pptp + perl + freeradius???
Hello, I am using a perl script to authenticate my users for hotspots with freeradius. I got no problem regarding to it. Now i planned to move my existing vpn server to freeradius also.. Read some howtos about it (with poptop mostly) Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter. When second time this user tries to login it just checks the password.. So I got Auth-Type parameter for users in mysql. And.. here is debug of my freeradius, pptp daemon,mysql query.. and my site config on freeradius freeradius: rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29, length=138 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "7798" MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e MS-CHAP2-Response = 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd Calling-Station-Id = ".931" NAS-IP-Address = 192.168.10.213 NAS-Port = 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [7798/<no User-Password attribute>] (from client localhost port 0 cli .931) Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. pptp: Client 192.168.16.243 control connection started Nov 18 12:49:30 pptp pptpd[4898]: CTRL: Starting call (launching pppd, opening GRE) Nov 18 12:49:30 pptp pppd[4900]: Plugin radius.so loaded. Nov 18 12:49:30 pptp pppd[4900]: RADIUS plugin initialized. Nov 18 12:49:30 pptp pppd[4900]: Plugin radattr.so loaded. Nov 18 12:49:30 pptp pppd[4900]: RADATTR plugin initialized. Nov 18 12:49:30 pptp pppd[4900]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. Nov 18 12:49:30 pptp pppd[4900]: pppd 2.4.4 started by root, uid 0 Nov 18 12:49:30 pptp pppd[4900]: Using interface ppp0 Nov 18 12:49:30 pptp pppd[4900]: Connect: ppp0 <--> /dev/pts/1 Nov 18 12:49:30 pptp pptpd[4898]: GRE: Bad checksum from pppd. Nov 18 12:49:33 pptp pptpd[4898]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! Nov 18 12:49:34 pptp pppd[4900]: Peer 7798 failed CHAP authentication Nov 18 12:49:34 pptp pppd[4900]: Connection terminated. Nov 18 12:49:34 pptp pppd[4900]: Exit. Mysql Query mysql> select * from radcheck where Username = '7798'; +-------+----------+------------------+----+-------------------------+ | id | UserName | Attribute | op | Value | +-------+----------+------------------+----+-------------------------+ | 48225 | 7798 | UserType | := | B | | 48224 | 7798 | email | := | a@b.com | | 48223 | 7798 | NameSurname | := | Test | | 49754 | 7798 | Auth-Type | == | Local | | 76810 | 7798 | Simultaneous-Use | := | 4 | +-------+----------+------------------+----+-------------------------+ 5 rows in set (0.00 sec) freeradius config server vpn { authorize { preprocess files mschap update control { Auth-Type := perl } perl } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type Perl { perl } } ................
Ok, I am updating my question. I tried to make vpn work with inner-tunnel and it works via mysql without any problems. As i understand ms-chap asks the username to mysql. So, how can i use perl script instead of using mysql to authenticate???
Hello, I am using a perl script to authenticate my users for hotspots with freeradius. I got no problem regarding to it. Now i planned to move my existing vpn server to freeradius also.. Read some howtos about it (with poptop mostly) Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter. When second time this user tries to login it just checks the password.. So I got Auth-Type parameter for users in mysql.
And.. here is debug of my freeradius, pptp daemon,mysql query.. and my site config on freeradius
freeradius: rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29, length=138 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "7798" MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e MS-CHAP2-Response = 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd Calling-Station-Id = ".931" NAS-IP-Address = 192.168.10.213 NAS-Port = 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [7798/<no User-Password attribute>] (from client localhost port 0 cli .931) Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
pptp:
Client 192.168.16.243 control connection started Nov 18 12:49:30 pptp pptpd[4898]: CTRL: Starting call (launching pppd, opening GRE) Nov 18 12:49:30 pptp pppd[4900]: Plugin radius.so loaded. Nov 18 12:49:30 pptp pppd[4900]: RADIUS plugin initialized. Nov 18 12:49:30 pptp pppd[4900]: Plugin radattr.so loaded. Nov 18 12:49:30 pptp pppd[4900]: RADATTR plugin initialized. Nov 18 12:49:30 pptp pppd[4900]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. Nov 18 12:49:30 pptp pppd[4900]: pppd 2.4.4 started by root, uid 0 Nov 18 12:49:30 pptp pppd[4900]: Using interface ppp0 Nov 18 12:49:30 pptp pppd[4900]: Connect: ppp0 <--> /dev/pts/1 Nov 18 12:49:30 pptp pptpd[4898]: GRE: Bad checksum from pppd. Nov 18 12:49:33 pptp pptpd[4898]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! Nov 18 12:49:34 pptp pppd[4900]: Peer 7798 failed CHAP authentication Nov 18 12:49:34 pptp pppd[4900]: Connection terminated. Nov 18 12:49:34 pptp pppd[4900]: Exit.
Mysql Query mysql> select * from radcheck where Username = '7798'; +-------+----------+------------------+----+-------------------------+ | id | UserName | Attribute | op | Value | +-------+----------+------------------+----+-------------------------+ | 48225 | 7798 | UserType | := | B | | 48224 | 7798 | email | := | a@b.com | | 48223 | 7798 | NameSurname | := | Test | | 49754 | 7798 | Auth-Type | == | Local | | 76810 | 7798 | Simultaneous-Use | := | 4 | +-------+----------+------------------+----+-------------------------+ 5 rows in set (0.00 sec)
freeradius config server vpn { authorize { preprocess files mschap update control { Auth-Type := perl } perl }
authenticate {
Auth-Type MS-CHAP { mschap } Auth-Type Perl { perl } } ................
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, I am updating my question. I tried to make vpn work with inner-tunnel and it works via mysql without any problems. As i understand ms-chap asks the username to mysql.
So, how can i use perl script instead of using mysql to authenticate???
"Just" translate rlm_mysql code to perl. Ivan Kalik
Hello, I am using a perl script to authenticate my users for hotspots with freeradius. I got no problem regarding to it. Now i planned to move my existing vpn server to freeradius also.. Read some howtos about it (with poptop mostly)
Perhaps reading freeradius documentation if you are to use freeradius would be better? If you read the main README file you could avoid most of your problems.
Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter.
Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
When second time this user tries to login it just checks the password.
How? You don't have password stored in radcheck table.
So I got Auth-Type parameter for users in mysql.
Remove it.
freeradius: rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29, length=138 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "7798" MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e MS-CHAP2-Response = 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd Calling-Station-Id = ".931" NAS-IP-Address = 192.168.10.213 NAS-Port = 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [7798/<no User-Password attribute>] (from client localhost port 0 cli .931) Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
freeradius config server vpn { authorize { preprocess files mschap update control { Auth-Type := perl } perl }
authenticate {
Auth-Type MS-CHAP { mschap } Auth-Type Perl { perl } }
Freeradius processes default virtual server by default (it looks like you have removed that one - why?). You haven't told it to use vpn default server. Your plan won't work. You have to know the password in advance to authenticate users with mschap. You can't extract the password from the request when user first time logs in. You can with pap but not with mschap - that's the whole point of that protocol. Ivan Kalik
Hello, I am using a perl script to authenticate my users for hotspots with freeradius. I got no problem regarding to it. Now i planned to move my existing vpn server to freeradius also.. Read some howtos about it (with poptop mostly)
Perhaps reading freeradius documentation if you are to use freeradius would be better? If you read the main README file you could avoid most of your problems.
The documents i mentioned above was about pptp installation not freeradius itself. Sure i read docs about freeradius also. Even your main README file.!!
Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter.
Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
It was for my perl module. Which seems unnecessary for mschaps as i see. So i already removed it.
When second time this user tries to login it just checks the password.
How? You don't have password stored in radcheck table.
To make it clear.. My users passwords are stored in another system. So practically i got no chance to have them on mysql of freeradius. Thats why in my previous system (which still works for hotspot authentications) I was using a perl module to connect to an xml service and check if the username/password is correct (I was just sending usrname/password couple and the answer is returning as ok or not.), and if it is ok, add the username/ name/email address and other informational knowledges of the user to a mysql table which is not relative to our subject now. And everytime user logs on, that perl script checks for the password again via xml page. So i got no passwords in mysql at all.
So I got Auth-Type parameter for users in mysql.
Remove it.
freeradius: rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29, length=138 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "7798" MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e MS-CHAP2-Response = 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd Calling-Station-Id = ".931" NAS-IP-Address = 192.168.10.213 NAS-Port = 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [7798/<no User-Password attribute>] (from client localhost port 0 cli .931) Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
freeradius config server vpn { authorize { preprocess files mschap update control { Auth-Type := perl } perl }
authenticate {
Auth-Type MS-CHAP { mschap } Auth-Type Perl { perl } }
Freeradius processes default virtual server by default (it looks like you have removed that one - why?). You haven't told it to use vpn default server.
There were some other virtual servers running on that freeradius server, Just removed them for my test purposes. So nothing special about removing default server.
Your plan won't work. You have to know the password in advance to authenticate users with mschap. You can't extract the password from the request when user first time logs in. You can with pap but not with mschap - that's the whole point of that protocol.
So as i understand, the only way that mschap works is to keep username/passwords on mysql (or file) right? I can not use perl module to return a "user is ok" msg and make it work.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The documents i mentioned above was about pptp installation not freeradius itself. Sure i read docs about freeradius also. Even your main README file.!!
If you did read it, why did you do this:
There were some other virtual servers running on that freeradius server, Just removed them for my test purposes. So nothing special about removing default server.
Removing default server = destroying default configuration! If you want to replace default server with another one you need to alter listen section. See README in raddb/sites-available.
Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter.
Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
It was for my perl module. Which seems unnecessary for mschaps as i see. So i already removed it.
Yes, you don't want perl in authenticate, but you do want it in authorize still to get the password from xml.
Thats why in my previous system (which still works for hotspot authentications) I was using a perl module to connect to an xml service and check if the username/password is correct (I was just sending usrname/password couple and the answer is returning as ok or not.), and if it is ok, add the username/ name/email address and other informational knowledges of the user to a mysql table which is not relative to our subject now. And everytime user logs on, that perl script checks for the password again via xml page. So i got no passwords in mysql at all.
Fine, just have perl copy the password from xml into $RAD_CHECK{'Cleartext-Password'}.
So as i understand, the only way that mschap works is to keep username/passwords on mysql (or file) right?
No, if you can get password using perl it doesn't have to be in mysql. You need cleartext of nt hashed password for mschap - freeradius doesn't care where is it stored (sql, ldap, file, whatever) and how is it made available. As long as the password is available for authentication. Ivan Kalik
The documents i mentioned above was about pptp installation not freeradius itself. Sure i read docs about freeradius also. Even your main README file.!!
If you did read it, why did you do this:
There were some other virtual servers running on that freeradius server, Just removed them for my test purposes. So nothing special about removing default server.
Removing default server = destroying default configuration! If you want to replace default server with another one you need to alter listen section. See README in raddb/sites-available.
I already set the listen section according to my new config. Thats ok..
Here is how my perl script works.. When it gets a username/pass it checks it via an xml page and if it is correct it adds the username to mysql table with auth-type == local parameter.
Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
It was for my perl module. Which seems unnecessary for mschaps as i see. So i already removed it.
Yes, you don't want perl in authenticate, but you do want it in authorize still to get the password from xml.
I will give it a try.
Thats why in my previous system (which still works for hotspot authentications) I was using a perl module to connect to an xml service and check if the username/password is correct (I was just sending usrname/password couple and the answer is returning as ok or not.), and if it is ok, add the username/ name/email address and other informational knowledges of the user to a mysql table which is not relative to our subject now. And everytime user logs on, that perl script checks for the password again via xml page. So i got no passwords in mysql at all.
Fine, just have perl copy the password from xml into $RAD_CHECK{'Cleartext-Password'}.
Tht seems not possible, Because as i say, I only send username/password information to a web server as http://xxx.xxx.xxx.xxx?=username&password and it returns me something like <true> <Name><xxx xxx> <email><a@b.com> or just <false> So the only password available is the one i send to web. But maybe if answer returns true, i can return parameter radcheck from perl script as $RAD_CHECK{'Cleartext-Password'} That seem to work. Thanks.
So as i understand, the only way that mschap works is to keep username/passwords on mysql (or file) right?
No, if you can get password using perl it doesn't have to be in mysql. You need cleartext of nt hashed password for mschap - freeradius doesn't care where is it stored (sql, ldap, file, whatever) and how is it made available. As long as the password is available for authentication.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The documents i mentioned above was about pptp installation not freeradius itself. Sure i read docs about freeradius also. Even your main README file.!!
If you did read it, why did you do this:
There were some other virtual servers running on that freeradius server, Just removed them for my test purposes. So nothing special about removing default server.
Removing default server = destroying default configuration! If you want to replace default server with another one you need to alter listen section. See README in raddb/sites-available.
I already set the listen section according to my new config. Thats ok..
Not on the debug you posted.
Fine, just have perl copy the password from xml into $RAD_CHECK{'Cleartext-Password'}.
Tht seems not possible, Because as i say, I only send username/password information to a web server as http://xxx.xxx.xxx.xxx?=username&password and it returns me something like <true> <Name><xxx xxx> <email><a@b.com> or just <false> So the only password available is the one i send to web. But maybe if answer returns true, i can return parameter radcheck from perl script as $RAD_CHECK{'Cleartext-Password'}
No cleartext or nt hashed password - no mschap authentication. You will have password in pap request that you can send to that web service, but not in mschap request. Ivan Kalik
participants (2)
-
Oguzhan Kayhan -
tnt@kalik.net