problem in integeration with poptop
I've add that line and comment ntlm line but still some error( tnx god it's not the same error) my radtest syntax: radtest root rootpassword localhost.localdomain 1645 testing123 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns ok) for request 4 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_unix: [root]: invalid password i've attached radius.conf and users and output of debug mode for both radtest and vpn client. On 10/16/07, tnt@kalik.co.yu <tnt@kalik.co.yu> wrote:
You have obviously done some work on breaking the server configuration. Put mschap{} section back the way it was (with ntlm_auth line commented out). You don't need *any* changes to the default configuration if you are using users file. Put this in users file:
root Clertext-Password := "rootpassword"
Radtest will work and so will mschap (VPN).
Ivan Kalik Kalik Informatika ISP
Dana 16/10/2007, "hadi golestani" < hadi.golestani@gmail.com> piše:
I've change it to /usr/bin/ntlm_auth ( found from locate ntlm ) but still same error. What I must add to users file to test my radius from radtest or vpn client?
sorry for bothering I'm too newbie.
On 10/16/07, tnt@kalik.co.yu <tnt@kalik.co.yu> wrote:
Well path to ntlm_auth obviously isn't /path/to/ntlm_auth.
Ivan Kalik Kalik Informatika ISP
Dana 16/10/2007, "hadi golestani" <hadi.golestani@gmail.com >
pi�e:
hi, I've installed poptop and freeradius well and both are working, but when I try to connect from a vpn connection or even radtest some error occured. what I need to add to users.conf for a simple radtest connection or a
vpn
client?
it's the output of debug mode for vpn client, some thing like this has
been
printed for radtest also:
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=30, length=132
Service-Type = Framed-User Framed-Protocol = PPP User-Name = "root" MS-CHAP-Challenge = 0x4d1a9b1028ef83957754c83ce0f55e01 MS-CHAP2-Response =
0x9e000d1394f73d58cc731cd6cf58de7cb74f00000000000000008c6daec89825fb28b90bb60b737fb683a4a80f6252935547
NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 modcall[authorize]: module "preprocess" returns ok for request 11 modcall[authorize]: module "chap" returns noop for request 11 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 11 rlm_realm: No '@' in User-Name = "root", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 11 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 11 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 11 modcall: leaving group authorize (returns ok) for request 11 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 11 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password radius_xlat: Running registered xlat function of module mschap for
string
'Challenge' mschap2: 4d radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/path/to/ntlm_auth --request-nt-key --username=root --challenge=f1090a99b916ef69 --nt-response=8c6daec89825fb28b90bb60b737fb683a4a80f6252935547' Exec-Program: /path/to/ntlm_auth --request-nt-key --username=root --challenge=f1090a99b916ef69 --nt-response=8c6daec89825fb28b90bb60b737fb683a4a80f6252935547 Exec-Program output: Exec-Program: FAILED to execute /path/to/ntlm_auth: No such file or directory Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /path/to/ntlm_auth: No such file or directory Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 11 modcall: leaving group MS-CHAP (returns reject) for request 11 auth: Failed to validate the user. Delaying request 11 for 1 seconds Finished request 11 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 30 to 127.0.0.1 port 32770 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 11 ID 30 with timestamp 47152198 Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hadi golestani wrote:
I've add that line and comment ntlm line but still some error( tnx god it's not the same error)
my radtest syntax: radtest root rootpassword localhost.localdomain 1645 testing123
modcall[authorize]: module "files" returns ok for request 4
<sigh> You deleted most of the debug log. If you don't know what the problem is, you don't know what's important in the debug log, and what's not important.
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns ok) for request 4 rad_check_password: Found Auth-Type System auth: type "System"
So you didn't put the entry at the TOP of the "users" file. The FAQ contains instructions for getting simple PAP authentication working. It's really not hard.
i've attached radius.conf and users and output of debug mode for both radtest and vpn client.
Why? The problem is simple: you haven't followed the instructions in the FAQ for PAP authentication. Alan DeKok.
It's Cleartext not Clertext for the password attribute. Ivan Kalik Kalik Informatika ISP
I know that it's taking too much , but plz accept my apologize 'cause I a little confused and have no time(sorry to say that and I know that it's not a commercial community so plz don't be angry at me). I've add the below line at the top of the users file. root Cleartext-Password := "myRealRootPassword" because this is the real root / root's password of my linux, this line in debug 'cause that access-accept via radtest modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Sending Access-Accept of id 219 to 127.0.0.1 port 32772 but when I've changed it to e.g. test / testpass old error occurred. and when I try to connect from vpn client even for root / root's real password the access has been rejected with this debug output: modcall: entering group MS-CHAP for request 1 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 1 modcall: leaving group MS-CHAP (returns reject) for request 1 auth: Failed to validate the user. why radiusd said No User-Password configured? Does it mean that password is not received from pptpd? tnx a lot.
hadi golestani wrote:
I know that it's taking too much , but plz accept my apologize 'cause I a little confused and have no time(sorry to say that and I know that it's not a commercial community so plz don't be angry at me).
If cannot make the time to understand the problem and solution, you won't be very successful in fixing it.
I've add the below line at the top of the users file. root Cleartext-Password := "myRealRootPassword"
because this is the real root / root's password of my linux, this line in debug 'cause that access-accept via radtest
modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0
Then it's not using the entry you configured.
modcall: leaving group authenticate (returns ok) for request 0 Sending Access-Accept of id 219 to 127.0.0.1 <http://127.0.0.1> port 32772
but when I've changed it to e.g. test / testpass old error occurred.
<sigh> You're not posting the full debug log, as suggested in the FAQ, README, INSTALL, etc. You're probably also massively editing radiusd.conf. STOP IT. Start with the default configuration files, and follow the FAQ to add a test account in the "users" file. Follow the FAQ to check that the account works, via "radtest". Then, login from the VPN client using that test account. If it doesn't work, I will be shocked. Again, most of the problems you see are because you are editing the configuration without understanding what you're doing. The default configuration is designed to work in the widest possible set of circumstances, with minimum changes required to get ANYTHING to work. I feel like putting that in letters 10 feet high in the FAQ, README, etc. But somehow I think there will still be people who won't bother reading them. Alan DeKok.
participants (3)
-
Alan DeKok -
hadi golestani -
tnt@kalik.co.yu