FreeRADIUS + MPPE for PPTP VPN clients
Alexei Monastyrnyi
alexeim at orcsoftware.com
Fri Jun 3 15:54:28 CEST 2005
Hi List.
I have a Q about MS-CHAP and MPPE configuration for FreeRADIUS.
OS and software versions
Servers
OS Solaris 9 SPARC
FreeRADIUS 1.0.2
OpenLDAP 2.2.24
SAMBA 3.0.11
Network gateways
Cisco PIX 506, IOS 6.3(4)
PPTP VPN Clients
Windows 2K/XP, MAC OSX.
The RADIUS server we're talking about is a secondary LDAP server and
SAMBA BDC as well.
I'd like to use this FreeRADIUS as a username/password backend for PPTP
VPN clients.
VPN hub in my case is Cisco PIX device, which supports AAA RADIUS for
PPTP VPDN groups.
PPTP VPN against Cisco PIX works perfectly well with local
authentication, i.e. when usernames/passwords are configured locally on PIX.
The RADIUS is already configured with OpenLDAP as a backend,
authenticating against userPassword attribute. This part works OK.
The OpenLDAP server is also a backend for my SAMBA domain controller,
the same domain I'm trying to use for user logins via PPTP VPN. All
users have both POSIX and SAMBA attributes in LDAP.
The following chain works.
Cisco VPN clients --- NAS --- RADIUS --- LDAP
This one doesn't
PPTP VPN clients --- NAS --- RADIUS --- SAMBA --- LDAP
I have configured RADIUS server as follows (omitted some lines here).
Modules section
mschap {
authtype = MS-CHAP
use_mppe = yes
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
#ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
ldap {
server = localhost
basedn = "ou=People,dc=orcsoftware,dc=com"
filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
start_tls = no
password_attribute = userPassword
}
authorize {
preprocess
auth_log
reply_log
mschap
suffix
ldap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
}
For PPTP logins it doesn't work for user MYDOMAIN\username and the
server says (omitting the beginning of debug)
Fri Jun 3 12:50:37 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: Told to do MS-CHAPv1 with NT-Password
Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: MS-CHAP-Response is incorrect.
My Q is: should I use ntlm_auth program for getting NTLM passwords?
If yes, should my RADIUS server be joined to the SAMBA domain which it is
trying to use?
Actually I'm a bit confused here and highlighting how RADIUS obtains or
generates MPPE keys might be helpful.
Any hints or useful URLs would be highly appreciated.
Cheers,
A.
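The debug output above is explained by what rlm_mschap needs as input: it cannot verify an MS-CHAP response or produce MPPE keys from a hashed userPassword; it needs either a cleartext User-Password (from which it computes NT-Password itself, which is why the log says "Cannot create NT-Password") or the NT hash directly (the value Samba keeps hex-encoded in sambaNTPassword, or what ntlm_auth --request-nt-key returns). The following is an added illustration, not code from the original post or from FreeRADIUS: it computes NT-Password the way the module derives it from a cleartext password (MD4 over the UTF-16LE password) and then carries that hash through the RFC 3079 section 3 MS-CHAPv2 key derivation to the MS-MPPE-Send-Key / MS-MPPE-Recv-Key values a RADIUS server returns to the NAS. The password and the 24-byte NT-Response are constructed sample values; the MS-CHAPv1 key schedule the log mentions is a different derivation and is not shown. MD4 is implemented inline because hashlib on OpenSSL 3 systems often no longer exposes it.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python, since hashlib may lack the legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (mixing function, word order for the 16 steps, shift table, additive constant)
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so 'a' is always the updated one
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap derives it from a cleartext User-Password;
    Samba stores the same 16 bytes hex-encoded in sambaNTPassword."""
    return md4(password.encode("utf-16-le"))


# RFC 3079 section 3.3 constants for the MS-CHAPv2 MPPE key derivation
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def mppe_master_key(nt_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey: SHA-1 over MD4(NT hash), the 24-byte NT-Response and Magic1."""
    password_hash_hash = md4(nt_hash)
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def mppe_session_key(master_key: bytes, is_send: bool, is_server: bool, key_len: int = 16) -> bytes:
    """GetAsymmetricStartKey: one directional key per side, 16 bytes for 128-bit MPPE."""
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]


def radius_mppe_keys(nt_hash: bytes, nt_response: bytes):
    """(MS-MPPE-Send-Key, MS-MPPE-Recv-Key) as handed to the NAS, which is the
    PPP server side; the client derives the mirror image from the same inputs."""
    master = mppe_master_key(nt_hash, nt_response)
    return (mppe_session_key(master, True, True), mppe_session_key(master, False, True))


if __name__ == "__main__":
    # constructed sample values, not from any real session
    nt_hash = nt_password_hash("password")
    nt_response = bytes(range(24))
    send_key, recv_key = radius_mppe_keys(nt_hash, nt_response)
    print("sambaNTPassword-style hash:", nt_hash.hex().upper())
    print("MS-MPPE-Send-Key:", send_key.hex())
    print("MS-MPPE-Recv-Key:", recv_key.hex())
```

The practical consequence for the setup in the post is that every branch of the chain rests on the NT hash: the NAS proves the client knew it, and the MPPE keys are derived from it, so the RADIUS server must be able to reach that hash, either by reading sambaNTPassword from LDAP into NT-Password, by having a cleartext password available, or by delegating to ntlm_auth on a domain member.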