Auth-Type

jon michaels joniamasad at gmail.com
Mon Dec 7 09:05:10 CET 2009


Thanks for the quick response.

On Mon, Dec 7, 2009 at 11:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
> jon michaels wrote:
>> My NAS, pppd, does not grant access to a user with attribute Auth-Type
>> set to Accept but radtest does work.

Perhaps I should also mention that without Auth-Type set to Accept, I
can connect. I am just searching for a good way to update one field in
mysql to flip access on and off. If there is another attribute that I
can use for this, that would be fine too. I just tried this one
because it was mentioned in the /etc/freeradius/users example.

>  My *guess* is that the NAS is doing MS-CHAP.  You *cannot* simply set
> Auth-Type = Accept to let them in. You *must* have the "known good"
> password, and you *must* do a full MS-CHAP exchange.

True, it's doing mschap. I currently don't understand yet why the debug
shows an accept but the ppp doesn't like it.

Here's my freeradius debug output and my pppd and pptp debug output
underneath it:

rad_recv: Access-Request packet from host 127.0.0.1 port 59011,
id=238, length=135
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "testuser"
	MS-CHAP-Challenge = 0xcf50beb20eeb75a90e5577b142c0fdfc
	MS-CHAP2-Response =
0xec002b8744dec345f27532594312332a563e0000000000000000ef6a691cef86e60776c054bc5180319d1eb0bff41a2275cf
	NAS-IP-Address = 172.16.132.204
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207
	expand: %t -> Mon Dec  7 11:41:48 2009
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 148
++[files] returns ok
	expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 0
	expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'testuser'           ORDER BY id
[sql] User found in radcheck table
	expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = 'testuser'           ORDER BY id
	expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'testuser'           ORDER BY priority
	expand: SELECT id, groupname, attribute,           Value, op
 FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
  ORDER BY id -> SELECT id, groupname, attribute,           Value, op
         FROM radgroupcheck           WHERE groupname = 'dynamic'
     ORDER BY id
[sql] User found in group dynamic
	expand: SELECT id, groupname, attribute,           value, op
 FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
  ORDER BY id -> SELECT id, groupname, attribute,           value, op
         FROM radgroupreply           WHERE groupname = 'dynamic'
     ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group session {...}
	expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
	expand: %{User-Name} -> testuser
++[radutmp] returns ok
+- entering group post-auth {...}
	expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.132.204 0
[main_pool] MD5 on 'key' directive maps to: 3f65cbc9230f10232661e598553cbde4
[main_pool] Searching for an entry for key: '3f65cbc9230f10232661e598553cbde4'
[main_pool] Found a stale entry for ip: 172.16.132.163
[main_pool] num: 0
rlm_ippool: Allocating ip to key: '3f65cbc9230f10232661e598553cbde4'
[main_pool] num: 1
[main_pool] Allocated ip 172.16.132.160 to client key:
3f65cbc9230f10232661e598553cbde4
++[main_pool] returns ok
	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
-> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207
	expand: %t -> Mon Dec  7 11:41:48 2009
++[reply_log] returns ok
	expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
	expand: %{User-Password} ->
	expand: %{Chap-Password} ->
	expand: INSERT INTO radpostauth                           (username,
pass, reply, authdate)                           VALUES (
             '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
            (username, pass, reply, authdate)
 VALUES (                           'testuser',
   '',                           'Access-Accept', '2009-12-07
11:41:48')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                   (username, pass, reply, authdate)
        VALUES (                           'testuser',
          '',                           'Access-Accept', '2009-12-07
11:41:48')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 238 to 127.0.0.1 port 59011
	Service-Type := Framed-User
	Framed-Protocol := PPP
	Framed-Compression := Van-Jacobson-TCP-IP
	Framed-MTU := 1500
	Acct-Interim-Interval = 3600
	Acct-Status-Type = Interim-Update
	Framed-IP-Address = 172.16.132.160
	Framed-IP-Netmask = 255.255.255.0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 238 with timestamp +4214
Ready to process requests.



pptpd[7714]: CTRL: pppd options file = /etc/ppp/pptpd-options
pptpd[7714]: CTRL: Starting call (launching pppd, opening GRE)
pptpd[7715]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
pppd[7715]: Plugin radius.so loaded.
pppd[7715]: RADIUS plugin initialized.
pppd[7715]: Plugin radattr.so loaded.
pppd[7715]: RADATTR plugin initialized.
pppd[7715]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[7715]: pptpd-logwtmp: $Version$
pppd[7715]: pppd 2.4.5 started by root, uid 0
pppd[7715]: using channel 20
pppd[7715]: Using interface ppp0
pppd[7715]: Connect: ppp0 <--> /dev/pts/2
pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2>
<magic 0x3a4f9548> <pcomp> <accomp>]
pptpd[7714]: GRE: Bad checksum from pppd.
pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2>
<magic 0x3a4f9548> <pcomp> <accomp>]
pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2>
<magic 0x3a4f9548> <pcomp> <accomp>]
pppd[7715]: sent [LCP EchoReq id=0x0 magic=0x3a4f9548]
pppd[7715]: sent [CHAP Challenge id=0xab
<fee8a2f7b97dc91c29b77a21b811bd7b>, name = "pptpd"]
pppd[7715]: rcvd [LCP EchoReq id=0x0 magic=0xe4a25036]
pppd[7715]: sent [LCP EchoRep id=0x0 magic=0x3a4f9548]
pppd[7715]: rcvd [LCP EchoRep id=0x0 magic=0xe4a25036]
pppd[7715]: rcvd [CHAP Response id=0xab
<cd3e1f2e7e3333563806295b83cc29e400000000000000000e5fa91bba34183221a516ca3133441b607edcb9b0a7852d00>,
name = "testuser"]
pppd[7715]: RADATTR plugin wrote 8 line(s) to file /var/run/radattr.ppp0.
pppd[7715]:
pppd[7715]: Peer hexuser failed CHAP authentication
pppd[7715]: sent [CHAP Failure id=0xab ""]
pppd[7715]: sent [LCP TermReq id=0x2 "Authentication failed"]
pppd[7715]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
pppd[7715]: sent [LCP TermAck id=0x2]
pppd[7715]: rcvd [LCP TermAck id=0x2]
pppd[7715]: Connection terminated.
pppd[7715]: RADATTR plugin removed file /var/run/radattr.ppp0.
pppd[7715]: Exit.
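
Added example, not part of the original post or of FreeRADIUS: the Access-Accept in the debug output above carries no MS-CHAP2-Success attribute, which an MS-CHAPv2 peer needs to finish the exchange and which the server can only compute from the known-good password. This Python sketch flags that condition in `radiusd -X` output; the function names and the abbreviated sample log are assumptions constructed for illustration, and the input is expected unwrapped (one packet header per line, not re-wrapped by a mail client).

```python
import re

# Constructed sample: abbreviated debug output modelled on the log in the post,
# with placeholder attribute values (0x00) instead of the real challenge/response.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 59011, id=238, length=135
\tUser-Name = "testuser"
\tMS-CHAP-Challenge = 0x00
\tMS-CHAP2-Response = 0x00
Found Auth-Type = Accept
Sending Access-Accept of id 238 to 127.0.0.1 port 59011
\tFramed-Protocol := PPP
\tFramed-IP-Address = 172.16.132.160
Finished request 3.
"""

HEADER = re.compile(r"^(?:rad_recv: |Sending )(Access-\w+).*?\bid[ =](\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+)\s*[:+]?=")

def parse_packets(text):
    """Return a list of (packet_type, id, set_of_attribute_names)."""
    packets, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = (head.group(1), int(head.group(2)), set())
            packets.append(current)
        elif current and (attr := ATTR.match(line)):
            current[2].add(attr.group(1))
        else:
            current = None  # any non-attribute line ends the current packet
    return packets

def find_unusable_accepts(text):
    """IDs of MS-CHAPv2 requests answered by an Access-Accept lacking MS-CHAP2-Success."""
    packets = parse_packets(text)
    mschap2_ids = {pid for kind, pid, attrs in packets
                   if kind == "Access-Request" and "MS-CHAP2-Response" in attrs}
    return [pid for kind, pid, attrs in packets
            if kind == "Access-Accept" and pid in mschap2_ids
            and "MS-CHAP2-Success" not in attrs]

if __name__ == "__main__":
    print(find_unusable_accepts(SAMPLE_DEBUG))
```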



