Freeradius - Cisco L2TP Tunnel - Authentication problem.
Hi I have an issue with authentication using Freeradius (freeradius-1.0.1-3) We were running L2TPNS on a Linux box and authenticating fine using CHAP to the Freeradius server. However because of increased volume of users (DSL and Dial) we need to move to a Cisco 7200 so it could terminate the tunnel. The tunnel terminates fine but authentication is failing because the Cisco is sending PAP authentication and we use CHAP, in fact I would know how to move to PAP anyway. No matter what we put into the Cisco config it still uses PAP, even telling it to refuse PAP. The Cisco is running IOS 12.2.(6) and here is the relevant lines of config for the tunnel and authentication: ######################## aaa new-model aaa authentication ppp default group radius aaa authorization network default group radius if-authenticated aaa accounting network default start-stop group radius multilink virtual-template 1 vpdn enable ! vpdn-group 1 accept-dialin protocol l2tp virtual-template 1 terminate-from hostname tunnel local name gw1 l2tp tunnel password 7 xxxxxxxxxx source-ip 10.0.0.1 interface Virtual-Template1 ip unnumbered FastEthernet1/0 ip mroute-cache no logging event link-status no keepalive timeout absolute 4320 0 no peer default ip address ppp authentication chap callin ppp multilink ! ip local pool IP-POOL 192.168.0.1 192.168.1.254 ip classless ip route 0.0.0.0 0.0.0.0 10.0.0.254 no ip http server ip pim bidir-enable ! radius-server host 192.168.1.12 auth-port 1645 acct-port 1646 key xxxxxx radius-server retransmit 2 ############### Here is a line from the radius users file that authentication is failing for: ###### user1 Auth-Type := Local, User-Password== "jijyocspok" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 192.168.2.22, Framed-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP ###### Here is the radius log entries for when the login fails from the Cisco and passes from the L2TPNS server: #### Thu Feb 16 23:30:41 2006 : Auth: Login incorrect: [user1/jijyocspok] (from client l2tp port 3) Fri Feb 17 08:22:43 2006 : Auth: Login OK: [user1/<CHAP-Password>] (from client l2tp port 3) ###### I was wondering if anyone had seen a problem like this before and found a solution. Is the Cisco at fault, does it have a bug in it? Should I just move to PAP authentication, is so how do I do that? But doesn't Windows PC's send CHAP? Would it still work? Any help would be appreciated. Thanks Tony
I presently have the following in the post-auth section of my freeradius. Is there a way to log my ACCEPTS to another table in the sql. Additionally I would like to see the reason why it failed in the post-auth-type REJECT But cannot work that one out either is this possible if so how. Post-Auth-Type REJECT { # Login failed: log to SQL database. Sql1 Sql2 }
Tony Spencer wrote:
No matter what we put into the Cisco config it still uses PAP, even telling it to refuse PAP. Sounds more like a cisco issue than freeradius. What does radius -X look like?
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-3301 Cell 325-439-0533 fax 325-695-6841
Yes I'm beginning to think it is. The Cisco just will not send Chap authentication to the radius server. I'm wondering if that's because the Radius Proxy it's getting it's request from is sending PAP and not Chap. Something I need to speak to them about, on Monday now.. The radiusd -X looks like this: ### modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: Looking up realm "dsl.adslco.com" for User-Name = "01543677236@dsl.adslco.com" rlm_realm: No such realm "dsl.adslco.com" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 modcall[authenticate]: module "unix" returns notfound for request 3 modcall: group authenticate returns notfound for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request ### This was before I started changing things. But as I said since the Cisco won't send Chap, I think that's the cause of my problem. However I do have a work around, but making "Auth-Type = Accept" on each user. Since it's mainly DSL traffic the only realm we're ever be sent is our own, and we can easily disable uses with the Reject setting if needbe. Thanks anyway. Tony -----Original Message----- From: freeradius-users-bounces+tony=games-master.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=games-master.co.uk@lists.freeradius.or g] On Behalf Of Lewis Bergman Sent: 17 February 2006 13:44 To: FreeRadius users mailing list Subject: Re: Freeradius - Cisco L2TP Tunnel - Authentication problem. Tony Spencer wrote:
No matter what we put into the Cisco config it still uses PAP, even telling it to refuse PAP. Sounds more like a cisco issue than freeradius. What does radius -X look like?
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-3301 Cell 325-439-0533 fax 325-695-6841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
alan -
Lewis Bergman -
Tony Spencer