Setting up a VPN server with pptp and RADIUS for all sorts of clients

robert robert.harris at univ-lehavre.fr
Thu Feb 8 12:05:12 CET 2007


Hello,

This is my first post on this mailing list, so sorry if I am in the
wrong place!!

I am having problems getting the RADIUS server to validate my VPN clients.
Reading through the mail archives, I have found similar subjects, but
the main difference I have is the fact that I don't have authority on
the RADIUS server.
The main problem comes from my Windows clients; I am trying to stick to
the default Microsoft auth method (using MS-CHAP v2) to keep the client
side as simple as possible.
So I have set up my pptp daemon, installed radiusclient, and have used
the dictionary.microsoft from the sources of radiusclient.
I must point out that authentication works using the "User-Password" field
(say if I am wrong, but this is a clear text password?) on 802.1X
clients, and all users in the LDAP base have a valid User-Password (but
no NT/LM passwords).
The solutions I have come across until now tell me to use the NT or LM
password field and the problem is solved, but I can't change the layout;
it has been set by "eduroam", who guides the project.
So I must get my RADIUS client to work with User-Password, but I don't
know where to start...
A log sent from the RADIUS admin shows that the mschap module fails to
find User-Password (this is how I have understood it!) and refuses to
validate the user.
Here is the part I am talking about:

    FROM Radius log:

    auth: type "MS-CHAP"

    Processing the authenticate section of radiusd.conf
    modcall: entering group MS-CHAP for request 0
    rlm_mschap: No User-Password configured.  Cannot create LM-Password.
    rlm_mschap: No User-Password configured.  Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
    rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

But I am sure that the User-Password field contains the valid password I
am trying to use.

Just in case, I shall post the dictionary.microsoft I am using:

        #
        #	Microsoft's VSA's, from RFC 2548
        #
        #	$Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $
        #

        VENDOR		Microsoft	311	Microsoft

        ATTRIBUTE	MS-CHAP-Response	1	string	Microsoft
        ATTRIBUTE	MS-CHAP-Error		2	string	Microsoft
        ATTRIBUTE	MS-CHAP-CPW-1		3	string	Microsoft
        ATTRIBUTE	MS-CHAP-CPW-2		4	string	Microsoft
        ATTRIBUTE	MS-CHAP-LM-Enc-PW	5	string	Microsoft
        ATTRIBUTE	MS-CHAP-NT-Enc-PW	6	string	Microsoft
        ATTRIBUTE	MS-MPPE-Encryption-Policy 7	string	Microsoft
        # This is referred to as both singular and plural in the RFC.
        # Plural seems to make more sense.
        ATTRIBUTE	MS-MPPE-Encryption-Type 8	string	Microsoft
        ATTRIBUTE	MS-MPPE-Encryption-Types  8	string	Microsoft
        ATTRIBUTE	MS-RAS-Vendor		9	integer	Microsoft
        ATTRIBUTE	MS-CHAP-Domain		10	string	Microsoft
        ATTRIBUTE	MS-CHAP-Challenge	11	string	Microsoft
        ATTRIBUTE	MS-CHAP-MPPE-Keys	12	string	Microsoft
        ATTRIBUTE	MS-BAP-Usage		13	integer	Microsoft
        ATTRIBUTE	MS-Link-Utilization-Threshold 14 integer	Microsoft
        ATTRIBUTE	MS-Link-Drop-Time-Limit	15	integer	Microsoft
        ATTRIBUTE	MS-MPPE-Send-Key	16	string	Microsoft
        ATTRIBUTE	MS-MPPE-Recv-Key	17	string	Microsoft
        ATTRIBUTE	MS-RAS-Version		18	string	Microsoft
        ATTRIBUTE	MS-Old-ARAP-Password	19	string	Microsoft
        ATTRIBUTE	MS-New-ARAP-Password	20	string	Microsoft
        ATTRIBUTE	MS-ARAP-PW-Change-Reason 21	integer	Microsoft

        ATTRIBUTE	MS-Filter		22	string	Microsoft
        ATTRIBUTE	MS-Acct-Auth-Type	23	integer	Microsoft
        ATTRIBUTE	MS-Acct-EAP-Type	24	integer	Microsoft

        ATTRIBUTE	MS-CHAP2-Response	25	string	Microsoft
        ATTRIBUTE	MS-CHAP2-Success	26	string	Microsoft
        ATTRIBUTE	MS-CHAP2-CPW		27	string	Microsoft

        ATTRIBUTE	MS-Primary-DNS-Server	28	ipaddr	Microsoft
        ATTRIBUTE	MS-Secondary-DNS-Server	29	ipaddr	Microsoft
        ATTRIBUTE	MS-Primary-NBNS-Server	30	ipaddr	Microsoft
        ATTRIBUTE	MS-Secondary-NBNS-Server 31	ipaddr	Microsoft

        #ATTRIBUTE	MS-ARAP-Challenge	33	string	Microsoft


        #
        #	Integer Translations
        #

        #	MS-BAP-Usage Values

        VALUE		MS-BAP-Usage		Not-Allowed	0
        VALUE		MS-BAP-Usage		Allowed		1
        VALUE		MS-BAP-Usage		Required	2

        #	MS-ARAP-Password-Change-Reason Values

        VALUE	MS-ARAP-PW-Change-Reason	Just-Change-Password		1
        VALUE	MS-ARAP-PW-Change-Reason	Expired-Password		2
        VALUE	MS-ARAP-PW-Change-Reason	Admin-Requires-Password-Change	3
        VALUE	MS-ARAP-PW-Change-Reason	Password-Too-Short		4

        #	MS-Acct-Auth-Type Values

        VALUE		MS-Acct-Auth-Type	PAP		1
        VALUE		MS-Acct-Auth-Type	CHAP		2
        VALUE		MS-Acct-Auth-Type	MS-CHAP-1	3
        VALUE		MS-Acct-Auth-Type	MS-CHAP-2	4
        VALUE		MS-Acct-Auth-Type	EAP		5

        #	MS-Acct-EAP-Type Values

        VALUE		MS-Acct-EAP-Type	MD5		4
        VALUE		MS-Acct-EAP-Type	OTP		5
        VALUE		MS-Acct-EAP-Type	Generic-Token-Card	6
        VALUE		MS-Acct-EAP-Type	TLS		13

            

I have tried to expose my problem the best I can, but if you find that
something is missing, don't hesitate!

Thanks,
Robert

PS: using other protocols (PAP for example) works fine, but we need
mschap support!


