On 6/27/05, Alan DeKok <aland@ox.org> wrote:
Roberto Greiner <mrgreiner@gmail.com> wrote:
Problem: Windows sends the user info as a Chap challenge, and as a result the Freeradius server reports that the user request came with no password. Did somebody face a similiar problem? Can someone helpme/point in the right direction?
The problem isn't that the request doesn't contain a password. The problem is that the user is rejected.
Run the server in debug mode to see why.
Alan DeKok.
Ok. I ran the server in debug mode, but it still says that the request is comming without Password. Specifically, the message says: "auth: No User-Password or CHAP-Password attribute in the request". The full log: ---------------------------------------------------------------- rad_recv: Access-Request packet from host 127.0.0.1:32799, id=180, length=66 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "teste" Calling-Station-Id = "aa.bb.cc.dd" NAS-IP-Address = ee.ff.gg.hh NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "teste", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 radius_xlat: 'teste' rlm_sql (sql): sql_set_user escaped user --> 'teste' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'teste' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'teste' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'teste' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'teste' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [teste/<no User-Password attribute>] (from client localhost port 0 cli aa.bb.cc.dd) Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 180 to 127.0.0.1:32799 Waking up in 7 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 180 with timestamp 42c2a106 Nothing to do. Sleeping until we see a request. ---------------------------------------------------------------- in radius.conf, mschap part is as follows: mschap { authtype = MS-CHAP use_mppe = yes #require_encryption = yes require_strong = yes #with_ntdomain_hack = no #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } In the mysql radcheck table, I tried both 'Password' and 'CHAP-Password' as attributes, with no diference at all in the result In the windows box, for authentication, I left enabled in the security menu, the options 'CHAP Protocol', 'Microsoft CHAP' and 'Microsoft CHAP version 2 (MS-CHAP v2)'. One possibility I see is that there may be some wrong configuration in my radius.conf, since the log is saying "modcall[authorize]: module "mschap" returns noop for request 3". Shouldn't it say "returns ok" or something like that? Thank you, Marcos Roberto