W dniu 2011-12-01 23:51, James J J Hooper pisze:
On 01/12/2011 22:41, Piotr wrote:
This is debug from l2tp/ipsec connection:
CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
[chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available):
and here is debug from working connection for sslvpn:
User-Password = "bd8d9a"
[MOTP] expand: %{User-Password} -> bd8d9a
Exec-Program: returned: 0 ++[MOTP] returns ok Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13)
If you want FR to handle the CHAP for you:
[chap] Cleartext-Password is required for authentication
If FR doesn't know the correct password, you can't expect it to do CHAP. Change things so FR knows the password, or do plain text authn as per your first scenario.
I changed type of authentication,on cisco asa, to PAP: ASA(config)# sh run all | begin tunnel-group l2tp-ipsec ppp-attributes tunnel-group l2tp-ipsec ppp-attributes authentication pap no authentication chap no authentication ms-chap-v1 no authentication ms-chap-v2 no authentication eap-proxy but i don't know why i stil get on FR: rad_recv: Access-Request packet from host 10.62.1.1 port 1025, id=85, length=136 User-Name = "tom3" CHAP-Password = 0x01ccbbe398364421101d8b50e4cb59a46e NAS-Port = 6275072 Service-Type = Framed-User Framed-Protocol = PPP CHAP-Challenge = 0x864b681ad0fc9cbd87668f9d51a638eb9a69cda6dabbf6f2e0b7147fe8d17afc2ea401ba44cf8e7d18802e Tunnel-Client-Endpoint:0 = "13.176.76.66" NAS-IP-Address = 10.62.1.1 NAS-Port-Type = Virtual +- entering group authorize {...} ++[preprocess] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "tom3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'popo3' '' '' '' '' [files] users: Matched entry tom3 at line 5 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. FR try to authenticate via CHAP. I don't understand this, i'm little confused thanks for an advice kindly regards Piotr