Freeradius+MySQL auth for PPTP (MSCHAP V2) failing
Hello, I am trying to setup the poptop authentication through freeradius with mysql backend. Freeradius server as of now will only authenticate users and do accounting. IP delegation will be done by poptop. The radtest for a test user is successful. # radtest myuser testpassword localhost 1812 'testing123' Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = "myuser" User-Password = "mypassword" NAS-IP-Address = A.B.C.D NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=20 Here are three insert I made in the mysql tables, may be they are of use: insert into radcheck (username,attribute,op,value) values ('myuser','Crypt-Password',':=',encrypt('mypassword')); insert into radgroupcheck (groupname,attribute,op,value) values ('dynamic','Auth-Type',':=','Crypt-Local'); insert into radgroupreply (groupname,attribute,op,value) values ('dynamic','Acct-Interim-Interval','=',60); Here is the freeradius -X output snippet for authentication: rad_recv: Access-Request packet from host 127.0.0.1 port 40483, id=65, length=153 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "myuser" MS-CHAP-Challenge = 0x47359b9f4e6e11824858fd4b2a4a67c8 MS-CHAP2-Response = 0x7700234d5c8cd2388b66dd01a736d817a8070000000000000000629ab9bb7a480528165b51e15fb04b5293cc5b2ed0d5d272 Calling-Station-Id = "A.B.C.D" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize expand: %{User-Name} -> myuser rlm_sql (sql): sql_set_user escaped user --> 'myuser' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'myuser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'myuser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'myuser' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [myuser/<no User-Password attribute>] (from client localhost port 0 cli A.B.C.D) Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 1.0 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 65 to 127.0.0.1 port 40483 The radiusd.conf file is more or less the default except I have added the sql lines to it. It will be great if someone can provide any help regarding this. Please let me know if you need further information from my side. Regards. -- Ajitabh Pandey http://ajitabhpandey.info/ | http://unixclinic.net/ | http://buddingthoughts.info ICQ - 150615062 Registered Linux User - 240748
2009/7/4 Padam J Singh <padam.singh@inventum.cc>:
Hello Ajitabh,
Does PAP work? If it does, then your overall configuration is correct. Whenever doing a new setup, always begin with PAP Password from PPTP and Clear-text password in Mysql, and if it works then go ahead and change the setting on either side to suit your needs.
Thanks for the advise, I will keep that in mind next time onwards. Start from simple and move towards complex......
I think the issue is that you are storing the password encrypted - the radius server either expects a Cleartext-Password or Chap-Password for MSCHAPv2, and you have Crypt - something the radius server cannot really derive anything for comparison on basis of any conversion between them.
Nope, as I have explained in a reply to other response. I have used the encrypted password also now and its working. The problem was Auth-Type record in radgroupcheck table. Removed that record and fixed few missing lines from authorise and authenticate sections and it worked. Thanks for responding though. Regards. -- Ajitabh Pandey http://ajitabhpandey.info/ | http://unixclinic.net/ | http://buddingthoughts.info ICQ - 150615062 Registered Linux User - 240748
I am trying to setup the poptop authentication through freeradius with mysql backend. Freeradius server as of now will only authenticate users and do accounting. IP delegation will be done by poptop.
Here are three insert I made in the mysql tables, may be they are of use:
insert into radcheck (username,attribute,op,value) values ('myuser','Crypt-Password',':=',encrypt('mypassword'));
http://deployingradius.com/documents/protocols/compatibility.html
insert into radgroupcheck (groupname,attribute,op,value) values ('dynamic','Auth-Type',':=','Crypt-Local');
Your user entries have disabled all authentication protocols (chap, mschap,eap,...) apart from pap. Delete Auth-Type entry and use password encryption (if any) compatible with the protocol you want to use. Ivan Kalik Kalik Informatika ISP
2009/7/4 Ivan Kalik <tnt@kalik.net>: [snipped...]
Your user entries have disabled all authentication protocols (chap, mschap,eap,...) apart from pap. Delete Auth-Type entry and use password encryption (if any) compatible with the protocol you want to use.
Thanks Ivan, that was helpful. I deleted the record, but when that also did not solved the problem. Even putting the plain text password in the mysql table did not help. So I looked at the authorise and authenticate sections again and realised that mschap lines were missing. Adding that fixed the issue. I have tested, at my end and no other change was required (even the encrypted password in mysql works). If any of you can recommend a good in-depth book on freeradius then it would be great. Regards. -- Ajitabh Pandey http://ajitabhpandey.info/ | http://unixclinic.net/ | http://buddingthoughts.info ICQ - 150615062 Registered Linux User - 240748
participants (3)
-
Ajitabh Pandey -
Ivan Kalik -
Padam J Singh