Values for MySQL tables for pptpd ?
Hi I did setup pptpd with freeradius + mysql http://poptop.sourceforge.net/dox/radius_mysql.html. pptpd "poptop" works fine without freeradius, with freeradius and mysql, all seems fine apart from me not knowing what values to enter into the mysql tables of freeradius. With no entries in database I get Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:45194, id=198, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "193.227.186.146" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 radius_xlat: 'test' rlm_sql (sql): sql_set_user escaped user --> 'test' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): User test not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): User test not found in radgroupcheck rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User not found <####################### modcall[authorize]: module "sql" returns notfound for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 198 to 127.0.0.1 port 45194 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 198 with timestamp 4fbc8c9d When I do add to radcheck - INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test'); I get rad_recv: Access-Request packet from host 127.0.0.1:46882, id=199, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "193.227.186.146" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 radius_xlat: 'test' rlm_sql (sql): sql_set_user escaped user --> 'test' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 rlm_sql (sql): No matching entry in the database for request from user [test] modcall[authorize]: module "sql" returns notfound for request 1 modcall[authorize]: module "mschap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user <################# auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 199 to 127.0.0.1 port 46882 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 199 with timestamp 4fbc8d01 Nothing to do. Sleeping until we see a request. I am lost here, please advice.
Thanks Alan, I assumed Chap-Password because during testing I got auth: No User-Password or CHAP-Password attribute in the request Regards On Wed, May 23, 2012 at 10:16 AM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
When I do add to radcheck -
INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test');
That's wrong. See the FAQ.
Use "Cleartext-Password := test".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
Hi Alan Sorry for the many mails I did test with Cleartext-Password and got rlm_sql: Failed to create the pair: Unknown attribute "Cleartext-Password" rlm_sql (sql): Error getting data from database I have microsoft and merit dictionary loaded Regards On Wed, May 23, 2012 at 10:44 AM, Ali Jawad <ali.jawad@splendor.net> wrote:
Thanks Alan, I assumed Chap-Password because during testing I got
auth: No User-Password or CHAP-Password attribute in the request Regards
On Wed, May 23, 2012 at 10:16 AM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
When I do add to radcheck -
INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test');
That's wrong. See the FAQ.
Use "Cleartext-Password := test".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
Ali Jawad wrote:
I did test with Cleartext-Password
and got
rlm_sql: Failed to create the pair: Unknown attribute "Cleartext-Password" rlm_sql (sql): Error getting data from database
Then you edited the default configuration and broke the server.
I have microsoft and merit dictionary loaded
What does that mean? DON"T edit the dictionaries. The server WORKS. Alan DeKok.
Fair enough, what is the value that forces use of Cleartext-Password ? Thanks ! On Wed, May 23, 2012 at 11:15 AM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
I did test with Cleartext-Password
and got
rlm_sql: Failed to create the pair: Unknown attribute "Cleartext-Password" rlm_sql (sql): Error getting data from database
Then you edited the default configuration and broke the server.
I have microsoft and merit dictionary loaded
What does that mean?
DON"T edit the dictionaries. The server WORKS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
Ali Jawad wrote:
Fair enough, what is the value that forces use of Cleartext-Password ?
DON'T EDIT THE DICTIONARIES. There is NOTHING YOU NEED TO DO. My example WORKS USING THE DEFAULT CONFIGURATION. I have NO IDEA why you're asking that question. It shows a deep misunderstanding of how the server works. Happily, you don't need to understand it. Just.... DON'T EDIT THE DICTIONARIES. MY EXAMPLE WORKS. What else do I need to say to convince you that you should DO WHAT I SAID? Alan DeKok.
On Wed, May 23, 2012 at 3:22 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Fair enough, what is the value that forces use of Cleartext-Password ? Thanks !
Step back a bit. As Phil said, what version of FR are you using? If you're using 2.1.x, then the dictionary should have an attribute called Cleartext-Password. If the server doesn't recognize it, you need to: - check for typos in your config/db entry. just in case - make SURE you don't break the server (e.g. changing something like default dictionary location) - make SURE you use new-enough version. For example, RHEL/Centos5 has it under the name "freeradius2" package. pptpd does need some dictionary file modification, but you should make it so that it uses SEPARATE directory from the one that FR is using. Do NOT change anything in FR's dictionary directory. Is that clear enough? -- Fajar
On 05/23/2012 08:46 AM, Ali Jawad wrote:
Hi Alan Sorry for the many mails
I did test with Cleartext-Password
and got
rlm_sql: Failed to create the pair: Unknown attribute "Cleartext-Password" rlm_sql (sql): Error getting data from database
Which version of FreeRADIUS?
I have microsoft and merit dictionary loaded
I you have fiddled with the dictionaries, you'll break everything. Don't do that. Leave the dictionaries alone. There's no problem loading them all.
Hi Alan I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos thanks On Wed, May 23, 2012 at 11:17 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 05/23/2012 08:46 AM, Ali Jawad wrote:
Hi Alan Sorry for the many mails
I did test with Cleartext-Password
and got
rlm_sql: Failed to create the pair: Unknown attribute "Cleartext-Password" rlm_sql (sql): Error getting data from database
Which version of FreeRADIUS?
I have microsoft and merit dictionary loaded
I you have fiddled with the dictionaries, you'll break everything. Don't do that.
Leave the dictionaries alone. There's no problem loading them all.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
On Wed, May 23, 2012 at 3:26 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Hi Alan I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos
Upgrade. Seriously. Don't bother doing anything else until you upgrade. Uninstall 1.1.3, install "freeradius2" package (and the corresponding "freeradius2-mysql") -- Fajar
Hi I switched to freeradius2. I did edit only sql.conf to the correct MySQL values and I did import schema.sql from sql/mysql/. I did add a user to the new tables and that is about all. Now I get the below, I did NOT edit any other settings, is there something that needs to be done so FR checks in the database like adding sql entries to authorize{} and session{} +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 247 to 127.0.0.1 port 60798 Waking up in 4.9 seconds. Cleaning up request 0 ID 247 with timestamp +18 Ready to process requests. Regards On Wed, May 23, 2012 at 11:49 AM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
Hi Alan I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos
<sigh> It would have helped to say that at the start.
Delete the 1.1.3 version.
Install freeradius2.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
On Wed, May 23, 2012 at 4:11 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
is there something that needs to be done so FR checks in the database like adding sql entries to authorize{}
exactly. sites-available/default should be enough for pptpd since it doesn't use EAP. The comments on that file should be clear enough. Just uncomment "sql" on authorize section.
and session{}
only if you use simultaneous check. I suggest just ignore it for now. -- Fajar
On Wed, May 23, 2012 at 4:16 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, May 23, 2012 at 4:11 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
is there something that needs to be done so FR checks in the database like adding sql entries to authorize{}
exactly. sites-available/default should be enough for pptpd since it doesn't use EAP. The comments on that file should be clear enough. Just uncomment "sql" on authorize section.
... and don't forget to read radiusd.conf as well. Read the commetns there, and uncomment the line that includes sql.conf (since you didn't mention it, you probably didn't do that either). -- Fajar
hi, sql support isnt turned on by default as you need to have SQL server,schema etc need to ensure sql.conf is read and sql is enabled in the relevant sections however, given that you are installing from package you probably also need to install freeradius2-mysql or freeradius2-sql package too...which might setup some things for you alan
Hi I did install freeradius2-mysql, configured /etc/raddb/sql.conf and included sql.conf in /etc/raddb/radius.conf and uncommented sql from authorize section of default. I did also import schema.sql from sql/mysql/. The queries show in the debug output but I am getting the error shown in the last email. Thanks Regards On Wed, May 23, 2012 at 12:46 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk>wrote:
hi,
sql support isnt turned on by default as you need to have SQL server,schema etc
need to ensure sql.conf is read and sql is enabled in the relevant sections
however, given that you are installing from package you probably also need to install freeradius2-mysql or freeradius2-sql package too...which might setup some things for you
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
Thanks for your patience so far. I did edit include sql.conf and only edited authorize to uncomment sql line. Now I am getting the below. [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute! I did try as LOCAL and it says set CHAP, I also tried mschap ########## Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'normalusers' ORDER BY id [sql] User found in group normalusers [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'normalusers' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute! ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 127.0.0.1 port 36343 Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +8 Ready to process requests. My DB entries are : INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1, 'test', 'Cleartext-Password', '==', '123456'), INSERT INTO `radgroupcheck` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES (1, 'normalusers', 'Auth-Type', '==', 'chap'); INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES (1, 'normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP'), (2, 'normalusers', 'Framed-Protocol', '=', 'PPP'), (3, 'normalusers', 'Service-Type', '=', 'Framed-User'); INSERT INTO `radreply` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1, 'test', 'Framed-IP-Address', '=', '192.168.100.233'); INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES ('test', 'normalusers', 1); On Wed, May 23, 2012 at 12:17 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, May 23, 2012 at 4:16 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, May 23, 2012 at 4:11 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
is there something that needs to be done so FR checks in the database like adding sql entries to authorize{}
exactly. sites-available/default should be enough for pptpd since it doesn't use EAP. The comments on that file should be clear enough. Just uncomment "sql" on authorize section.
... and don't forget to read radiusd.conf as well. Read the commetns there, and uncomment the line that includes sql.conf (since you didn't mention it, you probably didn't do that either).
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
Ali Jawad wrote:
Thanks for your patience so far.
I did edit include sql.conf and only edited authorize to uncomment sql line.
Now I am getting the below.
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
Because you forced Auth-Type := CHAP. Don't do that.
I did try as LOCAL and it says set CHAP, I also tried mschap
It's MUCH better to *understand* what's going on. Trying random changes is terrible.
Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password in this request. Use a RADIUS client that sends a password! Whatever RADIUS client you're using is broken. Don't use it. Alan DeKok.
Hi Thanks again I did remove Auth-Type entry from DB and error says now rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds I am using a pptpd server, it has plugin radius.so plugin radattr.so loaded. The radius client is : rpm -qa | grep radiusclient radiusclient-ng-utils-0.5.6-3.el5 radiusclient-ng-0.5.6-3.el5 It's radiusclient config is : auth_order radius login_tries 4 login_timeout 60 nologin /etc/nologin issue /etc/radiusclient/issue authserver localhost:1812 acctserver localhost:1813 servers /etc/radiusclient/servers #dictionary /etc/raddb/dictionary dictionary /usr/share/radiusclient-ng/dictionary login_radius /usr/sbin/login.radius seqfile /var/run/radius.seq mapfile /etc/radiusclient/port-id-map default_realm radius_timeout 10 radius_retries 3 login_local /bin/login On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
Thanks for your patience so far.
I did edit include sql.conf and only edited authorize to uncomment sql line.
Now I am getting the below.
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
Because you forced Auth-Type := CHAP. Don't do that.
I did try as LOCAL and it says set CHAP, I also tried mschap
It's MUCH better to *understand* what's going on. Trying random changes is terrible.
Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password in this request. Use a RADIUS client that sends a password!
Whatever RADIUS client you're using is broken. Don't use it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
Hi I got it to work "at least half way", I did change pptpd options from -chap -mschap +mschap-v2 require-mppe TO +chap +mschap +mschap-v2 #require-mppe And in MS Win 7 VPN settings I did set encryption to optional. This way I can connect, see ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4FBCBB330F5000",User-Name = "test"' [acct_unique] Acct-Unique-Session-ID = "6bbdd9f2f808f872". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523 [detail] expand: %t -> Wed May 23 11:25:55 2012 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> test ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 27 to 127.0.0.1 port 50177 Finished request 2. Cleaning up request 2 ID 27 with timestamp +15 Going to the next request Waking up in 4.7 seconds. However when I do try to use MSCHAPV2 in VPN settings or if I do require encryption with appropriate settings in pptpd it fails. Test example : Set in VPN client in Win 7 to require encryption and MSCHAPV2 - "default options" Set pptpd options to : -chap -mschap +mschap-v2 require-mppe I get the following in radius ++[sql] returns ok ++[expiration] returns noop rlm_logintime: Checking Login-Time: 'Al0800-1200' rlm_logintime: timestr returned accept rlm_logintime: Session-Timeout set to: 1200 ++[logintime] returns ok [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 12 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 12 Sending Access-Reject of id 45 to 127.0.0.1 port 60652 Waking up in 4.9 seconds. Cleaning up request 12 ID 45 with timestamp +591 Ready to process requests. In short it works for chap but not mschap, any input please ? Regards On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Hi Thanks again
I did remove Auth-Type entry from DB and error says now
rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds
I am using a pptpd server, it has plugin radius.so plugin radattr.so loaded. The radius client is :
rpm -qa | grep radiusclient radiusclient-ng-utils-0.5.6-3.el5 radiusclient-ng-0.5.6-3.el5
It's radiusclient config is :
auth_order radius login_tries 4 login_timeout 60 nologin /etc/nologin issue /etc/radiusclient/issue authserver localhost:1812 acctserver localhost:1813 servers /etc/radiusclient/servers #dictionary /etc/raddb/dictionary dictionary /usr/share/radiusclient-ng/dictionary login_radius /usr/sbin/login.radius seqfile /var/run/radius.seq mapfile /etc/radiusclient/port-id-map default_realm radius_timeout 10 radius_retries 3 login_local /bin/login
On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
Thanks for your patience so far.
I did edit include sql.conf and only edited authorize to uncomment sql line.
Now I am getting the below.
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
Because you forced Auth-Type := CHAP. Don't do that.
I did try as LOCAL and it says set CHAP, I also tried mschap
It's MUCH better to *understand* what's going on. Trying random changes is terrible.
Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password in this request. Use a RADIUS client that sends a password!
Whatever RADIUS client you're using is broken. Don't use it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
In btw, I do not have any Auth-Type settings now. Thanks On Wed, May 23, 2012 at 1:42 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Hi I got it to work "at least half way", I did change pptpd options from
-chap -mschap +mschap-v2 require-mppe
TO
+chap +mschap +mschap-v2 #require-mppe
And in MS Win 7 VPN settings I did set encryption to optional. This way I can connect, see
++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4FBCBB330F5000",User-Name = "test"' [acct_unique] Acct-Unique-Session-ID = "6bbdd9f2f808f872". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523 [detail] expand: %t -> Wed May 23 11:25:55 2012 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> test ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 27 to 127.0.0.1 port 50177 Finished request 2. Cleaning up request 2 ID 27 with timestamp +15 Going to the next request Waking up in 4.7 seconds.
However when I do try to use MSCHAPV2 in VPN settings or if I do require encryption with appropriate settings in pptpd it fails.
Test example :
Set in VPN client in Win 7 to require encryption and MSCHAPV2 - "default options" Set pptpd options to : -chap -mschap +mschap-v2 require-mppe
I get the following in radius
++[sql] returns ok ++[expiration] returns noop rlm_logintime: Checking Login-Time: 'Al0800-1200' rlm_logintime: timestr returned accept rlm_logintime: Session-Timeout set to: 1200 ++[logintime] returns ok [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 12 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 12 Sending Access-Reject of id 45 to 127.0.0.1 port 60652 Waking up in 4.9 seconds. Cleaning up request 12 ID 45 with timestamp +591 Ready to process requests.
In short it works for chap but not mschap, any input please ?
Regards
On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Hi Thanks again
I did remove Auth-Type entry from DB and error says now
rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds
I am using a pptpd server, it has plugin radius.so plugin radattr.so loaded. The radius client is :
rpm -qa | grep radiusclient radiusclient-ng-utils-0.5.6-3.el5 radiusclient-ng-0.5.6-3.el5
It's radiusclient config is :
auth_order radius login_tries 4 login_timeout 60 nologin /etc/nologin issue /etc/radiusclient/issue authserver localhost:1812 acctserver localhost:1813 servers /etc/radiusclient/servers #dictionary /etc/raddb/dictionary dictionary /usr/share/radiusclient-ng/dictionary login_radius /usr/sbin/login.radius seqfile /var/run/radius.seq mapfile /etc/radiusclient/port-id-map default_realm radius_timeout 10 radius_retries 3 login_local /bin/login
On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Ali Jawad wrote:
Thanks for your patience so far.
I did edit include sql.conf and only edited authorize to uncomment sql line.
Now I am getting the below.
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
Because you forced Auth-Type := CHAP. Don't do that.
I did try as LOCAL and it says set CHAP, I also tried mschap
It's MUCH better to *understand* what's going on. Trying random changes is terrible.
Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password in this request. Use a RADIUS client that sends a password!
Whatever RADIUS client you're using is broken. Don't use it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
On Wed, May 23, 2012 at 01:42:56PM +0300, Ali Jawad wrote:
I got it to work "at least half way", I did change pptpd options from
-chap -mschap +mschap-v2 require-mppe
TO
+chap +mschap +mschap-v2 #require-mppe
That's a lot of changes in one go (unless you tested each one individually). I'd check you've got the right entries in the microsoft dictionary for radiusclient (MS-MPPE-Send-Key, MS-MPPE-Recv-Key etc). For what it's worth, we got l2tp/ipsec working recently with radiusclient. The pppd options include: refuse-pap refuse-chap refuse-mschap require-mschap-v2 and you can connect from Windows just fine. No need for CHAP/MSCHAP, or to disable encryption. I'd imagine pptp is similar (albeit the final solution less secure - I don't believe anyone has recommended pptp for new deployments for at least the last five years). However, radiusclient and radius.so are, from what I can tell, ancient and seem in rather need of an overhaul. The dictionary support is nasty, compared to the recent dictionary format. I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it. But this is all mildly off-topic for FreeRADIUS... Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew Newton wrote:
I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.
But this is all mildly off-topic for FreeRADIUS...
radiusclient-ng is no longer developed. It has become freeradius-client. :) See http://freeradius.org Even that is terrible. I'm inclined to fix it once and for all. Alan DeKok.
On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
Matthew Newton wrote:
I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.
But this is all mildly off-topic for FreeRADIUS...
radiusclient-ng is no longer developed.
It has become freeradius-client. :) See http://freeradius.org
Ah - thanks. I had it on my list to hack at the radiusclient code to try and update it. 30 minutes ago, that list entry changed to radiusclient-ng. Looks like I'll be looking at the freeradius-client code instead now... if I ever get time! Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi again I did do some more reading and finally got radius to authenticate mschap, I am using the users file to add users for the time being and no SQL. A user can authenticate properly See Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 100 with timestamp +136 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 57868, id=101, length=132 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" MS-CHAP-Challenge = 0x65c4689b30c27f604fcca7ba1370fdba MS-CHAP2-Response = 0x31004bfca25ae57e8617e1e2d3cebde289040000000000000000c4cd490b424b34bfa53ad8b65fb786d994c6f647dbdd001a NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry test at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: test [mschap] Told to do MS-CHAPv2 for test with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 101 to 127.0.0.1 port 57868 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Framed-Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x31533d43303035333346323444353031324334354144323433334634334344343931374636363944453733 MS-MPPE-Recv-Key = 0x494fa970f9bb475a70b1b37179089b1d MS-MPPE-Send-Key = 0x546cdc52da0bf3818284fe5e6c48332d MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Finished request 4. but I get the following error on the pptpd side May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received invalid reply digest from RADIUS server Any input please ? Regards On Wed, May 23, 2012 at 3:17 PM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
Matthew Newton wrote:
I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.
But this is all mildly off-topic for FreeRADIUS...
radiusclient-ng is no longer developed.
It has become freeradius-client. :) See http://freeradius.org
Ah - thanks. I had it on my list to hack at the radiusclient code to try and update it. 30 minutes ago, that list entry changed to radiusclient-ng.
Looks like I'll be looking at the freeradius-client code instead now... if I ever get time!
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
NM posted to quickly, secrets were wrong, fiddling around with Unsupported protocol 'IPv6 Control Protovol' (0x8057) received after that it should work, will definitively post it up in a howto. Regards On Wed, May 23, 2012 at 3:31 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Hi again I did do some more reading and finally got radius to authenticate mschap, I am using the users file to add users for the time being and no SQL. A user can authenticate properly
See
Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 100 with timestamp +136 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 57868, id=101, length=132 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" MS-CHAP-Challenge = 0x65c4689b30c27f604fcca7ba1370fdba MS-CHAP2-Response = 0x31004bfca25ae57e8617e1e2d3cebde289040000000000000000c4cd490b424b34bfa53ad8b65fb786d994c6f647dbdd001a NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry test at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: test [mschap] Told to do MS-CHAPv2 for test with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 101 to 127.0.0.1 port 57868 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Framed-Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x31533d43303035333346323444353031324334354144323433334634334344343931374636363944453733 MS-MPPE-Recv-Key = 0x494fa970f9bb475a70b1b37179089b1d MS-MPPE-Send-Key = 0x546cdc52da0bf3818284fe5e6c48332d MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Finished request 4.
but I get the following error on the pptpd side
May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received invalid reply digest from RADIUS server
Any input please ?
Regards
On Wed, May 23, 2012 at 3:17 PM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
Matthew Newton wrote:
I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.
But this is all mildly off-topic for FreeRADIUS...
radiusclient-ng is no longer developed.
It has become freeradius-client. :) See http://freeradius.org
Ah - thanks. I had it on my list to hack at the radiusclient code to try and update it. 30 minutes ago, that list entry changed to radiusclient-ng.
Looks like I'll be looking at the freeradius-client code instead now... if I ever get time!
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
-- *Ali Jawad * *Information Systems Manager* *Splendor Telecom (www.splendor.net) Beirut, Lebanon Phone: +9611373725/ext 116 FAX: +9611375554*
On Wed, May 23, 2012 at 4:48 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
Now I am getting the below.
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
I did try as LOCAL and it says set CHAP, I also tried mschap
As Alan said, you shouldn't need to set Auth-Type manually. So don't do that
##########
Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" Calling-Station-Id = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
Which client generates this? I highly suggest you try with radtest first. Once that works, you can try it with pptpd (or whatever client that you're going to use) -- Fajar
participants (6)
-
alan buxey -
Alan DeKok -
Ali Jawad -
Fajar A. Nugraha -
Matthew Newton -
Phil Mayers