Hi I got it to work "at least half way", I did change pptpd options from -chap -mschap +mschap-v2 require-mppe TO +chap +mschap +mschap-v2 #require-mppe And in MS Win 7 VPN settings I did set encryption to optional. This way I can connect, see ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4FBCBB330F5000",User-Name = "test"' [acct_unique] Acct-Unique-Session-ID = "6bbdd9f2f808f872". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523 [detail] expand: %t -> Wed May 23 11:25:55 2012 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> test ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 27 to 127.0.0.1 port 50177 Finished request 2. Cleaning up request 2 ID 27 with timestamp +15 Going to the next request Waking up in 4.7 seconds. However when I do try to use MSCHAPV2 in VPN settings or if I do require encryption with appropriate settings in pptpd it fails. Test example : Set in VPN client in Win 7 to require encryption and MSCHAPV2 - "default options" Set pptpd options to : -chap -mschap +mschap-v2 require-mppe I get the following in radius ++[sql] returns ok ++[expiration] returns noop rlm_logintime: Checking Login-Time: 'Al0800-1200' rlm_logintime: timestr returned accept rlm_logintime: Session-Timeout set to: 1200 ++[logintime] returns ok [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 12 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 12 Sending Access-Reject of id 45 to 127.0.0.1 port 60652 Waking up in 4.9 seconds. Cleaning up request 12 ID 45 with timestamp +591 Ready to process requests. In short it works for chap but not mschap, any input please ? Regards On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Hi Thanks again
I did remove Auth-Type entry from DB and error says now
rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds
I am using a pptpd server, it has plugin radius.so plugin radattr.so loaded. The radius client is :
rpm -qa | grep radiusclient radiusclient-ng-utils-0.5.6-3.el5 radiusclient-ng-0.5.6-3.el5
It's radiusclient config is :
auth_order radius login_tries 4 login_timeout 60 nologin /etc/nologin issue /etc/radiusclient/issue authserver localhost:1812 acctserver localhost:1813 servers /etc/radiusclient/servers #dictionary /etc/raddb/dictionary dictionary /usr/share/radiusclient-ng/dictionary login_radius /usr/sbin/login.radius seqfile /var/run/radius.seq mapfile /etc/radiusclient/port-id-map default_realm radius_timeout 10 radius_retries 3 login_local /bin/login
On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
Thanks for your patience so far.
I did edit include sql.conf and only edited authorize to uncomment sql line.
Now I am getting the below.
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
Because you forced Auth-Type := CHAP. Don't do that.
I did try as LOCAL and it says set CHAP, I also tried mschap
It's MUCH better to *understand* what's going on. Trying random changes is terrible.
Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password in this request. Use a RADIUS client that sends a password!
Whatever RADIUS client you're using is broken. Don't use it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*