Freeradius with LDAP backend for pptpd (via MS-CHAP)
nf-vale
nf-vale at critical-links.com
Fri Jul 9 11:02:46 CEST 2010
Hi,
You can add NT / LM hash pairs to each LDAP user object. You must include
samba.schema in the LDAP server's schemas.
Ex:
sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE
You can create these hashes using the smbencrypt tool (shipped with Samba).
This way pptp MSCHAP auth will work.
Nelson Vale
On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
> Dear list,
>
> I know this is a question which has been thoroughly asked and answered,
> but after spending several days configuring, debugging, searching the
> internet, re-configuring, etc, I still can't get my freeradius server
> to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know is not your
> "jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
> require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
> authorize {
>     preprocess
>     pap
>     mschap
>     ldap
>     auth_log
>     eap {
>         ok = return
>     }
>     expiration
>     logintime
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     Auth-Type LDAP {
>         ldap
>     }
>     eap
> }
>
> My modules/ldap contains all the necessary information, and my
> modules/mschap has the options use_mppe, require_encryption and
> require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc), but through
> pptpd it always fails with this error:
>
> ----------------
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
> length=151
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "dgomes"
> MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
> MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a000000000000000002a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
> Calling-Station-Id = "193.136.136.200"
> NAS-IP-Address = 193.136.136.40
> NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> [ldap] performing user authorization for dgomes
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
> expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
> rlm_ldap: bind as
> cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
> gold.ipfn.ist.utl.pt:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
> with filter (cn=dgomes)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that
> the user is configured correctly?
> [ldap] user dgomes authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
> %m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> [auth_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> expand: %t -> Thu Jul 8 14:08:34 2010
> ++[auth_log] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> expand: %{User-Name} -> dgomes
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
>
> ------------------
>
> I know that the error should be enough for me to fix it (since it's
> quite explanatory), but after trying many different configurations and
> searching through dozens of old mailing lists posts, I still haven't
> managed it...
>
> So yeah, if you could help me out, I'd appreciate it! All I want is
> pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP
> is not even a requirement for me here, since both services are on the
> same machine, so there's not even the need for safe connections. So long
> as it works, I really don't care about any particular configuration!
>
> Thanks in advance,
> Daniel Gomes
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html