pptp + perl + freeradius???

tnt at kalik.net
Wed Nov 18 19:56:25 CET 2009


> Hello, I am using a perl script to authenticate my users for hotspots with
> freeradius.
> I have no problem with it.
> Now I planned to move my existing VPN server to freeradius also.
> Read some howtos about it (with poptop mostly)

Perhaps reading the freeradius documentation, if you are to use freeradius,
would be better? If you read the main README file you could avoid most of
your problems.

> Here is how my perl script works.. When it gets a username/pass it checks
> it via an xml page and if it is correct it adds the username to mysql
> table with auth-type == local parameter.

Which is wrong. Don't add Auth-Type, add the Cleartext-Password.

> When this user tries to log in a second time,
> it just checks the password.

How? You don't have the password stored in the radcheck table.

> So I got Auth-Type parameter for
> users in mysql.

Remove it.

> freeradius:
> rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29,
> length=138
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "7798"
>         MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e
>         MS-CHAP2-Response =
> 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd
>         Calling-Station-Id = ".931"
>         NAS-IP-Address = 192.168.10.213
>         NAS-Port = 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [7798/<no User-Password attribute>] (from client
> localhost port 0 cli .931)
>   Found Post-Auth-Type Reject
>   WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
> requested action.
>
> freeradius config
> server vpn {
>         authorize {
>                 preprocess
>                 files
>                 mschap
>                 update control {
>                         Auth-Type := perl
>                 }
>                 perl
>         }
>
>         authenticate {
>                 Auth-Type MS-CHAP {
>                         mschap
>                 }
>                 Auth-Type Perl {
>                         perl
>                 }
>         }

Freeradius processes the default virtual server by default (it looks like you
have removed that one - why?). You haven't told it to use vpn default
server.

Your plan won't work. You have to know the password in advance to
authenticate users with mschap. You can't extract the password from the
request the first time the user logs in. You can with pap but not with mschap
- that's the whole point of that protocol.

Ivan Kalik
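
The PAP versus MS-CHAP point in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: with PAP the server can undo the RFC 2865 User-Password hiding using the shared secret, while the MS-CHAP2-Response in the quoted debug output carries only a peer challenge and a 24-byte NT-Response (derived from the MD4 hash of the password, RFC 2759), so there is nothing to write into radcheck. The shared secret, authenticator and password are constructed sample values; the MS-CHAP2-Response bytes are the ones from the quoted log.

```python
import hashlib

def _blocks(data: bytes):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS sends as User-Password (RFC 2865 section 5.2)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    out, prev = b"", authenticator
    for block in _blocks(password.ljust(size, b"\x00")):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(block, mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: the same XOR mask gives the cleartext back."""
    out, prev = b"", authenticator
    for block in _blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def parse_mschap2_response(value: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 bytes")
    return {"ident": value[0], "flags": value[1],
            "peer_challenge": value[2:18], "reserved": value[18:26],
            "nt_response": value[26:50]}  # no password field anywhere

# Constructed PAP inputs (not from the post).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
# MS-CHAP2-Response value copied from the debug output quoted in the post.
MSCHAP2 = bytes.fromhex("4400" "6948a59f2dbc8c838083bdea3e846fc3"
                        "0000000000000000"
                        "3f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd")

if __name__ == "__main__":
    hidden = pap_hide(b"hotspot-pass", SECRET, AUTHENTICATOR)
    print("PAP recovered:", pap_recover(hidden, SECRET, AUTHENTICATOR))
    for name, field in parse_mschap2_response(MSCHAP2).items():
        print(name, field if isinstance(field, int) else field.hex())
```
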




More information about the Freeradius-Users mailing list