Help configuring FreeRadius with PPPD and ntlm_auth
Bruce Marriner
bmarriner at ameristarfence.com
Mon Aug 20 16:30:07 CEST 2007
I am setting up a Linux VPN for Windows clients via L2TP/IPsec. I had everything working using basic PPPD chap-secrets authentication via MSCHAPv2 and am trying to add on the RADIUS part. I've read a bunch of how-tos, but they all seem to be written for a different setup or different versions, and many of them have incorrect statements about what is or is not in the config files :) I have Samba configured and winbindd running. I tried to follow the instructions from the links below, which are for PPTP, not L2TP, but both systems use PPPD for the username/password authentication.
http://wiki.freeradius.org/PopTop
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_8.htm
I can run ntlm_auth as the radius user and it runs okay.
impasse ~ # sudo -u radiusd /usr/bin/ntlm_auth --request-nt-key --domain=ameristarfence.com --username=supersecretuser
password:
NT_STATUS_OK: Success (0x0)
All the examples of setting up FreeRADIUS with VPN configurations against AD just say to basically change the radiusd.conf file to turn on MPPE in the mschap section and set up winbindd so it works. But I read some place that I also need EAP or PEAP to get this to work. I'm not sure if that's required, and that's my primary question right now. Does anyone know the specific things I need to set up so FreeRADIUS can authenticate via the ntlm_auth tool back to PPPD? Below are the versions of everything. Last night I got frustrated and removed FreeRADIUS and reinstalled it with all fresh new config files. I followed the poptop guide on the FreeRADIUS wiki site again and am, not surprisingly, getting the same response. Below is what the RADIUS server is saying about all this :) I see the part where it sets the Auth-Type to CHAP. I think that should be MS-CHAP, but I don't really know (obviously). Any help would be very appreciated :)
-----------------------------------------------------------------------------
impasse ~ # radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32774, id=123, length=94
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "supersecretuser"
CHAP-Challenge = 0xafd50494421ab0f8cc743432bbd7000278ee8748078c2b
CHAP-Password = 0x8a3ab7e348bc7de701db2207475d474831
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rlm_chap: Setting 'Auth-Type := CHAP'
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
rlm_chap: login attempt by "supersecretuser" with CHAP password
rlm_chap: Could not find clear text password for user supersecretuser
Login incorrect (rlm_chap: Clear text password not available): [supersecretuser/<CHAP-Password>] (from client localhost port 0)
rad_recv: Access-Request packet from host 127.0.0.1:32774, id=123, length=94
Sending Access-Reject of id 123 to 127.0.0.1 port 32774
-----------------------------------------------------------------------------
Below is a list of versions and compile features (via Gentoo USE statements)
-----------------------------------------------------------------------------
samba-3.0.24-r3
USE="acl kerberos ldap oav pam python readline syslog winbind -async -automount -caps -cups -doc -examples -fam -quotas (-selinux) -swat"
freeradius-1.1.6
USE="debug kerberos ldap mysql pam snmp ssl -edirectory -firebird -frascend -frnothreads -frxp -postgres -udpfromto" 0 kB
xl2tpd-1.1.10 0 kB
openssl-0.9.8e-r1
USE="bindist sse2 zlib -emacs -test" 0 kB
strongswan-2.8.4
USE="ldap nat -curl -smartcard" 0 kB
ppp-2.4.4-r9
USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6 -mppe-mppc" 0 kB
Linux impasse 2.6.21-gentoo-r4 #11 SMP Tue Aug 14 16:29:27 CDT 2007 i686 Intel(R) Pentium(R) D CPU 3.20GHz GenuineIntel GNU/Linux
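Editor's added example, not part of Bruce's message or of the wiki pages he cites: the configuration fragments below show a pppd + FreeRADIUS 1.1.x setup in which pppd is told to negotiate only MS-CHAPv2 and to hand authentication to RADIUS. The reason this matters is visible in the debug output above: the Access-Request carries CHAP-Challenge and CHAP-Password (plain CHAP-MD5), and rlm_chap can only verify those against a cleartext password, which it does not have and which AD does not expose. rlm_mschap, and with it ntlm_auth, only acts on MS-CHAP-Challenge plus MS-CHAP-Response/MS-CHAP2-Response attributes, which pppd's radius plugin sends once MS-CHAPv2 is the negotiated method. The file paths (/etc/ppp/options.xl2tpd, /etc/radiusclient/...), the shared secret testing123 and the use of ameristarfence.com as the fallback domain are assumptions for illustration; the ntlm_auth line is the stock form from the FreeRADIUS 1.1.x radiusd.conf.

```conf
# --- /etc/ppp/options.xl2tpd (pppd options loaded by xl2tpd; path assumed) ---
# Refuse every method except MS-CHAPv2 so the Windows client cannot fall back
# to CHAP-MD5. With plain CHAP the RADIUS request carries CHAP-Password, which
# can only be checked against a cleartext password that AD does not provide.
auth
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Hand authentication to RADIUS instead of /etc/ppp/chap-secrets.
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
# MPPE is optional inside an L2TP/IPsec tunnel, which already encrypts the
# traffic; enable it only if pppd and the kernel both have MPPE support:
# require-mppe-128

# --- /etc/radiusclient/radiusclient.conf (used by pppd's radius plugin; path assumed) ---
authserver   127.0.0.1
acctserver   127.0.0.1
servers      /etc/radiusclient/servers
dictionary   /etc/radiusclient/dictionary
# The dictionary must pull in the Microsoft VSAs so pppd can encode
# MS-CHAP-Challenge / MS-CHAP2-Response. The plugin ships dictionary.microsoft;
# add this line to /etc/radiusclient/dictionary if it is missing:
#   INCLUDE /etc/radiusclient/dictionary.microsoft

# --- /etc/radiusclient/servers: one line per server, host and shared secret (secret assumed) ---
# 127.0.0.1   testing123

# --- /etc/raddb/clients.conf (the FreeRADIUS side of the same shared secret) ---
client 127.0.0.1 {
	secret    = testing123
	shortname = localhost
}

# --- /etc/raddb/radiusd.conf, relevant excerpts (FreeRADIUS 1.1.x) ---
modules {
	mschap {
		authtype = MS-CHAP
		# Return MS-MPPE keys to the NAS; harmless if pppd does not use MPPE.
		use_mppe = yes
		# Leave these off for L2TP/IPsec unless MPPE is required in pppd too.
		require_encryption = no
		require_strong = no
		# Strip a "DOMAIN\" prefix from the user name before it reaches winbind.
		with_ntdomain_hack = yes
		# Verify the NT-Response against AD through winbind. The %{mschap:...}
		# expansions are FreeRADIUS's own; the fallback domain is the one used
		# in the manual ntlm_auth test above (assumed to be correct for this AD).
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-ameristarfence.com} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}
}
authorize {
	preprocess
	# mschap must run in authorize: it is what sets Auth-Type := MS-CHAP when
	# it sees the MS-CHAP attributes in the request.
	mschap
	suffix
	files
}
authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

No EAP or PEAP is involved in this path: EAP only enters the picture when the NAS tunnels EAP (for example wireless 802.1X or an L2TP/PPTP client configured for EAP-MSCHAPv2); a Windows L2TP client left at its default of MS-CHAPv2 sends plain MS-CHAPv2 over PPP, which rlm_mschap handles directly. After the change, a `radiusd -X` trace of a connection attempt should show MS-CHAP-Challenge and MS-CHAP2-Response (not CHAP-Challenge/CHAP-Password) in the Access-Request and rlm_mschap, rather than rlm_chap, setting the Auth-Type. The ntlm_auth command must also succeed when run as the user radiusd drops privileges to, exactly as Bruce tested it, since winbind's privileged pipe is only readable by the winbindd_privileged group.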