MSChap/LDAP Question

Douglas Phillips csdgp at eiu.edu
Wed Jun 8 19:19:00 CEST 2005


I'm trying to authenticate MSChap with LDAP (LDAP has crypted  
passwords) for PPTP from a Cisco VPN box.  I'm getting a strange  
error.  Here's the logs:

rad_recv: Access-Request packet from host ************:1071, id=138, length=153
         User-Name = "csdgp"
         NAS-Port = 2311
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Tunnel-Client-Endpoint:0 = "**********"
         MS-CHAP-Challenge = 0x6ad5d5a423e76b09aeb8ac329215d4b1
         MS-CHAP2-Response = 0x02000b2f32af6a677146bd81ec222958a45f00000000000000007249bfd5eb81dd31ee0af1a17712be08a7bc758820949d71
         NAS-IP-Address = **********
         NAS-Port-Type = Virtual
rlm_ldap: - authorize
rlm_ldap: performing user authorization for csdgp
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as *************** to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user csdgp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Login incorrect: [csdgp/<no User-Password attribute>] (from client vpn1 port 2311)
rad_recv: Access-Request packet from host ********:1071, id=138, length=153
Sending Access-Reject of id 138 to ********:1071
         MS-CHAP-Error = "\002E=691 R=1"


Here's the config:

chap {
    authtype = CHAP
}

mschap {
    authtype = MS-CHAP
    use_mppe = yes
}

ldap {
    server = "localhost"
    identity = ***************
    password = ***************
    basedn = ***************
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}}) (host=ux1))"

    start_tls = no

    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = "userPassword"
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
}


-- End of config --

Am I up a creek here or is there something I can do?  I haven't been  
able to find much online, but I may not be hitting the right things.

--
   Douglas G. Phillips
      Development                     Information Technology Services
Eastern Illinois University                     (217) 581-7631
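Added example, not part of the post above and not FreeRADIUS code: the check that rlm_mschap has to perform on the MS-CHAP2-Response shown in the log, written in Go because its standard library already provides DES and SHA-1 (MD4, which the NT hash needs, is implemented inline). RFC 2759 defines the NT-Response as three DES encryptions of an 8-byte challenge with keys taken from the NT hash, which is MD4 over the UTF-16LE password. The verifier therefore has to hold either that hash or the cleartext it is derived from; a one-way crypt(3) or {SSHA} userPassword, which is all the directory in the config above provides, cannot be turned into those DES keys, which is consistent with the "no User-Password attribute" in the reject. The 50-byte attribute in the log decodes as Ident 0x02, Flags 0x00, the 16-byte Peer-Challenge 0b2f...a45f, 8 reserved zero bytes and the 24-byte NT-Response 7249...9d71. The block checks itself against the RFC 2759 section 9.2 test vectors (user "User", password "clientPass"); the function names (md4, ntHash, challengeHash, challengeResponse, verifyMSChap2) are this example's own, and the attribute layout and expected values come from RFC 2548 and RFC 2759.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// Per-round rotation amounts and the round-3 word order, from RFC 1320.
var (
	s1, s2, s3 = [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	r3         = [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
)

// md4 is a minimal RFC 1320 MD4 (the Go standard library has none).
func md4(msg []byte) [16]byte {
	m := append(append([]byte{}, msg...), 0x80)
	m = append(m, make([]byte, (55-len(msg)%64+64)%64+8)...) // zero pad plus room for the bit length
	binary.LittleEndian.PutUint64(m[len(m)-8:], uint64(len(msg))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1, F(b,c,d) = (b AND c) OR (NOT b AND d)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2, G = majority, message words taken column-wise
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3, H = parity
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is what an NT-Password check item holds: MD4 over the UTF-16LE password.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

// challengeHash is ChallengeHash() from RFC 2759 section 8.2: SHA-1 over peer challenge,
// authenticator challenge and user name, truncated to 8 bytes.
func challengeHash(peer, auth [16]byte, user string) (out [8]byte) {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), user...))
	copy(out[:], sum[:])
	return out
}

// challengeResponse is ChallengeResponse() from RFC 2759 section 8.5: the NT hash, zero-padded
// to 21 bytes, gives three 56-bit DES keys (spread over 8 bytes; crypto/des ignores parity bits).
func challengeResponse(chal [8]byte, hash [16]byte) (out [24]byte) {
	var z [21]byte
	copy(z[:], hash[:])
	for i := 0; i < 3; i++ {
		k := z[7*i : 7*i+7]
		key := []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
			k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
		c, _ := des.NewCipher(key) // the key is always 8 bytes, so NewCipher cannot fail
		c.Encrypt(out[8*i:8*i+8], chal[:])
	}
	return out
}

// verifyMSChap2 checks a 50-byte MS-CHAP2-Response value (RFC 2548 section 2.3.3: Ident, Flags,
// 16-byte Peer-Challenge, 8 reserved bytes, 24-byte NT-Response) against the stored NT hash.
func verifyMSChap2(authChallenge [16]byte, attr []byte, user string, hash [16]byte) bool {
	if len(attr) != 50 {
		return false
	}
	peer := *(*[16]byte)(attr[2:18]) // slice-to-array-pointer conversion, Go 1.17+
	want := challengeResponse(challengeHash(peer, authChallenge, user), hash)
	return subtle.ConstantTimeCompare(want[:], attr[26:50]) == 1
}

func main() {
	// RFC 2759 section 9.2 test vector: user "User", password "clientPass"; the expected
	// NT-Response is 82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF.
	var auth, peer [16]byte
	hex.Decode(auth[:], []byte("5B5D7C7D7B3F2F3E3C2C602132262628"))
	hex.Decode(peer[:], []byte("21402324255E262A28295F2B3A337C7E"))
	fmt.Printf("NT-Response = %X\n", challengeResponse(challengeHash(peer, auth, "User"), ntHash("clientPass")))
}
```

The consequence for the setup above is that the directory has to carry something the verifier can actually use: either the cleartext password or the NT hash itself (in FreeRADIUS terms an NT-Password check item, for instance mapped from a Samba-style NT-hash attribute in ldap.attrmap; the exact attribute name is an assumption here, not taken from the post). Existing crypt() values cannot be converted, because the NT hash is a different one-way function of the same password.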




More information about the Freeradius-Users mailing list