[Pkg-freeradius-maintainers] Bug#896952: Bug#896952: freeradius: NT/LM password check fails, if Calling-Station-Id per user check activated

Michael Stapelberg stapelberg at debian.org
Thu Apr 26 14:01:31 BST 2018


Thanks for your message. This seems like an upstream issue, not like an
issue with the Debian packaging.

Hence, could you please redirect your question to the FreeRADIUS mailing
list? See https://freeradius.org/support/

On Thu, Apr 26, 2018 at 11:46 AM, Marek Lukács <marek.lukacs at gmail.com>
wrote:

> Package: freeradius
> Version: 3.0.12+dfsg-5+deb
> Architecture: amd64
>
> I want to have per-user MAC address checking and per-user VLAN
> assignment. It is possible if:
>
>
>
> 1/ Request attributes are copied into the inner tunnel by adding
>
> copy_request_to_tunnel = yes
>
> into
>
> eap { peap { } }
>
> in file /etc/freeradius/3.0/mods-enabled/eap
>
>
>
> 2/ Send inner tunnel attributes to the outside by adding
>
> use_tunneled_reply = yes
>
> into
>
> eap { peap { } }
>
> in file /etc/freeradius/3.0/mods-enabled/eap
>
>
>
> 3/ Users are defined like:
>
> username Cleartext-Password := "password" , Calling-Station-ID ==
> "00-DE-AD-BE-EF-00"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-ID = 100,
>         Fall-Through = Yes
>
> in file /etc/freeradius/3.0/users
>
>
>
> This works fine and the MAC address is checked for Android devices. But
> when using a Windows 10 device, authentication fails with:
>
> (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) eap_mschapv2:   authenticate {
> (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> (7) mschap: Creating challenge hash with username: czpzlpwd0006
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
> (7)     [mschap] = reject
> (7)   } # authenticate = reject
>
>
>
>
> But it happens only if Calling-Station-ID is next to
> Cleartext-Password in the users file. If that line does not have
> Calling-Station-ID and the user is defined like:
>
> username Cleartext-Password := "password"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-ID = 100,
>         Fall-Through = Yes
>
> Authentication works and the Windows 10 device is authenticated, but no
> MAC address is checked.
>
>
>
> My other modifications to my configuration:
>
> 1/ enabled ntdomain realms in
> /etc/freeradius/3.0/sites-enabled/default and
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
>
> 2/ configured local DOMAIN in /etc/freeradius/3.0/proxy.conf
>
> realm DOMAIN {
> }
>
>
>
> It looks like mschap is using NTLM password checking if an MS Windows
> device is authenticating, but another method (MD5?) if it is an Android
> device.
>
> The result is that users with an Android device can be configured
> including Calling-Station-ID, but Windows devices must be configured
> without Calling-Station-ID, so there is no MAC address checking for
> Windows devices. To me it looks like mschap NT/LM auth is not parsing
> the line correctly if there is a Calling-Station-ID.
>
> I expect that I can use per-user MAC address checking independently
> of the end device used, so Android and Windows users can be configured
> with Calling-Station-ID.
>
>
>
> I am using Debian GNU/Linux 9.4, kernel 4.9.0-6-amd64 #1 SMP Debian
> 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux and libc6
> 2.24-11+deb9u3.
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> Pkg-freeradius-maintainers at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeradius-maintainers
>



-- 
Best regards,
Michael
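Editor's added example, not code from the report above and not FreeRADIUS code: a small Python model of what the FreeRADIUS "files" module does with a users entry of the shape quoted above, followed by the precondition that the mschap module checks before it can verify an MS-CHAP2-Response. The point it shows is that the "==" check items on an entry's first line are all-or-nothing: if Calling-Station-Id == "00-DE-AD-BE-EF-00" does not match the inner-tunnel request, the whole entry is skipped, so no Cleartext-Password reaches the control list, and mschap then logs exactly the "No Cleartext-Password configured" and "No NT/LM-Password" lines quoted in the report. String values are compared exactly, so a NAS that spells the MAC as 00:de:ad:be:ef:00 or 00de.adbe.ef00 never matches a hyphenated upper-case entry; normalize_mac (a hypothetical helper name; FreeRADIUS ships a rewrite_calling_station_id policy in policy.d that performs a similar rewrite) shows the fix. The users text and the two requests are constructed inputs, and the model treats attribute names case-sensitively for brevity (FreeRADIUS itself does not). Whether a MAC spelling mismatch is what the reporter hit cannot be told from the quoted log; a debug trace (freeradius -X on Debian) showing the Calling-Station-Id the inner-tunnel request actually carries would settle it. One caveat worth keeping in mind: Calling-Station-Id is the MAC the client reports to the NAS, so this check only stops credential reuse from another device by a cooperative user; it is not a second authentication factor.

```python
"""Model of the FreeRADIUS `files` module applying a `users` entry, plus the
precondition `mschap` checks.  Added example, not FreeRADIUS code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)


@dataclass
class Entry:
    name: str
    check: List[Item]                        # first line: `==` compares and `:=` control items
    reply: List[Item] = field(default_factory=list)  # indented lines: reply items


# Constructed users entry, same shape as the one in the report.
USERS_FILE = '''\
username Cleartext-Password := "password", Calling-Station-Id == "00-DE-AD-BE-EF-00"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 100,
        Fall-Through = Yes
'''

ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_items(text: str) -> List[Item]:
    """Parse `Attr op value, Attr op value ...` into (attr, op, value) triples."""
    items: List[Item] = []
    for m in ITEM_RE.finditer(text):
        attr, op, quoted, bare = m.groups()
        items.append((attr, op, quoted if quoted is not None else bare))
    return items


def parse_users(text: str) -> List[Entry]:
    """Unindented line = user name (or DEFAULT) plus check items; indented lines = reply items."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1].reply.extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append(Entry(name, parse_items(rest)))
    return entries


def files_authorize(request: Dict[str, str], entries: List[Entry]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Every `==` item of an entry must match the request, or the WHOLE entry is
    skipped, including its `:=` control items; nothing partial is applied."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for e in entries:
        if e.name not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(request.get(a) != v for a, op, v in e.check if op == "=="):
            continue                                   # no Cleartext-Password gets set
        control.update({a: v for a, op, v in e.check if op == ":="})
        fall_through = False
        for a, _op, v in e.reply:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply[a] = v
        if not fall_through:
            break
    return control, reply


def mschap_authenticate(control: Dict[str, str]) -> str:
    """mschap can only check an MS-CHAP2-Response if it can derive the NT hash,
    i.e. if the control list carries Cleartext-Password or NT-Password."""
    if "Cleartext-Password" in control or "NT-Password" in control:
        return "ok"
    return "reject: No NT/LM-Password. Cannot perform authentication"


MAC_RE = re.compile(r"^([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?"
                    r"([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})$", re.I)


def normalize_mac(value: str) -> str:
    """Hypothetical helper: rewrite common NAS MAC spellings (colons, dots, bare hex,
    any case) to the upper-case hyphenated form; non-MAC values pass through."""
    m = MAC_RE.match(value.strip())
    return "-".join(g.upper() for g in m.groups()) if m else value


def inner_tunnel(request: Dict[str, str], users_text: str, normalize: bool = False) -> Tuple[str, Dict[str, str]]:
    """authorize (files) then authenticate (mschap); returns (result, reply items)."""
    req = dict(request)
    if normalize and "Calling-Station-Id" in req:
        req["Calling-Station-Id"] = normalize_mac(req["Calling-Station-Id"])
    control, reply = files_authorize(req, parse_users(users_text))
    result = mschap_authenticate(control)
    return ("accept" if result == "ok" else result), reply


# Constructed inner-tunnel requests: same user, same MAC, two NAS spellings.
REQ_NAS_A = {"User-Name": "username", "Calling-Station-Id": "00-DE-AD-BE-EF-00"}
REQ_NAS_B = {"User-Name": "username", "Calling-Station-Id": "00:de:ad:be:ef:00"}

if __name__ == "__main__":
    for label, req in (("NAS A", REQ_NAS_A), ("NAS B", REQ_NAS_B)):
        print(label, "raw:       ", inner_tunnel(req, USERS_FILE))
        print(label, "normalized:", inner_tunnel(req, USERS_FILE, normalize=True))
```

Running it shows NAS A accepted with the VLAN reply items, NAS B rejected with the same "No NT/LM-Password" text as the quoted log until its Calling-Station-Id is normalized, after which it is accepted as well.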