add MS-CHAP-Use-NTLM-Auth := Auto

jejones3141 · Jan 9, 2024 · ddfc353 · ddfc353
1 parent 272adc8
commit ddfc353
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 7 deletions.
diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap
@@ -122,6 +122,9 @@ mschap {
 	#  `MS-CHAP-Use-NTLM-Auth := No` in the control items, and the `mschap`
 	#  module will do the authentication itself, without calling `ntlm_auth`.
 	#
+	#  You can also set `MS-CHAP-Use-NTLM-Auth := Auto`.  If a password is available,
+	#  it will be used.  Otherwise the module will fall back to ntlm_auth.
+	#
 	#  You can also try setting the user name as:
 	#
 	#  `... --username=%mschap(User-Name) ...`

diff --git a/share/dictionary/freeradius/dictionary.freeradius.internal b/share/dictionary/freeradius/dictionary.freeradius.internal
@@ -1,5 +1,5 @@
 # -*- text -*-
-# Copyright (C) 2023 The FreeRADIUS Server project and contributors
+# Copyright (C) 2024 The FreeRADIUS Server project and contributors
 # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
 # Version $Id$
 #
@@ -131,7 +131,12 @@ ATTRIBUTE	Module-Failure-Message			1038	string
 ATTRIBUTE	Rewrite-Rule				1039	string
 # 1040 was Digest-HA1
 
-ATTRIBUTE	MS-CHAP-Use-NTLM-Auth			1041	bool
+ATTRIBUTE	MS-CHAP-Use-NTLM-Auth			1041	uint8
+
+VALUE	MS-CHAP-Use-NTLM-Auth		No			0
+VALUE	MS-CHAP-Use-NTLM-Auth		Yes			1
+VALUE	MS-CHAP-Use-NTLM-Auth		Auto			2
+
 ATTRIBUTE	NTLM-User-Name				1042	string
 ATTRIBUTE	MS-CHAP-User-Name			1043	string
 

diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
@@ -228,7 +228,7 @@ fr_dict_attr_autoload_t rlm_mschap_dict_attr[] = {
 	{ .out = &attr_ms_chap_new_cleartext_password, .name = "MS-CHAP-New-Cleartext-Password", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 	{ .out = &attr_ms_chap_new_nt_password, .name = "MS-CHAP-New-NT-Password", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
 	{ .out = &attr_ms_chap_peer_challenge, .name = "MS-CHAP-Peer-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
-	{ .out = &attr_ms_chap_use_ntlm_auth, .name = "MS-CHAP-Use-NTLM-Auth", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
+	{ .out = &attr_ms_chap_use_ntlm_auth, .name = "MS-CHAP-Use-NTLM-Auth", .type = FR_TYPE_UINT8, .dict = &dict_freeradius },
 	{ .out = &attr_ms_chap_user_name, .name = "MS-CHAP-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 	{ .out = &attr_nt_password, .name = "Password.NT", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
 	{ .out = &attr_smb_account_ctrl_text, .name = "SMB-Account-Ctrl-Text", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
@@ -1212,6 +1212,7 @@ static int CC_HINT(nonnull (1, 2, 4, 5, 6)) do_mschap(rlm_mschap_t const *inst,
 
 	switch (method) {
 	case AUTH_INTERNAL:
+	case AUTH_AUTO:
 	/*
 	 *	Do normal authentication.
 	 */
@@ -1220,6 +1221,8 @@ static int CC_HINT(nonnull (1, 2, 4, 5, 6)) do_mschap(rlm_mschap_t const *inst,
 		 *	No password: can't do authentication.
 		 */
 		if (!password) {
+			if (method == AUTH_AUTO) goto do_ntlm;
+
 			REDEBUG("FAILED: No Password.NT/LM.  Cannot perform authentication");
 			return -1;
 		}
@@ -1238,6 +1241,7 @@ static int CC_HINT(nonnull (1, 2, 4, 5, 6)) do_mschap(rlm_mschap_t const *inst,
 		break;
 		}
 	case AUTH_NTLMAUTH_EXEC:
+	do_ntlm:
 	/*
 	 *	Run ntlm_auth
 	 */
@@ -2104,7 +2108,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 	 */
 	if (method != AUTH_INTERNAL) {
 		fr_pair_t *vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_ms_chap_use_ntlm_auth);
-		if (vp && vp->vp_bool == false) method = AUTH_INTERNAL;
+		if (vp && (vp->vp_uint8 <= AUTH_AUTO)) method = vp->vp_uint8;
 	}
 
 	/*
@@ -2319,6 +2323,9 @@ static int mod_instantiate(module_inst_ctx_t const *mctx)
 	case AUTH_INTERNAL:
 		DEBUG("Using internal authentication");
 		break;
+	case AUTH_AUTO:
+		DEBUG("Using auto password or ntlm_auth");
+		break;
 	case AUTH_NTLMAUTH_EXEC:
 		DEBUG("Authenticating by calling 'ntlm_auth'");
 		break;

diff --git a/src/modules/rlm_mschap/rlm_mschap.h b/src/modules/rlm_mschap/rlm_mschap.h
@@ -15,10 +15,11 @@ RCSIDH(rlm_mschap_h, "$Id$")
 
 /* Method of authentication we are going to use */
 typedef enum {
-	AUTH_INTERNAL		= 0,
-	AUTH_NTLMAUTH_EXEC	= 1
+	AUTH_INTERNAL		= 0, /* MS-CHAP-Use-NTLM-Auth = no */
+	AUTH_NTLMAUTH_EXEC	= 1, /* MS-CHAP-Use-NTLM-Auth = yes */
+	AUTH_AUTO		= 2, /* MS-CHAP-Use-NTLM-Auth = auto */
 #ifdef WITH_AUTH_WINBIND
-	,AUTH_WBCLIENT       	= 2
+	,AUTH_WBCLIENT       	= 3
 #endif
 } MSCHAP_AUTH_METHOD;