Authentication with ms-chap
I have a problem when trying to authenticate a user through RADIUS with the MS-CHAP protocol using a TOTP token. I am using a MySQL database for users. Authentication with PAP works perfectly. Maybe I have missed something...
This is the content of my multiotp file under modules:
exec multiotp {
    wait = yes
    input_pairs = request
    output_pairs = reply
    program = "/var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
    shell_escape = yes
}
And this is the content of my multiotp file under policy.d:
multiotp_prefix = ''
multiotp.authorize {
    if (control:Auth-Type == MS-CHAP) {
        update control {
            Auth-Type := multiotpmschap
        }
    }
    elsif (!control:Auth-Type) {
        update control {
            Auth-Type := multiotp
        }
    }
}
radtest testotp OTP_DIGITS 127.0.0.1 1812 secret returns Access-Accept, but radtest -t mschap testotp OTP_DIGITS 127.0.0.1 1812 secret returns the following:
Found Auth-Type = multiotp
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Auth-Type multiotp {
(3) multiotp: Executing: /var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}:
(3) multiotp: EXPAND %{User-Name}
(3) multiotp: --> testotp
(3) multiotp: EXPAND %{User-Password}
(3) multiotp: -->
(3) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(3) multiotp: --> -src=127.0.0.1
(3) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(3) multiotp: --> -chap-challenge=
(3) multiotp: EXPAND -chap-password=%{CHAP-Password}
(3) multiotp: --> -chap-password=
(3) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(3) multiotp: --> -ms-chap-challenge=0x2ee85e7aa9a2b6e1
(3) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(3) multiotp: --> -ms-chap-response=0x000100000000000000000000000000000000000000000000000080cca3b95e8097092b15c3616a401670976d006084d6c506
(3) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(3) multiotp: --> -ms-chap2-response=
(3) multiotp: ERROR: Failed parsing output from: /var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: Expecting operator
(3) multiotp: ERROR: Program returned code (0) and output 'NT_KEY: 9B808D30754AE8E76E8ACB155F5A3D38, '
(3) [multiotp] = fail
(3) } # Auth-Type multiotp = fail
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
Comments
Content for policy.d:

multiotp_prefix = ''
multiotp.authorize {
    # This test forces multiOTP for any MS-CHAP(v2), CHAP and PAP attempt
    if (control:Auth-Type == mschap) {
        update control {
            Auth-Type := multiotpmschap
        }
    }
    elsif (control:Auth-Type == chap) {
        update control {
            Auth-Type := multiotp
        }
    }
    elsif (!control:Auth-Type) {
        update control {
            Auth-Type := multiotp
        }
    }
}
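The policy only routes the request; something still has to verify the MS-CHAP response, and the debug output in the question shows why the exec instance cannot be that something. With output_pairs set, rlm_exec parses whatever the program prints as attribute pairs (Attribute = value), so the line 'NT_KEY: 9B808D30754AE8E76E8ACB155F5A3D38, ' fails with "Expecting operator". That line is the reply format of an ntlm_auth helper, which is what rlm_mschap consumes through its ntlm_auth option. The configuration below is an added example of that wiring; it is not taken from the page or from the multiOTP project. The file name, the instance name multiotpmschap, the use of %{%{X}:-None} defaults, and the placement of the stock mschap module ahead of the policy in authorize (so control:Auth-Type is already set when the policy compares it, which is what the "Found Auth-Type = multiotp" line above indicates did not happen) are all assumptions.

```conf
# mods-available/multiotpmschap (assumed file name): a second rlm_mschap instance
# whose ntlm_auth helper is multiotp itself. rlm_mschap hands the MS-CHAP
# challenge/response to the helper and reads the "NT_KEY: <hex>" line it prints,
# then finishes the MS-CHAP v1/v2 verification itself.
mschap multiotpmschap {
    with_ntdomain_hack = yes
    # Same argument list as the exec instance in the question. The %{%{X}:-None}
    # form substitutes "None" for an absent attribute so the argument positions
    # stay fixed (User-Password is empty for MS-CHAP, as the debug output shows).
    ntlm_auth = "/var/www/html/multiotp/multiotp.php %{%{Stripped-User-Name}:-%{User-Name}} %{%{User-Password}:-None} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{%{CHAP-Challenge}:-None} -chap-password=%{%{CHAP-Password}:-None} -ms-chap-challenge=%{%{MS-CHAP-Challenge}:-None} -ms-chap-response=%{%{MS-CHAP-Response}:-None} -ms-chap2-response=%{%{MS-CHAP2-Response}:-None}"
}

# sites-enabled/default, authorize section (only the relevant entries shown,
# keep the rest of the stock section as shipped). The stock mschap module must
# run before the multiotp policy: it is what sets control:Auth-Type for
# MS-CHAP requests, and the policy's "== mschap" test compares against the
# name that instance sets.
authorize {
    mschap
    multiotp
}

# sites-enabled/default, authenticate section: bind each Auth-Type the policy
# sets to a module that can actually verify that credential type.
authenticate {
    Auth-Type multiotp {
        multiotp          # rlm_exec instance from the question: PAP (and CHAP) only
    }
    Auth-Type multiotpmschap {
        multiotpmschap    # rlm_mschap instance above: MS-CHAP v1/v2 via NT_KEY
    }
}
```

Two checks after wiring this up: run radiusd -X and confirm that the MS-CHAP request now reports "Found Auth-Type = multiotpmschap" rather than multiotp, and confirm that the expanded ntlm_auth command line shows the MS-CHAP-Challenge and MS-CHAP-Response (or MS-CHAP2-Response) values rather than None. The NT key the helper prints is derived from the user's stored credential, so the helper and its database remain as sensitive as the password store itself and should be reachable only by the radiusd user.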