PPTP + FreeRadius + LDAP
Alexandre Chapellon
alexandre.chapellon at mana.pf
Thu Nov 27 21:40:14 CET 2008
On 27.11.2008 10:15, Douglas Macedo wrote:
> Hey,
>
> I copied the dictionary to /etc/radiusclient. But now the connections
> don't target the Radius Server.
> --
> epiderme:/etc/radiusclient# ls -l
> total 68
> -rw-r--r-- 1 root root 6593 2008-11-27 15:02 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root 1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root 646 2008-11-27 14:20 dictionary.merit
> -rw-r--r-- 1 root root 599 2008-11-27 14:20 dictionary.merit.BKP
> -rwxr-xr-x 1 root root 3639 2008-11-27 14:42 dictionary.microsoft
> -rwxr-xr-x 1 root root 2697 2008-11-27 14:20 dictionary.microsoft.BKP
> -rw-r--r-- 1 root root 135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root 410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root 508 2008-11-27 13:29 radiusclient.conf
> -rwxr-xr-x 1 root root 2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw-r--r-- 1 root root 435 2008-11-27 12:17 radiusclient.conf.LIMPO
> -rw------- 1 root root 272 2008-11-24 13:12 servers
> --
>
> And include on dictionary:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep INCLUDE
> INCLUDE /etc/radiusclient/dictionary.merit
> INCLUDE /etc/radiusclient/dictionary.microsoft
> --
>
> Now, the pptp log:
Weird! You don't receive requests on RADIUS anymore?
>
> --
> Nov 27 15:14:32 epiderme pptpd[13058]: MGR: Launching
> /usr/sbin/pptpctrl to handle client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: local address =
> 150.162.67.200
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: remote address =
> 150.162.67.201
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pppd options file =
> /etc/ppp/pptpd-options
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54
> control connection started
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control
> Message (type: 1)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a START CTRL CONN
> RPLY packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 156 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control
> Message (type: 7)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Set parameters to
> 100000000 maxbps, 64 window size
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a OUT CALL RPLY packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Starting call (launching
> pppd, opening GRE)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pty_fd = 6
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: tty_fd = 7
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): program
> binary = /usr/sbin/pppd
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): local
> address = 150.162.67.200
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): remote
> address = 150.162.67.201
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin radius.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: RADIUS plugin initialized.
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin
> /usr/lib/pptpd/pptpd-logwtmp.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: pptpd-logwtmp: $Version$
> Nov 27 15:14:32 epiderme pppd[13059]: pppd 2.4.4 started by root, uid 0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 32 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pppd[13059]: using channel 322
> Nov 27 15:14:32 epiderme pppd[13059]: Using interface ppp0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control
> Message (type: 15)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Got a SET LINK INFO
> packet with standard ACCMs
> Nov 27 15:14:32 epiderme pppd[13059]: Connect: ppp0 <--> /dev/pts/2
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfReq id=0x1
> <asyncmap 0x0> <auth chap MS-v2> <magic 0x35f8d0db> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: Bad checksum from pppd.
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #0
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x0 <mru
> 1400> <magic 0x31fa2cf6> <pcomp> <accomp> <callback CBCP>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfRej id=0x0
> <callback CBCP>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #1
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfAck id=0x1
> <asyncmap 0x0> <auth chap MS-v2> <magic 0x35f8d0db> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #2
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x1 <mru
> 1400> <magic 0x31fa2cf6> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfAck id=0x1 <mru
> 1400> <magic 0x31fa2cf6> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP EchoReq id=0x0
> magic=0x35f8d0db]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Challenge id=0x43
> <8643b88179a03fce2ca15689bf84147b>, name = "pptpd"]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #3
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #4
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #5
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x2
> magic=0x31fa2cf6 "MSRASV5.10"]
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x3
> magic=0x31fa2cf6 "MSRAS-0-MOLAR"]
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP EchoRep id=0x0
> magic=0x31fa2cf6]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #6
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [CHAP Response id=0x43
> <318ca3c0e7f2e099a1f93ed8ca10717e00000000000000006b76deecbf9b1bd51ccc27f8183335f703835d5f6589e20400>,
> name = "douglas"]
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 6
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 7
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 1
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 4
> Nov 27 15:14:32 epiderme pppd[13059]: Peer douglas failed CHAP
> authentication
> Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Failure id=0x43 ""]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP TermReq id=0x2
> "Authentication failed"]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #7
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP TermAck id=0x2
> "Authentication failed"]
> Nov 27 15:14:32 epiderme pppd[13059]: Connection terminated.
> Nov 27 15:14:32 epiderme pppd[13059]: Exit.
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE:
> read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error
> = Input/output error, usually caused by unexpected termination of
> pppd, check option syntax and pppd logs
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: PTY read or GRE write
> failed (pty,gre)=(6,7)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Reaping child PPP[13059]
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54
> control connection finished
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Exiting now
> Nov 27 15:14:32 epiderme pptpd[13024]: MGR: Reaped child 13058
> --
>
Have you tested your pptpd work with local authentication first (without
radius)?
> So, the problem persists:
>
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 6
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 7
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 1
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 4
>
> And:
>
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE:
> read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error
> = Input/output error, usually caused by unexpected termination of
> pppd, check option syntax and pppd logs
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: PTY read or GRE write
> failed (pty,gre)=(6,7)
>
That's why you should first test with credentials in chap-secrets, and
only then set up RADIUS (if you haven't already done so).
> What do you think? I put the dictionaries here for you to look at:
>
> (dictionary.microsoft)
> --
>
> #
> # Microsoft's VSA's, from RFC 2548
> #
> # $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
> #
>
> VENDOR Microsoft 311 Microsoft
>
> ATTRIBUTE MS-CHAP-Response 1 string Microsoft
> ATTRIBUTE MS-CHAP-Error 2 string Microsoft
> ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
> ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
> ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
> ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
> ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
> # This is referred to as both singular and plural in the RFC.
> # Plural seems to make more sense.
> ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
> ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
> ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
> ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
> ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
> ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
> ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
> ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
> ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
> ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
> ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
> ATTRIBUTE MS-RAS-Version 18 string Microsoft
> ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
> ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
> ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
>
> ATTRIBUTE MS-Filter 22 string Microsoft
> ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
> ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
>
> ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
> ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
> ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
>
> ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
> ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
> ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
> ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
>
> #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
>
>
> #
> # Integer Translations
> #
>
> # MS-BAP-Usage Values
>
> VALUE MS-BAP-Usage Not-Allowed 0
> VALUE MS-BAP-Usage Allowed 1
> VALUE MS-BAP-Usage Required 2
>
> # MS-ARAP-Password-Change-Reason Values
>
> VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
> VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
> VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
> VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
>
> # MS-Acct-Auth-Type Values
>
> VALUE MS-Acct-Auth-Type PAP 1
> VALUE MS-Acct-Auth-Type CHAP 2
> VALUE MS-Acct-Auth-Type MS-CHAP-1 3
> VALUE MS-Acct-Auth-Type MS-CHAP-2 4
> VALUE MS-Acct-Auth-Type EAP 5
>
> # MS-Acct-EAP-Type Values
>
> VALUE MS-Acct-EAP-Type MD5 4
> VALUE MS-Acct-EAP-Type OTP 5
> VALUE MS-Acct-EAP-Type Generic-Token-Card 6
> VALUE MS-Acct-EAP-Type TLS 13
> ----
>
> Thanks in advance!
>
> Douglas
>
> On Thu, Nov 27, 2008 at 4:06 PM, Alexandre Chapellon
> <alexandre.chapellon at mana.pf> wrote:
>
>
>
> On 27.11.2008 07:17, Douglas Macedo wrote:
>> Hey TNT,
>>
>> On Thu, Nov 27, 2008 at 2:54 PM, <tnt at kalik.net> wrote:
>>
>> >I forced the Windows client to use only mschap2, but the
>> problem continues:
>> >
>> >-
>> >Module: Instantiated radutmp (radutmp)
>> >Listening on authentication *:1812
>> >Listening on accounting *:1813
>> >Ready to process requests.
>> >rad_recv: Access-Request packet from host
>> 150.162.67.254:32858, id=109,
>> >length=53
>> > Service-Type = Framed-User
>> > Framed-Protocol = PPP
>> > User-Name = "douglas"
>> > NAS-IP-Address = 1.1.1.1
>> > NAS-Port = 0
>>
>> This has nothing to do with freeradius. I don't see your NAS
>> sending
>> mschap attributes.
>>
>>
>> How can I fix that? Where do I configure that?
>>
>>
>>
>> >In PPTP debug show:
>> >
>> ..
>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
>> attribute 11
>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
>> attribute 25
>>
>> Has your radius client got mschap dictionary?
>>
>>
>> I'm using the RadiusClient1 of Debian.
>>
>> --
>> epiderme:/etc/radiusclient# ls -l
>> total 52
>> -rw-r--r-- 1 root root 6502 2008-11-26 13:10 dictionary
>> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
>> -rw-r--r-- 1 root root 1517 2006-10-29 08:54 dictionary.compat
>> -rw-r--r-- 1 root root 599 2006-10-29 08:54 dictionary.merit
>> -rw-r--r-- 1 root root 135 2006-10-29 08:54 issue
>> -rw-r--r-- 1 root root 410 2006-10-29 08:54 port-id-map
>> -rw-r--r-- 1 root root 2630 2008-11-24 15:24 radiusclient.conf
>> -rwxr-xr-x 1 root root 2621 2008-11-24 13:33 radiusclient.conf.EPI
>> -rw------- 1 root root 272 2008-11-24 13:12 servers
>> --
>
> Copy the Microsoft dictionary from your freeradius install to your
> pptp server, and add it to the dictionary list.
> Additionally (this may not be related to your problem), having
> multiple require-<protocols> in pptpd config is nonsense; if
> you want to enable multiple protocols for authentication, use
> +pap, +chap, +mschap.... instead of require-...
>
>
>>
>> --
>> epiderme:/etc/radiusclient# cat radiusclient.conf
>> auth_order radius,local
>> login_tries 4
>> login_timeout 60
>> nologin /etc/nologin
>> issue /etc/radiusclient/issue
>> authserver ldap.telemedicina.ufsc.br
>> acctserver ldap.telemedicina.ufsc.br
>> servers /etc/radiusclient/servers
>> dictionary /etc/radiusclient/dictionary
>> login_radius /usr/sbin/login.radius
>> seqfile /var/run/radius.seq
>> mapfile /etc/radiusclient/port-id-map
>> default_realm
>> radius_timeout 10
>> radius_retries 3
>> login_local /bin/login
>> --
>>
>>
>> But I didn't find the attributes for MS-CHAP:
>>
>> --
>> epiderme:/etc/radiusclient# cat dictionary | grep MS-CHAP
>> epiderme:/etc/radiusclient# cat dictionary | grep MSCHAP
>> epiderme:/etc/radiusclient# cat dictionary | grep mschap
>> --
>>
>> Just to CHAP:
>>
>> --
>> epiderme:/etc/radiusclient# cat dictionary | grep -i chap
>> ATTRIBUTE CHAP-Password 3 string
>> ATTRIBUTE Chap-Challenge 60 string
>> --
>>
>> Is that correct?
> No, you need MS-CHAP attributes.
>>
>> Thanks a lot in advance,
>> Douglas
>>
>>
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>>
>>
>> --
>> Douglas Macedo
>> dmacedo at gmail.com
>> --
>> One judges a person's intelligence by the amount of
>> uncertainty he is able to bear.
>> (Immanuel Kant)
>> ------------------------------------------------------------------------
>> - List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
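As an added diagnostic example, written for this archive page and not code from the thread, from radiusclient or from pppd: the script below parses a radiusclient-style dictionary (ATTRIBUTE, VENDOR, VALUE and INCLUDE lines), then maps the numbers in pppd's `rc_avpair_new: unknown attribute N` messages back to attribute names, so that the two failure modes seen above can be told apart. The file contents, paths and log lines are constructed; the ids 1, 4, 6 and 7 are the standard User-Name, NAS-IP-Address, Service-Type and Framed-Protocol attributes that appear in the Access-Request earlier in the thread, and 11 and 25 are MS-CHAP-Challenge and MS-CHAP2-Response from the Microsoft dictionary. It assumes the logged number is the attribute id as written in the dictionary (base id or vendor sub-id); when that id is defined in the files you parse but pppd still reports it unknown, the running radius plugin is reading a different dictionary than the one you edited (the `dictionary` path in radiusclient.conf).

```python
"""Added example (not from the thread, radiusclient or pppd): parse a radiusclient-style
RADIUS dictionary, follow INCLUDE lines, and explain pppd's
'rc_avpair_new: unknown attribute N' messages against the result."""
import re
from typing import Dict, List, Optional, Tuple

AttrKey = Tuple[Optional[str], int]          # (vendor name or None for the base space, id)
AttrTable = Dict[AttrKey, Tuple[str, str]]   # -> (attribute name, data type)

# Constructed sample files keyed by path so INCLUDE resolves offline; the ids and
# names are the standard RFC 2865 / RFC 2548 ones that appear in the thread.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/radiusclient/dictionary": """\
ATTRIBUTE User-Name        1  string
ATTRIBUTE NAS-IP-Address   4  ipaddr
ATTRIBUTE Service-Type     6  integer
ATTRIBUTE Framed-Protocol  7  integer
VALUE Service-Type Framed-User 2
INCLUDE /etc/radiusclient/dictionary.microsoft
""",
    "/etc/radiusclient/dictionary.microsoft": """\
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response   1  string Microsoft
ATTRIBUTE MS-CHAP-Challenge  11 string Microsoft
ATTRIBUTE MS-CHAP2-Response  25 string Microsoft
""",
}

# Constructed pppd log lines in the shape the thread shows.
SAMPLE_LOG = [
    "Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 6",
    "Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 11",
    "Nov 27 15:14:32 epiderme pppd[13059]: Peer douglas failed CHAP authentication",
]


def load_dictionary(path: str, files: Dict[str, str], attrs: Optional[AttrTable] = None,
                    vendors: Optional[Dict[str, int]] = None, depth: int = 0) -> AttrTable:
    """Parse a dictionary file and its INCLUDEs. Raises ValueError on a malformed line
    or on an ATTRIBUTE naming a vendor that no VENDOR line has declared yet."""
    attrs = {} if attrs is None else attrs
    vendors = {} if vendors is None else vendors
    if depth > 8:
        raise ValueError(f"INCLUDE nesting too deep at {path}")
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "INCLUDE" and len(parts) == 2:
            load_dictionary(parts[1], files, attrs, vendors, depth + 1)
        elif keyword == "VENDOR" and len(parts) >= 3:
            vendors[parts[1]] = int(parts[2])
        elif keyword == "ATTRIBUTE" and len(parts) in (4, 5):
            vendor = parts[4] if len(parts) == 5 else None
            if vendor is not None and vendor not in vendors:
                raise ValueError(f"{path}:{lineno}: vendor {vendor!r} used before its VENDOR line")
            attrs[(vendor, int(parts[2]))] = (parts[1], parts[3])
        elif keyword != "VALUE":              # VALUE enum labels are irrelevant here
            raise ValueError(f"{path}:{lineno}: unrecognised line {raw!r}")
    return attrs


UNKNOWN_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")


def explain_unknown(log_lines: List[str], attrs: AttrTable) -> Dict[int, List[str]]:
    """Map each logged 'unknown attribute N' to the parsed entries with id N.
    Empty list: no loaded file defines that id, the dictionary is incomplete.
    Non-empty: the id is defined in the files parsed here, so the running pppd is
    reading a different dictionary (check 'dictionary' in radiusclient.conf)."""
    result: Dict[int, List[str]] = {}
    for line in log_lines:
        match = UNKNOWN_RE.search(line)
        if match:
            attr_id = int(match.group(1))
            result[attr_id] = sorted(f"{name} (vendor {vendor})" if vendor else name
                                     for (vendor, aid), (name, _) in attrs.items()
                                     if aid == attr_id)
    return result


# Ids pppd reported unknown in the thread: 11 and 25 (Microsoft) before the MS
# dictionary was added, then base 6, 7, 1, 4 (Service-Type, Framed-Protocol,
# User-Name, NAS-IP-Address, the attributes visible in the Access-Request) after.
REQUIRED: List[AttrKey] = [(None, 1), (None, 4), (None, 6), (None, 7),
                           ("Microsoft", 11), ("Microsoft", 25)]


def missing_required(attrs: AttrTable, required: List[AttrKey] = REQUIRED) -> List[AttrKey]:
    """Return the required (vendor, id) keys the parsed dictionary does not define."""
    return [key for key in required if key not in attrs]


if __name__ == "__main__":
    table = load_dictionary("/etc/radiusclient/dictionary", SAMPLE_FILES)
    print("missing:", missing_required(table))
    for attr_id, names in explain_unknown(SAMPLE_LOG, table).items():
        print(attr_id, "->", names or "not defined in any loaded file")
```

Run it against a copy of the real files by replacing `SAMPLE_FILES` with a mapping read from disk. Two checks are worth the effort: that the Microsoft vendor attributes load at all (a pasted dictionary.microsoft without its VENDOR line fails with a ValueError here rather than silently dropping every MS-CHAP attribute), and that a logged id which resolves fine in the parsed files points at a path mismatch rather than at the dictionary contents.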