<div dir="ltr">Hi<div>I got it to work "at least half way", I did change pptpd options from </div><div><br></div><div><br></div><div><div>-chap</div><div>-mschap</div><div>+mschap-v2</div><div>require-mppe</div></div>
<div><div><br></div><div>TO</div><div><br></div><div>+chap</div><div>+mschap</div><div>+mschap-v2</div><div>#require-mppe</div><div><br></div><div>And in MS Win 7 VPN settings I did set encryption to optional. This way I can connect, see </div>
<div><br></div><div><div>++[preprocess] returns ok</div><div>[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4FBCBB330F5000",User-Name = "test"'</div>
<div>[acct_unique] Acct-Unique-Session-ID = "6bbdd9f2f808f872".</div><div>++[acct_unique] returns ok</div><div>[suffix] No '@' in User-Name = "test", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div><div>++[files] returns noop</div><div># Executing section accounting from file /etc/raddb/sites-enabled/default</div><div>+- entering group accounting {...}</div><div>[detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1</div>
<div>[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523</div>
<div>[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523</div>
<div>[detail] expand: %t -> Wed May 23 11:25:55 2012</div><div>++[detail] returns ok</div><div>++[unix] returns ok</div><div>[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp</div><div>
[radutmp] expand: %{User-Name} -> test</div><div>++[radutmp] returns ok</div><div>++[exec] returns noop</div><div>[attr_filter.accounting_response] expand: %{User-Name} -> test</div><div>attr_filter: Matched entry DEFAULT at line 12</div>
<div>++[attr_filter.accounting_response] returns updated</div><div>Sending Accounting-Response of id 27 to 127.0.0.1 port 50177</div><div>Finished request 2.</div><div>Cleaning up request 2 ID 27 with timestamp +15</div>
<div>
Going to the next request</div><div>Waking up in 4.7 seconds.</div></div><div><br></div><div><br></div><div>However when I do try to use MSCHAPV2 in VPN settings or if I do require encryption with appropriate settings in pptpd it fails.</div>
<div><br></div><div>Test example :</div><div><br></div><div>Set in VPN client in Win 7 to require encryption and MSCHAPV2 - "default options"</div><div>Set pptpd options to :</div><div><div>-chap</div><div>-mschap</div>
<div>+mschap-v2</div><div>
require-mppe</div></div><div><br></div><div>I get the following in radius</div><div><br></div><div><div>++[sql] returns ok</div><div>++[expiration] returns noop</div><div>rlm_logintime: Checking Login-Time: 'Al0800-1200'</div>
<div>rlm_logintime: timestr returned accept</div><div>rlm_logintime: Session-Timeout set to: 1200</div><div>++[logintime] returns ok</div><div>[pap] No clear-text password in the request. Not performing PAP.</div><div>++[pap] returns noop</div>
<div>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</div><div>!!! Replacing User-Password in config items with Cleartext-Password. !!!</div><div>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</div>
<div>!!! Please update your configuration so that the "known good" !!!</div><div>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!</div><div>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</div>
<div>WARNING: Please update your configuration, and remove 'Auth-Type = Local'</div><div>WARNING: Use the PAP or CHAP modules instead.</div><div>No User-Password or CHAP-Password attribute in the request.</div><div>
Cannot perform authentication.</div><div>Failed to authenticate the user.</div><div>Using Post-Auth-Type Reject</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group REJECT {...}</div>
<div>[attr_filter.access_reject] expand: %{User-Name} -> test</div><div>attr_filter: Matched entry DEFAULT at line 11</div><div>++[attr_filter.access_reject] returns updated</div><div>Delaying reject of request 12 for 1 seconds</div>
<div>Going to the next request</div><div>Waking up in 0.9 seconds.</div><div>Sending delayed reject for request 12</div><div>Sending Access-Reject of id 45 to 127.0.0.1 port 60652</div><div>Waking up in 4.9 seconds.</div>
<div>Cleaning up request 12 ID 45 with timestamp +591</div><div>Ready to process requests.</div></div><div><br></div><div>In short, it works for chap but not mschap. Any input, please?</div><div><br></div><div>Regards</div>
<div><br></div><div><br></div><div><br></div><div><br></div></div><div><div class="gmail_quote">On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <span dir="ltr"><<a href="mailto:ali.jawad@splendor.net" target="_blank">ali.jawad@splendor.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi<div>Thanks again</div><div><br></div><div>I did remove Auth-Type entry from DB and error says now </div>
<div><br></div><div><div><div>rlm_sql (sql): Released sql socket id: 4</div><div>++[sql] returns ok</div>
<div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</div><div>++[pap] returns noop</div>
</div><div><div>ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user</div></div><div><div>Failed to authenticate the user.</div><div>Using Post-Auth-Type Reject</div><div>
# Executing group from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> test</div><div>attr_filter: Matched entry DEFAULT at line 11</div><div>++[attr_filter.access_reject] returns updated</div>
<div>Delaying reject of request 0 for 1 seconds</div><div><br></div></div><div>I am using a pptpd server, it has plugin radius.so plugin radattr.so loaded. The radius client is :</div><div><br></div><div><div>rpm -qa | grep radiusclient</div>
<div>radiusclient-ng-utils-0.5.6-3.el5</div><div>radiusclient-ng-0.5.6-3.el5</div></div><div><br></div><div>Its radiusclient config is:</div><div><br></div><div><div>auth_order radius</div><div>login_tries 4</div>
<div>login_timeout 60</div><div>nologin /etc/nologin</div><div>issue /etc/radiusclient/issue</div><div>authserver localhost:1812</div><div>acctserver localhost:1813</div><div>servers /etc/radiusclient/servers</div>
<div>#dictionary /etc/raddb/dictionary</div><div>dictionary /usr/share/radiusclient-ng/dictionary</div><div>login_radius /usr/sbin/login.radius</div><div>seqfile /var/run/radius.seq</div><div>mapfile /etc/radiusclient/port-id-map</div>
<div>default_realm</div><div>radius_timeout 10</div><div>radius_retries 3</div><div>login_local /bin/login</div></div><div><div><br><div class="gmail_quote">On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Ali Jawad wrote:<br>
> Thanks for your patience so far.<br>
><br>
> I did edit include sql.conf and only edited authorize to uncomment sql line.<br>
><br>
> Now I am getting the below.<br>
><br>
> [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not<br>
> contain a CHAP-Password attribute!<br>
<br>
</div> Because you forced Auth-Type := CHAP. Don't do that.<br>
<div><br>
> I did try as LOCAL and it says set CHAP, I also tried mschap<br>
<br>
</div> It's MUCH better to *understand* what's going on. Trying random<br>
changes is terrible.<br>
<div><br>
> Listening on proxy address * port 1814<br>
> Ready to process requests.<br>
> rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0,<br>
> length=67<br>
> Service-Type = Framed-User<br>
> Framed-Protocol = PPP<br>
> User-Name = "test"<br>
> Calling-Station-Id = "xxxxxxxx"<br>
> NAS-IP-Address = 127.0.0.1<br>
> NAS-Port = 0<br>
<br>
</div> There's no password in this request. Use a RADIUS client that sends a<br>
password!<br>
<br>
Whatever RADIUS client you're using is broken. Don't use it.<br>
<span><font color="#888888"><br>
Alan DeKok.<br>
</font></span><div><div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><div>-- <br><div dir="ltr"><font><font color="#888888"><b>Ali Jawad<br></b></font></font><div><div><font><font color="#888888"><b>Information Systems Manager</b></font></font></div>
<div><font><font color="#888888"><b>Splendor Telecom <span>(</span><span style="background-color:rgb(51,51,255);color:rgb(51,102,255)"><a href="http://www.splendor.net/" target="_blank"><span style="background-color:rgb(255,255,255)"><font color="#3366ff">www.splendor.net</font></span></a></span><span>)</span><br>
Beirut, Lebanon<br>Phone: +9611373725/ext 116<br>FAX: +9611375554</b></font></font><div><div></div></div></div></div></div><br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font><font color="#888888"><b>Ali Jawad<br></b></font></font><div><div><font><font color="#888888"><b>Information Systems Manager</b></font></font></div>
<div><font><font color="#888888"><b>Splendor Telecom <span style>(</span><span style="background-color:rgb(51,51,255);color:rgb(51,102,255)"><a href="http://www.splendor.net/" target="_blank"><span style="background-color:rgb(255,255,255)"><font color="#3366ff">www.splendor.net</font></span></a></span><span style>)</span><br>
Beirut, Lebanon<br>Phone: +9611373725/ext 116<br>FAX: +9611375554</b></font></font><div><div></div></div></div></div></div><br>
</div></div>