Authentication with ms-chap

Hello,

I have a problem when trying to authenticate a user through RADIUS with the MS-CHAP protocol using a TOTP token. I am using a MySQL database for users. Authentication with PAP works perfectly. Maybe I have missed something...

This is content of my multiotp file under modules

exec multiotp {
    wait = yes
    input_pairs = request
    output_pairs = reply
    program = "/var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
    shell_escape = yes
}

And this is content of multiotp file under policy.d

multiotp_prefix = ''
multiotp.authorize {
    if (control:Auth-Type == MS-CHAP) {
        update control {
            Auth-Type := multiotpmschap
        }
    }
    elsif (!control:Auth-Type) {
        update control {
            Auth-Type := multiotp
        }
    }
}

radtest testotp OTP_DIGITS 127.0.0.1 1812 secret returns Access-Accept, but radtest -t mschap testotp OTP_DIGITS 127.0.0.1 1812 secret returns the following:

Found Auth-Type = multiotp
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   Auth-Type multiotp {
(3) multiotp: Executing: /var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}:
(3) multiotp: EXPAND %{User-Name}
(3) multiotp:    --> testotp
(3) multiotp: EXPAND %{User-Password}
(3) multiotp:    -->
(3) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(3) multiotp:    --> -src=127.0.0.1
(3) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(3) multiotp:    --> -chap-challenge=
(3) multiotp: EXPAND -chap-password=%{CHAP-Password}
(3) multiotp:    --> -chap-password=
(3) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(3) multiotp:    --> -ms-chap-challenge=0x2ee85e7aa9a2b6e1
(3) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(3) multiotp:    --> -ms-chap-response=0x000100000000000000000000000000000000000000000000000080cca3b95e8097092b15c3616a401670976d006084d6c506
(3) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(3) multiotp:    --> -ms-chap2-response=
(3) multiotp: ERROR: Failed parsing output from: /var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: Expecting operator
(3) multiotp: ERROR: Program returned code (0) and output 'NT_KEY: 9B808D30754AE8E76E8ACB155F5A3D38, '
(3)   [multiotp] = fail
(3) } # Auth-Type multiotp = fail
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
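Why rlm_exec reports "Expecting operator" here: with output_pairs set, rlm_exec parses the script's standard output as attribute pairs of the form `Attribute op value` (the shape of the `Reply-Message := "..."` line quoted later in this thread), whereas `NT_KEY: <hex>` is the line an ntlm_auth-style helper prints for rlm_mschap, which reads that line itself. The Go program below is an added example, not code from the thread, from multiOTP or from FreeRADIUS: its two parsers are simplified reconstructions of those formats (assumption: a reduced operator set and grammar compared to the real modules), and its sample inputs are the two outputs quoted in the thread.

```go
// Added example (not from the thread, multiOTP or FreeRADIUS): two simplified
// parsers for the output formats involved. rlm_exec with output_pairs expects
// "Attribute op value" pairs; rlm_mschap's ntlm_auth hook expects "NT_KEY: <hex>".
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Pair is one parsed "Attribute op value" triple.
type Pair struct{ Attr, Op, Value string }

// splitItems splits on commas and newlines that are outside double quotes.
func splitItems(s string) []string {
	var items []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case (r == ',' || r == '\n') && !inQuote:
			items = append(items, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(items, cur.String())
}

func isAttrChar(c byte) bool {
	return c == '-' || c == '_' || c == '.' || c == ':' ||
		(c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
}

// parsePairs mimics the pair syntax rlm_exec applies to script output
// (assumption: simplified grammar; FreeRADIUS accepts more operators).
func parsePairs(out string) ([]Pair, error) {
	var pairs []Pair
	for _, item := range splitItems(out) {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		i := 0
		for i < len(item) && isAttrChar(item[i]) && !strings.HasPrefix(item[i:], ":=") {
			i++
		}
		rest := strings.TrimLeft(item[i:], " \t")
		op := ""
		for _, o := range []string{":=", "+=", "==", "!=", "=~", "="} {
			if strings.HasPrefix(rest, o) {
				op = o
				break
			}
		}
		if i == 0 || op == "" {
			// This is the failure the thread's debug output shows for "NT_KEY: ...".
			return nil, fmt.Errorf("expecting operator in %q", item)
		}
		value := strings.Trim(strings.TrimSpace(rest[len(op):]), `"`)
		pairs = append(pairs, Pair{Attr: item[:i], Op: op, Value: value})
	}
	return pairs, nil
}

// parseNTKey reads the ntlm_auth-style "NT_KEY: <32 hex chars>" line; the
// trailing comma seen in the thread's output is tolerated.
func parseNTKey(out string) ([16]byte, error) {
	var key [16]byte
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "NT_KEY: ") {
			continue
		}
		h := strings.TrimSuffix(strings.TrimPrefix(line, "NT_KEY: "), ",")
		if len(h) != 32 {
			return key, fmt.Errorf("NT_KEY must be 32 hex chars, got %q", h)
		}
		if _, err := hex.Decode(key[:], []byte(h)); err != nil {
			return key, err
		}
		return key, nil
	}
	return key, fmt.Errorf("no NT_KEY line in output")
}

func main() {
	// Sample inputs: the two script outputs quoted in the thread.
	for _, out := range []string{
		`Reply-Message := "ERROR: User doesn't exist" `,
		"NT_KEY: 9B808D30754AE8E76E8ACB155F5A3D38, ",
	} {
		if pairs, err := parsePairs(out); err != nil {
			fmt.Println("rlm_exec would reject:", err)
		} else {
			fmt.Println("rlm_exec pairs:", pairs)
		}
		if key, err := parseNTKey(out); err == nil {
			fmt.Printf("rlm_mschap NT_KEY: %X\n", key[:])
		}
	}
}
```

Run with `go run`: the Reply-Message line parses as a pair, the NT_KEY line is rejected by the pair parser and accepted only by the NT_KEY parser, which is the split between the `multiotp` (rlm_exec) and `multiotpmschap` (rlm_mschap) Auth-Types that the rest of the thread settles on.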

Comments

  • Hello, we need more detail please. Which version of Linux distribution are you using? Which version of FreeRADIUS? Which version of multiOTP open source (multiotp.php -v), or do you use our open source virtual appliance (which version)? MS-CHAP authentication has been implemented for a long time and should work without any problem. I suspect a FreeRADIUS 3.x issue. Regards, Andre
  • edited November 2017
    Hello, control:Auth-Type == MS-CHAP is the problem, replace MS-CHAP with mschap.
    Content for policy.d:
    multiotp_prefix = ''
    multiotp.authorize {
        # This test forces multiOTP for any MS-CHAP(v2), CHAP and PAP attempt
        if (control:Auth-Type == mschap) {
            update control {
                Auth-Type := multiotpmschap
            }
        }
        elsif (control:Auth-Type == chap) {
            update control {
                Auth-Type := multiotp
            }
        }
        elsif (!control:Auth-Type) {
            update control {
                Auth-Type := multiotp
            }
        }
    }
  • Thank you very much for your answer. I changed the content of the file under policy.d, but I still get the same response when using mschap. I am using CentOS Linux release 7.4.1708 (Core), multiOTP 5.0.4.8 (2017-06-06) [CLI] and FreeRADIUS Version 3.0.13.
  • So now I've added multiotpmschap to sites-enabled/default and I get "User doesn't exist", so I must have set something wrong in the files.
    (2)   } # authorize = ok
    (2) Found Auth-Type = multiotpmschap
    (2) # Executing group from file /etc/raddb/sites-enabled/default
    (2)   Auth-Type multiotpmschap {
    (2) multiotpmschap: Client is using MS-CHAPv1 with NT-Password
    (2) multiotpmschap: Executing: /var/www/html/multiotp/multiotp.php --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
    (2) multiotpmschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
    (2) multiotpmschap:    --> --username=testotp
    (2) multiotpmschap: mschap1: 48
    (2) multiotpmschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
    (2) multiotpmschap:    --> --challenge=48ae2dc09976e946
    (2) multiotpmschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
    (2) multiotpmschap:    --> --nt-response=c745d57509542742555e62079bdf2fbd45633a89ace57fd8
    (2) multiotpmschap: ERROR: Program returned code (21) and output 'Reply-Message := "ERROR: User doesn't exist" '
    (2) multiotpmschap: External script failed
    (2) multiotpmschap: ERROR: External script says: Reply-Message := "ERROR: User doesn't exist" 
    (2) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect
    
  • Hello, for multiotpmschap, your multiotp.php parameters are wrong, you have apparently kept the ntlm_auth parameters instead! Regards, Andre
  • Thank you very much for your help, everything is working like it should now. Regards, Klavdija
  • You are welcome.
This discussion has been closed.
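What the helper behind Auth-Type multiotpmschap is asked to do with --challenge and --nt-response, and where the NT_KEY value comes from, as an added Go example (not code from the thread, from multiOTP or from FreeRADIUS; the function names are this example's own): the NT hash is MD4 over the UTF-16LE password, the NT-Response is three DES encryptions of the 8-byte challenge under keys cut from the zero-padded hash (RFC 2433 for MS-CHAPv1, RFC 2759 for v2, which differ only in how the 8-byte challenge is derived), and NT_KEY is that 16-byte hash handed back so rlm_mschap can derive the MPPE keys. The sample input is the published RFC 2759 test vector (password "clientPass", challenge D02E4386BCE91226), not values from the thread.

```go
// Added example (not code from the thread, from multiOTP or from FreeRADIUS):
// the MS-CHAP NT-Response computation from RFC 2433/2759 that a helper given
// --challenge and --nt-response must perform, and the NT hash it returns as NT_KEY.
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320 (no MD4 in the standard library); NtPasswordHash is MD4.
func md4(data []byte) [16]byte {
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	msg := append(append([]byte{}, data...), 0x80) // pad: 0x80, zeros, 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = binary.LittleEndian.AppendUint64(msg, uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i += 4 { // round 1: F, shifts 3/7/11/19
			a = bits.RotateLeft32(a+f(b, c, d)+x[i], 3)
			d = bits.RotateLeft32(d+f(a, b, c)+x[i+1], 7)
			c = bits.RotateLeft32(c+f(d, a, b)+x[i+2], 11)
			b = bits.RotateLeft32(b+f(c, d, a)+x[i+3], 19)
		}
		for i := 0; i < 4; i++ { // round 2: G, shifts 3/5/9/13
			a = bits.RotateLeft32(a+g(b, c, d)+x[i]+0x5a827999, 3)
			d = bits.RotateLeft32(d+g(a, b, c)+x[i+4]+0x5a827999, 5)
			c = bits.RotateLeft32(c+g(d, a, b)+x[i+8]+0x5a827999, 9)
			b = bits.RotateLeft32(b+g(c, d, a)+x[i+12]+0x5a827999, 13)
		}
		for _, i := range []int{0, 2, 1, 3} { // round 3: H, shifts 3/9/11/15
			a = bits.RotateLeft32(a+h(b, c, d)+x[i]+0x6ed9eba1, 3)
			d = bits.RotateLeft32(d+h(a, b, c)+x[i+8]+0x6ed9eba1, 9)
			c = bits.RotateLeft32(c+h(d, a, b)+x[i+4]+0x6ed9eba1, 11)
			b = bits.RotateLeft32(b+h(c, d, a)+x[i+12]+0x6ed9eba1, 15)
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is NtPasswordHash() from RFC 2759: MD4 over the UTF-16LE password.
func ntPasswordHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = binary.LittleEndian.AppendUint16(buf, u)
	}
	return md4(buf)
}

// challengeResponse is ChallengeResponse() from RFC 2759: zero-pad the hash to
// 21 bytes, split into three 7-byte DES keys, encrypt the 8-byte challenge with each.
func challengeResponse(challenge [8]byte, hash [16]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		var v uint64 // 56 key bits -> 8 bytes of 7 bits, parity bit low (ignored by crypto/des)
		for _, b := range padded[7*i : 7*i+7] {
			v = v<<8 | uint64(b)
		}
		key := make([]byte, 8)
		for j := range key {
			key[j] = byte((v>>(49-7*uint(j)))&0x7f) << 1
		}
		block, _ := des.NewCipher(key) // 8-byte key: cannot fail
		block.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// verifyNTResponse is the check behind --nt-response: recompute from the stored
// hash and compare in constant time.
func verifyNTResponse(challenge [8]byte, hash [16]byte, got [24]byte) bool {
	want := challengeResponse(challenge, hash)
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

func main() { // RFC 2759 section 9 test vector (password "clientPass"), not thread values
	var ch [8]byte
	hex.Decode(ch[:], []byte("D02E4386BCE91226"))
	hash := ntPasswordHash("clientPass")
	resp := challengeResponse(ch, hash)
	fmt.Printf("nt-response %X\nNT_KEY: %X\n", resp[:], hash[:])
}
```

The point for the thread: the helper can only run this check if it knows the hash of what the client typed, which for a TOTP user is the current code rather than a static password, so the helper has to be multiOTP itself with its own parameters, and a helper invoked with the wrong ones (as Andre points out) fails at the user lookup before any response is compared. MS-CHAPv1, which the thread's second log shows, passes the 8-byte server challenge straight in; MS-CHAPv2 first reduces peer challenge, server challenge and user name to 8 bytes with SHA-1 before calling the same routine.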