Le 26.11.2008 09:32, Douglas Macedo a écrit :
Alexandre,

if I try mschapv2 in Windons client:

--
rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46, length=52
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "nobody"
    NAS-IP-Address = 1.1.1.1
    NAS-Port = 0

Did you truncated the Access-request before posting???.... there is no information about CHAP chalenge so there is no way freeradius can handle with rlm_chap...

Additionnally your pptp config seems strange to me....
You *REQUIRE* chap + mschap + mschapv2!!! Shouldn't a requirement be uniq? I would just keep require mschapv2 (and so force win client to use it)
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry DEFAULT at line 198
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nobody
radius_xlat:  '(&(objectClass=posixAccount)(uid=nobody))'
radius_xlat:  'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to ldap.telemedicina.ufsc.br:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br, with filter (&(objectClass=posixAccount)(uid=nobody))
rlm_ldap: Password header not found in password 5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNtPassword as NT-Password, value 5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
rlm_ldap: Adding sambaLmPassword as LM-Password, value 89E0B38AC380D2B8AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: No clear-text password in the request.  Not performing PAP.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [nobody] (from client access-vpn port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--

Any idea?

Thanks in advanced,
Douglas

On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon <alexandre.chapellon@mana.pf> wrote:
trying forcing windows pptp client to use mschapv2

Le 26.11.2008 09:15, Douglas Macedo a écrit :
Sorry Alan,

but the webpage tells that its don't work. Its impossible? Correct?

So, how I can fix that the other way?

My pptp-options:

==
epiderme:/etc/ppp# cat pptpd-options
name pptpd
refuse-pap
##refuse-chap
require-chap
##refuse-mschap
require-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
debug
lock
nobsdcomp
plugin radius.so
#plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
auth
==

And my radiusd.conf:

==
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp    = no
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = no
                require_strong = no
                with_ntdomain_hack = yes
        }
        ldap {
                server = "ldap.telemedicina.ufsc.br"
                identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
                password = "XXXXXXX"
                basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
                filter = "(&(objectClass=posixAccount)(uid=%u))"

                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_header = "{Cleartext-Password}"
                password_attribute = sambaNTPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 150.162.67.201
                range-stop = 150.162.67.220
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
        files
        ldap
        chap
        mschap
        suffix
        #eap
        pap
}
authenticate {
         Auth-Type PAP {
                pap
         }
        Auth-Type LDAP {
                ldap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        #eap
}
preacct {
        preprocess
        #acct_unique
        #files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
        #main_pool
        #ldap
}
pre-proxy {
}
post-proxy {
        #eap
}
==

I apreciate your help.

Thanks a lot,
Douglas

On Wed, Nov 26, 2008 at 5:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
Douglas Macedo wrote:
> how I can fix that?

 Read the web page.  It tells you.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Douglas Macedo
dmacedo@gmail.com
--
Avalia-se a inteligência de um indivíduo pela quantidade de incertezas que ele é capaz de suportar.
(Immanuel Kant)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Douglas Macedo
dmacedo@gmail.com
--
Avalia-se a inteligência de um indivíduo pela quantidade de incertezas que ele é capaz de suportar.
(Immanuel Kant)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html