Hi, I'm having the following problem: I'm trying to establish a VPN server, where most of the clients are Windows XP/2K machines. As VPN server I'm using a Debian Sarge box running PopTop 1.2.1, which sends the autentication MS-CHAPv2 requests to my other Debian Sarge box running Freeradius 1.0.4, using my-sql v. 12.22 as database for users/accounting. Problem: Windows sends the user info as a Chap challenge, and as a result the Freeradius server reports that the user request came with no password. Did somebody face a similiar problem? Can someone helpme/point in the right direction? Thank you, Marcos Roberto Radius.log entries: Mon Jun 27 10:15:16 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Jun 27 10:15:16 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Mon Jun 27 10:15:16 2005 : Info: rlm_sql (sql): Attempting to connect to radius@localhost:/radius Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0 Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1 Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2 Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3 Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4 Mon Jun 27 10:15:16 2005 : Info: Ready to process requests. Mon Jun 27 10:15:40 2005 : Auth: Login incorrect: [testuser/<no User-Password attribute>] (from client localhost port 0 cli aaa.bbb.ccc.ddd) (IP address edited....)
Roberto Greiner <mrgreiner@gmail.com> wrote:
Problem: Windows sends the user info as a Chap challenge, and as a result the Freeradius server reports that the user request came with no password. Did somebody face a similiar problem? Can someone helpme/point in the right direction?
The problem isn't that the request doesn't contain a password. The problem is that the user is rejected. Run the server in debug mode to see why. Alan DeKok.
On 6/27/05, Alan DeKok <aland@ox.org> wrote:
Roberto Greiner <mrgreiner@gmail.com> wrote:
Problem: Windows sends the user info as a Chap challenge, and as a result the Freeradius server reports that the user request came with no password. Did somebody face a similiar problem? Can someone helpme/point in the right direction?
The problem isn't that the request doesn't contain a password. The problem is that the user is rejected.
Run the server in debug mode to see why.
Alan DeKok.
Ok. I ran the server in debug mode, but it still says that the request is comming without Password. Specifically, the message says: "auth: No User-Password or CHAP-Password attribute in the request". The full log: ---------------------------------------------------------------- rad_recv: Access-Request packet from host 127.0.0.1:32799, id=180, length=66 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "teste" Calling-Station-Id = "aa.bb.cc.dd" NAS-IP-Address = ee.ff.gg.hh NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "teste", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 radius_xlat: 'teste' rlm_sql (sql): sql_set_user escaped user --> 'teste' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'teste' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'teste' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'teste' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'teste' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [teste/<no User-Password attribute>] (from client localhost port 0 cli aa.bb.cc.dd) Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 180 to 127.0.0.1:32799 Waking up in 7 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 180 with timestamp 42c2a106 Nothing to do. Sleeping until we see a request. ---------------------------------------------------------------- in radius.conf, mschap part is as follows: mschap { authtype = MS-CHAP use_mppe = yes #require_encryption = yes require_strong = yes #with_ntdomain_hack = no #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } In the mysql radcheck table, I tried both 'Password' and 'CHAP-Password' as attributes, with no diference at all in the result In the windows box, for authentication, I left enabled in the security menu, the options 'CHAP Protocol', 'Microsoft CHAP' and 'Microsoft CHAP version 2 (MS-CHAP v2)'. One possibility I see is that there may be some wrong configuration in my radius.conf, since the log is saying "modcall[authorize]: module "mschap" returns noop for request 3". Shouldn't it say "returns ok" or something like that? Thank you, Marcos Roberto
Ok. I ran the server in debug mode, but it still says that the request is comming without Password. Specifically, the message says: "auth: No User-Password or CHAP-Password attribute in the request".
The full log: ---------------------------------------------------------------- rad_recv: Access-Request packet from host 127.0.0.1:32799, id=180, length=66 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "teste" Calling-Station-Id = "aa.bb.cc.dd" NAS-IP-Address = ee.ff.gg.hh NAS-Port = 0 Processing the authorize section of radiusd.conf
Well, its correct, there is no user-password or chap-password.
Roberto Greiner <mrgreiner@gmail.com> wrote:
Ok. I ran the server in debug mode, but it still says that the request is comming without Password. Specifically, the message says: "auth: No User-Password or CHAP-Password attribute in the request".
Well, that's because there is no password in the request. How do you want the server to authenticate this request?
in radius.conf, mschap part is as follows: mschap {
Do you see the word "mschap" in the request? Nope. So poking the mschap configuration in the server won't do anything.
In the mysql radcheck table, I tried both 'Password' and 'CHAP-Password' as attributes, with no diference at all in the result
Don't set CHAP-Password. Ever.
One possibility I see is that there may be some wrong configuration in my radius.conf, since the log is saying "modcall[authorize]: module "mschap" returns noop for request 3". Shouldn't it say "returns ok" or something like that?
If the request contained MSCHAP, yes, the mschap module should return ok. Since the request doesn't contain MSCHAP, the mschap module returns noop. Make the client send MSCHAP, or CHAP-Password, or User-Password. No amount of playing with radiusd.conf will fix the client. Alan DeKok.
participants (3)
-
Alan DeKok -
Dusty Doris -
Roberto Greiner