My PPTP+802.1X+MS-CHAP+EAP+OpenLDAP+MySQL Project.

Evan Vittitow evan at terralab.com
Wed Jan 10 23:40:04 CET 2007


I'm a hard core Linux User with a Linux infrastructure I am attempting
to expand upon and include FreeRadius, with my existing Linux-only
OpenLDAP, Kerberos, Samba, Bind Infrastructure.

Here is my situation.

I want to be able to create MS-CHAPv2 VPNs that use pptpd, pppd and
FreeRADIUS.
I want to secure my Wireless Access points using 802.1X and PEAP, or
EAP-TLS that are operated by my Cisco Aironet 340. I'm not interested in
encrypting traffic. I have UDP Protocols like Quake 3 that are degraded
by WPA, WEP and IPSec. IPSec may get implemented in due time, but for
now, that's not on the agenda. My current issue is securing the APs from
unauthorized access.

My Progress so far:

The issue with the VPNs is that even though the client-side PPP uses
MS-CHAP, FreeRADIUS is causing pppd to think it's authenticating normal CHAP.

Jan  9 03:09:00 kurama pppd[12373]: Peer User failed CHAP authentication
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: No MS-CHAP-Challenge in the request

Now, the server works fine when I turn off the RADIUS plugin and enter
stuff in the chap-secrets. This is the output of radiusd -fX:

rad_recv: Access-Request packet from host 127.0.0.1:35034, id=77, length=62
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "User"
        Calling-Station-Id = "192.168.0.3"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for User
radius_xlat:  '(uid=User)'
radius_xlat:  'dc=pukey'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to kurama.pukey:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=pukey/password to kurama.pukey:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=pukey, with filter (uid=User)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value
[U          ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value
AA6D039ED308809C... & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value
AEC210AF99DB43C... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user User authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "User", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 54
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Found LM-Password
  rlm_mschap: Found NT-Password
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.

Why is this happening?

I haven't started on the AP security yet, because this is holding me back.
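An added diagnostic example, not from the original post or the FreeRADIUS project: it parses radiusd -fX debug output of the kind shown above, collects the attributes of the Access-Request, and reports when the Auth-Type chosen in the authorize section requires attributes the request never carried (here, MS-CHAP selected while the request contains no MS-CHAP-Challenge or MS-CHAP-Response). The attribute requirements table is an assumption based on what each FreeRADIUS authentication module needs; the sample logs are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: abridged copy of the failing radiusd -fX output from the post.
FAILING_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:35034, id=77, length=62
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "User"
        NAS-IP-Address = 192.168.0.1
  Processing the authorize section of radiusd.conf
    users: Matched entry DEFAULT at line 54
  rad_check_password:  Found Auth-Type MS-CHAP
  rlm_mschap: No MS-CHAP-Challenge in the request
"""

# Constructed sample of a request that actually carries MS-CHAPv2 attributes.
WORKING_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:35035, id=78, length=120
        User-Name = "User"
        MS-CHAP-Challenge = 0x0011223344556677889900aabbccddee
        MS-CHAP2-Response = 0x01000000000000000000000000000000
  Processing the authorize section of radiusd.conf
  rad_check_password:  Found Auth-Type MS-CHAP
"""

# Request attributes each Auth-Type needs; inner tuples are alternatives (assumption).
REQUIRED = {
    "MS-CHAP": [("MS-CHAP-Challenge",), ("MS-CHAP-Response", "MS-CHAP2-Response")],
    "CHAP": [("CHAP-Password",)],
    "PAP": [("User-Password",)],
}

def parse_request(log: str) -> Dict[str, str]:
    """Collect attribute = value pairs of the first Access-Request in the debug log."""
    attrs: Dict[str, str] = {}
    in_request = False
    for line in log.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_request = True
            continue
        if in_request:
            m = re.match(r"\s+([\w-]+)\s*=\s*(.*)$", line)
            if not m:
                break  # indented attribute lines stop when section processing starts
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def found_auth_type(log: str) -> Optional[str]:
    """Return the Auth-Type rad_check_password reports, or None if none was set."""
    m = re.search(r"Found Auth-Type (\S+)", log)
    return m.group(1) if m else None

def diagnose(log: str) -> List[str]:
    """List mismatches between the selected Auth-Type and the request's attributes."""
    attrs, auth_type = parse_request(log), found_auth_type(log)
    if auth_type is None:
        return ["no Auth-Type was selected in the authorize section"]
    return [f"Auth-Type {auth_type} selected but request has no {' / '.join(alts)}"
            for alts in REQUIRED.get(auth_type, []) if not any(a in attrs for a in alts)]
```

Run it against a full radiusd -X capture from the NAS side to see whether the pppd RADIUS plugin is actually sending MS-CHAP attributes or only the framed-user attributes shown in the post.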
