chap authentication with v4

chap authentication with v4

Users mailing list
Hi all,
  Sorry this is embarrassingly simple, but I'm struggling a bit with it. Profuse apologies if I missed something obvious.

We use MAC authentication with some stuff, and update the control Cleartext-Password to match the user-name field, as mac auth on the NASes here always use that as the password. Authorisation does all our useful accept/reject stuff, not authentication. Having said that I'd prefer not to "hack" it to bypass auth.

My test NAS is an HP/Aruba 2530 with v15.17.0009 firmware.

Before the chap auth runs:

update control {
    &Cleartext-Password = &User-Name
}

Works on v3:
From the access request :
Wed Jul 22 08:33:57 2020 : Debug: (0)   User-Name = "08000f510d1e"
Wed Jul 22 08:33:57 2020 : Debug: (0)   CHAP-Password = 0x9fdc274c2e3ca36a66a0581a10d44a7dd2
Wed Jul 22 08:33:57 2020 : Debug: (0)   Message-Authenticator = 0x978dc5f6ccbcd916950b3d76190039dc
..
.. and then the chap auth debug:
..
Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Comparing with "known good" &control:Cleartext-Password value "08000f510d1e"
Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Using challenge from &request:CHAP-Challenge
Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   CHAP challenge : e7714b9a5d8463e7947041bdbf399c17
Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   Client sent    : dc274c2e3ca36a66a0581a10d44a7dd2
Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   We calculated  : dc274c2e3ca36a66a0581a10d44a7dd2
Wed Jul 22 08:33:57 2020 : Debug: (0) chap: CHAP user "08000f510d1e" authenticated successfully

But on v4, it doesn't like it, and I can't figure out why, says the password is incorrect.
I've checked and double checked the client.conf secret is correct.

Wed Jul 22 07:59:01 2020: (1)    User-Name = "08000f510d1e"
Wed Jul 22 07:59:01 2020: (1)    CHAP-Password = 0xa1526f5b6d5cc40d3d87df334515befc07
Wed Jul 22 07:59:01 2020: (1)    Message-Authenticator = 0x5433e862ac2ab58c19866ff8bb05863f
..
Wed Jul 22 07:59:01 2020: (1)    chap - Using "known good" cleartext password Cleartext-Password = "08000f510d1e"
Wed Jul 22 07:59:01 2020: (1)    chap - Using challenge from &request:CHAP-Challenge
Wed Jul 22 07:59:01 2020: (1)    chap -   CHAP challenge : bf61a943b98f4d1b9e9885677705a6b8
Wed Jul 22 07:59:01 2020: (1)    chap -   Client sent    : 526f5b6d5cc40d3d87df334515befc07
Wed Jul 22 07:59:01 2020: (1)    chap -   We calculated  : 72ca08cb516acb819b0ff9d7cc5988c4
Wed Jul 22 07:59:01 2020: ERROR : (1)    chap - Password comparison failed: password is incorrect

Testing chap with radtest DOES work ok with v4 though, really confusing. Can anyone spot the issue? I've a feeling I've missed something obvious.. :(

Thanks
Andy



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: chap authentication with v4

Alan DeKok-2
On Jul 22, 2020, at 4:58 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
> We use MAC authentication with some stuff, and update the control Cleartext-Password to match the user-name field, as mac auth on the NASes here always use that as the password. Authorisation does all our useful accept/reject stuff, not authentication. Having said that I'd prefer not to "hack" it to bypass auth.

  Sure.

> My test NAS is an HP/Aruba 2530 with v15.17.0009 firmware
>
> Before the chap auth runs:
>
> Update control {
>  &Cleartext-Password = &User-Name
> }
>
> Works on v3:
> From the access request :
> Wed Jul 22 08:33:57 2020 : Debug: (0)   User-Name = "08000f510d1e"
> Wed Jul 22 08:33:57 2020 : Debug: (0)   CHAP-Password = 0x9fdc274c2e3ca36a66a0581a10d44a7dd2
> Wed Jul 22 08:33:57 2020 : Debug: (0)   Message-Authenticator = 0x978dc5f6ccbcd916950b3d76190039dc
> ..
> .. and then the chap auth debug:
> ..
> Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Comparing with "known good" &control:Cleartext-Password value "08000f510d1e"
> Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Using challenge from &request:CHAP-Challenge
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   CHAP challenge : e7714b9a5d8463e7947041bdbf399c17
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   Client sent    : dc274c2e3ca36a66a0581a10d44a7dd2
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   We calculated  : dc274c2e3ca36a66a0581a10d44a7dd2
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap: CHAP user "08000f510d1e" authenticated successfully
>
> But on v4, it doesn't like it, and I can't figure out why, says the password is incorrect.


> I've checked and double checked the client.conf secret is correct.

  The client secret isn't used for CHAP.  The message means that the "known good" password doesn't match the one used for CHAP.

> Wed Jul 22 07:59:01 2020: (1)    User-Name = "08000f510d1e"
> Wed Jul 22 07:59:01 2020: (1)    CHAP-Password = 0xa1526f5b6d5cc40d3d87df334515befc07
> Wed Jul 22 07:59:01 2020: (1)    Message-Authenticator = 0x5433e862ac2ab58c19866ff8bb05863f
> ..
> Wed Jul 22 07:59:01 2020: (1)    chap - Using "known good" cleartext password Cleartext-Password = "08000f510d1e"
> Wed Jul 22 07:59:01 2020: (1)    chap - Using challenge from &request:CHAP-Challenge
> Wed Jul 22 07:59:01 2020: (1)    chap -   CHAP challenge : bf61a943b98f4d1b9e9885677705a6b8
> Wed Jul 22 07:59:01 2020: (1)    chap -   Client sent    : 526f5b6d5cc40d3d87df334515befc07
> Wed Jul 22 07:59:01 2020: (1)    chap -   We calculated  : 72ca08cb516acb819b0ff9d7cc5988c4
> Wed Jul 22 07:59:01 2020: ERROR : (1)    chap - Password comparison failed: password is incorrect
>
> Testing chap with radtest DOES work ok with v4 though, really confusing. Can anyone spot the issue? I've a feeling I've missed something obvious.. :(

  You can use the debug output to send test packets with radclient.

from v3:

User-Name = "08000f510d1e"
CHAP-Password = 0x9fdc274c2e3ca36a66a0581a10d44a7dd2
CHAP-Challenge = 0xe7714b9a5d8463e7947041bdbf399c17

from v4:

User-Name =  "08000f510d1e"
CHAP-Password = 0xa1526f5b6d5cc40d3d87df334515befc07
CHAP-Challenge = 0xbf61a943b98f4d1b9e9885677705a6b8

  Send *both* of those packets to *both* servers.  If the servers behave differently, there's a bug.  If the servers behave the same, then one of the packets was using the wrong password.

  Hmm... just tried that here.  And yes, v3 passes both packets.  v4 doesn't.  How the heck is CHAP broken?  I haven't touched that code.  Maybe Arran...

  I'll take a look today.  And, add some tests so that this doesn't happen again.

  Alan DeKok.
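To make the point above concrete (the client secret plays no part in CHAP, and both captured packets verify under the same password), here is an added Python example; it is not FreeRADIUS code. It recomputes the RFC 2865 CHAP response for the two packets quoted in this thread, with the hex values copied from the debug output; the Request-Authenticator fallback is the RFC behaviour and is an assumption not exercised by these packets.

```python
import hashlib
import hmac
from typing import Optional

# Values constructed from the two Access-Requests quoted in the thread:
# the MAC-as-username is also the cleartext password the control update sets.
PASSWORD = "08000f510d1e"
# v3 packet (authenticated successfully)
V3_CHAP_PASSWORD = bytes.fromhex("9fdc274c2e3ca36a66a0581a10d44a7dd2")
V3_CHAP_CHALLENGE = bytes.fromhex("e7714b9a5d8463e7947041bdbf399c17")
# v4 packet (rejected by the broken v4, accepted by v3 when replayed)
V4_CHAP_PASSWORD = bytes.fromhex("a1526f5b6d5cc40d3d87df334515befc07")
V4_CHAP_CHALLENGE = bytes.fromhex("bf61a943b98f4d1b9e9885677705a6b8")


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 CHAP response: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def chap_verify(password: str, chap_password: bytes,
                chap_challenge: Optional[bytes] = None,
                request_authenticator: Optional[bytes] = None) -> bool:
    """Check a RADIUS CHAP-Password attribute against a known-good cleartext password.

    CHAP-Password is 17 bytes: the 1-byte CHAP Identifier followed by the
    16-byte MD5 response ("Client sent" in the debug output).  Per RFC 2865 the
    challenge is the CHAP-Challenge attribute if the NAS sent one, otherwise the
    16-byte Request Authenticator.  The client shared secret is not an input, so
    re-checking the secret in the clients file cannot clear this error.
    """
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 bytes: id + 16-byte MD5")
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    if challenge is None:
        raise ValueError("need CHAP-Challenge or the Request Authenticator")
    chap_id, client_sent = chap_password[0], chap_password[1:]
    we_calculated = chap_response(chap_id, password, challenge)
    # Constant-time comparison so verification time does not leak how much matched.
    return hmac.compare_digest(client_sent, we_calculated)


if __name__ == "__main__":
    for name, pw_attr, chal in (("v3", V3_CHAP_PASSWORD, V3_CHAP_CHALLENGE),
                                ("v4", V4_CHAP_PASSWORD, V4_CHAP_CHALLENGE)):
        print(name, "CHAP id 0x%02x:" % pw_attr[0],
              "ok" if chap_verify(PASSWORD, pw_attr, chal) else "password is incorrect")
```

Feeding the server's own "CHAP challenge" and "Client sent" lines through this check is a quick way to tell a wrong password at the NAS from a server-side CHAP bug like the one found here.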



Re: chap authentication with v4

Alan DeKok-2
  Yes... bad Arran.  He missed one critical bit when updating the CHAP code in v4.

  I've pushed a fix, and added tests so that this doesn't happen again.

  Alan DeKok.



RE: chap authentication with v4

Users mailing list
Wow, I didn't think it would be a bug, more something I wasn't doing right!

So ... thanks very much, I'll give it a test :-)

Kind Regards
Andy
