FreeRadius IRC...

Thibault Le Meur Thibault.LeMeur at supelec.fr
Sat Jan 13 23:12:01 CET 2007


----- Message from evan at terralab.com ---------
     Date: Sat, 13 Jan 2007 16:55:50 -0500
     From: Evan Vittitow <evan at terralab.com>
 Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
  Subject: Re: FreeRadius IRC...
       To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>


>
>>
>> I posted an idea and you decided not to reply to my questions !
>>
>> I suspect that your VPN server doesn't know Microsoft Radius
>> attributes and refuses to send them to the radius server. I've tested
>> a bad setup (lack of Microsoft radius dictionary), and I get the same
>> radiusd -X debug log: no MS-CHAP Challenge in the request...
> I've ensured that /etc/radiusclient/ and /etc/raddb have the same
> dictionary. (dictionary and dictionary.microsoft.)
>>
>> I asked "have you checked possible error messages in /var/log/messages
>>  " on the vpn server ?
>> To be more specific, look for the following lines in your log file:
>> " rc_avpair_new: unknown attribute"
>>
> No such error messages appear on my Radius Server.

This error is to be seen on the PPPd server, not on the Freeradius  
server. It is an error from the PPPd radius plugin (in fact the  
radiusclient library).

> I had them once when
> I tried to change the dictionary to the one in /usr/share/freeradius,
> but I imported the official dictionary.microsoft one and they went away.

Curious, I never had to change the microsoft dictionary from the  
official Freeradius distribution !!!

>> If you see such lines it might be that your radiusclient library (used
>> by the PPPd plugin on your VPN server) doesn't understand the
>> Microsoft attributes (for instance the MS-CHAP Challenge). Thus, the
>> PPPd radius plugin doesn't send these attributes that are required for
>> Freeradius to do MS-CHAP authentication.
>>
>> Could you really check that your dictionary file on the VPN server
>> side contains a line like:
>> INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
>>
>> and check the content of this file...
>>
>> HTH,
>> Thibault
>
> I found A possible culprit.
>
> Jan 13 16:54:41 kurama pppd[11364]: rc_avpair_new: unknown attribute 11
> Jan 13 16:54:41 kurama pppd[11364]: rc_avpair_new: unknown attribute 25


This is not a possible culprit: This IS THE CULPRIT, and it confirms  
my diagnosis.

On your PPPd server, you have to update you:
* add a dictionary/microsoft file on the radiusclient dictionary  
directory (/etc/radiusclient or /usr/share/radiusclient-ng depending  
on your distro).
* modify the dictionary file in this directory to INCLUDE this file  
(see below).

Then your authentication should work fine.

Let me know...

Thibault
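
A check for the fix described in this message, as an added example that is not part of the original post: it verifies that a radiusclient dictionary INCLUDEs a dictionary.microsoft file and that this file defines attribute numbers 11 and 25, the two that pppd logged as unknown. The function names and the sample dictionaries are constructed for illustration; the sample attribute names follow the Microsoft vendor attribute numbering (MS-CHAP-Challenge 11, MS-CHAP2-Response 25).

```shell
#!/bin/sh
# Added example: verify that a radiusclient dictionary INCLUDEs
# dictionary.microsoft and that the included file defines the two
# attribute numbers pppd reported as unknown (11 and 25).
check_ms_dict() {
    dict=$1
    [ -r "$dict" ] || { echo "cannot read $dict"; return 2; }
    # First INCLUDE line whose target is a dictionary.microsoft file
    inc=$(awk '$1 == "INCLUDE" && $2 ~ /dictionary\.microsoft$/ { print $2; exit }' "$dict")
    if [ -z "$inc" ]; then
        echo "no INCLUDE of dictionary.microsoft in $dict"
        return 1
    fi
    [ -r "$inc" ] || { echo "included file $inc is not readable"; return 1; }
    rc=0
    for num in 11 25; do
        # Name given to this attribute number in the included file, if any
        name=$(awk -v n="$num" '$1 == "ATTRIBUTE" && $3 == n { print $2; exit }' "$inc")
        if [ -n "$name" ]; then
            echo "attribute $num is defined as $name"
        else
            echo "attribute $num is not defined in $inc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample dictionaries (not taken from the thread) in a temp dir.
make_sample() {
    d=$(mktemp -d)
    printf 'ATTRIBUTE\tUser-Name\t1\tstring\n' > "$d/dictionary.bad"
    cp "$d/dictionary.bad" "$d/dictionary.good"
    printf 'INCLUDE %s/dictionary.microsoft\n' "$d" >> "$d/dictionary.good"
    {
        printf 'VENDOR\tMicrosoft\t311\tMicrosoft\n'
        printf 'ATTRIBUTE\tMS-CHAP-Challenge\t11\tstring\tMicrosoft\n'
        printf 'ATTRIBUTE\tMS-CHAP2-Response\t25\tstring\tMicrosoft\n'
    } > "$d/dictionary.microsoft"
    echo "$d"
}

sample=$(make_sample)
check_ms_dict "$sample/dictionary.bad" || true   # reports the missing INCLUDE
check_ms_dict "$sample/dictionary.good"          # reports both attributes
rm -rf "$sample"
```

On the PPPd server, call `check_ms_dict` with the path of the dictionary file that the radiusclient configuration actually loads.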




