Setting up a VPN server with pptp and RADIUS for all sorts of clients

Hello,

This is my first post on this mailing list, so sorry if I am in the wrong place!

I am having problems getting the RADIUS server to validate my VPN clients.

Reading through the mail archives, I have found similar subjects, but the main difference in my case is that I don't have authority over the RADIUS server. The main problem comes from my Windows clients: I am trying to stick to the default Microsoft auth method (MS-CHAP v2) to keep the client side as simple as possible. So I have set up my pptp daemon, installed radiusclient, and used the dictionary.microsoft from the radiusclient sources.

I must point out that authentication works using the "User-Password" field (correct me if I am wrong, but this is a clear-text password?) on 802.1X clients, and all users in the LDAP base have a valid User-Password (but no NT/LM passwords). The solutions I have come across so far tell me to use the NT or LM password field and the problem is solved, but I can't change the layout; it has been set by "eduroam", who guides the project. So I must get my RADIUS client to work with User-Password, but I don't know where to start...

A log sent from the RADIUS admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user.
Here is the part I am talking about, from the RADIUS log:

    auth: type "MS-CHAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group MS-CHAP for request 0
    rlm_mschap: No User-Password configured.  Cannot create LM-Password.
    rlm_mschap: No User-Password configured.  Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
    rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

But I am sure that the User-Password field contains the valid password I am trying to use.

Just in case, I shall post the dictionary.microsoft I am using:

       #
       #	Microsoft's VSA's, from RFC 2548
       #
       #	$Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $
       #

       VENDOR		Microsoft	311	Microsoft

       ATTRIBUTE	MS-CHAP-Response	1	string	Microsoft
       ATTRIBUTE	MS-CHAP-Error		2	string	Microsoft
       ATTRIBUTE	MS-CHAP-CPW-1		3	string	Microsoft
       ATTRIBUTE	MS-CHAP-CPW-2		4	string	Microsoft
       ATTRIBUTE	MS-CHAP-LM-Enc-PW	5	string	Microsoft
       ATTRIBUTE	MS-CHAP-NT-Enc-PW	6	string	Microsoft
       ATTRIBUTE	MS-MPPE-Encryption-Policy 7	string	Microsoft
       # This is referred to as both singular and plural in the RFC.
       # Plural seems to make more sense.
       ATTRIBUTE	MS-MPPE-Encryption-Type 8	string	Microsoft
       ATTRIBUTE	MS-MPPE-Encryption-Types  8	string	Microsoft
       ATTRIBUTE	MS-RAS-Vendor		9	integer	Microsoft
       ATTRIBUTE	MS-CHAP-Domain		10	string	Microsoft
       ATTRIBUTE	MS-CHAP-Challenge	11	string	Microsoft
       ATTRIBUTE	MS-CHAP-MPPE-Keys	12	string	Microsoft
       ATTRIBUTE	MS-BAP-Usage		13	integer	Microsoft
       ATTRIBUTE	MS-Link-Utilization-Threshold 14 integer	Microsoft
       ATTRIBUTE	MS-Link-Drop-Time-Limit	15	integer	Microsoft
       ATTRIBUTE	MS-MPPE-Send-Key	16	string	Microsoft
       ATTRIBUTE	MS-MPPE-Recv-Key	17	string	Microsoft
       ATTRIBUTE	MS-RAS-Version		18	string	Microsoft
       ATTRIBUTE	MS-Old-ARAP-Password	19	string	Microsoft
       ATTRIBUTE	MS-New-ARAP-Password	20	string	Microsoft
       ATTRIBUTE	MS-ARAP-PW-Change-Reason 21	integer	Microsoft

       ATTRIBUTE	MS-Filter		22	string	Microsoft
       ATTRIBUTE	MS-Acct-Auth-Type	23	integer	Microsoft
       ATTRIBUTE	MS-Acct-EAP-Type	24	integer	Microsoft

       ATTRIBUTE	MS-CHAP2-Response	25	string	Microsoft
       ATTRIBUTE	MS-CHAP2-Success	26	string	Microsoft
       ATTRIBUTE	MS-CHAP2-CPW		27	string	Microsoft

       ATTRIBUTE	MS-Primary-DNS-Server	28	ipaddr	Microsoft
       ATTRIBUTE	MS-Secondary-DNS-Server	29	ipaddr	Microsoft
       ATTRIBUTE	MS-Primary-NBNS-Server	30	ipaddr	Microsoft
       ATTRIBUTE	MS-Secondary-NBNS-Server 31	ipaddr	Microsoft

       #ATTRIBUTE	MS-ARAP-Challenge	33	string	Microsoft


       #
       #	Integer Translations
       #

       #	MS-BAP-Usage Values

       VALUE		MS-BAP-Usage		Not-Allowed	0
       VALUE		MS-BAP-Usage		Allowed		1
       VALUE		MS-BAP-Usage		Required	2

       #	MS-ARAP-Password-Change-Reason Values

       VALUE	MS-ARAP-PW-Change-Reason	Just-Change-Password		1
       VALUE	MS-ARAP-PW-Change-Reason	Expired-Password		2
       VALUE	MS-ARAP-PW-Change-Reason	Admin-Requires-Password-Change	3
       VALUE	MS-ARAP-PW-Change-Reason	Password-Too-Short		4

       #	MS-Acct-Auth-Type Values

       VALUE		MS-Acct-Auth-Type	PAP		1
       VALUE		MS-Acct-Auth-Type	CHAP		2
       VALUE		MS-Acct-Auth-Type	MS-CHAP-1	3
       VALUE		MS-Acct-Auth-Type	MS-CHAP-2	4
       VALUE		MS-Acct-Auth-Type	EAP		5

       #	MS-Acct-EAP-Type Values

       VALUE		MS-Acct-EAP-Type	MD5		4
       VALUE		MS-Acct-EAP-Type	OTP		5
       VALUE		MS-Acct-EAP-Type	Generic-Token-Card	6
       VALUE		MS-Acct-EAP-Type	TLS		13

I have tried to explain my problem the best I can, but if you find that something is missing, don't hesitate!

Thanks,
Robert

PS: using other protocols (PAP for example) works fine, but we need mschap support!