Please help !!!

Kartthik Raghunathan kartthikr at lycos.com
Wed Jun 28 21:02:59 CEST 2006


Using the same FR, authenticating wireless clients against the Active Directory using PEAP and TLS, and now trying to authenticate the PPTP clients against the Active Directory through the Dlink FW. The first part works like a charm... and the second one I have an issue with, and here is the MSCHAP configuration in radiusd.conf:

mschap {
        authtype = MS-CHAP
        use_mppe = no
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}


Here is the log when the PPTP client dials into the PPTP server (i.e. the Dlink FW; parameters are configured as MPPE 128-bit encryption and MSCHAPv2).

rad_recv: Access-Request packet from host 192.168.0.1:2838, id=68, length=151
        User-Name = "TEST\\kartthikr"
        MS-CHAP2-Response = 0x200038088c81bfc0e2d29944dc15551174ab0000000000000000231accd16d14cd2691a3d4ebc78d51577067db9138eaf627
        MS-CHAP-Challenge = 0xfb3fee292c917043d609ddf16c97b78c
        NAS-Identifier = "Clavister"
        NAS-Port = 0
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 0
    rlm_realm: No '@' in User-Name = "TEST\kartthikr", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for kartthikr with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: fb
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=kartthikr --domain=TEST --challenge=ee58ce24154980e8 --nt-response=231accd16d14cd2691a3d4ebc78d51577067db9138eaf627'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=kartthikr --domain=TEST --challenge=ee58ce24154980e8 --nt-response=231accd16d14cd2691a3d4ebc78d51577067db9138eaf627
Exec-Program output: NT_KEY: 67F102C088FF660F615D1F9236DF9797
Exec-Program-Wait: plaintext: NT_KEY: 67F102C088FF660F615D1F9236DF9797
Exec-Program: returned: 0
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Sending Access-Accept of id 68 to 192.168.0.1 port 2838
        MS-CHAP2-Success = 0x20533d36333943444337363042443142463535393941334136453634453645364430343545333138363336
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 68 with timestamp 44a2cf37

Kartthik

> I have freeradius set up for wireless client access against the active
> directory and it's working good. Now using the same FR trying to
> authenticate pptp clients against AD using Dlink firewall. While
> the pptp client connects to the dlink fw, getting this error message
> "the remote server doesnt support the support the encryption
> type".

   So it's a DLINK problem.

> The dlink support guys told that the encryption on the freeradius
> server is not correct. Do you guys think this makes sense ?

   Since you didn't show any of the RADIUS logs, there's no way to tell.

> Note: In dlink fw, the mppe encryption has been enabled. Does
> freeradius support this encryption type too ?

   Yes.

   Alan DeKok.
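
Added example (not part of the original thread, and not FreeRADIUS code): a Python check that reads the mschap settings and the "Sending Access-Accept" block of a radiusd debug log, and reports when the reply carries MS-CHAP2-Success but none of the RFC 2548 MS-MPPE key attributes a NAS needs to set up MPPE. The function names are hypothetical and the sample input is constructed and abridged from the configuration and log quoted above.

```python
import re

# Constructed sample: the mschap settings and an abridged reply from the post.
MSCHAP_CONF = """mschap {
    authtype = MS-CHAP
    use_mppe = no
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
}
"""
DEBUG_LOG = """Sending Access-Accept of id 68 to 192.168.0.1 port 2838
        MS-CHAP2-Success = 0x2053 (value abridged)
Finished request 0
"""
# RFC 2548 attributes that carry the MPPE session keys after MS-CHAPv2.
MPPE_KEY_ATTRS = {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"}

def mschap_options(conf):
    """Return the 'name = value' pairs inside the mschap { ... } block."""
    block = re.search(r"mschap\s*\{(.*?)\n\}", conf, re.S)
    body = block.group(1) if block else ""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))

def reply_attributes(log):
    """List (code, id, attribute names) for each 'Sending ...' reply in the log."""
    replies, current = [], None
    for line in log.splitlines():
        sent = re.match(r"Sending (\S+) of id (\d+)", line)
        if sent:
            current = (sent.group(1), int(sent.group(2)), set())
            replies.append(current)
        elif current and re.match(r"\s+[\w-]+ = ", line):
            current[2].add(line.split("=")[0].strip())
        else:
            current = None  # the attribute list ends at the first other line
    return replies

def mppe_findings(conf, log):
    """Flag settings and replies that leave the NAS without MPPE keys."""
    findings = []
    if mschap_options(conf).get("use_mppe") == "no":
        findings.append("use_mppe = no: mschap adds no MS-MPPE-* reply attributes")
    for code, ident, attrs in reply_attributes(log):
        missing = sorted(MPPE_KEY_ATTRS - attrs)
        if code == "Access-Accept" and "MS-CHAP2-Success" in attrs and missing:
            findings.append(f"Access-Accept id {ident} lacks {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    print("\n".join(mppe_findings(MSCHAP_CONF, DEBUG_LOG)))
```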

