(5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
I need to use radius as the backend of pptp vpn for auth/login/accounting etc. and I try to figure it out with the help of this doc: http://www.sajithpn.com/2016/08/centos-7-installing-pptp-freeradius.html freeradius: # rpm -qa | grep radius freeradius-3.0.4-7.el7_3.x86_64 radiusclient-ng-0.5.6-9.el7.x86_64 freeradius-utils-3.0.4-7.el7_3.x86_64 freeradius-mysql-3.0.4-7.el7_3.x86_64 with daloradius-0.9.9 as the web interface, both running on localhost, the system is centos 7.2. I use daloradius to add a new user wyx1(cleartext-password), and it passed "test user connectivity" test, below is the daloradius/radtest and radiusd -X output: daloradius output: *Executed:* echo "User-Name='wyx1',User-Password='wyx1'" | radclient -c '1' -n '3' -r '3' -t '3' -x '127.0.0.1:1812' 'auth' 'testing123' 2>&1 *Results:* Sending Access-Request Id 12 from 0.0.0.0:33948 to 127.0.0.1:1812 User-Name = 'wyx1' User-Password = 'wyx1' Received Access-Accept Id 12 from 127.0.0.1:1812 to 127.0.0.1:33948 length 20 radtest output: # radtest wyx1 wyx1 127.0.0.1 0 testing123 Sending Access-Request Id 127 from 0.0.0.0:38206 to 127.0.0.1:1812 User-Name = 'wyx1' User-Password = 'wyx1' NAS-IP-Address = 10.44.55.2 NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Accept Id 127 from 127.0.0.1:1812 to 127.0.0.1:38206 length 20 radius -X output: Received Access-Request Id 32 from 127.0.0.1:46310 to 127.0.0.1:1812 length 44 User-Name = 'wyx1' User-Password = 'wyx1' (6) Received Access-Request packet from host 127.0.0.1 port 46310, id=32, length=44 (6) User-Name = 'wyx1' (6) User-Password = 'wyx1' (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (!&User-Name) (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\\.\\./ ) (6) if (&User-Name =~ /\\.\\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\\.$/) (6) if (&User-Name =~ /\\.$/) -> FALSE (6) if (&User-Name =~ /@\\./) (6) if (&User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log : --> /var/log/radius/radacct/ 127.0.0.1/auth-detail-20170327 (6) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170327 (6) auth_log : EXPAND %t (6) auth_log : --> Mon Mar 27 00:53:15 2017 (6) [auth_log] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "wyx1", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : No EAP-Message, not doing EAP (6) [eap] = noop (6) sql : EXPAND %{User-Name} (6) sql : --> wyx1 (6) sql : SQL-User-Name set to 'wyx1' rlm_sql (sql): Reserved connection (7) (6) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (6) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wyx1' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wyx1' ORDER BY id' (6) sql : User found in radcheck table (6) sql : Check items matched (6) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (6) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wyx1' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wyx1' ORDER BY id' (6) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (6) sql : --> SELECT groupname FROM radusergroup WHERE username = 'wyx1' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'wyx1' ORDER BY priority' (6) sql : User not found in any groups rlm_sql (sql): Released connection (7) rlm_sql (sql): 0 of 3 connections in use. Need more spares rlm_sql (sql): Opening additional connection (8) rlm_sql_mysql: Starting connect to MySQL server rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 933 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 967 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket (6) [sql] = ok (6) [expiration] = noop (6) [logintime] = noop (6) [pap] = updated (6) } # authorize = updated (6) Found Auth-Type = PAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Auth-Type PAP { (6) pap : Login attempt with password (6) pap : User authenticated successfully (6) [pap] = ok (6) } # Auth-Type PAP = ok (6) # Executing section post-auth from file /etc/raddb/sites-enabled/default (6) post-auth { (6) reply_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (6) reply_log : --> /var/log/radius/radacct/ 127.0.0.1/reply-detail-20170327 (6) reply_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20170327 (6) reply_log : EXPAND %t (6) reply_log : --> Mon Mar 27 00:53:15 2017 (6) [reply_log] = ok (6) sql : EXPAND .query (6) sql : --> .query (6) sql : Using query template 'query' rlm_sql (sql): Reserved connection (8) (6) sql : EXPAND %{User-Name} (6) sql : --> wyx1 (6) sql : SQL-User-Name set to 'wyx1' (6) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (6) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wyx1', 'wyx1', 'Access-Accept', '2017-03-27 00:53:15') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wyx1', 'wyx1', 'Access-Accept', '2017-03-27 00:53:15')' rlm_sql (sql): Released connection (8) (6) [sql] = ok (6) [exec] = noop (6) remove_reply_message_if_eap remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else else { (6) [noop] = noop (6) } # else else = noop (6) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (6) } # post-auth = ok (6) Sending Access-Accept packet to host 127.0.0.1 port 46310, id=32, length=0 Sending Access-Accept Id 32 from 127.0.0.1:1812 to 127.0.0.1:46310 (6) Finished request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (6) Cleaning up request packet ID 32 with timestamp +1053 Ready to process requests Now, everything seems fine. But when I use the same account to connect the pptp server, it says Authentication failed: Received Access-Request Id 232 from 127.0.0.1:39104 to 127.0.0.1:1812 length 65 Service-Type = Framed-User Framed-Protocol = PPP User-Name = 'wyx1' Calling-Station-Id = '117.73.147.49' NAS-IP-Address = 10.44.55.2 NAS-Port = 0 (7) Received Access-Request packet from host 127.0.0.1 port 39104, id=232, length=65 (7) Service-Type = Framed-User (7) Framed-Protocol = PPP (7) User-Name = 'wyx1' (7) Calling-Station-Id = '117.73.147.49' (7) NAS-IP-Address = 10.44.55.2 (7) NAS-Port = 0 (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (!&User-Name) (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\\.\\./ ) (7) if (&User-Name =~ /\\.\\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\\.$/) (7) if (&User-Name =~ /\\.$/) -> FALSE (7) if (&User-Name =~ /@\\./) (7) if (&User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (7) auth_log : --> /var/log/radius/radacct/ 127.0.0.1/auth-detail-20170327 (7) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170327 (7) auth_log : EXPAND %t (7) auth_log : --> Mon Mar 27 00:56:06 2017 (7) [auth_log] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "wyx1", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : No EAP-Message, not doing EAP (7) [eap] = noop (7) sql : EXPAND %{User-Name} (7) sql : --> wyx1 (7) sql : SQL-User-Name set to 'wyx1' rlm_sql (sql): Reserved connection (8) (7) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wyx1' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wyx1' ORDER BY id' (7) sql : User found in radcheck table (7) sql : Check items matched (7) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wyx1' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wyx1' ORDER BY id' (7) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql : --> SELECT groupname FROM radusergroup WHERE username = 'wyx1' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'wyx1' ORDER BY priority' (7) sql : User not found in any groups rlm_sql (sql): Released connection (8) rlm_sql (sql): 0 of 2 connections in use. Need more spares rlm_sql (sql): Opening additional connection (9) rlm_sql_mysql: Starting connect to MySQL server rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 171 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket (7) [sql] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap : No cleartext password in the request. Not performing PAP (7) [pap] = noop (7) } # authorize = ok (7) WARNING: Please update your configuration, and remove 'Auth-Type = Local' (7) WARNING: Use the PAP or CHAP modules instead (7) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Post-Auth-Type REJECT { (7) sql : EXPAND .query (7) sql : --> .query (7) sql : Using query template 'query' rlm_sql (sql): Reserved connection (9) (7) sql : EXPAND %{User-Name} (7) sql : --> wyx1 (7) sql : SQL-User-Name set to 'wyx1' (7) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (7) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wyx1', '', 'Access-Reject', '2017-03-27 00:56:06') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wyx1', '', 'Access-Reject', '2017-03-27 00:56:06')' rlm_sql (sql): Released connection (9) (7) [sql] = ok (7) attr_filter.access_reject : EXPAND %{User-Name} (7) attr_filter.access_reject : --> wyx1 (7) attr_filter.access_reject : Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (7) [eap] = noop (7) remove_reply_message_if_eap remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else else { (7) [noop] = noop (7) } # else else = noop (7) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sending Access-Reject packet to host 127.0.0.1 port 39104, id=232, length=0 Sending Access-Reject Id 232 from 127.0.0.1:1812 to 127.0.0.1:39104 Waking up in 3.9 seconds. (7) Cleaning up request packet ID 232 with timestamp +1224 Ready to process requests And the responding pptp log: Mar 27 00:56:06 iZ2597ft3dqZ pptpd[23202]: CTRL: Client control connection started Mar 27 00:56:06 iZ2597ft3dqZ pptpd[23202]: CTRL: Starting call (launching pppd, opening GRE) Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Plugin radius.so loaded. Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: RADIUS plugin initialized. Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Plugin radattr.so loaded. Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: RADATTR plugin initialized. Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded. Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: pptpd-logwtmp: $Version$ Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: pppd 2.4.5 started by root, uid 0 Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Using interface ppp0 Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Connect: ppp0 <--> /dev/pts/0 Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: rc_avpair_new: unknown attribute 11 Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: rc_avpair_new: unknown attribute 25 Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Peer wyx1 failed CHAP authentication Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: EOF or bad error reading ctrl packet length. Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: couldn't read packet header (exit) Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: CTRL read failed Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Modem hangup Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Connection terminated. Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Exit. Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: Client control connection finished config file: # cat /etc/raddb/clients.conf: client localhost { ipaddr = 127.0.0.1 proto = * secret = testing123 require_message_authenticator = no limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 secret = testing123 } # cat /etc/raddb/radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} db_dir = ${localstatedir}/lib/radiusd libdir = /usr/lib64/freeradius pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 hostname_lookups = no log { destination = files colourise = yes file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } checkrad = ${sbindir}/checkrad security { user = radiusd group = radiusd allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 auto_limit_acct = no } modules { $INCLUDE mods-enabled/ } instantiate { } policy { $INCLUDE policy.d/ } $INCLUDE sites-enabled/ cat /etc/raddb/users bob Cleartext-Password := "hello" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP cat /etc/raddb/site-enabled/default server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username preprocess auth_log chap mschap digest suffix eap { ok = return } sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest eap } preacct { preprocess acct_unique suffix } accounting { detail unix sql exec attr_filter.accounting_response } session { radutmp sql } post-auth { reply_log sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } # cat /etc/ppp/options.pptpd name pptpd refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 ms-dns 8.8.8.8 ms-dns 8.8.4.4 proxyarp debug lock nobsdcomp novj novjccomp nologfd plugin radius.so plugin radattr.so radius-config-file /etc/radiusclient-ng/radiusclient.conf # cat /usr/share/radiusclient-ng/dictionary # grep -v "#" dictionary | grep -v ^$ ATTRIBUTE User-Name 1 string ATTRIBUTE Password 2 string ATTRIBUTE CHAP-Password 3 string ATTRIBUTE NAS-IP-Address 4 ipaddr ATTRIBUTE NAS-Port-Id 5 integer ATTRIBUTE Service-Type 6 integer ATTRIBUTE Framed-Protocol 7 integer ATTRIBUTE Framed-IP-Address 8 ipaddr ATTRIBUTE Framed-IP-Netmask 9 ipaddr ATTRIBUTE Framed-Routing 10 integer ATTRIBUTE Filter-Id 11 string ATTRIBUTE Framed-MTU 12 integer ATTRIBUTE Framed-Compression 13 integer ATTRIBUTE Login-IP-Host 14 ipaddr ATTRIBUTE Login-Service 15 integer ATTRIBUTE Login-TCP-Port 16 integer ATTRIBUTE Reply-Message 18 string ATTRIBUTE Callback-Number 19 string ATTRIBUTE Callback-Id 20 string ATTRIBUTE Framed-Route 22 string ATTRIBUTE Framed-IPX-Network 23 ipaddr ATTRIBUTE State 24 string ATTRIBUTE Class 25 string ATTRIBUTE Vendor-Specific 26 string ATTRIBUTE Session-Timeout 27 integer ATTRIBUTE Idle-Timeout 28 integer ATTRIBUTE Termination-Action 29 integer ATTRIBUTE Called-Station-Id 30 string ATTRIBUTE Calling-Station-Id 31 string ATTRIBUTE NAS-Identifier 32 string ATTRIBUTE Proxy-State 33 string ATTRIBUTE Login-LAT-Service 34 string ATTRIBUTE Login-LAT-Node 35 string ATTRIBUTE Login-LAT-Group 36 string ATTRIBUTE Framed-AppleTalk-Link 37 integer ATTRIBUTE Framed-AppleTalk-Network 38 integer ATTRIBUTE Framed-AppleTalk-Zone 39 string ATTRIBUTE Acct-Status-Type 40 integer ATTRIBUTE Acct-Delay-Time 41 integer ATTRIBUTE Acct-Input-Octets 42 integer ATTRIBUTE Acct-Output-Octets 43 integer ATTRIBUTE Acct-Session-Id 44 string ATTRIBUTE Acct-Authentic 45 integer ATTRIBUTE Acct-Session-Time 46 integer ATTRIBUTE Acct-Input-Packets 47 integer ATTRIBUTE Acct-Output-Packets 48 integer ATTRIBUTE Acct-Terminate-Cause 49 integer ATTRIBUTE Acct-Multi-Session-Id 50 string ATTRIBUTE Acct-Link-Count 51 integer ATTRIBUTE Event-Timestamp 55 integer ATTRIBUTE CHAP-Challenge 60 string ATTRIBUTE NAS-Port-Type 61 integer ATTRIBUTE Port-Limit 62 integer ATTRIBUTE Login-LAT-Port 63 integer ATTRIBUTE Connect-Info 77 string ATTRIBUTE NAS-IPv6-Address 95 string ATTRIBUTE Framed-Interface-Id 96 string ATTRIBUTE Framed-IPv6-Prefix 97 string ATTRIBUTE Login-IPv6-Host 98 string ATTRIBUTE Framed-IPv6-Route 99 string ATTRIBUTE Framed-IPv6-Pool 100 string ATTRIBUTE Huntgroup-Name 221 string ATTRIBUTE User-Category 1029 string ATTRIBUTE Group-Name 1030 string ATTRIBUTE Simultaneous-Use 1034 integer ATTRIBUTE Strip-User-Name 1035 integer ATTRIBUTE Fall-Through 1036 integer ATTRIBUTE Add-Port-To-IP-Address 1037 integer ATTRIBUTE Exec-Program 1038 string ATTRIBUTE Exec-Program-Wait 1039 string ATTRIBUTE Hint 1040 string ATTRIBUTE Expiration 21 date ATTRIBUTE Auth-Type 1000 integer ATTRIBUTE Menu 1001 string ATTRIBUTE Termination-Menu 1002 string ATTRIBUTE Prefix 1003 string ATTRIBUTE Suffix 1004 string ATTRIBUTE Group 1005 string ATTRIBUTE Crypt-Password 1006 string ATTRIBUTE Connect-Rate 1007 integer VALUE Service-Type Login-User 1 VALUE Service-Type Framed-User 2 VALUE Service-Type Callback-Login-User 3 VALUE Service-Type Callback-Framed-User 4 VALUE Service-Type Outbound-User 5 VALUE Service-Type Administrative-User 6 VALUE Service-Type NAS-Prompt-User 7 VALUE Framed-Protocol PPP 1 VALUE Framed-Protocol SLIP 2 VALUE Framed-Routing None 0 VALUE Framed-Routing Broadcast 1 VALUE Framed-Routing Listen 2 VALUE Framed-Routing Broadcast-Listen 3 VALUE Framed-Compression None 0 VALUE Framed-Compression Van-Jacobson-TCP-IP 1 VALUE Login-Service Telnet 0 VALUE Login-Service Rlogin 1 VALUE Login-Service TCP-Clear 2 VALUE Login-Service PortMaster 3 VALUE Acct-Status-Type Start 1 VALUE Acct-Status-Type Stop 2 VALUE Acct-Status-Type Alive 3 VALUE Acct-Status-Type Accounting-On 7 VALUE Acct-Status-Type Accounting-Off 8 VALUE Acct-Authentic RADIUS 1 VALUE Acct-Authentic Local 2 VALUE Acct-Authentic PowerLink128 100 VALUE Termination-Action Default 0 VALUE Termination-Action RADIUS-Request 1 VALUE NAS-Port-Type Async 0 VALUE NAS-Port-Type Sync 1 VALUE NAS-Port-Type ISDN 2 VALUE NAS-Port-Type ISDN-V120 3 VALUE NAS-Port-Type ISDN-V110 4 VALUE Acct-Terminate-Cause User-Request 1 VALUE Acct-Terminate-Cause Lost-Carrier 2 VALUE Acct-Terminate-Cause Lost-Service 3 VALUE Acct-Terminate-Cause Idle-Timeout 4 VALUE Acct-Terminate-Cause Session-Timeout 5 VALUE Acct-Terminate-Cause Admin-Reset 6 VALUE Acct-Terminate-Cause Admin-Reboot 7 VALUE Acct-Terminate-Cause Port-Error 8 VALUE Acct-Terminate-Cause NAS-Error 9 VALUE Acct-Terminate-Cause NAS-Request 10 VALUE Acct-Terminate-Cause NAS-Reboot 11 VALUE Acct-Terminate-Cause Port-Unneeded 12 VALUE Acct-Terminate-Cause Port-Preempted 13 VALUE Acct-Terminate-Cause Port-Suspended 14 VALUE Acct-Terminate-Cause Service-Unavailable 15 VALUE Acct-Terminate-Cause Callback 16 VALUE Acct-Terminate-Cause User-Error 17 VALUE Acct-Terminate-Cause Host-Request 18 VALUE Auth-Type Local 0 VALUE Auth-Type System 1 VALUE Auth-Type SecurID 2 VALUE Auth-Type Crypt-Local 3 VALUE Auth-Type Reject 4 VALUE Auth-Type Pam 253 VALUE Auth-Type Accept 254 VALUE Fall-Through No 0 VALUE Fall-Through Yes 1 VALUE Add-Port-To-IP-Address No 0 VALUE Add-Port-To-IP-Address Yes 1 INCLUDE /usr/share/radiusclient-ng/dictionary.merit INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft INCLUDE /usr/share/radiusclient-ng/dictionary.ascend INCLUDE /usr/share/radiusclient-ng/dictionary.compat I have googled a lot, but no big progress, any help is appreciated.
On Mar 26, 2017, at 1:08 PM, jaseywang <jaseywang@gmail.com> wrote:
I use daloradius to add a new user wyx1(cleartext-password), and it passed "test user connectivity" test, below is the daloradius/radtest and radiusd -X output:
Note that the server receives a User-Password attribute.
But when I use the same account to connect the pptp server, it says Authentication failed:
Because it doesn't receive a User-Password attribute.
And the responding pptp log:
...
Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Peer wyx1 failed CHAP authentication
Nope. It never sent a CHAP-Password request. Fix PPTP to send User-Password or CHAP-Password.
config file:
# cat /etc/raddb/clients.conf:
We don't nee to see that. PLEASE follow the instructions in the FAQ: post "radiusd -X'. We don't need to see any configuration files.
# cat /usr/share/radiusclient-ng/dictionary # grep -v "#" dictionary | grep -v ^$
And don't post that. We already have it. It's not helpful. What does help is reading the debug output. If you had compared the two packets, you would see that PPTP doesn't send User-Password, or CHAP-Password. And from the "radiusd -X" output, the server is then unable to authenticate the user... because there's no password. Fix PPTP. No amount of poking FreeRADIUS will solve the problem. Alan DeKok.
Hi aland I finally find the cause, its due to the incorrect dictionary.microsoft config file, the pptp debug log give me some hint Mar 27 12:09:57 iZ2597ft3dqZ pppd[26789]: rc_avpair_new: unknown attribute 11 Mar 27 12:09:57 iZ2597ft3dqZ pppd[26789]: rc_avpair_new: unknown attribute 25 Mar 27 12:09:58 iZ2597ft3dqZ pppd[26789]: Peer wyx1 failed CHAP authentication Thanks for your help! On Mon, Mar 27, 2017 at 2:47 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 26, 2017, at 1:08 PM, jaseywang <jaseywang@gmail.com> wrote:
I use daloradius to add a new user wyx1(cleartext-password), and it passed "test user connectivity" test, below is the daloradius/radtest and radiusd -X output:
Note that the server receives a User-Password attribute.
But when I use the same account to connect the pptp server, it says Authentication failed:
Because it doesn't receive a User-Password attribute.
And the responding pptp log:
...
Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Peer wyx1 failed CHAP authentication
Nope. It never sent a CHAP-Password request.
Fix PPTP to send User-Password or CHAP-Password.
config file:
# cat /etc/raddb/clients.conf:
We don't nee to see that.
PLEASE follow the instructions in the FAQ: post "radiusd -X'. We don't need to see any configuration files.
# cat /usr/share/radiusclient-ng/dictionary # grep -v "#" dictionary | grep -v ^$
And don't post that. We already have it. It's not helpful.
What does help is reading the debug output. If you had compared the two packets, you would see that PPTP doesn't send User-Password, or CHAP-Password. And from the "radiusd -X" output, the server is then unable to authenticate the user... because there's no password.
Fix PPTP. No amount of poking FreeRADIUS will solve the problem.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (2)
-
Alan DeKok -
jaseywang