Re: MS-CHAP-V2 allow_retry on ldap authentification
On 23/10/12 10:52, Daniel Ekman wrote: the send_error was added to version 2.1.11 as a bug fix "Allow EAP-MSCHAPv2 to send error message to client. This change allows some clients to prompt the user for a new password. See raddb/eap.conf, mschapv2 section, "send_error"." I know that. I mean "like I read somewhere it would" was vague. Seriously: "radiusd -X" radiusd -X gives the same output to mac/windows/linux users when they need to re-enter their password but only the mac/linux users get a prompt for it. That doesn't mean it wouldn't be helpful to see it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 allow_retry on ldap authentification
Thanks for replying and sorry if I'm being vague, I'll try and be more specific. On Tue, Oct 23, 2012 at 10:59 AM, Phil Mayers wrote: > On 10/22/2012 09:13 AM, Daniel Ekman wrote: >> >> Hi list, >> >> I have a fairly large user base doing WPA2-enterprise from various >> OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is >> authenticating via LDAP and things are running pretty well, only snag >> I have currently with this is when people change their password. I > > > Change their password where? Elsewhere, right? So, you want to prompt the > clients to enter a new password, because the user has changed passwords on > the server. > Yes, clients change their password on the server via a custom web interface on top of the LDAP and this then obviously do not get automatically updated on the wireless settings on the clients computer. > >> in the latest version allow_retry and retry_msg in the mschap module >> was implemented and this works great on my mac and linux userbase, >> however it does not work for the windows users, the FreeRADIUS server >> is still sending the same things to the user but for some reason there >> is no popup telling the user to change their password so here is my >> actual question, is this supposed to work? should the windows users >> also get the popup saying "please change password"? > > > Your terminiology is confusing. Do you mean "change password" or "re-enter > your password". Because the two are very, very different. Re-enter the password in the wireless setup if they do not get authenticated. > > To be honest, your email is sort of vague and specific at the same time, if > that makes any sense - there's some LDAP, some different set of accounts, > something else... > > I've got no idea if Windows can even behave the way you want > > >> >> judging from what some threads say like this for example >> >> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html > > > That message predates major changes to the PEAP and EAP-MSCHAPv2 modules to > support password *change* (see why I said it was confusing?). So I'd be > cautious about reading too much into it. > > >> seems to indicate there are problems but it also sounds like there is >> a solution. >> >> I have also tried adding the send_error setting in eap.conf but that >> only broke things like I read somewhere it would. > > > ...vague much? the send_error was added to version 2.1.11 as a bug fix "Allow EAP-MSCHAPv2 to send error message to client. This change allows some clients to prompt the user for a new password. See raddb/eap.conf, mschapv2 section, "send_error"." This was said in earlier version to solve issues for some clients but *may* also cause other clients to stop working. The setting is also not included in version 2.1.12 eap.conf. > > Seriously: "radiusd -X" radiusd -X gives the same output to mac/windows/linux users when they need to re-enter their password but only the mac/linux users get a prompt for it. > > If I have time today, I'll try to resurrect our "for comparison" NPS server > and see what Microsoft do. It's possible you just can't prompt Windows in > the way you want. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 allow_retry on ldap authentification
On 10/22/2012 09:13 AM, Daniel Ekman wrote: Hi list, I have a fairly large user base doing WPA2-enterprise from various OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is authenticating via LDAP and things are running pretty well, only snag I have currently with this is when people change their password. I Change their password where? Elsewhere, right? So, you want to prompt the clients to enter a new password, because the user has changed passwords on the server. in the latest version allow_retry and retry_msg in the mschap module was implemented and this works great on my mac and linux userbase, however it does not work for the windows users, the FreeRADIUS server is still sending the same things to the user but for some reason there is no popup telling the user to change their password so here is my actual question, is this supposed to work? should the windows users also get the popup saying "please change password"? Your terminiology is confusing. Do you mean "change password" or "re-enter your password". Because the two are very, very different. To be honest, your email is sort of vague and specific at the same time, if that makes any sense - there's some LDAP, some different set of accounts, something else... I've got no idea if Windows can even behave the way you want judging from what some threads say like this for example http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html That message predates major changes to the PEAP and EAP-MSCHAPv2 modules to support password *change* (see why I said it was confusing?). So I'd be cautious about reading too much into it. seems to indicate there are problems but it also sounds like there is a solution. I have also tried adding the send_error setting in eap.conf but that only broke things like I read somewhere it would. ...vague much? Seriously: "radiusd -X" If I have time today, I'll try to resurrect our "for comparison" NPS server and see what Microsoft do. It's possible you just can't prompt Windows in the way you want. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
... that's it. I was blind while searching for a FreeRADIUS issue. I'm sorry for the lost time, anyway thank you for the answers. Le 11/07/2011 14:22, Alan DeKok a écrit : Bastien Semene wrote: I express myself very badly, sorry. The configuration I put in my first mail is the current configuration, running, after restart. The debug and commands output are from the current - reloaded - configuration. There's only 1 entry in the radcheck table, and it's current password is "blabla". There is nothing magic about the server. If it authenticates the user with the "wrong" password, it's because you didn't update the password. I don't understand how radius can still authenticate with the old password. An output of the users file and MySQL table is available in my first mail. I don't know where the old password can be still stored. You probably have two databases. FreeRADIUS is using one, and you've updated the other. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- If you think experts are expensive, wait to see what amateurs will cost you -- Bastien Semene Administrateur Réseau& Système Cyanide Studio - FRANCE - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
Bastien Semene wrote: > I express myself very badly, sorry. > > The configuration I put in my first mail is the current configuration, > running, after restart. > The debug and commands output are from the current - reloaded - > configuration. > There's only 1 entry in the radcheck table, and it's current password is > "blabla". There is nothing magic about the server. If it authenticates the user with the "wrong" password, it's because you didn't update the password. > I don't understand how radius can still authenticate with the old password. > An output of the users file and MySQL table is available in my first > mail. I don't know where the old password can be still stored. You probably have two databases. FreeRADIUS is using one, and you've updated the other. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
I express myself very badly, sorry.
The configuration I put in my first mail is the current configuration,
running, after restart.
The debug and commands output are from the current - reloaded -
configuration.
There's only 1 entry in the radcheck table, and it's current password is
"blabla".
The three error outputs are relative to the logs. This means that the
three cases are different :
old password => working (and should not at all)
current password "blabla" => [mschap] Told to do MS-CHAPv1 with
NT-Password \n [mschap] MS-CHAP-Response is incorrect.
random string (not in the database) => [mschap] No Cleartext-Password
configured. Cannot create LM-Password. (correct error)
I don't understand how radius can still authenticate with the old password.
An output of the users file and MySQL table is available in my first
mail. I don't know where the old password can be still stored.
Le 11/07/2011 13:04, Alan DeKok a écrit :
Bastien Semene wrote:
I'm currently - trying to - set up a radius server.
The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
During my tests, for the same user I used "test" password, then "blabla"
password.
Now, I use "blabla" and it's not working. instead "test" is still
working ...
I tested with a third string ("ahaha") , there's a third error output...
I have no idea what that means.
I tried restarting radiusd and the jail it's running into, this does
changes nothing.
All this commands/outputs are from the same running server (I mean no
reboot).
How can this happen ?
The server reads it's configuration files only when it starts. If you
edit the configuration files, you will need to restart the server.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
If you think experts are expensive,
wait to see what amateurs will cost you
--
Bastien Semene
Administrateur Réseau& Système
Cyanide Studio - FRANCE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
11.07.2011 15:18 пользователь "Alan DeKok" написал: > > Users have one password. You can't authenticate with any one of three > passwords. The authentication protocols just don't work that way. > Think Bastien means this: 1. Start server, user has password "password123". 2. Authentication successfull 3. Change password in MySQL to "blabla" without restarting the server. 4. Authentication failed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
Alexey Shildyakov wrote: > I think he mean that only first password is worked. The second and third > version of tye password for the same user aren't worked. Users have one password. You can't authenticate with any one of three passwords. The authentication protocols just don't work that way. > But is it apply for MYSQL too? Think I don't need to restart the server > in case MYSQL because each time tye server does SELECT from MySQL, > doesn't it? It doesn't apply for MySQL. I never said it applied for MySQL. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
11.07.2011 15:06 пользователь "Alan DeKok"
написал:
>
> Bastien Semene wrote:
> > I'm currently - trying to - set up a radius server.
> > The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
> >
> > During my tests, for the same user I used "test" password, then "blabla"
> > password.
> > Now, I use "blabla" and it's not working. instead "test" is still
> > working ...
> > I tested with a third string ("ahaha") , there's a third error output...
>
> I have no idea what that means.
I think he mean that only first password is worked. The second and third
version of tye password for the same user aren't worked.
>
> > I tried restarting radiusd and the jail it's running into, this does
> > changes nothing.
> > All this commands/outputs are from the same running server (I mean no
> > reboot).
> >
> > How can this happen
>
> The server reads it's configuration files only when it starts. If you
> edit the configuration files, you will need to restart the server.
But is it apply for MYSQL too? Think I don't need to restart the server in
case MYSQL because each time tye server does SELECT from MySQL, doesn't it?
>
> Alan DeKok.
>
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Auth fail, password cache ?
Bastien Semene wrote:
> I'm currently - trying to - set up a radius server.
> The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
>
> During my tests, for the same user I used "test" password, then "blabla"
> password.
> Now, I use "blabla" and it's not working. instead "test" is still
> working ...
> I tested with a third string ("ahaha") , there's a third error output...
I have no idea what that means.
> I tried restarting radiusd and the jail it's running into, this does
> changes nothing.
> All this commands/outputs are from the same running server (I mean no
> reboot).
>
> How can this happen ?
The server reads it's configuration files only when it starts. If you
edit the configuration files, you will need to restart the server.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: >> From your perspective which approach to getting retry enabled working do > you recommend for 2.11 so we can be testing the same version: > > o my tweaks of Phil's single "challenge" patch > o Phil's challenge and password change patches > o a simpler two patch solution which does not do passwords - the > challenge patch and a rearrangement patch which detects responses to > retry challenges? I'd like the changes to be split logically. (1) changes to allow retry for EAP-MSCHAPv2 (2) MS-CHAP password changes. Failing that, I'd prefer to test Phil's changes as-is. They seem to do everything you need, and they're a known quantity. > Is there any thing I can do to help get this accomplished? More testing. :( Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Hi Alan, I just wanted to make sure you know what we are currently running - we started with 2.1.x after patches were put in place related to retry/no-retry - this version works properly for no-retry but does not operate correctly with retry allowed. We next applied the patch from Phil which corrected the challenge - this by itself still did not work properly with retry. We next tweaked that patch to send a request rather than failure if retry was being allowed and this worked as it should have. Phil indicated that he had reworked the mschap module to deal with password changes and as part of that change resulted in the correct behavior if his original patch to fix the challenge was left unmodified. I personally think his approach is better but more complex because it also has code related to password change (a feature we would not use). I think it would be highly desirable to get a version of the patch which works correctly with retry enabled since it significantly reduces support calls in environments which have required password changes. From your perspective which approach to getting retry enabled working do you recommend for 2.11 so we can be testing the same version: o my tweaks of Phil's single "challenge" patch o Phil's challenge and password change patches o a simpler two patch solution which does not do passwords - the challenge patch and a rearrangement patch which detects responses to retry challenges? Is there any thing I can do to help get this accomplished? johnh... On Tue, 26 Apr 2011, Alan DeKok wrote: Date: Tue, 26 Apr 2011 07:57:09 From: Alan DeKok Reply-To: FreeRadius users mailing list To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry john.hayw...@wheaton.edu wrote: Just a brief update. In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only needs to enter the correct password to be connected and no "contact your network administrator" or other messages occur. Our support people are thrilled. If it's that useful, it should go into 2.1.11. I'd prefer to have everyone possible test this, so that we're sure it doesn't break anything. Remember: FreeRADIUS depends on all of you for it's success. The more you give, the better it gets. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: > Just a brief update. > > In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as > expected with this retry patch - user is presented with a password > dialog box and the connection is not aborted - user only needs to enter > the correct password to be connected and no "contact your network > administrator" or other messages occur. > > Our support people are thrilled. If it's that useful, it should go into 2.1.11. I'd prefer to have everyone possible test this, so that we're sure it doesn't break anything. Remember: FreeRADIUS depends on all of you for it's success. The more you give, the better it gets. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/22/2011 11:22 AM, Alan Buxey wrote: Hi, Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? If enough people test it and say it works. do we have a direct single known patch now for application to a 2.1.10 source? (theres been a lot of subtle updates flying around) The patch I wrote is against the v2.1.x development branch (i.e. against 2.1.11-pre, really) and comes in the form of 5 separate commits (an attempt at making it "easy" to review ;o) So no - not a single source patch to 2.1.10. It would be a bit tricky to generate without pulling in lots of the unrelated stuff that's going into 2.1.11, and I'm on holiday at the moment so would like to skip generating one! https://github.com/philmayers/freeradius-server/tarball/v2.1.x-mschap-changepass ...might give you the full source; it's not a feature of github I've used before. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Hi, > > Do we know if the password change (and adjustments to retry which make > > it work) will be included in 2.1.11? > > If enough people test it and say it works. do we have a direct single known patch now for application to a 2.1.10 source? (theres been a lot of subtle updates flying around) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/22/2011 09:56 AM, Alan DeKok wrote: If enough people test it and say it works. 2.1.11 is a "stable" release, so breaking things is very, very, bad. Agreed. It's an extensive change, and needs extensive testing. Personally I'd be inclined to say don't delay 2.1.11. I hope to be able to roll this out at our site in May, which will get a few tens of thousands of clients through it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: > I like your changes better. It allows to in the future add a retry max > so each failure could be counted and send a R=0 after a certain number > of failures. The EAP module already does *some* checking of this. If there are more than ~40 or so round trips, it discards the session. However, it may be useful to limit the retries here to no more than 2. > Do we know if the password change (and adjustments to retry which make > it work) will be included in 2.1.11? If enough people test it and say it works. 2.1.11 is a "stable" release, so breaking things is very, very, bad. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
I like your changes better. It allows to in the future add a retry max so
each failure could be counted and send a R=0 after a certain number of
failures.
I had briefly looked at the other area and decided it would take more
changes work with a response from a failure code than adjust it over when
sending the failure with a challenge.
Do we know if the password change (and adjustments to retry which make it
work) will be included in 2.1.11?
johnh...
On Thu, 21 Apr 2011, Phil Mayers wrote:
Date: Thu, 21 Apr 2011 12:17:55
From: Phil Mayers
Reply-To: FreeRadius users mailing list
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote:
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I
could get the retry to work properly on a windows7 machine.
The problem is that when we do a retry in addition to setting the
challenge value we also need to change the data->code to challenge
rather than failure. When the response comes back we can correctly deal
with it.
Hmm. I don't see that behaviour. That is probably due to the later changes I
made in the EAP-MSCHAPv2 state machine, here:
https://github.com/philmayers/freeradius-server/commit/8e3eece6e3c397f3a4b0c06a37a80bc8964997fd
Specifically, the old code compares client current opcode against server last
opcode; the patch I wrote above does a switch over server last opcode, then
permits one or more valid client opcodes. Response is specifically permitted
after failure, as it change-password (opcode 7).
original patch -- with suggested changes
678 - pairmove2(&response, &handler->request->reply->vps,
This patch is a bit "magic" for my tastes. The only reason it works is
because eapmschapv2_compose completely ignores data->code - it chooses the
EAP-MSCHAPv2 opcode based on the 2nd VALUE_PAIR* argument.
So essentially you're setting data->code to trick the state machine in
mschapv2_authenticate, but to someone unfamiliar with the code it would read
like you're sending a challenge back, which you're not - you're sending a
failure back.
An alternative approach would be:
--- rlm_eap_mschapv2.c~ 2010-10-13 13:34:16.0 +0100
+++ rlm_eap_mschapv2.c 2011-04-21 18:08:19.0 +0100
@@ -424,10 +424,6 @@
* a challenge.
*/
case PW_EAP_MSCHAPV2_RESPONSE:
- if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
- radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response
received");
- return 0;
- }
/*
* Ensure that we have at least enough data
i.e. remove the check for "client opcode 'response' only valid if we sent a
'challenge'". Or of course, widen the check to:
challenge
or
failure
Anyway, they're more or less equivalent. A matter of taste I guess.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote:
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I
could get the retry to work properly on a windows7 machine.
The problem is that when we do a retry in addition to setting the
challenge value we also need to change the data->code to challenge
rather than failure. When the response comes back we can correctly deal
with it.
Hmm. I don't see that behaviour. That is probably due to the later
changes I made in the EAP-MSCHAPv2 state machine, here:
https://github.com/philmayers/freeradius-server/commit/8e3eece6e3c397f3a4b0c06a37a80bc8964997fd
Specifically, the old code compares client current opcode against server
last opcode; the patch I wrote above does a switch over server last
opcode, then permits one or more valid client opcodes. Response is
specifically permitted after failure, as it change-password (opcode 7).
original patch -- with suggested changes
678 - pairmove2(&response, &handler->request->reply->vps,
This patch is a bit "magic" for my tastes. The only reason it works is
because eapmschapv2_compose completely ignores data->code - it chooses
the EAP-MSCHAPv2 opcode based on the 2nd VALUE_PAIR* argument.
So essentially you're setting data->code to trick the state machine in
mschapv2_authenticate, but to someone unfamiliar with the code it would
read like you're sending a challenge back, which you're not - you're
sending a failure back.
An alternative approach would be:
--- rlm_eap_mschapv2.c~ 2010-10-13 13:34:16.0 +0100
+++ rlm_eap_mschapv2.c 2011-04-21 18:08:19.0 +0100
@@ -424,10 +424,6 @@
* a challenge.
*/
case PW_EAP_MSCHAPV2_RESPONSE:
- if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
- radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response
received");
- return 0;
- }
/*
* Ensure that we have at least enough data
i.e. remove the check for "client opcode 'response' only valid if we
sent a 'challenge'". Or of course, widen the check to:
challenge
or
failure
Anyway, they're more or less equivalent. A matter of taste I guess.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Just a brief update.
In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as
expected with this retry patch - user is presented with a password
dialog box and the connection is not aborted - user only needs to enter
the correct password to be connected and no "contact your network
administrator" or other messages occur.
Our support people are thrilled.
johnh...
On Thu, 21 Apr 2011, john.hayw...@wheaton.edu wrote:
Date: Thu, 21 Apr 2011 10:03:30
From: john.hayw...@wheaton.edu
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I could
get the retry to work properly on a windows7 machine.
The problem is that when we do a retry in addition to setting the challenge
value we also need to change the data->code to challenge rather than failure.
When the response comes back we can correctly deal with it.
original patch -- with suggested changes
678 -pairmove2(&response, &handler->request->reply->vps,
679 -PW_MSCHAP_ERROR);
678 +pairmove2(&response, &handler->request->reply->vps,
679 +PW_MSCHAP_ERROR);
add failure code by default
data->code = PW_EAP_MSCHAPV2_FAILURE;
680 +if (response) {
681 + int n,err,retry;
682 + char buf[34];
683 + 684 + DEBUG2(" MSCHAP-Error: %s", response->vp_strvalue);
685 +
686 + /*
687 + * parse the new challenge out of the MS-CHAP-Error, so if the
client
688 + * issues a re-try, we'll know the challenge value they used
689 + */
690 + n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err,
&retry, &buf);
691 + if (n==3) {
692 +DEBUG2(" Found new challenge from MS-CHAP-Error: err=%d
retry=%d challenge=%s", err, retry, buf);
693 +fr_hex2bin(buf, data->challenge, 16);
Set code to challenge if we find a challenge
data->code = PW_EAP_MSCHAPV2_CHALLENGE;
694 + } else {
695 +DEBUG2(" Could not parse new challenge from MS-CHAP-Error: %d",
n);
696 + }
697 +}
680
remove this code since set above
698 data->code = PW_EAP_MSCHAPV2_FAILURE;
END OF original patch ===
johnh...
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I
could get the retry to work properly on a windows7 machine.
The problem is that when we do a retry in addition to setting the challenge
value we also need to change the data->code to challenge rather than
failure. When the response comes back we can correctly deal with it.
original patch -- with suggested changes
678 -pairmove2(&response, &handler->request->reply->vps,
679 -PW_MSCHAP_ERROR);
678 +pairmove2(&response, &handler->request->reply->vps,
679 +PW_MSCHAP_ERROR);
add failure code by default
data->code = PW_EAP_MSCHAPV2_FAILURE;
680 +if (response) {
681 + int n,err,retry;
682 + char buf[34];
683 +
684 + DEBUG2(" MSCHAP-Error: %s", response->vp_strvalue);
685 +
686 + /*
687 + * parse the new challenge out of the MS-CHAP-Error, so if the client
688 + * issues a re-try, we'll know the challenge value they used
689 + */
690 + n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry,
&buf);
691 + if (n==3) {
692 +DEBUG2(" Found new challenge from MS-CHAP-Error: err=%d retry=%d
challenge=%s", err, retry, buf);
693 +fr_hex2bin(buf, data->challenge, 16);
Set code to challenge if we find a challenge
data->code = PW_EAP_MSCHAPV2_CHALLENGE;
694 + } else {
695 +DEBUG2(" Could not parse new challenge from MS-CHAP-Error: %d",
n);
696 + }
697 +}
680
remove this code since set above
698 data->code = PW_EAP_MSCHAPV2_FAILURE;
END OF original patch ===
johnh...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: > rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't > be terribly hard to write one - the module is fairly stateless. It's > probably best to just restart the server though. I think it's safe just to mark the module HUP-safe. It wasn't marked that way before because it had code to read a "smbpasswd" file. That has since been removed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Thanks for the patches - I've built a new server and hopefully will test tomorrow. On the re-reading of config I can live without the HUP not causing mschap to re-read it's config - just assumed that it would. johnh... On Wed, 20 Apr 2011, Phil Mayers wrote: Date: Wed, 20 Apr 2011 17:53:42 From: Phil Mayers Reply-To: FreeRadius users mailing list To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote: I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retires. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior? rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be terribly hard to write one - the module is fairly stateless. It's probably best to just restart the server though. 2) If retry=yes then on Windows-7 on failure a notification is given if they click they are presented with a message indicating their username or password are incorrect and given an opportunity to re-enter only a password. If they enter the correct password the authentication fails and they have to re-connect to get a duologue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (eg need to see if FRS thinks it is a failure or not). This I believe is not what should be happening. I think this is probably because the EAP-MSCHAP modules needs to parse and store the new challenge in the error message. If it doesn't, the server and client will disagree on the challenge/response value and auth will fail This patch implements the required behaviour (as part of the "support password change" code): https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote: I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retires. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior? rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be terribly hard to write one - the module is fairly stateless. It's probably best to just restart the server though. 2) If retry=yes then on Windows-7 on failure a notification is given if they click they are presented with a message indicating their username or password are incorrect and given an opportunity to re-enter only a password. If they enter the correct password the authentication fails and they have to re-connect to get a duologue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (eg need to see if FRS thinks it is a failure or not). This I believe is not what should be happening. I think this is probably because the EAP-MSCHAP modules needs to parse and store the new challenge in the error message. If it doesn't, the server and client will disagree on the challenge/response value and auth will fail This patch implements the required behaviour (as part of the "support password change" code): https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retires. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior? 2) If retry=yes then on Windows-7 on failure a notification is given if they click they are presented with a message indicating their username or password are incorrect and given an opportunity to re-enter only a password. If they enter the correct password the authentication fails and they have to re-connect to get a duologue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (eg need to see if FRS thinks it is a failure or not). This I believe is not what should be happening. johnh... On Wed, 13 Apr 2011, john.hayw...@wheaton.edu wrote: Date: Wed, 13 Apr 2011 16:19:26 From: john.hayw...@wheaton.edu To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry First - thanks to the free radius group for all the work on this over the weekend. There have been some fixes and extensions to my original patches and I saw a commit on Friday before some fixes and extensions were in place. Can someone point me to exactly what I need to "git" to get the current version of freeradius with the patches so I can do some testing at our site? TIA. johnh... On Mon, 11 Apr 2011, Phil Mayers wrote: Date: Mon, 11 Apr 2011 08:45:13 From: Phil Mayers Reply-To: FreeRadius users mailing list To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C= needs to be saved and eventually make it's way in to data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a: num_retries ...parameter, and the EAP module should keep track of retry attempt counts, and stop when either: try_number > num_retries or R=0 in the MS-CHAP-Error attribute Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time. It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today. Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is "password expired" and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: > Can someone point me to exactly what I need to "git" to get the current > version of freeradius with the patches so I can do some testing at our > site? http://git.freeradius.org Grab the v2.1.x branch. Read raddb/modules/mschap, and raddb/eap.conf, the "mschapv2" section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
First - thanks to the free radius group for all the work on this over the weekend. There have been some fixes and extensions to my original patches and I saw a commit on Friday before some fixes and extensions were in place. Can someone point me to exactly what I need to "git" to get the current version of freeradius with the patches so I can do some testing at our site? TIA. johnh... On Mon, 11 Apr 2011, Phil Mayers wrote: Date: Mon, 11 Apr 2011 08:45:13 From: Phil Mayers Reply-To: FreeRadius users mailing list To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C= needs to be saved and eventually make it's way in to data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a: num_retries ...parameter, and the EAP module should keep track of retry attempt counts, and stop when either: try_number > num_retries or R=0 in the MS-CHAP-Error attribute Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time. It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today. Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is "password expired" and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: > With "send_error = yes", the client just hangs (and in fact crashed my > phone several times) Nice to know! Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 11/04/11 14:45, Phil Mayers wrote: I'll spin up an SSID and give it a try with real clients later today. Regrettably I can report that this does not work with Symbian. With "send_error = no", incorrect username/password reports "EAP/PEAP authentication failed" With "send_error = yes", the client just hangs (and in fact crashed my phone several times) :o( - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C= needs to be saved and eventually make it's way in to data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a: num_retries ...parameter, and the EAP module should keep track of retry attempt counts, and stop when either: try_number > num_retries or R=0 in the MS-CHAP-Error attribute Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time. It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today. Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is "password expired" and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password) retry.patch.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/11 15:41, James J J Hooper wrote: This C= needs to be saved and eventually make it's way in to data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:57, James J J Hooper wrote:
On 10/04/2011 12:39, James J J Hooper wrote:
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I've may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP
failure)??
Yes, thanks.
Also, args to pairmove2 are wrong way around, as attached.
After that last change (p4.txt.gz), I think it's now doing the right thing:
* wpa_supplicant output matches Phil's (against W2k8 NPS), with the
exception that M=... is always present.
* With allow_retry = no, XP pop's up the usual 'enter credentials...'
bubble, and box.
* With allow_retry = yes, XP pops a "click to process credentials" bubble,
then a "type your password again" box:
http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png
...Although, when you correct the password in the 'allow_retry = yes"
popup, I don't think FR has got the bit to handle that yet:
Found Auth-Type = eduroamalieneap-bris-sha-ca
# Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamalien-inner
+- entering group eduroamalieneap-bris-sha-ca {...}
[eduroamalieneap-bris-sha-ca] Request found, released from the list
[eduroamalieneap-bris-sha-ca] EAP/mschapv2
[eduroamalieneap-bris-sha-ca] processing type mschapv2
rlm_eap_mschapv2: Unexpected response received << ***
[eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamalieneap-bris-sha-ca] Failed in EAP select
++[eduroamalieneap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli
00-1a-4d-35-b0-5a via TLS tunnel)
} # server eduroamalien-inner
[peap] Got tunneled reply code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
I think it needs two things now:
1)
Something like:
@@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg,
EAP_HANDLER *handler)
* a challenge.
*/
case PW_EAP_MSCHAPV2_RESPONSE:
- if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
- radlog(L_ERR, "rlm_eap_mschapv2: Unexpected
response received");
+ if ((data->code != PW_EAP_MSCHAPV2_CHALLENGE) &&
(data->code != PW_EAP_MSCHAPV2_FAILURE)) {
+ radlog(L_ERR, "rlm_eap_mschapv2: Unexpected
response received: %d", data->code);
return 0;
}
... because the response to our MSCHAPV2_FAILURE seems to be a
MSCHAPV2_FAILURE
2)
if (inst->retry_msg) {
snprintf(buffer + 9, sizeof(buffer), " C=");
for (i = 0; i < 16; i++) {
snprintf(buffer + 12 + i*2,
sizeof(buffer), "%02x",
fr_rand() & 0xff);
}
This C= needs to be saved and eventually make it's way in to
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
has the correct challenge, and can then process the clients "retry" correctly?
(help, I havn't managed to work out the mechanism from the current
challenge generation bits yet!)
-James
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote:
> ...Although, when you correct the password in the 'allow_retry = yes"
> popup, I don't think FR has got the bit to handle that yet:
>
> Found Auth-Type = eduroamalieneap-bris-sha-ca
> # Executing group from file
> /usr/local/etc/raddb/sites-enabled/eduroamalien-inner
> +- entering group eduroamalieneap-bris-sha-ca {...}
> [eduroamalieneap-bris-sha-ca] Request found, released from the list
> [eduroamalieneap-bris-sha-ca] EAP/mschapv2
> [eduroamalieneap-bris-sha-ca] processing type mschapv2
> rlm_eap_mschapv2: Unexpected response received << ***
Ah... it's supposed to try the MS-CHAP stuff again. Nice!
I'm travelling to networkshop soon, but I'll see if I poke at it this
week. If I'm right, the fix should be pretty simple. But it will need
to be tested by people.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: > Also, args to pairmove2 are wrong way around, as attached. Applied, thanks. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:39, James J J Hooper wrote:
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I've may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??
Yes, thanks.
Also, args to pairmove2 are wrong way around, as attached.
After that last change (p4.txt.gz), I think it's now doing the right thing:
* wpa_supplicant output matches Phil's (against W2k8 NPS), with the
exception that M=... is always present.
* With allow_retry = no, XP pop's up the usual 'enter credentials...'
bubble, and box.
* With allow_retry = yes, XP pops a "click to process credentials" bubble,
then a "type your password again" box:
http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png
...Although, when you correct the password in the 'allow_retry = yes"
popup, I don't think FR has got the bit to handle that yet:
Found Auth-Type = eduroamalieneap-bris-sha-ca
# Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamalien-inner
+- entering group eduroamalieneap-bris-sha-ca {...}
[eduroamalieneap-bris-sha-ca] Request found, released from the list
[eduroamalieneap-bris-sha-ca] EAP/mschapv2
[eduroamalieneap-bris-sha-ca] processing type mschapv2
rlm_eap_mschapv2: Unexpected response received << ***
[eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamalieneap-bris-sha-ca] Failed in EAP select
++[eduroamalieneap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli
00-1a-4d-35-b0-5a via TLS tunnel)
} # server eduroamalien-inner
[peap] Got tunneled reply code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
-James
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pop's up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a "click to process credentials" bubble, then a "type your password again" box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. -James p4.txt.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/09/2011 06:18 PM, James J J Hooper wrote: On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the git "v2.1.x" branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Hi Alan, I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12 All, People might find this helpful; if you send an invalid password for an otherwise-active account, Windows 2008R2 NPS sends an EAP request, containing an MS-CHAP error with R=1 and does *not* end the EAP/PEAP session - I am assuming a windows client could, in this case, re-try MS-CHAP without restarting the PEAP session, using the challenge sent in the MS-CHAP error. eapol_test shows this for the final packket: decapsulated EAP packet (code=1 id=7 len=91) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=7 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=91) - Flags 0x00 EAP-PEAP: received 85 bytes encrypted data for Phase 2 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=53): 1a 04 06 00 34 45 3d 36 39 31 20 52 3d 31 20 43 3d 36 37 46 43 33 44 45 32 30 38 31 30 45 33 34 35 37 41 30 41 39 41 37 34 42 43 37 45 31 30 45 32 20 56 3d 33 EAP-PEAP: received Phase 2: code=1 identifier=7 length=57 EAP-PEAP: Phase 2 Request: type=26 EAP-MSCHAPV2: RX identifier 7 mschapv2_id 6 EAP-MSCHAPV2: Received failure EAP-MSCHAPV2: Failure data - hexdump_ascii(len=48): 45 3d 36 39 31 20 52 3d 31 20 43 3d 36 37 46 43 E=691 R=1 C=67FC 33 44 45 32 30 38 31 30 45 33 34 35 37 41 30 41 3DE20810E3457A0A 39 41 37 34 42 43 37 45 31 30 45 32 20 56 3d 33 9A74BC7E10E2 V=3 EAP-MSCHAPV2: error 691 EAP-MSCHAPV2: retry is allowed EAP-MSCHAPV2: failure challenge - hexdump(len=16): 67 fc 3d e2 08 10 e3 45 7a 0a 9a 74 bc 7e 10 e2 EAP-MSCHAPV2: password changing protocol version 3 EAP-MSCHAPV2: failure message: '' (retry allowed, error 691) EAPOL: EAP parameter needed EAPOL: EAP parameter needed I will try with a windows client on Monday; I suspect it'll continue inside the existing PEAP tunnel with a retry since R=1, which means if we want to get the "right" behaviour as defined by the Microsoft implementation (PEAP is after all their protocol) we might be doing the wrong thing. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: > I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 > Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. I've deleted the setting of the EAP code. It's set in the "compose" function to "eap request". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the git "v2.1.x" branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Hi Alan, I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12 ...as per attached diff? -James p3.txt.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP-V2 with no retry
A couple of comments on how clients behave: o It was my impression based on comments from our support area that the unpatched code (which does not follow the rfc) serving a windows client presented the user with a dialogue box on failure. I have not tested this. I assumed that if windows could deal reasonably with a server which did not follow the rfc they could also work with one that did (possibly wrong assumption - but they are the ones which wrote the rfc). o It is known that various versions of the mac client fail in different respects - however they seem to fail consistently in that if retry is allowed they fail to increment the ID when retrying - on the MS radius server discards the retry because it is not following the protocol. You can get macs to play by configuring the server to not allow retries. So if you are going to test macs on the MS radius server you might try both with retry and without retry. o In this case it appears that in this case there have been more issues with mac wpa_clients than windows wpa_clients. o Testing of both windows and mac with out the patch and with the patch need to be done. johnh... From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Friday, April 08, 2011 2:54 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry Phil Mayers wrote: > +1 - In my experience it's necessary to cater for windows' weirdness > *first*. Most other clients have sane behaviours. I'm concerned about > the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the git "v2.1.x" branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: > +1 - In my experience it's necessary to cater for windows' weirdness > *first*. Most other clients have sane behaviours. I'm concerned about > the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the git "v2.1.x" branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/08/2011 08:26 AM, Alan DeKok wrote: James J J Hooper wrote: It works on Mac OS and iOS, but I havn't been able to get it to work as expected on XP or Win7: * Win7 does as it did before That's not all bad. * XP: The [builtin] supplicant gets stuck at the 'tryng to authenticate' message. That's not good. Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly? I'll put some fixes into git "v2.1.x" branch later today, I think. Changing the EAP-MSCHAP state machine worries me. It works now, so doing something *different* is a potential source of problems. +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line... I also think that, if we're aiming to make the behaviour "better" we should take a careful look at what IAS/NPS does; we maintain a "for comparison" server for just such cases, and I'll try to have a look today. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: > It works on Mac OS and iOS, but I havn't been able to get it to work > as expected on XP or Win7: > * Win7 does as it did before That's not all bad. > * XP: The [builtin] supplicant gets stuck at the 'tryng to authenticate' > message. That's not good. > Could you forward your patches gzipped [so they don't get mangled] so I > can verify I have patched the source correctly? I'll put some fixes into git "v2.1.x" branch later today, I think. Changing the EAP-MSCHAP state machine worries me. It works now, so doing something *different* is a potential source of problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 07/04/2011 13:33, James J J Hooper wrote: --On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to match the challenge of the server: According to rfc2759 a failure packet in section 6 a failure packet includes a message like: "E=ee R=r C= V=vv M=" where E is the error code, R 1/0 allow/disallow retry C an ascii version of the challenge V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to be have a failure code should be returned from the client. At that point the server can close the eap connection with a failure. What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs. Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out. == proposed fix Modify freeradius to follow rfc2759. This requires patches to two source files: o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759 o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet. Below are the diffs: == Comments o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe: 1) no more lockouts 2) Mac/Iphones users are now presented with a dialog box where they can update their password. o Code: a) I don't like the 100 character msg variable - there is probably a better way to do this. b) There is probably a function in free radius library to do the sprintf which should be used. c) samba locked accounts should probably have a similar message generated if they are mschapv2. I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases. Hi John, I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test). Attached are the two 'git diff' that I ended up with. Hi John, It works on Mac OS and iOS, but I havn't been able to get it to work as expected on XP or Win7: * Win7 does as it did before * XP: The [builtin] supplicant gets stuck at the 'tryng to authenticate' message. Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly? Regards, James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
hi, this would be great to get into 2.1.11 release if possible if not 2.1.12 or 2.2.x as it solves one of our current problems of devices configured for our roaming SSID continually trying to authenticate to the system even if the user no longer exists - currently they just keep on and on and on... this will 'break' their settings until they put in new details (which they cant if no longer a member able to use the roaming SSID alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper wrote: Attached are the two 'git diff' that I ended up with. gzipped so they don't get messed up. -James p1.txt.gz Description: Binary data p2.txt.gz Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu
wrote:
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
I don't know if this should be sent to the developers list instead.
=== Background ===
When there is a failure of the client to match the challenge of the
server:
According to rfc2759 a failure packet in section 6 a failure packet
includes a message like:
"E=ee R=r C= V=vv M="
where E is the error code, R 1/0 allow/disallow retry C an ascii version
of the challenge V=3 and M= some text message.
After this mschap failure message is sent by the server an acknowledgment
which seems to be have a failure code should be returned from the client.
At that point the server can close the eap connection with a failure.
What the 2.1.10 code (and earlier) appears to do is after mschap is
detected immediately close the eap connection with a failure.
The effect for windows XP/7 machines connecting wirelessly using mschapv2
is that they are presented with a dialog box and can enter new
credentials.
What happens with mac/iphones/androids/ubuntu is that they appear to be
confused and time out and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.
For some environments (such as using Novell NDS to authenticate) if
configured modules/ldap edir_account_policy_check=yes then these repeated
failures result in account lock outs.
Scenario: Institution requires periodic change of password - user uses a
web site to change password - user forgets to update their
mac/iphone/android - user turns on their mac/iphone/android - shortly
after user cannot access any resources (such as blackboard/portal etc)
because their account is locked out.
== proposed fix
Modify freeradius to follow rfc2759.
This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
response created by rlm_mschap.c and send that back, also accept an
authentication failure acknowledgment before sending eap failure
packet.
Below are the diffs:
==
Comments
o Results:
We have implemented this patch (along with the configuration change
edir_account_policy_check=no) and observe:
1) no more lockouts
2) Mac/Iphones users are now presented with a dialog box where they
can update their password.
o Code:
a) I don't like the 100 character msg variable - there is probably a
better way to do this.
b) There is probably a function in free radius library to do the
sprintf
which should be used.
c) samba locked accounts should probably have a similar message
generated if they are mschapv2.
I would be happy if someone could look over these patches and incorporate
the ideas into freeradius for future releases.
Hi John,
I had trouble applying the patches to 2.1.x git -- maybe because they got
mushed during the email process.
Adding the bits by hand seemed to work, and I can confirm the result is as
you describe on an iPhone (that's all I had to hand to test).
Attached are the two 'git diff' that I ended up with.
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk http://www.jamesjj.net
--
index c512018..3f3fc46 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST
*request)
response->vp_octets + 26, nthashhash,
do_ntlm_auth) < 0) {
RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
+
+ /* JCH - changes to include challenge and message */
+char msg[100];
+strcpy(msg, "E=691 R=0 C=");
+int i, offset = strlen(msg);
+char *ptr = &msg[offset];
+for (i=0; i<16; i++, ptr+=2) {
+ sprintf(ptr, "%02X", response->vp_octets[i+2]);
+}
+*ptr = 0;
+strcat(msg, " V=3 M=May Need to reset cached
password");
+
mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
-"MS-CHAP-Error", "E=691 R=1", 9);
+"MS-CHAP-Error", msg, strlen(msg));
return RLM_MODULE_REJECT;
}
index bdf4668..051fe71 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler,
VALUE_PAIR *reply)
Re: MS-CHAP-V2 with no retry
On Wed, 9 Mar 2011, Alan DeKok wrote:
Date: Wed, 9 Mar 2011 01:25:10
From: Alan DeKok
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry
John Hayward wrote:
Any idea of the time frame?
A long time.
Should I spend my time looking at the code and proposing a patch?
Sure.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't know if this should be sent to the developers list instead.
=== Background ===
When there is a failure of the client to match the challenge of the
server:
According to rfc2759 a failure packet in section 6 a failure packet
includes a message like:
"E=ee R=r C= V=vv M="
where E is the error code, R 1/0 allow/disallow retry C an ascii version
of the challenge V=3 and M= some text message.
After this mschap failure message is sent by the server an acknowledgment
which seems to be have a failure code should be returned from the client.
At that point the server can close the eap connection with a failure.
What the 2.1.10 code (and earlier) appears to do is after mschap is
detected immediately close the eap connection with a failure.
The effect for windows XP/7 machines connecting wirelessly using mschapv2
is that they are presented with a dialog box and can enter new
credentials.
What happens with mac/iphones/androids/ubuntu is that they appear to be
confused and time out and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.
For some environments (such as using Novell NDS to authenticate) if
configured modules/ldap edir_account_policy_check=yes then these repeated
failures result in account lock outs.
Scenario: Institution requires periodic change of password - user uses a
web site to change password - user forgets to update their
mac/iphone/android - user turns on their mac/iphone/android - shortly
after user cannot access any resources (such as blackboard/portal etc)
because their account is locked out.
== proposed fix
Modify freeradius to follow rfc2759.
This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
response created by rlm_mschap.c and send that back, also accept an
authentication failure acknowledgment before sending eap failure packet.
Below are the diffs:
=== rlm_mschap.c (from src/modules/rlm_mschap/)
1242,1252c1242
< /* JCH - changes to include challenge and message */
< char msg[100];
< strcpy(msg, "E=691 R=0 C=");
< int i, offset = strlen(msg);
< char *ptr = &msg[offset];
< for (i=0; i<16; i++, ptr+=2) {
<sprintf(ptr, "%02X", response->vp_octets[i+2]);
< }
< *ptr = 0;
< strcat(msg, " V=3 M=May Need to reset cashed password"
);
< mschap_add_reply(request, &request->reply->vps,
---
mschap_add_reply(request, &request->reply->vps,
1254c1244
<"MS-CHAP-Error", msg, strlen(msg));
---
"MS-CHAP-Error", "E=691 R=1", 9);
1299d1288
< /* JCH should we check for MS-CHAPV2 and modify the reply to include challenge
? */
from /src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
198c198,200
< length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
---
/* JCH need to be change length to work with full v2 message */
//length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
length = 4 + reply->length-1;
215c217,222
< memcpy((eap_ds->request->type.data + 4),
MSCHAPV2_FAILURE_MESSAG
E, MSCHAPV2_FAILURE_MESSAGE_LEN);
---
/* JCH need to copy the failure message from mschapv2 - it contains
ascii
version of the challenge C=...
*/
memcpy((eap_ds->request->type.data + 4),
(reply->vp_strvalue+1),
(reply->length-1));
//MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN);
487a495,505
/*JCH added - is this is an ack of a failure message */
case PW_EAP_MSCHAPV2_FAILURE:
if (data->code != PW_EAP_MSCHAPV2_FAILURE) {
radlog(L_ERR, "rlm_eap_mschapv2: Unexpected FAILURE
received");
return 0;
}
//JCH needed??? handler->request->options &=
~RAD_REQUEST_OPTION
_PROXY_EAP;
eap_ds->request->code = PW_EAP_FAILURE;
return 1;
Re: MS-CHAP-V2 with no retry
John Hayward wrote: > Any idea of the time frame? A long time. > Should I spend my time looking at the code and proposing a patch? Sure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP-V2 with no retry
Any idea of the time frame? Should I spend my time looking at the code and proposing a patch? johnh... From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Saturday, March 05, 2011 12:23 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry john.hayw...@wheaton.edu wrote: > 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was >a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was >a response sent back to the client but there was no message in the >response. It's more complicated. The server would send EAP-Failure, and nothing else. > 2) The patch given resolves that problem - giving the message >of the rlm_mschap.c module of E=691 R=1 On closer inspection, the patch doesn't resolve anything. It still sends an EAP-Failure. It should instead send an EAP-Response with EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the client has ACKed that, it should *then* send EAP-Failure. i.e. fixing it is likely a fair bit more work. > 3) It is possible to configure in radius.conf the message on failure by: No. That sends back an MS-CHAP-Error. The code has to package that MS-CHAP-Error into an EAP sub-type, and send it back to the client in an *additional* request/response round trip, before finally sending EAP-Failure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: > 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was >a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was >a response sent back to the client but there was no message in the >response. It's more complicated. The server would send EAP-Failure, and nothing else. > 2) The patch given resolves that problem - giving the message >of the rlm_mschap.c module of E=691 R=1 On closer inspection, the patch doesn't resolve anything. It still sends an EAP-Failure. It should instead send an EAP-Response with EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the client has ACKed that, it should *then* send EAP-Failure. i.e. fixing it is likely a fair bit more work. > 3) It is possible to configure in radius.conf the message on failure by: No. That sends back an MS-CHAP-Error. The code has to package that MS-CHAP-Error into an EAP sub-type, and send it back to the client in an *additional* request/response round trip, before finally sending EAP-Failure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
See comments below - johnh...
Phil Mayers wrote:
On 04/03/11 09:46, Alan DeKok wrote:
Isn't that what this code does in rlm_eap_mschapv2.c:
It's *supposed* to add the error message. But so far as I can see,
it's never called when the PW_MSCHAP_ERROR is used.
Perhaps I'm mis-reading it?
Nope. It's just never used.
Anyways, due to that (and other) issues, I've attached a new patch.
That *should* just re-use the MS-CHAP-Error string from the MS-CHAP
module, without over-writing it with a fixed error.
Is this a proper statement of the summary of where we are:
1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
a response sent back to the client but there was no message in the
response.
2) The patch given resolves that problem - giving the message
of the rlm_mschap.c module of E=691 R=1
3) It is possible to configure in radius.conf the message on failure by:
post-auth {
Post-Auth-Type REJECT {
if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
update reply {
MS-CHAP-Error := "E=691 R=0"
}
}
}
}
Let me know where I am wrong in these assertions.
I will try to test the patch in our environment and let the results be
known next week.
johnh...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote:
...
> *** With a locked out user it does:
>
> server eduroamlocal-inner {
> Exec-Program output: Account locked out (0xc234)
> Exec-Program-Wait: plaintext: Account locked out (0xc234)
> Exec-Program: returned: 1
> rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
> Login incorrect (eduroamlocalmschap: External script says Account locked
But that doesn't set SMB-Acct-Ctrl = 0x400. That's needed for the
rlm_mschap module.
> * Also, each time MS-CHAP-Error seems to be prefixed with a character -
> Is that intended?
Yes. It's how MS-CHAP works.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok
wrote:
Alan DeKok wrote:
James J J Hooper wrote:
rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function
`pairmove2'
I've added the missing comma, and it's building now :-)
Then you're using the git "master" branch, and not 2.1.x.
Nope, my mistake. See the recent message for a better patch.
*** With a bad password it does:
[eduroamlocalmschap] expand:
--nt-response=%{eduroamlocalmschap:NT-Response} ->
--nt-response=58a58ef81a7975443ce2f2ea61d6e66b11974cd3fbbf2b2d
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[eduroamlocalmschap] External script failed.
[eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
++[eduroamlocalmschap] returns reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
[eduroamlocaleap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamlocaleap-bris-sha-ca] Failed in EAP select
++[eduroamlocaleap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect (eduroamlocalmschap: External script says Logon failure
(0xc06d)): [jh1...@bris.ac.uk] (from client custard-66 port 0 cli
99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eduroamlocaleap-bris-sha-ca] returns handled
*** With a locked out user it does:
server eduroamlocal-inner {
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
Login incorrect (eduroamlocalmschap: External script says Account locked
out (0xc234)): [jh176...@bris.ac.uk] (from client custard-66 port 0 cli
99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x
attr_filter: Matched entry DEFAULT at line 1
Sending Access-Challenge of id 7 to 137.222.253.66 port 48817
EAP-Message =
0x0108002b19001703010020bfba7af9865436c3cbcd179868046228adb578769d6312fd4cb3caaf3626edc0
Message-Authenticator = 0x
State = 0x2183e4ed268bfd6e277ccbd19a06e21c
* Also, each time MS-CHAP-Error seems to be prefixed with a character - Is
that intended?
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Alan DeKok wrote: > James J J Hooper wrote: >>> rlm_eap_mschapv2.c: In function `mschapv2_authenticate': >>> rlm_eap_mschapv2.c:658: error: called object is not a function >>> rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' >> I've added the missing comma, and it's building now :-) > > Then you're using the git "master" branch, and not 2.1.x. Nope, my mistake. See the recent message for a better patch. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: > On 04/03/11 09:46, Alan DeKok wrote: > Isn't that what this code does in rlm_eap_mschapv2.c: It's *supposed* to add the error message. But so far as I can see, it's never called when the PW_MSCHAP_ERROR is used. > Perhaps I'm mis-reading it? Nope. It's just never used. Anyways, due to that (and other) issues, I've attached a new patch. That *should* just re-use the MS-CHAP-Error string from the MS-CHAP module, without over-writing it with a fixed error. Alan DeKok. eap.diff.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: >> rlm_eap_mschapv2.c: In function `mschapv2_authenticate': >> rlm_eap_mschapv2.c:658: error: called object is not a function >> rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' > > I've added the missing comma, and it's building now :-) Then you're using the git "master" branch, and not 2.1.x. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/03/11 09:46, Alan DeKok wrote:
Phil Mayers wrote:
The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
E=691 R=0
Really? I don't see that.
Isn't that what this code does in rlm_eap_mschapv2.c:
static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *reply)
{
...
case PW_MSCHAP_ERROR:
DEBUG2("MSCHAP Failure\n");
length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
memcpy((eap_ds->request->type.data + 4),
MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN);
...and MSCHAPV2_FAILURE_MESSAGE is defined in eap_mschapv2.h:
#define MSCHAPV2_FAILURE_MESSAGE "E=691 R=0"
#define MSCHAPV2_FAILURE_MESSAGE_LEN 9
Perhaps I'm mis-reading it?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 12:04:51 + James J J Hooper wrote: --On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see "MSCHAP Failure" in the debug log, where it wasn't there before. Try it for normal && accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. Hi Alan, Compile error (& result of patch .c attached): rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see "MSCHAP Failure" in the debug log, where it wasn't there before. Try it for normal && accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. Hi Alan, Compile error (& result of patch .c attached): Making all in rlm_eap_mschapv2... gmake[9]: Entering directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2' /usr/local/dnsnode/src/radiusd/20110105/freeradius-server/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c mkdir .libs gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c -fPIC -DPIC -o .libs/rlm_eap_mschapv2.o rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' gmake[9]: *** [rlm_eap_mschapv2.lo] Error 1 gmake[9]: Leaving directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2' gmake[8]: *** [rlm_eap_mschapv2] Error 2 -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- rlm_eap_mschapv2.c--new1.gz Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: >> That could be fixed for 2.1.11, I guess. If someone can test it... > > Yes please, and will do. Try this patch. You should see "MSCHAP Failure" in the debug log, where it wasn't there before. Try it for normal && accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. eap.diff.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On 04 March 2011 10:46 +0100 Alan DeKok wrote: Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: > The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: > > E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
I am asking that it be configurable as to how many retries are allowed
(eg how many E=691 R=1) before a no retries failed authentication
message (E=691 R=0) is sent.
Ah gotcha. Thanks for the detail!
As Alan has suggested in his other email, you can change the
"MS-CHAP-Error" in the post-auth section:
post-auth {
Post-Auth-Type REJECT {
if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
update reply {
MS-CHAP-Error := "E=691 R=0"
}
}
}
}
If a no retries failed authentication message (E=691 R=0) is sent I
believe that that the apple device to re-prompt the user to update the
password.
...but I'm not sure this will work.
The reason being, if you're using wireless you're probably using
PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner -
that is, it is *not* raw mschap inside the tunnel.
The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
E=691 R=0
...ignoring any errors the "mschap" module might have generated.
So in theory at least, FreeRadius is already doing what you want for
EAP-MSCHAP, and changing it won't help.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: > I am asking that it be configurable as to how many retries are allowed > (eg how many E=691 R=1) before a no retries failed authentication > message (E=691 R=0) is sent. The answer here is to use a database. FreeRADIUS doesn't keep track of any long-term data. It uses a database. > If a no retries failed authentication message (E=691 R=0) is sent I > believe that that the apple device to re-prompt the user to update the > password. If you want to set "E=691 R=0", you can use "unlang" in the "post-auth-type Reject" section to re-write the attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On Thu, 3 Mar 2011, Phil Mayers wrote: Date: Thu, 3 Mar 2011 17:09:42 From: Phil Mayers Reply-To: FreeRadius users mailing list To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry It has been reported that if the Microsoft NPS server is configured for no retries (E=691 R=0) that mac/iphones/ipads then act like windows xp machines in that they report to the user that the password needs attention. Would it be possible to modify rlm_mschap.c to be conigured as to how many retries were allowed before returning authentication failure with no retry? Obviously it's possible. It's not clear it would help though; are you using plain MS-CHAP or EAP-MSCHAP? EAP-MSCHAP Can you explain what you're trying to accomplish; I didn't really understand your email in full (not sure what the stuff about Macs was all about; not sure whether "change password" means "user tries again with a different password string" or "user executes the change-password protocol because their old one has expired) We have most things (portal authentication, blackboard, wireless) using freeradius with Novell NDSLdap for authentication. We also have a password change policy which requires user periodically change their password. They can most easily do so by going to a website set up for that. Here is the sequence of events which leads to a heavy support load. 1) User initially set up their wireless connection using a current password. 2) The device caches the password. 3) The user operates for a long period of time without issue. 4) The user is notified their password will expire in a short time in the future by e-mail - telling them to change their password at the password change web site. 5) The user goes to the password change web site and changes their password. 6) After the password change has occurred - When the user attempts to connect to the wireless network: a) for wireless Windows running xp they see a message indicating they need to re-enter their password for the computer (the cashed old password no longer works) and the user enters the current password and life goes on. *** b) for wireless apple devices (os 10.6, iphones, ipads) they get no such message the device just keeps trying to authenticate and failing without prompting the user - after a certain number of failures the Novell NDS Ldap locks the user because intruder lock out facility. Now the user cannot login to systems which use uses NDSLdap authentication. User shows up at support center confused. It is known that the apple supplicant fails to increment the ID on the retry which is required by the MS-CHAP protocol. At least one person report that if the radius server responds with a failed authentication error message (E=691 R=0) - which indicates the client should not retry - causes the apple device to prompt the user for a new password. This is the same behavior which windows xp users see. I am not asking that freeradius server be used to change the password. I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent. If a no retries failed authentication message (E=691 R=0) is sent I believe that that the apple device to re-prompt the user to update the password. johnh... > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
It has been reported that if the Microsoft NPS server is configured for no retries (E=691 R=0) that mac/iphones/ipads then act like windows xp machines in that they report to the user that the password needs attention. Would it be possible to modify rlm_mschap.c to be conigured as to how many retries were allowed before returning authentication failure with no retry? Obviously it's possible. It's not clear it would help though; are you using plain MS-CHAP or EAP-MSCHAP? Can you explain what you're trying to accomplish; I didn't really understand your email in full (not sure what the stuff about Macs was all about; not sure whether "change password" means "user tries again with a different password string" or "user executes the change-password protocol because their old one has expired) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP failing?
Alan,
Well spotted! - yes there was a bit missing from the end of that line in mschap
- response=%(mschap:NT-Response:-00}" Twas indeed a cut-and-paste error.
Thanks very much - it now works!
Cheers,
Mark
-Original Message-
From:
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
On Behalf Of Alan Buxey
Sent: 12 October 2010 15:04
To: FreeRadius users mailing list
Subject: Re: MS-CHAP failing?
Hi,
> my /modules/ntlm_auth looks like this:-
>
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key
> --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }
I'd hope it doesnt look like that- fix the /path/to bit to give it the proper
details.
> and modules/mschap looks like this
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response$
> }
and that entry looks a little broken too - ending in $ - a cut and paste issue?
> Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
> EAP-Message =
> 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
> Message-Authenticator = 0x
> State = 0xbc7efc4cb978e53c4bf33c60bc849290
> Finished request 11.
and waiting and challenging what client are you using? this looks like a
windows client that doesnt have the RADIUS CA installed on it
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP failing?
Stephen,
Thanks for this.
Actually I messed up - my ntlm_auth looks like this (which I think is correct)
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
The /path/to/ntlm_auth line is commented out in my config.
Cheers
Mark
-Original Message-
From:
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
On Behalf Of Sallee, Stephen (Jake)
Sent: 12 October 2010 15:03
To: FreeRadius users mailing list
Subject: RE: MS-CHAP failing?
Just checking but you did see the problem I the following line of config
right?
>exec ntlm_auth {
> wait = yes
>program = ***"/PATH/TO/NTLM_AUTH *** --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
-->password=%{User-Password}"
>}
I understand if you left it out on purpose but this code WILL NOT work
in production ; )
Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?
OK, getting somewhere, but still won't let me connect. I can't see in
the debug output why it fails.
I'm trying to authenticate against AD, using PEAP-MSCHAPv2
I have checked ntlm_auth is working by
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser
--password=password
and I get (NT_STATUS_OK)
my /modules/ntlm_auth looks like this:-
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
}
and modules/mschap looks like this
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}
In the debug output I can see this - should authentication realm = LOCAL
as below?
[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
"testu...@mydomain.ox.ac.uk"
[suffix] Found realm "mydomain.ox.ac.uk"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "mydomain.ox.ac.uk"
[suffix] Authentication realm is LOCAL.
When I paste the debug into the checker it highlights this:-
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
But not sure I need to worry about that as I'm not doing PAP
Can't see anything else in there indicating a problem, but when I try to
connect a device (my iPhone) it just returns a 'cannot connect to'
message
What am I missing? No doubt something obvious
Debug output
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /e
Re: MS-CHAP failing?
Hi,
> my /modules/ntlm_auth looks like this:-
>
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key
> --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }
I'd hope it doesnt look like that- fix the /path/to bit to give it the proper
details.
> and modules/mschap looks like this
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response$
> }
and that entry looks a little broken too - ending in $ - a cut and paste issue?
> Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
> EAP-Message =
> 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
> Message-Authenticator = 0x
> State = 0xbc7efc4cb978e53c4bf33c60bc849290
> Finished request 11.
and waiting and challenging what client are you using? this looks like a
windows client that doesnt have the RADIUS CA installed on it
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP failing?
Just checking but you did see the problem I the following line of config
right?
>exec ntlm_auth {
> wait = yes
>program = ***"/PATH/TO/NTLM_AUTH *** --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
-->password=%{User-Password}"
>}
I understand if you left it out on purpose but this code WILL NOT work
in production ; )
Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?
OK, getting somewhere, but still won't let me connect. I can't see in
the debug output why it fails.
I'm trying to authenticate against AD, using PEAP-MSCHAPv2
I have checked ntlm_auth is working by
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser
--password=password
and I get (NT_STATUS_OK)
my /modules/ntlm_auth looks like this:-
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
}
and modules/mschap looks like this
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}
In the debug output I can see this - should authentication realm = LOCAL
as below?
[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
"testu...@mydomain.ox.ac.uk"
[suffix] Found realm "mydomain.ox.ac.uk"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "mydomain.ox.ac.uk"
[suffix] Authentication realm is LOCAL.
When I paste the debug into the checker it highlights this:-
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
But not sure I need to worry about that as I'm not doing PAP
Can't see anything else in there indicating a problem, but when I try to
connect a device (my iPhone) it just returns a 'cannot connect to'
message
What am I missing? No doubt something obvious
Debug output
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expr
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb
Re: MS-CHAP Authentication / Bug 17
Hi, >>> http://www.googlefight.com/index.php?lang=en_GB&word1=delimiter&word2=delimeter >> >> your point is? (I win the fight ;-) ) >> > > Oops > I (like an idiot) read you comment the wrong way around! 8-) thats okay - I've got a useful URL to settle arguments with now - thanks! :-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Authentication / Bug 17
Alan Buxey wrote: Hi, a few changes though (?) - its 'delimiter', not 'delimeter' ;-) and...some RDEBUG2 starts with a white space and others print tight to the line - reason for such differences? http://www.googlefight.com/index.php?lang=en_GB&word1=delimiter&word2=delimeter your point is? (I win the fight ;-) ) Oops I (like an idiot) read you comment the wrong way around! -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP Authentication / Bug 17
> google search for 'define:delimeter' > Did you mean: define:delimiter Top 2 results shown :-) You are clearly correct given the root of the word "delimiter" is "delimit" (not delimet) :-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP Authentication / Bug 17
> hmm, okay - I'll only be able to introduce core systrems > with this patch in place after 2nd October - we currently > have a change freeze on main systems until then That's fabulous. Thanks for your time and willingness to test. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Authentication / Bug 17
Hi, > Actually, the problem definitely impacts PEAP/MSCHAPv2 (and I believe > TTLS/MSCHAPv2 also because it's an error in MS-CHAP, but we don't use TTLS so > I can't test that). (I haven't thought about it enough to know whether it > affects v1, but it definitely occurs with v2 as that's where I found it.) > > The problem occurs when the client creates the MS-CHAPv2 response and uses a > userid whose case differs from what FR subsequently uses to create the > challenge for ntlm_auth. hmm, okay - I'll only be able to introduce core systrems with this patch in place after 2nd October - we currently have a change freeze on main systems until then alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Authentication / Bug 17
Hi, >> a few changes though (?) - its 'delimiter', not 'delimeter' ;-) >> and...some RDEBUG2 starts with a white space and others print tight to >> the line - reason for such differences? >> > > http://www.googlefight.com/index.php?lang=en_GB&word1=delimiter&word2=delimeter your point is? (I win the fight ;-) ) google search for 'define:delimeter' Did you mean: define:delimiter Top 2 results shown :-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP Authentication / Bug 17
Alan, Thank you for taking the time to review the patch and for your feedback.
> has a look at this but it's only of interest for classic MS-CHAP
> activity rather than MSCHAPv2 in PEAP or TTLS - correct?
> (in this case we wouldnt use this function or be able to test
> this at our site...but logically it all looks sane)
Actually, the problem definitely impacts PEAP/MSCHAPv2 (and I believe
TTLS/MSCHAPv2 also because it's an error in MS-CHAP, but we don't use TTLS so I
can't test that). (I haven't thought about it enough to know whether it affects
v1, but it definitely occurs with v2 as that's where I found it.)
The problem occurs when the client creates the MS-CHAPv2 response and uses a
userid whose case differs from what FR subsequently uses to create the
challenge for ntlm_auth.
> a few changes though (?) - its 'delimiter', not 'delimeter' ;-)
True, but I just copied that line from what was already in the code. I'm ok
with fixing the spelling error as part of this patch though ;-)
> and...some RDEBUG2 starts with a white space and others print tight to
> the line - reason for such differences?
I was trying to mimic some of the existing code (when in Rome ;-) )... For
instance, there was already an RDEBUG2 for:
RDEBUG2(" NT Domain delimeter found, should we have enabled
with_ntdomain_hack?");
I'm not opposed to eliminating the leading spaces if you think it is more
readable.
BTW, I just fixed one of the attachments (rlm_eap_mschapv2.c patch). I
inadvertently had all 3 patches included in that one file - the replacement now
only contains the changes for rlm_eap_mschapv2.c. Sorry about the confusion..
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Authentication / Bug 17
Alan Buxey wrote: Hi, has a look at this but it's only of interest for classic MS-CHAP activity rather than MSCHAPv2 in PEAP or TTLS - correct? (in this case we wouldnt use this function or be able to test this at our site...but logically it all looks sane) a few changes though (?) - its 'delimiter', not 'delimeter' ;-) and...some RDEBUG2 starts with a white space and others print tight to the line - reason for such differences? http://www.googlefight.com/index.php?lang=en_GB&word1=delimiter&word2=delimeter -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP Authentication / Bug 17
Hi, has a look at this but it's only of interest for classic MS-CHAP activity rather than MSCHAPv2 in PEAP or TTLS - correct? (in this case we wouldnt use this function or be able to test this at our site...but logically it all looks sane) a few changes though (?) - its 'delimiter', not 'delimeter' ;-) and...some RDEBUG2 starts with a white space and others print tight to the line - reason for such differences? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP cannot login
hi, intel supplicant? loks like the outerid is anonym...@abc.com therefore you are trying to proxy to that realm... fix/reconfigure the supplicant? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP cannot login
On 13/8/09 06:07, Sanhenra Sinaga wrote: > [eap] Request found, released from the list > [eap] EAP/peap > [eap] processing type peap > [peap] processing EAP-TLS > [peap] eaptls_verify returned 7 > [peap] Done initial handshake > [peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate > TLS Alert read:fatal:bad certificate > TLS_accept:failed in SSLv3 read client certificate A > rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert > bad certificate > SSL: SSL_read failed inside of TLS (-1), TLS session fails. > TLS receive handshake failed during operation > [peap] eaptls_process returned 4 > [peap] EAPTLS_OTHERS > [eap] Handler failed in EAP/peap > [eap] Failed in EAP select > ++[eap] returns invalid > Failed to authenticate the user. The SSL/TLS handshake failed. Did the client reject the certificate? if it's a Windows box and you are using a self-signed cert you will either need to add the CA cert to the Trusted Root Certificates or configure the Wireless connection not to validate the server certificates. Steve -- Steven Carr Systems Development Officer SLS/ITS/Systems - (0191) 515 3953 signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-Error
Alan DeKok wrote: Phil Mayers wrote: Could you point me towards the place in the FR2 source code that does the RFC cleaning? I can't seem to find it. raddb/attrs.access_reject seems to be the place. Ahh. The light dawns - I assumed it was hard-coded in like the rfc_clean() function in 1.1.7 and didn't even think to look elsewhere. Doh! Thanks - I'll re-rest with 2.0.3 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-Error
Phil Mayers wrote: > Could you point me towards the place in the FR2 source code that does > the RFC cleaning? I can't seem to find it. raddb/attrs.access_reject seems to be the place. There's code in src/main/auth.c to remove all reply attributes on "too many logins", but that's different. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-Error
Alan DeKok wrote: Phil Mayers wrote: ... rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46 Proxy-State = 0x3633 MS-CHAP-Error = "\000E=648 R=0 V=3" ...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error packet back to the radius client (pppd "radius.so" plugin) so my patches to pppd are unable to act on the error code. That is arguably something that could be included in an Access-Reject. Could you point me towards the place in the FR2 source code that does the RFC cleaning? I can't seem to find it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-Error
Phil Mayers wrote: ... > rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, > length=46 > Proxy-State = 0x3633 > MS-CHAP-Error = "\000E=648 R=0 V=3" > > ...however FreeRadius obeys the RFCs, and doesn't proxy the > MS-CHAP-Error packet back to the radius client (pppd "radius.so" plugin) > so my patches to pppd are unable to act on the error code. That is arguably something that could be included in an Access-Reject. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-Error
Hi, > Sending Access-Request of id 7 to 192.168.29.34 port 1812 > Service-Type = Framed-User > Framed-Protocol = PPP > User-Name = "test" > MS-CHAP-Challenge = 0xSNIP > MS-CHAP2-Response = 0xSNIP > Calling-Station-Id = 192.168.55.55 > NAS-IP-Address = 192.168.54.54 > NAS-Port = 0 > Proxy-State = 0x3633 > --- Walking the entire request list --- > Waking up in 6 seconds... > rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46 > Proxy-State = 0x3633 > MS-CHAP-Error = "\000E=648 R=0 V=3" > > ...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error > packet back to the radius client (pppd "radius.so" plugin) so my patches to > pppd are unable to act on the error code. how about using ulang to check for the MS-CHAP-Error - and if that code exists, create a new attribute that WILL be sent back to the radius client. ...one on which other bits of code could act. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP: what password backends can be used?
Alain Fauconnet <[EMAIL PROTECTED]> wrote: > Then I must have missed it. I probably have searched for the wrong > keywords... yes, I see now in the FAQ, I should have searched for > "chap" and not "ms-chap" or "mschap". Sorry. You're not the first person to ask this question. Google should return a *lot* of answers. > This PPTP so encryption is MPPE. > When you configure a Windows client for a VPN (PPTP) > connection, if you enable encryption and allow anything but MS-CHAP > and MS-CHAP-V2, it says that if anything else is used (such as PAP), > encryption will be disabled. Ah. That would appear to be definitive, then. > Well, I've inherited this installation and the Radius service is used > for a dozen different things so I have to be very careful not to break > anything. Anyway why is PAM so evil by itself? I've been working with PAM for many years. I've never liked it. If nothing else, PAM isnt designed to be used in the way that FreeRADIUS is using it: one process doing many PAM authentications. It's meant to be used by "login", and similar programs. We've had problems in the past with PAM because of this. > OK, assuming I have a smbpasswd format file somewhere (not the case > now), I should configure the mschap *and* passwd modules, > uncommenting out: Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP: what password backends can be used?
Thanks for your reply Alan,
On Thu, May 11, 2006 at 01:53:10AM -0400, Alan DeKok wrote:
> Alain Fauconnet <[EMAIL PROTECTED]> wrote:
> > I've browsed the FAQs, the mailing list archives but I have failed to
> > find a definite, clear answer to this: what kind of user/password
> > back-end can work if one is to support MS-CHAP?
>
> I don't see why there was no clear answer. The answer has been
> given many, many, times, and is always the same. MS-CHAP works with
> clear-text passwords, or with NT-Passwords. Nothing else.
Then I must have missed it. I probably have searched for the wrong
keywords... yes, I see now in the FAQ, I should have searched for
"chap" and not "ms-chap" or "mschap". Sorry.
>
> > I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
> > works fine if I use PAP and no encryption. If I want to use
> > encryption, I need MS-CHAP, right?
>
> What kind of encryption do you mean? There are many kinds.
This PPTP so encryption is MPPE.
When you configure a Windows client for a VPN (PPTP)
connection, if you enable encryption and allow anything but MS-CHAP
and MS-CHAP-V2, it says that if anything else is used (such as PAP),
encryption will be disabled.
>
> > Right now my FreeRADIUS server is configured to use PAM.
>
> Ugh. That's not nice. It's added complexity for no real benefit.
>
Well, I've inherited this installation and the Radius service is used
for a dozen different things so I have to be very careful not to break
anything. Anyway why is PAM so evil by itself? it adds a layer of
abstraction and makes it a single place to tweak things if the
authentication back-ends change. I understand that it defeats any
requirement to access the cleartext passwords, though.
> > The master source of authentication is /etc/passwd and /etc/shadow,
> > so passwords are in MD5 format.
>
> MS-CHAP is impossible.
Roger that :-)
>
> > Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
> > requests from the Cisco box in this context? (i'm kind of expecting a
> > big "no" here, but I want to be sure)
>
> No.
>
> > If I'm not using Samba or a domain controller, do I need cleartext
> > passwords to achieve this? where? in the "users" file only?
>
> The passwords can be obtained from any database.
>
> > In radiusd.conf, the "mschap" module has parameters for a Samba
> > smpasswd format file or invoking ntlm_auth. If neither is set, where
> > does it try to get the password from? I'm confused.
>
> The mschap module no longer supports smbpasswd files.
>
> The mschap module doesn't "try" to get the password. It just does
> ms-chap authentication. Databases get the password, and add it to the
> RADIUS request. See doc/aaa.txt
OK, assuming I have a smbpasswd format file somewhere (not the case now), I
should
configure the mschap *and* passwd modules, uncommenting out:
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
is that correct?
Greets,
_Alain_
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP: what password backends can be used?
Alain Fauconnet <[EMAIL PROTECTED]> wrote: > I've browsed the FAQs, the mailing list archives but I have failed to > find a definite, clear answer to this: what kind of user/password > back-end can work if one is to support MS-CHAP? I don't see why there was no clear answer. The answer has been given many, many, times, and is always the same. MS-CHAP works with clear-text passwords, or with NT-Passwords. Nothing else. > I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It > works fine if I use PAP and no encryption. If I want to use > encryption, I need MS-CHAP, right? What kind of encryption do you mean? There are many kinds. > Right now my FreeRADIUS server is configured to use PAM. Ugh. That's not nice. It's added complexity for no real benefit. > The master source of authentication is /etc/passwd and /etc/shadow, > so passwords are in MD5 format. MS-CHAP is impossible. > Is there any way I can get FreeRADIUS to handle MS-CHAP authentication > requests from the Cisco box in this context? (i'm kind of expecting a > big "no" here, but I want to be sure) No. > If I'm not using Samba or a domain controller, do I need cleartext > passwords to achieve this? where? in the "users" file only? The passwords can be obtained from any database. > In radiusd.conf, the "mschap" module has parameters for a Samba > smpasswd format file or invoking ntlm_auth. If neither is set, where > does it try to get the password from? I'm confused. The mschap module no longer supports smbpasswd files. The mschap module doesn't "try" to get the password. It just does ms-chap authentication. Databases get the password, and add it to the RADIUS request. See doc/aaa.txt Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP authenticating (should fail)
Iain Sims <[EMAIL PROTECTED]> wrote: > I've a FR and LDAP server configured that seems to be performing nicely > except for one small issue where an 'Auth-Type := Reject' in my users > file seems to have little affect. In brief, I want users not caught by > the following users file: ... > users: Matched entry DEFAULT at line 20 The "users" file you posted has 16 lines. The debug log says it matched an entry at line 20. > How can I stop processing after the reject message in the users file?? It looks like it's a bug in the mschap module. The next version of the server will contain a fix. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS CHAP V2 authentication failure...
Jon <[EMAIL PROTECTED]> wrote: >rlm_eap: EAP/mschapv2 >rlm_eap: processing type mschapv2 >ERROR: Unknown value specified for Auth-Type. Cannot perform > requested action. You deleted the "mschap" entry from the "authenticate" section. Don't do that. The default configuration works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP, LDAP, ADS
"Elizabeth Palomino" <[EMAIL PROTECTED]> wrote: > I have poked about on google and read several how to's. Is it > possible using any authentication module ( rlm_pam,rlm_ldap...) To > authenticate a connection from a client using CHAP or MS-CHAP to an > Active Directory Server (TM) *cough*. MS-CHAP yes, CHAP no. > LDAP -->ADS > Error: > User-Password is Required for authentication. Cannot use "CHAP-Password" It's impossible. See ntlm_auth in radiusd.conf for how to do MS-CHAP to AD. > 2) Which is a better way to authenticate? ldap,PAM-->Winbind? I would suggest not using PAM. > 3) Can I use the ntlm_auth line with the chap No. > 4) I have read about peap and eap. Perhaps this would work? No. > What I am trying to avoid is having password transmitted clear text > over the network. Is there perhaps a better Solution? RADIUS doesn't send the password in clear text over the network. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
"DilipSimha.N.M" <[EMAIL PROTECTED]> wrote: > as u have specified in src/tests/README , that lines with #U shud go > into users file. > but in src/tests/mschapv1 u have given User-Password in clear text??? Yes, so? > mschap has the advantage over chap, that it doesn't store passwords in > clear-text in the users file. > am i right No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
comments INLINE Alan DeKok wrote: "DilipSimha.N.M" <[EMAIL PROTECTED]> wrote: is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication?? radclient should really be updated to support MS-CHAP. It's not hard. And it would be easier to do that than to write another client. if so, please give the packet contents for radius client and the users file check-items. src/tests/mschapv1 as u have specified in src/tests/README , that lines with #U shud go into users file. but in src/tests/mschapv1 u have given User-Password in clear text??? mschap has the advantage over chap, that it doesn't store passwords in clear-text in the users file. am i right Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
Patrick Bartkus wrote: You could try using the windows program NTRadPing from http://www.dialways.com/download/. It has a "CHAP" checkbox. CHAP and MS-CHAP are quite different. josh. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
"DilipSimha.N.M" <[EMAIL PROTECTED]> wrote: > is there any simple tool(other than jradius) which can be used as radius > client and which can be used to test > mschap authentication?? radclient should really be updated to support MS-CHAP. It's not hard. And it would be easier to do that than to write another client. > if so, please give the packet contents for radius client and the users > file check-items. src/tests/mschapv1 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
You could try using the windows program NTRadPing from http://www.dialways.com/download/.It has a "CHAP" checkbox. HTH,Patrick On 1/31/06, Phil Mayers <[EMAIL PROTECTED]> wrote: DilipSimha.N.M wrote:> hi,>> is there any simple tool(other than jradius) which can be used as radius> client and which can be used to test> mschap authentication??> if so, please give the packet contents for radius client and the users > file check-items. 1. run FreeRadius in debugging mode 2. perform a successful MS-CHAP authentication with a "real" client 3. copy the following info from the FreeRadius debugging output: User-Name = "user"MS-CHAP-Challenge = 0xBYTESMS-CHAP2-Response = 0xBYTES 4. with that info, create a file containing a radius request:Service-Type = Framed-UserFramed-Protocol = PPP User-Name = "user"MS-CHAP-Challenge = 0xBYTESMS-CHAP2-Response = 0xBYTESCalling-Station-Id = "something"NAS-IP-Address = 192.168.1.2NAS-Port = 1 5. run the command "radclient -s -f $FILE $HOST auth $SECRET"The radius server will authenticate that request every time. Since thechallenge from a real NAS is essentially random there is only a low (but not zero) risk in having the info in a file.You may need to edit your users file to disable things such as IPaddress pool assignment or such, but it will basically work fine. Suchediting is dependent on your local configuration. -List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ms-chap authentication with client tool?
DilipSimha.N.M wrote: hi, is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication?? if so, please give the packet contents for radius client and the users file check-items. 1. run FreeRadius in debugging mode 2. perform a successful MS-CHAP authentication with a "real" client 3. copy the following info from the FreeRadius debugging output: User-Name = "user" MS-CHAP-Challenge = 0xBYTES MS-CHAP2-Response = 0xBYTES 4. with that info, create a file containing a radius request: Service-Type = Framed-User Framed-Protocol = PPP User-Name = "user" MS-CHAP-Challenge = 0xBYTES MS-CHAP2-Response = 0xBYTES Calling-Station-Id = "something" NAS-IP-Address = 192.168.1.2 NAS-Port = 1 5. run the command "radclient -s -f $FILE $HOST auth $SECRET" The radius server will authenticate that request every time. Since the challenge from a real NAS is essentially random there is only a low (but not zero) risk in having the info in a file. You may need to edit your users file to disable things such as IP address pool assignment or such, but it will basically work fine. Such editing is dependent on your local configuration. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
