Trouble with FR3 users file format


Trouble with FR3 users file format

Diggins Mike
Hello and Happy New Year!

I am building a new FR3 server running the latest version to replace my FR2 server. Both authenticate users using ntlm_auth only and radtest confirms that is working for PAP and MSCHAP. However, my ported users file seems to be causing a change in behaviour. This is what the users file looks like (from FR2).

userid2 Auth-Type = ntlm_auth
                    Reply-Message = "attr1, attr2"
guest002           Auth-Type = ntlm_auth
                    Reply-Message = "attr1, attr2"
userid3             Auth-Type = ntlm_auth
                    Reply-Message = "attr1, attr2"
userid4             Auth-Type = ntlm_auth
                  Reply-Message = "attr1, attr2"
DEFAULT Auth-Type = ntlm_auth

Only some of my users are in this file and have reply attributes. All other users also use ntlm_auth but have no reply attributes and are not listed in the file. Again, this worked in FR2.

Using the same file in FR3, authentication works correctly whether the user is in the file or not which is correct. However, I do not get the Reply-Message attributes in the reply unless the user happens to be the very first one listed in the file (userid2 in this case). guest002 gets nothing returned nor do any of the others.

If I remove the DEFAULT statement at the end of the file, any user in the users file authenticates correctly and gets the proper attributes returned in the Reply-Message. However, anyone not in the users file can no longer authenticate using PAP. Only MSCHAP works. I have users using both methods but no local passwords on the FR server.

It seems redundant to specify the ntlm_auth type for every user in my users file given that's the only available option for authentication. Is there a correct way to do this and restore the previous behaviour?

-Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Trouble with FR3 users file format

Alan DeKok-2
On Jan 1, 2019, at 3:22 PM, Diggins Mike <[hidden email]> wrote:

>
> I am building a new FR3 server running the latest version to replace my FR2 server. Both authenticate users using ntlm-auth only and Radtest confirms that is working for PAP and MSCHAP. However, my ported users file seems to be causing a change in behaviour. This is what the users file looks like (from FR2).
>
> userid2 Auth-Type = ntlm_auth
>                   Reply-Message = "attr1, attr2"
> guest002           Auth-Type = ntlm_auth
>                   Reply-Message = "attr1, attr2"
> userid3             Auth-Type = ntlm_auth
>                   Reply-Message = "attr1, attr2"
> userid4             Auth-Type = ntlm_auth
>                 Reply-Message = "attr1, attr2"
> DEFAULT Auth-Type = ntlm_auth

  That should be OK.  It's a little redundant, but whatever.

> Only some of my users are in this file and have reply attributes. All other users also use ntlm_auth but have no reply attributes and are not listed in the file. Again, this worked in FR2.
>
> Using the same file in FR3, authentication works correctly whether the user is in the file or not which is correct. However, I do not get the Reply-Message attributes in the reply unless the user happens to be the very first one listed in the file (userid2 in this case). guest002 gets nothing returned nor do any of the others.

  What does the debug output show?  And which version of the server are you using?  3.0.17?

> If I remove the DEFAULT statement at the end of the file, any user in the users file authenticates correctly and gets the proper attributes returned in the Reply-Message. However, anyone not in the users file can no longer authenticate using PAP. Only MSCHAP works. I have users using both methods but no local passwords on the FR server.

  As *always*, read the debug output to see what the server is doing.

  In short, the default configuration works.  If you're just using the default config and the above "users" file, it should work.  If you've changed everything else, then who knows what's going on.

> It seems redundant to specify the ntlm_auth type for every user in my users file given that's the only available option for authentication. Is there a correct way to do this and restore the previous behaviour?

  You shouldn't need to do that.  The "users" file should work the same as in v2.

  Alan DeKok.


RE: Trouble with FR3 users file format

Diggins Mike
I played around with the users file after reading your reply. I added the 'Fall-Through = Yes' parameter to the DEFAULT section and now it's working as expected.

# Begin
$INCLUDE /home/radius-users/users.include
DEFAULT Auth-Type = ntlm_auth
               Fall-Through = Yes
# end of user file

I don't believe the Fall-Through parameter is actually the fix itself because there is nothing to fall through to. I have just one DEFAULT user. Perhaps the default user needs a 'value' as well. I'm going to live with this "fix" unless I come across something else. I'm running the latest FreeRADIUS package included with RHEL7, which is based on 3.x. I don't think that's the issue though.

-Mike


Re: Trouble with FR3 users file format

Alan DeKok-2
On Jan 1, 2019, at 6:58 PM, Diggins Mike <[hidden email]> wrote:

>
> I played around with the users file after reading your reply. I added the 'Fall-Through Yes' parameter to the DEFAULT section and now it's working as expected.
>
> # Begin
> $INCLUDE /home/radius-users/users.include
> DEFAULT Auth-Type = ntlm_auth
>                Fall-Through = Yes
> # end of user file
>
> I don't believe the Fall-Through parameter is actually the fix itself because there is nothing to fall through to. I have just one DEFAULT user. Perhaps the default user needs a 'value' as well. I'm going to live with this "fix" unless I come across something else. I'm running the latest RHEL7 included FreeRadius package which is based on 3.x. I don't think that's the issue though.

  "Based on 3.x" doesn't mean a lot.  Vendors are notorious for sticking with versions from many years ago.

  I'd suggest trying 3.0.17.  It has a fix for $INCLUDE ordering in the "users" file.  You're probably running an older version.

  Alan DeKok.

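To make concrete what Mike's two posts and Alan's pointer to the $INCLUDE ordering fix are describing, here is an added simulation of how rlm_files walks a users file. It is illustration code written for this page, not FreeRADIUS source and not code from either poster. It models only the subset of the format used in the thread: entries are tried in file order, DEFAULT matches any user, the first matching entry ends the walk unless it carries Fall-Through = Yes, and $INCLUDE splices another file in at the point where it appears. The file contents, the include path, the usernames and the reply strings are constructed stand-ins, the `=` operator is modelled as "set if absent" for both the check and reply lists, and `default_first` is a toggle that stands in for any evaluation order in which the DEFAULT entry is consulted before the $INCLUDEd per-user entries, without claiming that this is the exact mechanism of the bug Alan refers to.

```python
"""Simulation of how FreeRADIUS's rlm_files walks a "users" file.

Added illustration, not FreeRADIUS source.  An entry begins with
"<name> <check items>" in column one, indented lines carry reply items,
DEFAULT matches any user, the walk stops at the first matching entry
unless it carries Fall-Through = Yes, and $INCLUDE is expanded in place.
"""
import re
from dataclasses import dataclass, field

# Attribute, operator, then either a "quoted value" or a bare token.
PAIR_RE = re.compile(r'([\w-]+)\s*(?:==|:=|\+=|=)\s*(?:"([^"]*)"|([^,\s]+))')


@dataclass
class Entry:
    name: str                                   # username or "DEFAULT"
    check: dict = field(default_factory=dict)   # first-line items
    reply: dict = field(default_factory=dict)   # indented items


def _pairs(text):
    """'A = 1, B = "x y"' -> {'A': '1', 'B': 'x y'}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR_RE.finditer(text)}


def parse_users(files, path):
    """Ordered entry list for `path`; `files` maps path -> text (a stand-in
    for the filesystem) and $INCLUDE is expanded where it appears."""
    entries = []
    for raw in files[path].splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("$INCLUDE"):
            entries.extend(parse_users(files, line.split(None, 1)[1].strip()))
        elif line[0].isspace():
            entries[-1].reply.update(_pairs(line))      # reply items
        else:
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append(Entry(name, _pairs(rest)))   # check items
    return entries


def lookup(entries, user, request=None):
    """Walk entries in order as rlm_files does in authorize.

    Returns (control, reply).  Auth-Type is written among the check items
    but is a control item, so it lands in `control`; Fall-Through is
    consumed here and never returned to the client."""
    request = request or {}
    control, reply = {}, {}
    for e in entries:
        if e.name not in ("DEFAULT", user):
            continue
        checks = dict(e.check)
        auth_type = checks.pop("Auth-Type", None)
        if any(request.get(k) != v for k, v in checks.items()):
            continue                            # a check item did not match
        if auth_type is not None:
            control.setdefault("Auth-Type", auth_type)
        items = dict(e.reply)
        fall_through = items.pop("Fall-Through", "no").lower() == "yes"
        for k, v in items.items():
            reply.setdefault(k, v)              # "=" adds only if absent
        if not fall_through:
            break                               # first match ends the walk
    return control, reply


# Constructed stand-ins for the two files named in the thread.
USERS_INCLUDE = """\
userid2 Auth-Type = ntlm_auth
        Reply-Message = "attr1, attr2"
guest002 Auth-Type = ntlm_auth
        Reply-Message = "guest attrs"
"""
USERS_NO_DEFAULT = "$INCLUDE /home/radius-users/users.include\n"
USERS_NO_FALLTHROUGH = USERS_NO_DEFAULT + "DEFAULT Auth-Type = ntlm_auth\n"
USERS_WITH_FALLTHROUGH = USERS_NO_FALLTHROUGH + "        Fall-Through = Yes\n"


def scenario(main_text, user, default_first=False):
    """Resolve `user` against `main_text`.  `default_first` moves DEFAULT
    ahead of the per-user entries (stable sort), standing in for any
    evaluation order in which DEFAULT is consulted before the $INCLUDEd entries."""
    files = {"/etc/raddb/users": main_text,               # assumed paths
             "/home/radius-users/users.include": USERS_INCLUDE}
    entries = parse_users(files, "/etc/raddb/users")
    if default_first:
        entries.sort(key=lambda e: e.name != "DEFAULT")
    return lookup(entries, user)


if __name__ == "__main__":   # DEFAULT consulted first, without and with Fall-Through
    print(scenario(USERS_NO_FALLTHROUGH, "guest002", default_first=True))
    print(scenario(USERS_WITH_FALLTHROUGH, "guest002", default_first=True))
```

With DEFAULT last and in the expected order, guest002 gets its Reply-Message and an unlisted user gets only Auth-Type; with DEFAULT removed, an unlisted user gets no Auth-Type at all, which is why PAP stopped working for those users; and if DEFAULT is consulted first, guest002 loses its reply items unless the DEFAULT carries Fall-Through = Yes, which is exactly the change Mike found working. The practical check is the one Alan gives: run the server with `radiusd -X` and read the rlm_files lines to see which entry actually matched and in what order, rather than trusting how the file looks, and confirm again after any package upgrade since the ordering fix is version dependent.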