Windows -> VPN -> Radius

Roberto Greiner mrgreiner at gmail.com
Wed Jun 29 15:50:43 CEST 2005 

On 6/27/05, Alan DeKok <aland at ox.org> wrote:
> Roberto Greiner <mrgreiner at gmail.com> wrote:
> > Problem: Windows sends the user info as a Chap challenge, and as a
> > result the Freeradius server reports that the user request came with
> > no password. Did somebody face a similiar problem? Can someone
> > helpme/point in the right direction?
> 
>   The problem isn't that the request doesn't contain a password.  The
> problem is that the user is rejected.
> 
>   Run the server in debug mode to see why.
> 
>   Alan DeKok.
> 
Ok. I ran the server in debug mode, but it still says that the request
is comming without Password. Specifically, the message says: "auth: No
User-Password or CHAP-Password attribute in the request".

The full log:
   ----------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:32799, id=180, length=66
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "teste"
        Calling-Station-Id = "aa.bb.cc.dd"
        NAS-IP-Address = ee.ff.gg.hh
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "teste", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
radius_xlat:  'teste'
rlm_sql (sql): sql_set_user escaped user --> 'teste'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'teste' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'teste' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'teste' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'teste' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [teste/<no User-Password attribute>] (from client
localhost port 0 cli aa.bb.cc.dd)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 180 to 127.0.0.1:32799
Waking up in 7 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 180 with timestamp 42c2a106
Nothing to do.  Sleeping until we see a request.
  ---------------------------------------------------------------- 

in radius.conf, mschap part is as follows:
 mschap {
                authtype = MS-CHAP
                use_mppe = yes
                #require_encryption = yes
                require_strong = yes
                #with_ntdomain_hack = no
                #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
        }

In the mysql radcheck table, I tried both 'Password' and
'CHAP-Password' as attributes, with no diference at all in the result

In the windows box, for authentication, I left enabled in the security
menu, the options 'CHAP Protocol', 'Microsoft CHAP' and 'Microsoft
CHAP version 2 (MS-CHAP v2)'.

One possibility I see is that there may be some wrong configuration in
my radius.conf, since the log is saying "modcall[authorize]: module
"mschap" returns noop for request 3". Shouldn't it say "returns ok" or
something like that?

Thank you,

Marcos Roberto

More information about the Freeradius-Users mailing list