Alexandre, if I try mschapv2 in Windons client: -- rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46, length=52 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "nobody" NAS-IP-Address = 1.1.1.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 users: Matched entry DEFAULT at line 198 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for nobody radius_xlat: '(&(objectClass=posixAccount)(uid=nobody))' radius_xlat: 'ou=Users,dc=telemedicina,dc=ufsc,dc=br' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to ldap.telemedicina.ufsc.br:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br, with filter (&(objectClass=posixAccount)(uid=nobody)) rlm_ldap: Password header not found in password 5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody rlm_ldap: looking for check items in directory... rlm_ldap: Adding sambaNtPassword as NT-Password, value 5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21 rlm_ldap: Adding sambaLmPassword as LM-Password, value 89E0B38AC380D2B8AAD3B435B51404EE & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user nobody authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_ldap: looking for reply items in directory... rlm_ldap: user nobody authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: No clear-text password in the request. Not performing PAP. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [nobody] (from client access-vpn port 0) Delaying request 1 for 1 seconds Finished request 1 Going to the next request -- Any idea? Thanks in advanced, Douglas On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon < alexandre.chapellon@mana.pf> wrote:
trying forcing windows pptp client to use mschapv2
Le 26.11.2008 09:15, Douglas Macedo a écrit :
Sorry Alan,
but the webpage tells that its don't work. Its impossible? Correct?
So, how I can fix that the other way?
My pptp-options:
== epiderme:/etc/ppp# cat pptpd-options name pptpd refuse-pap ##refuse-chap require-chap ##refuse-mschap require-mschap require-mschap-v2 require-mppe-128 proxyarp nodefaultroute debug lock nobsdcomp plugin radius.so #plugin radattr.so radius-config-file /etc/radiusclient/radiusclient.conf auth ==
And my radiusd.conf:
== prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } mschap { authtype = MS-CHAP use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes } ldap { server = "ldap.telemedicina.ufsc.br" identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br" password = "XXXXXXX" basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br" filter = "(&(objectClass=posixAccount)(uid=%u))"
start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_header = "{Cleartext-Password}" password_attribute = sambaNTPassword timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 150.162.67.201 range-stop = 150.162.67.220 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess files ldap chap mschap suffix #eap pap } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix #eap } preacct { preprocess #acct_unique #files } accounting { detail unix radutmp } session { radutmp } post-auth { #main_pool #ldap } pre-proxy { } post-proxy { #eap } ==
I apreciate your help.
Thanks a lot, Douglas
On Wed, Nov 26, 2008 at 5:04 PM, Alan DeKok <aland@deployingradius.com>wrote:
Douglas Macedo wrote:
how I can fix that?
Read the web page. It tells you.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Douglas Macedo dmacedo@gmail.com -- Avalia-se a inteligência de um indivíduo pela quantidade de incertezas que ele é capaz de suportar. (Immanuel Kant)
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Douglas Macedo dmacedo@gmail.com -- Avalia-se a inteligência de um indivíduo pela quantidade de incertezas que ele é capaz de suportar. (Immanuel Kant)