dapphp / radius

A pure PHP RADIUS client based on SysCo/al implementation
GNU Lesser General Public License v3.0
80 stars 43 forks source link

EAP-MS-CHAPv2 won't work with v2.5.5 #19

Closed jawira closed 3 years ago

jawira commented 3 years ago

Hi, after updating the project to dapphp/radius:v2.5.5 I couldn't login anymore.

The following code will will return VALID if I use v2.5.4 and will return INVALID when using v2.5.5.

<?php

use Dapphp\Radius\Radius;

include __DIR__ . '/vendor/autoload.php';

$radius = new Radius('172.18.0.7', 'hamster');
$radius->setAttribute(32, 'login');

$valid = $radius->accessRequestEapMsChapV2('sarah.connor', 'boombastic');

echo $valid ? 'VALID' : 'NOT VALID', PHP_EOL;

This is the log:

(100) mschap: Creating challenge hash with username: sarah.connor
,(100) mschap: Client is using MS-CHAPv2
,(100) mschap: Adding MS-CHAPv2 MPPE keys
,(100) eap_mschapv2:     [mschap] = ok
,(100) eap_mschapv2:   } # authenticate = ok
,(100) eap_mschapv2: MSCHAP Success
,(100) eap: Sending EAP Request (code 1) ID 98 length 51
,(100) eap: EAP session adding &reply:State = 0xe62cc2bbe74ed8b0
,(100)     [eap] = handled
,(100)   } # authenticate = handled
,(100) Using Post-Auth-Type Challenge
,(100) # Executing group from file /etc/freeradius/sites-enabled/default
,(100)   Challenge { ... } # empty sub-section is ignored
,(100) Sent Access-Challenge Id 1 from 172.18.0.7:1812 to 172.18.0.1:35088 length 0
,(100)   EAP-Message = 0x016200331a0361002e533d41464431364639423743464443424337303745383437463346423545463344433430343235343433
,(100)   Message-Authenticator = 0x00000000000000000000000000000000
,(100)   State = 0xe62cc2bbe74ed8b0f051d4599170f449
,(100) Finished request
,Waking up in 4.9 seconds.
,(101) Received Access-Request Id 2 from 172.18.0.1:54273 to 172.18.0.7:1812 length 85
,(101)   NAS-Identifier = "login"
,(101)   User-Name = "sarah.connor"
,(101)   EAP-Message = 0x026200061a03
,(101)   Message-Authenticator = 0xf29b0443c20ce662069030e66e625d84
,(101)   State = 0xe62cc2bbe64dd8b0f051d4599170f449
,(101) session-state: No cached attributes
,(101) # Executing section authorize from file /etc/freeradius/sites-enabled/default
,(101)   authorize {
,(101)     policy filter_username {
,(101)       if (&User-Name) {
,(101)       if (&User-Name)  -> TRUE
,(101)       if (&User-Name)  {
,(101)         if (&User-Name =~ / /) {
,(101)         if (&User-Name =~ / /)  -> FALSE
,(101)         if (&User-Name =~ /@[^@]*@/ ) {
,(101)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
,(101)         if (&User-Name =~ /\.\./ ) {
,(101)         if (&User-Name =~ /\.\./ )  -> FALSE
,(101)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
,(101)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
,(101)         if (&User-Name =~ /\.$/)  {
,(101)         if (&User-Name =~ /\.$/)   -> FALSE
,(101)         if (&User-Name =~ /@\./)  {
,(101)         if (&User-Name =~ /@\./)   -> FALSE
,(101)       } # if (&User-Name)  = notfound
,(101)     } # policy filter_username = notfound
,(101)     [preprocess] = ok
,(101)     [chap] = noop
,(101)     [mschap] = noop
,(101)     [digest] = noop
,(101) suffix: Checking for suffix after "@"
,(101) suffix: No '@' in User-Name = "sarah.connor", looking up realm NULL
,(101) suffix: No such realm "NULL"
,(101)     [suffix] = noop
,(101) eap: Peer sent EAP Response (code 2) ID 98 length 6
,(101) eap: No EAP Start, assuming it's an on-going EAP conversation
,(101)     [eap] = updated
,(101) files: users: Matched entry sarah.connor at line 1
,(101)     [files] = ok
,(101)     [expiration] = noop
,(101)     [logintime] = noop
,(101) pap: WARNING: Auth-Type already set.  Not setting to PAP
,(101)     [pap] = noop
,(101)   } # authorize = updated
,(101) Found Auth-Type = eap
,(101) # Executing group from file /etc/freeradius/sites-enabled/default
,(101)   authenticate {
,(101) eap: Expiring EAP session with state 0x19a129b618f7335a
,(101) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xe62cc2bbe64dd8b0
,(101) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
,(101) eap: Failed in handler
,(101)     [eap] = invalid
,(101)   } # authenticate = invalid
,(101) Failed to authenticate the user
,(101) Using Post-Auth-Type Reject
,(101) # Executing group from file /etc/freeradius/sites-enabled/default
,(101)   Post-Auth-Type REJECT {
,(101) attr_filter.access_reject: EXPAND %{User-Name}
,(101) attr_filter.access_reject:    --> sarah.connor
,(101) attr_filter.access_reject: Matched entry DEFAULT at line 11
,(101)     [attr_filter.access_reject] = updated
,(101) eap: Expiring EAP session with state 0x19a129b618f7335a
,(101) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xe62cc2bbe64dd8b0
,(101) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
,(101) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
,(101)     [eap] = noop
,(101)     policy remove_reply_message_if_eap {
,(101)       if (&reply:EAP-Message && &reply:Reply-Message) {
,(101)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
,(101)       else {
,(101)         [noop] = noop
,(101)       } # else = noop
,(101)     } # policy remove_reply_message_if_eap = noop
,(101)   } # Post-Auth-Type REJECT = updated
,(101) Delaying response for 1.000000 seconds
,Waking up in 0.3 seconds.
,Waking up in 0.6 seconds.
,(101) Sending delayed response
,(101) Sent Access-Reject Id 2 from 172.18.0.7:1812 to 172.18.0.1:54273 length 20
,Waking up in 3.9 seconds.

Hope you can fix it, thanks.

jawira commented 3 years ago

Maybe related with #13

dapphp commented 3 years ago

Hi @jawira,

Can you share relevant portions of your FreeRADIUS config?

When I try EAP-MS-CHAPv2 with FreeRADIUS, I do get the error referenced in 13, "EAP type is not EAP_MS_AUTH in access response". That check is over 5 years old and has been around since the beginning.

The EAP type I'm getting back is MD5 Challenge (4) instead of MS Auth (26).

I'll see if I can get that working as well so at least both of those are supported, but I couldn't get that code to work with FreeRADIUS using 2.5.4 either.

dapphp commented 3 years ago

Hey nevermind, if I change default_eap_type from md5 to mschapv2 in FreeRADIUS' eap config file then I can replicate the issue.

dapphp commented 3 years ago

This should be fixed now. I just pushed 2.5.6 with the changes. Thank you for reporting it! I hope it didn't cause too much trouble.

jawira commented 3 years ago

Sorry but I still have the problem, everything worked with v2.5.4 but it fails as soon I update to v2.5.6 now.

These are my configuration files. Please note this is a docker testing server freeradius/freeradius-server:3.0.20. Thanks.

  1. clientes.conf
  2. mods-config/files/authorize
  3. mods-available/eap
  4. mods-available/mschap
  5. radiusd.conf

clients.conf

client 0.0.0.0/0 {
    secret = hamster
    shortname = docker
}

mods-config/files/authorize

alice   Cleartext-Password := "jodee"
bob     Cleartext-Password := "jodee"

mods-available/eap

eap {
    default_eap_type = mschapv2
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        cache {
            enable = no
        }
        verify {
        }
        ocsp {
            enable = no
        }
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

mods-available/mschap

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    authorize {
        preprocess
        mschap
        suffix
        eap
        files
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
    }

}

radiusd.conf

#   The format of this (and other) configuration file is
#   documented in "man unlang".  There are also READMEs in many
#   subdirectories:
#
#     raddb/README.rst
#       How to upgrade from v2.
#
#     raddb/mods-available/README.rst
#       How to use mods-available / mods-enabled.
#       All of the modules are in individual files,
#       along with configuration items and full documentation.
#
#     raddb/sites-available/README
#       virtual servers, "listen" sections, clients, etc.
#       The "sites-available" directory contains many
#       worked examples of common configurations.
#
#     raddb/certs/README
#       How to create certificates for EAP or RadSec.
#
#   Every configuration item in the server is documented
#   extensively in the comments in the example configuration
#   files.
#
#   Before editing this (or any other) configuration file, PLEASE
#   read "man radiusd".  See the section titled DEBUGGING.  It
#   outlines a method where you can quickly create the
#   configuration you want, with minimal effort.
#
#   Run the server in debugging mode, and READ the output.
#
#       $ radiusd -X
#
#   We cannot emphasize this point strongly enough.  The vast
#   majority of problems can be solved by carefully reading the
#   debugging output, which includes warnings about common issues,
#   and suggestions for how they may be fixed.
#
#   There may be a lot of output, but look carefully for words like:
#   "warning", "error", "reject", or "failure".  The messages there
#   will usually be enough to guide you to a solution.
#
#   More documentation on "radiusd -X" is available on the wiki:
#       https://wiki.freeradius.org/radiusd-X
#
#   If you are going to ask a question on the mailing list, then
#   explain what you are trying to do, and include the output from
#   debugging mode (radiusd -X).  Failure to do so means that all
#   of the responses to your question will be people telling you
#   to "post the output of radiusd -X".
#
#   Guidelines for posting to the mailing list are on the wiki:
#       https://wiki.freeradius.org/list-help
#
#   Please read those guidelines before posting to the list.
#
#   Further documentation is available in the "doc" directory
#   of the server distribution, or on the wiki at:
#       https://wiki.freeradius.org/
#
#   New users to RADIUS should read the Technical Guide.  That guide
#   explains how RADIUS works, how FreeRADIUS works, and what each
#   part of a RADIUS system does.  It is not just "configure FreeRADIUS"!
#       https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
#   More documentation on dictionaries, modules, unlang, etc. is also
#   available on the Network RADIUS web site:
#       https://networkradius.com/freeradius-documentation/
#

######################################################################

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
#  name of the running server.  See also the "-n" command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = /usr/lib/freeradius

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid

#
#  correct_escapes: use correct backslash escaping
#
#  Prior to version 3.0.5, the handling of backslashes was a little
#  awkward, i.e. "wrong".  In some cases, to get one backslash into
#  a regex, you had to put 4 in the config files.
#
#  Version 3.0.5 fixes that.  However, for backwards compatibility,
#  the new method of escaping is DISABLED BY DEFAULT.  This means
#  that upgrading to 3.0.5 won't break your configuration.
#
#  If you don't have double backslashes (i.e. \\) in your configuration,
#  this won't matter to you.  If you do have them, fix that to use only
#  one backslash, and then set "correct_escapes = true".
#
#  You can check for this by doing:
#
#   $ grep '\\\\' $(find raddb -type f -print)
#
correct_escapes = true

#  panic_action: Command to execute if the server dies unexpectedly.
#
#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
#
#  THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
#  PATTACH CAN BE USED AS AN ATTACK VECTOR.
#
#  The panic action is a command which will be executed if the server
#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
#  SIGABRT or SIGFPE.
#
#  This can be used to start an interactive debugging session so
#  that information regarding the current state of the server can
#  be acquired.
#
#  The following string substitutions are available:
#  - %e   The currently executing program e.g. /sbin/radiusd
#  - %p   The PID of the currently executing program e.g. 12345
#
#  Standard ${} substitutions are also allowed.
#
#  An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
#  Again, don't use that on a production system.
#
#  An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
#
#  That command can be used on a production system.
#

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 30
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 16384

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
    #
    #  Destination for log messages.  This can be one of:
    #
    #   files - log to "file", as defined below.
    #   syslog - to syslog (see also the "syslog_facility", below.
    #   stdout - standard output
    #   stderr - standard error.
    #
    #  The command-line option "-X" over-rides this option, and forces
    #  logging to go to stdout.
    #
    destination = files

    #
    #  Highlight important messages sent to stderr and stdout.
    #
    #  Option will be ignored (disabled) if output if TERM is not
    #  an xterm or output is not to a TTY.
    #
    colourise = yes

    #
    #  The logging messages for the server are appended to the
    #  tail of this file if destination == "files"
    #
    #  If the server is running in debugging mode, this file is
    #  NOT used.
    #
    file = ${logdir}/radius.log

    #
    #  Which syslog facility to use, if ${destination} == "syslog"
    #
    #  The exact values permitted here are OS-dependent.  You probably
    #  don't want to change this.
    #
    syslog_facility = daemon

    #  Log the full User-Name attribute, as it was found in the request.
    #
    # allowed values: {no, yes}
    #
    stripped_names = no

    #  Log all (accept and reject) authentication results to the log file.
    #
    #  This is the same as setting "auth_accept = yes" and
    #  "auth_reject = yes"
    #
    #  allowed values: {no, yes}
    #
    auth = no

    #  Log Access-Accept results to the log file.
    #
    #  This is only used if "auth = no"
    #
    #  allowed values: {no, yes}
    #
#   auth_accept = no

    #  Log Access-Reject results to the log file.
    #
    #  This is only used if "auth = no"
    #
    #  allowed values: {no, yes}
    #
#   auth_reject = no

    #  Log passwords with the authentication requests.
    #  auth_badpass  - logs password if it's rejected
    #  auth_goodpass - logs password if it's correct
    #
    #  allowed values: {no, yes}
    #
    auth_badpass = no
    auth_goodpass = no

    #  Log additional text at the end of the "Login OK" messages.
    #  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
    #  configurations above have to be set to "yes".
    #
    #  The strings below are dynamically expanded, which means that
    #  you can put anything you want in them.  However, note that
    #  this expansion can be slow, and can negatively impact server
    #  performance.
    #
#   msg_goodpass = ""
#   msg_badpass = ""

    #  The message when the user exceeds the Simultaneous-Use limit.
    #
    msg_denied = "You are already logged in - access denied"
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

#
#  ENVIRONMENT VARIABLES
#
#  You can reference environment variables using an expansion like
#  `$ENV{PATH}`.  However it is sometimes useful to be able to also set
#  environment variables.  This section lets you do that.
#
#  The main purpose of this section is to allow administrators to keep
#  RADIUS-specific configuration in the RADIUS configuration files.
#  For example, if you need to set an environment variable which is
#  used by a module.  You could put that variable into a shell script,
#  but that's awkward.  Instead, just list it here.
#
#  Note that these environment variables are set AFTER the
#  configuration file is loaded.  So you cannot set FOO here, and
#  expect to reference it via `$ENV{FOO}` in another configuration file.
#  You should instead just use a normal configuration variable for
#  that.
#
ENV {
    #
    #  Set environment varable `FOO` to value '/bar/baz'.
    #
    #  NOTE: Note that you MUST use '='.  You CANNOT use '+=' to append
    #  values.
    #
#   FOO = '/bar/baz'

    #
    #  Delete environment variable `BAR`.
    #
#   BAR

    #
    #  `LD_PRELOAD` is special.  It is normally set before the
    #  application runs, and is interpreted by the dynamic linker.
    #  Which means you cannot set it inside of an application, and
    #  expect it to load libraries.
    #
    #  Since this functionality is useful, we extend it here.
    #
    #  You can set
    #
    #  LD_PRELOAD = /path/to/library.so
    #
    #  and the server will load the named libraries.  Multiple
    #  libraries can be loaded by specificing multiple individual
    #  `LD_PRELOAD` entries.
    #
    #
#   LD_PRELOAD = /path/to/library1.so
#   LD_PRELOAD = /path/to/library2.so
}

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
    #  chroot: directory where the server does "chroot".
    #
    #  The chroot is done very early in the process of starting
    #  the server.  After the chroot has been performed it
    #  switches to the "user" listed below (which MUST be
    #  specified).  If "group" is specified, it switches to that
    #  group, too.  Any other groups listed for the specified
    #  "user" in "/etc/group" are also added as part of this
    #  process.
    #
    #  The current working directory (chdir / cd) is left
    #  *outside* of the chroot until all of the modules have been
    #  initialized.  This allows the "raddb" directory to be left
    #  outside of the chroot.  Once the modules have been
    #  initialized, it does a "chdir" to ${logdir}.  This means
    #  that it should be impossible to break out of the chroot.
    #
    #  If you are worried about security issues related to this
    #  use of chdir, then simply ensure that the "raddb" directory
    #  is inside of the chroot, end be sure to do "cd raddb"
    #  BEFORE starting the server.
    #
    #  If the server is statically linked, then the only files
    #  that have to exist in the chroot are ${run_dir} and
    #  ${logdir}.  If you do the "cd raddb" as discussed above,
    #  then the "raddb" directory has to be inside of the chroot
    #  directory, too.
    #
#   chroot = /path/to/chroot/directory

    # user/group: The name (or #number) of the user/group to run radiusd as.
    #
    #   If these are commented out, the server will run as the
    #   user/group that started it.  In order to change to a
    #   different user/group, you MUST be root ( or have root
    #   privileges ) to start the server.
    #
    #   We STRONGLY recommend that you run the server with as few
    #   permissions as possible.  That is, if you're not using
    #   shadow passwords, the user and group items below should be
    #   set to radius'.
    #
    #  NOTE that some kernels refuse to setgid(group) when the
    #  value of (unsigned)group is above 60000; don't use group
    #  "nobody" on these systems!
    #
    #  On systems with shadow passwords, you might have to set
    #  'group = shadow' for the server to be able to read the
    #  shadow password file.  If you can authenticate users while
    #  in debug mode, but not in daemon mode, it may be that the
    #  debugging mode server is running as a user that can read
    #  the shadow info, and the user listed below can not.
    #
    #  The server will also try to use "initgroups" to read
    #  /etc/groups.  It will join all groups where "user" is a
    #  member.  This can allow for some finer-grained access
    #  controls.
    #
    user = freerad
    group = freerad

    #  Core dumps are a bad thing.  This should only be set to
    #  'yes' if you're debugging a problem with the server.
    #
    #  allowed values: {no, yes}
    #
    allow_core_dumps = no

    #
    #  max_attributes: The maximum number of attributes
    #  permitted in a RADIUS packet.  Packets which have MORE
    #  than this number of attributes in them will be dropped.
    #
    #  If this number is set too low, then no RADIUS packets
    #  will be accepted.
    #
    #  If this number is set too high, then an attacker may be
    #  able to send a small number of packets which will cause
    #  the server to use all available memory on the machine.
    #
    #  Setting this number to 0 means "allow any number of attributes"
    max_attributes = 200

    #
    #  reject_delay: When sending an Access-Reject, it can be
    #  delayed for a few seconds.  This may help slow down a DoS
    #  attack.  It also helps to slow down people trying to brute-force
    #  crack a users password.
    #
    #  Setting this number to 0 means "send rejects immediately"
    #
    #  If this number is set higher than 'cleanup_delay', then the
    #  rejects will be sent at 'cleanup_delay' time, when the request
    #  is deleted from the internal cache of requests.
    #
    #  As of Version 3.0.5, "reject_delay" has sub-second resolution.
    #  e.g. "reject_delay =  1.4" seconds is possible.
    #
    #  Useful ranges: 1 to 5
    reject_delay = 1

    #
    #  status_server: Whether or not the server will respond
    #  to Status-Server requests.
    #
    #  When sent a Status-Server message, the server responds with
    #  an Access-Accept or Accounting-Response packet.
    #
    #  This is mainly useful for administrators who want to "ping"
    #  the server, without adding test users, or creating fake
    #  accounting packets.
    #
    #  It's also useful when a NAS marks a RADIUS server "dead".
    #  The NAS can periodically "ping" the server with a Status-Server
    #  packet.  If the server responds, it must be alive, and the
    #  NAS can start using it for real requests.
    #
    #  See also raddb/sites-available/status
    #
    status_server = yes

}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf

# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE clients.conf

# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
    #  Number of servers to start initially --- should be a reasonable
    #  ballpark figure.
    start_servers = 5

    #  Limit on the total number of servers running.
    #
    #  If this limit is ever reached, clients will be LOCKED OUT, so it
    #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
    #  keep a runaway server from taking the system with it as it spirals
    #  down...
    #
    #  You may find that the server is regularly reaching the
    #  'max_servers' number of threads, and that increasing
    #  'max_servers' doesn't seem to make much difference.
    #
    #  If this is the case, then the problem is MOST LIKELY that
    #  your back-end databases are taking too long to respond, and
    #  are preventing the server from responding in a timely manner.
    #
    #  The solution is NOT do keep increasing the 'max_servers'
    #  value, but instead to fix the underlying cause of the
    #  problem: slow database, or 'hostname_lookups=yes'.
    #
    #  For more information, see 'max_request_time', above.
    #
    max_servers = 32

    #  Server-pool size regulation.  Rather than making you guess
    #  how many servers you need, FreeRADIUS dynamically adapts to
    #  the load it sees, that is, it tries to maintain enough
    #  servers to handle the current load, plus a few spare
    #  servers to handle transient load spikes.
    #
    #  It does this by periodically checking how many servers are
    #  waiting for a request.  If there are fewer than
    #  min_spare_servers, it creates a new spare.  If there are
    #  more than max_spare_servers, some of the spares die off.
    #  The default values are probably OK for most sites.
    #
    min_spare_servers = 3
    max_spare_servers = 10

    #  When the server receives a packet, it places it onto an
    #  internal queue, where the worker threads (configured above)
    #  pick it up for processing.  The maximum size of that queue
    #  is given here.
    #
    #  When the queue is full, any new packets will be silently
    #  discarded.
    #
    #  The most common cause of the queue being full is that the
    #  server is dependent on a slow database, and it has received
    #  a large "spike" of traffic.  When that happens, there is
    #  very little you can do other than make sure the server
    #  receives less traffic, or make sure that the database can
    #  handle the load.
    #
#   max_queue_size = 65536

    #  Clean up old threads periodically.  For no reason other than
    #  it might be useful.
    #
    #  '0' is a special value meaning 'infinity', or 'the servers never
    #  exit'
    max_requests_per_server = 0

    #  Automatically limit the number of accounting requests.
    #  This configuration item tracks how many requests per second
    #  the server can handle.  It does this by tracking the
    #  packets/s received by the server for processing, and
    #  comparing that to the packets/s handled by the child
    #  threads.
    #

    #  If the received PPS is larger than the processed PPS, *and*
    #  the queue is more than half full, then new accounting
    #  requests are probabilistically discarded.  This lowers the
    #  number of packets that the server needs to process.  Over
    #  time, the server will "catch up" with the traffic.
    #
    #  Throwing away accounting packets is usually safe and low
    #  impact.  The NAS will retransmit them in a few seconds, or
    #  even a few minutes.  Vendors should read RFC 5080 Section 2.2.1
    #  to see how accounting packets should be retransmitted.  Using
    #  any other method is likely to cause network meltdowns.
    #
    auto_limit_acct = no
}

######################################################################
#
#  SNMP notifications.  Uncomment the following line to enable
#  snmptraps.  Note that you MUST also configure the full path
#  to the "snmptrap" command in the "trigger.conf" file.
#
#$INCLUDE trigger.conf

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
    #
    #  Each module has a configuration as follows:
    #
    #   name [ instance ] {
    #       config_item = value
    #       ...
    #   }
    #
    #  The 'name' is used to load the 'rlm_name' library
    #  which implements the functionality of the module.
    #
    #  The 'instance' is optional.  To have two different instances
    #  of a module, it first must be referred to by 'name'.
    #  The different copies of the module are then created by
    #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
    #
    #  The instance names can then be used in later configuration
    #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
    #  for an example.
    #

    #
    #  Some modules have ordering issues.  e.g. "sqlippool" uses
    #  the configuration from "sql".  In that case, the "sql"
    #  module must be read off of disk before the "sqlippool".
    #  However, the directory inclusion below just reads the
    #  directory from start to finish.  Which means that the
    #  modules are read off of disk randomly.
    #
    #  As of 3.0.18, you can list individual modules *before* the
    #  directory inclusion.  Those modules will be loaded first.
    #  Then, when the directory is read, those modules will be
    #  skipped and not read twice.
    #
#   $INCLUDE mods-enabled/sql

    #
    #  As of 3.0, modules are in mods-enabled/.  Files matching
    #  the regex /[a-zA-Z0-9_.]+/ are loaded.  The modules are
    #  initialized ONLY if they are referenced in a processing
    #  section, such as authorize, authenticate, accounting,
    #  pre/post-proxy, etc.
    #
    $INCLUDE mods-enabled/
}

# Instantiation
#
#  This section sets the instantiation order of the modules.  listed
#  here will get started up BEFORE the sections like authorize,
#  authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like authorize
#  refers to a module, the module is automatically loaded and
#  initialized.  However, some modules may not be listed in any of the
#  processing sections, so they should be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
#  After the modules listed here have been loaded, all of the modules
#  in the "mods-enabled" directory will be loaded.  Loading the
#  "mods-enabled" directory means that unlike Version 2, you usually
#  don't need to list modules here.
#
instantiate {
    #
    # We list the counter module here so that it registers
    # the check_name attribute before any module which sets
    # it
#   daily

    # subsections here can be thought of as "virtual" modules.
    #
    # e.g. If you have two redundant SQL servers, and you want to
    # use them in the authorize and accounting sections, you could
    # place a "redundant" block in each section, containing the
    # exact same text.  Or, you could uncomment the following
    # lines, and list "redundant_sql" in the authorize and
    # accounting sections.
    #
    #  The "virtual" module defined here can also be used with
    #  dynamic expansions, under a few conditions:
    #
    #  * The section is "redundant", or "load-balance", or
    #    "redundant-load-balance"
    #  * The section contains modules ONLY, and no sub-sections
    #  * all modules in the section are using the same rlm_
    #    driver, e.g. They are all sql, or all ldap, etc.
    #
    #  When those conditions are satisfied, the server will
    #  automatically register a dynamic expansion, using the
    #  name of the "virtual" module.  In the example below,
    #  it will be "redundant_sql".  You can then use this expansion
    #  just like any other:
    #
    #   update reply {
    #       Filter-Id := "%{redundant_sql: ... }"
    #   }
    #
    #  In this example, the expansion is done via module "sql1",
    #  and if that expansion fails, using module "sql2".
    #
    #  For best results, configure the "pool" subsection of the
    #  module so that "retry_delay" is non-zero.  That will allow
    #  the redundant block to quickly ignore all "down" SQL
    #  databases.  If instead we have "retry_delay = 0", then
    #  every time the redundant block is used, the server will try
    #  to open a connection to every "down" database, causing
    #  problems.
    #
    #redundant redundant_sql {
    #   sql1
    #   sql2
    #}
}

######################################################################
#
#  Policies are virtual modules, similar to those defined in the
#  "instantiate" section above.
#
#  Defining a policy in one of the policy.d files means that it can be
#  referenced in multiple places as a *name*, rather than as a series of
#  conditions to match, and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively. They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
######################################################################
policy {
    $INCLUDE policy.d/
}

######################################################################
#
#   Load virtual servers.
#
#   This next $INCLUDE line loads files in the directory that
#   match the regular expression: /[a-zA-Z0-9_.]+/
#
#   It allows you to define new virtual servers simply by placing
#   a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/

######################################################################
#
#   All of the other configuration sections like "authorize {}",
#   "authenticate {}", "accounting {}", have been moved to the
#   the file:
#
#       raddb/sites-available/default
#
#   This is the "default" virtual server that has the same
#   configuration as in version 1.0.x and 1.1.x.  The default
#   installation enables this virtual server.  You should
#   edit it to create policies for your local site.
#
#   For more documentation on virtual servers, see:
#
#       raddb/sites-available/README
#
######################################################################
dapphp commented 3 years ago

Hi @jawira ,

Thanks for the extra info and config. I ran example/eap-mschapv2.php against the freeradius docker image using your config and was able to auth. See logs here: https://pastebin.com/kfizX7MS

In example/eapmschapv2.php could you try adding $radius->setDebug(true); before the access request and post that output along with the freeradius debug output?

I used your exact config aside from my own clients and authorize file.

Maybe with updated logs I can compare the two and try to see where it is failing now.

Sorry for the trouble and thank you very much for your time!

jawira commented 3 years ago

@dapphp thanks for using your time to fix this :)

I think I got it, you are right the code I give you works. But the problem raises when I use accessRequestEapMsChapV2List method.

This is the code I used:

<?php

use Dapphp\Radius\Radius;

include __DIR__ . '/vendor/autoload.php';

$radius = new Radius;
$radius->setSecret('hamster');
$radius->setAttribute(32, 'login');
$radius->setDebug(true);
$valid = $radius->accessRequestEapMsChapV2List(['192.168.5.5', 'radius'], 'sarah.connor', 'boombastic');

echo $valid ? 'VALID' : 'NOT VALID', PHP_EOL;

Checking the server logs I found this message:

 eap: ERROR: Malformed EAP Message: Malformed EAP packet.  Length in packet header 17, does not match actual length 88

Anyway, here are the logs:

Thanks again!

jawira commented 3 years ago

Closing issue since my new employer doesn't use Radius :)