Trouble with PPTP & FreeRadius

Mike Diggins mike.diggins at mcmaster.ca
Fri Mar 27 20:24:56 CET 2009


I have a Cisco vpn3030 concentrator with both IPSec and PPTP clients. 
IPSec clients can successfully connect using my FreeRadius 2.1.3 server. 
They use PAP, I believe. My PPTP clients are failing to connect. Every 
indication on the Radius server is that they have authenticated successfully, 
although the client says no (both Macintosh and Windows XP clients). When 
I point my Cisco vpn3030 back to the CiscoSecure Radius server they use 
now (what I'm migrating from), the clients work again. There must be 
something different about the reply from each server. Any idea what might 
be happening?

VPN logs from my failing PPTP connection:

Mar 27 15:03:30 macvpn-inside 13885796 03/27/2009 15:03:30.520 SEV=4 PPTP/47 RPT=37605 76.64.100.68  Tunnel to peer 76.64.100.68 established
Mar 27 15:03:30 macvpn-inside 13885797 03/27/2009 15:03:30.590 SEV=4 PPTP/42 RPT=37421 76.64.100.68  Session started on tunnel 76.64.100.68
Mar 27 15:03:33 macvpn-inside 13885798 03/27/2009 15:03:33.800 SEV=5 PPP/8 RPT=33514 76.64.100.68  User [test26] Authenticated successfully with MSCHAP-V1
Mar 27 15:03:33 macvpn-inside 13885799 03/27/2009 15:03:33.890 SEV=4 PPTP/35 RPT=37406 76.64.100.68  Session closed on tunnel 76.64.100.68 (peer 0, local 61694, serial 44796), reason: User request (No additional info)


FreeRadius debug log of failed connection:

Ready to process requests.
rad_recv: Access-Request packet from host 172.26.69.8 port 1479, id=77, length=146
         User-Name = "test26"
         NAS-Port = 8057
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Tunnel-Client-Endpoint:0 = "76.64.100.68"
         MS-CHAP-Response = 0x02010000000000000000000000000000000000000000000000002f97e1c84fea6fedbd12aa551c2d84282f6d2089f5e9d345
         MS-CHAP-Challenge = 0x5e0b3b68c24784e0
         NAS-IP-Address = 172.26.69.8
         NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test26", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} -> --username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap]  mschap1: 5e
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=5e0b3b68c24784e0
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2f97e1c84fea6fedbd12aa551c2d84282f6d2089f5e9d345
Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK: [test26] (from client macvpn port 8057)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 77 to 172.26.69.8 port 1479
Finished request 5.
Going to the next request


And my VPN logs from a working connection (CiscoSecure Radius):

Mar 27 15:08:11 macvpn-inside 13886204 03/27/2009 15:08:11.640 SEV=4 PPTP/47 RPT=37606 76.64.100.68  Tunnel to peer 76.64.100.68 established
Mar 27 15:08:11 macvpn-inside 13886205 03/27/2009 15:08:11.710 SEV=4 PPTP/42 RPT=37422 76.64.100.68  Session started on tunnel 76.64.100.68
Mar 27 15:08:14 macvpn-inside 13886215 03/27/2009 15:08:14.920 SEV=5 PPP/8 RPT=33515 76.64.100.68  User [test26] Authenticated successfully with MSCHAP-V1
Mar 27 15:08:17 macvpn-inside 13886216 03/27/2009 15:08:17.790 SEV=5 PPP/49 RPT=33002 76.64.100.68  User [test26] IPCP assigned IP Address 172.26.94.7
Mar 27 15:08:17 macvpn-inside 13886217 03/27/2009 15:08:17.790 SEV=4 AUTH/22 RPT=354231 76.64.100.68  User [test26] Group [Base Group] connected, Session Type: PPTP


-Mike
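
Added example, not part of the original post: a small Python script that parses the two concentrator logs quoted above and reports the first event at which the failing and working sessions differ. The field names (seq, ts, sev, event, peer, text) are labels chosen here, and the line layout is inferred from the posted log lines only.

```python
import re
from datetime import datetime, timedelta

# Concentrator syslog lines copied from the post, with the e-mail line wraps rejoined.
FAILING = """\
Mar 27 15:03:30 macvpn-inside 13885796 03/27/2009 15:03:30.520 SEV=4 PPTP/47 RPT=37605 76.64.100.68  Tunnel to peer 76.64.100.68 established
Mar 27 15:03:30 macvpn-inside 13885797 03/27/2009 15:03:30.590 SEV=4 PPTP/42 RPT=37421 76.64.100.68  Session started on tunnel 76.64.100.68
Mar 27 15:03:33 macvpn-inside 13885798 03/27/2009 15:03:33.800 SEV=5 PPP/8 RPT=33514 76.64.100.68  User [test26] Authenticated successfully with MSCHAP-V1
Mar 27 15:03:33 macvpn-inside 13885799 03/27/2009 15:03:33.890 SEV=4 PPTP/35 RPT=37406 76.64.100.68  Session closed on tunnel 76.64.100.68 (peer 0, local 61694, serial 44796), reason: User request (No additional info)
"""
WORKING = """\
Mar 27 15:08:11 macvpn-inside 13886204 03/27/2009 15:08:11.640 SEV=4 PPTP/47 RPT=37606 76.64.100.68  Tunnel to peer 76.64.100.68 established
Mar 27 15:08:11 macvpn-inside 13886205 03/27/2009 15:08:11.710 SEV=4 PPTP/42 RPT=37422 76.64.100.68  Session started on tunnel 76.64.100.68
Mar 27 15:08:14 macvpn-inside 13886215 03/27/2009 15:08:14.920 SEV=5 PPP/8 RPT=33515 76.64.100.68  User [test26] Authenticated successfully with MSCHAP-V1
Mar 27 15:08:17 macvpn-inside 13886216 03/27/2009 15:08:17.790 SEV=5 PPP/49 RPT=33002 76.64.100.68  User [test26] IPCP assigned IP Address 172.26.94.7
Mar 27 15:08:17 macvpn-inside 13886217 03/27/2009 15:08:17.790 SEV=4 AUTH/22 RPT=354231 76.64.100.68  User [test26] Group [Base Group] connected, Session Type: PPTP
"""

# Assumed layout: syslog prefix, sequence, date, time, SEV, class/event, RPT, peer, text.
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<seq>\d+) (?P<ts>\S+ \S+) SEV=(?P<sev>\d+) "
    r"(?P<event>\w+/\d+) RPT=\d+ (?P<peer>\S+)\s+(?P<text>.*)$")

def parse(log):
    """Return one dict per event; lines that do not match the layout are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
            events.append(ev)
    return events

def first_divergence(a, b):
    """Index and event ids at the first position where the two sessions differ."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x["event"] != y["event"]:
            return i, x["event"], y["event"]
    return None  # one sequence is a prefix of the other

def ms_after_auth(events):
    """Milliseconds between the PPP/8 authentication event and the event after it."""
    i = next(k for k, e in enumerate(events) if e["event"] == "PPP/8")
    return (events[i + 1]["ts"] - events[i]["ts"]) // timedelta(milliseconds=1)

if __name__ == "__main__":
    bad, good = parse(FAILING), parse(WORKING)
    print([e["event"] for e in bad], [e["event"] for e in good])
    print(first_divergence(bad, good), ms_after_auth(bad), ms_after_auth(good))
```

On the posted logs both sessions match through PPP/8; the failing session then logs PPTP/35 (session closed) 90 ms later, where the working session logs PPP/49 (IPCP address assignment).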



