Values for MySQL tables for pptpd ?
Ali Jawad
ali.jawad at splendor.net
Wed May 23 12:44:28 CEST 2012
Btw, I do not have any Auth-Type settings now.
Thanks
On Wed, May 23, 2012 at 1:42 PM, Ali Jawad <ali.jawad at splendor.net> wrote:
> Hi
> I got it to work "at least half way", I did change pptpd options from
>
>
> -chap
> -mschap
> +mschap-v2
> require-mppe
>
> TO
>
> +chap
> +mschap
> +mschap-v2
> #require-mppe
>
> And in MS Win 7 VPN settings I did set encryption to optional. This way I
> can connect, see
>
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address =
> 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id =
> "4FBCBB330F5000",User-Name = "test"'
> [acct_unique] Acct-Unique-Session-ID = "6bbdd9f2f808f872".
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[files] returns noop
> # Executing section accounting from file /etc/raddb/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
> [detail] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> -> /var/log/radius/radacct/127.0.0.1/detail-20120523
> [detail]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/detail-20120523
> [detail] expand: %t -> Wed May 23 11:25:55 2012
> ++[detail] returns ok
> ++[unix] returns ok
> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> test
> ++[radutmp] returns ok
> ++[exec] returns noop
> [attr_filter.accounting_response] expand: %{User-Name} -> test
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] returns updated
> Sending Accounting-Response of id 27 to 127.0.0.1 port 50177
> Finished request 2.
> Cleaning up request 2 ID 27 with timestamp +15
> Going to the next request
> Waking up in 4.7 seconds.
>
>
> However when I do try to use MSCHAPV2 in VPN settings or if I do require
> encryption with appropriate settings in pptpd it fails.
>
> Test example :
>
> Set in VPN client in Win 7 to require encryption and MSCHAPV2 - "default
> options"
> Set pptpd options to :
> -chap
> -mschap
> +mschap-v2
> require-mppe
>
> I get the following in radius
>
> ++[sql] returns ok
> ++[expiration] returns noop
> rlm_logintime: Checking Login-Time: 'Al0800-1200'
> rlm_logintime: timestr returned accept
> rlm_logintime: Session-Timeout set to: 1200
> ++[logintime] returns ok
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] returns noop
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Replacing User-Password in config items with Cleartext-Password.
> !!!
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"
> !!!
> !!! clear text password is in Cleartext-Password, and not in
> User-Password. !!!
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> test
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 12 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 12
> Sending Access-Reject of id 45 to 127.0.0.1 port 60652
> Waking up in 4.9 seconds.
> Cleaning up request 12 ID 45 with timestamp +591
> Ready to process requests.
>
> In short it works for chap but not mschap, any input please ?
>
> Regards
>
>
>
>
> On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <ali.jawad at splendor.net> wrote:
>
>> Hi
>> Thanks again
>>
>> I did remove Auth-Type entry from DB and error says now
>>
>> rlm_sql (sql): Released sql socket id: 4
>> ++[sql] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> ERROR: No authenticate method (Auth-Type) found for the request:
>> Rejecting the user
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} -> test
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>>
>> I am using a pptpd server, it has plugin radius.so plugin radattr.so
>> loaded. The radius client is :
>>
>> rpm -qa | grep radiusclient
>> radiusclient-ng-utils-0.5.6-3.el5
>> radiusclient-ng-0.5.6-3.el5
>>
>> Its radiusclient config is:
>>
>> auth_order radius
>> login_tries 4
>> login_timeout 60
>> nologin /etc/nologin
>> issue /etc/radiusclient/issue
>> authserver localhost:1812
>> acctserver localhost:1813
>> servers /etc/radiusclient/servers
>> #dictionary /etc/raddb/dictionary
>> dictionary /usr/share/radiusclient-ng/dictionary
>> login_radius /usr/sbin/login.radius
>> seqfile /var/run/radius.seq
>> mapfile /etc/radiusclient/port-id-map
>> default_realm
>> radius_timeout 10
>> radius_retries 3
>> login_local /bin/login
>>
>> On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>
>>> Ali Jawad wrote:
>>> > Thanks for your patience so far.
>>> >
>>> > I did edit include sql.conf and only edited authorize to uncomment sql line.
>>> >
>>> > Now I am getting the below.
>>> >
>>> > [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not
>>> > contain a CHAP-Password attribute!
>>>
>>> Because you forced Auth-Type := CHAP. Don't do that.
>>>
>>> > I did try as LOCAL and it says set CHAP, I also tried mschap
>>>
>>> It's MUCH better to *understand* what's going on. Trying random
>>> changes is terrible.
>>>
>>> > Listening on proxy address * port 1814
>>> > Ready to process requests.
>>> > rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0,
>>> > length=67
>>> > Service-Type = Framed-User
>>> > Framed-Protocol = PPP
>>> > User-Name = "test"
>>> > Calling-Station-Id = "xxxxxxxx"
>>> > NAS-IP-Address = 127.0.0.1
>>> > NAS-Port = 0
>>>
>>> There's no password in this request. Use a RADIUS client that sends a
>>> password!
>>>
>>> Whatever RADIUS client you're using is broken. Don't use it.
>>>
>>> Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>>
>> --
>> *Ali Jawad
>> *
>> *Information Systems Manager*
>> *Splendor Telecom (www.splendor.net)
>> Beirut, Lebanon
>> Phone: +9611373725/ext 116
>> FAX: +9611375554*
>>
>>
>
>
--
*Ali Jawad
*
*Information Systems Manager*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554*
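
Added example, not part of the original thread: a small triage of `radiusd -X` debug text that reports which credential attribute the Access-Request carried and which of the failure lines quoted above the server printed. The MS-CHAP attribute names (Microsoft vendor dictionary, RFC 2548), the labels, and the second sample are assumptions made here for illustration.

```python
import re

# Credential attributes an Access-Request can carry. User-Password and
# CHAP-Password are named in the thread's debug output; the MS-CHAP names
# are added here from the Microsoft vendor dictionary (RFC 2548).
CREDENTIAL_ATTRS = {"User-Password": "PAP", "CHAP-Password": "CHAP",
                    "MS-CHAP-Response": "MS-CHAPv1", "MS-CHAP2-Response": "MS-CHAPv2"}

# Failure lines quoted in the thread; the labels are made up for this example.
FAILURES = {
    "No User-Password or CHAP-Password attribute in the request": "pap-chap-check-failed",
    "No authenticate method (Auth-Type) found": "no-auth-type",
    "You set 'Auth-Type = CHAP'": "forced-chap",
    "remove 'Auth-Type = Local'": "auth-type-local",
}
ATTR = re.compile(r"^([A-Za-z0-9-]+) = ")

def triage(debug_text):
    """Return (credential methods offered, failure labels, verdict) for one request."""
    offered, labels = [], []
    for raw in debug_text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw)  # drop e-mail quoting and indentation
        m = ATTR.match(line)
        method = CREDENTIAL_ATTRS.get(m.group(1)) if m else None
        if method and method not in offered:
            offered.append(method)
        labels += [lab for text, lab in FAILURES.items() if text in line and lab not in labels]
    if not offered:
        verdict = "request carries no credential attribute"
    elif labels:
        verdict = "offered " + "/".join(offered) + " but the server reported a failure"
    else:
        verdict = "no failure line seen"
    return offered, labels, verdict

# Request and error as quoted in the thread (abridged, line wraps undone).
THREAD_SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
\tService-Type = Framed-User
\tUser-Name = "test"
\tNAS-Port = 0
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
"""
# Constructed sample: an MS-CHAPv2 request (placeholder value) with a reject line from the thread.
MSCHAP_SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 60652, id=45, length=150
\tUser-Name = "test"
\tMS-CHAP2-Response = 0x00
No User-Password or CHAP-Password attribute in the request.
"""
```

Calling `triage()` on text pasted straight from a quoted e-mail works as well, since leading `>` markers are stripped before matching.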