PPTP + FreeRadius + LDAP
Alexandre Chapellon
alexandre.chapellon at mana.pf
Wed Nov 26 20:38:29 CET 2008
On 26.11.2008 09:32, Douglas Macedo wrote:
> Alexandre,
>
> if I try mschapv2 in Windons client:
>
> --
> rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46, length=52
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "nobody"
> NAS-IP-Address = 1.1.1.1
> NAS-Port = 0
Did you truncate the Access-Request before posting???.... There is no
information about the CHAP challenge, so there is no way FreeRADIUS can handle it
with rlm_chap...
Additionally, your pptp config seems strange to me....
You *REQUIRE* chap + mschap + mschapv2!!! Shouldn't a requirement be
unique? I would just keep require mschapv2 (and so force the Windows client to use it).
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched entry DEFAULT at line 198
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for nobody
> radius_xlat: '(&(objectClass=posixAccount)(uid=nobody))'
> radius_xlat: 'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
> ldap.telemedicina.ufsc.br:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br,
> with filter (&(objectClass=posixAccount)(uid=nobody))
> rlm_ldap: Password header not found in password
> 5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding sambaNtPassword as NT-Password, value
> 5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
> rlm_ldap: Adding sambaLmPassword as LM-Password, value
> 89E0B38AC380D2B8AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_pap: No clear-text password in the request. Not performing PAP.
> modcall[authorize]: module "pap" returns noop for request 1
> modcall: leaving group authorize (returns ok) for request 1
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [nobody] (from client access-vpn port 0)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> --
>
> Any idea?
>
> Thanks in advance,
> Douglas
>
> On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon
> <alexandre.chapellon at mana.pf> wrote:
>
> Try forcing the Windows PPTP client to use mschapv2.
>
> On 26.11.2008 09:15, Douglas Macedo wrote:
>> Sorry Alan,
>>
>> but the web page says that it doesn't work. Is it impossible? Correct?
>>
>> So, how can I fix that another way?
>>
>> My pptp-options:
>>
>> ==
>> epiderme:/etc/ppp# cat pptpd-options
>> name pptpd
>> refuse-pap
>> ##refuse-chap
>> require-chap
>> ##refuse-mschap
>> require-mschap
>> require-mschap-v2
>> require-mppe-128
>> proxyarp
>> nodefaultroute
>> debug
>> lock
>> nobsdcomp
>> plugin radius.so
>> #plugin radattr.so
>> radius-config-file /etc/radiusclient/radiusclient.conf
>> auth
>> ==
>>
>> And my radiusd.conf:
>>
>> ==
>> prefix = /usr/local
>> exec_prefix = ${prefix}
>> sysconfdir = ${prefix}/etc
>> localstatedir = /var
>> sbindir = ${exec_prefix}/sbin
>> logdir = /var/log
>> raddbdir = ${sysconfdir}/raddb
>> radacctdir = ${logdir}/radacct
>> confdir = ${raddbdir}
>> run_dir = ${localstatedir}/run/radiusd
>> log_file = ${logdir}/radius.log
>> libdir = ${exec_prefix}/lib
>> pidfile = ${run_dir}/radiusd.pid
>> max_request_time = 30
>> delete_blocked_requests = no
>> cleanup_delay = 5
>> max_requests = 1024
>> bind_address = *
>> port = 0
>> hostname_lookups = no
>> allow_core_dumps = no
>> regular_expressions = yes
>> extended_expressions = yes
>> log_stripped_names = no
>> log_auth = yes
>> log_auth_badpass = no
>> log_auth_goodpass = no
>> usercollide = no
>> lower_user = no
>> lower_pass = no
>> nospace_user = no
>> nospace_pass = no
>> checkrad = ${sbindir}/checkrad
>> security {
>> max_attributes = 200
>> reject_delay = 1
>> status_server = no
>> }
>> proxy_requests = no
>> $INCLUDE ${confdir}/clients.conf
>> snmp = no
>> thread pool {
>> start_servers = 5
>> max_servers = 32
>> min_spare_servers = 3
>> max_spare_servers = 10
>> max_requests_per_server = 0
>> }
>> modules {
>> pap {
>> encryption_scheme = crypt
>> }
>> chap {
>> authtype = CHAP
>> }
>> unix {
>> cache = no
>> cache_reload = 600
>> radwtmp = ${logdir}/radwtmp
>> }
>> mschap {
>> authtype = MS-CHAP
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = yes
>> }
>> ldap {
>> server = "ldap.telemedicina.ufsc.br"
>> identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
>> password = "XXXXXXX"
>> basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
>> filter = "(&(objectClass=posixAccount)(uid=%u))"
>>
>> start_tls = no
>> dictionary_mapping = ${raddbdir}/ldap.attrmap
>> ldap_connections_number = 5
>> password_header = "{Cleartext-Password}"
>> password_attribute = sambaNTPassword
>> timeout = 4
>> timelimit = 3
>> net_timeout = 1
>> compare_check_items = no
>> }
>> realm suffix {
>> format = suffix
>> delimiter = "@"
>> ignore_default = no
>> ignore_null = no
>> }
>> checkval {
>> item-name = Calling-Station-Id
>> check-name = Calling-Station-Id
>> data-type = string
>> }
>> preprocess {
>> huntgroups = ${confdir}/huntgroups
>> hints = ${confdir}/hints
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> }
>> files {
>> usersfile = ${confdir}/users
>> compat = no
>> }
>> detail {
>> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>> detailperm = 0600
>> }
>> acct_unique {
>> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> }
>> radutmp {
>> filename = ${logdir}/radutmp
>> username = %{User-Name}
>> case_sensitive = yes
>> check_with_nas = yes
>> perm = 0600
>> callerid = "yes"
>> }
>> radutmp sradutmp {
>> filename = ${logdir}/sradutmp
>> perm = 0644
>> callerid = "no"
>> }
>> attr_filter {
>> attrsfile = ${confdir}/attrs
>> }
>> counter daily {
>> filename = ${raddbdir}/db.daily
>> key = User-Name
>> count-attribute = Acct-Session-Time
>> reset = daily
>> counter-name = Daily-Session-Time
>> check-name = Max-Daily-Session
>> allowed-servicetype = Framed-User
>> cache-size = 5000
>> }
>> always fail {
>> rcode = fail
>> }
>> always reject {
>> rcode = reject
>> }
>> always ok {
>> rcode = ok
>> simulcount = 0
>> mpp = no
>> }
>> expr {
>> }
>> digest {
>> }
>> exec {
>> wait = yes
>> input_pairs = request
>> }
>> exec echo {
>> wait = yes
>> program = "/bin/echo %{User-Name}"
>> input_pairs = request
>> output_pairs = reply
>> }
>> ippool main_pool {
>> range-start = 150.162.67.201
>> range-stop = 150.162.67.220
>> netmask = 255.255.255.0
>> cache-size = 800
>> session-db = ${raddbdir}/db.ippool
>> ip-index = ${raddbdir}/db.ipindex
>> override = no
>> maximum-timeout = 0
>> }
>> }
>> instantiate {
>> exec
>> expr
>> }
>> authorize {
>> preprocess
>> files
>> ldap
>> chap
>> mschap
>> suffix
>> #eap
>> pap
>> }
>> authenticate {
>> Auth-Type PAP {
>> pap
>> }
>> Auth-Type LDAP {
>> ldap
>> }
>> Auth-Type CHAP {
>> chap
>> }
>> Auth-Type MS-CHAP {
>> mschap
>> }
>> unix
>> #eap
>> }
>> preacct {
>> preprocess
>> #acct_unique
>> #files
>> }
>> accounting {
>> detail
>> unix
>> radutmp
>> }
>> session {
>> radutmp
>> }
>> post-auth {
>> #main_pool
>> #ldap
>> }
>> pre-proxy {
>> }
>> post-proxy {
>> #eap
>> }
>> ==
>>
>> I appreciate your help.
>>
>> Thanks a lot,
>> Douglas
>>
>> On Wed, Nov 26, 2008 at 5:04 PM, Alan DeKok
>> <aland at deployingradius.com> wrote:
>>
>> Douglas Macedo wrote:
>> > how I can fix that?
>>
>> Read the web page. It tells you.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>> --
>> Douglas Macedo
>> dmacedo at gmail.com
>> --
>> The intelligence of an individual is measured by the amount of
>> uncertainty he is able to bear.
>> (Immanuel Kant)
>
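The two points in the reply above, that an Access-Request carrying no CHAP or MS-CHAP attributes leaves every authorize module at noop, and that pptpd-options requires three protocols at once, as an added Python example that is not code from the thread or from FreeRADIUS. The attribute-to-Auth-Type mapping is a simplified model of the 1.x chap/mschap/pap modules, and the sample inputs are constructed from the quoted log and config.

```python
import re
# Attributes each FreeRADIUS 1.x authorize module looks for before it sets
# Auth-Type (simplified model): a set that must all be present, plus a set of
# which at least one must be present.
TRIGGERS = {
    "CHAP":    ({"CHAP-Password"}, set()),                                            # rlm_chap
    "MS-CHAP": ({"MS-CHAP-Challenge"}, {"MS-CHAP-Response", "MS-CHAP2-Response"}),   # rlm_mschap
    "PAP":     ({"User-Password"}, set()),                                            # rlm_pap
}
# Stored credential forms each method can be verified against: CHAP needs the
# clear-text password, MS-CHAP can work from the NT hash (sambaNTPassword).
VERIFIABLE_WITH = {
    "CHAP":    {"Cleartext-Password"},
    "MS-CHAP": {"Cleartext-Password", "NT-Password"},
    "PAP":     {"Cleartext-Password", "NT-Password", "LM-Password", "Crypt-Password"},
}

def pick_auth_type(request_attrs):
    """Return the Auth-Type the authorize section would set, or None when every
    module returns noop (the 'No authenticate method' reject seen in the log)."""
    present = set(request_attrs)
    for auth_type, (required, any_of) in TRIGGERS.items():
        if required <= present and (not any_of or any_of & present):
            return auth_type
    return None

def diagnose(request_attrs, stored_forms):
    auth_type = pick_auth_type(request_attrs)
    if auth_type is None:
        return "reject: no CHAP/MS-CHAP/PAP credentials in the Access-Request"
    if not VERIFIABLE_WITH[auth_type] & set(stored_forms):
        return f"reject: Auth-Type {auth_type} cannot be checked against {sorted(stored_forms)}"
    return f"ok: Auth-Type {auth_type}"

def conflicting_requires(pptpd_options):
    """List the protocols a pptpd-options file requires at once; with chap, mschap
    and mschap-v2 all allowed, the client may end up on a variant rlm_chap cannot
    verify against an NT hash, so only require-mschap-v2 should remain."""
    reqs = [m.group(1) for line in pptpd_options.splitlines()
            if (m := re.match(r"\s*require-(chap|mschap-v2|mschap|pap)\s*$", line))]
    return reqs if len(reqs) > 1 else []

# Constructed from the thread: the Access-Request carried only these attributes,
# and rlm_ldap mapped sambaNTPassword/sambaLMPassword to NT-/LM-Password.
REQUEST = ["Service-Type", "Framed-Protocol", "User-Name", "NAS-IP-Address", "NAS-Port"]
STORED = ["NT-Password", "LM-Password"]
PPTPD_OPTIONS = "name pptpd\nrefuse-pap\n##refuse-chap\nrequire-chap\n##refuse-mschap\nrequire-mschap\nrequire-mschap-v2\nrequire-mppe-128\n"

if __name__ == "__main__":
    print(diagnose(REQUEST, STORED), conflicting_requires(PPTPD_OPTIONS))
```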