Greetings! I've been struggling to get PPTP authenticating through my freeradius server through to my LDAP server. I've got Fedora Directory Server as my LDAP database and I've configured freeradius according to the instructions I found for OpenLDAP (yes, this could be part of the problem but I didn't see anything specific to FDS). I've got authentication working via radtest, e.g. rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56 User-Name = "joey" User-Password = "xxxxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for joey rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.example.net:389, authentication 0 rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "joey" with password "xxxxxxxx" rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net rlm_ldap: (re)connect to ldap.example.net:389, authentication 1 rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user joey authenticated succesfully Login OK: [joey/xxxxxxx] (from client el-oso port 0) Sending Access-Accept of id 116 to 172.33.100.18:32811 So that tells me that I've got the communication to my LDAP server properly configured. However when my PPTP server sends authentication requests to my radius server, I always get "Login incorrect: [joey/<no User-Password attribute>]" For example: rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "joey" MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6 MS-CHAP2-Response = 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442 Calling-Station-Id = "67.41.208.129" NAS-Identifier = "pptp" NAS-Port = 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for joey rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 67.41.208.129) Sending Access-Reject of id 15 to 71.39.18.170:32784 I have no idea where to troubleshoot this at this point. The usual suspects seem to be properly configured (ldap.attrmap, clients.conf, radiusd.conf and users). Anybody have thoughts? Thanks. --joey
Whoops.. sent that from my wrong account.. trying again :) Greetings! I've been struggling to get PPTP authenticating through my freeradius server through to my LDAP server. I've got Fedora Directory Server as my LDAP database and I've configured freeradius according to the instructions I found for OpenLDAP (yes, this could be part of the problem but I didn't see anything specific to FDS). I've got authentication working via radtest, e.g. rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56 User-Name = "joey" User-Password = "xxxxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for joey rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.example.net:389, authentication 0 rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "joey" with password "xxxxxxxx" rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net rlm_ldap: (re)connect to ldap.example.net:389, authentication 1 rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user joey authenticated succesfully Login OK: [joey/xxxxxxx] (from client el-oso port 0) Sending Access-Accept of id 116 to 172.33.100.18:32811 So that tells me that I've got the communication to my LDAP server properly configured. However when my PPTP server sends authentication requests to my radius server, I always get "Login incorrect: [joey/<no User-Password attribute>]" For example: rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "joey" MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6 MS-CHAP2-Response = 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442 Calling-Station-Id = "67.41.208.129" NAS-Identifier = "pptp" NAS-Port = 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for joey rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 67.41.208.129) Sending Access-Reject of id 15 to 71.39.18.170:32784 I have no idea where to troubleshoot this at this point. The usual suspects seem to be properly configured (ldap.attrmap, clients.conf, radiusd.conf and users). Anybody have thoughts? Thanks. --joey
Joey McDonald wrote:
I've got authentication working via radtest, e.g.
rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56 User-Name = "joey" User-Password = "xxxxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for joey rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.example.net:389, authentication 0 rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21
The line above looks wrong, but it never ends up being a problem because...
rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0
...during authenticate...
rlm_ldap: - authenticate rlm_ldap: login attempt by "joey" with password "xxxxxxxx" rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net rlm_ldap: (re)connect to ldap.example.net:389, authentication 1 rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user joey authenticated succesfully
...auth-type == LDAP and an LDAP simple bind is done to answer the PAP request from radtest. This ONLY works with PAP because an LDAP simple bind needs the plaintext password.
Login OK: [joey/xxxxxxx] (from client el-oso port 0) Sending Access-Accept of id 116 to 172.33.100.18:32811
So that tells me that I've got the communication to my LDAP server properly configured.
However when my PPTP server sends authentication requests to my radius server, I always get "Login incorrect: [joey/<no User-Password attribute>]"
Since it's a PPTP server you are almost certainly going to be using MS-CHAP, which requires either: 1. The NT password hash to be in LDAP and readable by FreeRadius 2. The plaintext password to be in LDAP and readable 3. Samba, domain membership, winbind and the ntlm_auth plugin option for the mschap module
For example:
rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "joey" MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6 MS-CHAP2-Response = 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442 Calling-Station-Id = "67.41.208.129" NAS-Identifier = "pptp" NAS-Port = 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for joey rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21
The line directly above looks wrong - value "{" ? So you've probably got a crypted password in LDAP, which you won't be able to do MS-CHAP from (unless the "crypt" happens to be "{nt}32bytes")
rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 67.41.208.129) Sending Access-Reject of id 15 to 71.39.18.170:32784
I have no idea where to troubleshoot this at this point. The usual suspects seem to be properly configured (ldap.attrmap, clients.conf, radiusd.conf and users). Anybody have thoughts? Thanks.
--joey
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Phil, Thanks for the response.
rlm_ldap: Adding userPassword as User-Password, value { & op=21
The line above looks wrong, but it never ends up being a problem because...
rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0
...during authenticate...
Sure, I don't think that FDS has the radius extensions yet although I've created an ldif to add them if needed but in the mean time I've just commented out: access_attr = "dialupAccess" because I want all my users to be able to use the VPN.
rlm_ldap: - authenticate
rlm_ldap: login attempt by "joey" with password "xxxxxxxx" rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net rlm_ldap: (re)connect to ldap.example.net:389, authentication 1 rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user joey authenticated succesfully
...auth-type == LDAP and an LDAP simple bind is done to answer the PAP request from radtest. This ONLY works with PAP because an LDAP simple bind needs the plaintext password.
Login OK: [joey/xxxxxxx] (from client el-oso port 0) Sending Access-Accept of id 116 to 172.33.100.18:32811
So that tells me that I've got the communication to my LDAP server properly configured.
However when my PPTP server sends authentication requests to my radius server, I always get "Login incorrect: [joey/<no User-Password attribute>]"
Since it's a PPTP server you are almost certainly going to be using MS-CHAP, which requires either:
1. The NT password hash to be in LDAP and readable by FreeRadius 2. The plaintext password to be in LDAP and readable 3. Samba, domain membership, winbind and the ntlm_auth plugin option for the mschap module
Well, I'm not using windows systems at all - I've got OSX clients and a linux-based PPTP server. The passwords are stored as SSHA in my LDAP directory. That finally makes sense as to why radtest works, so thanks! My next question is, what Auth-Type should I be using for SSHA's stored in an LDAP directory. Clearly LDAP isn't going to be it if it doesn't support decrypting passwords and I don't wish to store passwords in plain text in the directory.
Joey McDonald <jmcdice@gmail.com> wrote:
Well, I'm not using windows systems at all - I've got OSX clients and a linux-based PPTP server. The passwords are stored as SSHA in my LDAP directory. That finally makes sense as to why radtest works, so thanks!
And it explains why MS-CHAP will never work. It's *impossible*.
My next question is, what Auth-Type should I be using for SSHA's stored in an LDAP directory. Clearly LDAP isn't going to be it if it doesn't support decrypting passwords and I don't wish to store passwords in plain text in the directory.
Then you can't do MS-CHAP. It's a s simple as that. If you're not willing to store clear-text passwords, you can store NT-Passwords in LDAP. But that's your ONLY other option to get MS-CHAP to work. Alan DeKok.
I wonder why can't I just use an ldap bind to authenticate? I'm already doing it to authorize.. seems like I should be able to do it to authenticate as well. --joey On 2/3/06, Alan DeKok <aland@ox.org> wrote:
Joey McDonald <jmcdice@gmail.com> wrote:
Well, I'm not using windows systems at all - I've got OSX clients and a linux-based PPTP server. The passwords are stored as SSHA in my LDAP directory. That finally makes sense as to why radtest works, so thanks!
And it explains why MS-CHAP will never work. It's *impossible*.
My next question is, what Auth-Type should I be using for SSHA's stored in an LDAP directory. Clearly LDAP isn't going to be it if it doesn't support decrypting passwords and I don't wish to store passwords in plain text in the directory.
Then you can't do MS-CHAP. It's a s simple as that.
If you're not willing to store clear-text passwords, you can store NT-Passwords in LDAP. But that's your ONLY other option to get MS-CHAP to work.
Alan DeKok.
On Fri, 3 Feb 2006, Joey McDonald wrote:
I wonder why can't I just use an ldap bind to authenticate? I'm already doing it to authorize.. seems like I should be able to do it to authenticate as well.
--joey
Because you don't have a password to do a simple bind with. During authorization, you are programming the username/password into radius.conf. So, ldap has a username/password to bind with. During authentication, if you use ldap, it uses the username/password that comes in the access-request to bind with. In this case, you don't have a user-password because you're doing CHAP. Can you get your NAS to send over the Access-Request with a plaintext password (PAP)? Then it will work, just like it does when you use radclient.
participants (5)
-
Alan DeKok -
Dusty Doris -
Joey McDonald -
Joey McDonald -
Phil Mayers