allow_retry and retry_msg in the mschap module
were implemented and this works great on my mac and linux userbase,
however it does not work for the windows users, the FreeRADIUS server
is still sending the same things to the user but for some reason there
is no popup telling the user to change their password so here is my
actual question, is this supposed to work? should the windows users
also get the popup saying please change password?

judging from what some threads say like this for example
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
seems to indicate there are problems but it also sounds like there is
a solution.

I have also tried adding the send_error setting in eap.conf but that
only broke things like I read somewhere it would.


Thanks for reading :)

Daniel


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-18 Thread Martin Ubank
/server.pem
serial  = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE= $dir/.rand
name_opt= ca_default
cert_opt= ca_default
default_days= 365
default_crl_days= 30
default_md  = sha1
preserve= no
policy  = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ req ]
prompt  = no
distinguished_name  = client
default_bits= 2048
input_password  = INPUT_PW
output_password = OUTPUT_PW

[client]
countryName = UK
stateOrProvinceName = United Kingdom
localityName= West of ENgland
organizationName= UWE
emailAddress= email_addr...@uwe.ac.uk
commonName  = UWE, Bristol

P.S. Let me know if it would help to include other files.

-Original Message-
From: freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org] 
On Behalf Of Alan Buxey
Sent: 17 October 2011 09:21
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Hi,

 Thanks for that.
 I had left some previous versions of files in the modules directory not 
 knowing that they are still active.
 Moving them to another location progressed me to the following error:

yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in modules/
directory. never leave 'backups' or editor backups (tilde emacs files) or RCS 
etc versions
lying around in those directories (this is a common problem)

 This was fixed by issuing this command:
 
 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

 The next problem I got was
 
 EAP-MSCHAPV2: Received success
  EAP-MSCHAPV2: Invalid authenticator response in success request
 
 Googling this suggests there is a bug in the version of Samba I'm using and 
 that I need to install version 3.0.30.

the latest SAMBA release in 3.5.x should work fine. 

I note you are running 2.1.9 - why that version? 2.1.10 should be available
for CentOS 6 with yum.  if self-compiling, use 2.1.12

alan





Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-17 Thread Alan Buxey
Hi,

 Thanks for that.
 I had left some previous versions of files in the modules directory not 
 knowing that they are still active.
 Moving them to another location progressed me to the following error:

yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in modules/
directory. never leave 'backups' or editor backups (tilde emacs files) or RCS 
etc versions
lying around in those directories (this is a common problem)

 This was fixed by issuing this command:
 
 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

 The next problem I got was
 
 EAP-MSCHAPV2: Received success
  EAP-MSCHAPV2: Invalid authenticator response in success request
 
 Googling this suggests there is a bug in the version of Samba I'm using and 
 that I need to install version 3.0.30.

the latest SAMBA release in 3.5.x should work fine. 

I note you are running 2.1.9 - why that version? 2.1.10 should be available
for CentOS 6 with yum.  if self-compiling, use 2.1.12

alan
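The point about modules/ and sites-enabled/ being read in full is easy to check mechanically before restarting the server. The script below is an added example, not part of this thread or of FreeRADIUS: it lists entries in a configuration directory whose names look like editor or package-manager leftovers (the name patterns are this example's own assumption; which names a given FreeRADIUS version silently skips varies, so treat anything that is not an intended module file as stray). The demo builds a throwaway directory with constructed file names so it runs offline.

```python
import os
import re
import tempfile

# Constructed list of leftover-looking names: emacs/vi backups, .bak/.orig/.old,
# patch rejects, and package-manager copies. Assumption of this example, not a
# list taken from FreeRADIUS.
STRAY_NAME = re.compile(r"(~$|\.(bak|orig|old|rej|swp|dpkg-dist|rpmsave|rpmnew)$|^#.*#$|^\.)")
STRAY_DIRS = {"RCS", "CVS", ".svn", ".git"}


def find_stray_files(directory: str) -> list:
    """Return names in `directory` that should not live in a FreeRADIUS
    modules/ or sites-enabled/ directory, sorted for stable output."""
    stray = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isdir(path) and name in STRAY_DIRS:
            stray.append(name)
        elif os.path.isfile(path) and STRAY_NAME.search(name):
            stray.append(name)
    return stray


def demo() -> list:
    """Populate a temporary directory with constructed names and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for n in ["mschap", "mschap~", "mschap.bak", "eap.conf.orig", "ldap", ".ldap.swp"]:
            open(os.path.join(d, n), "w").close()
        os.mkdir(os.path.join(d, "RCS"))
        return find_stray_files(d)


if __name__ == "__main__":
    for name in demo():
        print("stray:", name)
```

Run it against the real raddb/modules and raddb/sites-enabled before `radiusd -X`; the first screen of debug output, which lists every file read, confirms whether anything unexpected was picked up.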


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-16 Thread Martin Ubank
Thanks for that.
I had left some previous versions of files in the modules directory not knowing 
that they are still active.
Moving them to another location progressed me to the following error:

winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/lib/samba/winbindd_privileged are set correctly.

This was fixed by issuing this command:

'chgrp radiusd /var/lib/samba/winbindd_privileged'

The next problem I got was

EAP-MSCHAPV2: Received success
 EAP-MSCHAPV2: Invalid authenticator response in success request

Googling this suggests there is a bug in the version of Samba I'm using and 
that I need to install version 3.0.30.

A job for tomorrow morning ...

Thanks for everyone's help so far.

Martin.

-Original Message-
From: freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org] 
On Behalf Of James J J Hooper
Sent: 14 October 2011 18:29
To: freeradius-users@lists.freeradius.org
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

On 14/10/2011 16:13, Martin Ubank wrote:
 Here's the full output from 'radiusd -X':

The bit at the top that tells us what radiusd has read from the config 
files is missing.

It's not executing ntlm_auth by the looks of what you posted, so you need 
to look at why. The first bit of radiusd -X will tell you which files it's 
reading. Check it's reading your mschap file (the one you configured, not 
some other one).

-James




Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-14 Thread Martin Ubank
I've been following the FreeRadius Deployment guide 
http://deployingradius.com/documents/configuration/active_directory.html



The following software is installed on a Centos 6 VM:

-Samba 3.5.4, Freeradius 2.1.9, wpa_supplicant-0.7.3, gcc v4.4.4-13, 
openssl, winbind.



I successfully performed basic configuration tests with the 'eapol_test' 
command for:
- PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5.

I've created production certificates & successfully tested for the above 
protocols.

Installed Kerberos 1.8.2 & tested that successfully.



I started to configure FreeRadius with AD and successfully tested it to use 
ntlm_auth.

I've got to the final stage Configuring FreeRADIUS to use ntlm_auth for 
MS-CHAP in the deployment process.

This stage says:

1) ... delete the testing entry used above from the users file, ..., which 
I've done.

2) ... fine (sic) the mschap module in raddb/modules/mschap file, and look for 
the line containing ntlm_auth = . It ... should be uncommented, ..., which 
I've done.

3) Start the server ...

   I ran 'radiusd -X'.

4) ... and use a test client to send an MS-CHAP authentication request.

   I've used the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s 
testing123'.



I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP 
correctly:



snip

[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
snip



The 'eapol_test' output reflects this:



snip

EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 8
EAP-MSCHAPV2: Received challenge
EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
EAP-MSCHAPV2: Generating Challenge Response
MSCHAPV2: Identity - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
MSCHAPV2: Username - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
MSCHAPV2: auth_challenge - hexdump(len=16): a5 e6 9e fa 6e 1f ec 2f 0b b6 a3 96 
ef 45 15 32
MSCHAPV2: peer_challenge - hexdump(len=16): 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 
6f 8d 2a a9
MSCHAPV2: username - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
MSCHAPV2: password - hexdump_ascii(len=20):
 77 6f 72 6b 6d 61 6e 20 74 6f 64 61 79 20 61 72   PASSWORD
 6e 69 63 61
MSCHAPV2: NT Response - hexdump(len=24): 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c 
db 8b 51 77 ad 3e bc 96 26 7c 7a
MSCHAPV2: Auth Response - hexdump(len=20): f0 95 4d 86 ee 82 8f c0 12 84 cc a7 
d0 72 fb e6 95 b3 ef d1
MSCHAPV2: Master Key - hexdump(len=16): 31 8d ae c0 3d e1 42 0f ae 05 bc f0 72 
da 98 72
EAP-MSCHAPV2: TX identifier 8 mschapv2_id 8 (response)
EAP-PEAP: Encrypting Phase 2 data - hexdump(len=70): 02 08 00 46 1a 02 08 00 41 
31 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 00 00 00 00 00 00 00 00 66 
67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a 00 65 64 
75 72 6f 61 6d 74 65 73 74
snip


RADIUS packet matching with station
decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE



The peap-mschapv2-cert-ntlm_auth.conf file contains:



#
#   eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#

eapol_version=1
fast_reauth=0

network={
key_mgmt=WPA-EAP
eap=PEAP
identity=USERNAME
#anonymous_identity=anonymous
password=PASSWORD
phase2=auth=MSCHAPV2

  priority=10

  #
  #  Uncomment the following to perform server certificate validation.
  ca_cert=/etc/raddb/certs/ca.der
}



The file /etc/raddb/modules/mschap contains:



# -*- text -*-
#
#  $Id$

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {

  #ntlm_auth = /path/to/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
  ntlm_auth = /usr/bin/ntlm_auth

Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-14 Thread Arran Cudbard-Bell

  
 I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP 
 correctly:
  
 snip
 [eap] processing type mschapv2
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 snip
  

You just snipped away the useful information in the log... Please include the 
full debug log for the EAP round where this message is produced.


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-14 Thread James J J Hooper

On 14/10/2011 16:13, Martin Ubank wrote:

Here's the full output from 'radiusd -X':


The bit at the top that tells us what radiusd has read from the config 
files is missing.


It's not executing ntlm_auth by the looks of what you posted, so you need 
to look at why. The first bit of radiusd -X will tell you which files it's 
reading. Check it's reading your mschap file (the one you configured, not 
some other one).


-James



Re: Error: User-Name is not the same as MS-CHAP name

2011-08-03 Thread broo0...@googlemail.com
Hi,

I seem to have the same issue as described in this thread, I also have
XP/Novell legacy clients, and I want to move to AD from eDir.

Re: Error: User-Name is not the same as MS-CHAP name
https://lists.freeradius.org/pipermail/freeradius-users/2011-June/msg00070.html

The last mention I can see of this was a few months ago, has anything
changed since ?

I was wondering if I can work around the issue by using realms to strip the
username and then force the domain into the ntlm_auth line in the mschap
module. I got some way with this approach but it still seems to want to
create the hash using the DOMAIN/USER, which I'm guessing is wrong.

Anyway, if there is a fix or workaround I'd be grateful if you could let
me know.

Thanks,

Bruce

MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Bastien Semene

Hi list,

I'm currently - trying to - set up a radius server.
The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8

During my tests, for the same user I used test password, then blabla 
password.
Now, I use blabla and it's not working. instead test is still 
working ...

I tested with a third string (ahaha) , there's a third error output...

I tried restarting radiusd and the jail it's running in; this 
changes nothing.
All these commands/outputs are from the same running server (I mean no 
reboot).


How can this happen ?



radtest commands :

# radtest -t mschap bsemene test 10.1.8.4 0 testing123
Sending Access-Request of id 166 to 10.1.8.4 port 1812
User-Name = bsemene
NAS-IP-Address = 10.1.8.4
NAS-Port = 0
MS-CHAP-Challenge = 0x244e451f6d9cec8a
MS-CHAP-Response = 
0x000148485d333f46de4d66241b5be289340fd16f37838c63c542
rad_recv: Access-Accept packet from host 10.1.8.4 port 1812, id=166, 
length=90

Framed-MTU = 1400
MS-CHAP-MPPE-Keys = 
0x01fc5a6be7bc69292066656e05c22f3a995ad9ecfed913d6

MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

/usr/local/etc/raddb# radtest -t mschap bsemene blabla 10.1.8.4 0 testing123
Sending Access-Request of id 87 to 10.1.8.4 port 1812
User-Name = bsemene
NAS-IP-Address = 10.1.8.4
NAS-Port = 0
MS-CHAP-Challenge = 0xfabeb87636c4a8d1
MS-CHAP-Response = 
0x000191fbe9a51db58f3684cd91ebde311aedfcbe19271848ee45
rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=87, 
length=38

MS-CHAP-Error = \000E=691 R=1

/usr/local/etc/raddb# radtest -t mschap bsemene ahaha 10.1.8.4 0 testing123
Sending Access-Request of id 222 to 10.1.8.4 port 1812
User-Name = bsemene
NAS-IP-Address = 10.1.8.4
NAS-Port = 0
MS-CHAP-Challenge = 0xc0d0a9ded19cb497
MS-CHAP-Response = 
0x000158d55aa0e11a251eee1a70f03438ff09fd872fc81b27c614
rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=222, 
length=38

MS-CHAP-Error = \000E=691 R=1


debug mode outputs :

password test :
[sql]   expand: %{Stripped-User-Name} -
[sql]   ... expanding second conditional
[sql]   expand: %{User-Name} - bsemene
[sql]   expand: %{%{User-Name}:-DEFAULT} - bsemene
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - 
bsemene

[sql] sql_set_user escaped user -- 'bsemene'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id - SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'bsemene'   ORDER BY id

[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id - SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'bsemene'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   
WHERE username = '%{SQL-User-Name}'   ORDER BY priority - 
SELECT groupname   FROM radusergroup   WHERE username = 
'bsemene'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, 
op   FROM radgroupcheck   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   
WHERE groupname = 'dynamic'   ORDER BY id

[sql] User found in group dynamic
[sql]   expand: SELECT id, groupname, attribute,   value, 
op   FROM radgroupreply   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname, 
attribute,   value, op   FROM radgroupreply   
WHERE groupname = 'dynamic'   ORDER BY id

rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok

password blabla:
[sql]   expand: %{Stripped-User-Name} -
[sql]   ... expanding second conditional
[sql]   expand: %{User-Name} - bsemene
[sql]   expand: %{%{User-Name}:-DEFAULT} - bsemene
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - 
bsemene

[sql] sql_set_user escaped user -- 'bsemene'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op

Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alan DeKok
Bastien Semene wrote:
 I'm currently - trying to - set up a radius server.
 The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
 
 During my tests, for the same user I used test password, then blabla
 password.
 Now, I use blabla and it's not working. instead test is still
 working ...
 I tested with a third string (ahaha) , there's a third error output...

  I have no idea what that means.

 I tried restarting radiusd and the jail it's running in; this
 changes nothing.
 All these commands/outputs are from the same running server (I mean no
 reboot).
 
 How can this happen ?

  The server reads its configuration files only when it starts.  If you
edit the configuration files, you will need to restart the server.

  Alan DeKok.


Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alexey Shildyakov
11.07.2011 15:06 user Alan DeKok al...@deployingradius.com
wrote:

 Bastien Semene wrote:
  I'm currently - trying to - set up a radius server.
  The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
 
  During my tests, for the same user I used test password, then blabla
  password.
  Now, I use blabla and it's not working. instead test is still
  working ...
  I tested with a third string (ahaha) , there's a third error output...

  I have no idea what that means.

I think he means that only the first password works. The second and third
versions of the password for the same user don't work.

  I tried restarting radiusd and the jail it's running in; this
  changes nothing.
  All these commands/outputs are from the same running server (I mean no
  reboot).
 
  How can this happen

  The server reads its configuration files only when it starts.  If you
 edit the configuration files, you will need to restart the server.

But does it apply to MySQL too? I think I don't need to restart the server in
the case of MySQL, because the server does a SELECT from MySQL each time, doesn't it?

  Alan DeKok.


Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alan DeKok
Alexey Shildyakov wrote:
 I think he means that only the first password works. The second and third
 versions of the password for the same user don't work.

  Users have one password.  You can't authenticate with any one of three
passwords.  The authentication protocols just don't work that way.

 But does it apply for MySQL too? I think I don't need to restart the server
 in the case of MySQL, because the server does a SELECT from MySQL each time,
 doesn't it?

  It doesn't apply for MySQL.  I never said it applied for MySQL.

  Alan DeKok.


Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alexey Shildyakov
On 11.07.2011 15:18, Alan DeKok al...@deployingradius.com wrote:

  Users have one password.  You can't authenticate with any one of three
 passwords.  The authentication protocols just don't work that way.

Think Bastien means this:
1. Start server, user has password password123.
2. Authentication successful
3. Change password in MySQL to blabla without restarting the server.
4. Authentication failed.

Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Bastien Semene

I express myself very badly, sorry.

The configuration I put in my first mail is the current configuration, 
running, after restart.
The debug and commands output are from the current - reloaded - 
configuration.
There's only 1 entry in the radcheck table, and its current password is 
blabla.


The three error outputs are relative to the logs. This means that the 
three cases are different :

old password = working (and should not at all)
current password blabla = [mschap] Told to do MS-CHAPv1 with 
NT-Password \n [mschap] MS-CHAP-Response is incorrect.
random string (not in the database) = [mschap] No Cleartext-Password 
configured.  Cannot create LM-Password.  (correct error)


I don't understand how radius can still authenticate with the old password.
An output of the users file and MySQL table is available in my first 
mail. I don't know where the old password can be still stored.




--

If you think experts are expensive,
wait to see what amateurs will cost you
--
Bastien Semene
Network & Systems Administrator

Cyanide Studio - FRANCE



Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alan DeKok
Bastien Semene wrote:
 I express myself very badly, sorry.
 
 The configuration I put in my first mail is the current configuration,
 running, after restart.
 The debug and commands output are from the current - reloaded -
 configuration.
 There's only 1 entry in the radcheck table, and its current password is
 blabla.

  There is nothing magic about the server.  If it authenticates the user
with the wrong password, it's because you didn't update the password.

 I don't understand how radius can still authenticate with the old password.
 An output of the users file and MySQL table is available in my first
 mail. I don't know where the old password can be still stored.

  You probably have two databases.  FreeRADIUS is using one, and you've
updated the other.

  Alan DeKok.


Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Bastien Semene

... that's it.
I was blind while searching for a FreeRADIUS issue.

I'm sorry for the lost time, anyway thank you for the answers.



RE: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Paul Harris
On 02/06/11 14:47, Francois Gaudreault wrote:


 Did you have a chance to look at it?

Ironically I'm having trouble finding a windows XP install CD...


I have a link to a torrent, just send me an email at pau...@mail.com


 


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers

On 03/06/11 13:10, Paul Harris wrote:

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?



Ironically I'm having trouble finding a windows XP install CD...



I have a link to a torrent, just send me a email at pau...@mail.com


Or not.

I'm not downloading a torrent of copyrighted software to fix someone 
else's problem.



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Johan Meiring

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone else's
problem.


As long as you don't get a key, it is legal.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Alan DeKok
Johan Meiring wrote:
 As long as you don't get a key, it is legal.

  No.

  This list is not the place to discuss non-FreeRADIUS software.

  Alan DeKok.


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers

On 03/06/11 15:09, Johan Meiring wrote:

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone
else's
problem.


As long as you dont get a key, it is legal.



This is getting farcical...

Not picking on any one specific person here, but seriously - can anyone 
not contributing to the discussion at the level of the radius protocols 
just move along please?


I will get to it when I get to it, and in a manner of my own choosing. 
If you think you can do it faster, then please - do so. I'll gladly 
defer. Installing a copy of Windows XP and trying to reproduce some 
crappy Novell client issue is very much not top of my TODO list.


Grumbling,
Phil


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Francois Gaudreault

Hi Phil,



What I really want to understand is, whether the check is too strict 
and FreeRADIUS should be fixed, or whether Windows XP is just buggy. 
I will try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.

Aight.  Keep us posted.



Did you have a chance to look at it?

Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Phil Mayers

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?


Ironically I'm having trouble finding a windows XP install CD...


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Fajar A. Nugraha
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 02/06/11 14:47, Francois Gaudreault wrote:


 Did you have a chance to look at it?

 Ironically I'm having trouble finding a windows XP install CD...

This might help:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21eabb90-958f-4b64-b5f1-73d0a413c8ef

Last time I checked, VirtualBox can also use VHD, so it should work even
on Linux/Mac hosts.

-- 
Fajar


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers

On 05/29/2011 03:10 PM, Francois Gaudreault wrote:

Hi Phil,

On 11-05-29 6:16 AM, Phil Mayers wrote:

Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862
doesn't look like a domain name to me. It looks like a machine name.

It is indeed a machine name. This is where we have problems, this does
not happen using Windows 7. I tried to set a Realm for that machine name
without success. The thing I don't understand is why MSCHAP complains
about that. I mean, correct me if I am wrong, mschap:User-Name will
*always* strip that part since it looks like a domain.


Forget about all that. Adding Realm's and fiddling with the packet won't 
help; the check is hard-coded into the mschap module as a fairly obvious 
security measure.


For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:


EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed their 
username.






Is the machine a domain member or not? Is the user logging on locally
or with a domain account? Or is this an artefact of the way Novell works?

The machine is not a member of the domain, and the user logs in through Novell. So
when the user logs in, it sends the username information to RADIUS just
as if a local user logs in.


Ah.

I had assumed the machine was a domain member, because you were talking 
about machine auth (which requires domain membership). I take it there 
are two sets of machines - some in the domain, some not? I assume they 
all have the Novell client installed?







What happens if you take an ordinary machine, without the Novell
client installed, create a local user with the same username/password
as a domain user, then use send username automatically

We tried it, and the machine appears to be sending the machine name
anyway. It will work only if we don't send the credentials automatically.


Usually, people only use send username automatically with machines 
which are in the domain. It's possible this is just a bug in Windows XP, 
and that no-one else has ever tried this, so it's never been seen.



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Francois Gaudreault

Hi Phil,

Forget about all that. Adding Realm's and fiddling with the packet 
won't help; the check is hard-coded into the mschap module as a fairly 
obvious security measure.


For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:


EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.


Is there a way we could work around this hard-coded check since in our 
case, we only have one john?




Ah.

I had assumed the machine was a domain member, because you were 
talking about machine auth (which requires domain membership). I take 
it there are two sets of machines - some in the domain, some not? I 
assume they all have the Novell client installed?
Correct, the machines are not members of an AD domain.  However, they 
have the Novell Client installed, and they are using a kind of AD tree 
in their eDirectory structure.  So machine auth works the same as if it 
was an AD domain.  The users are not member of that special tree.




Usually, people only use send username automatically with machines 
which are in the domain. It's possible this is just a bug in Windows 
XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant 
level.  In windows 7,  the OS is brilliant enough not to send the 
machine name.  However, mainly 80% of his machines are Windows XP.





Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:


There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.


For a legit client, yes. A malicious client can send anything it wants.



Is there a way we could work around this hard-coded check since in our 
case, we only have one john?


Sure; the check is just one line; grep the source code for it and 
comment it out.


What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.
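The two policies Phil weighs above, side by side, as an added example in Python (an illustration written for this page, not rlm_mschap's code and not Phil's). `check_strict` is exact equality, the behaviour the error message in this thread reflects; `check_relaxed` is the variant in his pseudocode, where a bare MS-CHAP name is accepted when it equals the User-Name with its NT-domain prefix stripped (`split_nt_domain` stands in for what the ntdomain realm lookup produces as Stripped-User-Name). The cases are constructed from the thread's own names: STIC08862\TechRMC against TechRMC, and STAFF\john against STUDENT\john.

```python
"""Outer User-Name versus MS-CHAP Name: the strict check and the proposed
relaxed check, side by side.  Added illustration, not rlm_mschap's own code."""
from typing import List, Optional, Tuple


def split_nt_domain(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user).

    A name without a backslash has no domain and yields (None, name).  This is
    the split the ntdomain realm performs when the debug output shows
    '[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\\TechRMC'.
    """
    domain, sep, user = name.partition("\\")
    if not sep:
        return None, name
    return domain, user


def check_strict(user_name: str, mschap_name: str) -> bool:
    """Accept only when the outer User-Name and the MS-CHAP Name are identical."""
    return user_name == mschap_name


def check_relaxed(user_name: str, mschap_name: str) -> bool:
    """The proposed check from the thread:

        if eap.username == mschap.username:                 ok
        elif not mschap.domain:
            if eap.stripped-user-name == mschap.username:   ok
            else:                                           reject
        else:                                               reject
    """
    if user_name == mschap_name:
        return True
    mschap_domain, _ = split_nt_domain(mschap_name)
    if mschap_domain is not None:
        # The response itself names a domain: STAFF\john against STUDENT\john
        # stays rejected, which is the point of the check.
        return False
    _, stripped_user_name = split_nt_domain(user_name)
    return stripped_user_name == mschap_name


# Constructed cases drawn from the thread (sample names, not captured traffic).
CASES: List[Tuple[str, str]] = [
    ("TechRMC", "TechRMC"),             # plain names agree (the Windows 7 case)
    ("STIC08862\\TechRMC", "TechRMC"),  # the XP + Novell case in the debug log
    ("STAFF\\john", "STUDENT\\john"),    # the rewritten-domain case Phil describes
    ("STAFF\\john", "john"),             # what the relaxed check newly admits
]


def evaluate(cases=CASES) -> List[Tuple[str, str, bool, bool]]:
    """Return (user_name, mschap_name, strict_ok, relaxed_ok) for each case."""
    return [(u, m, check_strict(u, m), check_relaxed(u, m)) for u, m in cases]


if __name__ == "__main__":
    for user_name, mschap_name, strict_ok, relaxed_ok in evaluate():
        print(f"{user_name:<20} {mschap_name:<15} "
              f"strict={strict_ok!s:<5} relaxed={relaxed_ok}")
```

Run stand-alone it prints a verdict per case. The fourth case is where the two policies differ: the relaxed check still rejects a response that names a different domain, but it accepts an outer identity carrying a domain prefix the response lacks, so it only holds up where the backend lookup is keyed on that same stripped name.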


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread ironrake
In my shop I see a mix of domain and non-domain machines. Each type will send 
machine or user\localmachine for the user's name depending on the configuration of 
the Windows supplicant. Avoid having users log on to domain machines with local 
user accounts unless you have configured the Windows supplicant away from the 
default. Do the same with non-domain machines.

Here I check for the form \full.windows.domain.name. If this is present, I 
use ntlm-auth. If it is not, I strip off the \host part in the inner tunnel 
and use that as a user in an ldap store which has mschap password hashes. In 
most cases this works for domain machines where users are logging in with local 
accounts or logging in locally with cached user credentials. The rest show up 
at the help desk. I am excited about the mschap patches talked about in recent 
posts.


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Francois Gaudreault

Hi,

On 11-05-30 9:55 AM, Phil Mayers wrote:

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:


There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different Username 
in EAP-Identity and MSChap Username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you 
have two domains; RADIUS would use the Realm to differentiate the two.


For a legit client, yes. A malicious client can send anything it wants.

I completely agree with you on this.





Is there a way we could work around this hard-coded check since in 
our case, we only have one john?


Sure; the check is just one line; grep the source code for it and 
comment it out.


What I really want to understand is, whether the check is too strict 
and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I 
will try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.

Aight.  Keep us posted.




Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Phil Mayers

On 05/28/2011 06:33 PM, Francois Gaudreault wrote:

Sending tunneled request
 EAP-Message =
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43

 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = STIC08862\\TechRMC
 State = 0x510e2245510938eb25e1ac3222e20688


Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862 
doesn't look like a domain name to me. It looks like a machine name.


Is the machine a domain member or not? Is the user logging on locally or 
with a domain account? Or is this an artefact of the way Novell works?


What happens if you take an ordinary machine, without the Novell client 
installed, create a local user with the same username/password as a 
domain user, then use send username automatically


That is - does this work if the Novell client isn't in the picture?


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Francois Gaudreault

Hi Phil,

On 11-05-29 6:16 AM, Phil Mayers wrote:

Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862 
doesn't look like a domain name to me. It looks like a machine name.
It is indeed a machine name.  This is where we have problems, this does 
not happen using Windows 7.  I tried to set a Realm for that machine 
name without success.  The thing I don't understand is why MSCHAP 
complains about that.  I mean, correct me if I am wrong, 
mschap:User-Name will *always* strip that part since it looks like a domain.




Is the machine a domain member or not? Is the user logging on locally 
or with a domain account? Or is this an artefact of the way Novell works?
The machine is not a member of the domain, and the user logs in through Novell.  
So when the user logs in, it sends the username information to RADIUS 
just as if a local user logs in.




What happens if you take an ordinary machine, without the Novell 
client installed, create a local user with the same username/password 
as a domain user, then use send username automatically
We tried it, and the machine appears to be sending the machine name 
anyway.  It will work only if we don't send the credentials automatically.



Thanks!



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Phil Mayers

On 05/27/2011 09:04 PM, Francois Gaudreault wrote:

Hi,

I had a look at this issue with him since he is one of our clients.
Machine authentications are working flawlessly, windows 7 authentication
as well (no hostname is sent with the username).


I honestly lost track of this issue; the guy had spread it over a couple 
of mailing list posts, and the debug output kept getting sent as either 
URLs I couldn't access, or heavily mangled text, so I'm afraid I drifted 
away.


Can you summarise in brief the setup you have, and as per Alan's 
request, send the full debug output of radiusd -X for a failing 
authentication. Please don't trim or edit the output.


By summarise your setup I mean:

 * what clients, and how they're setup
 * what NASes
 * what behaviour you're trying to achieve

I'll repeat something I've had cause to say several times recently:

Either:

 1. The client is sending wrong/mismatching usernames
 2. Something along the way is mangling the usernames
 3. You have configured FreeRADIUS to mangle it

There really aren't any other options.


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Francois Gaudreault

Hi Phil, and Alan,

I will get you the debug output for Windows XP SP3 boxes (likely Monday).

I will summarise what we have.  Basically, this is a setup where the 
client is using eDirectory to authorize the users using the rlm_ldap 
module.  On the windows boxes, it is configured to do PEAP using 
MSCHAPv2.  When we send a host credential (i.e. 
host/mycomputer.domain.tld) it will pass the authorization and during 
the authentication phase, it will use ntlm_auth to ensure that the 
machine is member of the domain.  That part is working fine, the mschap 
module does its job.  For the users, they have windows 7s and windows 
XPs.  Windows 7 appears to be working without problems since the 
username is sent without the computer name as the domain prefix.  The 
problem comes with the windows XP boxes.  If we let windows send the 
credentials automatically (when novell logs in), the LDAP authorization 
will work properly, but the authentication will fail even if the 
Cleartext-Password attribute is set by the LDAP module.  It will throw 
that MS-CHAP error.  We also ensure that everything that comes from 
something that is not matching host/something will use the 
MS-CHAP-NTLM-Auth = No.  The only way to make Windows XP work is to 
disable the automatically send username thing and only send the 
username without the domain name.  However, the user experience will 
definitely be terrible.


The NAS Client is an Avaya Access Point.

Thanks for your feedback guys, it is appreciated.  I will get you the 
debug information and the sites configuration as soon as I can.


Have a nice weekend.



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Francois Gaudreault
-Message = 
0x020700591900170301004eb1f256aa2e900c41ef37f9d0933df166344a6edbc9356301e0fdc15cb87b6cbe03f6b07e54ccfd7fca446c7ce6cca1a742794be48c57b8e2ac735d7b2a2b38fe4483984103fc270b54d6c691b4c2 


State = 0x309c14c6369b0dd14b00d913c56dbe3f
Message-Authenticator = 0x8d693684ec5593182b54ce7c3d5e7d8f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = STIC08862\TechRMC, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\TechRMC
[ntdomain] No such realm STIC08862
++[ntdomain] returns noop
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} - STIC08862\TechRMC
? Evaluating (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 7 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 


server  {
  PEAP: Setting User-Name to STIC08862\TechRMC
Sending tunneled request
EAP-Message = 
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 


FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = STIC08862\\TechRMC
State = 0x510e2245510938eb25e1ac3222e20688
server inner-tunnel {
# Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel

+- entering group authorize {...}
[suffix] No '@' in User-Name = STIC08862\TechRMC, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\TechRMC
[ntdomain] No such realm STIC08862
++[ntdomain] returns noop
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} - STIC08862\TechRMC
? Evaluating (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
[eap] EAP packet type response id 7 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap]  expand: (uid=%{mschap:User-Name}) - (uid=TechRMC)
[ldap]  expand: o=CSPI - o=CSPI
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as 
Cleartext-Password

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/)
? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) - TRUE
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) - TRUE
++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...}
+++[control] returns ok
++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file 
/etc/raddb/sites-enabled/inner-tunnel

[mschapv2] +- entering group MS-CHAP {...}
[mschap] ERROR: User-Name (STIC08862\TechRMC) is not the same as MS-CHAP 
Name (TechRMC) from EAP-MSCHAPv2

++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04070004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04070004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 201 to 10.220.30.5 port 29010
EAP-Message = 
0x010800261900170301001bd9addceecce69a0bbcafd532787f06f03515b539bbb8c598213707 


Message-Authenticator = 0x
State
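Phil's remark earlier in the thread that "the hex above decodes to" TechRMC refers to the tunneled EAP-Message in this debug output: it is an EAP-MSCHAPv2 Response, and its final bytes 54 65 63 68 52 4d 43 are the Name field. The decoder below is an added example written for this page (not FreeRADIUS code) for that packet layout: the EAP header (Code, Identifier, Length, Type 26) followed by the MS-CHAPv2 Response of RFC 2759 section 4 (OpCode, Id, MS-Length, Value-Size 49, Peer-Challenge 16, Reserved 8, NT-Response 24, Flags 1, Name). The prefix of the logged hex, 02 07 00 42 1a 02 07 00 3d 31, matches that reading: Response, id 7, 66 bytes, type 26, value size 49, which also agrees with the "[eap] EAP packet type response id 7 length 66" line. The hex as reproduced in this archive is shorter than the 66 bytes its length field declares, so the block builds its own packet with constructed challenge and response bytes instead of decoding that string.

```python
"""Decode the Name field of an EAP-MSCHAPv2 Response.

Added illustration, not FreeRADIUS code.  Wire layout (RFC 2759 section 4,
carried as EAP type 26):

  EAP:       Code(1) Identifier(1) Length(2) Type(1)=26
  MS-CHAPv2: OpCode(1)=2 MS-CHAPv2-ID(1) MS-Length(2) Value-Size(1)=49
             Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1) Name(*)
"""
import struct
from dataclasses import dataclass

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OP_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49
EAP_HDR = struct.Struct("!BBHB")     # code, identifier, length, type
MSCHAP_HDR = struct.Struct("!BBHB")  # opcode, id, ms-length, value-size


@dataclass
class MsChapV2Response:
    eap_id: int
    peer_challenge: bytes
    nt_response: bytes
    flags: int
    name: str


def parse_eap_mschapv2_response(pkt: bytes) -> MsChapV2Response:
    """Parse and validate; every length field must agree with the bytes present."""
    if len(pkt) < EAP_HDR.size + MSCHAP_HDR.size:
        raise ValueError("too short for EAP and MS-CHAPv2 headers")
    code, eap_id, eap_len, eap_type = EAP_HDR.unpack_from(pkt, 0)
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    if eap_len != len(pkt):
        raise ValueError(f"EAP Length {eap_len} != {len(pkt)} bytes received")
    opcode, _ms_id, ms_len, value_size = MSCHAP_HDR.unpack_from(pkt, EAP_HDR.size)
    if opcode != MSCHAPV2_OP_RESPONSE:
        raise ValueError("MS-CHAPv2 OpCode is not Response")
    if ms_len != eap_len - EAP_HDR.size:
        raise ValueError("MS-Length disagrees with EAP Length")
    if value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError(f"Value-Size {value_size} != {MSCHAPV2_VALUE_SIZE}")
    body = pkt[EAP_HDR.size + MSCHAP_HDR.size:]
    if len(body) < value_size:
        raise ValueError("Response value truncated")
    value, name = body[:value_size], body[value_size:]
    # value[16:24] is the Reserved field (zero on the wire); not needed here.
    return MsChapV2Response(
        eap_id=eap_id,
        peer_challenge=value[:16],
        nt_response=value[24:48],
        flags=value[48],
        name=name.decode("ascii"),
    )


def is_well_formed(pkt: bytes) -> bool:
    """True when the packet parses and all its length fields agree."""
    try:
        parse_eap_mschapv2_response(pkt)
    except ValueError:
        return False
    return True


def build_eap_mschapv2_response(eap_id: int, peer_challenge: bytes,
                                nt_response: bytes, name: str) -> bytes:
    """Encode a Response; used here only to construct sample input."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("Peer-Challenge is 16 bytes, NT-Response is 24")
    value = peer_challenge + bytes(8) + nt_response + b"\x00"  # Flags = 0
    ms_body = value + name.encode("ascii")
    ms_len = MSCHAP_HDR.size + len(ms_body)
    eap_len = EAP_HDR.size + ms_len
    return (EAP_HDR.pack(EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_MSCHAPV2)
            + MSCHAP_HDR.pack(MSCHAPV2_OP_RESPONSE, eap_id, ms_len, MSCHAPV2_VALUE_SIZE)
            + ms_body)


# Constructed sample: id 7 and the name from the thread, with made-up
# challenge/response bytes (not the values from the logged packet).
SAMPLE_PACKET = build_eap_mschapv2_response(
    eap_id=7,
    peer_challenge=bytes(range(0x10, 0x20)),
    nt_response=bytes(range(0x20, 0x38)),
    name="TechRMC",
)


def name_from_packet(pkt: bytes = SAMPLE_PACKET) -> str:
    """The MS-CHAP Name the server compares against the outer User-Name."""
    return parse_eap_mschapv2_response(pkt).name


if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print("MS-CHAP Name:", name_from_packet())
```

Run stand-alone it prints the constructed packet's hex (which begins with the same ten bytes as the logged one) and the decoded name. The comparison that produced the reject in this log is the decoded `TechRMC` against the outer User-Name `STIC08862\TechRMC`; `is_well_formed` separately rejects any packet whose EAP Length, MS-Length and Value-Size do not agree with the bytes actually present, which is what a mangled or shortened EAP-Message would look like.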

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-27 Thread Francois Gaudreault

Hi,

I had a look at this issue with him since he is one of our clients.  Machine 
authentications are working flawlessly, Windows 7 authentication as well (no 
hostname is sent with the username).
The problem is when the HOSTNAME is sent along with the username under Windows 
XP. I tried to set a realm specifically for this HOSTNAME, but we got the same 
error.

   Well... re-writing the names in the inner-tunnel server is breaking
authentication.

We don't.  The sites configuration is very straightforward (almost default), 
no fancy rewrites in the default or the inner-tunnel.

   *Why* are you re-writing them?  What do you expect to do with the
names?  Why isn't there another way to achieve the same goal?

We do not rewrite anything.  LDAP authorization passes properly, but when EAP 
authentication kicks in, we have this MS-CHAP error.
We are using mschap:user-name in the LDAP filter and in the ntlm_auth line.  
Again, we are *NOT* rewriting the User-Name.

We need other ideas here.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-27 Thread Alan DeKok
Francois Gaudreault wrote:
 We are using mschap:user-name in the LDAP filter and in the ntlm_auth
 line.  Again, we are *NOT* rewriting the User-Name.
 
 We need other ideas here.

  Post the debug output.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


freeradius:/etc # diff -qr  raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and
raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and
raddefault/sites-enabled/inner-tunnel differ


-

freeradius:/etc # diff  raddb/clients.conf raddefault/clients.conf
206,209d205
 client 10.0.0.0/8 {
secret  = testing123
shortname   = net1
 }
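Review bot: the added block `client 10.0.0.0/8 {` with `secret = testing123` reuses the example secret shipped in the stock clients.conf, and applies it to a whole /8; any host in that range that knows the well-known value can submit requests to this server, and since RADIUS protects the MS-MPPE keys in Access-Accept with nothing but this shared secret, it can also recover session keys for the PEAP clients the server serves. Replace it with a long random secret and narrow the client block to the NAS that actually sends requests (the debug shows 10.220.30.5).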




freeradius:/etc # diff raddb/modules/attr_rewrite
raddefault/modules/attr_rewrite
32,65d31

 attr_rewrite copy.user-name {
 attribute = Stripped-User-Name
 new_attribute = yes
 searchfor = 
 searchin = packet
 replacewith = %{User-Name}
 }

 attr_rewrite remove-domain-name {
 attribute = Stripped-User-Name
 searchfor = (\.test\.local)
 searchin = packet
 new_attribute = no
 replacewith = 
 }

 attr_rewrite add-dollar-sign {
 attribute = Stripped-User-Name
 searchfor = ^(host/.*)
 searchin = packet
 new_attribute = no
 replacewith = %{1}$
 }

 attr_rewrite strip-realm-name {
 attribute = Stripped-User-Name
 new_attribute = no
 searchin = packet
 searchfor = ^(.*[\\/]+)
 replacewith = 
 max_matches = 1
 }
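Review bot: ordering and greediness in this hunk: `strip-realm-name` uses `searchfor = ^(.*[\\/]+)`, whose greedy `.*` removes everything up to the last `\` or `/`, so after `add-dollar-sign` has produced `host/CAD08862$` a machine account is reduced to `CAD08862$` as well, which may or may not be what the ldap filter expects. Also, `remove-domain-name` strips `(\.test\.local)` here, while the running server (the `[remove-domain-name] expand: (.nw2.test.local)` line in the debug) and the later post use `(\.nw2\.test\.local)`, so the posted diff is not quite the deployed configuration.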



--

freeradius:/etc # diff  raddb/modules/ldap  raddefault/modules/ldap
33,36c33,36
   server = 10.220.7.7
   identity = cn=tics,o=test
   password = ldappass
   basedn = o=test
---
   server = ldap.your.domain
   #identity = cn=admin,o=My Org,c=UA
   #password = mypass
   basedn = o=My Org,c=UA
77,79c77,78
   #start_tls = no
   start_tls = yes
   port=636
---
   start_tls = no

118c117
   password_attribute = nspmPassword
---

124c123
   edir_account_policy_check = yes
---
   edir_account_policy_check = no
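Review bot: `start_tls = yes` together with `port=636` is contradictory: StartTLS upgrades a plain connection on the LDAP port (389), whereas 636 is the LDAPS port that expects TLS from the first byte, so pick one (389 with start_tls = yes, or 636 with start_tls = no). This hunk also publishes the bind password (`password = ldappass`) on a public list, and the debug later in the thread prints a user's eDirectory password (`1234567`) in clear; both should be rotated. Note that `password_attribute = nspmPassword` is what lets the server pull every user's cleartext password out of eDirectory (the `Added the eDirectory password ... as Cleartext-Password` lines), so the `cn=tics,o=test` identity is a credential that deserves matching protection.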


--

freeradius:/etc # diff raddb/modules/mschap  raddefault/modules/mschap
37c37
   with_ntdomain_hack = yes
---

65,66c65
   #ntlm_auth = /path/to/nitlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
---
   #ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
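Review bot: the commented-out line carries the typo `/path/to/nitlm_auth`, harmless as a comment but a trap when it is uncommented later. The active line's `--domain=%{%{mschap:NT-Domain}:-NW2}` hands the part before the backslash to ntlm_auth as the domain, so for `CAD08862\ldapuser` the computer name CAD08862 would be passed as a domain; that only stays harmless because the inner-tunnel `MS-CHAP-Use-NTLM-Auth := no` block keeps non-host users away from ntlm_auth. Also, `with_ntdomain_hack = yes` was already set when the error was reproduced (the grep later in the thread shows it), so this setting does not address the EAP-MSCHAPv2 name comparison that produces the reject.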




 
freeradius:/etc # diff raddb/sites-available/inner-tunnel
raddefault/sites-available/inner-tunnel
48,52d47
   if (User-Name !~ /^host\//) {
 update control {
 MS-CHAP-Use-NTLM-Auth := no
 }
 }
97,101c92
   copy.user-name
   remove-domain-name
   add-dollar-sign
   strip-realm-name
   ntdomain
---
 # ntdomain
151c142
   ldap
---
 # ldap
239,241c230,232
   Auth-Type LDAP {
   ldap
   }
---
 # Auth-Type LDAP {
 # ldap
 # }
299c290
   ldap
---
 # ldap
311d301
   ldap
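Review bot: in the authorize list the four attr_rewrite modules run before `ntdomain`, and the debug shows `ntdomain` returning noop because no realm CAD08862 exists, so the rewrites rather than the realm logic are producing Stripped-User-Name. Once CAD08862 is defined as a local realm in proxy.conf, as suggested later in the thread, `ntdomain` sets Stripped-User-Name itself and `copy.user-name`, `remove-domain-name`, `add-dollar-sign` and `strip-realm-name` can be dropped. The `if (User-Name !~ /^host\//)` block sits before `ntdomain`, which is right, since it must see the unstripped name.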




Robert Mc Cready wrote:
 I do not rewrite the User-name attribute I rewrite only the
 Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The inner-tunnel virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Phil Mayers

On 05/10/2011 03:35 PM, Robert Mc Cready wrote:

If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


I presume there's a debug at this URL, but I have no reachability to it 
from where I am (tried from a couple of different source networks):


17  Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54)  90.786 ms 
90.770 ms  90.740 ms
18  Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10)  90.800 ms 
90.918 ms  91.056 ms
19  tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165)  91.241 ms  90.598 
ms  90.634 ms
20  tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198)  79.405 ms 
79.282 ms  79.230 ms

21  * * *
22  * * *
23  * * *

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Alan DeKok
Robert Mc Cready wrote:
 If the User-Name is being rewritten it is not intentional.

  Well... it's obviously something you've changed, because it doesn't
happen in the default configuration.

 Now, I reinstalled from scratch, saved the default configuration, joined the
 server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
 inner-tunnel and ran diff. I can see in the debug output of the server that
 User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

  You're stripping the domain.  Why?  It's just not necessary.  The way
you're doing it is wrong, and is breaking the server.

  Instead, set up CAD08862 as a LOCAL realm.  See proxy.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
The host names are not domain names, they are computer account names, and we
have hundreds of them. We only use the MS domain to authenticate the
computer accounts, not the users.


-Original Message-
From:
freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org
[mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius
.org] On behalf of Alan DeKok
Sent: 10 May 2011 10:49
To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name

Robert Mc Cready wrote:
 If the User-Name is being rewritten it is not intentional.

  Well... it's obviously something you've changed, because it doesn't
happen in the default configuration.

 Now, I reinstalled from scratch, saved the default configuration, joined the
 server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
 inner-tunnel and ran diff. I can see in the debug output of the server that
 User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

  You're stripping the domain.  Why?  It's just not necessary.  The way
you're doing it is wrong, and is breaking the server.

  Instead, set up CAD08862 as a LOCAL realm.  See proxy.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

__ Information from ESET NOD32 Antivirus, virus signature database
version 6110 (20110510) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready

EAP-Message = 0x021300591900170301004ebc0a4c73422ad0f2958deff363d6 ...
State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f
Message-Authenticator = 0x7db4139bac8a822e9a923f4758080856

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 19 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ...
server {
PEAP: Setting User-Name to CAD08862\ldapuser
Sending tunneled request
EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = CAD08862\\ldapuser
State = 0xb1d14868b1c252824a02ce38607236ef
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++? if (User-Name !~ /^host\//)
? Evaluating (User-Name !~ /^host\//) - TRUE
++? if (User-Name !~ /^host\//) - TRUE
++- entering if (User-Name !~ /^host\//) {...}
+++[control] returns notfound
++- if (User-Name !~ /^host\//) returns notfound
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[copy.user-name] expand: %{User-Name} - CAD08862\ldapuser
copy.user-name: Added attribute Stripped-User-Name with value
'CAD08862\ldapuser'
++[copy.user-name] returns ok
[remove-domain-name] expand: (.nw2.test.local) - (.nw2.test.local)
remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser
++[remove-domain-name] returns ok
[add-dollar-sign] expand: ^(host/.*) - ^(host/.*)
add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser
++[add-dollar-sign] returns ok
[strip-realm-name] expand: ^(.*[\/]+) - ^(.*[\/]+)
strip-realm-name: Changed value for attribute Stripped-User-Name from
'CAD08862\ldapuser' to 'ldapuser'
++[strip-realm-name] returns ok
[ntdomain] Looking up realm CAD08862 for User-Name = CAD08862\ldapuser
[ntdomain] No such realm CAD08862
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 19 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for CAD08862\ldapuser
[ldap] expand: %{Stripped-User-Name} - ldapuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=ldapuser)
[ldap] expand: o=test - o=test
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=test, with filter (uid=ldapuser)
[ldap] Added the eDirectory password 1234567 in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user CAD08862\ldapuser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop

[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}

[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04130004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04130004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 179 to 10.220.30.5 port 29002
EAP-Message = 0x011400261900170301001b042d951bea675042a05ce3fed5c1 ...
Message-Authenticator = 0x
State = 0xa5fe4130adea583a08d7b8b3e893ab3f
Finished request 237.
Going to the next request
Waking up in 4.8

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Alan DeKok
Robert Mc Cready wrote:
 The host names are not domain names, they are computer account names, and we
 have hundreds of them. We only use the MS domain to authenticate the
 computer accounts, not the users.

  Well... re-writing the names in the inner-tunnel server is breaking
authentication.

  *Why* are you re-writing them?  What do you expect to do with the
names?  Why isn't there another way to achieve the same goal?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Robert Mc Cready
I do not rewrite the User-name attribute I rewrite only the
Stripped-User-Name attribute with these:

attr_rewrite copy.user-name {
attribute = Stripped-User-Name
new_attribute = yes
searchfor = 
searchin = packet
replacewith = %{User-Name}
}

attr_rewrite remove-domain-name {
attribute = Stripped-User-Name
searchfor = (\.nw2\.test\.local)
searchin = packet
new_attribute = no
replacewith = 
}

attr_rewrite add-dollar-sign {
attribute = Stripped-User-Name
searchfor = ^(host/.*)
searchin = packet
new_attribute = no
replacewith = %{1}$
}

attr_rewrite strip-realm-name {
attribute = Stripped-User-Name
new_attribute = no
searchin = packet
searchfor = ^(.*[\\/]+)
replacewith = 
max_matches = 1
}


This is where I use Stripped-User-Name:

freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/ldap:   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})


The User-Name attribute is untouched.

[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name, it's a
computer account name.


I tried with_ntdomain_hack, no luck.

freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
modules/preprocess: with_ntdomain_hack = no
modules/mschap: with_ntdomain_hack = yes


Windows XP debug:  http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm




On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
 The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one
 problem with Windows XP clients, I get a  [mschap] ERROR: User-Name
 (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
 EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
 Windows 7 clients work fine because they send only the username. I do
 some rewrites so I can get the username for the LDAP authentication and
 the computers name for computer account authentication (I'm not familiar
 with unlang yet). We use FR 2.1.10.

 Any idea how to fix this ?


You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:

  if (User-Name =~ /^(.+)\\(.+)/) {
update request {
  Stripped-User-Name := %{2}
}
  }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:

  %{mschap:User-Name}

...including your LDAP filters. This will just work
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Alan DeKok
Robert Mc Cready wrote:
 I do not rewrite the User-name attribute I rewrite only the
 Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The inner-tunnel virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = CAD08862\\ldapuser

  You then RE-WRITE the User-Name.

  Don't do that.

  As you were told, re-writing the User-Name for EAP is wrong.  Don't do it.

 The User-Name attribute is untouch.

  You can believe what you *think* happens.  Or you can believe the
debug output of the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-08 Thread Phil Mayers

On 05/07/2011 07:50 PM, Robert Mc Cready wrote:

The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one
problem with Windows XP clients, I get a  [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do
some rewrites so I can get the username for the LDAP authentication and
the computers name for computer account authentication (I'm not familiar
with unlang yet). We use FR 2.1.10.

Any idea how to fix this ?



You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:


 if (User-Name =~ /^(.+)\\(.+)/) {
   update request {
 Stripped-User-Name := %{2}
   }
 }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:


 %{mschap:User-Name}

...including your LDAP filters. This will just work
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
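As an added example (not code from FreeRADIUS or from anyone in this thread), the following Python builds and parses an EAP-MSCHAPv2 Response packet the way the inner tunnel sees it, and applies the User-Name versus MS-CHAP Name comparison that produces the reject quoted throughout the thread: once as-is, and once after taking only the part after the backslash, which is what Phil's `/^(.+)\\(.+)/` snippet copies into Stripped-User-Name. The packet bytes are constructed (dummy Peer-Challenge and NT-Response); the header bytes it produces for a 7-character name match the `0x020800421a0208003d31...` prefix shown in the debug output, so the layout can be checked against the page.

```python
"""Parse an EAP-MSCHAPv2 Response and run the User-Name vs. MS-CHAP Name check.

Added example for this thread, not FreeRADIUS code. Layout: EAP header, Type 26,
OpCode 2, MS-CHAPv2-ID, MS-Length, Value-Size 49, 49-byte Response, Name.
All packets below are constructed.
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OP_RESPONSE = 2
# Peer-Challenge(16) + Reserved(8) + NT-Response(24) + Flags(1)
MSCHAPV2_VALUE_SIZE = 49


def build_eap_mschapv2_response(eap_id, ms_id, peer_challenge, nt_response, name):
    """Build a Response packet like the 0x02..1a02..3d31.. messages in the debug."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("peer challenge must be 16 bytes, NT-Response 24 bytes")
    value = peer_challenge + bytes(8) + nt_response + b"\x00"
    ms_len = 4 + 1 + len(value) + len(name)          # MS-Length = EAP Length - 5
    body = struct.pack("!BBHB", MSCHAPV2_OP_RESPONSE, ms_id, ms_len, len(value))
    body += value + name.encode("ascii")
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + ms_len, EAP_TYPE_MSCHAPV2) + body


def parse_eap_mschapv2_response(pkt):
    """Return the fields the name check needs: ids, the 49-byte value and the Name."""
    if len(pkt) < 10:
        raise ValueError("packet too short")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or length != len(pkt) or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    if opcode != MSCHAPV2_OP_RESPONSE or ms_len != length - 5:
        raise ValueError("bad MS-CHAPv2 header")
    if value_size != MSCHAPV2_VALUE_SIZE or len(pkt) < 10 + value_size:
        raise ValueError("bad Value-Size")
    value = pkt[10:10 + value_size]
    name = pkt[10 + value_size:].decode("ascii")     # the "MS-CHAP Name" in the error
    return {
        "eap_id": eap_id, "ms_id": ms_id,
        "peer_challenge": value[:16], "nt_response": value[24:48], "flags": value[48],
        "name": name,
    }


def names_match(user_name, mschap_name, ntdomain_hack=False):
    r"""The comparison behind 'User-Name (X) is not the same as MS-CHAP Name (Y)'.

    With ntdomain_hack only the part after the last backslash of User-Name is
    compared, i.e. the %{2} that Phil's /^(.+)\\(.+)/ unlang snippet extracts.
    """
    if ntdomain_hack and "\\" in user_name:
        user_name = user_name.rsplit("\\", 1)[1]
    return user_name == mschap_name


def check_request(user_name, pkt, ntdomain_hack=False):
    """Apply the check to a tunneled request: returns (ok, user_name, mschap_name)."""
    mschap_name = parse_eap_mschapv2_response(pkt)["name"]
    return names_match(user_name, mschap_name, ntdomain_hack), user_name, mschap_name


# Constructed sample: dummy challenge/response bytes, the inner name from the thread.
PEER_CHALLENGE = bytes(range(16))
NT_RESPONSE = bytes(range(24))
XP_PACKET = build_eap_mschapv2_response(0x13, 0x13, PEER_CHALLENGE, NT_RESPONSE, "ldapuser")

if __name__ == "__main__":
    # Windows 7 sends only the user name in the outer identity: passes.
    print(check_request("ldapuser", XP_PACKET))
    # Windows XP sends HOST\user outside but only user inside: fails without the hack.
    print(check_request("CAD08862\\ldapuser", XP_PACKET))
    print(check_request("CAD08862\\ldapuser", XP_PACKET, ntdomain_hack=True))
```

The two failing and passing cases are exactly the XP versus Windows 7 behaviour Robert describes: the inner EAP-MSCHAPv2 Name never carries the `HOST\` prefix, so whatever User-Name the outer identity (or a rewrite) supplies must be reduced to the bare user name before the comparison, or the comparison must be told to ignore the prefix.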


Error: User-Name is not the same as MS-CHAP name

2011-05-07 Thread Robert Mc Cready
The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one problem
with Windows XP clients, I get a  [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do some
rewrites so I can get the username for the LDAP authentication and the
computer name for computer account authentication (I'm not familiar with
unlang yet).  We use FR 2.1.10.

 

Any idea how to fix this ?

Windows XP debug:  http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm


On 05/05/11 15:17, Robert Mc Cready wrote:

 We use Novell eDirectory and DSFW (Directory Services for Windows)
 which is kind of a Windows domain inside an OU in eDirectory. I want
 to authenticate users using LDAP and Windows computer accounts using
 ntlm_auth. There are only computer accounts in the Windows domain.

 The computer authentication is working fine but the user
 authentication with LDAP fails if ntlm_auth is configured. If I don't
 use ntlm_auth the user authentication works. Is there a way to have
 both of them working together?

Yes. Something like this:

authorize {
   ...
   if (User-Name !~ /^host\//) {
 update control {
   MS-CHAP-Use-NTLM-Auth := no
 }
   }
   ...
}

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


We use Novell eDirectory and DSFW (Directory Services for Windows) which is
kind of a Windows domain inside an OU in eDirectory. I want to authenticate
users using LDAP and Windows computer accounts using  ntlm_auth. There are
only computer accounts in the Windows domain.

The computer authentication is working fine but the user authentication
with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the
user authentication works. Is there a way to have both of them working
together?

We use PEAP.

Working user authentication with LDAP debug (ntlm_auth not configured):
http://www.cspi.qc.ca/sinfrmc/ldap_only.htm

Working Windows computer account authentication:
http://www.cspi.qc.ca/sinfrmc/mschap_only.htm

User account getting rejected debug (with ntlm_auth configured):
http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm

Thanks,

Robert.

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-07 Thread Daniel Deptuła

On 2011-05-07 20:50, Robert Mc Cready wrote:


The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one 
problem with Windows XP clients, I get a  [mschap] ERROR: User-Name 
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from 
EAP-MSCHAPv2. Users log on locally, the host name is not a domain 
name. Windows 7 clients work fine because they send only the username. 
I do some rewrites so I can get the username for the LDAP 
authentication and the computers name for computer account 
authentication (I'm not familiar with unlang yet).  We use FR 2.1.10.


Any idea how to fix this ?



Try to uncomment the ntdomain line in the authorize section of site 
configuration. This will split the realm (computer name) and login. 
Maybe you'll also need to set the with_ntdomain_hack = yes in mschap 
module configuration.


Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAP-V2 with no retry

2011-04-27 Thread Alan DeKok
john.hayw...@wheaton.edu wrote:
 From your perspective which approach to getting retry enabled working do 
 you recommend for 2.1.11 so we can be testing the same version:
 
 o my tweaks of Phil's single challenge patch
 o Phil's challenge and password change patches
 o a simpler two patch solution which does not do passwords - the
 challenge patch and a rearrangement patch which detects responses to
 retry challenges?

  I'd like the changes to be split logically.

(1) changes to allow retry for EAP-MSCHAPv2
(2) MS-CHAP password changes.

  Failing that, I'd prefer to test Phil's changes as-is.  They seem to
do everything you need, and they're a known quantity.

 Is there any thing I can do to help get this accomplished?

  More testing. :(

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-26 Thread Alan DeKok
john.hayw...@wheaton.edu wrote:
 Just a brief update.
 
 In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as
 expected with this retry patch - user is presented with a password
 dialog box and the connection is not aborted - user only needs to enter
 the correct password to be connected and no contact your network
 administrator or other messages occur.
 
 Our support people are thrilled.

  If it's that useful, it should go into 2.1.11.

  I'd prefer to have everyone possible test this, so that we're sure it
doesn't break anything.

  Remember: FreeRADIUS depends on all of you for its success.  The more
you give, the better it gets.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-26 Thread John . Hayward

Hi Alan,

I just wanted to make sure you know what we are currently running -

we started with 2.1.x after patches were put in place related to 
retry/no-retry - this version works properly for no-retry but does not 
operate correctly with retry allowed.


We next applied the patch from Phil which corrected the challenge - this 
by itself still did not work properly with retry.


We next tweaked that patch to send a request rather than failure if retry 
was being allowed and this worked as it should have.


Phil indicated that he had reworked the mschap module to deal with 
password changes and as part of that change resulted in the correct 
behavior if his original patch to fix the challenge was left unmodified.
I personally think his approach is better but more complex because it also 
has code related to password change (a feature we would not use).


I think it would be highly desirable to get a version of the patch which 
works correctly with retry enabled since it significantly reduces support 
calls in environments which have required password changes.


From your perspective which approach to getting retry enabled working do 

you recommend for 2.1.11 so we can be testing the same version:

o my tweaks of Phil's single challenge patch
o Phil's challenge and password change patches
o a simpler two patch solution which does not do passwords - the challenge 
patch and a rearrangement patch which detects responses to retry 
challenges?


Is there any thing I can do to help get this accomplished?
johnh...

On Tue, 26 Apr 2011, Alan DeKok wrote:


Date: Tue, 26 Apr 2011 07:57:09
From: Alan DeKok al...@deployingradius.com
Reply-To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

john.hayw...@wheaton.edu wrote:

Just a brief update.

In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as
expected with this retry patch - user is presented with a password
dialog box and the connection is not aborted - user only needs to enter
the correct password to be connected and no contact your network
administrator or other messages occur.

Our support people are thrilled.


 If it's that useful, it should go into 2.1.11.

 I'd prefer to have everyone possible test this, so that we're sure it
doesn't break anything.

 Remember: FreeRADIUS depends on all of you for its success.  The more
you give, the better it gets.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Alan DeKok
john.hayw...@wheaton.edu wrote:
 I like your changes better.  It allows to in the future add a retry max
 so each failure could be counted and send a R=0 after a certain number
 of failures.

  The EAP module already does *some* checking of this.  If there are
more than ~40 or so round trips, it discards the session.

  However, it may be useful to limit the retries here to no more than 2.

 Do we know if the password change (and adjustments to retry which make
 it work) will be included in 2.1.11?

  If enough people test it and say it works.

  2.1.11 is a stable release, so breaking things is very, very, bad.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Phil Mayers

On 04/22/2011 09:56 AM, Alan DeKok wrote:


   If enough people test it and say it works.

   2.1.11 is a stable release, so breaking things is very, very, bad.


Agreed. It's an extensive change, and needs extensive testing.

Personally I'd be inclined to say don't delay 2.1.11.

I hope to be able to roll this out at our site in May, which will get a 
few tens of thousands of clients through it.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Alan Buxey
Hi,

  Do we know if the password change (and adjustments to retry which make
  it work) will be included in 2.1.11?
 
   If enough people test it and say it works.

do we have a direct single known patch now for application to a 2.1.10
source?  (theres been a lot of subtle updates flying around)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Phil Mayers

On 04/22/2011 11:22 AM, Alan Buxey wrote:

Hi,


Do we know if the password change (and adjustments to retry which make
it work) will be included in 2.1.11?


   If enough people test it and say it works.


do we have a direct single known patch now for application to a 2.1.10
source?  (theres been a lot of subtle updates flying around)


The patch I wrote is against the v2.1.x development branch (i.e. against 
2.1.11-pre, really) and comes in the form of 5 separate commits (an 
attempt at making it easy to review ;o)


So no - not a single source patch to 2.1.10. It would be a bit tricky to 
generate without pulling in lots of the unrelated stuff that's going 
into 2.1.11, and I'm on holiday at the moment so would like to skip 
generating one!


https://github.com/philmayers/freeradius-server/tarball/v2.1.x-mschap-changepass

...might give you the full source; it's not a feature of github I've 
used before.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-21 Thread Alan DeKok
Phil Mayers wrote:
 rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't
 be terribly hard to write one - the module is fairly stateless. It's
 probably best to just restart the server though.

  I think it's safe just to mark the module HUP-safe.  It wasn't marked
that way before because it had code to read a smbpasswd file.  That
has since been removed.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-21 Thread John . Hayward


Thanks again for your work on this facility.

I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I 
could get the retry to work properly on a windows7 machine.


The problem is that when we do a retry, in addition to setting the challenge 
value we also need to change data->code to challenge rather than 
failure.  When the response comes back we can correctly deal with it.


 original patch -- with suggested changes  
678 -pairmove2(response, handler-request-reply-vps,
679 -PW_MSCHAP_ERROR);
678 +pairmove2(response, handler-request-reply-vps,
679 +PW_MSCHAP_ERROR);
 add failure code by default
 data-code = PW_EAP_MSCHAPV2_FAILURE;

680 +if (response) {
681 +  int n,err,retry;
682 +  char buf[34];
683 + 
684 +  DEBUG2(  MSCHAP-Error: %s, response-vp_strvalue);

685 +
686 +  /*
687 +   * parse the new challenge out of the MS-CHAP-Error, so if the client
688 +   * issues a re-try, we'll know the challenge value they used
689 +   */
690 +  n = sscanf(response-vp_strvalue, %*cE=%d R=%d C=%32s, err, retry, 
buf);
691 +  if (n==3) {
692 +DEBUG2(  Found new challenge from MS-CHAP-Error: err=%d retry=%d 
challenge=%s, err, retry, buf);
693 +fr_hex2bin(buf, data-challenge, 16);
 Set code to challenge if we find a challenge
 data-code = PW_EAP_MSCHAPV2_CHALLENGE;

694 +  } else {
695 +DEBUG2(  Could not parse new challenge from MS-CHAP-Error: %d, 
n);
696 +  }
697 +}
680
 remove this code since set above
698 data-code = PW_EAP_MSCHAPV2_FAILURE;

   END OF original patch ===
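
Review bot: the `n==3` check only confirms that three fields were scanned, not that the `C=` token is 32 hex digits, and the return value of `fr_hex2bin(buf, data-challenge, 16)` is ignored; a shorter or non-hex token would be decoded into only part of the buffer and leave the rest of `data->challenge` holding the previous challenge, so the next Response could never verify. Check `strlen(buf) == 32` (and that `fr_hex2bin` converted all 16 bytes) before accepting the parse, and leave `data->code` at `PW_EAP_MSCHAPV2_FAILURE` when it fails. Setting `data->code = PW_EAP_MSCHAPV2_CHALLENGE` while a Failure is what actually goes on the wire also makes the stored state misdescribe what was sent; if the aim is to accept a Response after a Failure, widening the opcode check in the Response branch says that directly.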

johnh...


Re: MS-CHAP-V2 with no retry

2011-04-21 Thread John . Hayward

Just a brief update.

In addition to Windows 7, behavior on Windows XP, Macs and iPhones is as 
expected with this retry patch - the user is presented with a password 
dialog box and the connection is not aborted - the user only needs to enter 
the correct password to be connected, and no "contact your network 
administrator" or other messages occur.


Our support people are thrilled.

johnh...


 On Thu, 21 Apr 2011, john.hayw...@wheaton.edu wrote:


Date: Thu, 21 Apr 2011 10:03:30
From: john.hayw...@wheaton.edu
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: MS-CHAP-V2 with no retry


Thanks again for your work on this facility.

I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I could 
get the retry to work properly on a windows7 machine.


The problem is that when we do a retry, in addition to setting the challenge 
value we also need to change data->code to challenge rather than failure. 
When the response comes back we can correctly deal with it.


 original patch -- with suggested changes  
678 -pairmove2(response, handler-request-reply-vps,
679 -PW_MSCHAP_ERROR);
678 +pairmove2(response, handler-request-reply-vps,
679 +PW_MSCHAP_ERROR);
 add failure code by default
 data-code = PW_EAP_MSCHAPV2_FAILURE;

680 +if (response) {
681 +  int n,err,retry;
682 +  char buf[34];
683 + 684 +  DEBUG2(  MSCHAP-Error: %s, response-vp_strvalue);
685 +
686 +  /*
687 +   * parse the new challenge out of the MS-CHAP-Error, so if the 
client

688 +   * issues a re-try, we'll know the challenge value they used
689 +   */
690 +  n = sscanf(response-vp_strvalue, %*cE=%d R=%d C=%32s, err, 
retry, buf);

691 +  if (n==3) {
692 +DEBUG2(  Found new challenge from MS-CHAP-Error: err=%d 
retry=%d challenge=%s, err, retry, buf);

693 +fr_hex2bin(buf, data-challenge, 16);
 Set code to challenge if we find a challenge
 data-code = PW_EAP_MSCHAPV2_CHALLENGE;

694 +  } else {
695 +DEBUG2(  Could not parse new challenge from MS-CHAP-Error: %d, 
n);

696 +  }
697 +}
680
 remove this code since set above
698 data-code = PW_EAP_MSCHAPV2_FAILURE;

   END OF original patch ===

johnh...





Re: MS-CHAP-V2 with no retry

2011-04-21 Thread Phil Mayers

On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote:


Thanks again for your work on this facility.

I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I
could get the retry to work properly on a windows7 machine.

The problem is that when we do a retry, in addition to setting the
challenge value we also need to change data->code to challenge
rather than failure. When the response comes back we can correctly deal
with it.


Hmm. I don't see that behaviour. That is probably due to the later 
changes I made in the EAP-MSCHAPv2 state machine, here:


https://github.com/philmayers/freeradius-server/commit/8e3eece6e3c397f3a4b0c06a37a80bc8964997fd

Specifically, the old code compares client current opcode against server 
last opcode; the patch I wrote above does a switch over server last 
opcode, then permits one or more valid client opcodes. Response is 
specifically permitted after failure, as is change-password (opcode 7).




 original patch -- with suggested changes  
678 - pairmove2(response, handler-request-reply-vps,


This patch is a bit magic for my tastes. The only reason it works is 
because eapmschapv2_compose completely ignores data->code - it chooses 
the EAP-MSCHAPv2 opcode based on the 2nd VALUE_PAIR* argument.


So essentially you're setting data->code to trick the state machine in 
mschapv2_authenticate, but to someone unfamiliar with the code it would 
read like you're sending a challenge back, which you're not - you're 
sending a failure back.


An alternative approach would be:

--- rlm_eap_mschapv2.c~ 2010-10-13 13:34:16.0 +0100
+++ rlm_eap_mschapv2.c  2011-04-21 18:08:19.0 +0100
@@ -424,10 +424,6 @@
 *  a challenge.
 */
case PW_EAP_MSCHAPV2_RESPONSE:
-   if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) {
-   radlog(L_ERR, rlm_eap_mschapv2: Unexpected response 
received);
-   return 0;
-   }

/*
 *  Ensure that we have at least enough data
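
Review bot: dropping the `data-code != PW_EAP_MSCHAPV2_CHALLENGE` check altogether makes a Response acceptable after any server opcode, including Success or a state where no challenge has been issued yet, rather than only after the Failure-with-retry case this is meant to allow; the narrower form described below, rejecting unless `data->code` is `PW_EAP_MSCHAPV2_CHALLENGE` or `PW_EAP_MSCHAPV2_FAILURE`, keeps the out-of-order rejection and the `radlog(L_ERR, ...)` diagnostic that this hunk also removes. Whichever form is kept, a Response that follows a Failure must be verified against the challenge from the MS-CHAP-Error (`C=`), so `data->challenge` has to have been updated when the Failure was composed, as the other commit in this thread does.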

i.e. remove the check for client opcode 'response' only valid if we 
sent a 'challenge'. Or of course, widen the check to:


 challenge
 or
 failure

Anyway, they're more or less equivalent. A matter of taste I guess.


Re: MS-CHAP-V2 with no retry

2011-04-21 Thread John . Hayward
I like your changes better.  It allows adding a retry max in the future so 
each failure could be counted and an R=0 sent after a certain number of 
failures.


I had briefly looked at the other area and decided it would take more 
changes to work with a response from a failure code than to adjust it 
when sending the failure with a challenge.


Do we know if the password change (and adjustments to retry which make it 
work) will be included in 2.1.11?


johnh...

On Thu, 21 Apr 2011, Phil Mayers wrote:


Date: Thu, 21 Apr 2011 12:17:55
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote:


Thanks again for your work on this facility.

I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I
could get the retry to work properly on a windows7 machine.

The problem is that when we do a retry, in addition to setting the
challenge value we also need to change data->code to challenge
rather than failure. When the response comes back we can correctly deal
with it.


Hmm. I don't see that behaviour. That is probably due to the later changes I 
made in the EAP-MSCHAPv2 state machine, here:


https://github.com/philmayers/freeradius-server/commit/8e3eece6e3c397f3a4b0c06a37a80bc8964997fd

Specifically, the old code compares client current opcode against server last 
opcode; the patch I wrote above does a switch over server last opcode, then 
permits one or more valid client opcodes. Response is specifically permitted 
after failure, as is change-password (opcode 7).




 original patch -- with suggested changes  
678 - pairmove2(response, handler-request-reply-vps,


This patch is a bit magic for my tastes. The only reason it works is 
because eapmschapv2_compose completely ignores data->code - it chooses the 
EAP-MSCHAPv2 opcode based on the 2nd VALUE_PAIR* argument.


So essentially you're setting data->code to trick the state machine in 
mschapv2_authenticate, but to someone unfamiliar with the code it would read 
like you're sending a challenge back, which you're not - you're sending a 
failure back.


An alternative approach would be:

--- rlm_eap_mschapv2.c~ 2010-10-13 13:34:16.0 +0100
+++ rlm_eap_mschapv2.c  2011-04-21 18:08:19.0 +0100
@@ -424,10 +424,6 @@
 *  a challenge.
 */
case PW_EAP_MSCHAPV2_RESPONSE:
-   if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) {
-			radlog(L_ERR, rlm_eap_mschapv2: Unexpected response 
received);

-   return 0;
-   }

/*
 *  Ensure that we have at least enough data

i.e. remove the check for client opcode 'response' only valid if we sent a 
'challenge'. Or of course, widen the check to:


challenge
or
failure

Anyway, they're more or less equivalent. A matter of taste I guess.





Re: MS-CHAP-V2 with no retry

2011-04-20 Thread John . Hayward
I have been able to do some testing with the adjustments for MS-CHAP-V2 
related to error and retries.


There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the 
configuration files but for some reason does not re-read the mschap module 
- so changing this module while testing seemed to require a restart on the 
server.  Is that the expected behavior?


2) If retry=yes then on Windows 7, on failure a notification is given; if 
they click, they are presented with a message indicating their username or 
password is incorrect and given an opportunity to re-enter only a 
password.  If they enter the correct password the authentication fails and 
they have to re-connect to get a dialogue box where they can enter both 
the username and password.  I have not traced down to determine why the 
client thinks there is a failure (e.g. need to see if FRS thinks it is a 
failure or not).  This I believe is not what should be happening.


johnh...


 On Wed, 13 Apr 2011, john.hayw...@wheaton.edu wrote:


Date: Wed, 13 Apr 2011 16:19:26
From: john.hayw...@wheaton.edu
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: MS-CHAP-V2 with no retry

First - thanks to the free radius group for all the work on this over the 
weekend.


There have been some fixes and extensions to my original patches and I saw a 
commit on Friday before some fixes and extensions were in place.


Can someone point me to exactly what I need to git to get the current 
version of freeradius with the patches so I can do some testing at our site?


TIA.
johnh...

On Mon, 11 Apr 2011, Phil Mayers wrote:


Date: Mon, 11 Apr 2011 08:45:13
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 11/04/11 11:22, Phil Mayers wrote:

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work 
for me.


It needs a bit of work, specifically there should be a:

num_retries

...parameter, and the EAP module should keep track of retry attempt counts, 
and stop when either:


try_number > num_retries

or

R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it 
should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've 
looked into this a couple of times recently and Samba has almost all the 
bits required to make it work... However, that would require some 
infrastructure for the server to override the MS-CHAP error code, currently 
hard-coded at 691 - 648 is password expired and would need to be set, 
either by parsing the output of ntlm_auth (for those that use it) or from 
some SQL/database attribute (for those using Cleartext/NT-Password)







Re: MS-CHAP-V2 with no retry

2011-04-20 Thread Phil Mayers

On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:

I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retries.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the
configuration files but for some reason does not re-read the mschap
module - so changing this module while testing seemed to require a
restart on the server. Is that the expected behavior?


rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't 
be terribly hard to write one - the module is fairly stateless. It's 
probably best to just restart the server though.



2) If retry=yes then on Windows 7, on failure a notification is given; if
they click, they are presented with a message indicating their username
or password is incorrect and given an opportunity to re-enter only a
password. If they enter the correct password the authentication fails
and they have to re-connect to get a dialogue box where they can enter
both the username and password. I have not traced down to determine why
the client thinks there is a failure (e.g. need to see if FRS thinks it is
a failure or not). This I believe is not what should be happening.


I think this is probably because the EAP-MSCHAP module needs to parse 
and store the new challenge in the error message. If it doesn't, the 
server and client will disagree on the challenge/response value and auth 
will fail.


This patch implements the required behaviour (as part of the support 
password change code):


https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9


Re: MS-CHAP-V2 with no retry

2011-04-20 Thread John . Hayward
Thanks for the patches - I've built a new server and hopefully will test 
tomorrow.


On the re-reading of config, I can live with the HUP not causing mschap 
to re-read its config - I just assumed that it would.


johnh...
On Wed, 20 Apr 2011, Phil Mayers wrote:


Date: Wed, 20 Apr 2011 17:53:42
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:

I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retries.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the
configuration files but for some reason does not re-read the mschap
module - so changing this module while testing seemed to require a
restart on the server. Is that the expected behavior?


rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be 
terribly hard to write one - the module is fairly stateless. It's probably 
best to just restart the server though.



2) If retry=yes then on Windows 7, on failure a notification is given; if
they click, they are presented with a message indicating their username
or password is incorrect and given an opportunity to re-enter only a
password. If they enter the correct password the authentication fails
and they have to re-connect to get a dialogue box where they can enter
both the username and password. I have not traced down to determine why
the client thinks there is a failure (e.g. need to see if FRS thinks it is
a failure or not). This I believe is not what should be happening.


I think this is probably because the EAP-MSCHAP module needs to parse and 
store the new challenge in the error message. If it doesn't, the server and 
client will disagree on the challenge/response value and auth will fail.


This patch implements the required behaviour (as part of the support 
password change code):


https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9





Re: Proxying PEAP inner as MS-CHAP broken

2011-04-16 Thread Alan DeKok
Phil Mayers wrote:
 The attached patch seems to fix it.

  Added, thanks.

  Alan DeKok.


Proxying PEAP inner as MS-CHAP broken (was: Freeradius and Microsoft NPS)

2011-04-14 Thread Phil Mayers

On 13/04/11 16:22, Alan DeKok wrote:

Phil Mayers wrote:

Actually, I was just testing this and proxying the inner EAP-MSCHAPv2 as
plain MS-CHAPv2 seems to be broken, at least in my testing. It doesn't
crash the server, but equally it doesn't pass the S=XXX success back
correctly either, so the client does a PEAP reject.


   Hmm... OK.


Ok; the problem seems to be that mschap_postproxy is never run, because 
the eap module in the inner-tunnel is returning NOOP. AFAICT this can 
only happen if request->proxy_reply == NULL, but I don't see how that 
can be.


On a working version of 2.1.1, we see:

rad_recv: Access-Accept packet from host 155.198.30.59 port 1812, id=8, 
length=227

Proxy-State = 0x38
Framed-Protocol = PPP
Service-Type = Framed-User
Class = ...
MS-MPPE-Recv-Key = 0xce2bf43311878d6da4657e39ecc46f35
MS-MPPE-Send-Key = 0x6342361df2ade968d8f02a297f16025b
MS-CHAP2-Success = ...

+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 
0xb2e4d0 2.

  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
} # server inner-tunnel
[eap] Final reply from tunneled session code 11

...and the reply has turned into an Access-Challenge.


But in v2.1.x HEAD we see:

rad_recv: Access-Accept packet from host 155.198.30.59 port 1812, 
id=130, length=227

Proxy-State = 0x38
Framed-Protocol = PPP
Service-Type = Framed-User
Class = ...
MS-MPPE-Recv-Key = 0x19ced6034408d55a75c8f0470f208337
MS-MPPE-Send-Key = 0x7889a7dd82d892c6d40b7d58d686b1f5
MS-CHAP2-Success = ...
MS-CHAP-Domain = \010IC

# Executing section post-proxy from file 
/home/pjm3/frdev/usr/local/etc/raddb/sites-enabled/default

+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file 
/home/pjm3/frdev/usr/local/etc/raddb/sites-enabled/inner-tunnel

+- entering group post-proxy {...}

...and then it goes off the rails:

++[eap] returns noop
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file 
/home/pjm3/frdev/usr/local/etc/raddb/sites-enabled/inner-tunnel

} # server inner-tunnel
[eap] Final reply from tunneled session code 2

...since mschap_postproxy hasn't run, the access-accept reply code 
hasn't been transformed into an access-challenge, the MS-CHAP-Success 
isn't tunneled back to the client and an EAP-TLV Success is sent - which 
the client rightly rejects.


I'm a bit stuck as to why rlm_eap is returning noop for inner-tunnel in 
2.1.10 but not in 2.1.1, but I guess it's related to the other changes 
in this area?



Re: Proxying PEAP inner as MS-CHAP broken

2011-04-14 Thread Phil Mayers

On 14/04/11 12:07, Phil Mayers wrote:

On 13/04/11 16:22, Alan DeKok wrote:

Phil Mayers wrote:

Actually, I was just testing this and proxying the inner EAP-MSCHAPv2 as
plain MS-CHAPv2 seems to be broken, at least in my testing. It doesn't
crash the server, but equally it doesn't pass the S=XXX success back
correctly either, so the client does a PEAP reject.


Hmm... OK.


Ok; the problem seems to be that mschap_postproxy is never run, because
the eap module in the inner-tunnel is returning NOOP. AFAICT this can
only happen if request->proxy_reply == NULL, but I don't see how that
can be.


The attached patch seems to fix it.


proxy-mschap.patch.gz
Description: GNU Zip compressed data

Re: MS-CHAP-V2 with no retry

2011-04-13 Thread John . Hayward
First - thanks to the free radius group for all the work on this over the 
weekend.


There have been some fixes and extensions to my original patches and I 
saw a commit on Friday before some fixes and extensions were in place.


Can someone point me to exactly what I need to git to get the current 
version of freeradius with the patches so I can do some testing at our 
site?


TIA.
johnh...

On Mon, 11 Apr 2011, Phil Mayers wrote:


Date: Mon, 11 Apr 2011 08:45:13
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 11/04/11 11:22, Phil Mayers wrote:

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work 
for me.


It needs a bit of work, specifically there should be a:

num_retries

...parameter, and the EAP module should keep track of retry attempt counts, 
and stop when either:


try_number > num_retries

or

R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it 
should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've 
looked into this a couple of times recently and Samba has almost all the bits 
required to make it work... However, that would require some infrastructure 
for the server to override the MS-CHAP error code, currently hard-coded at 
691 - 648 is password expired and would need to be set, either by parsing 
the output of ntlm_auth (for those that use it) or from some SQL/database 
attribute (for those using Cleartext/NT-Password)





Re: MS-CHAP-V2 with no retry

2011-04-13 Thread Alan DeKok
john.hayw...@wheaton.edu wrote:
 Can someone point me to exactly what I need to git to get the current
 version of freeradius with the patches so I can do some testing at our
 site?

  http://git.freeradius.org

  Grab the v2.1.x branch.  Read raddb/modules/mschap, and
raddb/eap.conf, the mschapv2 section.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-12 Thread Alan DeKok
Phil Mayers wrote:
 With send_error = yes, the client just hangs (and in fact crashed my
 phone several times)

  Nice to know!

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated 
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2 
needs to know it, so that it can add it to the fake request which it 
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.


This would also get us part of the way there to password change via 
mschap (Samba currently lacks the specific API call to do this, with the 
values available in an MSCHAP CPW packet, but it might be possible to 
compile a C helper which does it...)



Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 11/04/11 11:22, Phil Mayers wrote:

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry 
work for me.


It needs a bit of work, specifically there should be a:

 num_retries

...parameter, and the EAP module should keep track of retry attempt 
counts, and stop when either:


 try_number > num_retries

 or

 R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure 
it should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; 
I've looked into this a couple of times recently and Samba has almost 
all the bits required to make it work... However, that would require 
some infrastructure for the server to override the MS-CHAP error code, 
currently hard-coded at 691 - 648 is password expired and would need 
to be set, either by parsing the output of ntlm_auth (for those that use 
it) or from some SQL/database attribute (for those using 
Cleartext/NT-Password)


retry.patch.gz
Description: GNU Zip compressed data

Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 11/04/11 14:45, Phil Mayers wrote:



I'll spin up an SSID and give it a try with real clients later today.


Regrettably I can report that this does not work with Symbian.

With send_error = no, incorrect username/password reports "EAP/PEAP 
authentication failed"


With send_error = yes, the client just hangs (and in fact crashed my 
phone several times)


:o(


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Alan DeKok
James J J Hooper wrote:
 I may have mis-understood the code, but I think the EAP MS-CHAP-v2
 Failure packet should be an EAP *request* (currently it's EAP failure)??

  Yes, thanks.

  I've deleted the setting of the EAP code.  It's set in the compose
function to EAP request.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Phil Mayers

On 04/09/2011 06:18 PM, James J J Hooper wrote:

On 08/04/2011 08:54, Alan DeKok wrote:

Phil Mayers wrote:

+1 - In my experience it's necessary to cater for windows' weirdness
*first*. Most other clients have sane behaviours. I'm concerned about
the "we didn't do much windows testing" line...


Yup.

I've just pushed some changes to the git v2.1.x branch. See:

raddb/modules/mschap
- allow_retry
- retry_msg

raddb/eap.conf
- send_error

The default is no change. See the documentation for how to test the
new features.


Hi Alan,

I may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet should be an EAP *request* (currently it's EAP failure)??

http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12


All,

People might find this helpful; if you send an invalid password for an 
otherwise-active account, Windows 2008R2 NPS sends an EAP request, 
containing an MS-CHAP error with R=1 and does *not* end the EAP/PEAP 
session - I am assuming a windows client could, in this case, re-try 
MS-CHAP without restarting the PEAP session, using the challenge sent in 
the MS-CHAP error.


eapol_test shows this for the final packet:

decapsulated EAP packet (code=1 id=7 len=91) from RADIUS server: 
EAP-Request-PEAP (25)

EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=7 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=53): 1a 04 06 00 34 45 3d 
36 39 31 20 52 3d 31 20 43 3d 36 37 46 43 33 44 45 32 30 38 31 30 45 33 
34 35 37 41 30 41 39 41 37 34 42 43 37 45 31 30 45 32 20 56 3d 33

EAP-PEAP: received Phase 2: code=1 identifier=7 length=57
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 7 mschapv2_id 6
EAP-MSCHAPV2: Received failure
EAP-MSCHAPV2: Failure data - hexdump_ascii(len=48):
 45 3d 36 39 31 20 52 3d 31 20 43 3d 36 37 46 43   E=691 R=1 C=67FC
 33 44 45 32 30 38 31 30 45 33 34 35 37 41 30 41   3DE20810E3457A0A
 39 41 37 34 42 43 37 45 31 30 45 32 20 56 3d 33   9A74BC7E10E2 V=3
EAP-MSCHAPV2: error 691
EAP-MSCHAPV2: retry is allowed
EAP-MSCHAPV2: failure challenge - hexdump(len=16): 67 fc 3d e2 08 10 e3 
45 7a 0a 9a 74 bc 7e 10 e2

EAP-MSCHAPV2: password changing protocol version 3
EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
EAPOL: EAP parameter needed
EAPOL: EAP parameter needed

I will try with a windows client on Monday; I suspect it'll continue 
inside the existing PEAP tunnel with a retry since R=1, which means if 
we want to get the right behaviour as defined by the Microsoft 
implementation (PEAP is after all their protocol) we might be doing the 
wrong thing.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper

On 10/04/2011 07:03, Alan DeKok wrote:

James J J Hooper wrote:

I may have misunderstood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??


   Yes, thanks.



Also, args to pairmove2 are wrong way around, as attached.

-James


p4.txt.gz
Description: GNU Zip compressed data

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper

On 10/04/2011 12:16, James J J Hooper wrote:

On 10/04/2011 07:03, Alan DeKok wrote:

James J J Hooper wrote:

I may have misunderstood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??


Yes, thanks.



Also, args to pairmove2 are wrong way around, as attached.




After that last change (p4.txt.gz), I think it's now doing the right thing:

* wpa_supplicant output matches Phil's (against W2k8 NPS), with the 
exception that M=... is always present.


* With allow_retry = no, XP pops up the usual 'enter credentials...' 
bubble, and box.


* With allow_retry = yes, XP pops a click to process credentials bubble, 
then a type your password again box:

http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png

-James


--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper

On 10/04/2011 12:39, James J J Hooper wrote:

On 10/04/2011 12:16, James J J Hooper wrote:

On 10/04/2011 07:03, Alan DeKok wrote:

James J J Hooper wrote:

I may have misunderstood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??


Yes, thanks.



Also, args to pairmove2 are wrong way around, as attached.




After that last change (p4.txt.gz), I think it's now doing the right thing:

* wpa_supplicant output matches Phil's (against W2k8 NPS), with the
exception that M=... is always present.

* With allow_retry = no, XP pops up the usual 'enter credentials...'
bubble, and box.

* With allow_retry = yes, XP pops a click to process credentials bubble,
then a type your password again box:
http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png



...Although, when you correct the password in the 'allow_retry = yes 
popup, I don't think FR has got the bit to handle that yet:


Found Auth-Type = eduroamalieneap-bris-sha-ca
# Executing group from file 
/usr/local/etc/raddb/sites-enabled/eduroamalien-inner

+- entering group eduroamalieneap-bris-sha-ca {...}
[eduroamalieneap-bris-sha-ca] Request found, released from the list
[eduroamalieneap-bris-sha-ca] EAP/mschapv2
[eduroamalieneap-bris-sha-ca] processing type mschapv2
rlm_eap_mschapv2: Unexpected response received  ***
[eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamalieneap-bris-sha-ca] Failed in EAP select
++[eduroamalieneap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 
00-1a-4d-35-b0-5a via TLS tunnel)

} # server eduroamalien-inner
[peap] Got tunneled reply code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

-James


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Alan DeKok
James J J Hooper wrote:
 Also, args to pairmove2 are wrong way around, as attached.

  Applied, thanks.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Alan DeKok
James J J Hooper wrote:
 ...Although, when you correct the password in the 'allow_retry = yes
 popup, I don't think FR has got the bit to handle that yet:
 
 Found Auth-Type = eduroamalieneap-bris-sha-ca
 # Executing group from file
 /usr/local/etc/raddb/sites-enabled/eduroamalien-inner
 +- entering group eduroamalieneap-bris-sha-ca {...}
 [eduroamalieneap-bris-sha-ca] Request found, released from the list
 [eduroamalieneap-bris-sha-ca] EAP/mschapv2
 [eduroamalieneap-bris-sha-ca] processing type mschapv2
 rlm_eap_mschapv2: Unexpected response received  ***

  Ah... it's supposed to try the MS-CHAP stuff again.  Nice!

  I'm travelling to networkshop soon, but I'll see if I poke at it this
week.  If I'm right, the fix should be pretty simple.  But it will need
to be tested by people.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper

On 10/04/2011 12:57, James J J Hooper wrote:

On 10/04/2011 12:39, James J J Hooper wrote:

On 10/04/2011 12:16, James J J Hooper wrote:

On 10/04/2011 07:03, Alan DeKok wrote:

James J J Hooper wrote:

I may have misunderstood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP
failure)??


Yes, thanks.



Also, args to pairmove2 are wrong way around, as attached.




After that last change (p4.txt.gz), I think it's now doing the right thing:

* wpa_supplicant output matches Phil's (against W2k8 NPS), with the
exception that M=... is always present.

* With allow_retry = no, XP pops up the usual 'enter credentials...'
bubble, and box.

* With allow_retry = yes, XP pops a click to process credentials bubble,
then a type your password again box:
http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png



...Although, when you correct the password in the 'allow_retry = yes
popup, I don't think FR has got the bit to handle that yet:

Found Auth-Type = eduroamalieneap-bris-sha-ca
# Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamalien-inner
+- entering group eduroamalieneap-bris-sha-ca {...}
[eduroamalieneap-bris-sha-ca] Request found, released from the list
[eduroamalieneap-bris-sha-ca] EAP/mschapv2
[eduroamalieneap-bris-sha-ca] processing type mschapv2
rlm_eap_mschapv2: Unexpected response received  ***
[eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamalieneap-bris-sha-ca] Failed in EAP select
++[eduroamalieneap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli
00-1a-4d-35-b0-5a via TLS tunnel)
} # server eduroamalien-inner
[peap] Got tunneled reply code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE



I think it needs two things now:

1)
Something like:
@@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg, 
EAP_HANDLER *handler)

 *  a challenge.
 */
case PW_EAP_MSCHAPV2_RESPONSE:
-   if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) {
-   radlog(L_ERR, rlm_eap_mschapv2: Unexpected 
response received);
+   if ((data-code != PW_EAP_MSCHAPV2_CHALLENGE)  
(data-code != PW_EAP_MSCHAPV2_FAILURE)) {
+   radlog(L_ERR, rlm_eap_mschapv2: Unexpected 
response received: %d, data-code);

return 0;
}
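Review bot: the widened condition in the `case PW_EAP_MSCHAPV2_RESPONSE:` branch lets a Response through whenever the last packet we sent was a FAILURE, without checking whether that failure carried R=1 or R=0, so with allow_retry = no a client that retries anyway is still processed instead of being rejected; and since nothing here replaces `data->challenge` with the C= value that went out in the failure, the retry would be verified against the original challenge and always fail. Gate the new branch on the retry flag recorded when the failure was composed, and store the C= bytes into `data->challenge` at that point. Printing `data->code` with `%d` in the radlog is a good addition.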

... because the response to our MSCHAPV2_FAILURE seems to be a 
MSCHAPV2_FAILURE




2)
if (inst->retry_msg) {
	snprintf(buffer + 9, sizeof(buffer), " C=");
	for (i = 0; i < 16; i++) {
		snprintf(buffer + 12 + i*2,
			 sizeof(buffer), "%02x",
			 fr_rand() & 0xff);
	}

This C=random needs to be saved and eventually make its way in to 
data->challenge so that the line lower down:

memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);

has the correct challenge, and can then process the clients retry correctly?

(help, I haven't managed to work out the mechanism from the current 
challenge generation bits yet!)


-James



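To make the two points above concrete, here is an added C sketch of the server-side state rlm_eap_mschapv2 would need for retries; it is not FreeRADIUS code and not part of James's patch. The credential check is a constructed toy (response = challenge XOR a 16-byte secret) standing in for the real NT-Response verification, the challenge generator is a deterministic counter standing in for fr_rand(), and the per-session retry budget passed to session_start() is an assumed policy knob, not a FreeRADIUS option. What it shows is the handling James is asking about: the C= challenge that goes out in a Failure Request with R=1 is saved and the retry is verified against it (a retry computed over the original challenge fails), a Response after R=0 is rejected, and EAP-Failure is only produced once the client acks the failure. Counting retries per session is also what John asked for earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHALLENGE_LEN 16
#define OP_RESPONSE   2   /* EAP-MSCHAPv2 OpCodes from draft-kamath-pppext-eap-mschapv2 */
#define OP_FAILURE    4

enum srv_state { ST_CHALLENGE_SENT, ST_FAILURE_SENT, ST_DONE };
enum outcome   { OUT_SUCCESS, OUT_FAILURE_REQUEST, OUT_EAP_FAILURE, OUT_INVALID };

struct session {
    enum srv_state state;
    uint8_t challenge[CHALLENGE_LEN];  /* the challenge the NEXT Response is verified against */
    int retry_allowed;                 /* did the Failure Request we last sent say R=1? */
    int retries_left;                  /* per-session retry budget (assumed policy knob) */
    const uint8_t *secret;             /* toy credential, see toy_peer_respond() */
};

/* Deterministic stand-in for the challenge generator; real code uses fr_rand()/getrandom(). */
static void new_challenge(uint8_t *buf)
{
    static uint8_t ctr; ctr++;
    for (int i = 0; i < CHALLENGE_LEN; i++) buf[i] = (uint8_t)(ctr * 31 + i);
}

/* Constructed stand-in for the RFC 2759 NT-Response (which needs MD4/SHA-1): the toy
 * response is challenge XOR secret. It exists only to drive the state machine. */
static void toy_peer_respond(const uint8_t *challenge, const uint8_t *secret, uint8_t *out)
{
    for (int i = 0; i < CHALLENGE_LEN; i++) out[i] = challenge[i] ^ secret[i];
}

void session_start(struct session *s, int max_retries, const uint8_t *secret)
{
    memset(s, 0, sizeof(*s));
    s->retries_left = max_retries; s->secret = secret;
    new_challenge(s->challenge);       /* goes out in the initial Challenge packet */
    s->state = ST_CHALLENGE_SENT;
}

/* Text of the Failure Request: "E=691 R=r [C=hex] V=3". len must be at least 64. */
static void format_failure(char *msg, size_t len, int retry, const uint8_t *c)
{
    int n = snprintf(msg, len, "E=691 R=%d%s", retry, retry ? " C=" : "");
    for (int i = 0; retry && i < CHALLENGE_LEN; i++)
        n += snprintf(msg + n, len - (size_t)n, "%02X", c[i]);
    snprintf(msg + n, len - (size_t)n, " V=3");
}

/* One client packet: response is the toy response for OP_RESPONSE, ignored for OP_FAILURE. */
enum outcome session_input(struct session *s, int opcode, const uint8_t *response,
                           char *msg, size_t msglen)
{
    uint8_t expect[CHALLENGE_LEN];
    if (opcode == OP_FAILURE) {        /* the client acked our Failure Request: EAP-Failure now */
        if (s->state != ST_FAILURE_SENT) return OUT_INVALID;
        s->state = ST_DONE; return OUT_EAP_FAILURE;
    }
    if (opcode != OP_RESPONSE || s->state == ST_DONE) return OUT_INVALID;
    if (s->state == ST_FAILURE_SENT && !s->retry_allowed) return OUT_INVALID;  /* we sent R=0 */
    toy_peer_respond(s->challenge, s->secret, expect);   /* stands in for the NT-Response check */
    if (memcmp(expect, response, CHALLENGE_LEN) == 0) { s->state = ST_DONE; return OUT_SUCCESS; }
    s->retry_allowed = s->retries_left > 0;
    /* The fresh challenge is the C= value; it is kept so the retry is checked against it. */
    if (s->retry_allowed) { s->retries_left--; new_challenge(s->challenge); }
    format_failure(msg, msglen, s->retry_allowed, s->challenge);
    s->state = ST_FAILURE_SENT;
    return OUT_FAILURE_REQUEST;
}

/* Wrong password -> R=1 with a new C=; a retry over the ORIGINAL challenge is rejected;
 * a retry over the C= challenge just sent succeeds. Returns 0 if all of that held. */
int run_retry_success(void)
{
    struct session s; uint8_t old[CHALLENGE_LEN], resp[CHALLENGE_LEN] = {0}; char msg[64];
    session_start(&s, 2, (const uint8_t *)"sixteen-byte-key");
    memcpy(old, s.challenge, CHALLENGE_LEN);
    if (session_input(&s, OP_RESPONSE, resp, msg, sizeof msg) != OUT_FAILURE_REQUEST) return 1;
    if (strncmp(msg, "E=691 R=1 C=", 12) != 0 || !memcmp(old, s.challenge, CHALLENGE_LEN)) return 2;
    toy_peer_respond(old, s.secret, resp);            /* stale retry */
    if (session_input(&s, OP_RESPONSE, resp, msg, sizeof msg) != OUT_FAILURE_REQUEST) return 3;
    toy_peer_respond(s.challenge, s.secret, resp);    /* retry over the C= challenge */
    return session_input(&s, OP_RESPONSE, resp, msg, sizeof msg) == OUT_SUCCESS ? 0 : 4;
}

/* allow_retry = no: R=0 without C=, a further Response is ignored, only the ack ends it. */
int run_no_retry(void)
{
    struct session s; uint8_t resp[CHALLENGE_LEN] = {0}; char msg[64];
    session_start(&s, 0, (const uint8_t *)"sixteen-byte-key");
    if (session_input(&s, OP_RESPONSE, resp, msg, sizeof msg) != OUT_FAILURE_REQUEST) return 1;
    if (strcmp(msg, "E=691 R=0 V=3") != 0) return 2;
    if (session_input(&s, OP_RESPONSE, resp, msg, sizeof msg) != OUT_INVALID) return 3;
    return session_input(&s, OP_FAILURE, NULL, msg, sizeof msg) == OUT_EAP_FAILURE ? 0 : 4;
}
```

There is no main(): run_retry_success() and run_no_retry() each return 0 when the exchange went as described and the number of the step that deviated otherwise, so a one-line driver that prints both is enough to walk through it. Swapping toy_peer_respond() for a real NT-Response check and new_challenge() for fr_rand() leaves the state machine itself unchanged.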


Re: MS-CHAP-V2 with no retry

2011-04-09 Thread James J J Hooper

On 08/04/2011 08:54, Alan DeKok wrote:

Phil Mayers wrote:

+1 - In my experience it's necessary to cater for windows' weirdness
*first*. Most other clients have sane behaviours. I'm concerned about
the "we didn't do much windows testing" line...


   Yup.

   I've just pushed some changes to the git v2.1.x branch.  See:

raddb/modules/mschap
- allow_retry
- retry_msg

raddb/eap.socn
- send_error

   The default is no change.  See the documentation for how to test the
new features.


Hi Alan,

I may have misunderstood the code, but I think the EAP MS-CHAP-v2 
Failure packet, should be an EAP *request* (currently it's EAP failure)??


http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12

...as per attached diff?

-James


p3.txt.gz
Description: GNU Zip compressed data

Re: MS-CHAP-V2 with no retry

2011-04-08 Thread Alan DeKok
James J J Hooper wrote:
   It works on Mac OS and iOS, but I haven't been able to get it to work
 as expected on XP or Win7:
 * Win7 does as it did before

  That's not all bad.

* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'
 message.

  That's not good.

 Could you forward your patches gzipped [so they don't get mangled] so I
 can verify I have patched the source correctly?

  I'll put some fixes into git v2.1.x branch later today, I think.

  Changing the EAP-MSCHAP state machine worries me.  It works now, so
doing something *different* is a potential source of problems.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-08 Thread Phil Mayers

On 04/08/2011 08:26 AM, Alan DeKok wrote:

James J J Hooper wrote:

   It works on Mac OS and iOS, but I haven't been able to get it to work
as expected on XP or Win7:
* Win7 does as it did before


   That's not all bad.


* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'
message.


   That's not good.


Could you forward your patches gzipped [so they don't get mangled] so I
can verify I have patched the source correctly?


   I'll put some fixes into git v2.1.x branch later today, I think.

   Changing the EAP-MSCHAP state machine worries me.  It works now, so
doing something *different* is a potential source of problems.


+1 - In my experience it's necessary to cater for windows' weirdness 
*first*. Most other clients have sane behaviours. I'm concerned about 
the "we didn't do much windows testing" line...


I also think that, if we're aiming to make the behaviour better we 
should take a careful look at what IAS/NPS does; we maintain a for 
comparison server for just such cases, and I'll try to have a look today.



Re: MS-CHAP-V2 with no retry

2011-04-08 Thread Alan DeKok
Phil Mayers wrote:
 +1 - In my experience it's necessary to cater for windows' weirdness
 *first*. Most other clients have sane behaviours. I'm concerned about
 the "we didn't do much windows testing" line...

  Yup.

  I've just pushed some changes to the git v2.1.x branch.  See:

raddb/modules/mschap
- allow_retry
- retry_msg

raddb/eap.socn
- send_error

  The default is no change.  See the documentation for how to test the
new features.

  Alan DeKok.


RE: MS-CHAP-V2 with no retry

2011-04-08 Thread John Hayward
A couple of comments on how clients behave:
o It was my impression based on comments from our support area that the 
unpatched code (which does not follow the rfc) serving a windows client 
presented the user with a dialogue box on failure.  I have not tested this.  I 
assumed that if windows could deal reasonably with a server which did not 
follow the rfc they could also work with one that did (possibly wrong 
assumption - but they are the ones which wrote the rfc).

o It is known that various versions of the mac client fail in different 
respects - however they seem to fail consistently in that if retry is allowed 
they fail to increment the ID when retrying, and the MS RADIUS server discards 
the retry because it is not following the protocol. You can get macs to play by 
configuring the server to not allow retries.  So if you are going to test macs 
on the MS radius server you might try both with retry and without retry.

o In this case it appears that there have been more issues with 
mac wpa_clients than windows wpa_clients.

o Testing of both windows and mac without the patch and with the patch needs to 
be done.
johnh...

From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org 
[freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on 
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Friday, April 08, 2011 2:54 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry

Phil Mayers wrote:
 +1 - In my experience it's necessary to cater for windows' weirdness
 *first*. Most other clients have sane behaviours. I'm concerned about
 the "we didn't do much windows testing" line...

  Yup.

  I've just pushed some changes to the git v2.1.x branch.  See:

raddb/modules/mschap
- allow_retry
- retry_msg

raddb/eap.socn
- send_error

  The default is no change.  See the documentation for how to test the
new features.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper



--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu 
wrote:




I don't know if this should be sent to the developers list instead.

=== Background ===
When there is a failure of the client to match the challenge of the
server:

According to RFC 2759 section 6, a failure packet includes a message like:
E=ee R=r C= V=vv M=msg
where E is the error code, R 1/0 allow/disallow retry C an ascii version
of the challenge V=3 and M= some text message.

After this mschap failure message is sent by the server, an acknowledgment
(which seems to have a failure code) should be returned from the client.

At that point the server can close the eap connection with a failure.

What the 2.1.10 code (and earlier) appears to do is after mschap is
detected immediately close the eap connection with a failure.

The effect for windows XP/7 machines connecting wirelessly using mschapv2
is that they are presented with a dialog box and can enter new
credentials.

What happens with mac/iphones/androids/ubuntu is that they appear to be
confused and time out and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.

For some environments (such as using Novell NDS to authenticate) if
configured modules/ldap edir_account_policy_check=yes then these repeated
failures result in account lock outs.

Scenario: Institution requires periodic change of password - user uses a
web site to change password - user forgets to update their
mac/iphone/android - user turns on their mac/iphone/android - shortly
after user cannot access any resources (such as blackboard/portal etc)
because their account is locked out.

== proposed fix 
Modify freeradius to follow rfc2759.

This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
   to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
   response created by rlm_mschap.c and send that back, also accept an
   authentication failure acknowledgment before sending eap failure
packet.

Below are the diffs:



==

 Comments 
o Results:
   We have implemented this patch (along with the configuration change
   edir_account_policy_check=no) and observe:
   1) no more lockouts
   2) Mac/iPhone users are now presented with a dialog box where they
  can update their password.
o Code:
   a) I don't like the 100 character msg variable - there is probably a
  better way to do this.
   b) There is probably a function in free radius library to do the
sprintf
  which should be used.
   c) samba locked accounts should probably have a similar message
  generated if they are mschapv2.

I would be happy if someone could look over these patches and incorporate
the ideas into freeradius for future releases.



Hi John,
 I had trouble applying the patches to 2.1.x git -- maybe because they got 
mushed during the email process.


Adding the bits by hand seemed to work, and I can confirm the result is as 
you describe on an iPhone (that's all I had to hand to test).


Attached are the two 'git diff' that I ended up with.

-James


--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--

index c512018..3f3fc46 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST 
*request)
  response-vp_octets + 26, nthashhash,
  do_ntlm_auth)  0) {
RDEBUG2(FAILED: MS-CHAP2-Response is incorrect);
+
+   /* JCH - changes to include challenge and message */
+char msg[100];
+strcpy(msg, E=691 R=0 C=);
+int i, offset = strlen(msg);
+char *ptr = msg[offset];
+for (i=0; i16; i++, ptr+=2) {
+   sprintf(ptr, %02X, response-vp_octets[i+2]);
+}
+*ptr = 0;
+strcat(msg,  V=3 M=May Need to reset cached 
password);
+
mschap_add_reply(request, request-reply-vps,
 *response-vp_octets,
-MS-CHAP-Error, E=691 R=1, 9);
+MS-CHAP-Error, msg, strlen(msg));
return RLM_MODULE_REJECT;
}
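Review bot: the C= value is built from `response->vp_octets[i+2]`, i.e. the 16-byte Peer-Challenge the client itself put in MS-CHAP2-Response, while RFC 2759 section 6 defines C= as a new server challenge for the retry; echoing the client's own value back gives the server nothing fresh to verify a retry against, so either generate 16 random bytes here and keep them for the next round, or omit C= when sending R=0 as this hunk does. Separately, the strcpy/sprintf/strcat chain into `char msg[100]` has no bounds check: "E=691 R=0 C=" plus 32 hex digits plus " V=3 M=May Need to reset cached password" is 84 bytes and fits only because the message is short; build it with snprintf against sizeof(msg). Changing the previous hardcoded R=1 to R=0 is also a behaviour change that deserves its own comment.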

index bdf4668..051fe71 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler, 
VALUE_PAIR *reply)
 
case

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper



--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper 
jjj.hoo...@bristol.ac.uk wrote:




Attached are the two 'git diff' that I ended up with.


gzipped so they don't get messed up.

-James


p1.txt.gz
Description: Binary data


p2.txt.gz
Description: Binary data

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread Alan Buxey
hi,


this would be great to get into the 2.1.11 release if possible, if not 2.1.12 or
2.2.x, as it solves one of our current problems: devices configured for our roaming
SSID continually trying to authenticate to the system even if the user no
longer exists. Currently they just keep on and on and on... this will 'break' their settings
until they put in new details (which they can't if they are no longer a member able to
use the roaming SSID).

alan 


Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper

On 07/04/2011 13:33, James J J Hooper wrote:



--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:



I don't know if this should be sent to the developers list instead.

=== Background ===
When there is a failure of the client to match the challenge of the
server:

According to RFC 2759 section 6, a failure packet includes a message like:
E=ee R=r C= V=vv M=msg
where E is the error code, R 1/0 allow/disallow retry C an ascii version
of the challenge V=3 and M= some text message.

After this mschap failure message is sent by the server, an acknowledgment
(which seems to have a failure code) should be returned from the client.

At that point the server can close the eap connection with a failure.

What the 2.1.10 code (and earlier) appears to do is after mschap is
detected immediately close the eap connection with a failure.

The effect for windows XP/7 machines connecting wirelessly using mschapv2
is that they are presented with a dialog box and can enter new
credentials.

What happens with mac/iphones/androids/ubuntu is that they appear to be
confused and time out and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.

For some environments (such as using Novell NDS to authenticate) if
configured modules/ldap edir_account_policy_check=yes then these repeated
failures result in account lock outs.

Scenario: Institution requires periodic change of password - user uses a
web site to change password - user forgets to update their
mac/iphone/android - user turns on their mac/iphone/android - shortly
after user cannot access any resources (such as blackboard/portal etc)
because their account is locked out.

== proposed fix 
Modify freeradius to follow rfc2759.

This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
response created by rlm_mschap.c and send that back, also accept an
authentication failure acknowledgment before sending eap failure
packet.

Below are the diffs:



==

 Comments 
o Results:
We have implemented this patch (along with the configuration change
edir_account_policy_check=no) and observe:
1) no more lockouts
2) Mac/iPhone users are now presented with a dialog box where they
can update their password.
o Code:
a) I don't like the 100 character msg variable - there is probably a
better way to do this.
b) There is probably a function in free radius library to do the
sprintf
which should be used.
c) samba locked accounts should probably have a similar message
generated if they are mschapv2.

I would be happy if someone could look over these patches and incorporate
the ideas into freeradius for future releases.



Hi John,
I had trouble applying the patches to 2.1.x git -- maybe because they got
mushed during the email process.

Adding the bits by hand seemed to work, and I can confirm the result is as
you describe on an iPhone (that's all I had to hand to test).

Attached are the two 'git diff' that I ended up with.


Hi John,
  It works on Mac OS and iOS, but I haven't been able to get it to work as 
expected on XP or Win7:

* Win7 does as it did before

* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate' 
message.


Could you forward your patches gzipped [so they don't get mangled] so I 
can verify I have patched the source correctly?


Regards,
  James


Re: MS-CHAP-V2 with no retry

2011-04-06 Thread John . Hayward

On Wed, 9 Mar 2011, Alan DeKok wrote:


Date: Wed, 9 Mar 2011 01:25:10
From: Alan DeKok al...@deployingradius.com
Reply-To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

John Hayward wrote:

Any idea of the time frame?


 A long time.


Should I spend my time looking at the code and proposing a patch?


 Sure.

 Alan DeKok.

I don't know if this should be sent to the developers list instead.

=== Background ===
When there is a failure of the client to match the challenge of the 
server:


According to RFC 2759 section 6, a failure packet includes a message like:

E=ee R=r C= V=vv M=msg
where E is the error code, R 1/0 allow/disallow retry C an ascii version 
of the challenge V=3 and M= some text message.


After this mschap failure message is sent by the server, an acknowledgment 
(which seems to have a failure code) should be returned from the client.


At that point the server can close the eap connection with a failure.

What the 2.1.10 code (and earlier) appears to do is after mschap is 
detected immediately close the eap connection with a failure.


The effect for windows XP/7 machines connecting wirelessly using mschapv2 
is that they are presented with a dialog box and can enter new 
credentials.


What happens with mac/iphones/androids/ubuntu is that they appear to be 
confused and time out and re-send (at various rates) authentication 
attempts without presenting a dialog box to the user.


For some environments (such as using Novell NDS to authenticate) if 
configured modules/ldap edir_account_policy_check=yes then these repeated 
failures result in account lock outs.


Scenario: Institution requires periodic change of password - user uses a 
web site to change password - user forgets to update their 
mac/iphone/android - user turns on their mac/iphone/android - shortly 
after user cannot access any resources (such as blackboard/portal etc) 
because their account is locked out.


== proposed fix 
Modify freeradius to follow rfc2759.

This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
  to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
  response created by rlm_mschap.c and send that back, also accept an
  authentication failure acknowledgment before sending eap failure packet.

Below are the diffs:
=== rlm_mschap.c (from src/modules/rlm_mschap/)
1242,1252c1242
 /* JCH - changes to include challenge and message */
 char msg[100];
 strcpy(msg, E=691 R=0 C=);
 int i, offset = strlen(msg);
 char *ptr = msg[offset];
 for (i=0; i16; i++, ptr+=2) {
sprintf(ptr, %02X, response-vp_octets[i+2]);
 }
 *ptr = 0;
 strcat(msg,  V=3 M=May Need to reset cashed password
);
   mschap_add_reply(request, request-reply-vps,
---

  mschap_add_reply(request, request-reply-vps,

1254c1244
MS-CHAP-Error, msg, strlen(msg));
---

   MS-CHAP-Error, E=691 R=1, 9);
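Review bot: the user-visible text in `strcat(msg, " V=3 M=May Need to reset cashed password")` has a typo, "cashed" for "cached", and the literal appears to be broken across a line before `");`, which will not compile if that is really how it sits in the file; also `char msg[100]`, `int i, offset` and `char *ptr` are declared after the RDEBUG2 statement, which the rest of this file (C89 style) avoids. Move the declarations to the top of the block and keep the string on one line.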

1299d1288
 /* JCH should we check for MS-CHAPV2 and modify the reply to include challenge
? */


 from /src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
198c198,200
   length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
---

/* JCH need to be change length to work with full v2 message  */
  //length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
length = 4 + reply-length-1;

215c217,222
   memcpy((eap_ds-request-type.data + 4), 
MSCHAPV2_FAILURE_MESSAG

E, MSCHAPV2_FAILURE_MESSAGE_LEN);
---
/* JCH need to copy the failure message from mschapv2 - it contains 

ascii

   version of the challenge C=...
*/
  memcpy((eap_ds-request-type.data + 4), 

(reply-vp_strvalue+1),

(reply-length-1));
//MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN);
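Review bot: `length = 4 + reply->length-1` and the `memcpy(..., reply->vp_strvalue+1, reply->length-1)` assume the MS-CHAP-Error value is at least one byte long (the leading Ident byte that is skipped); an MS-CHAP-Error with an empty value makes `reply->length-1` wrap and the memcpy read far past the attribute. Check `reply->length < 1` first and fall back to the fixed MSCHAPV2_FAILURE_MESSAGE in that case, and delete the commented-out old lines rather than leaving them beside the new ones.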

487a495,505

/*JCH added - is this is an ack of a failure message */
case PW_EAP_MSCHAPV2_FAILURE:
  if (data-code != PW_EAP_MSCHAPV2_FAILURE) {
  radlog(L_ERR, rlm_eap_mschapv2: Unexpected FAILURE 
received);
  return 0;
  }
  //JCH needed??? handler-request-options = 

~RAD_REQUEST_OPTION
_PROXY_EAP;

eap_ds-request-code = PW_EAP_FAILURE;
return 1;
break;
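Review bot: the new `case PW_EAP_MSCHAPV2_FAILURE:` turns the client's ack straight into `eap_ds->request->code = PW_EAP_FAILURE`, which is the request/ack/EAP-Failure sequence Alan asked for, but it does not compare the ack's MS-CHAPv2-ID with the one sent in the Failure Request, so a stale ack from an earlier round is accepted (John's note about Macs not incrementing the ID on retry is exactly the case where this matters); check the ID before ending the session. The `//JCH needed???` line should be resolved or removed, and the `break;` after `return 1;` is dead code.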


658a677,680

/* JCH this is in response to the failure ack - return
   failure packet - don't return

RE: MS-CHAP-V2 with no retry

2011-03-08 Thread John Hayward
Any idea of the time frame?
Should I spend my time looking at the code and proposing a patch?
johnh...

From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org 
[freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on 
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Saturday, March 05, 2011 12:23 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry

john.hayw...@wheaton.edu wrote:
 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
a response sent back to the client but there was no message in the
response.

  It's more complicated.  The server would send EAP-Failure, and nothing
else.

 2) The patch given resolves that problem - giving the message
of the rlm_mschap.c module of E=691 R=1

  On closer inspection, the patch doesn't resolve anything.  It still
sends an EAP-Failure.  It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the E=691 R=1 failure code.  After the
client has ACKed that, it should *then* send EAP-Failure.

  i.e. fixing it is likely a fair bit more work.

 3) It is possible to configure in radius.conf the message on failure by:

  No.  That sends back an MS-CHAP-Error.  The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-03-08 Thread Alan DeKok
John Hayward wrote:
 Any idea of the time frame?

  A long time.

 Should I spend my time looking at the code and proposing a patch?

  Sure.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
john.hayw...@wheaton.edu wrote:
 I am asking that it be configurable as to how many retries are allowed
 (eg how many E=691 R=1) before a no retries failed authentication
 message (E=691 R=0) is sent.

  The answer here is to use a database.  FreeRADIUS doesn't keep track
of any long-term data.  It uses a database.

 If a no retries failed authentication message (E=691 R=0) is sent I
 believe that that the apple device to re-prompt the user to update the
 password.

  If you want to set E=691 R=0, you can use unlang in the
post-auth-type Reject section to re-write the attribute.

  Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Phil Mayers



I am asking that it be configurable as to how many retries are allowed
(eg how many E=691 R=1) before a no retries failed authentication
message (E=691 R=0) is sent.



Ah gotcha. Thanks for the detail!

As Alan has suggested in his other email, you can change the 
MS-CHAP-Error in the post-auth section:


post-auth {
  Post-Auth-Type REJECT {
    if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
      update reply {
        MS-CHAP-Error := "E=691 R=0"
      }
    }
  }
}



If a no retries failed authentication message (E=691 R=0) is sent I
believe that that the apple device to re-prompt the user to update the
password.


...but I'm not sure this will work.

The reason being, if you're using wireless you're probably using 
PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner - 
that is, it is *not* raw mschap inside the tunnel.


The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:

E=691 R=0

...ignoring any errors the mschap module might have generated.

So in theory at least, FreeRadius is already doing what you want for 
EAP-MSCHAP, and changing it won't help.



Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
Phil Mayers wrote:
 The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
 
 E=691 R=0

  Really?  I don't see that.

  What I do see is that it doesn't copy the MS-CHAP-Error into the TLS
tunnel.

  That could be fixed for 2.1.11, I guess.  If someone can test it...

  Alan DeKok.