freeradius + pptp + mysql
Hello, I am trying to get freeradius to work with my pptp / ppp server. I have followed the documents from the following locations: http://poptop.sourceforge.net/dox/radius_mysql.html http://www.frontios.com/freeradius.html However I am unable to get it to work when using freeradius. pptpd-1.3.0-0 ppp-2.4.3-5.rhel4 freeradius-1.0.1-3.RHEL4.3 My client is a XP Pro laptop using MS-CHAP v2 I believe, with just pptp / ppp and using a chap-secrect file it work great. However once I introduce freerdius and mysql I am unable to authentication. The following works fine on my test server: radtest testuser testpass localhost 1812 testing123 When trying from the XP Pro client it fails with: rlm_mschap: No MS-CHAP-Challenge in the request I have added the logs below, any feedback would be appreciated. Here are the logs: rad_recv: Access-Request packet from host 127.0.0.1:32804, id=83, length=65 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser" Calling-Station-Id = "10.10.0.3" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 radius_xlat: 'testuser' rlm_sql (sql): sql_set_user escaped user --> 'testuser' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_mschap: No MS-CHAP-Challenge in the request modcall[authenticate]: module "mschap" returns reject for request 0 modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... -- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.
Michael Gale <michael.gale@pason.com> wrote:
My client is a XP Pro laptop using MS-CHAP v2 I believe
Nope. It's not sending MS-CHAP in the request packet.
I have followed the documents from the following locations: http://poptop.sourceforge.net/dox/radius_mysql.html http://www.frontios.com/freeradius.html
And heavily edited the standard configurations files, probably. Please don't. The standard configuration is there for a reason: it works.
modcall[authorize]: module "mschap" returns noop for request 0
That works, at least. The server isn't trying to do MS-CHAP.
modcall: entering group Auth-Type for request 0 rlm_mschap: No MS-CHAP-Challenge in the request
This only happens if you force MS-CHAP authentication. Don't. You've probably added entries in SQL to force "Auth-Type = MS-CHAP". Don't. And the request is unhelpful:
rad_recv: Access-Request packet from host 127.0.0.1:32804, id=83, length=65 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser" Calling-Station-Id = "10.10.0.3" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password or MS-CHAP attributes in it. The request cannot be authenticated. Use the standard FreeRADIUS config files. They work. Make pptp send MS-CHAP attributes. Alan DeKok.
Hello, Ok, I removed freeradius and re-installed the package. The only configuration changes I made where: username and password in sql.conf Uncommented sql options in radius.conf I also add the dictionary.mirosoft file to the /etc/radiusclient/ directory as I came across a document that said to do so. I am still receiving the same error as before, in the mysql database I have: mysql> select * from radcheck; +----+----------+-----------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+----------+ | 1 | testuser | Password | == | testpass | +----+----------+-----------+----+----------+ 1 row in set (0.00 sec) mysql> select * from radgroupcheck; +----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | static | Auth-Type | := | Local | +----+-----------+-----------+----+-------+ 1 row in set (0.00 sec) mysql> select * from usergroup; +----+----------+-----------+ | id | UserName | GroupName | +----+----------+-----------+ | 1 | testuser | static | +----+----------+-----------+ Any hints would be appreciated, thanks. Michael Alan DeKok wrote:
Michael Gale <michael.gale@pason.com> wrote:
My client is a XP Pro laptop using MS-CHAP v2 I believe
Nope. It's not sending MS-CHAP in the request packet.
I have followed the documents from the following locations: http://poptop.sourceforge.net/dox/radius_mysql.html http://www.frontios.com/freeradius.html
And heavily edited the standard configurations files, probably.
Please don't. The standard configuration is there for a reason: it works.
modcall[authorize]: module "mschap" returns noop for request 0
That works, at least. The server isn't trying to do MS-CHAP.
modcall: entering group Auth-Type for request 0 rlm_mschap: No MS-CHAP-Challenge in the request
This only happens if you force MS-CHAP authentication. Don't. You've probably added entries in SQL to force "Auth-Type = MS-CHAP". Don't.
And the request is unhelpful:
rad_recv: Access-Request packet from host 127.0.0.1:32804, id=83, length=65 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser" Calling-Station-Id = "10.10.0.3" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password or MS-CHAP attributes in it. The request cannot be authenticated.
Use the standard FreeRADIUS config files. They work. Make pptp send MS-CHAP attributes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I have it working I believe, more testing is required but so far everything seems good. Most of the docs I have come across say to set Auth-Type to Local or something in the mysql database. I came across the following post by Alan DeKok: http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036643.htm... Where he suggest removing the entry - once I did that everything worked. Michael Michael Gale wrote:
Hello,
Ok, I removed freeradius and re-installed the package. The only configuration changes I made where:
username and password in sql.conf Uncommented sql options in radius.conf
I also add the dictionary.mirosoft file to the /etc/radiusclient/ directory as I came across a document that said to do so.
I am still receiving the same error as before, in the mysql database I have: mysql> select * from radcheck; +----+----------+-----------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+----------+ | 1 | testuser | Password | == | testpass | +----+----------+-----------+----+----------+ 1 row in set (0.00 sec)
mysql> select * from radgroupcheck; +----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | static | Auth-Type | := | Local | +----+-----------+-----------+----+-------+ 1 row in set (0.00 sec)
mysql> select * from usergroup; +----+----------+-----------+ | id | UserName | GroupName | +----+----------+-----------+ | 1 | testuser | static | +----+----------+-----------+
Any hints would be appreciated, thanks.
Michael
Alan DeKok wrote:
Michael Gale <michael.gale@pason.com> wrote:
My client is a XP Pro laptop using MS-CHAP v2 I believe
Nope. It's not sending MS-CHAP in the request packet.
I have followed the documents from the following locations: http://poptop.sourceforge.net/dox/radius_mysql.html http://www.frontios.com/freeradius.html
And heavily edited the standard configurations files, probably.
Please don't. The standard configuration is there for a reason: it works.
modcall[authorize]: module "mschap" returns noop for request 0
That works, at least. The server isn't trying to do MS-CHAP.
modcall: entering group Auth-Type for request 0 rlm_mschap: No MS-CHAP-Challenge in the request
This only happens if you force MS-CHAP authentication. Don't. You've probably added entries in SQL to force "Auth-Type = MS-CHAP". Don't.
And the request is unhelpful:
rad_recv: Access-Request packet from host 127.0.0.1:32804, id=83, length=65 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser" Calling-Station-Id = "10.10.0.3" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
There's no password or MS-CHAP attributes in it. The request cannot be authenticated.
Use the standard FreeRADIUS config files. They work. Make pptp send MS-CHAP attributes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Michael Gale wrote:
Hello,
I have it working I believe, more testing is required but so far everything seems good.
Most of the docs I have come across say to set Auth-Type to Local or something in the mysql database.
Those docs are WRONG, as you've discovered. If possible, could you send the URLs to the list so that we can ask the authors to correct them?
Hi, I have grouped my users in ldap using "groupofNames" objectclass. now one group of users which I only want to allow to authenticate to the radius server has a dn of: dn: cn=radiususers,ou=groups,o=example,dc=com It has "member" attributes such as: member: uid=user2,ou=people,o=example,dc=com member: uid=user3,ou=people,o=example,dc=com member: uid=user4,ou=people,o=example,dc=com member: uid=user5,ou=people,o=example,dc=com In my radiusd.conf I have these lines: groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" However, I'm not sure where to specify that only the member of the group "radiususer" is allowed to authenticate... Although I can simply add an dialupAccess attribute to each user I only want to allow, It is difficult because I have so many users... If only there's a way to just tell radius to only allow the member of this group.... Please help.. thanks.
On Wed, 3 May 2006, Mark Jayson R. Alvarez wrote:
Hi,
I have grouped my users in ldap using "groupofNames" objectclass.
now one group of users which I only want to allow to authenticate to the radius server has a dn of:
dn: cn=radiususers,ou=groups,o=example,dc=com
It has "member" attributes such as:
member: uid=user2,ou=people,o=example,dc=com member: uid=user3,ou=people,o=example,dc=com member: uid=user4,ou=people,o=example,dc=com member: uid=user5,ou=people,o=example,dc=com
In my radiusd.conf I have these lines:
groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))"
However, I'm not sure where to specify that only the member of the group "radiususer" is allowed to authenticate... Although I can simply add an dialupAccess attribute to each user I only want to allow, It is difficult because I have so many users... If only there's a way to just tell radius to only allow the member of this group....
You can also use the access_attr_used_for_allow directive (see doc/rlm_ldap) See doc/rlm_ldap and ldap_howto.txt for a description of how to use ldap groups
Please help.. thanks.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
"Mark Jayson R. Alvarez" <jayson@asti.dost.gov.ph> wrote:
However, I'm not sure where to specify that only the member of the group "radiususer" is allowed to authenticate... Although I can simply add an dialupAccess attribute to each user I only want to allow, It is difficult because I have so many users... If only there's a way to just tell radius to only allow the member of this group....
See the FAQ. Use LDAP-Group Alan DeKok.
participants (5)
-
Alan DeKok -
Kostas Kalevras -
Mark Jayson R. Alvarez -
Michael Gale -
Phil Mayers