PPTP + FreeRadius + LDAP

Douglas Macedo dmacedo at gmail.com
Thu Nov 27 21:15:35 CET 2008


Hey,

I copied the dictionary to /etc/radiusclient. But now the connections don't
target the Radius server.

--
epiderme:/etc/radiusclient# ls -l
total 68
-rw-r--r-- 1 root root  6593 2008-11-27 15:02 dictionary
-rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
-rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
-rw-r--r-- 1 root root   646 2008-11-27 14:20 dictionary.merit
-rw-r--r-- 1 root root   599 2008-11-27 14:20 dictionary.merit.BKP
-rwxr-xr-x 1 root root  3639 2008-11-27 14:42 dictionary.microsoft
-rwxr-xr-x 1 root root  2697 2008-11-27 14:20 dictionary.microsoft.BKP
-rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
-rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
-rw-r--r-- 1 root root   508 2008-11-27 13:29 radiusclient.conf
-rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
-rw-r--r-- 1 root root   435 2008-11-27 12:17 radiusclient.conf.LIMPO
-rw------- 1 root root   272 2008-11-24 13:12 servers
--

And included it in the dictionary:

--
epiderme:/etc/radiusclient# cat dictionary | grep INCLUDE
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
--

Now, the pptp log:

--
Nov 27 15:14:32 epiderme pptpd[13058]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: local address = 150.162.67.200
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: remote address = 150.162.67.201
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pppd options file =
/etc/ppp/pptpd-options
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54 control
connection started
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
(type: 1)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a START CTRL CONN RPLY
packet
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 156 bytes to the
client.
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
(type: 7)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Set parameters to 100000000
maxbps, 64 window size
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a OUT CALL RPLY packet
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Starting call (launching pppd,
opening GRE)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pty_fd = 6
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: tty_fd = 7
Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): program binary
= /usr/sbin/pppd
Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): local address =
150.162.67.200
Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): remote address
= 150.162.67.201
Nov 27 15:14:32 epiderme pppd[13059]: Plugin radius.so loaded.
Nov 27 15:14:32 epiderme pppd[13059]: RADIUS plugin initialized.
Nov 27 15:14:32 epiderme pppd[13059]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so
loaded.
Nov 27 15:14:32 epiderme pppd[13059]: pptpd-logwtmp: $Version$
Nov 27 15:14:32 epiderme pppd[13059]: pppd 2.4.4 started by root, uid 0
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 32 bytes to the client.
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
Nov 27 15:14:32 epiderme pppd[13059]: using channel 322
Nov 27 15:14:32 epiderme pppd[13059]: Using interface ppp0
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
(type: 15)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Got a SET LINK INFO packet with
standard ACCMs
Nov 27 15:14:32 epiderme pppd[13059]: Connect: ppp0 <--> /dev/pts/2
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfReq id=0x1 <asyncmap
0x0> <auth chap MS-v2> <magic 0x35f8d0db> <pcomp> <accomp>]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: Bad checksum from pppd.
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #0
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x0 <mru 1400>
<magic 0x31fa2cf6> <pcomp> <accomp> <callback CBCP>]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfRej id=0x0 <callback
CBCP>]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #1
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfAck id=0x1 <asyncmap
0x0> <auth chap MS-v2> <magic 0x35f8d0db> <pcomp> <accomp>]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #2
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x1 <mru 1400>
<magic 0x31fa2cf6> <pcomp> <accomp>]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfAck id=0x1 <mru 1400>
<magic 0x31fa2cf6> <pcomp> <accomp>]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP EchoReq id=0x0
magic=0x35f8d0db]
Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Challenge id=0x43
<8643b88179a03fce2ca15689bf84147b>, name = "pptpd"]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #3
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #4
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #5
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x2
magic=0x31fa2cf6 "MSRASV5.10"]
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x3
magic=0x31fa2cf6 "MSRAS-0-MOLAR"]
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP EchoRep id=0x0
magic=0x31fa2cf6]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #6
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [CHAP Response id=0x43
<318ca3c0e7f2e099a1f93ed8ca10717e00000000000000006b76deecbf9b1bd51ccc27f8183335f703835d5f6589e20400>,
name = "douglas"]
Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 6
Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 7
Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 1
Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 4
Nov 27 15:14:32 epiderme pppd[13059]: Peer douglas failed CHAP
authentication
Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Failure id=0x43 ""]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP TermReq id=0x2
"Authentication failed"]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #7
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP TermAck id=0x2
"Authentication failed"]
Nov 27 15:14:32 epiderme pppd[13059]: Connection terminated.
Nov 27 15:14:32 epiderme pppd[13059]: Exit.
Nov 27 15:14:32 epiderme pptpd[13058]: GRE:
read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error =
Input/output error, usually caused by unexpected termination of pppd, check
option syntax and pppd logs
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: PTY read or GRE write failed
(pty,gre)=(6,7)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Reaping child PPP[13059]
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54 control
connection finished
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Exiting now
Nov 27 15:14:32 epiderme pptpd[13024]: MGR: Reaped child 13058
--

So, the problem persists:

Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 6
Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 7
Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 1
Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 4

And:

Nov 27 15:14:32 epiderme pptpd[13058]: GRE:
read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error =
Input/output error, usually caused by unexpected termination of pppd, check
option syntax and pppd logs
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: PTY read or GRE write failed
(pty,gre)=(6,7)

What do you think? I put the dictionaries here for you to look at:

(dictionary.microsoft)
--

#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#

VENDOR Microsoft 311 Microsoft

ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft

ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft

ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft

ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft

#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft


#
# Integer Translations
#

# MS-BAP-Usage Values

VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2

# MS-ARAP-Password-Change-Reason Values

VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4

# MS-Acct-Auth-Type Values

VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5

# MS-Acct-EAP-Type Values

VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
--

Thanks in advance!

Douglas

On Thu, Nov 27, 2008 at 4:06 PM, Alexandre Chapellon <
alexandre.chapellon at mana.pf> wrote:

>
>
> On 27.11.2008 07:17, Douglas Macedo wrote:
>
> Hey TNT,
>
> On Thu, Nov 27, 2008 at 2:54 PM, <tnt at kalik.net> wrote:
>
>> >I forced the Windows client to use only mschap2, but the problem continues:
>> >
>> >-
>> >Module: Instantiated radutmp (radutmp)
>> >Listening on authentication *:1812
>> >Listening on accounting *:1813
>> >Ready to process requests.
>> >rad_recv: Access-Request packet from host 150.162.67.254:32858, id=109,
>> >length=53
>> >        Service-Type = Framed-User
>> >        Framed-Protocol = PPP
>> >        User-Name = "douglas"
>> >        NAS-IP-Address = 1.1.1.1
>> >        NAS-Port = 0
>>
>>  This has nothing to do with freeradius. I don't see your NAS sending
>> mschap attributes.
>>
>
> How can I fix that? Where do I configure that?
>
>
>>
>> >In PPTP debug show:
>> >
>> ..
>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 11
>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 25
>>
>>  Has your radius client got mschap dictionary?
>>
>
> I'm using the RadiusClient1 from Debian.
>
> --
> epiderme:/etc/radiusclient# ls -l
> total 52
> -rw-r--r-- 1 root root  6502 2008-11-26 13:10 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root   599 2006-10-29 08:54 dictionary.merit
> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root  2630 2008-11-24 15:24 radiusclient.conf
> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw------- 1 root root   272 2008-11-24 13:12 servers
> --
>
>
> Copy the Microsoft dictionary from your freeradius install to your pptp
> server, and add it to the dictionary list.
> Additionally (this may not be related to your problem), having multiple
> require-<protocols> in the pptpd config is nonsense; if you want to enable
> multiple protocols for authentication, use +pap, +chap, +mschap....
> instead of require-...
>
>
>
> --
> epiderme:/etc/radiusclient# cat radiusclient.conf
> auth_order      radius,local
> login_tries     4
> login_timeout   60
> nologin /etc/nologin
> issue   /etc/radiusclient/issue
> authserver      ldap.telemedicina.ufsc.br
> acctserver      ldap.telemedicina.ufsc.br
> servers         /etc/radiusclient/servers
> dictionary      /etc/radiusclient/dictionary
> login_radius    /usr/sbin/login.radius
> seqfile         /var/run/radius.seq
> mapfile         /etc/radiusclient/port-id-map
> default_realm
> radius_timeout  10
> radius_retries  3
> login_local     /bin/login
> --
>
>
> But I didn't find the attributes for MS-CHAP:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep MS-CHAP
> epiderme:/etc/radiusclient# cat dictionary | grep MSCHAP
> epiderme:/etc/radiusclient# cat dictionary | grep mschap
> --
>
> Just to CHAP:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep -i chap
> ATTRIBUTE       CHAP-Password           3       string
> ATTRIBUTE       Chap-Challenge          60      string
> --
>
> Is that correct?
>
> No, you need MS-CHAP attributes.
>
>
> Thanks a lot in advance,
> Douglas
>
>
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> Douglas Macedo
> dmacedo at gmail.com
> --
> An individual's intelligence is measured by the amount of uncertainty he
> is able to bear.
> (Immanuel Kant)
>
>



-- 
Douglas Macedo
dmacedo at gmail.com
--
An individual's intelligence is measured by the amount of uncertainty he
is able to bear.
(Immanuel Kant)
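An added example, not code from this thread or from radiusclient/pppd: a small Python checker that parses radiusclient-style dictionary files (ATTRIBUTE, VENDOR and INCLUDE lines, in the column layout of the dictionary.microsoft file quoted above) and maps the codes in pppd's `rc_avpair_new: unknown attribute N` lines to the dictionary entries that should define them, so one can see whether the missing codes are standard RADIUS attributes or vendor ones. The sample dictionary text and log lines are constructed; the INCLUDE handling and the reading of the fifth column as the vendor name are assumptions about the format, not verified against the radiusclient source.

```python
"""Added example (not from the thread or from radiusclient/pppd): parse
radiusclient-style dictionaries and map pppd's unknown attribute codes."""
import re
# Constructed sample: a base dictionary that INCLUDEs a vendor file written in
# the five-column "ATTRIBUTE name code type Vendor" layout of dictionary.microsoft.
SAMPLE_FILES = {
    "/etc/radiusclient/dictionary": (
        "ATTRIBUTE User-Name 1 string\n"
        "ATTRIBUTE NAS-IP-Address 4 ipaddr\n"
        "ATTRIBUTE Service-Type 6 integer\n"
        "ATTRIBUTE Framed-Protocol 7 integer\n"
        "INCLUDE /etc/radiusclient/dictionary.microsoft\n"),
    "/etc/radiusclient/dictionary.microsoft": (
        "VENDOR Microsoft 311 Microsoft\n"
        "ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft\n"
        "ATTRIBUTE MS-CHAP2-Response 25 string Microsoft\n"),
}
SAMPLE_LOG = [  # constructed pppd lines in the format quoted in the thread
    "Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 6",
    "Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 7",
    "Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 1",
    "Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 4",
]
UNKNOWN_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")

def load_dictionary(path, files, vendors=None):
    """Return {(vendor_id, code): name}; vendor_id 0 = standard RADIUS attribute."""
    vendors = {} if vendors is None else vendors   # shared across INCLUDEd files
    attrs = {}
    for raw in files[path].splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not fields:
            continue
        kw = fields[0].upper()
        if kw == "INCLUDE" and len(fields) >= 2:
            attrs.update(load_dictionary(fields[1], files, vendors))
        elif kw == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = int(fields[2])
        elif kw == "ATTRIBUTE" and len(fields) >= 4:
            vendor_id = vendors.get(fields[4], 0) if len(fields) >= 5 else 0
            attrs[(vendor_id, int(fields[2]))] = fields[1]
    return attrs

def unknown_codes(log_lines):
    """Distinct attribute codes pppd reported as unknown, ascending."""
    return sorted({int(m.group(1)) for m in map(UNKNOWN_RE.search, log_lines) if m})

def resolve(code, attrs):
    """Dictionary names carrying this code, keyed by vendor id (0 = standard)."""
    return {vendor: name for (vendor, aid), name in attrs.items() if aid == code}
```

Run against the real files by replacing SAMPLE_FILES with a mapping read from /etc/radiusclient; codes that resolve only under vendor 0 must be supplied by the base dictionary, not by dictionary.microsoft.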