PPTP auth vs samba-ldap, 691

Cory Johnson cjohnson at commspeed.net
Tue Aug 10 22:53:17 CEST 2010


Greetings,

Trying to get FreeRADIUS 2.1.8 to authenticate VPN users for pfSense's 
PPTP server.

I am having an issue similar to the one in this old list post: 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40632.html. 
When I try to log into the VPN from a Windows client, I get the error 
message: "Error 691: Access was denied because the user name and/or 
password was invalid on the domain.", but radius logs show 
"Access-Accept". My major difference is that I am using an LDAP backend 
which contains NT passwords (it is also the LDAP backend for my samba 
server).

Tried fiddling with mppe and encryption settings in the mschap module, 
but always get the same results.

"freeradius -X" debug below; as always, any reply would be great.


rad_recv: Access-Request packet from host 192.168.1.55 port 43210, 
id=116, length=166
     NAS-Identifier = "pfsense.local"
     NAS-Port = 0
     NAS-Port-Type = Virtual
     Service-Type = Framed-User
     Framed-Protocol = PPP
     Calling-Station-Id = "192.168.1.153"
     User-Name = "cjohnson"
     MS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
     MS-CHAP2-Response = 
0x0100991b81f3bbq3859d8qa75ae826662d8600000000000000009584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
server vpn {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "cjohnson", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
   [ldap] Entering ldap_groupcmp()
[vpn]     expand: dc=corp,dc=example,dc=com -> dc=corp,dc=example,dc=com
[vpn]     expand: %{Stripped-User-Name} ->
[vpn]     ... expanding second conditional
[vpn]     expand: %{User-Name} -> cjohnson
[vpn]     expand: 
(&(objectClass=posixAccount)(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> 
(&(objectClass=posixAccount)(uid=cjohnson))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to 192.168.1.99:389, authentication 0
   [ldap] bind as cn=admin,dc=corp,dc=example,dc=com/s3cr3t to 
192.168.1.99:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in dc=corp,dc=example,dc=com, with filter 
(&(objectClass=posixAccount)(uid=cjohnson))
   [ldap] ldap_release_conn: Release Id: 0
[vpn] WARNING: Deprecated conditional expansion ":-".  See "man unlang" 
for details
[vpn]     ... expanding second conditional
[vpn]     expand: %{User-Name} -> cjohnson
[vpn]     expand: 
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) 
-> (&(objectClass=posixGroup)(memberUid=cjohnson))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=corp,dc=example,dc=com, with filter 
(&(cn=VPN)(&(objectClass=posixGroup)(memberUid=cjohnson)))
rlm_ldap::ldap_groupcmp: User found in group VPN
   [ldap] ldap_release_conn: Release Id: 0
[vpn] users: Matched entry DEFAULT at line 5
++[vpn] returns ok
[ldap] performing user authorization for cjohnson
[ldap]     expand: %{Stripped-User-Name} ->
[ldap]     ... expanding second conditional
[ldap]     expand: %{User-Name} -> cjohnson
[ldap]     expand: 
(&(objectClass=posixAccount)(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> 
(&(objectClass=posixAccount)(uid=cjohnson))
[ldap]     expand: dc=corp,dc=example,dc=com -> dc=corp,dc=example,dc=com
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=corp,dc=example,dc=com, with filter 
(&(objectClass=posixAccount)(uid=cjohnson))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] sambaNtPassword -> NT-Password == 
0x4039323544423042363155514544454138343541433236383039324641284532
   [ldap] sambaLmPassword -> LM-Password == 
0x3145314444423038343342393233433141414433423444454235313430333545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user cjohnson authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
     expand: Great Success! -> Great Success!
Login OK: [cjohnson] (from client 192.168.1.55 port 0 cli 192.168.1.153) 
Great Success!
+- entering group post-auth {...}
++[exec] returns noop
} # server vpn
Sending Access-Accept of id 116 to 192.168.1.55 port 43210
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 116 with timestamp +23
Ready to process requests.

--CJ
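The debug output above has a tell-tale shape: the request carries MS-CHAP-Challenge and MS-CHAP2-Response, the users file matches a DEFAULT entry, "[pap] Found existing Auth-Type, not changing it." and "Found Auth-Type = Accept" follow, and no "[mschap]" line ever appears before "Sending Access-Accept". In FreeRADIUS, an Auth-Type of Accept set during authorize skips the authenticate section entirely, so rlm_mschap never computes the MS-CHAP2-Success attribute (or the MPPE keys) that a Windows PPTP client validates; the client then reports error 691 even though the server logged Access-Accept. The following is an added example, not code from the original post or from the FreeRADIUS project: a small triage script that scans a `freeradius -X` transcript for exactly that mismatch. The two transcripts it checks are constructed, abridged in the shape of the post's output (hex values replaced with placeholders), and the line-matching heuristics are assumptions about the 2.x debug format, not a FreeRADIUS API.

```python
"""Triage a `freeradius -X` transcript for the PPTP/MS-CHAPv2 symptom
"client gets error 691 although the server sent Access-Accept".

Added example, not part of the original post. The transcripts below are
constructed and abridged; the parsing heuristics assume the 2.x debug layout.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: an MS-CHAPv2 request whose Auth-Type was pre-set to Accept,
# so rlm_mschap never runs and the reply carries no MS-CHAP2-Success.
BROKEN = """\
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166
\tUser-Name = "cjohnson"
\tMS-CHAP-Challenge = 0x00
\tMS-CHAP2-Response = 0x00
+- entering group authorize {...}
++[ldap] returns ok
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Sending Access-Accept of id 116 to 192.168.1.55 port 43210
Finished request 0.
"""

# Constructed: what the same request looks like when rlm_mschap handles it
# and the Access-Accept carries MS-CHAP2-Success plus MPPE keys.
WORKING = """\
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=117, length=166
\tUser-Name = "cjohnson"
\tMS-CHAP-Challenge = 0x00
\tMS-CHAP2-Response = 0x00
+- entering group authorize {...}
++[ldap] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
++[mschap] returns ok
Sending Access-Accept of id 117 to 192.168.1.55 port 43210
\tMS-CHAP2-Success = 0x00
\tMS-MPPE-Recv-Key = 0x00
Finished request 1.
"""

# Matches "Attribute-Name = value" lines as printed by the debug output.
ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*)?$")


@dataclass
class Finding:
    mschap_request: bool = False            # request carried MS-CHAP attributes
    auth_type: Optional[str] = None         # value of "Found Auth-Type = ..."
    mschap_ran: bool = False                # any rlm_mschap line was seen
    reply_code: Optional[str] = None        # Access-Accept / Access-Reject
    mschap2_success: bool = False           # reply carried MS-CHAP2-Success
    problems: List[str] = field(default_factory=list)


def analyse(transcript: str) -> Finding:
    """Walk one request's debug output and report the MS-CHAPv2 mismatch."""
    f = Finding()
    in_reply = False  # attribute lines after "Sending ..." belong to the reply
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv: Access-Request"):
            in_reply = False
        elif line.startswith("Sending Access-"):
            f.reply_code = line.split()[1]
            in_reply = True
            continue
        m = re.match(r"Found Auth-Type = (\S+)", line)
        if m:
            f.auth_type = m.group(1)
        if "[mschap]" in line:
            f.mschap_ran = True
        am = ATTR_RE.match(line)
        if am:
            name = am.group(1)
            if not in_reply and name in ("MS-CHAP-Challenge", "MS-CHAP2-Response"):
                f.mschap_request = True
            if in_reply and name == "MS-CHAP2-Success":
                f.mschap2_success = True

    if f.mschap_request:
        if f.auth_type == "Accept":
            f.problems.append("Auth-Type forced to Accept in authorize; "
                              "the authenticate section (rlm_mschap) was skipped")
        if not f.mschap_ran:
            f.problems.append("no rlm_mschap activity for an MS-CHAPv2 request")
        if f.reply_code == "Access-Accept" and not f.mschap2_success:
            f.problems.append("Access-Accept carries no MS-CHAP2-Success; a Windows "
                              "PPTP client treats that as a failed login (error 691)")
    return f


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("working", WORKING)):
        result = analyse(text)
        print(label, "->", result.problems or "no MS-CHAPv2 mismatch found")
```

Run it against a real `-X` capture by passing the transcript text to `analyse()`; a non-empty `problems` list means the reply the NAS received could not satisfy the client's MS-CHAPv2 authenticator check, whatever the server's own "Login OK" line says.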


