Re: Problem with MSCHAP and Freeradius authentication

2012-01-23 Thread Alan DeKok
NdK wrote:
 On 20/01/2012 21:46, Alan DeKok wrote:
 
   Yeah, I've gone and fixed that.  git is nice for updating web pages.
 Still there's "Then, fine the mschap module". s/fine/find/ :)

  Fixed, thanks.

 BTW, in a real AD setup, with AD servers used as DNS, there should be no
 need to set up /etc/krb5.conf: samba can auto-detect the needed settings.

  OK.  Not everyone does that, but it's good to know.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Dhiraj Gaur
Thanks NdK and Alan, I'll give it a fresh try on the testbed. I have
already deleted the DEFAULT entry from the users file and updated mschap as
indicated. I think what might be forcing NTLM_AUTH is an entry which I made
to the authorize section of the default file, after which ntlm_auth started to
work for me:

if (!control:Auth-Type) {
    update control {
        Auth-Type = ntlm_auth
    }
}

I'll try removing the same and then need to see how the mschap thing will work.
Would appreciate if you may point me to a further howto on the same. I aim
to connect an EAP client through RADIUS without the use of certificates,
for which MSCHAP seems to be an option.

I think I'll write a howto or add a wiki entry if I can make it work fine.

regards
Dhiraj Gaur


-- 
Regards

Dhiraj Gaur


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Dhiraj Gaur
Hi
I did my tests and after removing that custom block of authorize section
the following is the output.

rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2,
length=57
User-Name = 01546
User-Password = 
NAS-IP-Address = 192.168.0.99
NAS-Port = 0
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[chap] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [suffix] No '@' in User-Name = 01546,
looking up realm NULL
Sat Jan 21 19:21:08 2012 : Info: [suffix] No such realm NULL
Sat Jan 21 19:21:08 2012 : Info: ++[suffix] returns noop
Sat Jan 21 19:21:08 2012 : Info: [eap] No EAP-Message, not doing EAP
Sat Jan 21 19:21:08 2012 : Info: ++[eap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]expand:
--username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]expand:
--password=%{User-Password} -> --password=x
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program: returned: 0
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[expiration] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[logintime] returns noop
Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No known good password
found for the user.  Authentication may fail because of this.
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Sat Jan 21 19:21:08 2012 : Info: Failed to authenticate the user.
Sat Jan 21 19:21:08 2012 : Info: Using Post-Auth-Type Reject
Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...}
Sat Jan 21 19:21:08 2012 : Info: [attr_filter.access_reject]expand:
%{User-Name} - 01546
Sat Jan 21 19:21:08 2012 : Debug:  attr_filter: Matched entry DEFAULT at
line 11

-

So that means ntlm_auth is still working fine, but some access control
triggers the Access-Reject.

I am still directionless as to where I should head next, I mean how to make
that EAP client and MSCHAP authentication work. Would appreciate if I could
get some handy quick-and-dirty list of things to do next, or some URL/mailing
list entry etc. which explains the same.

I am reading a FreeRADIUS book (Packt Publishing) which just might help.

Regards
Dhiraj Gaur


-- 
Regards

Dhiraj Gaur


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread NdK
On 20/01/2012 21:46, Alan DeKok wrote:

   Yeah, I've gone and fixed that.  git is nice for updating web pages.
Uh... forgot... When using ntlm_auth with a password, --request-nt-key
seems to have no effect. Tested in different distros.

BYtE,
 Diego.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Dhiraj Gaur
Hi Fajar,
I did read the replies as well as Alan's page. Being a newbie to FR, I
actually started with that only.

On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha l...@fajar.net wrote:

 Did you REALLY read the replies sent to this list?
 Did you REALLY read Alan's page,
 http://deployingradius.com/documents/configuration/active_directory.html
 to the end?


The version of radtest on my system doesn't support the -t option, hence
even after doing radtest -h I could not find anything. I settled for the
JRadius client to achieve the same effect already. Have tried upgrading the
package but it's already the latest version.


 If yes, you'd know that:
 - radtest can send mschap request as well (see 'radtest -h')


The only changes I have done to default config is in the inner tunnel or
default file. Attaching the same if you may have a look. I have never
blamed Alan that his recipe is flawed.


 - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
 contains detailed instruction on how to make FR works with AD and pap.
 If you can't get it to work, that means you're doing something wrong.
 Probably editing some entries you shouldn't, since your ntlm_auth
 result is OK (which means samba + AD part is working correctly). It's
 perfectly fine to be creative and edit the config file as you see fit,
 but ONLY if you know what you're doing. If you're given a recipe, and
 choose to stray from it, and messed up, don't blame the guy who
 created the recipe.


The PAP thing is already working fine as I mentioned earlier and I have
followed every bit of Alan's guide. Would redo the things again if it works.


 - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
 use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
 your question, but ONLY if you already got pap working properly.



Attaching the inner tunnel and default file, please go through the same and
point out if something is amiss.

Default File
--
authorize {
    preprocess

    #auth_log
    chap
    mschap
    #digest
    #wimax
    #IPASS
    suffix
    #ntdomain
    eap {
        ok = return
    }
    #unix
    #files
    #sql
    ntlm_auth
    #etc_smbpasswd
    #ldap
    #checkval
    expiration
    logintime
    pap
    #if (!control:Auth-Type) {
    #    update control {
    #        Auth-Type = ntlm_auth
    #    }
    #}
    #Autz-Type Status-Server {
    #
    #}
}

authenticate {
    Auth-Type NTLM_AUTH {
        ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    #digest

    #pam
    #unix
    #Auth-Type LDAP {
    #    ldap
    #}
    eap
    #Auth-Type eap {
    #    eap {
    #        handled = 1
    #    }
    #    if (handled && (Response-Packet-Type == Access-Challenge)) {
    #        attr_filter.access_challenge.post-auth
    #        handled  # override the updated code from attr_filter
    #    }
    #}
}

INNER TUNNEL FILE
--
server inner-tunnel {

    #listen {
    #    ipaddr = 127.0.0.1
    #    port = 18120
    #    type = auth
    #}

    authorize {
        chap
        mschap
        #unix
        #IPASS
        suffix
        #ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        #sql
        ntlm_auth
        #etc_smbpasswd
        #ldap
        #daily
        #checkval
        expiration
        logintime
        pap
    }


    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        #pam
        ntlm_auth
        #unix
        #Auth-Type LDAP {
        #    ldap
        #}
        eap
    }



-- 
Regards

Dhiraj Gaur


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Alan DeKok
Dhiraj Gaur wrote:
 The version of radtest on my system doesn't support the -t option, hence
 even after doing radtest -h I could not find anything.

  Upgrade.  It really helps.

  Alan DeKok.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Fajar A. Nugraha
On Sat, Jan 21, 2012 at 11:14 PM, Dhiraj Gaur dhiraj.g...@gmail.com wrote:
 The version of radtest on my system doesn't support the -t option, hence even
 after doing radtest -h I could not find anything. I settled for the JRadius
 client to achieve the same effect already.

It doesn't really matter which client you use, IF you're
familiar enough with it and know how to use it. However, your posted
log still shows you use pap. So that either means:
- you don't know how to send mschap request using that client, or
- you haven't got pap working correctly, or
- you don't know the difference between pap and mschap, or
- you posted the wrong debug output

Which is it?

  Have tried upgrading the package but it's already the latest version.

You could always compile from source, or build your own package.

If you use debian or ubuntu my ppa has the latest stable freeradius
version: https://launchpad.net/~freeradius/+archive/stable
Lucid version should fit debian installations just fine.

 The PAP things is already working fine as I mentioned earlier and have 
 followed every bit of Alans guide. Would redo the things again if it works.

I take your word for it.



 - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
 use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
 your question, but ONLY if you already got pap working properly.



 Attaching the inner tunnel and default file, please go through the same and 
 point out if something is amiss.

Re-read that section, and do what it says. If you do it correctly, AND
send mschap request (using whatever client you're familiar with),
there should be NO debug line that says ntlm_auth with
User-Password together. That's because mschap does NOT send
User-Password attribute, and the ntlm_auth line is adjusted
accordingly per instructions on the site.

If you STILL have problems after doing that, post the updated debug logs.

-- 
Fajar



Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Alan DeKok
Dhiraj Gaur wrote:
 I have been trying to implement a radius authentication server at my
 workplace. The idea is to have all wifi access points authenticate
 against a radius server.

  That is a common deployment, and should be easy to do.

 The radius server needs to pass authentication to a backend Active
 Directory server. I have been successful in authenticating wifi users
 against file based and SQL based authentication in radius. NTLM_AUTH
 using PAP also works fine, wherein the plaintext password is successfully
 authenticated against the AD and I get an Access-Accept. However when
 I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is
 not working and I end up in an Access-Reject.

  CHAP will *not* work with AD.  See my web site:

http://deployingradius.com/documents/protocols/compatibility.html

 Seems like the
 ntlm_auth program is not parsing the received encrypted password, hence
 the authentication fails. MSCHAP is a requirement as wifi clients at my
 place mostly have an EAP supplicant. (Read in the freeradius documentation that
 eap and ldap don't go hand in hand; I may be wrong at interpreting the
 same.)

  You've misconfigured the server.  You have it trying to do ntlm_auth
using the User-Password, and then sending it an MS-CHAP authentication.
 There's no User-Password in MS-CHAP.

  Follow the instructions on my web site for configuring ntlm_auth:

http://deployingradius.com/documents/configuration/active_directory.html

  And then follow the other instructions for getting EAP to work.

 The freeradius logs for all the cases are listed below. Radius gurus,
 please point me in the right direction as to how to make MS_CHAP authentication
 work over ntlm_auth or ldap (if possible).
 
 PS: I did all the testing using JRadius simulator.

  FreeRADIUS comes with radclient, which does PAP, CHAP, and MS-CHAP.
 That should be all you need.

  Alan DeKok.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Dhiraj Gaur
Hi Alan,
Thanks for the reply. I already followed your site and was able to make
ntlm_auth work. For MS-CHAP the AD page of your site says:

Start the server and use a test client to send an MS-CHAP authentication
request. The radclient cannot currently be used to send this request,
unfortunately, which makes testing a little difficult. If everything goes
well, you should see the server returning an
Access-Accept (http://freeradius.org/rfc/rfc2865.html#Access-Accept) message
as above.

Hence I was of the view radtest cannot work for MS-CHAP authentication.
Request you to point me to the right link and way to do the MS-CHAP
procedure and testing the same through radtest. I could not understand
"There's no User-Password in MS-CHAP."

Regards
Dhiraj Gaur

-- 
Regards

Dhiraj Gaur


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread NdK
On 20/01/2012 17:17, Dhiraj Gaur wrote:

 Thanks for the reply. I already followed your site and was able to make
 ntlm_auth work. For MS-CHAP the AD page of your site says
 
 Start the server and use a test client to send an MS-CHAP
 authentication request. The |radclient| cannot currently be used to send
 this request, unfortunately, which makes testing a little difficult If
 everything goes well, you should see the server returning an
 Access-Accept http://freeradius.org/rfc/rfc2865.html#Access-Accept
 message as above.
Been there too.
But after that I tested with eapol_test from wpa_supplicant. With
negative results :(

 Hence I was of the view radtest cannot work for MS-CHAP authentication.
 Request you to point me to the right link and way to do the MS-CHAP
 procedure and testing the same through radtest. I could not understand
 "There's no User-Password in MS-CHAP."
It's not sent to the server, so you can't use --pass= for ntlm_auth.
It's only used to encrypt the challenge.


BYtE,
 Diego.

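The point made by Fajar and by Diego above (an MS-CHAP request carries a challenge and a response, never a User-Password attribute, so a PAP-style ntlm_auth line has nothing to expand) as an added Python example that is not code from the thread or from FreeRADIUS. It builds an MS-CHAPv2 Access-Request from RFC 2548 Microsoft VSAs, computes the RFC 2759 challenge hash that `%{mschap:Challenge}` expands to, and expands both ntlm_auth command lines discussed in the thread against it; the sample values are the RFC 2759 section 9.2 test vectors, and the ntlm_auth path and the MYDOMAIN fallback are assumptions copied from the thread.

```python
# Added example, not code from the thread or from FreeRADIUS. It models the
# attributes an MS-CHAPv2 Access-Request carries (RFC 2548 Microsoft VSAs),
# computes the RFC 2759 challenge hash that %{mschap:Challenge} expands to,
# and expands the two ntlm_auth command lines discussed in the thread against
# that request. Sample values are the RFC 2759 section 9.2 test vectors; the
# ntlm_auth path and the MYDOMAIN fallback are assumptions taken from the thread.
import hashlib
import struct

RADIUS_USER_NAME = 1
RADIUS_USER_PASSWORD = 2
RADIUS_VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311
MS_CHAP_CHALLENGE = 11    # RFC 2548 2.1.3: 16-octet authenticator challenge
MS_CHAP2_RESPONSE = 25    # RFC 2548 2.3.2: ident, flags, peer challenge, reserved, NT-Response


def attr(atype, value):
    """Encode one RADIUS attribute TLV (type, length, value)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def ms_vsa(vtype, value):
    """Encode a Microsoft Vendor-Specific attribute (RFC 2865 5.26 / RFC 2548)."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT_VENDOR_ID) + inner)


def parse_attributes(payload):
    """Walk the TLVs; Microsoft VSAs are keyed as ('MS', vendor_type)."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == MICROSOFT_VENDOR_ID:
                vtype, vlen = value[4], value[5]
                attrs[("MS", vtype)] = value[6:4 + vlen]
        else:
            attrs[atype] = value
        i += alen
    return attrs


def mschap_user_name(user_name):
    """Mimic %{mschap:User-Name} / %{mschap:NT-Domain}: split 'DOMAIN\\user'."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return user, domain
    return user_name, None


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 8.2 ChallengeHash(): the 8 octets %{mschap:Challenge} yields for v2."""
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def pap_style_ntlm_auth(attrs):
    """The exec-module line from the thread (--password=%{User-Password}).
    For an MS-CHAP request the attribute is absent, so the expansion is empty."""
    user, _ = mschap_user_name(attrs[RADIUS_USER_NAME].decode("ascii"))
    password = attrs.get(RADIUS_USER_PASSWORD, b"").decode("ascii")
    return ["/usr/bin/ntlm_auth", "--request-nt-key", "--domain=MYDOMAIN",
            "--username=" + user, "--password=" + password]


def mschap_ntlm_auth(attrs, default_domain="MYDOMAIN"):
    """The modules/mschap line from the guide (--challenge/--nt-response).
    Raises for a non-MS-CHAPv2 request, where the mschap module returns noop."""
    if ("MS", MS_CHAP2_RESPONSE) not in attrs or ("MS", MS_CHAP_CHALLENGE) not in attrs:
        raise ValueError("not an MS-CHAPv2 request; mschap would return noop")
    resp = attrs[("MS", MS_CHAP2_RESPONSE)]
    if len(resp) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets")
    peer_challenge, nt_response = resp[2:18], resp[26:50]   # skip ident, flags, reserved
    auth_challenge = attrs[("MS", MS_CHAP_CHALLENGE)]
    user, domain = mschap_user_name(attrs[RADIUS_USER_NAME].decode("ascii"))
    challenge = challenge_hash(peer_challenge, auth_challenge, user)
    return ["/usr/bin/ntlm_auth", "--request-nt-key", "--username=" + user,
            "--domain=" + (domain or default_domain),
            "--challenge=" + challenge.hex(), "--nt-response=" + nt_response.hex()]


# Constructed request from the RFC 2759 9.2 vectors (user "User", password
# "clientPass"); note there is no User-Password attribute anywhere in it.
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
SAMPLE_MSCHAP_REQUEST = (
    attr(RADIUS_USER_NAME, b"User")
    + ms_vsa(MS_CHAP_CHALLENGE, AUTH_CHALLENGE)
    + ms_vsa(MS_CHAP2_RESPONSE, bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + NT_RESPONSE)
)
# Constructed PAP request; the password is shown un-obfuscated for brevity
# (on the wire it is hidden with the shared secret per RFC 2865 5.2).
SAMPLE_PAP_REQUEST = attr(RADIUS_USER_NAME, b"User") + attr(RADIUS_USER_PASSWORD, b"clientPass")

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_MSCHAP_REQUEST)
    print("User-Password present:", RADIUS_USER_PASSWORD in attrs)
    print("thread's exec line: ", " ".join(pap_style_ntlm_auth(attrs)))
    print("guide's mschap line:", " ".join(mschap_ntlm_auth(attrs)))
```

Run against the MS-CHAP request, the exec-module line ends in a bare `--password=`, which is exactly why the server log in the thread can only show ntlm_auth succeeding for PAP requests.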

Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Alan DeKok
Dhiraj Gaur wrote:
 Start the server and use a test client to send an MS-CHAP
 authentication request. The |radclient| cannot currently be used to send
 this request, unfortunately, which makes testing a little difficult If
 everything goes well, you should see the server returning an
 Access-Accept http://freeradius.org/rfc/rfc2865.html#Access-Accept
 message as above.

  The radclient program has since been updated.

 Hence I was of the view radtest cannot work for MS-CHAP authentication.

  Sure.  However, see radtest -h.  If you're running a recent version,
it will tell you it can do MS-CHAP.

 Request you to point me to the right link and way to do the MS-CHAP
 procedure and testing the same through radtest. I could not understand
 "There's no User-Password in MS-CHAP."

  You hard-coded it to *always* do NTLM authentication, using the PAP
credentials.  Then you sent it a request which didn't contain a
cleartext password.

  Again, the guide explains this in great detail.  Follow it, and it
will work.

  Alan DeKok.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread NdK
On 20/01/2012 19:44, Alan DeKok wrote:

   The radclient program has since been updated.
Then it could be better to update that page, since it's the reference
for all newbies that try to make it work.

   You hard-coded it to *always* do NTLM authentication, using the PAP
 credentials.  Then you sent it a request which didn't contain a
 cleartext password.
That's easy, it's on the page: remove the DEFAULT added for testing :)

   Again, the guide explains this in great detail.  Follow it, and it
 will work.
It *should* work is more correct :(
There still are many things that can go wrong.

BYtE,
 Diego.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread Alan DeKok
NdK wrote:
   The radclient program has since been updated.
 Then it could be better to update that page, since it's the reference
 for all newbies that try to make it work.

  Yeah, I've gone and fixed that.  git is nice for updating web pages.

 It *should* work is more correct :(
 There still are many things that can go wrong.

  If it doesn't work, the web pages explain which part to blame.  99% of
the time, it's a bug in someone else's software.

  Alan DeKok.


RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
OK,

Just to recap, I'm working on setting Freeradius up to authenticate users to 
our wireless network.  We want to use PEAP-MSCHAPv2 and authenticate against 
Active Directory.  I'm using samba and ntlm_auth.

Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

Needless to say it's failing.

I set the mydomain.ox.ac.uk realm in proxy.conf as someone on here suggested on 
Friday, and that has cleared up the warning about unknown realms.

When connecting, I still get several errors before auth fails.

I've pasted my debug output into the web tool and it picks out the following in 
red

security {
max_attributes = 200
reject_delay = 1 (This line in red)
status_server = yes
 }


(all in red)
Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /etc/raddb/attrs.access_reject


[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this. (In yellow)


I also see (not highlighted) that I'm still getting

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


I have configured modules/mschap to use ntlm_auth as follows

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Am I missing something in the MSCHAP config?

Cheers,

Mark





Re: Problem with MSCHAP

2010-10-12 Thread Alan Buxey
Hi,

 I've pasted my debug output into the web tool and it picks out the following 
 in red
 
 security {
 max_attributes = 200
 reject_delay = 1 (This line in red)
 status_server = yes
  }
 
 
 (all in red)
 Module: Instantiating attr_filter.access_reject
   attr_filter attr_filter.access_reject {
 attrsfile = /etc/raddb/attrs.access_reject

ignore those - the word 'reject' is being flagged without context.

 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this. (In yellow)

okay.

 I also see (not highlighted) that I'm still getting
 
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

 I have configured modules/mschap to use ntlm_auth as follows
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
 --username=%{mschap:User-Name:-None} 
 --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} 
 --nt-response=%{mschap:NT-Response:-00}
 
 Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc?  when you run
it in full debug mode - and you aren't helping yourself by failing to post that
here - you should see the incantation of the ntlm_auth line - if not, then it's
not being called...and it would be with the default configuration files.

alan


RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
Alan,

Thanks for your reply.

 how are you testing this - a real client, command line tool etc?  when you run
 it in full debug mode - and you aren't helping yourself by failing to post that
 here

I'm testing with a real client and access point.

OK - I wasn't sure posting the whole debug would be appreciated, but I have 
posted it at

http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt

 you should see the incantation of the ntlm_auth line - if not, then it's not 
 being called

I can only see two references to ntlm_auth, this:-


Module: Instantiating ntlm_auth
  exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=%{mschap:User-Name} --password=%{User-Password}
input_pairs = request
shell_escape = yes
  }

And another line indicating the ntlm_auth config file is being included:-

including configuration file /etc/raddb/modules/ntlm_auth

Should I also see ntlm_auth being called during the authentication - presumably 
I should...

Thanks,

Mark




RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
Ah - I think I see the issue - the ntlm auth line in modules/mschap is after 
the } so presumably not being read...



Re: Problem with MSCHAP

2010-10-08 Thread Phil Mayers

On 08/10/10 14:24, Mark Holmes wrote:

 and I see the server returns Access-Accept.

Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Secondly, this is just testing PAP i.e. plain username/password auth.
Wireless typically uses 802.1x via EAP.

 I then configure MS-CHAP, removing the DEFAULT Auth-Type from users
 and editing modules/mschap as follows

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --username=%{mschap:User-Name:-None}
 --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

That looks about right.

 Output from radius -X at the bottom of this message.  The bit that
 looks relevant to me is

 ++[mschap] returns noop

No, you're misreading it - see below.

 [suffix] Looking up realm mydomain.ox.ac.uk for User-Name =
 firstname.lastn...@mydomain.ox.ac.uk [suffix] No such realm
 mydomain.ox.ac.uk

 However I'm not sure I need to worry about that bit - at the moment
 this is just a single, stand alone RADIUS server so I'm not sure I
 need to worry about realms or do I?

Not for the moment.

 Not sure where to go from here - are there some basic things I should
 check?  I haven't included my conf files in this post but happy to do
 so if required.

Don't post the config files. The *full* debug output (from start to
failure) is what's needed. Something like:

/usr/sbin/radiusd -X | tee thelog.txt

EAP is a multi-pass protocol; there will be 4-8 requests, and the actual
MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS
tunnel is established, but before the failure is sent.

 Output from -X

That's just the final packet.

 [peap]  Had sent TLV failure.  User was rejected earlier in this session.
 [eap] Handler failed in EAP/peap

This is an EAP-PEAP, not MS-CHAP, request (hence the noop). The failure
occurred in an earlier packet; please post the full debug output.



RE: Problem with MSCHAP

2010-10-08 Thread Garber, Neal
 [peap] Received EAP-TLV response.
 [peap]  Had sent TLV failure.  User was rejected earlier in this session.

You need to look earlier in your debug output to see why it was rejected 
(that's what this error message means)



Re: Problem with MSCHAP

2010-10-08 Thread Alan Buxey
Hi,

 I'm new to freeradius, I'm working on setting it up to authenticate users to 
 our wireless network.  We want to use PEAP-MSCHAPv2 and authenticate against 
 Active Directory.  I'm using samba and ntlm_auth.

okay - a fairly standard setup for modern 802.1X

 Versions:freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

okay - the right 'blend'..as it were

 I have the ntlm_auth part working in as far as I can put DEFAULT Auth-Type = 
 ntlm_auth in users and then do

you don't need to set Auth-Type for the MSCHAPv2 stuff... you might need it if, for example,
you wanted to do MSCHAPv2 AND kerberos for different types of requests - even then, you
only need to set kerberos to be the Auth-Type as the EAP module is intelligent

 I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and 
 editing modules/mschap as follows
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
 --username=%{mschap:User-Name:-None} 
 --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} 
 --nt-response=%{mschap:NT-Response:-00}

do you REALLY want to accept what the user puts in as the gospel truth?  ie, I wouldn't be
comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it
really was a local user!)

 Output from radius -X at the bottom of this message.  The bit that looks 
 relevant to me is

what you have posted is the 'replay' of a transaction - try starting the daemon up and
launching the request ASAP - ie so what we have is straight after the 'listen and ready'
line - especially as with your current ntlm_auth line I'd expect to see a deprecated warning

 [suffix] Looking up realm mydomain.ox.ac.uk for User-Name = 
 firstname.lastn...@mydomain.ox.ac.uk
 [suffix] No such realm mydomain.ox.ac.uk
 
 However I'm not sure I need to worry about that bit - at the moment this is 
 just a single, stand alone RADIUS server so I'm not sure I need to worry 
 about realms or do I?

it'd still be best to define that realm, if using prefix, to be local eg in proxy.conf

realm mydomain.ox.ac.uk {
	strip
}

alan


RE: Problem with MSCHAP

2010-10-08 Thread Mark Holmes
All,

Many thanks for the replies.

 Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Sure - I set that just to test the AD auth was working, and removed it again 
prior to configuring mschap.

EAP is a multi-pass protocol; there will be 4-8 requests, and the actual 
MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS 
tunnel is established, but before the failure is sent.

Ah - doh!

I wasn't sure about posting the whole lot to this list as it runs to quite a 
few lines so posted it here 

http://www.nuffield.ox.ac.uk/scratch/logfile.txt

Thanks,

Mark



Re: Problem with MSCHAP

2010-10-08 Thread Alan DeKok
Mark Holmes wrote:
 I wasn't sure about posting the whole lot to this list as it runs to quite a 
 few lines so posted it here 
 
 http://www.nuffield.ox.ac.uk/scratch/logfile.txt

  Cut & paste that into the form on this page:

http://networkradius.com/freeradius.html

  Then, look for red / yellow text.

  Alan DeKok.


Re: Problem with MSCHAP

2010-10-08 Thread Mark Holmes
 do you REALLY want to accept what the user puts in as the gospel truth?  ie, I wouldn't be
 comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it
 really was a local user!)

Good point.

Our existing setup uses IAS, and is configured to expect the domain to be 
appended.  I want to switch to FreeRADIUS without too many changes being 
required client side - possibly even none if I moved the cert from the IAS box 
to the FreeRADIUS machine.

Cheers,

Mark


On 8 Oct 2010, at 14:59, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 do you REALLY want to accept what the user puts in as the gospel truth?  ie, I wouldn't be
 comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it
 really was a local user!)


Re: Problem with mschap, ntlm_auth and a conditional syntax

2007-04-10 Thread Alan DeKok
Lukasz Lacinski wrote:
 Below is my previous e-mail, but with output from freeradius in format easier 
 to read.
 
 I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in 
 radiusd.conf:
 ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
 --username=%{Stripped-User-Name:-%{User-Name:-None}} 
 --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

  I've committed a fix to CVS head.  Please re-test.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problem with mschap, ntlm_auth and a conditional syntax

2007-04-10 Thread Lukasz Lacinski
Alan DeKok wrote:
   I've committed a fix to CVS head.  Please re-test.
   
OK. I'm going to test it as soon as possible.
It means when SIGSEGV will not be so fast ;-)


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=160, 
length=166
User-Name = [EMAIL PROTECTED]
Framed-MTU = 1400
Called-Station-Id = 0014.1bb6.da30
Calling-Station-Id = 0002.b306.4cf1
Service-Type = Login-User
Message-Authenticator = 0x1b86f1e76d4be2fa3bb2c0c5daf968d6
EAP-Message = 
0x0202001d01757a79737a6b6f646e696b406c6174696e2e70637a2e706c
NAS-Port-Type = Wireless-802.11
NAS-Port = 863
NAS-Port-Id = 863
NAS-IP-Address = 10.0.0.2
NAS-Identifier = ap
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0

Program received signal SIGSEGV, Segmentation fault.
0xb7c13c26 in ?? ()
(gdb) where
#0  0xb7c13c26 in ?? ()
#1  0x801228a0 in ?? ()
#2  0x in ?? ()
(gdb)

Lukasz Lacinski


Re: Problem with mschap, ntlm_auth and a conditional syntax

2007-04-09 Thread Lukasz Lacinski
Below is my previous e-mail, but with the output from freeradius in a format that is 
easier to read.

I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in 
radiusd.conf:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

A corresponding part of debug from radiusd -X is:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge:-00'
  rlm_mschap: Unknown expansion string Challenge:-00
radius_xlat:  '--challenge='
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response:-00'
  rlm_mschap: Unknown expansion string NT-Response:-00
radius_xlat:  '--nt-response='
Exec-Program output: Specify all required command line parameters!
Exec-Program-Wait: plaintext: Specify all required command line parameters!
Exec-Program: returned: 1

When I remove conditional syntax:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

authentication operates correctly:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: ca
radius_xlat:  '--challenge=1d6796d06b4bab53'
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat: '--nt-response=69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0

I tested freeradius 1.1.4 with conditional syntax:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

and here parameters with conditional syntax are interpreted correctly:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: af
radius_xlat:  '--challenge=eebe17185aaa4366'
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat: '--nt-response=f668c0b7b4e32deeb49529c2f3295699561589836d73f474'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0


Lukasz Lacinski

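An added illustration (my own Python, not FreeRADIUS code) of the `%{ref:-default}` xlat semantics the ntlm_auth lines in this thread rely on: the default is applied by the expansion layer, so rlm_mschap is never handed the literal `Challenge:-00` that the 2007 debug output shows, and a reference may itself be an xlat, as in `%{%{mschap:NT-Domain}:-MYDOMAIN}`. The attribute values are constructed (the challenge and NT-Response are copied from the debug output above), and the template is the thread's ntlm_auth line joined onto one line.

```python
from typing import Callable, Dict, Optional
# Constructed sample of what the mschap xlat sees for one inner MS-CHAPv2 request;
# NT-Domain is deliberately absent so that the ":-MYDOMAIN" default is exercised.
SAMPLE_ATTRS: Dict[str, str] = {"mschap:User-Name": "mark.holmes",
                                "mschap:Challenge": "1d6796d06b4bab53",
                                "mschap:NT-Response": "69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8"}
# The thread's ntlm_auth line, joined onto a single line.
NTLM_AUTH_TEMPLATE = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} "
                      "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} "
                      "--nt-response=%{mschap:NT-Response:-00}")

def _matching_close(s: str, open_idx: int) -> int:
    """Index of the '}' that closes the '{' at s[open_idx], honouring nesting."""
    depth = 0
    for i in range(open_idx, len(s)):
        depth += {"{": 1, "}": -1}.get(s[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces in xlat: %r" % s)

def _split_default(body: str):
    """Split 'ref:-default' at the first ':-' that is not inside nested braces."""
    depth = 0
    for i in range(len(body) - 1):
        depth += {"{": 1, "}": -1}.get(body[i], 0)
        if depth == 0 and body[i:i + 2] == ":-":
            return body[:i], body[i + 2:]
    return body, None

def expand(template: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Expand %{ref} / %{ref:-default}. The default is applied at this layer, so the
    module only ever receives the bare reference, never the literal 'Challenge:-00'."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        close = _matching_close(template, i + 1)
        ref, default = _split_default(template[i + 2:close])
        # the reference may itself be an xlat, as in %{%{mschap:NT-Domain}:-MYDOMAIN}
        value = expand(ref, lookup) if ref.startswith("%{") else (lookup(ref) or "")
        if value == "" and default is not None:
            value = expand(default, lookup)  # defaults nest too: %{A:-%{B:-None}}
        out.append(value)
        i = close + 1
    return "".join(out)

def ntlm_auth_argv(attrs: Dict[str, str]) -> list:
    return expand(NTLM_AUTH_TEMPLATE, attrs.get).split()
```

Pinning the domain as Alan Buxey suggests is then a one-token change to the template: replace `%{%{mschap:NT-Domain}:-MYDOMAIN}` with the domain name itself.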