Dear Igor Maciel Macaubas,

Put chap and mschap into the end of the list.

Alternatively you can download current version of RADIUS, but you still
need to have mschap in the end of the list if you want authentication to
be selected automatically.

--Tuesday, March 25, 2003, 6:05:58 PM, you wrote to freeradius-***@lists.cistron.nl:

IMM> Hi 3APA3A,

IMM> My authorization section looks like this:

IMM> authorize {
IMM> #
IMM> # The preprocess module takes care of sanitizing some bizarre
IMM> # attributes in the request, and turning them into attributes
IMM> # which are more standard.
IMM> #
IMM> # It takes care of processing the 'raddb/hints' and the
IMM> # 'raddb/huntgroups' files.
IMM> #
IMM> # It also adds a Client-IP-Address attribute to the request.
IMM> preprocess

IMM> #
IMM> # The chap module will set 'Auth-Type := CHAP' if we are
IMM> # handling a CHAP request and Auth-Type has not already been set
IMM> chap

IMM> #
IMM> # If the users are logging in with an MS-CHAP-Challenge
IMM> # attribute for authentication, the mschap module will find
IMM> # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
IMM> # to the request, which will cause the server to then use
IMM> # the mschap module for authentication.
IMM> mschap

IMM> # counter
IMM> # attr_filter
IMM> # eap
IMM> suffix
IMM> files
IMM> sql
IMM> # etc_smbpasswd
IMM> # The ldap module will set Auth-Type to LDAP if it has not already been set
IMM> # ldap
IMM> }

IMM> Where should I move MSCHAP?

IMM> Regards,
IMM> Igor
IMM> --
IMM> ***@fastbee.net

IMM> ----- Original Message -----
IMM> From: "3APA3A" <***@SECURITY.NNOV.RU>
IMM> To: <freeradius-users-***@lists.cistron.nl>; "Igor Maciel Macaubas"
IMM> <***@fastbee.net>
IMM> Cc: "freeradius users" <freeradius-***@lists.cistron.nl>
IMM> Sent: Tuesday, March 25, 2003 11:54 AM
IMM> Subject: Re: Problems with MS-CHAP/MS-CHAPv2


IMM> Dear Igor Maciel Macaubas,

IMM> Put mschap after users in authorization.

IMM> --Tuesday, March 25, 2003, 5:50:22 PM, you wrote to
IMM> freeradius-***@lists.cistron.nl:

IMM>> Hi,

IMM>> I'm not a newbie to RADIUS or FreeRADIUS, but I'm a newbie in
IMM> MSCHAP/MSCHAPv2 authentication.
IMM>> I have a fresh FreeRADIUS server installed on a RedHat 8.0 box, w/
IMM> kernel 2.4.20.
IMM>> I'm using the latest version of FreeRADIUS at this time (FreeRADIUS
IMM> Version 0.8.1, for host i686-pc-linux-gnu, built on Mar 7 2003 at
IMM> 12:11:12), installed from the .tar.gz package.
IMM>> The RADIUS authentication is working, and also the accounting is fine.
IMM> But I can just authenticate using PAP/CHAP methods. As I need to put mppe
IMM> over my connections, I must authenticate using
IMM>> MSCHAP/MSCHAPv2, and it has not been easy or well-documented. (in two
IMM> days searching over the internet, I couldn't find any usefull
IMM> article/email).

IMM>> Bellow are my authentication log's (for PAP/CHAP) - those ones work:
IMM>> Tue Mar 25 11:18:30 2003 : Auth: Login OK: [igor/mypassword123] (from
IMM> client RAS_TEST port 0)
IMM>> Tue Mar 25 11:19:16 2003 : Auth: Login OK: [igor/<CHAP-Password>] (from
IMM> client RAS_TEST port 0)

IMM>> And now, when I try with MSCHAPv2:
IMM>> Tue Mar 25 11:33:02 2003 : Auth: Login incorrect: [igor/<no
IMM> User-Password attribute>] (from client develop-rec port 0)

IMM>> And If I go to the user settings and force MSCHAP auth (Auth-type ==
IMM> MS-CHAP):
IMM>> Tue Mar 25 11:35:16 2003 : Error: rlm_mschap: No LM/NT password
IMM> configured. Check authorization.
IMM>> Tue Mar 25 11:35:16 2003 : Auth: Login incorrect: [igor/<no
IMM> User-Password attribute>] (from client develop-rec port 0)

IMM>> When I execute the RADIUS with -X option, I got this DUMP when I try to
IMM> auth using MSCHAP:
IMM>> ------- START ---------
IMM>> rad_recv: Access-Request packet from host 192.168.2.6:32861, id=168,
IMM> length=144
IMM>> Service-Type = Framed-User
IMM>> Framed-Protocol = PPP
IMM>> User-Name = "***@fastbee.net"
IMM>> MS-CHAP-Challenge = 0x83e1cbaedd8cc8b8af29ebc4b5a922d8
IMM>> MS-CHAP2-Response =
IMM> 0x01002ae59a8e96df154f317aa76840a4f05c0000000000000000fffb3d38d774b8fb2466ca
IMM> de8b56ed8dbcf76ea3ae7977d9
IMM>> NAS-IP-Address = 192.168.2.6
IMM>> NAS-Port = 0
IMM>> modcall: entering group authorize
IMM>> modcall[authorize]: module "preprocess" returns ok
IMM>> rlm_chap: Could not find proper Chap-Password attribute in request
IMM>> modcall[authorize]: module "chap" returns noop
IMM>> modcall[authorize]: module "mschap" returns notfound
IMM>> rlm_realm: Looking up realm fastbee.net for User-Name =
IMM> "***@fastbee.net"
IMM>> rlm_realm: Found realm DEFAULT
IMM>> rlm_realm: Adding Stripped-User-Name = "igor"
IMM>> rlm_realm: Proxying request from user igor to realm DEFAULT
IMM>> rlm_realm: Adding Realm = "DEFAULT"
IMM>> rlm_realm: Authentication realm is LOCAL.
IMM>> modcall[authorize]: module "suffix" returns noop
IMM>> users: Checking igor at 154
IMM>> rad_check_password: Found Auth-Type Local
IMM>> auth: type Local
IMM>> auth: No User-Password or CHAP-Password attribute in the request
IMM>> users: Matched DEFAULT at 182
IMM>> users: Matched DEFAULT at 201
IMM>> users: Matched DEFAULT at 213
IMM>> modcall[authorize]: module "files" returns ok
IMM>> radius_xlat: '***@fastbee.net'
IMM>> rlm_sql (sql): sql_set_user escaped user --> '***@fastbee.net'
IMM>> radius_xlat: 'SELECT id,login,radius_atributo,senha,radius_operacao
IMM> FROM tb_mercurius_login WHERE login = '***@fastbee.net' ORDER BY id'
IMM>> rlm_sql (sql): Reserving sql socket id: 4
IMM>> radius_xlat: 'SELECT
IMM>>
IMM> tb_mercurius_radius_radgroupcheck.id,tb_mercurius_radius_radgroupcheck.Group
IMM> Name,tb_mercurius_radius_radgroupcheck.Attribute,tb_mercurius_radius_radgrou
IMM> pcheck.Value,tb_mercurius_radius_radgroupcheck.op
IMM>> FROM tb_mercurius_radius_radgroupcheck,tb_mercurius_login WHERE
IMM> tb_mercurius_login.login = '***@fastbee.net' AND
IMM> tb_mercurius_login.radius_grupo =
IMM> tb_mercurius_radius_radgroupcheck.GroupName
IMM>> ORDER BY tb_mercurius_radius_radgroupcheck.id'
IMM>> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM
IMM> tb_mercurius_radius_radreply WHERE Username = '***@fastbee.net' ORDER BY
IMM> id'
IMM>> radius_xlat: 'SELECT
IMM>>
IMM> tb_mercurius_radius_radgroupreply.id,tb_mercurius_radius_radgroupreply.Group
IMM> Name,tb_mercurius_radius_radgroupreply.Attribute,tb_mercurius_radius_radgrou
IMM> preply.Value,tb_mercurius_radius_radgroupreply.op
IMM>> FROM tb_mercurius_radius_radgroupreply,tb_mercurius_login WHERE
IMM> tb_mercurius_login.login = '***@fastbee.net' AND
IMM> tb_mercurius_login.radius_grupo =
IMM> tb_mercurius_radius_radgroupreply.GroupName
IMM>> ORDER BY tb_mercurius_radius_radgroupreply.id'
IMM>> rlm_sql (sql): Released sql socket id: 4
IMM>> modcall[authorize]: module "sql" returns ok
IMM>> modcall: group authorize returns ok
IMM>> rad_check_password: Found Auth-Type MS-CHAP
IMM>> auth: type "MS-CHAP"
IMM>> modcall: entering group authtype
IMM>> rlm_mschap: No LM/NT password configured. Check authorization.
IMM>> modcall[authenticate]: module "mschap" returns invalid
IMM>> modcall: group authtype returns invalid
IMM>> auth: Failed to validate the user.
IMM>> Login incorrect: [igor/<no User-Password attribute>] (from client
IMM> RAS_TEST port 0)
IMM>> Delaying request 0 for 1 seconds
IMM>> Finished request 0
IMM>> Going to the next request
IMM>> --- Walking the entire request list ---
IMM>> Waking up in 1 seconds...
IMM>> --- Walking the entire request list ---
IMM>> Waking up in 1 seconds...
IMM>> --- Walking the entire request list ---
IMM>> Sending Access-Reject of id 168 to 192.168.2.6:32861
IMM>> MS-CHAP-Error = "\001E=691 R=1"
IMM>> Waking up in 4 seconds...
IMM>> --- Walking the entire request list ---
IMM>> Cleaning up request 0 ID 168 with timestamp 3e8069b4
IMM>> Nothing to do. Sleeping until we see a request.
IMM>> -------------- END ----------------

IMM>> Bellow is my configuration file (I have splitted out the commented
IMM> lines to be smaller):
IMM>> OBS: I'm using high level-logging because this is a test server.
IMM>> -------------- START -----------------

IMM>> prefix = /usr/local/freeradius
IMM>> exec_prefix = ${prefix}
IMM>> sysconfdir = ${prefix}/etc
IMM>> localstatedir = ${prefix}/var
IMM>> sbindir = ${exec_prefix}/sbin
IMM>> logdir = ${localstatedir}/log/radius
IMM>> raddbdir = ${sysconfdir}/raddb
IMM>> radacctdir = ${logdir}/radacct
IMM>> confdir = ${raddbdir}
IMM>> run_dir = ${localstatedir}/run/radiusd
IMM>> log_file = ${logdir}/radius.log
IMM>> libdir = ${exec_prefix}/lib
IMM>> pidfile = ${run_dir}/radiusd.pid

IMM>> user = radius
IMM>> group = radius

IMM>> max_request_time = 30
IMM>> delete_blocked_requests = no

IMM>> cleanup_delay = 5
IMM>> max_requests = 1024
IMM>> bind_address = *
IMM>> port = 1812
IMM>> hostname_lookups = no
IMM>> allow_core_dumps = no
IMM>> regular_expressions = yes
IMM>> extended_expressions = yes

IMM>> log_stripped_names = yes
IMM>> log_auth = yes
IMM>> log_auth_badpass = yes
IMM>> log_auth_goodpass = yes
IMM>> usercollide = yes
IMM>> lower_user = no
IMM>> lower_pass = no
IMM>> nospace_user = no
IMM>> nospace_pass = no

IMM>> checkrad = ${sbindir}/checkrad

IMM>> security {
IMM>> max_attributes = 200
IMM>> reject_delay = 1
IMM>> status_server = no
IMM>> }

IMM>> proxy_requests = no
IMM>> $INCLUDE ${confdir}/proxy.conf
IMM>> $INCLUDE ${confdir}/clients.conf
IMM>> $INCLUDE ${confdir}/snmp.conf

IMM>> thread pool {
IMM>> start_servers = 5
IMM>> max_servers = 32
IMM>> min_spare_servers = 3
IMM>> max_spare_servers = 10
IMM>> max_requests_per_server = 0
IMM>> }

IMM>> modules {
IMM>> pap {
IMM>> encryption_scheme = clear
IMM>> }
IMM>> chap {
IMM>> authtype = CHAP
IMM>> }
IMM>> pam {
IMM>> pam_auth = radiusd
IMM>> }
IMM>> unix {
IMM>> cache = no
IMM>> cache_reload = 600
IMM>> radwtmp = ${logdir}/radwtmp
IMM>> }

IMM>> eap {
IMM>> md5 {
IMM>> }
IMM>> }

IMM>> mschap {
IMM>> authtype = MS-CHAP
IMM>> }

IMM>> ldap {
IMM>> server = "ldap.your.domain"
IMM>> basedn = "o=My Org,c=UA"
IMM>> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
IMM>> start_tls = no
IMM>> tls_mode = no
IMM>> access_attr = "dialupAccess"
IMM>> dictionary_mapping = ${raddbdir}/ldap.attrmap
IMM>> ldap_connections_number = 5
IMM>> timeout = 4
IMM>> timelimit = 3
IMM>> net_timeout = 1
IMM>> }

IMM>> realm suffix {
IMM>> format = suffix
IMM>> delimiter = "@"
IMM>> }

IMM>> realm realmslash {
IMM>> format = prefix
IMM>> delimiter = "/"
IMM>> }

IMM>> realm realmpercent {
IMM>> format = suffix
IMM>> delimiter = "%"
IMM>> }

IMM>> preprocess {
IMM>> huntgroups = ${confdir}/huntgroups
IMM>> hints = ${confdir}/hints
IMM>> with_ascend_hack = no
IMM>> ascend_channels_per_line = 23
IMM>> with_ntdomain_hack = no
IMM>> with_specialix_jetstream_hack = no
IMM>> with_cisco_vsa_hack = no
IMM>> }

IMM>> files {
IMM>> usersfile = ${confdir}/users
IMM>> acctusersfile = ${confdir}/acct_users
IMM>> compat = no
IMM>> }

IMM>> detail {
IMM>> detailfile =
IMM> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
IMM>> detailperm = 0600
IMM>> }

IMM>> acct_unique {
IMM>> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
IMM> Client-IP-Address, NAS-Port-Id"
IMM>> }

IMM>> $INCLUDE ${confdir}/sql.conf

IMM>> radutmp {
IMM>> filename = ${logdir}/radutmp
IMM>> perm = 0600
IMM>> callerid = "yes"
IMM>> }

IMM>> radutmp sradutmp {
IMM>> filename = ${logdir}/sradutmp
IMM>> perm = 0644
IMM>> callerid = "no"
IMM>> }

IMM>> attr_filter {
IMM>> attrsfile = ${confdir}/attrs
IMM>> }

IMM>> counter {
IMM>> filename = ${raddbdir}/db.counter
IMM>> key = User-Name
IMM>> count-attribute = Acct-Session-Time
IMM>> reset = daily
IMM>> counter-name = Daily-Session-Time
IMM>> check-name = Max-Daily-Session
IMM>> allowed-servicetype = Framed-User
IMM>> cache-size = 5000
IMM>> }

IMM>> always fail {
IMM>> rcode = fail
IMM>> }
IMM>> always reject {
IMM>> rcode = reject
IMM>> }
IMM>> always ok {
IMM>> rcode = ok
IMM>> simulcount = 0
IMM>> mpp = no
IMM>> }

IMM>> expr {
IMM>> }


IMM>> }

IMM>> instantiate {
IMM>> expr
IMM>> }

IMM>> authorize {
IMM>> preprocess
IMM>> chap
IMM>> mschap
IMM>> suffix
IMM>> files
IMM>> sql
IMM>> }

IMM>> authenticate {
IMM>> authtype PAP {
IMM>> pap
IMM>> }

IMM>> authtype CHAP {
IMM>> chap
IMM>> }

IMM>> authtype MS-CHAP {
IMM>> mschap
IMM>> }
IMM>> unix
IMM>> }

IMM>> preacct {
IMM>> preprocess
IMM>> suffix
IMM>> files
IMM>> }

IMM>> accounting {
IMM>> acct_unique
IMM>> detail
IMM>> radutmp
IMM>> sql
IMM>> }

IMM>> session {
IMM>> radutmp
IMM>> }

IMM>> post-auth {
IMM>> }

IMM>> --- END ---

IMM>> Sorry about the size of the email, but I really don't know what's going
IMM> on.

IMM>> Regards,
IMM>> Igor
IMM>> --
IMM>> ***@fastbee.net


IMM> --
IMM> ~/ZARAZA
IMM> Ïî÷òåííûå èñêîïàåìûå! Æäó îò âàñ äàëüíåéøèõ ïèñåì. (Òâåí)


IMM> -
IMM> List info/subscribe/unsubscribe? See
IMM> http://www.freeradius.org/list/users.html



IMM> -
IMM> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html