PPTP + FreeRadius + LDAP

Douglas Macedo dmacedo at gmail.com
Fri Nov 28 04:19:41 CET 2008


Alexandre,

that works. The problem is that the dictionaries of radiusclient aren't
correct. The default Microsoft dictionary doesn't work perfectly.

I use this page to modify my dictionary.microsoft:

http://wiki.freeradius.org/PopTop#The_radiusclient_setup_part_.28on_the_Poptop_server.29

Now that's fine!!

Thanks a lot all!! Thanks ..

Cheers,
Douglas

On Thu, Nov 27, 2008 at 6:40 PM, Alexandre Chapellon <
alexandre.chapellon at mana.pf> wrote:

>
>
> On 27.11.2008 10:15, Douglas Macedo wrote:
>
> Hey,
>
> I copied the dictionary to /etc/radiusclient. But now the connections don't
> target the Radius server.
> --
> epiderme:/etc/radiusclient# ls -l
> total 68
> -rw-r--r-- 1 root root  6593 2008-11-27 15:02 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root   646 2008-11-27 14:20 dictionary.merit
> -rw-r--r-- 1 root root   599 2008-11-27 14:20 dictionary.merit.BKP
> -rwxr-xr-x 1 root root  3639 2008-11-27 14:42 dictionary.microsoft
> -rwxr-xr-x 1 root root  2697 2008-11-27 14:20 dictionary.microsoft.BKP
> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root   508 2008-11-27 13:29 radiusclient.conf
> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw-r--r-- 1 root root   435 2008-11-27 12:17 radiusclient.conf.LIMPO
> -rw------- 1 root root   272 2008-11-24 13:12 servers
> --
>
> And include on dictionary:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep INCLUDE
> INCLUDE /etc/radiusclient/dictionary.merit
> INCLUDE /etc/radiusclient/dictionary.microsoft
> --
>
> Now, the pptp log:
>
>
> Weird! You don't receive requests on radius anymore?
>
>
>
> --
> Nov 27 15:14:32 epiderme pptpd[13058]: MGR: Launching /usr/sbin/pptpctrl to
> handle client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: local address =
> 150.162.67.200
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: remote address =
> 150.162.67.201
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pppd options file =
> /etc/ppp/pptpd-options
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54 control
> connection started
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
> (type: 1)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a START CTRL CONN RPLY
> packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 156 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
> (type: 7)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Set parameters to 100000000
> maxbps, 64 window size
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a OUT CALL RPLY packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Starting call (launching pppd,
> opening GRE)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pty_fd = 6
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: tty_fd = 7
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): program binary
> = /usr/sbin/pppd
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): local address
> = 150.162.67.200
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): remote address
> = 150.162.67.201
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin radius.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: RADIUS plugin initialized.
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin
> /usr/lib/pptpd/pptpd-logwtmp.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: pptpd-logwtmp: $Version$
> Nov 27 15:14:32 epiderme pppd[13059]: pppd 2.4.4 started by root, uid 0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 32 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pppd[13059]: using channel 322
> Nov 27 15:14:32 epiderme pppd[13059]: Using interface ppp0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
> (type: 15)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Got a SET LINK INFO packet
> with standard ACCMs
> Nov 27 15:14:32 epiderme pppd[13059]: Connect: ppp0 <--> /dev/pts/2
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfReq id=0x1 <asyncmap
> 0x0> <auth chap MS-v2> <magic 0x35f8d0db> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: Bad checksum from pppd.
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #0
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x0 <mru 1400>
> <magic 0x31fa2cf6> <pcomp> <accomp> <callback CBCP>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfRej id=0x0 <callback
> CBCP>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #1
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfAck id=0x1 <asyncmap
> 0x0> <auth chap MS-v2> <magic 0x35f8d0db> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #2
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x1 <mru 1400>
> <magic 0x31fa2cf6> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfAck id=0x1 <mru 1400>
> <magic 0x31fa2cf6> <pcomp> <accomp>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP EchoReq id=0x0
> magic=0x35f8d0db]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Challenge id=0x43
> <8643b88179a03fce2ca15689bf84147b>, name = "pptpd"]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #3
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #4
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #5
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x2
> magic=0x31fa2cf6 "MSRASV5.10"]
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x3
> magic=0x31fa2cf6 "MSRAS-0-MOLAR"]
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP EchoRep id=0x0
> magic=0x31fa2cf6]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #6
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [CHAP Response id=0x43
> <318ca3c0e7f2e099a1f93ed8ca10717e00000000000000006b76deecbf9b1bd51ccc27f8183335f703835d5f6589e20400>,
> name = "douglas"]
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 6
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 7
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 1
> Nov 27 15:14:32 epiderme pppd[13059]: rc_avpair_new: unknown attribute 4
> Nov 27 15:14:32 epiderme pppd[13059]: Peer douglas failed CHAP
> authentication
> Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Failure id=0x43 ""]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP TermReq id=0x2
> "Authentication failed"]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #7
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP TermAck id=0x2
> "Authentication failed"]
> Nov 27 15:14:32 epiderme pppd[13059]: Connection terminated.
> Nov 27 15:14:32 epiderme pppd[13059]: Exit.
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE:
> read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error =
> Input/output error, usually caused by unexpected termination of pppd, check
> option syntax and pppd logs
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: PTY read or GRE write failed
> (pty,gre)=(6,7)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Reaping child PPP[13059]
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54 control
> connection finished
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Exiting now
> Nov 27 15:14:32 epiderme pptpd[13024]: MGR: Reaped child 13058
> --
>
> Have you tested that your pptpd works with local authentication first (without
> radius)?
>
> So, the problem persists:
>
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 6
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 7
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 1
> Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute 4
>
> And:
>
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE:
> read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error =
> Input/output error, usually caused by unexpected termination of pppd, check
> option syntax and pppd logs
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: PTY read or GRE write failed
> (pty,gre)=(6,7)
>
>
> That's why you should first test with credentials in chap-secrets, and only
> afterwards set up radius (if you haven't already done so).
>
> What do you think? I put the dictionaries here for you to look at:
>
> (dictionary.microsoft)
> --
>
> #
> # Microsoft's VSA's, from RFC 2548
> #
> # $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
> #
>
> VENDOR Microsoft 311 Microsoft
>
> ATTRIBUTE MS-CHAP-Response 1 string Microsoft
> ATTRIBUTE MS-CHAP-Error 2 string Microsoft
> ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
> ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
> ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
> ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
> ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
> # This is referred to as both singular and plural in the RFC.
> # Plural seems to make more sense.
> ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
> ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
> ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
> ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
> ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
> ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
> ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
> ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
> ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
> ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
> ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
> ATTRIBUTE MS-RAS-Version 18 string Microsoft
> ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
> ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
> ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
>
> ATTRIBUTE MS-Filter 22 string Microsoft
> ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
> ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
>
> ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
> ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
> ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
>
> ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
> ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
> ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
> ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
>
> #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
>
>
> #
> # Integer Translations
> #
>
> # MS-BAP-Usage Values
>
> VALUE MS-BAP-Usage Not-Allowed 0
> VALUE MS-BAP-Usage Allowed 1
> VALUE MS-BAP-Usage Required 2
>
> # MS-ARAP-Password-Change-Reason Values
>
> VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
> VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
> VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
> VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
>
> # MS-Acct-Auth-Type Values
>
> VALUE MS-Acct-Auth-Type PAP 1
> VALUE MS-Acct-Auth-Type CHAP 2
> VALUE MS-Acct-Auth-Type MS-CHAP-1 3
> VALUE MS-Acct-Auth-Type MS-CHAP-2 4
> VALUE MS-Acct-Auth-Type EAP 5
>
> # MS-Acct-EAP-Type Values
>
> VALUE MS-Acct-EAP-Type MD5 4
> VALUE MS-Acct-EAP-Type OTP 5
> VALUE MS-Acct-EAP-Type Generic-Token-Card 6
> VALUE MS-Acct-EAP-Type TLS 13
> ----
>
> Thanks in advance!
>
> Douglas
>
> On Thu, Nov 27, 2008 at 4:06 PM, Alexandre Chapellon <
> alexandre.chapellon at mana.pf> wrote:
>
>>
>>
>> On 27.11.2008 07:17, Douglas Macedo wrote:
>>
>> Hey TNT,
>>
>> On Thu, Nov 27, 2008 at 2:54 PM, <tnt at kalik.net> wrote:
>>
>>> >I force the Windows client to use only mschap2, but the problem continues:
>>> >
>>> >-
>>> >Module: Instantiated radutmp (radutmp)
>>> >Listening on authentication *:1812
>>> >Listening on accounting *:1813
>>> >Ready to process requests.
>>> >rad_recv: Access-Request packet from host 150.162.67.254:32858, id=109,
>>> >length=53
>>> >        Service-Type = Framed-User
>>> >        Framed-Protocol = PPP
>>> >        User-Name = "douglas"
>>> >        NAS-IP-Address = 1.1.1.1
>>> >        NAS-Port = 0
>>>
>>> This has nothing to do with freeradius. I don't see your NAS sending
>>> mschap attributes.
>>>
>>
>> How can I fix that? Where do I configure that?
>>
>>
>>>
>>> >In PPTP debug show:
>>> >
>>> ..
>>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute
>>> 11
>>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute
>>> 25
>>>
>>> Has your radius client got an mschap dictionary?
>>>
>>
>> I'm using the RadiusClient1 of Debian.
>>
>> --
>> epiderme:/etc/radiusclient# ls -l
>> total 52
>> -rw-r--r-- 1 root root  6502 2008-11-26 13:10 dictionary
>> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
>> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
>> -rw-r--r-- 1 root root   599 2006-10-29 08:54 dictionary.merit
>> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
>> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
>> -rw-r--r-- 1 root root  2630 2008-11-24 15:24 radiusclient.conf
>> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
>> -rw------- 1 root root   272 2008-11-24 13:12 servers
>> --
>>
>>
>> Copy the Microsoft dictionary from your freeradius install to your pptp
>> server, and add it to the dictionary list.
>> Additionally (this may not be related to your problem), having multiple
>> require-<protocols> in the pptpd config is nonsense; if you want to enable
>> multiple protocols for authentication, use +pap, +chap, +mschap....
>> instead of require-...
>>
>>
>> --
>> epiderme:/etc/radiusclient# cat radiusclient.conf
>> auth_order      radius,local
>> login_tries     4
>> login_timeout   60
>> nologin /etc/nologin
>> issue   /etc/radiusclient/issue
>> authserver      ldap.telemedicina.ufsc.br
>> acctserver      ldap.telemedicina.ufsc.br
>> servers         /etc/radiusclient/servers
>> dictionary      /etc/radiusclient/dictionary
>> login_radius    /usr/sbin/login.radius
>> seqfile         /var/run/radius.seq
>> mapfile         /etc/radiusclient/port-id-map
>> default_realm
>> radius_timeout  10
>> radius_retries  3
>> login_local     /bin/login
>> --
>>
>>
>> But I don't find the attributes for MS-CHAP:
>>
>> --
>> epiderme:/etc/radiusclient# cat dictionary | grep MS-CHAP
>> epiderme:/etc/radiusclient# cat dictionary | grep MSCHAP
>> epiderme:/etc/radiusclient# cat dictionary | grep mschap
>> --
>>
>> Just for CHAP:
>>
>> --
>> epiderme:/etc/radiusclient# cat dictionary | grep -i chap
>> ATTRIBUTE       CHAP-Password           3       string
>> ATTRIBUTE       Chap-Challenge          60      string
>> --
>>
>> Is that correct?
>>
>> No, you need MS-CHAP attributes
>>
>>
>> Thanks a lot in advance,
>> Douglas
>>
>>
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>>
>> --
>> Douglas Macedo
>> dmacedo at gmail.com
>> --
>> One judges the intelligence of an individual by the amount of uncertainty
>> he is able to bear.
>> (Immanuel Kant)
>>
>>
>
>
>
> --
> Douglas Macedo
> dmacedo at gmail.com
>
>



-- 
Douglas Macedo
dmacedo at gmail.com
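The two pppd log excerpts in this thread can be read against the dictionary posted above. As an added example (not from the thread, radiusclient or pppd), the Python below parses radiusclient-style VENDOR/ATTRIBUTE lines and resolves each "rc_avpair_new: unknown attribute N" number two ways: as a standard RFC 2865 attribute and as a Microsoft (vendor 311) VSA. The sample dictionaries and log lines are constructed from values in the thread; the standard numbers 1, 4, 6 and 7 are User-Name, NAS-IP-Address, Service-Type and Framed-Protocol, the attributes seen in the Access-Request quoted earlier.

```python
import re

# Constructed sample dictionaries in radiusclient syntax (not the thread's files).
# Standard numbers follow RFC 2865; the VSA lines are abridged from the posted dictionary.microsoft.
BASE_DICT = """
ATTRIBUTE   User-Name        1   string
ATTRIBUTE   NAS-IP-Address   4   ipaddr
ATTRIBUTE   Service-Type     6   integer
ATTRIBUTE   Framed-Protocol  7   integer
"""
MS_DICT = """
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Challenge  11 string Microsoft
ATTRIBUTE MS-CHAP2-Response  25 string Microsoft
ATTRIBUTE MS-CHAP2-Success   26 string Microsoft
"""

# Constructed log lines modelled on the two pppd excerpts quoted in the thread.
FIRST_LOG = ["Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 11",
             "Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 25"]
SECOND_LOG = ["Nov 27 15:10:43 epiderme pppd[13043]: rc_avpair_new: unknown attribute %d" % n
              for n in (6, 7, 1, 4)]

def parse_dictionary(text):
    """Return {(vendor_id, attr_id): name}; vendor_id is 0 for standard attributes."""
    vendors, attrs = {}, {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if len(parts) >= 3 and parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            # Fifth column names the vendor; an unknown vendor name falls back to 0.
            vendor_id = vendors.get(parts[4], 0) if len(parts) > 4 else 0
            attrs[(vendor_id, int(parts[2]))] = parts[1]
    return attrs

UNKNOWN_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")

def diagnose(log_lines, attrs, vendor_id=311):
    """For each 'unknown attribute N' line return (N, standard name, VSA name);
    the log does not say which namespace N is in, so both lookups are reported."""
    findings = []
    for line in log_lines:
        m = UNKNOWN_RE.search(line)
        if m:
            n = int(m.group(1))
            findings.append((n, attrs.get((0, n)), attrs.get((vendor_id, n))))
    return findings

if __name__ == "__main__":
    for n, std, vsa in diagnose(FIRST_LOG + SECOND_LOG, parse_dictionary(BASE_DICT + MS_DICT)):
        print(n, "standard:", std, "Microsoft VSA:", vsa)
```

Numbers 11 and 25 resolve only as MS-CHAP-Challenge and MS-CHAP2-Response, pointing at a missing Microsoft dictionary; 6, 7, 1 and 4 resolve to standard attributes that every radiusclient dictionary defines, which (assuming that log came from the edited setup) suggests the client failed to load the dictionary as a whole rather than just the VSA file.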