FreeRADIUS + MPPE for PPTP VPN clients
Hi List. I have a Q about MS-CHAP and MPPE configuration for FreeRADIUS. OS and software versions Servers OS Solaris 9 SPARC FreeRADIUS 1.0.2 OpenLDAP 2.2.24 SAMBA 3.0.11 Network gateways Cisco PIX 506, IOS 6.3(4) PPTP VPN Clients Windows 2K/XP, MAC OSX. The RADIUS server we're talking about is a secondary LDAP server and SAMBA BDC as well. I'd like to use this FreeRADIUS as a username/password backend for PPTP VPN clients. VPN hub in my case is Cisco PIX device, which supports AAA RADIUS for PPTP VPDN groups. PPTP VPN against Cisco PIX works perfectly well with local authentication, i.e when usernames/passwords are configured locally on PIX. The RADIUS is already configured with OpenLDAP as a backend, authenticating against userPassword attribute. This part works OK. The OpenLDAP server is also a backend for my SAMBA domain controller, the same domain I'm trying to use for user logins via PPTP VPN. All users have both POSIX and SAMBA attiributes in LDAP. The following chain works. Cisco VPN clients --- NAS --- RADIUS --- LDAP This one doesn't PPTP VPN clients --- NAS --- RADIUS --- SAMBA --- LDAP I have configured RADIUS server as following (omitted some lines here). Modules section mschap { authtype = MS-CHAP use_mppe = yes #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no #ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ldap { server = localhost basedn = "ou=People,dc=orcsoftware,dc=com" filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))" start_tls = no password_attribute = userPassword } authorize { preprocess auth_log reply_log mschap suffix ldap } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } For PPTP logins it doesn't work for user MYDOMAIN\username and the server says (omiting the beginning of debug) Fri Jun 3 12:50:37 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0 Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password. Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password. Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: Told to do MS-CHAPv1 with NT-Password Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: MS-CHAP-Response is incorrect. My Q is: should I use ntlm_auth program for getting NTLM passwords? If yes, should my RADIUS server be join a SAMBA domain which it is trying to use? Actually I'm a bit confused here and highlighting how RADIUS obtains or generates MPPE keys might be heplful. Any hints or useful URLs would be highly appreciated. Cheers, A.
Alexei Monastyrnyi <alexeim@orcsoftware.com> wrote:
My Q is: should I use ntlm_auth program for getting NTLM passwords?
No, you use ntlm_auth to do the authentication.
If yes, should my RADIUS server be join a SAMBA domain which it is trying to use?
No, ntlm_ath talks to winbindd, which eventually joins the Samba domain.
Actually I'm a bit confused here and highlighting how RADIUS obtains or generates MPPE keys might be heplful.
It gets the necessary data from ntlm_auth. If you want to know exactly how, read the source.
Any hints or useful URLs would be highly appreciated.
Configure ntlm_auth. See it's documentation, and the configuration examples in radiusd.conf. Alan DeKok.
participants (2)
-
Alan DeKok -
Alexei Monastyrnyi