pptp + perl + freeradius???
Oguzhan Kayhan
oguzhank at bilkent.edu.tr
Thu Nov 19 08:02:02 CET 2009
>> Hello, I am using a perl script to authenticate my users for hotspots
>> with freeradius.
>> I got no problem regarding to it.
>> Now I planned to move my existing vpn server to freeradius also.
>> Read some howtos about it (with poptop mostly)
>
> Perhaps reading freeradius documentation if you are to use freeradius
> would be better? If you read the main README file you could avoid most of
> your problems.
The documents I mentioned above were about pptp installation, not freeradius
itself. Sure, I read docs about freeradius also. Even your main README
file!!
>
>> Here is how my perl script works. When it gets a username/pass it
>> checks it via an xml page and if it is correct it adds the username to
>> mysql table with auth-type == local parameter.
>
> Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
>
It was for my perl module, which seems unnecessary for mschap as I see.
So I already removed it.
>> When second time this user tries
>> to login it just checks the password.
>
> How? You don't have password stored in radcheck table.
>
To make it clear: my users' passwords are stored in another system. So
practically I got no chance to have them on mysql of freeradius.
That's why in my previous system (which still works for hotspot
authentications) I was using a perl module to connect to an xml service
and check if the username/password is correct (I was just sending
username/password couple and the answer is returning as ok or not), and if
it is ok, add the username/name/email address and other informational
knowledges of the user to a mysql table which is not relative to our
subject now.
And every time the user logs on, that perl script checks for the password
again via xml page. So I got no passwords in mysql at all.
>> So I got Auth-Type parameter for
>> users in mysql.
>
> Remove it.
>
>> freeradius:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=29, length=138
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "7798"
>> MS-CHAP-Challenge = 0xf42766132ee2e3d828c770c460e8588e
>> MS-CHAP2-Response =
>> 0x44006948a59f2dbc8c838083bdea3e846fc300000000000000003f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd
>> Calling-Station-Id = ".931"
>> NAS-IP-Address = 192.168.10.213
>> NAS-Port = 0
>> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>> auth: Failed to validate the user.
>> Login incorrect: [7798/<no User-Password attribute>] (from client localhost port 0 cli .931)
>> Found Post-Auth-Type Reject
>> WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
>>
>> freeradius config
>> server vpn {
>>     authorize {
>>         preprocess
>>         files
>>         mschap
>>         update control {
>>             Auth-Type := perl
>>         }
>>         perl
>>     }
>>
>>     authenticate {
>>         Auth-Type MS-CHAP {
>>             mschap
>>         }
>>         Auth-Type Perl {
>>             perl
>>         }
>>     }
>> }
>
> Freeradius processes default virtual server by default (it looks like you
> have removed that one - why?). You haven't told it to use vpn default
> server.
>
There were some other virtual servers running on that freeradius server.
Just removed them for my test purposes. So nothing special about removing
default server.
> Your plan won't work. You have to know the password in advance to
> authenticate users with mschap. You can't extract the password from the
> request when user first time logs in. You can with pap but not with mschap
> - that's the whole point of that protocol.
>
So as I understand, the only way that mschap works is to keep
username/passwords on mysql (or file), right?
I cannot use perl module to return a "user is ok" msg and make it work.
> Ivan Kalik
>
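Added example, not part of the original thread: the MS-CHAP2-Response from the debug output above, split into its RFC 2548 fields, with the RFC 2759 ChallengeHash computed from it. It shows that the request carries only a challenge and a 24-byte response, never the password, which is why a backend that can only answer "ok or not" for a username/password pair cannot validate it. The function names are made up for this illustration.

```python
import hashlib

# Values copied from the Access-Request in the debug output above.
USER_NAME = "7798"
MS_CHAP_CHALLENGE = bytes.fromhex("f42766132ee2e3d828c770c460e8588e")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "4400"                                # Ident, Flags
    "6948a59f2dbc8c838083bdea3e846fc3"    # Peer-Challenge
    "0000000000000000"                    # Reserved
    "3f4aeadca9c80f730fd668686d8eac96570d941da2b4c2fd"  # NT-Response
)


def parse_mschap2_response(value: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    if len(value) != 50:
        raise ValueError(f"expected 50 bytes, got {len(value)}")
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """RFC 2759 ChallengeHash: the 8-byte value the client encrypted."""
    data = peer_challenge + auth_challenge + user.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def what_the_server_has(value: bytes, auth_challenge: bytes, user: str) -> dict:
    """Everything derivable from the request alone; note there is no password."""
    fields = parse_mschap2_response(value)
    return {
        "challenge_hash": challenge_hash(fields["peer_challenge"], auth_challenge, user),
        "nt_response": fields["nt_response"],
        # To check nt_response the server must DES-encrypt challenge_hash with
        # keys derived from MD4(UTF-16LE(password)), so it needs the password
        # or its NT hash in advance. A yes/no password checker cannot supply that.
        "still_needed": "NT hash of the user's password",
    }


if __name__ == "__main__":
    info = what_the_server_has(MS_CHAP2_RESPONSE, MS_CHAP_CHALLENGE, USER_NAME)
    for key, val in info.items():
        print(key, val.hex() if isinstance(val, bytes) else val)
```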