Freeradius with LDAP backend for pptpd (via MS-CHAP)

Daniel Gomes dgomes at ipfn.ist.utl.pt
Mon Jul 5 17:59:08 CEST 2010


Dear list,

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc., I still can't get my freeradius server
to properly authenticate users (for a pptpd server).

First of all, on the pptpd server's side (which I know is not your
"jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
require-mppe options enabled.

As for freeradius itself, a summarized sites-enabled/default reads:

authorize {
        preprocess

        pap

        mschap

        ldap

        auth_log

        eap {
                ok = return
        }

        expiration
        logintime
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        Auth-Type LDAP {
                ldap
        }

        eap
}

My modules/ldap contains all the necessary information, and my
modules/mschap has the options use_mppe, require_encryption and
require_strong enabled, like most tutorials state.

As for the results, radtest works fine (querying LDAP etc.), but through
pptpd it always fails with this error:

----------------

rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
length=151
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "dgomes"
	MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
	MS-CHAP2-Response =
0x48003ac4b88e3cc4c6b5819eb258c434e27a000000000000000002a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
	Calling-Station-Id = "193.136.136.200"
	NAS-IP-Address = 193.136.136.40
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
	expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
	expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
	expand: %t -> Thu Jul  8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
	expand: %{User-Name} -> dgomes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

------------------

I know that the error should be enough for me to fix it (since it's
quite explanatory), but after trying many different configurations and
searching through dozens of old mailing lists posts, I still haven't
managed it...

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!

Thanks in advance,
Daniel Gomes
