Hi all. I have been enjoying radius for a while now. Had to make a server upgrade and move over to Fedora 8 for HW support. Still using 1.1.7 because it rocks. Well, not quite any more: I moved over the config files I had on Debian and everything seems OK, except that no users can log in anymore via PPTP on my firewall.

My config:

Linux ns.intern.fb.se 2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT 2008 i686 i686 i386 GNU/Linux

[root@ns usersdepot]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = yes
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/var/run/radius/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

When a user logs in:

rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
NAS-Identifier = "halon"
NAS-IP-Address = 10.0.5.1
Message-Authenticator = 0x18e8c7acd5db57751eb497c6d6c59503
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "212.247.38.166"
User-Name = "giobbi"
MS-CHAP-Challenge = 0xbb1e6823d2ae12e363e056523f30a6de
MS-CHAP2-Response = 0x01000357ec5a5b0eb534ea8682a730849e89000000000000000034ff990a30a4a24681b50b31d7da17a3d2634e2e55ad5e17
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "giobbi", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 185
users: Matched entry giobbi at line 4
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: Told to do MS-CHAPv2 for giobbi with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [giobbi] (from client fw-halon port 0 cli 212.247.38.166)
Sending Access-Accept of id 3 to 10.0.5.1 port 60461
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type = Framed-User
Framed-Route = "10.0.4.0/24 10.0.5.245 10.0.5.0/24 10.0.5.1 10.0.8.0/24 10.0.5.245 10.0.9/24 10.0.5.245"
MS-CHAP2-Success = 0x01533d34444432314431443741453246333335453632323046463633304643464435463835353236393736
MS-MPPE-Recv-Key = 0x9f2fb3fc6a24b8a5a5251de891f8ece8
MS-MPPE-Send-Key = 0xd488a4ec77025f4c8c3e4defc4fbdf70
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
Waking up in 6 seconds...

Firewall log:

halon(Firewall_GOT)# system logs pptp
PPTP: Incoming control connection from 212.247.38.166 55553 to 212.247.38.166 1723
pptp0: attached to connection with 212.247.38.166 55553
[pptp0] Accepting PPTP connection
[pptp0] opening link "pptp0"...
[pptp0] link: OPEN event
[pptp0] LCP: Open event
[pptp0] LCP: state change Initial --> Starting
[pptp0] LCP: LayerStart
[pptp0] PPTP: attaching to peer's outgoing call
[pptp0] link: UP event
[pptp0] link: origination is remote
[pptp0] LCP: Up event
[pptp0] LCP: state change Starting --> Req-Sent
[pptp0] LCP: SendConfigReq #31 ACFCOMP PROTOCOMP MRU 1460 MAGICNUM a3e02c2f AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: rec'd Configure Request #1 (Req-Sent) ACCMAP 0x00000000 MAGICNUM c5887687 PROTOCOMP ACFCOMP
[pptp0] LCP: SendConfigAck #1 ACCMAP 0x00000000 MAGICNUM c5887687 PROTOCOMP ACFCOMP
[pptp0] LCP: state change Req-Sent --> Ack-Sent
[pptp0] LCP: SendConfigReq #32 ACFCOMP PROTOCOMP MRU 1460 MAGICNUM a3e02c2f AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: rec'd Configure Ack #32 (Ack-Sent) ACFCOMP PROTOCOMP MRU 1460 MAGICNUM a3e02c2f AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: state change Ack-Sent --> Opened
[pptp0] LCP: auth: peer wants nothing, I want CHAP
[pptp0] CHAP: sending CHALLENGE len:17
[pptp0] LCP: LayerUp
[pptp0] CHAP: rec'd RESPONSE #1 Name: "giobbi"
[pptp0] AUTH: Auth-Thread started
[pptp0] AUTH: Trying RADIUS
[pptp0] RADIUS: RadiusAuthenticate for: giobbi
[pptp0] RADIUS: rad_send_request failed: No valid RADIUS responses received
[pptp0] AUTH: RADIUS returned undefined
[pptp0] AUTH: Trying INTERNAL
AUTH: User "giobbi" not found in secret file
[pptp0] AUTH: INTERNAL returned failed
[pptp0] AUTH: ran out of backends
[pptp0] AUTH: Auth-Thread finished normally
[pptp0] CHAP: ChapInputFinish: status failed
Reply message: E=691 R=0 M=Login incorrect
[pptp0] CHAP: sending FAILURE len:27
[pptp0] LCP: authorization failed
[pptp0] LCP: parameter negotiation failed
[pptp0] LCP: state change Opened --> Stopping
[pptp0] AUTH: Cleanup
[pptp0] LCP: SendTerminateReq #33
[pptp0] LCP: LayerDown
[pptp0] LCP: rec'd Terminate Request #2 (Stopping)
[pptp0] LCP: SendTerminateAck #34
[pptp0] LCP: rec'd Terminate Ack #33 (Stopping)
[pptp0] LCP: state change Stopping --> Stopped
[pptp0] LCP: LayerFinish
pptp0-0: clearing call
pptp0-0: killing channel
[pptp0] PPTP call terminated
[pptp0] link: DOWN event
[pptp0] LCP: Close event
[pptp0] LCP: state change Stopped --> Closed
[pptp0] LCP: Down event
[pptp0] LCP: state change Closed --> Initial
pptp0: closing connection with 212.247.38.166 55553
pptp0: ctrl connection closed by peer
pptp0: killing connection with 212.247.38.166 55553

So here's the problem: the firewall doesn't like the response it gets; it isn't valid for some reason. I'm using the exact same configs as in the working Debian version (same radius, 1.1.7), so in theory these should work just as fine in my Fedora setup, right?

Any clues or tips are greatly appreciated.

thx
p
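The firewall's "No valid RADIUS responses received" is the NAS's verdict after it has checked the Response Authenticator on the Access-Accept the server logs as sent: per RFC 2865 that value is MD5 over the reply header, the original Request Authenticator, the reply attributes and the shared secret, so a reply computed with one secret never verifies under another, and the NAS keeps retransmitting (which is exactly what produces the "Sending duplicate reply" lines on the server side). The following is an added example, not part of the original post or of FreeRADIUS: it implements both RFC 2865 Response Authenticator verification (NAS side) and RFC 2869 Message-Authenticator verification (server side) over constructed packets, using a constructed secret, a fixed Request Authenticator and the user name from the post, so that the two mismatch outcomes can be seen side by side. Which side complains depends on whether the request carried a Message-Authenticator; the attribute is present in the request above, but the example does not claim that a secret mismatch is the cause of this particular failure.

```python
import hashlib
import hmac
import struct

# Constructed values for this example (not taken from the post above).
# In FreeRADIUS the server-side copy is the "secret" of the NAS entry in
# clients.conf; the NAS holds its own copy of the same string.
SERVER_SECRET = b"constructed-secret"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                          # RADIUS codes (RFC 2865)
USER_NAME, FRAMED_PROTOCOL, MESSAGE_AUTHENTICATOR = 1, 7, 80  # attribute types


def encode_attrs(attrs):
    """TLV-encode a list of (type, value-bytes) attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by the attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def iter_attrs(packet):
    """Yield (offset, type, value) for every attribute in a packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        yield pos, t, packet[pos + 2:pos + l]
        pos += l


def response_authenticator(response, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", response[2:4])[0]
    return hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()


def verify_response(response, request_auth, secret):
    """NAS side: a reply is only 'valid' if its authenticator matches the NAS's secret."""
    expected = response_authenticator(response, request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def message_authenticator(packet, secret):
    """RFC 2869 section 5.14: HMAC-MD5 over the packet with Message-Authenticator zeroed."""
    zeroed = bytearray(packet)
    for pos, t, _ in iter_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + 18] = bytes(16)
            break
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()


def build_access_request(ident, request_auth, username, secret, sign=True):
    """NAS side: Access-Request, optionally carrying a Message-Authenticator."""
    attrs = [(USER_NAME, username)]
    if sign:
        attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, filled below
    pkt = bytearray(build_packet(ACCESS_REQUEST, ident, request_auth, attrs))
    if sign:
        mac = message_authenticator(bytes(pkt), secret)
        for pos, t, _ in iter_attrs(bytes(pkt)):
            if t == MESSAGE_AUTHENTICATOR:
                pkt[pos + 2:pos + 18] = mac
    return bytes(pkt)


def verify_request(packet, secret):
    """Server side: a present Message-Authenticator must verify. If it is absent the
    server has nothing to check the secret against and simply processes the request."""
    for _, t, v in iter_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR:
            return hmac.compare_digest(v, message_authenticator(packet, secret))
    return True


def build_access_accept(request, secret):
    """Server side: Access-Accept whose authenticator is computed with the server's secret."""
    body = encode_attrs([(FRAMED_PROTOCOL, struct.pack("!I", 1))])   # Framed-Protocol = PPP
    unsigned = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body)) + bytes(16) + body
    return unsigned[:4] + response_authenticator(unsigned, request[4:20], secret) + body


def exchange(nas_secret, server_secret=SERVER_SECRET, sign_request=True):
    """One round trip; reports which side, if any, refuses the other's packet."""
    request_auth = bytes(range(16))   # constructed; a real NAS uses 16 random bytes
    req = build_access_request(3, request_auth, b"giobbi", nas_secret, sign_request)
    if not verify_request(req, server_secret):
        return "server drops request"
    reply = build_access_accept(req, server_secret)
    if not verify_response(reply, request_auth, nas_secret):
        return "NAS discards reply"
    return "accepted"


if __name__ == "__main__":
    print(exchange(SERVER_SECRET))                         # accepted
    print(exchange(b"other-secret"))                       # server drops request
    print(exchange(b"other-secret", sign_request=False))   # NAS discards reply
```

The same two functions can be pointed at real traffic: take the raw bytes of one Access-Request and the Access-Accept that answers it from a packet capture, pass the request's bytes 4..20 as `request_auth`, and call `verify_response` with the secret from clients.conf. If it returns False while the server logged "Login OK", the NAS will never treat that reply as valid, whatever the users file says.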