
List:       freeradius-users
Subject:    Re: rlm_cache NT-Password with EAP-PEAP
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2015-02-27 22:57:59
Message-ID: D67428DC-D707-4D20-BB57-A1C2154BA7C0 () freeradius ! org


> On 27 Feb 2015, at 17:48, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Feb 27, 2015, at 4:20 PM, Sherker, Donald <Donald.Sherker@mybrighthouse.com> wrote:
> > I have made this change and the server is able to cache the hashes for both
> > EAP-PEAP and EAP-TTLS now.  I am now seeing a problem where after MSCHAPv2
> > finishes its status is "updated" the first time the user tries to authenticate
> > and then EAP fails.
> 
> A careful reading of the debug log is helpful here:
> 
> (7) eap_mschapv2:   Auth-Type MS-CHAP {
> (7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password
> (7) mschap: Creating challenge hash with username: qaresdon
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Adding MS-CHAPv2 MPPE keys
> (7)     [mschap] = ok
> (7) cache: EXPAND %{User-Name}%{outer.request:Calling-Station-Id}
> (7) cache:    --> qaresdone899c47233d8
> (7) cache: No cache entry found for "qaresdone899c47233d8"
> (7) cache: Creating new cache entry
> (7) cache: EXPAND %{control:NT-Password}
> (7) cache:    --> 0x5835048ce94ad0564e29a924a03510ef
> (7) cache:   control:NT-Password := 0x5835048ce94ad0564e29a924a03510ef
> (7) cache: EXPAND %{control:LM-Password}
> (7) cache:    --> 0xe52cac67419a9a2238f10713b629b565
> (7) cache:   control:LM-Password := 0xe52cac67419a9a2238f10713b629b565
> (7) cache: Merging cache entry into request
> (7) cache:   &control:NT-Password := 0x5835048ce94ad0564e29a924a03510ef
> (7) cache:   &control:LM-Password := 0xe52cac67419a9a2238f10713b629b565
> (7) cache: Commited entry, TTL 86400 seconds
> (7)     [cache.authorize] = updated
> (7)   } # Auth-Type MS-CHAP = updated
> (7) eap: Freeing handler
> (7)       [eap] = reject
> (7)     } # authenticate = reject
> 
> i.e. the *cache* module returns "updated".  That can be fixed.  Just add "ok" after
> "cache.authorize":

Sure, that's a workaround, but this is a bug in the server. A module returning
updated in the authentication section should not cause authentication to fail.

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
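
The log reading discussed in this thread can be automated. The following is an added example, not part of the original messages or of FreeRADIUS: it scans debug output for `Auth-Type` blocks that closed with a result other than `ok` and names the module that set that result. The function name and the sample lines (a trimmed, constructed copy of the quoted log with the password hashes left out) are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed from the debug lines quoted in this thread,
# with the cached hash values omitted.
SAMPLE = """\
(7) eap_mschapv2:   Auth-Type MS-CHAP {
(7)     [mschap] = ok
(7) cache: Creating new cache entry
(7)     [cache.authorize] = updated
(7)   } # Auth-Type MS-CHAP = updated
(7) eap: Freeing handler
(7)       [eap] = reject
(7)     } # authenticate = reject
"""

# "(7)     [cache.authorize] = updated"  -> module result line
MODULE_RE = re.compile(r"^\((\d+)\)\s+\[([\w.\-]+)\] = (\w+)\s*$")
# "(7)   } # Auth-Type MS-CHAP = updated" -> section close line
CLOSE_RE = re.compile(r"^\((\d+)\)\s+\} # (.+?) = (\w+)\s*$")


def find_rcode_overrides(log_text):
    """Return (request, section, module, rcode) for every Auth-Type block
    that closed with a result other than "ok", where that result matches
    the last module logged for the same request."""
    findings = []
    last_module = {}  # request id -> (module name, rcode) seen most recently
    for raw in log_text.splitlines():
        line = raw.lstrip("> ")  # tolerate logs pasted from quoted mail
        m = MODULE_RE.match(line)
        if m:
            last_module[m.group(1)] = (m.group(2), m.group(3))
            continue
        c = CLOSE_RE.match(line)
        if not c:
            continue
        req, section, rcode = c.groups()
        mod = last_module.get(req)
        if (section.startswith("Auth-Type") and rcode != "ok"
                and mod is not None and mod[1] == rcode):
            findings.append((req, section, mod[0], rcode))
    return findings


if __name__ == "__main__":
    for req, section, module, rcode in find_rcode_overrides(SAMPLE):
        print(f"request {req}: {section} ended '{rcode}' (set by {module})")
```

On the sample it reports that `cache.authorize` left `Auth-Type MS-CHAP` at `updated`, the condition the thread identifies just before `[eap] = reject`.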
