PPTP + FreeRadius + LDAP
Douglas Macedo
dmacedo at gmail.com
Wed Nov 26 20:32:00 CET 2008
Alexandre,
if I try mschapv2 in Windons client:
--
rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
length=52
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "nobody"
NAS-IP-Address = 1.1.1.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry DEFAULT at line 198
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nobody
radius_xlat: '(&(objectClass=posixAccount)(uid=nobody))'
radius_xlat: 'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
ldap.telemedicina.ufsc.br:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br, with
filter (&(objectClass=posixAccount)(uid=nobody))
rlm_ldap: Password header not found in password
5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNtPassword as NT-Password, value
5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
rlm_ldap: Adding sambaLmPassword as LM-Password, value
89E0B38AC380D2B8AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: No clear-text password in the request. Not performing PAP.
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [nobody] (from client access-vpn port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--
Any idea?
Thanks in advanced,
Douglas
On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon <
alexandre.chapellon at mana.pf> wrote:
> trying forcing windows pptp client to use mschapv2
>
> Le 26.11.2008 09:15, Douglas Macedo a écrit :
>
> Sorry Alan,
>
> but the webpage tells that its don't work. Its impossible? Correct?
>
> So, how I can fix that the other way?
>
> My pptp-options:
>
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2
> require-mppe-128
> proxyarp
> nodefaultroute
> debug
> lock
> nobsdcomp
> plugin radius.so
> #plugin radattr.so
> radius-config-file /etc/radiusclient/radiusclient.conf
> auth
> ==
>
> And my radiusd.conf:
>
> ==
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests = no
> $INCLUDE ${confdir}/clients.conf
> snmp = no
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> }
> ldap {
> server = "ldap.telemedicina.ufsc.br"
> identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
> password = "XXXXXXX"
> basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
> filter = "(&(objectClass=posixAccount)(uid=%u))"
>
> start_tls = no
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> password_header = "{Cleartext-Password}"
> password_attribute = sambaNTPassword
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = no
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> compat = no
> }
> detail {
> detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> }
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
> callerid = "yes"
> }
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
> always fail {
> rcode = fail
> }
> always reject {
> rcode = reject
> }
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
> expr {
> }
> digest {
> }
> exec {
> wait = yes
> input_pairs = request
> }
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = request
> output_pairs = reply
> }
> ippool main_pool {
> range-start = 150.162.67.201
> range-stop = 150.162.67.220
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> maximum-timeout = 0
> }
> }
> instantiate {
> exec
> expr
> }
> authorize {
> preprocess
> files
> ldap
> chap
> mschap
> suffix
> #eap
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type LDAP {
> ldap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> unix
> #eap
> }
> preacct {
> preprocess
> #acct_unique
> #files
> }
> accounting {
> detail
> unix
> radutmp
> }
> session {
> radutmp
> }
> post-auth {
> #main_pool
> #ldap
> }
> pre-proxy {
> }
> post-proxy {
> #eap
> }
> ==
>
> I apreciate your help.
>
> Thanks a lot,
> Douglas
>
> On Wed, Nov 26, 2008 at 5:04 PM, Alan DeKok <aland at deployingradius.com>wrote:
>
>> Douglas Macedo wrote:
>> > how I can fix that?
>>
>> Read the web page. It tells you.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> Douglas Macedo
> dmacedo at gmail.com
> --
> Avalia-se a inteligência de um indivíduo pela quantidade de incertezas que
> ele é capaz de suportar.
> (Immanuel Kant)
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Douglas Macedo
dmacedo at gmail.com
--
Avalia-se a inteligência de um indivíduo pela quantidade de incertezas que
ele é capaz de suportar.
(Immanuel Kant)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081126/8009c590/attachment.html>
More information about the Freeradius-Users
mailing list