Discussion:
FreeRadius 3.0.11 [Best method to log access accept requests to DB]
Alan DeKok
2018-11-15 11:54:03 UTC
> We are trying to log users' Access-Accept requests in a database for later
> statistics and analysis for the network. Firstly, we accomplished this
> requirement using the post-auth section, using the sql module to insert
> users' requests, and it worked perfectly; however, and obviously, if the
> database is down for any reason, the RADIUS server won't process further
> requests, which will prevent users from authenticating.
> So we are wondering if there is any method to log RADIUS accept requests in
> a similar fashion to "Post-Auth-Type REJECT", where we noticed that
> FreeRadius can keep accepting RADIUS requests and tolerate DB failures.
You can use the "linelog" module to log requests to a file on disk.

Alan DeKok.


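As an added configuration example (not from the thread or the FreeRADIUS project's stock files): a linelog instance that writes one line per reply to a local file, and a post-auth section in which the sql call is wrapped so that a database outage cannot fail the request. The instance name "accept_log" and the log path are assumptions.

```unlang
# Added example; instance name "accept_log" and the log path are assumed.

# mods-available/linelog (copied into mods-enabled/)
linelog accept_log {
    filename    = ${logdir}/access-accept.log
    permissions = 0600
    # Used only if "reference" below does not resolve to a message.
    format    = "%T %{reply:Packet-Type} user=%{User-Name}"
    # Choose the message template by reply packet type, else "default".
    reference = "messages.%{%{reply:Packet-Type}:-default}"
    messages {
        default       = "%T %{reply:Packet-Type} user=%{User-Name}"
        Access-Accept = "%T Access-Accept user=%{User-Name} nas=%{NAS-IP-Address} mac=%{Calling-Station-Id}"
        Access-Reject = "%T Access-Reject user=%{User-Name} nas=%{NAS-IP-Address}"
    }
}

# sites-enabled/default, post-auth section
post-auth {
    # Local file first: writing to disk does not depend on the database.
    accept_log

    # Still record to SQL while it is up. In a "redundant" block the next
    # entry runs only if the previous one returned "fail"; the bare "ok"
    # then makes the block succeed, so the Access-Accept is still sent.
    redundant {
        sql
        ok
    }

    Post-Auth-Type REJECT {
        accept_log
        attr_filter.access_reject
    }
}
```

Check the result with `radiusd -X`: after a simulated database outage the debug output should show sql returning fail, the redundant block returning ok, and the Access-Accept still being sent.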
Alan DeKok
2018-11-16 00:00:31 UTC
> I don't understand what is failing here...
> When I run `radtest -t mschap christian.salway pa$$word 10.0.0.247 0 testing123`
> the response is
It's typically good to look at *ALL* of the debug output. You can't just look at a tiny piece of the output and expect to understand the whole thing.
> (3) authenticate {
> (3) mschap: Client is using MS-CHAPv1 with NT-Password
> ...
> (3) mschap: ERROR: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge
That seems to be clear enough.

The server isn't receiving an MS-CHAP2-Response attribute.
> And if I try it with MS-CHAPv2
> (7) authenticate {
> (7) mschap: Creating challenge hash with username: christian.salway
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (7) mschap: --> --username=christian.salway
> (7) mschap: Creating challenge hash with username: christian.salway
> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7) mschap: --> --challenge=87096cbcc288f585
> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7) mschap: --> --nt-response=69ebf16ddad737fbaa5315235a9316fe9ccb5fcbc06c07e2
> (7) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
AD is rejecting the user. This unfortunately is out of the control of FreeRADIUS.
> What's going on?!
AD is rejecting the user. Ask AD what the user's password is. And, why it's rejecting the user.

The MS-CHAP calculations have been known, and known to work, for about 20 years. If AD is rejecting this with "Logon failure", then:

a) the user's password in AD is not what the user entered on their system

b) the user's account is locked out, or doesn't exist, or has another administrative setting that says "reject them"

There really are no other options here.

Try *simplifying* the problem. Instead of going to AD, configure a local password for the user. One that you can't get wrong. Then, try it with AWS. If that fails, then my guess is that AWS is broken.

And post the *full* debug output here. ALL of it.

Alan DeKok.


Alan DeKok
2018-11-16 11:38:29 UTC
> Is it possible to have 2 paths for authentication on the same freeRadius server?
> 1) In on UDP:1812 from VPN server which uses eap-mschapv2 and authenticates against Active Directory using LDAP and ntlm_auth.
> 2) In on UDP:1812 from AWS which uses PAP and needs to send a request to Duo over TCP:443.
Yes. Read raddb/sites-available/README

Alan DeKok.


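As an added configuration example (not from the thread or the FreeRADIUS README): both clients keep sending to the one listener on UDP 1812, and the per-client "virtual_server" directive in clients.conf routes each one to its own virtual server with its own policy. Client addresses, secrets and server names are constructed placeholders; the Duo call is site-specific and not shown.

```unlang
# Added example; addresses, secrets and server names are constructed.

# clients.conf: each client is dispatched to its own virtual server
client vpn_gateway {
    ipaddr         = 192.0.2.10       # constructed address
    secret         = CHANGE_ME_VPN
    virtual_server = vpn
}
client aws_proxy {
    ipaddr         = 192.0.2.20       # constructed address
    secret         = CHANGE_ME_AWS
    virtual_server = aws
}

# sites-enabled/vpn: EAP-MSCHAPv2; the mschap module's ntlm_auth setting
# (already in use per the question) checks the password against AD.
server vpn {
    authorize {
        preprocess
        eap
        ldap              # AD lookups (groups, attributes)
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

# sites-enabled/aws: PAP. "files" supplies a local Cleartext-Password so
# pap can verify it; the Duo second factor would be added to this server.
server aws {
    authorize {
        preprocess
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
```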
Noel Butler
2018-11-19 12:57:19 UTC
what a jackass
please don't send email
please don't send email
> Hi,
> We are trying to log users' Access-Accept requests in a database for later
> statistics and analysis for the network. Firstly, we accomplished this
> requirement using the post-auth section, using the sql module to insert
> users' requests, and it worked perfectly; however, and obviously, if the
> database is down for any reason, the RADIUS server won't process further
> requests, which will prevent users from authenticating.
> So we are wondering if there is any method to log RADIUS accept requests in
> a similar fashion to "Post-Auth-Type REJECT", where we noticed that
> FreeRadius can keep accepting RADIUS requests and tolerate DB failures.
> Ibrahim
> --
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Kind Regards,

Noel Butler
