FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0

[defect]: log message for wrong password or password expired not working. Only "No NT-Domain was found" message appearing #4491

Closed dandanpena closed 2 years ago

dandanpena commented 2 years ago

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

The log message works when the username uses the pattern DOMAIN\user, but if the username has a pattern like user@domain.com or just user, the wrong message is sent to the log file.

Note that I set a default value for when NT-Domain is not set, %{%{mschap:NT-Domain}:-MPDFTMPBR}. I understand the debug message "mschap: ERROR: No NT-Domain was found in the User-Name", because the user name is in fact missing the NT domain, but since I configured MPDFTMPBR as the default value, the log message should write the correct output for mschap.

Log output from the FreeRADIUS daemon

OUTPUT INCORRECT:
=================
USER PATTERN: user@domain
---------------------------
(44)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(44)     authenticate {
(44) eap: Expiring EAP session with state 0xeb975bb4eadf429c
(44) eap: Finished EAP session with state 0x528ce5ad524fff0f
(44) eap: Previous EAP request found for state 0x528ce5ad524fff0f, released from the list
(44) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(44) eap: Calling submodule eap_mschapv2 to process data
(44) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(44) eap_mschapv2:   authenticate {
(44) mschap: Creating challenge hash with username: jucelino.araujo@mpdft.mp.br
(44) mschap: Client is using MS-CHAPv2
(44) mschap: EXPAND %{%{Stripped-User-Name}:-%{mschap:User-Name}}
(44) mschap:    --> jucelino.araujo
(44) mschap: ERROR: No NT-Domain was found in the User-Name
(44) mschap: EXPAND %{%{mschap:NT-Domain}:-MPDFTMPBR}
(44) mschap:    --> MPDFTMPBR
rlm_mschap (mschap): Reserved connection (3)
(44) mschap: sending authentication request user='jucelino.araujo' domain='MPDFTMPBR'
rlm_mschap (mschap): Released connection (3)
(44) mschap: ERROR: Wrong Password [0xC000006A]
(44) mschap: ERROR: Password has expired.  User should retry authentication
(44)     [mschap] = reject
(44)   } # authenticate = reject
(44) eap: Sending EAP Failure (code 4) ID 195 length 4
(44) eap: Freeing handler
(44)       [eap] = reject
(44)     } # authenticate = reject
(44)   Failed to authenticate the user
WRONG MESSAGE HERE => (44)   Login incorrect (mschap: No NT-Domain was found in the User-Name): [jucelino.araujo@mpdft.mp.br] (from client AP-CEI-TER-221 port 0 via TLS tunnel)
(44)   Using Post-Auth-Type Reject

USER PATTERN: user
---------------------------
(24858)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24858)     authenticate {
(24858) eap: Expiring EAP session with state 0xffe5b7d0ff0fad91
(24858) eap: Finished EAP session with state 0xa9203b74a97a2124
(24858) eap: Previous EAP request found for state 0xa9203b74a97a2124, released from the list
(24858) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(24858) eap: Calling submodule eap_mschapv2 to process data
(24858) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24858) eap_mschapv2:   authenticate {
(24858) mschap: Creating challenge hash with username: isa.santos
(24858) mschap: Client is using MS-CHAPv2
(24858) mschap: EXPAND %{%{Stripped-User-Name}:-%{mschap:User-Name}}
(24858) mschap:    --> isa.santos
(24858) mschap: ERROR: No NT-Domain was found in the User-Name
(24858) mschap: EXPAND %{%{mschap:NT-Domain}:-MPDFTMPBR}
(24858) mschap:    --> MPDFTMPBR
rlm_mschap (mschap): Reserved connection (7)
(24858) mschap: sending authentication request user='isa.santos' domain='MPDFTMPBR'
rlm_mschap (mschap): Released connection (7)
(24858) mschap: ERROR: Wrong Password [0xC000006A]
(24858) mschap: ERROR: Password has expired.  User should retry authentication
(24858)     [mschap] = reject
(24858)   } # authenticate = reject
(24858) eap: Sending EAP Failure (code 4) ID 90 length 4
(24858) eap: Freeing handler
(24858)       [eap] = reject
(24858)     } # authenticate = reject
(24858)   Failed to authenticate the user
WRONG MESSAGE HERE => (24858)   Login incorrect (mschap: No NT-Domain was found in the User-Name): [isa.santos] (from client AP-REM-A01-222 port 0 via TLS tunnel)

OUTPUT CORRECT:
=================
USER PATTERN: DOMAIN\user
---------------------------
(24171)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24171)     authenticate {
(24171) eap: Expiring EAP session with state 0x2412cbcb26e5d2dc
(24171) eap: Finished EAP session with state 0x4dc14fbd4d4b559a
(24171) eap: Previous EAP request found for state 0x4dc14fbd4d4b559a, released from the list
(24171) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(24171) eap: Calling submodule eap_mschapv2 to process data
(24171) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24171) eap_mschapv2:   authenticate {
(24171) mschap: Creating challenge hash with username: paulo.espindola
(24171) mschap: Client is using MS-CHAPv2
(24171) mschap: EXPAND %{%{Stripped-User-Name}:-%{mschap:User-Name}}
(24171) mschap:    --> paulo.espindola
(24171) mschap: EXPAND %{%{mschap:NT-Domain}:-MPDFTMPBR}
(24171) mschap:    --> mpdftmpbr
rlm_mschap (mschap): Reserved connection (4)
(24171) mschap: sending authentication request user='paulo.espindola' domain='mpdftmpbr'
rlm_mschap (mschap): Released connection (4)
(24171) mschap: ERROR: Wrong Password [0xC000006A]
(24171) mschap: ERROR: Password has expired.  User should retry authentication
(24171)     [mschap] = reject
(24171)   } # authenticate = reject
(24171) eap: Sending EAP Failure (code 4) ID 138 length 4
(24171) eap: Freeing handler
(24171)       [eap] = reject
(24171)     } # authenticate = reject
(24171)   Failed to authenticate the user
(24171)   Login incorrect (mschap: Wrong Password [0xC000006A]): [mpdftmpbr\paulo.espindola] (from client AP-SD2-A02-Q03 port 0 via TLS tunnel)

USER PATTERN: user@domain
---------------------------
(726)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(726)     authenticate {
(726) eap: Expiring EAP session with state 0xc5f176c6c5c06f10
(726) eap: Finished EAP session with state 0x4fd835b64f672f44
(726) eap: Previous EAP request found for state 0x4fd835b64f672f44, released from the list
(726) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(726) eap: Calling submodule eap_mschapv2 to process data
(726) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(726) eap_mschapv2:   authenticate {
(726) mschap: Creating challenge hash with username: nayara.fraga@mpdft.mp.br
(726) mschap: Client is using MS-CHAPv2
(726) mschap: EXPAND %{%{Stripped-User-Name}:-%{mschap:User-Name}}
(726) mschap:    --> nayara.fraga
(726) mschap: ERROR: No NT-Domain was found in the User-Name
(726) mschap: EXPAND %{%{mschap:NT-Domain}:-MPDFTMPBR}
(726) mschap:    --> MPDFTMPBR
rlm_mschap (mschap): Reserved connection (5)
(726) mschap: sending authentication request user='nayara.fraga' domain='MPDFTMPBR'
rlm_mschap (mschap): Released connection (5)
(726) mschap: Authenticated successfully
(726) mschap: Adding MS-CHAPv2 MPPE keys
(726)     [mschap] = ok
(726)   } # authenticate = ok
(726) MSCHAP Success

USER PATTERN: DOMAIN\user
---------------------------
(24682)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24682)     authenticate {
(24682) eap: Expiring EAP session with state 0xf665c16ff664d834
(24682) eap: Finished EAP session with state 0x840d59ba84114371
(24682) eap: Previous EAP request found for state 0x840d59ba84114371, released from the list
(24682) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(24682) eap: Calling submodule eap_mschapv2 to process data
(24682) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24682) eap_mschapv2:   authenticate {
(24682) mschap: Creating challenge hash with username: paulo.espindola
(24682) mschap: Client is using MS-CHAPv2
(24682) mschap: EXPAND %{%{Stripped-User-Name}:-%{mschap:User-Name}}
(24682) mschap:    --> paulo.espindola
(24682) mschap: EXPAND %{%{mschap:NT-Domain}:-MPDFTMPBR}
(24682) mschap:    --> mpdftmpbr
rlm_mschap (mschap): Reserved connection (0)
(24682) mschap: sending authentication request user='paulo.espindola' domain='mpdftmpbr'
rlm_mschap (mschap): Released connection (0)
(24682) mschap: Authenticated successfully
(24682) mschap: Adding MS-CHAPv2 MPPE keys
(24682)     [mschap] = ok
(24682)   } # authenticate = ok
(24682) MSCHAP Success

USER PATTERN: user
---------------------------
(24864)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24864)     authenticate {
(24864) eap: Expiring EAP session with state 0xffe5b7d0ff0fad91
(24864) eap: Finished EAP session with state 0xb65d9474b6868ed0
(24864) eap: Previous EAP request found for state 0xb65d9474b6868ed0, released from the list
(24864) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(24864) eap: Calling submodule eap_mschapv2 to process data
(24864) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24864) eap_mschapv2:   authenticate {
(24864) mschap: Creating challenge hash with username: crygina
(24864) mschap: Client is using MS-CHAPv2
(24864) mschap: EXPAND %{%{Stripped-User-Name}:-%{mschap:User-Name}}
(24864) mschap:    --> crygina
(24864) mschap: ERROR: No NT-Domain was found in the User-Name
(24864) mschap: EXPAND %{%{mschap:NT-Domain}:-MPDFTMPBR}
(24864) mschap:    --> MPDFTMPBR
rlm_mschap (mschap): Reserved connection (1)
(24864) mschap: sending authentication request user='crygina' domain='MPDFTMPBR'
rlm_mschap (mschap): Released connection (1)
(24864) mschap: Authenticated successfully
(24864) mschap: Adding MS-CHAPv2 MPPE keys
(24864)     [mschap] = ok
(24864)   } # authenticate = ok
(24864) MSCHAP Success

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

alandekok commented 2 years ago

The %{mschap:NT-Domain} expansion gets the NT domain, e.g. NTDOMAIN\user. It doesn't get the domain name, e.g. user@example.com.

If you want to use both, see the file mods-available/realms, and the proxy.conf file. You can configure NTDOMAIN and example.com as both local realms. Then also uncomment ntdomain in sites-available/default.

The server will split the User-Name into a Stripped-User-Name portion, and a Realm portion. And you won't need to use %{mschap:NT-Domain}.

In short, the server works as documented, and as intended. If you want different behavior, there are simple ways to get that behavior.
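
The distinction drawn in the reply above, as an added model (not FreeRADIUS code and not part of this thread): %{mschap:NT-Domain} only recognises the NTDOMAIN\user prefix form, so for user@example.com or a bare user it reports "No NT-Domain was found" before the :- default is applied, whereas the realm module with both ntdomain and suffix enabled yields Stripped-User-Name and Realm for either form. The realm table, the case-insensitive realm comparison, and the sample user names are assumptions of this model, taken from or modelled on the debug output in the report.

```python
"""Model of the two User-Name splitting behaviours discussed in the thread.

Added example, not FreeRADIUS code.  Assumptions (labelled inline): a local
realm table containing the two realms seen in the report, and case-insensitive
realm matching.
"""
from typing import List, NamedTuple, Optional


class RealmSplit(NamedTuple):
    stripped_user_name: str
    realm: Optional[str]


# Constructed sample of local realms (proxy.conf "realm X { }" with no home
# servers).  Assumption: realm names are compared case-insensitively.
LOCAL_REALMS = {"mpdftmpbr", "mpdft.mp.br"}


def nt_domain(user_name: str) -> Optional[str]:
    """Model of %{mschap:NT-Domain}: the part before a backslash, else None."""
    domain, sep, _user = user_name.partition("\\")
    return domain if sep else None


def expand_with_default(user_name: str, default: str, errors: List[str]) -> str:
    """Model of %{%{mschap:NT-Domain}:-<default>}.

    The inner expansion runs first; when it finds no NT domain it reports the
    error (as the debug output shows) and only then does :- supply the default.
    """
    domain = nt_domain(user_name)
    if domain is None:
        errors.append("mschap: ERROR: No NT-Domain was found in the User-Name")
        return default
    return domain


def split_realm(user_name: str) -> RealmSplit:
    """Model of the realm module with 'ntdomain' then 'suffix' enabled.

    Only a configured local realm is stripped; anything else is left intact.
    """
    # ntdomain: format = prefix, delimiter = "\"
    realm, sep, user = user_name.partition("\\")
    if sep and realm.lower() in LOCAL_REALMS:
        return RealmSplit(user, realm)
    # suffix: format = suffix, delimiter = "@"
    user, sep, realm = user_name.rpartition("@")
    if sep and realm.lower() in LOCAL_REALMS:
        return RealmSplit(user, realm)
    return RealmSplit(user_name, None)


def compare(user_name: str, default: str = "MPDFTMPBR") -> dict:
    """Run both models on one User-Name and return what each one yields."""
    errors: List[str] = []
    domain = expand_with_default(user_name, default, errors)
    split = split_realm(user_name)
    return {
        "mschap_nt_domain": domain,
        "mschap_errors": errors,
        "stripped_user_name": split.stripped_user_name,
        "realm": split.realm,
    }


if __name__ == "__main__":
    for name in ("mpdftmpbr\\paulo.espindola", "nayara.fraga@mpdft.mp.br", "crygina"):
        print(name, "->", compare(name))
```

The three inputs in the `__main__` block are the three username patterns from the report; only the backslash form satisfies the mschap expansion without an error, while the realm module handles the backslash and the suffix forms alike.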

dandanpena commented 2 years ago

Hi Alan,

I already use both NTDOMAIN and SUFFIX uncommented. For some reason, SUFFIX sets the realm only, while NTDOMAIN sets the realm and NT-Domain. So, if my users put their username as @.***, I get that error.

Maybe it's mschap... even if I set MPDFTMPBR as the default in that expansion, as you can see in the logs.

On Thu, 5 May 2022 at 04:01, Alan DeKok @.***> wrote:

The %{mschap:NT-Domain} expansion gets the NT domain, e.g. NTDOMAIN\user. It doesn't get the domain name, e.g. @.***

If you want to use both, see the file mods-available/realms, and the proxy.conf file. You can configure NTDOMAIN and example.com as both local realms. Then also uncomment ntdomain in sites-available/default.

The server will split the User-Name into a Stripped-User-Name portion, and a Realm portion. And you won't need to use %{mschap:NT-Domain}.

In short, the server works as documented, and as intended. If you want different behavior, there are simple ways to get that behavior.
