freeradius, ldap error - HELP ME!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Please freeradius User... HELP ME! So, I use a pppoe-freeradius-ldap system for access and autenticate user.. but some go wrong.. and when I try to connect me appare this error... what's wrong in my configuration? look this! this is the freeradius output Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:1027, id=159, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: no dialupAccess attribute - access denied by default rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns userlock for request 0 modcall: leaving group authorize (returns userlock) for request 0 Invalid user (rlm_ldap: Access Attribute denies access): [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 159 to 127.0.0.1 port 1027 Waking up in 3 seconds... - --- Walking the entire request list --- Cleaning up request 0 ID 159 with timestamp 45ffa841 Nothing to do. Sleeping until we see a request. But the Ldap database work good! the User peppeska have the password and the direct access to ldap database work! what I must do? - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF/6qQkA6hcnFZI/YRAlRfAKDVYKu8MkY8QSz80gnaJTkGgtnttACbBaPU wPIiKiVRmzm2c91/6a6jSjA= =ZqNs -----END PGP SIGNATURE-----
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de peppeska Envoyé : mardi 20 mars 2007 10:34 À : FreeRadius users mailing list Objet : freeradius, ldap error - HELP ME!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Please freeradius User... HELP ME!
So, I use a pppoe-freeradius-ldap system for access and autenticate user.. but some go wrong.. and when I try to connect me appare this error... what's wrong in my configuration?
look this! this is the freeradius output
rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: no dialupAccess attribute - access denied by default ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Comment this line in your ldap section of radiusd.conf: # access_attr = "dialupAccess" HTH, Thibault
rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: no dialupAccess attribute - access denied by default ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Comment this line in your ldap section of radiusd.conf: # access_attr = "dialupAccess"
And comment this one too, like this : # access_attr_used_for_allow = yes
HTH, Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thibault Le Meur ha scritto:
Comment this line in your ldap section of radiusd.conf: # access_attr = "dialupAccess"
And comment this one too, like this : # access_attr_used_for_allow = yes
I do it! and now there is the following error: rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: Added password billuzzo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No MS-CHAP-Challenge in the request modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 118 to 127.0.0.1 port 1027 Waking up in 3 seconds... - --- Walking the entire request list --- Cleaning up request 0 ID 118 with timestamp 4600073d Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:1027, id=119, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: Added password billuzzo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 1 rlm_mschap: No MS-CHAP-Challenge in the request modcall[authenticate]: module "mschap" returns reject for request 1 modcall: leaving group MS-CHAP (returns reject) for request 1 auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 1 for 1 seconds Finished request 1 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 119 to 127.0.0.1 port 1027 Waking up in 4 seconds... - --- Walking the entire request list --- Cleaning up request 1 ID 119 with timestamp 46000765 Nothing to do. Sleeping until we see a request. now the problem is with the MS-CHAP autentication...:-( - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAGPQkA6hcnFZI/YRAvqlAJ9gbpL2GYl96+MLRUkc4Ihl9kVwRQCcCcBk v0eema7N3QFFosT6h9iDGkU= =6vnI -----END PGP SIGNATURE-----
peppeska wrote: ...
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP"
Where did the "Auth-Type = MS-CHAP" come from? It's not in the default configuration. i.e. you edited the server configuration to break it. Don't do that. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok ha scritto:
peppeska wrote: ...
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP"
Where did the "Auth-Type = MS-CHAP" come from? It's not in the default configuration.
ok I make some change in my configuration file.. Now my configuration in user file is: DEFAULT Auth-Type = "LDAP" Fall-Through = 1 But the output now is: rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - ->Where is User-Password attribute? - ------------------------------------------------ Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -> mmmmm depend to ppp version? it's possible? - ---------------------------------------------------------------------- modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: leaving group LDAP (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 65 to 127.0.0.1 port 1030 Waking up in 2 seconds... - --- Walking the entire request list --- Cleaning up request 0 ID 65 with timestamp 4600fb5f Nothing to do. Sleeping until we see a request. ok.. I my ldap.attrmap contain: checkItem User-Password lmPassword checkItem LM-Password lmPassword checkItem NT-Password ntPassword And the ldap section in radiusd.conf contain: password_attribute = User-Password What's the problem? - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAP5skA6hcnFZI/YRAmuUAJ9Ql6J+TImJf7/mmPyJ0z54pSfiBwCgrMkQ rk1f2Cwt+EFPc6rqBLjrGJk= =ocug -----END PGP SIGNATURE-----
peppeska wrote:
Now my configuration in user file is:
DEFAULT Auth-Type = "LDAP" Fall-Through = 1
Can you explain why you're setting Auth-Type? All of the docs say to NOT DO THAT.
But the output now is:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 ... ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ->Where is User-Password attribute?
Ask the NAS. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok ha scritto:
peppeska wrote:
Now my configuration in user file is:
DEFAULT Auth-Type = "LDAP" Fall-Through = 1
Can you explain why you're setting Auth-Type? All of the docs say to NOT DO THAT.
ooooook I comment that but now: rad_recv: Access-Request packet from host 127.0.0.1:1030, id=66, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 66 to 127.0.0.1 port 1030 Cleaning up request 0 ID 66 with timestamp 46010854 Nothing to do. Sleeping until we see a request.
But the output now is:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 ... ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ->Where is User-Password attribute?
Ask the NAS.
what?
- -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAQj5kA6hcnFZI/YRAsKoAKCXuWuZ4YpaZpYqs/iyqHfu50j9EwCgrGOh 6G3Y8O4ZhWZESvofWdiOEAY= =UNNH -----END PGP SIGNATURE-----
peppeska wrote:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
^^^^^^^^^^
->Where is User-Password attribute?
Ask the NAS.
what?
In this case I have a suspicion the "NAS" could be radclient... How are you sending requests to freeRADIUS? regards, Mike
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Mitchell ha scritto:
peppeska wrote:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 ^^^^^^^^^^
->Where is User-Password attribute? Ask the NAS.
what?
In this case I have a suspicion the "NAS" could be radclient...
How are you sending requests to freeRADIUS?
Freeradius recive request from pppoe-server, I try to connect to pppoe-server from a linux box
- -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGASiekA6hcnFZI/YRAmonAKC876X/8o6xWoOM73C07JyIeem2YwCdE05H XjpsMgzBUspOONgapXx3gXg= =Vy07 -----END PGP SIGNATURE-----
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de peppeska Envoyé : mercredi 21 mars 2007 13:44 À : FreeRadius users mailing list Objet : Re: freeradius, ldap error - HELP ME!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Michael Mitchell ha scritto:
peppeska wrote:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 ^^^^^^^^^^
->Where is User-Password attribute? Ask the NAS.
what?
In this case I have a suspicion the "NAS" could be radclient...
How are you sending requests to freeRADIUS?
Freeradius recive request from pppoe-server, I try to connect to pppoe-server from a linux box
Is your pppoe-server a linux server ? Is your pppoe client or pppoe server configured to use ms-chap authentication ? If your pppoe server is a linux box, have you checked that the radiusclient library contains the microsoft dictionnary as I described in my previous email ? Regards, Thibault Le Meur
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thibault Le Meur ha scritto:
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de peppeska Envoyé : mercredi 21 mars 2007 13:44 À : FreeRadius users mailing list Objet : Re: freeradius, ldap error - HELP ME!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Michael Mitchell ha scritto:
peppeska wrote:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 ^^^^^^^^^^
->Where is User-Password attribute? Ask the NAS.
what?
In this case I have a suspicion the "NAS" could be radclient...
How are you sending requests to freeRADIUS?
Freeradius recive request from pppoe-server, I try to connect to pppoe-server from a linux box
Is your pppoe-server a linux server ? Is your pppoe client or pppoe server configured to use ms-chap authentication ?
If your pppoe server is a linux box, have you checked that the radiusclient library contains the microsoft dictionnary as I described in my previous email ?
Thibault Le Meur ha scritto:
But the output now is:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - ->Where is User-Password attribute? - ------------------------------------------------
A good question indeed, that one should be asked to your NAS ;-)
It's up to the NAS to send User-Password: unless it is setup to do something else (for instance MSCHAP).
Have you setup ppp to use mschap (require-mschap-v2 option) ? Are you using the radiusclient library ?
refuse-pap refuse-chap require-mschap require-mschap-v2 require-mppe
If yes, could you check that you radiusclient dictionnary file includes Microsoft attributes: * check the "dictionary <path-to-dict-file>" line of /etc/radiusclient-ng/radiusclient.conf file (or /etc/radiusclient/radiusclient.conf file) * check that the file <path-to-dict-file> contains a reference to other dictionnary files such as: INCLUDE /usr/share/radiusclient-ng/dictionary.merit INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft * check that you have these 2 extra dictionnary files (especially the microsoft one) ==> I've attached the two files
in my radiusclient.conf there is: # dictionary of allowed attributes and values # just like in the normal RADIUS distributions dictionary /etc/radiusclient/dictionary and in the dictonary file: $INCLUDE /etc/radiusclient/dictionary.microsoft $INCLUDE /etc/radiusclient/dictionary.ascend $INCLUDE /etc/radiusclient/dictionary.compat $INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary But... whitout declaretion of Default Auth-Type in the users file: rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGATavkA6hcnFZI/YRAtO2AKCvLofpLFkKzqJ3pHWgCB5WfU+PZQCdFCKU 5BM2fsuNTyacCHdX5z6hCjA= =y9bX -----END PGP SIGNATURE-----
Hi, Very strange I didn't get this email ? See my comments below:
Thibault Le Meur ha scritto:
But the output now is:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - ->Where is User-Password attribute? - ------------------------------------------------
A good question indeed, that one should be asked to your NAS ;-)
It's up to the NAS to send User-Password: unless it is setup to do something else (for instance MSCHAP).
Have you setup ppp to use mschap (require-mschap-v2 option) ? Are you using the radiusclient library ?
refuse-pap refuse-chap require-mschap require-mschap-v2 require-mppe
Ok so that your NAS don't have to send User-Password but a MS-CHAP challenge instead: that's what I thought.
If yes, could you check that you radiusclient dictionnary file includes Microsoft attributes: * check the "dictionary <path-to-dict-file>" line of /etc/radiusclient-ng/radiusclient.conf file (or /etc/radiusclient/radiusclient.conf file) * check that the file <path-to-dict-file> contains a reference to other dictionnary files such as: INCLUDE /usr/share/radiusclient-ng/dictionary.merit INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft * check that you have these 2 extra dictionnary files (especially the microsoft one) ==> I've attached the two files
in my radiusclient.conf there is:
# dictionary of allowed attributes and values # just like in the normal RADIUS distributions dictionary /etc/radiusclient/dictionary
and in the dictonary file: $INCLUDE /etc/radiusclient/dictionary.microsoft $INCLUDE /etc/radiusclient/dictionary.ascend $INCLUDE /etc/radiusclient/dictionary.compat $INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary
Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for radiusclient.
But... whitout declaretion of Default Auth-Type in the users file:
rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0
Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use Auth-Type:=): this will be the case if FR receives MS-CHAP challenge. But this can work only if radiusclient knows the MS-CHAP Radius attributes, which is not the case for the momenet (see above the INCLUDE issue). Regards, Thibault
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Thibault Le Meur ha scritto:
Have you setup ppp to use mschap (require-mschap-v2 option) ? Are you using the radiusclient library ?
refuse-pap refuse-chap require-mschap require-mschap-v2 require-mppe
Ok so that your NAS don't have to send User-Password but a MS-CHAP challenge instead: that's what I thought.
oooooooooook
and in the dictonary file: $INCLUDE /etc/radiusclient/dictionary.microsoft $INCLUDE /etc/radiusclient/dictionary.ascend $INCLUDE /etc/radiusclient/dictionary.compat $INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary
Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for radiusclient.
Now.. without "$"
But... whitout declaretion of Default Auth-Type in the users file:
rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0
Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.
ooooooooooook the /etc/freeradius/users file now contain: DEFAULT Auth-Type = "MS-CHAP" Fall-Through = yes
But this can work only if radiusclient knows the MS-CHAP Radius attributes, which is not the case for the momenet (see above the INCLUDE issue).
Well.. I try now... and....(roll of drumps): Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. NOTHING!!!! the freeradius don't recive request (uff) and: debian:~# plog Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2] Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2] Mar 21 16:13:52 debian pppd[3885]: Connection terminated. Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes... Mar 21 16:13:52 debian pppd[3885]: script /usr/sbin/pppoe -n -I eth1 - -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886 Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1 Mar 21 16:13:52 debian pppd[3885]: Exit. debian:~# MMM damn! why freeradius don't want work with me? P.S. without the Deafult Auth-Type in the users file...it's the same... If I put $INCLUDE instead INCLUDE... work like before... and now? - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAU0RkA6hcnFZI/YRAtfvAJ4nxFC9JTgLR1FEJ6E1eyMxP/yXWwCeKDYZ sFZqyoJilQMJxh7wxCHoWyI= =ZmIX -----END PGP SIGNATURE-----
and in the dictonary file: $INCLUDE /etc/radiusclient/dictionary.microsoft $INCLUDE /etc/radiusclient/dictionary.ascend $INCLUDE /etc/radiusclient/dictionary.compat $INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary
Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for radiusclient.
Now.. without "$"
the /etc/freeradius/users file now contain:
DEFAULT Auth-Type = "MS-CHAP" Fall-Through = yes
Not a good idea ;-)
But this can work only if radiusclient knows the MS-CHAP Radius attributes, which is not the case for the momenet (see above the INCLUDE issue).
Well.. I try now... and....(roll of drumps):
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
NOTHING!!!! the freeradius don't recive request (uff)
That's because the NAS doesn't send packets (or because you have firewall rules droppig packets, but this shouldn't be the case since you got packets in the past).
and:
debian:~# plog Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2] Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2] Mar 21 16:13:52 debian pppd[3885]: Connection terminated. Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes... Mar 21 16:13:52 debian pppd[3885]: script /usr/sbin/pppoe -n -I eth1 - -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886 Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1 Mar 21 16:13:52 debian pppd[3885]: Exit. debian:~#
MMM damn! why freeradius don't want work with me?
It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
P.S. without the Deafult Auth-Type in the users file...it's the same... If I put $INCLUDE instead INCLUDE... work like before...
Very strange I've got several servers her using radiusclient with the INCLUDE syntax !! Or may it be an issue with the dictionnary files ?
$INCLUDE /usr/share/freeradius/dictionary
Avoid this one, it shouldn't be necessary.
$INCLUDE /etc/radiusclient/dictionary.microsoft $INCLUDE /etc/radiusclient/dictionary.ascend $INCLUDE /etc/radiusclient/dictionary.compat $INCLUDE /etc/radiusclient/dictionary.merit
Are these dictionaries from the radiusclient distro or did you copy the dictionaries from freeradius ? Please use only dictionaries from the radiusclient distributions. (Or try the one I posted if you don't have them in the distro). Let me know, Thibault
MMM damn! why freeradius don't want work with me?
It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
P.S. without the Deafult Auth-Type in the users file...it's the same... If I put $INCLUDE instead INCLUDE... work like before...
Very strange I've got several servers her using radiusclient with the INCLUDE syntax !!
Very very curious, I've checked radiusclient's original code and it seems it is "$INCLUDE" syntax that is the good one. So keep with this one for now. I just have no clue on why on my system only "INCLUDE" works !!!!!! Sorry for this wrong information ! Had you got new results ? Regards, Thibault
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ok!!! Now I have this configuration
INCLUDE /etc/radiusclient/dictionary.microsoft INCLUDE /etc/radiusclient/dictionary.ascend INCLUDE /etc/radiusclient/dictionary.compat INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary And... (same roll of drumps) rad_recv: Access-Request packet from host 127.0.0.1:1028, id=40, length=136 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf MS-CHAP2-Response = 0x05006a01dac8d579188fab13d4f5b10524c2000000000000000074aba52270d19850e5169d1e6410fe36c608d63ff061a401 NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 1 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: Added password billuzzo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 1 rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 1 modcall: leaving group MS-CHAP (returns ok) for request 1 Login OK: [peppeska/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 1 modcall[post-auth]: module "ldap" returns noop for request 1 modcall: leaving group post-auth (returns noop) for request 1 Sending Access-Accept of id 40 to 127.0.0.1 port 1028 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x05533d46384134363830383437333231383543443335394538363933394636453234323633323333373143 MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804 MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Finished request 1 Going to the next request - --- Walking the entire request list --- Waking up in 6 seconds... - --- Walking the entire request list --- Cleaning up request 1 ID 40 with timestamp 4601688f Nothing to do. Sleeping until we see a request. Well! it work! or not? because.. this is the pppoe-server log debian:~# plog Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2] Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2] Mar 21 18:33:54 debian pppd[4306]: Connection terminated. Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes... Mar 21 18:33:54 debian pppd[4306]: script /usr/sbin/pppoe -n -I eth1 - -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307 Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e 5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1 Mar 21 18:33:55 debian pppd[4306]: Exit. debian:~# boh!!!!!! I realy don't now why...
- -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAW0PkA6hcnFZI/YRAsv4AJ9wRB4Vl/2clx6Knw8P0zbTrZI1YQCfXmgF skR/gztg4MHbO4l/vq+xiRI= =Gb65 -----END PGP SIGNATURE-----
peppeska wrote:
Ok!!! Now I have this configuration
INCLUDE /etc/radiusclient/dictionary.microsoft INCLUDE /etc/radiusclient/dictionary.ascend INCLUDE /etc/radiusclient/dictionary.compat INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary
No. radiusclient can't use the FreeRADIUS dictionaries. Once freeradius-client is updated, it will use the FreeRADIUS dictionaries. But radiusclient can't. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok ha scritto:
peppeska wrote:
Ok!!! Now I have this configuration
INCLUDE /etc/radiusclient/dictionary.microsoft INCLUDE /etc/radiusclient/dictionary.ascend INCLUDE /etc/radiusclient/dictionary.compat INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary
No. radiusclient can't use the FreeRADIUS dictionaries.
ooooooooook now I don't have the freeradius dictionary... now the freradius: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:1028, id=50, length=136 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" MS-CHAP-Challenge = 0x3733ba43d6d8debb5b0302f590250afd MS-CHAP2-Response = 0x0f00997701aa0d8775038e203d7c0487880f0000000000000000e6ba63b22268fbe23624491c47a9744354f94591fc730a90 NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: Added password billuzzo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 0 modcall: leaving group MS-CHAP (returns ok) for request 0 Login OK: [peppeska/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 modcall[post-auth]: module "ldap" returns noop for request 0 modcall: leaving group post-auth (returns noop) for request 0 Sending Access-Accept of id 50 to 127.0.0.1 port 1028 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x0f533d33344135313830413334423831353141383738414532454632414341303830394341423344393945 MS-MPPE-Recv-Key = 0x923e2c93c2156b71231ea782495f5b99 MS-MPPE-Send-Key = 0x44fe16f0095f4b51b33c59a5387f512c MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 6 seconds... - --- Walking the entire request list --- Cleaning up request 0 ID 50 with timestamp 4601790a Nothing to do. Sleeping until we see a request. but plog: root@applejack:/home/peppeska# plog Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded. Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0 Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6 Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0 Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 <--> tap1 Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed: Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed Mar 21 19:21:41 applejack pppd[18529]: Connection terminated. root@applejack:/home/peppeska# poff UFFA!!! I promitt that I send a "Cassata Siciliana" to who resolv my problem...
- -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAXkskA6hcnFZI/YRAjp5AJ4ze65NRu3Ru1N/AuShXl+jgwPWpgCeMyko i82K1WaCNttfrjX8WszJbpg= =Y7KG -----END PGP SIGNATURE-----
peppeska wrote: ...
Sending Access-Accept of id 50 to 127.0.0.1 port 1028 ... Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
PPPD is broken. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok ha scritto:
peppeska wrote: ...
Sending Access-Accept of id 50 to 127.0.0.1 port 1028 ... Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
PPPD is broken.
And wath I most do now? @Thibault Le Meur I use Your dictonary... the final respone is: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" MS-CHAP-Challenge = 0xb6b462d0d978bcbfe51e4783f4a3dd32 MS-CHAP2-Response = 0xa0002138a2441156e5ed33506db0e19e960d0000000000000000b1cfdb576490d5d29b54d30317856b01d0780f1d51ef5fa7 NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: Added password billuzzo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 0 modcall: leaving group MS-CHAP (returns ok) for request 0 Login OK: [peppeska/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 modcall[post-auth]: module "ldap" returns noop for request 0 modcall: leaving group post-auth (returns noop) for request 0 Sending Access-Accept of id 51 to 127.0.0.1 port 1028 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0xa0533d32463945383842443446423034313543303139374631363834344244424532413836423234323346 MS-MPPE-Recv-Key = 0xee31ff0993d0e3b1589a2920ac31b3d8 MS-MPPE-Send-Key = 0x61bccd9e7dbd48aa264d2117a72ed2cc MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136 Sending duplicate reply to client localhost:1028 - ID: 51 Re-sending Access-Accept of id 51 to 127.0.0.1 port 1028 - --- Walking the entire request list --- Cleaning up request 0 ID 51 with timestamp 46018448 Nothing to do. Sleeping until we see a request. debian:/etc/freeradius# tail /var/log/messages Mar 21 19:38:15 debian -- MARK -- Mar 21 19:58:19 debian -- MARK -- Mar 21 20:15:14 debian pppd[4426]: Plugin radius.so loaded. Mar 21 20:15:14 debian pppd[4426]: RADIUS plugin initialized. Mar 21 20:15:15 debian pppd[4426]: pppd 2.4.4 started by root, uid 0 Mar 21 20:15:17 debian pppd[4426]: Using interface ppp0 Mar 21 20:15:17 debian pppd[4426]: Connect: ppp0 <--> /dev/pts/2 Mar 21 20:15:32 debian pppd[4426]: Peer peppeska failed CHAP authentication Mar 21 20:15:32 debian pppd[4426]: Connection terminated. Mar 21 20:15:33 debian pppd[4426]: Exit. debian:/etc/freeradius# ma script to start pppoe-server is debian:~# cat start-pppoe2.sh #!/bin/bash MAX=250 BASE=10.67.7.1 NAT=10.67.7.0/24 MYIP=193.205.94.13 iptables -A INPUT -i eth0 -s $NAT -j DROP iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP pppoe-server -T 60 -I eth1 -N $MAX -C PPPoE-R -S PPPoE-R -R $BASE debian:~#
- -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAYV9kA6hcnFZI/YRAspvAKCr1JXqtUkxbArgOwneCiYH621BGQCgyKaf GsJHbl3ybsslFZKKP+iSG3I= =euMt -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 peppeska ha scritto:
ma script to start pppoe-server is
debian:~# cat start-pppoe2.sh #!/bin/bash MAX=250 BASE=10.67.7.1 NAT=10.67.7.0/24 MYIP=193.205.94.13 iptables -A INPUT -i eth0 -s $NAT -j DROP iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP pppoe-server -T 60 -I eth1 -N $MAX -C PPPoE-R -S PPPoE-R -R $BASE debian:~#
nobody can help me? - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGA+6VkA6hcnFZI/YRAp2cAKCov2R+AetOdFgaJrqntCRX/ltpNACgmnoJ 3PvvnqnjYBKDyNeKkFNSr60= =7072 -----END PGP SIGNATURE-----
but plog:
root@applejack:/home/peppeska# plog Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded. Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0 Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6 Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0 Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 <--> tap1 Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed: Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed Mar 21 19:21:41 applejack pppd[18529]: Connection terminated. root@applejack:/home/peppeska# poff
UFFA!!! I promitt that I send a "Cassata Siciliana" to who resolv my problem...
plog may not be enough: could you check the /var/log/messages Moreover, what dictionnary.microsoft file are you using ? Maybe it is lacking some attributes and radiusclient doesn't understand them. If you're not using the one I posted today, could you test with this one instead ? Thibault
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de peppeska Envoyé : mercredi 21 mars 2007 18:36 À : FreeRadius users mailing list Objet : Re: RE : RE : RE : freeradius, ldap error - HELP ME!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Ok!!! Now I have this configuration
INCLUDE /etc/radiusclient/dictionary.microsoft INCLUDE /etc/radiusclient/dictionary.ascend INCLUDE /etc/radiusclient/dictionary.compat INCLUDE /etc/radiusclient/dictionary.merit $INCLUDE /usr/share/freeradius/dictionary
Very Very Very Weird !!!! I'm curious about one thing: when you remove the last "$INCLUDE" line, does it work as described below ? I'm also wondering why only "INCLUDE" statement work unless the radiusclient code uses a hardoced "$INCLUDE" strncmp in dict.c !!!! Alan, I thought there was a plan to make the radiusclient hosted at freeradius.org so that It will benefit from Freeradius developpment: is it always a plan ?
And... (same roll of drumps)
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=40, length=136 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf MS-CHAP2-Response = 0x05006a01dac8d579188fab13d4f5b10524c2000000000000000074aba522 70d19850e5169d1e6410fe36c608d63ff061a401 NAS-IP-Address = 127.0.0.1 NAS-Port = 0
Better,
Sending Access-Accept of id 40 to 127.0.0.1 port 1028 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x05533d463841343638303834373332313835434433353945383639333946 36453234323633323333373143 MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804 MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004
Ok, you're done with Freeradius.
Well! it work! or not?
As far as Freeradius is concerned yes.
because.. this is the pppoe-server log
debian:~# plog Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2] Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2] Mar 21 18:33:54 debian pppd[4306]: Connection terminated. Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes... Mar 21 18:33:54 debian pppd[4306]: script /usr/sbin/pppoe -n -I eth1 - -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307 Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e 5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1 Mar 21 18:33:55 debian pppd[4306]: Exit. debian:~#
boh!!!!!! I realy don't now why...
Just a question: who is suposed to assign the IP address: Freeradius in Framed-IP-Address Attribute or your pppoe server ? Regards, Thibault
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok ha scritto:
peppeska wrote: ...
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP"
Where did the "Auth-Type = MS-CHAP" come from? It's not in the default configuration.
ok I make some change in my configuration file.. Now my configuration in user file is: DEFAULT Auth-Type = "LDAP" Fall-Through = 1 But the output now is: rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - ->Where is User-Password attribute? - ------------------------------------------------ Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -> mmmmm depend to ppp version? it's possible? - ---------------------------------------------------------------------- modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: leaving group LDAP (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 65 to 127.0.0.1 port 1030 Waking up in 2 seconds... - --- Walking the entire request list --- Cleaning up request 0 ID 65 with timestamp 4600fb5f Nothing to do. Sleeping until we see a request. ok.. I my ldap.attrmap contain: checkItem User-Password lmPassword checkItem LM-Password lmPassword checkItem NT-Password ntPassword And the ldap section in radiusd.conf contain: password_attribute = User-Password What's the problem? - -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---| |donpeppiniello@tiscali.it - http://peppeska.altervista.org------| |Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAP+4kA6hcnFZI/YRAgF+AKC7+GLE/xihS1DkdHcHk9pvTINsOgCgm4s8 ejjPb/Qg2uW/D2ddqSWj0Ao= =cvka -----END PGP SIGNATURE-----
But the output now is:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "peppeska" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - ->Where is User-Password attribute? - ------------------------------------------------
A good question indeed, that one should be asked to your NAS ;-) It's up to the NAS to send User-Password: unless it is setup to do something else (for instance MSCHAP). Have you setup ppp to use mschap (require-mschap-v2 option) ? Are you using the radiusclient library ? If yes, could you check that you radiusclient dictionnary file includes Microsoft attributes: * check the "dictionary <path-to-dict-file>" line of /etc/radiusclient-ng/radiusclient.conf file (or /etc/radiusclient/radiusclient.conf file) * check that the file <path-to-dict-file> contains a reference to other dictionnary files such as: INCLUDE /usr/share/radiusclient-ng/dictionary.merit INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft * check that you have these 2 extra dictionnary files (especially the microsoft one) ==> I've attached the two files Regards, Thibault
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for peppeska radius_xlat: '(cn=peppeska)' radius_xlat: 'dc=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,dc=example/root to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example, with filter (cn=peppeska) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user peppeska authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -> mmmmm depend to ppp version? it's possible? - ---------------------------------------------------------------------- modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: leaving group LDAP (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request - --- Walking the entire request list --- Waking up in 1 seconds... - --- Walking the entire request list --- Sending Access-Reject of id 65 to 127.0.0.1 port 1030 Waking up in 2 seconds... - --- Walking the entire request list --- Cleaning up request 0 ID 65 with timestamp 4600fb5f Nothing to do. Sleeping until we see a request.
ok.. I my ldap.attrmap contain:
checkItem User-Password lmPassword checkItem LM-Password lmPassword checkItem NT-Password ntPassword
And the ldap section in radiusd.conf contain:
password_attribute = User-Password
What's the problem?
- -- <<<<---------------------------------------------------------->>>> |Giuseppe Moscato aka peppeska - Linux User - no html messages---|
|donpeppiniello@tiscali.it - http://peppeska.altervista.org------|
|Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D| <<<<---------------------------------------------------------->>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGAP+4kA6hcnFZI/YRAgF+AKC7+GLE/xihS1DkdHcHk9pvTINsOgCgm4s8 ejjPb/Qg2uW/D2ddqSWj0Ao= =cvka -----END PGP SIGNATURE----- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Michael Mitchell -
peppeska -
Thibault Le Meur