Trouble with PPTP & FreeRadius
Mike Diggins
mike.diggins at mcmaster.ca
Fri Mar 27 20:24:56 CET 2009
I have a cisco vpn3030 concentrator with both IPSec and PPTP clients.
IPSec clients can successfully connect using my FreeRadius 2.1.3 server.
They use PAP, I believe. My PPTP clients are failing to connect. Every
indication on the Radius server is they have authenticated successfully,
although the client says no (both Macintosh and Windows XP clients). When
I point my cisco vpn3030 back to the CiscoSecure Radius server they use
now (what I'm migrating from), the clients work again. There must be
something different about the reply from each server. Any idea what might
be happening?
VPN logs from my failing PPTP connection:
Mar 27 15:03:30 macvpn-inside 13885796 03/27/2009 15:03:30.520 SEV=4
PPTP/47 RPT=37605 76.64.100.68 Tunnel to peer 76.64.100.68 established
Mar 27 15:03:30 macvpn-inside 13885797 03/27/2009 15:03:30.590 SEV=4
PPTP/42 RPT=37421 76.64.100.68 Session started on tunnel 76.64.100.68
Mar 27 15:03:33 macvpn-inside 13885798 03/27/2009 15:03:33.800 SEV=5 PPP/8
RPT=33514 76.64.100.68 User [test26] Authenticated successfully with
MSCHAP-V1
Mar 27 15:03:33 macvpn-inside 13885799 03/27/2009 15:03:33.890 SEV=4
PPTP/35 RPT=37406 76.64.100.68 Session closed on tunnel 76.64.100.68
(peer 0, local 61694, serial 44796), reason: User request (No additional
info)
FreeRadius debug log of failed connection:
Ready to process requests.
rad_recv: Access-Request packet from host 172.26.69.8 port 1479, id=77,
length=146
User-Name = "test26"
NAS-Port = 8057
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "76.64.100.68"
MS-CHAP-Response =
0x02010000000000000000000000000000000000000000000000002f97e1c84fea6fedbd12aa551c2d84282f6d2089f5e9d345
MS-CHAP-Challenge = 0x5e0b3b68c24784e0
NAS-IP-Address = 172.26.69.8
NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test26", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap] mschap1: 5e
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=5e0b3b68c24784e0
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=2f97e1c84fea6fedbd12aa551c2d84282f6d2089f5e9d345
Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK: [test26] (from client macvpn port 8057)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 77 to 172.26.69.8 port 1479
Finished request 5.
Going to the next request
And my VPN logs from a working connection (ciscosecure radius):
Mar 27 15:08:11 macvpn-inside 13886204 03/27/2009 15:08:11.640 SEV=4
PPTP/47 RPT=37606 76.64.100.68 Tunnel to peer 76.64.100.68 established
Mar 27 15:08:11 macvpn-inside 13886205 03/27/2009 15:08:11.710 SEV=4
PPTP/42 RPT=37422 76.64.100.68 Session started on tunnel 76.64.100.68
Mar 27 15:08:14 macvpn-inside 13886215 03/27/2009 15:08:14.920 SEV=5 PPP/8
RPT=33515 76.64.100.68 User [test26] Authenticated successfully with
MSCHAP-V1
Mar 27 15:08:17 macvpn-inside 13886216 03/27/2009 15:08:17.790 SEV=5
PPP/49 RPT=33002 76.64.100.68 User [test26] IPCP assigned IP Address
172.26.94.7
Mar 27 15:08:17 macvpn-inside 13886217 03/27/2009 15:08:17.790 SEV=4
AUTH/22 RPT=354231 76.64.100.68 User [test26] Group [Base Group]
connected, Session Type: PPTP
-Mike