Freeradius with LDAP backend for pptpd (via MS-CHAP)

Peter Lambrechtsen plambrechtsen at gmail.com
Thu Jul 8 23:00:07 CEST 2010


Why not set up your NAS to use PAP instead of MS-CHAP?

If you use MS-CHAP you will need to have NT hashes in your LDAP directory.

It would be far easier to have PAP authentication enabled on your NAS; then
it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes <dgomes at ipfn.ist.utl.pt> wrote:

> Dear list,
>
> I know this is a question which has been thoroughly asked and answered,
> but after spending several days configuring, debugging, searching the
> internet, re-configuring, etc., I still can't get my freeradius server
> to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know is not your
> "jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
> require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
> authorize {
>        preprocess
>
>        pap
>
>        mschap
>
>        ldap
>
>        auth_log
>
>        eap {
>                ok = return
>        }
>
>        expiration
>        logintime
> }
>
> authenticate {
>        Auth-Type PAP {
>                pap
>        }
>
>        Auth-Type MS-CHAP {
>                mschap
>        }
>
>        Auth-Type LDAP {
>                ldap
>        }
>
>        eap
> }
>
> My modules/ldap contains all the necessary information, and my
> modules/mschap has the options use_mppe, require_encryption and
> require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc.), but through
> pptpd it always fails with this error:
>
> ----------------
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
> length=151
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        User-Name = "dgomes"
>        MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>        MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a000000000000000002a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
>        Calling-Station-Id = "193.136.136.200"
>        NAS-IP-Address = 193.136.136.40
>        NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [ldap] performing user authorization for dgomes
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>        expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>        expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
> rlm_ldap: bind as
> cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
> gold.ipfn.ist.utl.pt:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
> with filter (cn=dgomes)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user dgomes authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>        expand:
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
> %m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> [auth_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
> to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>        expand: %t -> Thu Jul  8 14:08:34 2010
> ++[auth_log] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
>        expand: %{User-Name} -> dgomes
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
>
> ------------------
>
> I know that the error should be enough for me to fix it (since it's
> quite explanatory), but after trying many different configurations and
> searching through dozens of old mailing lists posts, I still haven't
> managed it...
>
> So yeah, if you could help me out, I'd appreciate it! All I want is
> pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP
> is not even a requirement for me here, since both services are on the
> same machine, so there's not even the need for safe connections. So long
> as it works, I really don't care about any particular configuration!
>
> Thanks in advance,
> Daniel Gomes
>
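The log above ("No Cleartext-Password configured. Cannot create NT-Password" followed by "No NT/LM-Password. Cannot perform authentication") is the whole problem in two lines, and the short script below, an added example that is not part of the thread and not FreeRADIUS code, shows why Peter's advice is the easy fix. MS-CHAPv2 is a challenge/response exchange: the RADIUS server never sees the password, so it must already hold the user's NT hash (unsalted MD4 over the UTF-16LE password) or a cleartext password it can turn into one. A directory that stores only a salted `{SSHA}` `userPassword` cannot supply that, whereas PAP hands the cleartext password to the server, which can re-hash it with the stored salt exactly as rlm_pap does. The LDAP entries, the `cn=dgomes` name, the salt and the passwords are constructed for the example; the MD4 routine is written out because `hashlib.new('md4')` needs the OpenSSL legacy provider on newer systems.

```python
# Added example, not from the mailing-list thread: which RADIUS auth methods
# an LDAP entry can support, depending on how its password is stored.
import base64
import hashlib
import hmac
import os
import struct


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python; hashlib may lack md4 on modern OpenSSL)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap needs it: unsalted MD4 over UTF-16LE."""
    return _md4(password.encode("utf-16-le"))


def ssha_hash(password: str, salt=None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """The PAP path: re-hash the cleartext password with the stored salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def supported_auth_types(entry: dict) -> dict:
    """Given the attributes the ldap module would read for a user, report which
    authentication methods the RADIUS server could actually complete."""
    user_pw = entry.get("userPassword", [])
    # Any hashed or cleartext userPassword is enough for PAP: the NAS forwards
    # the cleartext password and the server re-hashes it for comparison.
    pap = bool(user_pw)
    # MS-CHAPv2 only yields a challenge/response, so the server needs the NT
    # hash already, or a cleartext password from which it can compute one.
    cleartext = [p for p in user_pw if not p.startswith("{") or p.lower().startswith("{clear}")]
    nt = entry.get("sambaNTPassword", []) or entry.get("ntPassword", [])
    return {"PAP": pap, "MS-CHAPv2": bool(nt or cleartext)}


# Constructed sample entries (cn=dgomes is the name from the log's search filter).
SSHA_ONLY_ENTRY = {"cn": ["dgomes"],
                   "userPassword": [ssha_hash("correct horse", b"s4lt")]}
NT_HASH_ENTRY = {"cn": ["dgomes"],
                 "userPassword": [ssha_hash("correct horse", b"s4lt")],
                 "sambaNTPassword": [nt_hash("correct horse").hex().upper()]}

if __name__ == "__main__":
    for name, entry in (("SSHA only", SSHA_ONLY_ENTRY), ("SSHA + sambaNTPassword", NT_HASH_ENTRY)):
        print(f"{name:24s} -> {supported_auth_types(entry)}")
    print("NT hash of 'password':", nt_hash("password").hex())
```

Two practical notes follow from this. First, if MS-CHAPv2 is kept, the directory has to carry an NT hash attribute that the ldap module maps to `NT-Password`; that attribute is unsalted and password-equivalent, so directory ACLs should limit it to the bind DN the RADIUS server uses. Second, switching pptpd to PAP means the password travels from the NAS to the RADIUS server hidden only by the RADIUS shared secret, which is acceptable on a loopback setup like the one in the log, but PPTP's MPPE keys are derived from the MS-CHAP exchange, so `require-mppe` cannot be satisfied with PAP alone.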