Score:1

Freeradius: Authenticate users on certain condition

mp flag

There is a network where users are using PPPoE to establish connections to the access servers. We have lost the billing system and the users' DB. The only rule we know is that 'a valid credential is one where the username and password are the same value (i.e. username: johnsmith, password: johnsmith)'.

We'd like to recover access to the Internet asap.

Setup that we have now: Ubuntu 2004, accel-ppp, freeradius3. Everything works fine, but we have to add a record for each user to the raddb/mods-config/files/authorize file.

# raddb/mods-config/files/authorize
user1 Cleartext-Password := "user1"
user2 Cleartext-Password := "user2"
userN Cleartext-Password := "userN"

Is it possible to avoid manually adding users? The script should verify credentials assuming that the username and the valid password are the same value.

Also, I tried:

# raddb/mods-config/files/authorize
DEFAULT Auth-Type := Accept

radtest -t mschap tqq tq 172.17.0.1 0 testing123

This received an Access-Accept, but when trying to set up PPPoE on a router or PC I get "Authentication failed, incorrect username or password."

Appreciate any help.

freeradius-radius-1  | (11) Received Access-Request Id 1 from 192.168.192.1:49648 to 192.168.192.2:1812 length 178
freeradius-radius-1  | (11)   User-Name = "q"
freeradius-radius-1  | (11)   NAS-Identifier = "accel-ppp"
freeradius-radius-1  | (11)   NAS-IP-Address = 172.17.0.1
freeradius-radius-1  | (11)   NAS-Port-Type = Virtual
freeradius-radius-1  | (11)   Service-Type = Framed-User
freeradius-radius-1  | (11)   Framed-Protocol = PPP
freeradius-radius-1  | (11)   Calling-Station-Id = "d8:47:32:c3:72:bd"
freeradius-radius-1  | (11)   Called-Station-Id = "00:0c:29:fb:5d:8e"
freeradius-radius-1  | (11)   MS-CHAP-Challenge = 0x57d2a52805a8b83f1c2241558e501549
freeradius-radius-1  | (11)   MS-CHAP2-Response = 0x01002b3c2451214fb6e0583fb9972a49a56e00000000000000001ae496c046d6b776df57a8ba10ab82254b78878444ce0cb1
freeradius-radius-1  | (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default
freeradius-radius-1  | (11)   authorize {
freeradius-radius-1  | (11)     policy filter_username {
freeradius-radius-1  | (11)       if (&User-Name) {
freeradius-radius-1  | (11)       if (&User-Name)  -> TRUE
freeradius-radius-1  | (11)       if (&User-Name)  {
freeradius-radius-1  | (11)         if (&User-Name =~ / /) {
freeradius-radius-1  | (11)         if (&User-Name =~ / /)  -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /@[^@]*@/ ) {
freeradius-radius-1  | (11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /\.\./ ) {
freeradius-radius-1  | (11)         if (&User-Name =~ /\.\./ )  -> FALSE
freeradius-radius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
freeradius-radius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /\.$/)  {
freeradius-radius-1  | (11)         if (&User-Name =~ /\.$/)   -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /@\./)  {
freeradius-radius-1  | (11)         if (&User-Name =~ /@\./)   -> FALSE
freeradius-radius-1  | (11)       } # if (&User-Name)  = notfound
freeradius-radius-1  | (11)     } # policy filter_username = notfound
freeradius-radius-1  | (11)     [preprocess] = ok
freeradius-radius-1  | (11)     [chap] = noop
freeradius-radius-1  | (11) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
freeradius-radius-1  | (11)     [mschap] = ok
freeradius-radius-1  | (11)     [digest] = noop
freeradius-radius-1  | (11) suffix: Checking for suffix after "@"
freeradius-radius-1  | (11) suffix: No '@' in User-Name = "q", looking up realm NULL
freeradius-radius-1  | (11) suffix: No such realm "NULL"
freeradius-radius-1  | (11)     [suffix] = noop
freeradius-radius-1  | (11) eap: No EAP-Message, not doing EAP
freeradius-radius-1  | (11)     [eap] = noop
freeradius-radius-1  | (11) files: users: Matched entry DEFAULT at line 1
freeradius-radius-1  | (11)     [files] = ok
freeradius-radius-1  | (11)     [expiration] = noop
freeradius-radius-1  | (11)     [logintime] = noop
freeradius-radius-1  | (11) pap: WARNING: Auth-Type already set.  Not setting to PAP
freeradius-radius-1  | (11)     [pap] = noop
freeradius-radius-1  | (11)   } # authorize = ok
freeradius-radius-1  | (11) Found Auth-Type = Accept
freeradius-radius-1  | (11) Auth-Type = Accept, accepting the user
freeradius-radius-1  | (11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
freeradius-radius-1  | (11)   post-auth {
freeradius-radius-1  | (11)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
freeradius-radius-1  | (11)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
freeradius-radius-1  | (11)     update {
freeradius-radius-1  | (11)       No attributes updated for RHS &session-state:
freeradius-radius-1  | (11)     } # update = noop
freeradius-radius-1  | (11)     [exec] = noop
freeradius-radius-1  | (11)     policy remove_reply_message_if_eap {
freeradius-radius-1  | (11)       if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius-radius-1  | (11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
freeradius-radius-1  | (11)       else {
freeradius-radius-1  | (11)         [noop] = noop
freeradius-radius-1  | (11)       } # else = noop
freeradius-radius-1  | (11)     } # policy remove_reply_message_if_eap = noop
freeradius-radius-1  | (11)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
freeradius-radius-1  | (11)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
freeradius-radius-1  | (11)   } # post-auth = noop
freeradius-radius-1  | (11) Sent Access-Accept Id 1 from 192.168.192.2:1812 to 192.168.192.1:49648 length 32
freeradius-radius-1  | (11)   Session-Timeout = 14400
freeradius-radius-1  | (11)   Termination-Action = RADIUS-Request
freeradius-radius-1  | (11) Finished request
freeradius-radius-1  | Waking up in 1.9 seconds.

Score:0
fr flag

This is easy to do in unlang, the FreeRADIUS configuration "language".

You copy the (known) User-Name to Cleartext-Password, which is what the incoming password is then compared to.

See my full answer to the same question on StackOverflow for an example: https://stackoverflow.com/a/70620187/5857272
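One way to write the check the answer describes, as an added example (not the answer's own snippet or the linked StackOverflow code, and not a stock FreeRADIUS file): the block marked "Added" goes into the `authorize` section of `sites-enabled/default` on FreeRADIUS 3; the surrounding module calls are the ones that already appear in the question's debug output. It assumes the `DEFAULT Auth-Type := Accept` line from the question is removed from `mods-config/files/authorize`, so that the `mschap` and `pap` modules actually verify the password.

```unlang
# sites-enabled/default, FreeRADIUS 3 unlang (added example, not the
# project's own file). Only the block marked "Added" is new; the other
# calls are the module order already visible in the question's debug log.
authorize {
    filter_username
    preprocess
    chap
    mschap          # detects MS-CHAP attributes and sets Auth-Type = mschap
    digest
    suffix
    eap {
        ok = return
    }
    files           # per-user entries, if any, still win (see guard below)

    # Added: when no other source supplied a password for this user, treat the
    # user name itself as the known cleartext password. mschap derives the NT
    # hash from control:Cleartext-Password, so both MS-CHAPv2 and PAP logins
    # are then checked against it instead of being accepted blindly.
    if (&User-Name && !&control:Cleartext-Password) {
        update control {
            &Cleartext-Password := "%{User-Name}"
        }
    }

    expiration
    logintime
    pap             # sets Auth-Type = PAP for User-Password requests
}
```

With this in place, an MS-CHAPv2 request such as the one in the question's log is verified by the `mschap` module in `authenticate`, and a successful Access-Accept carries an `MS-CHAP2-Success` attribute. The reply in the question's debug output contains only `Session-Timeout` and `Termination-Action`: with `Auth-Type := Accept` the `mschap` module never ran, so no authenticator response was produced, and an MS-CHAPv2 client (here accel-ppp's PPPoE peer) rejects the session without it even though the RADIUS server said Accept. Because every password under this policy is derivable from the user name, keep the rule in place only until the user DB is rebuilt, and ideally restrict it to the accel-ppp NAS via the `clients.conf` entry rather than applying it to every client.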
