Hello, I am using a perl script to authenticate my users for hotspots with freeradius. I got no problem regarding to it. Now i planned to move my existing vpn server to freeradius also.. Read some howtos about it (with poptop mostly)
Perhaps reading freeradius documentation if you are to use freeradius would be better? If you read the main README file you could avoid most of your problems.
The documents i mentioned above was about pptp installation not freeradius itself. Sure i read docs about freeradius also. Even your main README file.!!
Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter.
Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
It was for my perl module. Which seems unnecessary for mschaps as i see. So i already removed it.
When second time this user tries to login it just checks the password.
How? You don't have password stored in radcheck table.
To make it clear.. My users passwords are stored in another system. So practically i got no chance to have them on mysql of freeradius. Thats why in my previous system (which still works for hotspot authentications) I was using a perl module to connect to an xml service and check if the username/password is correct (I was just sending usrname/password couple and the answer is returning as ok or not.), and if it is ok, add the username/ name/email address and other informational knowledges of the user to a mysql table which is not relative to our subject now. And everytime user logs on, that perl script checks for the password again via xml page. So i got no passwords in mysql at all.
So I got Auth-Type parameter for users in mysql.
Remove it.
freeradius: rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29, length=138 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "7798" MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e MS-CHAP2-Response = 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd Calling-Station-Id = ".931" NAS-IP-Address = 192.168.10.213 NAS-Port = 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [7798/<no User-Password attribute>] (from client localhost port 0 cli .931) Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
freeradius config server vpn { authorize { preprocess files mschap update control { Auth-Type := perl } perl }
authenticate {
Auth-Type MS-CHAP { mschap } Auth-Type Perl { perl } }
Freeradius processes default virtual server by default (it looks like you have removed that one - why?). You haven't told it to use vpn default server.
There were some other virtual servers running on that freeradius server, Just removed them for my test purposes. So nothing special about removing default server.
Your plan won't work. You have to know the password in advance to authenticate users with mschap. You can't extract the password from the request when user first time logs in. You can with pap but not with mschap - that's the whole point of that protocol.
So as i understand, the only way that mschap works is to keep username/passwords on mysql (or file) right? I can not use perl module to return a "user is ok" msg and make it work.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html