Radius Server refusing to MS-CHAP

Evan Vittitow evan at terralab.com
Thu Jan 11 22:32:44 CET 2007


This is the configuration producing the MS-CHAP issue. No matter what I
do, it wants to use CHAP  instead of MS-CHAP

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
raddbdir = /etc/raddb
radacctdir = /var/log/radius/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
$INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
        use_mppe = no
        require_encryption = no
        require_strong = no
    }
    ldap {
        server = "kurama.pukey"
        identity = "cn=Manager,dc=pukey"
        password = password
        basedn = "dc=pukey"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"

        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }    
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
    }
    $INCLUDE  ${confdir}/sql.conf
    
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes        
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.101.1
        range-stop = 192.168.101.99
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}
instantiate {
    exec
    expr
}
authorize {
    preprocess
    ldap
    mschap
    suffix
    eap
    files
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    sql
}
session {
    radutmp
}
post-auth {
    sql
}
pre-proxy {
}
post-proxy {
    eap
}

users
DEFAULT Auth-Type := MS-CHAP
    Fall-Through = 1

ldap.attrmap

#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
#   ItemType    RADIUS-Attribute-Name        ldapAttributeName
#
# Where:
#   ItemType              = checkItem or replyItem
#   RADIUS-Attribute-Name = attribute name in RADIUS dictionary
#   ldapAttributeName     = attribute name in LDAP schema
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#

checkItem    $GENERIC$            radiusCheckItem
replyItem    $GENERIC$            radiusReplyItem

checkItem    Auth-Type            radiusAuthType
checkItem    Simultaneous-Use        radiusSimultaneousUse
checkItem    Called-Station-Id        radiusCalledStationId
checkItem    Calling-Station-Id        radiusCallingStationId
checkItem    LM-Password            sambaLMPassword
checkItem    NT-Password            sambaNTPassword
checkItem    SMB-Account-CTRL-TEXT        sambaAcctFlags
checkItem    Expiration            radiusExpiration
checkItem    NAS-IP-Address            radiusNASIpAddress

replyItem    Service-Type            radiusServiceType
replyItem    Framed-Protocol            radiusFramedProtocol
replyItem    Framed-IP-Address        radiusFramedIPAddress
replyItem    Framed-IP-Netmask        radiusFramedIPNetmask
replyItem    Framed-Route            radiusFramedRoute
replyItem    Framed-Routing            radiusFramedRouting
replyItem    Filter-Id            radiusFilterId
replyItem    Framed-MTU            radiusFramedMTU
replyItem    Framed-Compression        radiusFramedCompression
replyItem    Login-IP-Host            radiusLoginIPHost
replyItem    Login-Service            radiusLoginService
replyItem    Login-TCP-Port            radiusLoginTCPPort
replyItem    Callback-Number            radiusCallbackNumber
replyItem    Callback-Id            radiusCallbackId
replyItem    Framed-IPX-Network        radiusFramedIPXNetwork
replyItem    Class                radiusClass
replyItem    Session-Timeout            radiusSessionTimeout
replyItem    Idle-Timeout            radiusIdleTimeout
replyItem    Termination-Action        radiusTerminationAction
replyItem    Login-LAT-Service        radiusLoginLATService
replyItem    Login-LAT-Node            radiusLoginLATNode
replyItem    Login-LAT-Group            radiusLoginLATGroup
replyItem    Framed-AppleTalk-Link        radiusFramedAppleTalkLink
replyItem    Framed-AppleTalk-Network    radiusFramedAppleTalkNetwork
replyItem    Framed-AppleTalk-Zone        radiusFramedAppleTalkZone
replyItem    Port-Limit            radiusPortLimit
replyItem    Login-LAT-Port            radiusLoginLATPort
replyItem    Reply-Message            radiusReplyMessage

eap.conf

    eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
            auth_type = PAP
        }
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = /dev/urandom
        }
        peap {
        default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }

clients.conf
#client some.host.org {
#    secret        =
#    shortname    = localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#    secret        = testing-1
#    shortname    = private-network-1
#}
#
#client 192.168.0.0/16 {
#    secret        = testing-2
#    shortname    = private-network-2
#}


#client 10.10.10.10 {
#    # secret and password are mapped through the "secrets" file.
#    secret      = testing
#    shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#    nastype     = livingston
#    login       = !root
#    password    = someadminpas
#}


I've removed passwords.

/etc/ppp/opions.pptpd

lock
nobsdcomp
nodeflate
mtu 1000
mru 1000
debug
auth
-chap
-mschap
+mschap-v2
plugin radius.so
plugin radattr.so




More information about the Freeradius-Users mailing list