Hi there, New questions are ready. :) I have radiusd.conf authorize { chap preprocess suffix mschap ldap } ... authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } } ... I am making VPN server with PPPD with radius module as NAS. Passwords are stored in LDAP database in clear text format. When i use PAP in connection setting, it works pretty fine ( connection is established) but with chap: What does it mean login attempt ? Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: checking if remote access for dmitry is allowed by dialupAccess Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: Password header not found in password qazxsw for user dmitry Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for check items in directory... Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for reply items in directory... Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: user dmitry authorized to use remote access Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Oct 3 02:16:05 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3 Mon Oct 3 02:16:05 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 3 Mon Oct 3 02:16:05 2005 : Debug: modcall: group authorize returns ok for request 3 Mon Oct 3 02:16:05 2005 : Debug: rad_check_password: Found Auth-Type CHAP Mon Oct 3 02:16:05 2005 : Debug: auth: type "CHAP" Mon Oct 3 02:16:05 2005 : Debug: Processing the authenticate section of radiusd.conf Mon Oct 3 02:16:05 2005 : Debug: modcall: entering group Auth-Type for request 3 Mon Oct 3 02:16:05 2005 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 3 Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: login attempt by "dmitry" with CHAP password Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: Could not find clear text password for user dmitry Mon Oct 3 02:16:05 2005 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 3 Mon Oct 3 02:16:05 2005 : Debug: modcall[authenticate]: module "chap" returns invalid for request 3 Mon Oct 3 02:16:05 2005 : Debug: modcall: group Auth-Type returns invalid for request 3 Mon Oct 3 02:16:05 2005 : Debug: auth: Failed to validate the user.
are you sure that you have passwords in ldap in cleartext format?
Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: checking if remote access for dmitry is allowed by dialupAccess Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: Password header not found in password qazxsw for user dmitry Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for check items in directory... Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for reply items in directory... Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: user dmitry authorized to use remote access Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Oct 3 02:16:05 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3 Mon Oct 3 02:16:05 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 3 Mon Oct 3 02:16:05 2005 : Debug: modcall: group authorize returns ok for request 3
so the user dmitry is found in the ldap, and authorize succeeds.
Mon Oct 3 02:16:05 2005 : Debug: rad_check_password: Found Auth-Type CHAP Mon Oct 3 02:16:05 2005 : Debug: auth: type "CHAP" Mon Oct 3 02:16:05 2005 : Debug: Processing the authenticate section of radiusd.conf Mon Oct 3 02:16:05 2005 : Debug: modcall: entering group Auth-Type for request 3 Mon Oct 3 02:16:05 2005 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 3 Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: login attempt by "dmitry" with CHAP password Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: Could not find clear text password for user dmitry
here radius complains that it can't find a cleartext password for the user dmitry. check your ldap configs again to see that passwords are in cleartext. if you're using openldap, you have to set the password-hash to {CLEARTEXT}, and that actually doesn't work in current stable versions of openldap. if you don't have any value set, then I think it uses SHA by default but I'm not sure on that one. if you're using some other type of ldap server, read the appropriate docs and check over your config files once again. because PAP authentication does work, that also leads me to believe that the problem is not with freeradius, but with the passwords in ldap.
participants (2)
-
Andrew Browning -
Dmitry Alekhin