I'm trying to authenticate MSChap with LDAP (LDAP has crypted passwords) for PPTP from a Cisco VPN box. I'm getting a strange error. Here's the logs: rad_recv: Access-Request packet from host ************:1071, id=138, length=153 User-Name = "csdgp" NAS-Port = 2311 Service-Type = Framed-User Framed-Protocol = PPP Tunnel-Client-Endpoint:0 = "**********" MS-CHAP-Challenge = 0x6ad5d5a423e76b09aeb8ac329215d4b1 MS-CHAP2-Response = 0x02000b2f32af6a677146bd81ec222958a45f00000000000000007249bfd5eb81dd31ee 0af1a17712be08a7bc758820949d71 NAS-IP-Address = ********** NAS-Port-Type = Virtual rlm_ldap: - authorize rlm_ldap: performing user authorization for csdgp rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as *************** to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user csdgp authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 Login incorrect: [csdgp/<no User-Password attribute>] (from client vpn1 port 2311) rad_recv: Access-Request packet from host ********:1071, id=138, length=153 Sending Access-Reject of id 138 to ********:1071 MS-CHAP-Error = "\002E=691 R=1" Here's the config: chap { authtype = CHAP } mschap { authtype = MS-CHAP use_mppe = yes } ldap { server = "localhost" identity = *************** password = *************** basedn = *************** filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}}) (host=ux1))" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = "userPassword" timeout = 4 timelimit = 3 net_timeout = 1 } authorize { preprocess auth_log chap mschap suffix ldap } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } -- End of config -- Am I up a creek here or is there something I can do? I haven't been able to find much online, but I may not be hitting the right things. -- Douglas G. Phillips Development Information Technology Services Eastern Illinois University (217) 581-7631
Douglas Phillips <csdgp@eiu.edu> wrote:
I'm trying to authenticate MSChap with LDAP (LDAP has crypted passwords)
It's impossible. You need to store NT-hashed passwords, or clear-text passwords in LDAP.
rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user csdgp authorized to use remote access
The LDAP module isn't even finding the crypt'd passwords for the user. Alan DeKok.
participants (2)
-
Alan DeKok -
Douglas Phillips