FDS + Freeradius = pain.

Joey McDonald jmcdice at gmail.com
Fri Feb 3 04:27:32 CET 2006


Whoops... sent that from my wrong account... trying again :)

Greetings!

I've been struggling to get PPTP authenticating through my freeradius
server through to my LDAP server.

I've got Fedora Directory Server as my LDAP database and I've
configured freeradius according to the instructions I found for
OpenLDAP (yes, this could be part of the problem but I didn't see
anything specific to FDS).

I've got authentication working via radtest, e.g.

rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56
        User-Name = "joey"
        User-Password = "xxxxxxxx"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for joey
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to ldap.example.net:389, authentication 0
rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user joey authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net
rlm_ldap: (re)connect to ldap.example.net:389, authentication 1
rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user joey authenticated succesfully
Login OK: [joey/xxxxxxx] (from client el-oso port 0)
Sending Access-Accept of id 116 to 172.33.100.18:32811

So that tells me that I've got the communication to my LDAP server
properly configured.

However when my PPTP server sends authentication requests to my radius
server, I always get "Login incorrect: [joey/<no User-Password
attribute>]"

For example:

rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "joey"
        MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6
        MS-CHAP2-Response = 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442
        Calling-Station-Id = "67.41.208.129"
        NAS-Identifier = "pptp"
        NAS-Port = 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for joey
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user joey authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 67.41.208.129)
Sending Access-Reject of id 15 to 71.39.18.170:32784


I have no idea where to troubleshoot this at this point. The usual
suspects seem to be properly configured (ldap.attrmap, clients.conf,
radiusd.conf and users). Anybody have thoughts? Thanks.

           --joey
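The two requests above differ in what they carry: the radtest packet has a User-Password attribute (RFC 2865 PAP), while the PPTP packet carries only MS-CHAP-Challenge and MS-CHAP2-Response, which are Microsoft vendor-specific attributes (vendor id 311, RFC 2548) wrapped in attribute 26. An MS-CHAPv2 response is a DES/MD4-derived value computed from the NT hash of the password, so an LDAP simple bind, which needs the cleartext password, has nothing to bind with; that is what "Attribute 'User-Password' is required" means. The following script is an added example, not code from the post or from FreeRADIUS: it encodes both requests from the attributes shown (the Request Authenticators and the obfuscated PAP password are not in the post and are placeholders), decodes them back, including the VSA layer, and classifies which authentication method each one allows. The resulting packet lengths, 56 and 147, match the lengths in the posted logs.

```python
import struct

# RADIUS constants (RFC 2865 / RFC 2548).  Request Authenticators and the
# obfuscated PAP password are placeholders: the post does not show them.
ACCESS_REQUEST = 1
MS_VENDOR_ID = 311  # Microsoft vendor id used for the MS-CHAP attributes
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol",
              26: "Vendor-Specific", 31: "Calling-Station-Id",
              32: "NAS-Identifier"}
MS_ATTR_NAMES = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge",
                 25: "MS-CHAP2-Response"}


def tlv(attr_type, value):
    """One attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def ms_vsa(sub_type, value):
    """Vendor-Specific (26) carrying a single Microsoft sub-attribute."""
    return tlv(26, struct.pack("!I", MS_VENDOR_ID) + tlv(sub_type, value))


def build_access_request(ident, authenticator, attributes):
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def parse_packet(pkt):
    """Decode header and attributes; VSAs are flattened to their sub-attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + attr_len]
        if attr_type == 26 and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            inner, ipos = value[4:], 0
            while ipos < len(inner):
                sub_type, sub_len = inner[ipos], inner[ipos + 1]
                if sub_len < 2 or ipos + sub_len > len(inner):
                    raise ValueError("bad vendor attribute length")
                name = (MS_ATTR_NAMES.get(sub_type) if vendor == MS_VENDOR_ID
                        else None) or f"Vendor-{vendor}-Attr-{sub_type}"
                attrs.append((name, inner[ipos + 2:ipos + sub_len]))
                ipos += sub_len
        else:
            attrs.append((ATTR_NAMES.get(attr_type, f"Attr-{attr_type}"), value))
        pos += attr_len
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def auth_method(attrs):
    """Which password protocol the NAS used, judged from the attributes present."""
    names = {name for name, _ in attrs}
    if "User-Password" in names:
        return "PAP"
    if "MS-CHAP-Challenge" in names and "MS-CHAP2-Response" in names:
        return "MS-CHAPv2"
    if "MS-CHAP-Challenge" in names and "MS-CHAP-Response" in names:
        return "MS-CHAPv1"
    return "unknown"


def ldap_bind_can_verify(attrs):
    """A simple LDAP bind needs the cleartext password; only PAP carries it."""
    return auth_method(attrs) == "PAP"


def split_mschap2_response(value):
    """MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes")
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18],
            "reserved": value[18:26], "nt_response": value[26:50]}


# The radtest request from the post (id 116); password bytes are a placeholder.
RADTEST_REQUEST = build_access_request(116, bytes(16), [
    tlv(1, b"joey"),
    tlv(2, bytes(16)),                      # placeholder for the obfuscated PAP password
    tlv(4, bytes([255, 255, 255, 255])),    # NAS-IP-Address = 255.255.255.255
    tlv(5, struct.pack("!I", 0)),           # NAS-Port = 0
])

# The PPTP request from the post (id 15), with the MS-CHAP values as shown.
PPTP_REQUEST = build_access_request(15, bytes(16), [
    tlv(6, struct.pack("!I", 2)),           # Service-Type = Framed-User
    tlv(7, struct.pack("!I", 1)),           # Framed-Protocol = PPP
    tlv(1, b"joey"),
    ms_vsa(11, bytes.fromhex("47f01bcb27f52fa649fc0722f36c30c6")),
    ms_vsa(25, bytes.fromhex("92001b248ce93a1a352383f8836833afeb9a"
                             "0000000000000000"
                             "724f55d6a62231b22c33b33265212ecd3fa334aff76bb442")),
    tlv(31, b"67.41.208.129"),
    tlv(32, b"pptp"),
    tlv(5, struct.pack("!I", 0)),
])

if __name__ == "__main__":
    for label, pkt in (("radtest", RADTEST_REQUEST), ("pptp", PPTP_REQUEST)):
        decoded = parse_packet(pkt)
        print(label, len(pkt), auth_method(decoded["attrs"]),
              "ldap-bind-ok" if ldap_bind_can_verify(decoded["attrs"]) else "needs NT hash/cleartext")
```

Running it prints `radtest 56 PAP ldap-bind-ok` and `pptp 147 MS-CHAPv2 needs NT hash/cleartext`. The practical consequence for the setup in the post is that MS-CHAPv2 requests have to be handled by a module that can compute the NT response itself, which in turn needs the cleartext password or the NT hash for the user rather than a bind against a hashed userPassword.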