This is the configuration producing the MS-CHAP issue. No matter what I do, it wants to use CHAP instead of MS-CHAP radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = /var/log/radius raddbdir = /etc/raddb radacctdir = /var/log/radius/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radius group = radius max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = no require_encryption = no require_strong = no } ldap { server = "kurama.pukey" identity = "cn=Manager,dc=pukey" password = password basedn = "dc=pukey" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.101.1 range-stop = 192.168.101.99 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess ldap mschap suffix eap files } authenticate { Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql } session { radutmp } post-auth { sql } pre-proxy { } post-proxy { eap } users DEFAULT Auth-Type := MS-CHAP Fall-Through = 1 ldap.attrmap # # Mapping of RADIUS dictionary attributes to LDAP directory attributes # to be used by LDAP authentication and authorization module (rlm_ldap) # # Format: # ItemType RADIUS-Attribute-Name ldapAttributeName # # Where: # ItemType = checkItem or replyItem # RADIUS-Attribute-Name = attribute name in RADIUS dictionary # ldapAttributeName = attribute name in LDAP schema # # If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies # a LDAP attribute which can be used to store any RADIUS # attribute/value-pair in LDAP directory. # # You should edit this file to suit it to your needs. # checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password sambaLMPassword checkItem NT-Password sambaNTPassword checkItem SMB-Account-CTRL-TEXT sambaAcctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress replyItem Service-Type radiusServiceType replyItem Framed-Protocol radiusFramedProtocol replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask replyItem Framed-Route radiusFramedRoute replyItem Framed-Routing radiusFramedRouting replyItem Filter-Id radiusFilterId replyItem Framed-MTU radiusFramedMTU replyItem Framed-Compression radiusFramedCompression replyItem Login-IP-Host radiusLoginIPHost replyItem Login-Service radiusLoginService replyItem Login-TCP-Port radiusLoginTCPPort replyItem Callback-Number radiusCallbackNumber replyItem Callback-Id radiusCallbackId replyItem Framed-IPX-Network radiusFramedIPXNetwork replyItem Class radiusClass replyItem Session-Timeout radiusSessionTimeout replyItem Idle-Timeout radiusIdleTimeout replyItem Termination-Action radiusTerminationAction replyItem Login-LAT-Service radiusLoginLATService replyItem Login-LAT-Node radiusLoginLATNode replyItem Login-LAT-Group radiusLoginLATGroup replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone replyItem Port-Limit radiusPortLimit replyItem Login-LAT-Port radiusLoginLATPort replyItem Reply-Message radiusReplyMessage eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } clients.conf #client some.host.org { # secret = # shortname = localhost #} # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing-1 # shortname = private-network-1 #} # #client 192.168.0.0/16 { # secret = testing-2 # shortname = private-network-2 #} #client 10.10.10.10 { # # secret and password are mapped through the "secrets" file. # secret = testing # shortname = liv1 # # the following three fields are optional, but may be used by # # checkrad.pl for simultaneous usage checks # nastype = livingston # login = !root # password = someadminpas #} I've removed passwords. /etc/ppp/opions.pptpd lock nobsdcomp nodeflate mtu 1000 mru 1000 debug auth -chap -mschap +mschap-v2 plugin radius.so plugin radattr.so
Evan Vittitow wrote:
This is the configuration producing the MS-CHAP issue. No matter what I do, it wants to use CHAP instead of MS-CHAP
This isn't a FreeRadius issue. This is a configuration issue of your PPP daemon, as you've been told.
/etc/ppp/opions.pptpd
lock nobsdcomp nodeflate mtu 1000 mru 1000 debug auth -chap -mschap +mschap-v2 plugin radius.so plugin radattr.so
If that's really what your options.pptpd reads, then I can only assume your system is not configured to read that file. Do you have: option /etc/ppp/options.pptpd ...in /etc/pptpd.conf?
Contents: localip 192.168.102.1-101 remoteip 192.168.102.102-203 option /etc/ppp/options.pptpd
Evan Vittitow wrote:
Contents:
localip 192.168.102.1-101 remoteip 192.168.102.102-203 option /etc/ppp/options.pptpd
In which case I don't have any other suggestion. pppd decides what authentication algorithm to use - Radius does not have any choice in the matter. You might try enabling the various ppp debugging options (debub, kdebug) and inspecting the output. To be clear: nothing you can do in FreeRadius will make pppd use MS-CHAP. One more thing - looking back at a previous email, I infer you are setting Auth-Type in the "users" file to MS-CHAP? Don't do that. If the request is a real MS-CHAP request, the "mschap" module will set that itself. If it's not, setting it will just break things.
Phil Mayers wrote:
Evan Vittitow wrote:
Contents:
localip 192.168.102.1-101 remoteip 192.168.102.102-203 option /etc/ppp/options.pptpd
In which case I don't have any other suggestion.
pppd decides what authentication algorithm to use - Radius does not have any choice in the matter.
You might try enabling the various ppp debugging options (debub, kdebug) and inspecting the output.
To be clear: nothing you can do in FreeRadius will make pppd use MS-CHAP.
One more thing - looking back at a previous email, I infer you are setting Auth-Type in the "users" file to MS-CHAP? Don't do that. If the request is a real MS-CHAP request, the "mschap" module will set that itself. If it's not, setting it will just break things. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Maybe thats part of my problem. What should that be set to then?
DEFAULT Auth-Type := MS-CHAP Fall-Through = 1 Thats what it is set too, should it be something else? Also, do you know how to have pppd use Client side PEAP? Maybe I can skip MS-CHAP and use PEAP for both PPTP and 802.1X
Evan Vittitow wrote:
DEFAULT Auth-Type := MS-CHAP Fall-Through = 1
Thats what it is set too, should it be something else?
The ONLY circumstances you should set Auth-Type to ANYTHING are (in order of probability): 1. Setting it to Reject to refuse authentication e.g. based on group 2. Setting it to Accept for PAP requests which you wish to permit-all e.g. MAC-based authentication 3. Setting it (in old versions of the server) for the few modules which don't set it to themselves - namely, PAP Basically - DON'T set it. Delete that entry from the users file completely. Let the server figure it out, it will do the right thing if configured correctly.
Also, do you know how to have pppd use Client side PEAP? Maybe I can skip MS-CHAP and use PEAP for both PPTP and 802.1X
Not sure - you'd have to consult the pppd docs. In theory it's possible, but I know of no-one using it, and I'm not sure it interacts correctly with PPTP.
Okay, I did what you said: The result is: Jan 13 18:45:24 kurama pptpd[12444]: CTRL: Client 192.168.0.3 control connection started Jan 13 18:45:25 kurama pptpd[12444]: CTRL: Starting call (launching pppd, opening GRE) Jan 13 18:45:25 kurama pppd[12445]: Plugin radius.so loaded. Jan 13 18:45:25 kurama pppd[12445]: RADIUS plugin initialized. Jan 13 18:45:25 kurama pppd[12445]: Plugin radattr.so loaded. Jan 13 18:45:25 kurama pppd[12445]: RADATTR plugin initialized. Jan 13 18:45:25 kurama pppd[12445]: pppd 2.4.4 started by root, uid 0 Jan 13 18:45:25 kurama pppd[12445]: Using interface ppp0 Jan 13 18:45:25 kurama pppd[12445]: Connect: ppp0 <--> /dev/pts/12 Jan 13 18:45:25 kurama pppd[12445]: rc_avpair_new: unknown attribute 11 Jan 13 18:45:25 kurama pppd[12445]: rc_avpair_new: unknown attribute 25 Jan 13 18:45:27 kurama pppd[12445]: Peer User failed CHAP authentication Jan 13 18:45:27 kurama pppd[12445]: Connection terminated. Jan 13 18:45:27 kurama pppd[12445]: Exit. I reverted the /etc/raddb/dictionary and /etc/radiusclient/dictionary to its original forms. I then added an $Include for the two dictionaries you sent me at the end of /etc/radiusclient/dictionary.
----- Message de evan@terralab.com --------- Date : Sat, 13 Jan 2007 18:50:58 -0500 De : Evan Vittitow <evan@terralab.com> Répondre à : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: Radius Server refusing to MS-CHAP À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Okay, I did what you said:
No, not carefully enough... read below...
The result is:
...
Jan 13 18:45:25 kurama pppd[12445]: rc_avpair_new: unknown attribute 11 Jan 13 18:45:25 kurama pppd[12445]: rc_avpair_new: unknown attribute 25 Jan 13 18:45:27 kurama pppd[12445]: Peer User failed CHAP authentication Jan 13 18:45:27 kurama pppd[12445]: Connection terminated. Jan 13 18:45:27 kurama pppd[12445]: Exit.
I reverted the /etc/raddb/dictionary and /etc/radiusclient/dictionary to its original forms. I then added an $Include for the two dictionaries you sent me at the end of /etc/radiusclient/dictionary.
It's not $INCLUDE but INCLUDE as I wrote in previous emails. I know that the "$Include" form is written somewhere in the doc, but It doesn't work. Thibault
The sweet taste of Victory. I have a working FreeRadius server :-) Thank you. Now, the next step, setting up 802.1X with my Cisco AiroNet 340. (Have to be able to do both.)
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Evan Vittitow -
Phil Mayers -
Thibault Le Meur