Re: Trying to set no authentication for users

2004-01-09 Thread John Horne
On Thu, 2004-01-08 at 18:39, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > As can be seen it says 'Login OK' but seems to be missing the:
> > 
> > Sending Access-Accept of id 209 to 127.0.0.1:40603
> > MS-CHAP2-Success =
> > 0x01533d36364635423233344331414344363438463746353946443832353834324437424131433645464332
> 
>   Ah, yes.  For that, the server needs access to the user's password.
> 
>   Since you want it to authenticate *anyone* using MS-CHAP, you'll
> need to supply all the server with all of their passwords.  In which
> case, you might as well let the MSCHAP module just authenticate them
> normally.
> 
>   MS-CHAPv2 is two-way authentication.  There's no way to get around
> that.
> 
Okay, many thanks. I think that confirms what I was beginning to
suspect. As initially mentioned this all arose from a disaster recovery
test of our servers. The problem being caused by the fact that we only
have one MS IAS server and in losing that server we would need to let
all users through RADIUS. I think we will either need to get another IAS
server, or perhaps get freeradius to use LDAP calls as a fallback - we
have resilient servers providing ldap information for our web caches. (I
think I prefer this option :-))

Many thanks for all your help.

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trying to set no authentication for users

2004-01-08 Thread Alan DeKok
John Horne <[EMAIL PROTECTED]> wrote:
> As can be seen it says 'Login OK' but seems to be missing the:
> 
> Sending Access-Accept of id 209 to 127.0.0.1:40603
> MS-CHAP2-Success =
> 0x01533d36364635423233344331414344363438463746353946443832353834324437424131433645464332

  Ah, yes.  For that, the server needs access to the user's password.

  Since you want it to authenticate *anyone* using MS-CHAP, you'll
need to supply all the server with all of their passwords.  In which
case, you might as well let the MSCHAP module just authenticate them
normally.

  MS-CHAPv2 is two-way authentication.  There's no way to get around
that.

  Alan DeKok.



Re: Trying to set no authentication for users

2004-01-08 Thread John Horne
On Thu, 2004-01-08 at 17:08, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > >   Will allow the user through, without password checking.
> > >
> > No it doesn't - I tried that after reading the FAQ. If I use just:
> > 
> > jhornex   Auth-Type := Accept
> > 
> > then radiusd complains that no MSCHAP password has been supplied:
> 
>   Which is why I suggested the patch to the MSCHAP module.
> 
>   Also, list "mschap" in the "authorize" section BEFORE the "files"
> module.  That should make it work.
>
Yes, that list bit makes it work a bit better :-) However, the
connection still gets dropped - it authenticates then disconnects.
radiusd shows:

  rad_recv: Access-Request packet from host 127.0.0.1:40590, id=207,
length=135
  Service-Type = Framed-User
  Framed-Protocol = PPP
  User-Name = "jhornex"
  MS-CHAP-Challenge = 0x9ba0cfb38117c686059c6fcfc1c766c6
  MS-CHAP2-Response =
0x0100e121e9d1b2342bc6ce77b610beac0b493f2b0f1fc8eb1dfc3c8d6548139a79efe61ebda57f88185c
  NAS-IP-Address = 141.163.163.250
  NAS-Port = 0
  modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type :=
MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
  users: Matched jhornex at 221
modcall[authorize]: module "files" returns ok for request 0
  modcall: group authorize returns ok for request 0
rad_check_password:  Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
  Login OK: [jhornex] (from client localhost port 0)
  Sending Access-Accept of id 207 to 127.0.0.1:40590
  Finished request 0
  Going to the next request
===

As can be seen it says 'Login OK' but seems to be missing the:

Sending Access-Accept of id 209 to 127.0.0.1:40603
MS-CHAP2-Success =
0x01533d36364635423233344331414344363438463746353946443832353834324437424131433645464332
MS-MPPE-Recv-Key = 0x4ca560566ccfe8dc36dff7f0ca4105b0
MS-MPPE-Send-Key = 0x87b29ea1f2f4d997c695b364e22fbb80
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0



John



Re: Trying to set no authentication for users

2004-01-08 Thread Alan DeKok
John Horne <[EMAIL PROTECTED]> wrote:
> >   Will allow the user through, without password checking.
> >
> No it doesn't - I tried that after reading the FAQ. If I use just:
> 
> jhornex   Auth-Type := Accept
> 
> then radiusd complains that no MSCHAP password has been supplied:

  Which is why I suggested the patch to the MSCHAP module.

  Also, list "mschap" in the "authorize" section BEFORE the "files"
module.  That should make it work.

  Alan DeKok.




Re: Trying to set no authentication for users

2004-01-08 Thread John Horne
On Thu, 2004-01-08 at 16:48, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > Given that, I assume then that it is then not possible to create a
> > default 'users' file entry which will allow *any* user through if we
> > insist on using MS-CHAPv2? 
> 
>   Auth-Type := Accept
> 
>   Will allow the user through, without password checking.
>
No it doesn't - I tried that after reading the FAQ. If I use just:

jhornex   Auth-Type := Accept

then radiusd complains that no MSCHAP password has been supplied:

  auth: type "MS-CHAP"
  modcall: entering group authenticate for request 0
rlm_mschap: No User-Password configured.  Cannot create LM-Password.
rlm_mschap: No User-Password configured.  Cannot create NT-Password.
rlm_mschap: No LM-Password or NT-Password attribute found.  Cannot  
  perform MS-CHAP authentication.
  modcall[authenticate]: module "mschap" returns fail for request 0
  modcall: group authenticate returns fail for request 0
  auth: Failed to validate the user.

If I enter a User-Password attribute:

   jhornex   Auth-Type := Accept, User-Password == "anything"

then, because I can't use the '!=', '!~' operators I have to let every
user know what the password is.

Either way, use of Accept and MS-CHAP seems to still go through the
password checking.



John.



Re: Trying to set no authentication for users

2004-01-08 Thread Alan DeKok
John Horne <[EMAIL PROTECTED]> wrote:
> Given that, I assume then that it is then not possible to create a
> default 'users' file entry which will allow *any* user through if we
> insist on using MS-CHAPv2? 

  Auth-Type := Accept

  Will allow the user through, without password checking.

  Alan DeKok.



Re: Trying to set no authentication for users

2004-01-08 Thread John Horne
On Thu, 2004-01-08 at 16:19, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > This seemed to make no difference. However I did notice, before and
> > after the change, that if the user file entry has something like:
> > 
> > User-Password != "something"
> > 
> > Then if the user enters the password of 'something' they are
> > authenticated.
> 
>   It's a bug.
> 
> > In which case I think I am somewhat lost! :-) Given that in our case
> > MS-CHAPv2 must be used, and hence some form of encryption is going on,
> > do the '!=', '!~' etc operators still apply?
> 
>   Not for passwords, for a number of reasons.
> 
Okay, thanks for this. I had a quick look at the rlm_mschap.c code and
as far as I could tell the user-supplied password and the password in
the 'users' file are encrypted and then compared using memcmp (line 856
from freeradius version 0.9.3). If they are not the same then the
authentication fails. In that respect the '!=', etc operators are not
used.

Given that, I assume then that it is then not possible to create a
default 'users' file entry which will allow *any* user through if we
insist on using MS-CHAPv2? 


John.



Re: Trying to set no authentication for users

2004-01-08 Thread Alan DeKok
John Horne <[EMAIL PROTECTED]> wrote:
> This seemed to make no difference. However I did notice, before and
> after the change, that if the user file entry has something like:
> 
> User-Password != "something"
> 
> Then if the user enters the password of 'something' they are
> authenticated.

  It's a bug.

> In which case I think I am somewhat lost! :-) Given that in our case
> MS-CHAPv2 must be used, and hence some form of encryption is going on,
> do the '!=', '!~' etc operators still apply?

  Not for passwords, for a number of reasons.

  Alan DeKok.



Re: Trying to set no authentication for users

2004-01-08 Thread John Horne
On Wed, 2004-01-07 at 15:54, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > However, if I simply change the users file entry to:
> > 
> >   fred   Auth-Type := Local, User-Password != "anything"
> > 
> > Specifying that the pwd should not be 'anything' then it doesn't work.
> > That is, I cannot authenticate. The radiusd output shows:
> 
>   I don't see why you would expect that user to authenticate.
> 
Because I am reading the '!=' as meaning that when a check of the stored
password and the user-supplied password is done then the user is 'valid'
- that is, authenticated - providing the password they entered did not
match the radiusd calculated/encrypted password derived from 'anything'.
If that is not so then what do the '!=', '!~', '=*' and so on mean?

> 
>   OK, go to src/modules/rlm_mschap/rlm_mschap.c, look for:
> 
>   vp = pairmake("Auth-Type", authtype_name, T_OP_SET);
> 
>   change the T_OP_SET to T_OP_EQ, and re-compile & install the
> module.  It should work then.
> 
This seemed to make no difference. However I did notice, before and
after the change, that if the user file entry has something like:

User-Password != "something"

Then if the user enters the password of 'something' they are
authenticated. To me this seems odd since what then is the difference
between using '==' or '!='? My reading of this, as stated above, is that
if they enter 'something' as the password they should not be
authenticated, and if they enter anything which does not match
'something' then they will.

> > Anyone got any suggestions about this. Relevant parts of the
> > radiusd.conf are below, but simply change the users file entry operator
> > from '==' to '!=' surely shouldn't cause a problem? All the encryption
> > stuff should work because instead of comparing the users file password
> > with the one the user enters when connecting should simply check for
> > equality or not. When '==' is used they should be equal, when '!=' is
> > used they should not be equal.
> 
>   Due to the way passwords are checked, it doesn't quite work that
> way.
>
In which case I think I am somewhat lost! :-) Given that in our case
MS-CHAPv2 must be used, and hence some form of encryption is going on,
do the '!=', '!~' etc operators still apply? If so, then how are they
applied? As stated above using '==' or '!=' makes no difference, in both
cases the user is authenticated.



John.



Re: Trying to set no authentication for users

2004-01-07 Thread Alan DeKok
John Horne <[EMAIL PROTECTED]> wrote:
...
> This all works fine; the user is authenticated and radiusd sees that
> MS-CHAPv2 is being used (and is to be used).

  Hmm... so MS-CHAPv2 works, as I suspected.  Recent discussion on the
list says it's broken on some systems, but I don't know why.

> However, if I simply change the users file entry to:
> 
>   fred   Auth-Type := Local, User-Password != "anything"
> 
> Specifying that the pwd should not be 'anything' then it doesn't work.
> That is, I cannot authenticate. The radiusd output shows:

  I don't see why you would expect that user to authenticate.

> My thought was to make a default entry such as:
> 
>   DEFAULT   Auth-Type := Local, User-Password != "something"
> 
> I have tried, from the FAQ, using just 'Auth-Type = Accept' but although
> radiusd seems to accept the user and password, the connection then
> fails.

  Hmm... that's probably an issue with the MS-CHAP module.

  OK, go to src/modules/rlm_mschap/rlm_mschap.c, look for:

vp = pairmake("Auth-Type", authtype_name, T_OP_SET);

  change the T_OP_SET to T_OP_EQ, and re-compile & install the
module.  It should work then.

> Anyone got any suggestions about this. Relevant parts of the
> radiusd.conf are below, but simply change the users file entry operator
> from '==' to '!=' surely shouldn't cause a problem? All the encryption
> stuff should work because instead of comparing the users file password
> with the one the user enters when connecting should simply check for
> equality or not. When '==' is used they should be equal, when '!=' is
> used they should not be equal.

  Due to the way passwords are checked, it doesn't quite work that
way.

  Alan DeKok.



Trying to set no authentication for users

2004-01-07 Thread John Horne
Hello,

I have been asked to run through some disaster recovery checks for our
servers, and one (pair) of these servers runs RADIUS but does so in
order to talk to a Microsoft IAS server (for the actual authentication).
In the event of a disaster the IAS server may be lost, and as such I
would like to be able to put into the 'users' file a DEFAULT entry to
simply allow all users through.

Users connecting to this system for authentication are required to be
using MS-CHAPv2 with MPPE and strong encryption. There is no problem
with this, and entering users into the users file itself for
authentication works fine. However, I am having a lot of trouble trying
to get it to just let all users through.

If I have an entry in the users file such as:

   fred   Auth-Type := Local, User-Password == "anything"

this works fine. Debug output from radiusd shows:

==
rad_recv: Access-Request packet from host 127.0.0.1:37229, id=55,
length=135
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "fred"
MS-CHAP-Challenge = 0x7ff02513996443c04f7d280a820730b5
MS-CHAP2-Response = 0x01009d037c05f32b32648cc561c047c5e56c0974512bcb2c65addd6edab9c9caf4d18660ae908b206e03
NAS-IP-Address = 141.163.163.250
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
users: Matched fred at 220
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [fred] (from client localhost port 0)
Sending Access-Accept of id 55 to 127.0.0.1:37229
MS-CHAP2-Success = 0x01533d42424438423038344545373041393441463244373339324645323833434437313343424543413641
MS-MPPE-Recv-Key = 0xdf02432bffb7b8b4313cdb04515ecba440ba63a8bc4a95a2a425f4c225cd850416dc
MS-MPPE-Send-Key = 0xdf01d4b2fc3bf9cb6054f92175106cf105f49e8d3408586aa2af17f0e615fc5ffc01
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
==

This all works fine; the user is authenticated and radiusd sees that
MS-CHAPv2 is being used (and is to be used).

However, if I simply change the users file entry to:

  fred   Auth-Type := Local, User-Password != "anything"

Specifying that the pwd should not be 'anything' then it doesn't work.
That is, I cannot authenticate. The radiusd output shows:

===
rad_recv: Access-Request packet from host 127.0.0.1:38635, id=130,
length=135
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "fred"
MS-CHAP-Challenge = 0x5079b24962676ca1fefc3a935a7c4a12
MS-CHAP2-Response =
0x0100021413eac173639764d57968f33043e3b49cc542c3a9427787a46df5e94e67efef8c75e935267049
NAS-IP-Address = 141.163.163.250
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
users: Matched fred at 222
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: Authentication failed
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
  modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [fred] (from client localhost port 0)
Delaying request 0 for 5 seconds
Finished request 0
===

My thought was to make a default entry such as:

  DEFAULT   Auth-Type := Local, User-Password != "something"

I have tried, from the FAQ, using just 'Auth-Type = Accept' but although
radiusd seems to accept the user and password, the connection then
fails. The mschap module (?) expects a password but doesn't see any (it
seems) - it gives a 'notfound' error. Adding the above User-Password
attribute, and using '=*' or one of the regular expression operators
('=~') seems to make no difference. Radiusd returns the same error as
above about nothing in the packet being recognised.


Anyone got any suggestions about this. Relevant parts of the