Freeradius with LDAP backend for pptpd (via MS-CHAP)

Daniel Gomes dgomes at
Fri Jul 9 12:34:48 CEST 2010

Hey there,

first of all, thanks for all the tips!

Commenting them, in the order in which they came:

@peter lambrechtsen:

  I actually had tried PAP before, but I gave up then because pptpd was 
refusing clients without even consulting the RADIUS server... But I 
noticed (a couple of minutes ago) that I had the client (ie. Windows) 
configured to try MS-CHAP and not PAP...

@ nf-vale:

nice detailed description on how to fix it, but I ended up using peter's 
solution, as it seemed easier.

@ana dekok (inline comments):

Em 09-07-2010 11:23, Alan DeKok escreveu:
> Daniel Gomes wrote:
>> I know this is a question which has been thoroughly asked and answered,
>> but after spending several days configuring, debugging, searching the
>> internet, rec-configuring, etc, I still can't get my freeradius server
>> to properly authenticate users (for a pptd server).
>    Go read the debug log.  It's not finding the password for the user.
> Fix that.
>> So yeah, of you could help me out, I'd appreciate it! All I want is
>> pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
>> is not even a requirement for me here, since both services are on the
>> same machine, so there's not even the need for safe connections. So long
>> as it works, I really don't care about any particular configuration!
>    A simple LDAP query for the user is *not* returning a password.
> That's the problem.
>    Does the user even have a password in LDAP?

 From the logs, and as I wrote on my initial cry for help, I could see 
that the password wasn't being found, I just couldn't puzzle out why... 
And yes, the users do have passwords on LDAP (we are using it to 
authenticate many other applications), and as I wrote down, radtest was 
working fine, so freeradius was able to authenticate users via LDAP.

>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

Anyway, once again, thanks for all the tips! It seems to be working fine 
with PAP, so I guess I'll go with it!


Daniel Gomes (SysAdmin)
dgomes at
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal

More information about the Freeradius-Users mailing list