PPTP auth vs samba-ldap, 691
Alan DeKok
aland at deployingradius.com
Wed Aug 11 02:35:03 CEST 2010
Cory Johnson wrote:
> When I try to log into the VPN from a Windows client, I get the error
> message: "Error 691: Access was denied because the user name and/or
> password was invalid on the domain.", but radius logs show
> "Access-Accept".
You misconfigured the server, and broke it.
> My major difference is that I am using a LDAP backend
> which contains NT passwords (it is also the LDAP backend for my samba
> server).
It's not using the NT Passwords. See the debug log.
> Tried fiddling with mppe and encryption settings in the mschap module,
> but always get the same results.
The issue isn't the mschap module. It's elsewhere.
> "freeradius -X" debug below, as always any reply would be great.
>
>
> rad_recv: Access-Request packet from host 192.168.1.55 port 43210,
> id=116, length=166
> NAS-Identifier = "pfsense.local"
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Calling-Station-Id = "192.168.1.153"
> User-Name = "cjohnson"
> MS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
> MS-CHAP2-Response =
> 0x0100991b81f3bbq3859d8qa75ae826662d8600000000000000009584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
...
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
You have configured the server to *force* Auth-Type. Don't do that.
The "Auth-Type := Accept" forces the server to *not* do MS-CHAP
authentication. The client sees that the required MS-CHAP data is
missing from the response, and concludes that the server is broken, or
lying to it.
Alan DeKok.
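As an added example (not code from Alan's reply or from the FreeRADIUS project): a small Python check for the thing the Windows PPP client is looking for in the Access-Accept. It parses the RADIUS attributes, descends into the Microsoft Vendor-Specific attribute (vendor 311, RFC 2548) and reports whether MS-CHAP2-Success is present; the two packets and the 40-hex-digit authenticator response inside them are constructed placeholders, not captured traffic.

```python
import struct

ACCESS_ACCEPT = 2
VSA = 26                 # Vendor-Specific attribute type
MS_VENDOR_ID = 311       # Microsoft (RFC 2548)
MS_CHAP2_SUCCESS = 26    # vendor type for MS-CHAP2-Success (RFC 2548)

def parse_attrs(packet):
    """Return (code, [(type, vendor_id, vendor_type, value)]); vendor fields are None for plain attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body, attrs, i = packet[20:length], [], 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        value = body[i + 2:i + alen]
        if atype == VSA and len(value) >= 6:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA")
                attrs.append((VSA, vendor, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            attrs.append((atype, None, None, value))
        i += alen
    return code, attrs

def mschapv2_reply_is_complete(packet):
    """True only if the Access-Accept carries the MS-CHAP2-Success value the client verifies."""
    code, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return False
    for atype, vendor, vtype, value in attrs:
        if atype == VSA and vendor == MS_VENDOR_ID and vtype == MS_CHAP2_SUCCESS:
            # Ident byte, then "S=" and 40 hex digits (RFC 2759 section 5)
            return len(value) == 43 and value[1:3] == b"S="
    return False

def build_packet(code, ident, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # Response Authenticator zeroed: constructed sample, not a real signed reply
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def ms_vsa(vtype, value):
    return struct.pack("!I", MS_VENDOR_ID) + bytes([vtype, len(value) + 2]) + value

# Constructed: what a forced "Auth-Type := Accept" sends back, a bare Access-Accept
FORCED_ACCEPT = build_packet(ACCESS_ACCEPT, 116, [])
# Constructed: the reply the mschap module produces after actually verifying the response
AUTH_RESPONSE = b"\x01S=" + b"A" * 40   # placeholder, ident 0x01 as in the quoted log
REAL_ACCEPT = build_packet(ACCESS_ACCEPT, 116, [(VSA, ms_vsa(MS_CHAP2_SUCCESS, AUTH_RESPONSE))])
```

Run `mschapv2_reply_is_complete` over both packets: the forced accept fails the check even though the server logged Access-Accept, which is exactly the 691 the client reports.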