Re: MSCHAPv2, MySQL, Freeradius
Dan Russell [EMAIL PROTECTED] wrote:
> Hey, I'm not having a go at you, I believe it does work, I'm just having
> issue getting it working..

  Yes, but too many people post messages saying "Stuff went wrong... how do I fix it?". Without any context, the only possible answer is "No idea..."

> Tue Oct 4 15:10:39 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [wolfer]

  Well, that would appear to be useful.

> Here is a snippet of the radcheck table :
>
> ID  UserName  Attribute         op  Value
> 25  wolfer    SMB-Account-CTRL  ==  16
> 27  wolfer    NT-Password       ==  0x47C8F8E50C470E37AAD3B435B51404EE

  See the docs for rlm_sql. '==' is a *comparison* operator. There is no NT-Password in the packet, so of course it never matches. Change both '==' to ':='.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MSCHAPv2, MySQL, Freeradius
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, 5 October 2005 1:48 AM
To: FreeRadius users mailing list
Subject: Re: MSCHAPv2, MySQL, Freeradius

> Dan Russell [EMAIL PROTECTED] wrote:
> > Hey, I'm not having a go at you, I believe it does work, I'm just having
> > issue getting it working..
>
>   Yes, but too many people post messages saying "Stuff went wrong... how do I fix it?". Without any context, the only possible answer is "No idea..."
>
> > Tue Oct 4 15:10:39 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [wolfer]
>
>   Well, that would appear to be useful.
>
> > Here is a snippet of the radcheck table :
> >
> > ID  UserName  Attribute         op  Value
> > 25  wolfer    SMB-Account-CTRL  ==  16
> > 27  wolfer    NT-Password       ==  0x47C8F8E50C470E37AAD3B435B51404EE
>
>   See the docs for rlm_sql. '==' is a *comparison* operator. There is no NT-Password in the packet, so of course it never matches. Change both '==' to ':='.
>
>   Alan DeKok.

That's fixed it.. All works well now..

Thanks for your help.

Daniel Russell
RE: MSCHAPv2, MySQL, Freeradius
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 3 October 2005 2:48 PM
To: FreeRadius users mailing list
Subject: Re: MSCHAPv2, MySQL, Freeradius

> Dan Russell [EMAIL PROTECTED] wrote:
> > If I used a third party tool like mkntpwd to create NT Hashes, could I
> > put premade hashes in the database and use them to authenticate ... Is
> > there any specific config change I would need to make to enable this?
>
>   No. It should work in the default config.
>
> > How does freeradius identify that the password has already been NT hashed?
>
>   Because you put it into the NT-Password attribute, instead of the
> User-Password attribute.

Okay, I've tried that and not found it to work for me.

I looked through the source code to the rlm_mschap now and have found where I believe it is falling over. It tries to get the 'User-Password' attribute first (which it fails on, I don't have one), then it tried to get the 'LM-Password' attribute which it also fails on. After dealing with that it tries the same thing with 'NT-Password'. For some reason it isn't pulling these attributes out of mysql..

After looking at the debug output from freeradius, the sql statement that it executes when it receives an authentication request should return the LM-Password and NT-Password.

When I try to authenticate it gives me the error :

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.

And a couple of lines later I get

rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

I'm not sure why it isn't picking the attributes up.. If it's any help, I'm using mysql 4.1.11 and freeradius 1.0.2

> > What stops it from encrypting whatever it finds in the radcheck table
> > for the password?
>
>   I have no idea what question you're asking. So far as I can tell, the
> answer is "it doesn't work that way".
>
>   Alan DeKok.
Re: MSCHAPv2, MySQL, Freeradius
Dan Russell [EMAIL PROTECTED] wrote:
> > Because you put it into the NT-Password attribute, instead of the
> > User-Password attribute.
>
> Okay, I've tried that and not found it to work for me.

  Sorry, it *does* work. Since you didn't provide any debug logs or config examples, I can only suggest that you probably did it wrong.

> It tries to get the 'User-Password' attribute first (which it fails on, I
> don't have one), then it tried to get the 'LM-Password' attribute which it
> also fails on. After dealing with that it tries the same thing with
> 'NT-Password'. For some reason it isn't pulling these attributes out of
> mysql..

  Read the debug log. It will tell you what it *is* getting from MySQL.

> After looking at the debug output from freeradius, the sql statement that
> it executes when it receives an authentication request should return the
> LM-Password and NT-Password.

  Does it return those attributes when you run the query by hand?

  Alan DeKok.
RE: MSCHAPv2, MySQL, Freeradius
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 4 October 2005 3:17 PM
To: FreeRadius users mailing list
Subject: Re: MSCHAPv2, MySQL, Freeradius

> Dan Russell [EMAIL PROTECTED] wrote:
> > > Because you put it into the NT-Password attribute, instead of the
> > > User-Password attribute.
> >
> > Okay, I've tried that and not found it to work for me.
>
>   Sorry, it *does* work. Since you didn't provide any debug logs or config
> examples, I can only suggest that you probably did it wrong.

Hey, I'm not having a go at you, I believe it does work, I'm just having issue getting it working..

Here is the log of someone attempting to log in :

rad_recv: Access-Request packet from host x.x.x.x:32775, id=33, length=177
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 422
        NAS-Port-Type = Ethernet
        User-Name = wolfer
        Calling-Station-Id = 00:50:FC:68:E6:32
        NAS-Port-Id = ether2
        MS-CHAP-Challenge = 0x700b1e514cb6628c25441cb76ce17109
        MS-CHAP2-Response = 0x010051c12db8db344c7c72d03bda36fd556d76fb28d715a538d4ae05b012cd5edb6e86ee71d8f6d6bbc0
        NAS-Identifier = NAS
        NAS-IP-Address = x.x.x.x
Tue Oct 4 15:10:39 2005 : Debug: Processing the authorize section of radiusd.conf
Tue Oct 4 15:10:39 2005 : Debug: modcall: entering group authorize for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modcall[authorize]: module preprocess returns ok for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modcall[authorize]: module chap returns noop for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 5
Tue Oct 4 15:10:39 2005 : Debug: radius_xlat: 'wolfer'
Tue Oct 4 15:10:39 2005 : Debug: rlm_sql (sql): sql_set_user escaped user -- 'wolfer'
Tue Oct 4 15:10:39 2005 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'wolfer' ORDER BY id'
Tue Oct 4 15:10:39 2005 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Tue Oct 4 15:10:39 2005 : Debug: radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'wolfer' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Tue Oct 4 15:10:39 2005 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'wolfer' ORDER BY id'
Tue Oct 4 15:10:39 2005 : Debug: radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'wolfer' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Tue Oct 4 15:10:39 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [wolfer]
Tue Oct 4 15:10:39 2005 : Debug: rlm_sql (sql): Released sql socket id: 4
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modcall[authorize]: module sql returns notfound for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = MS-CHAP'
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modcall[authorize]: module mschap returns ok for request 5
Tue Oct 4 15:10:39 2005 : Debug: modcall: group authorize returns ok for request 5
Tue Oct 4 15:10:39 2005 : Debug:   rad_check_password: Found Auth-Type MS-CHAP
Tue Oct 4 15:10:39 2005 : Debug: auth: type MS-CHAP
Tue Oct 4 15:10:39 2005 : Debug: Processing the authenticate section of radiusd.conf
Tue Oct 4 15:10:39 2005 : Debug: modcall: entering group Auth-Type for request 5
Tue Oct 4 15:10:39 2005 : Debug:   modsingle[authenticate]: calling mschap (rlm_mschap) for request 5
Tue Oct 4 15:10:39 2005 : Debug:   rlm_mschap: No User-Password configured. Cannot create LM-Password.
Tue Oct 4 15:10:39 2005 : Debug:   rlm_mschap: No User-Password configured. Cannot create NT-Password.
Tue Oct 4 15:10:39 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for wolfer with NT-Password
Tue Oct 4 15:10:39 2005 : Debug:   rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
Tue Oct 4 15:10:39 2005 : Debug
Re: MSCHAPv2, MySQL, Freeradius
Dan Russell [EMAIL PROTECTED] wrote:
> If I used a third party tool like mkntpwd to create NT Hashes, could I
> put premade hashes in the database and use them to authenticate ... Is
> there any specific config change I would need to make to enable this?

  No. It should work in the default config.

> How does freeradius identify that the password has already been NT hashed?

  Because you put it into the NT-Password attribute, instead of the User-Password attribute.

> What stops it from encrypting whatever it finds in the radcheck table
> for the password?

  I have no idea what question you're asking. So far as I can tell, the answer is "it doesn't work that way".

  Alan DeKok.
Re: MSCHAPv2, MySQL, Freeradius
Dan Russell [EMAIL PROTECTED] wrote:
> Is there a way in which I can have encrypted passwords in the mysql
> database and use MSCHAPv2 to authenticate users?

  If they're NT hashed, yes. Otherwise, no.

> If I used a third party tool like mkntpwd to create NT Hashes, could I
> put premade hashes in the database and use them to authenticate

  Yes.

> or would rlm_mschap encrypt the password attribute anyway?

  I have no idea what that means.

  Alan DeKok.