LDAP with CHAP - can't seem to make it work

Wein Michael Michael.Wein at lotto-rlp.de
Fri Apr 15 09:26:18 CEST 2016


Hi everybody 

We have been using freeradius to authenticate about 1000 network users for quite some years without any issues. Last week we experienced problems with one of the NAS our network providers use. Please be aware of the fact that we do not have direct influence on the configuration of this machine. While roughly 100 NASs use PAP for authentication against our LDAP-datastore getting an access accept, this NAS uses CHAP, leading radius to reject the request. In consequence the network users frequenting this NAS fall back on a more expensive means of connection, creating additional cost for us. 

In parallel to requesting the provider to fix this issue we are investigating now how to make LDAP work with CHAP. We followed FAQ to this link and others in this section 

http://wiki.freeradius.org/guide/FAQ#how-do-i_how-do-i-make-chap-work-with-ldap     

but found no real clue. We recreated the scenario in our testing environment and one guess so far is :



vt1radius:/etc/raddb # cat sites-enabled/vt1pppoe_localhost
# WEINM 2015-01-21 : vt1pppoe login realization
server vt1pppoe_login {
# WEINM 2015-01-21 : listen on 1825, auth only no acct
listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 1825
}
authorize {
        ldap_vt1pppoe
        if ((ok || updated) && (User-Password || CHAP-Password)) {
                update {
                    control:Auth-Type = LDAP
                }
        }
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
}



vt1radius:/etc/raddb # cat mods-enabled/ldap_vt1pppoe
ldap ldap_vt1pppoe {
        server = 10.193.1.144
        identity = "cn=admin,dc=lotto-rlp,dc=de"
        password = secret
        update {
                control:Password-With-Header    += 'userPassword'
                control:Cleartext-Password      := 'userPassword'

        }
        user {
                base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        tls {
                start_tls = no
        }
        pool {
                #  Number of connections to start
                start = 1
                min = 1
                max = ${thread[pool].max_servers}
                spare = 10
                uses = 300
                lifetime = 0
                idle_timeout = 60
        }
}


resulting to

vt1radius:/etc/raddb/sites-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec  3 2014 at 10:31
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/ldap_dtag
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/ldap_ptlux
including configuration file /etc/raddb/mods-enabled/ldap_arcor
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/ptlux_localhost
including configuration file /etc/raddb/sites-enabled/dtag_localhost
including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost
including configuration file /etc/raddb/sites-enabled/arcor_localhost
including configuration file /etc/raddb/sites-enabled/proxy_decode_realm
main {
 security {
        allow_core_dumps = no
 }
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 10
        cleanup_delay = 2
        max_requests = 30720
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
        msg_denied = "You are already logged in - access denied"
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = "no"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server dtag_localhost {
        ipaddr = 127.0.0.1
        port = 1822
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server arcor_localhost {
        ipaddr = 127.0.0.1
        port = 1823
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server ptlux_localhost {
        ipaddr = 127.0.0.1
        port = 1824
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server vt1pppoe_localhost {
        ipaddr = 127.0.0.1
        port = 1825
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server_pool dtag_pool {
        type = fail-over
        home_server = dtag_localhost
 }
 realm lotto-rlp {
        auth_pool = dtag_pool
 }
 home_server_pool arcor_pool {
        type = fail-over
        home_server = arcor_localhost
 }
 realm lotto-rlp.de {
        auth_pool = arcor_pool
 }
 home_server_pool ptlux_pool {
        type = fail-over
        home_server = ptlux_localhost
 }
 realm pt.lotto-rlp.de {
        auth_pool = ptlux_pool
 }
 home_server_pool vt1pppoe_pool {
        type = fail-over
        home_server = vt1pppoe_localhost
 }
 realm lotto-rlp.vt1 {
        auth_pool = vt1pppoe_pool
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = <<< secret >>>
        shortname = "localhost"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
 client vt1pppoe1 {
        ipaddr = 10.193.1.51
        require_message_authenticator = no
        secret = <<< secret >>>
        shortname = "vt1pppoe1"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
radiusd: #### Instantiating modules ####
  # Loaded module rlm_ldap
  # Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag
  ldap ldap_dtag {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_dtag): Opening additional connection (0)
rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389
rlm_ldap (ldap_dtag): Waiting for bind result...
rlm_ldap (ldap_dtag): Bind successful
  # Loaded module rlm_exec
  # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
  # Loaded module rlm_chap
  # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
  # Loaded module rlm_preprocess
  # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  preprocess {
        huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
        hints = "/etc/raddb/mods-config/preprocess/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
  # Loaded module rlm_always
  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  always reject {
        rcode = "reject"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  always fail {
        rcode = "fail"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  always ok {
        rcode = "ok"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  always handled {
        rcode = "handled"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  always invalid {
        rcode = "invalid"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  always userlock {
        rcode = "userlock"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  always notfound {
        rcode = "notfound"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  always noop {
        rcode = "noop"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  always updated {
        rcode = "updated"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
  ldap {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
  # Loaded module rlm_realm
  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  realm IPASS {
        format = "prefix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  realm realmpercent {
        format = "suffix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  realm ntdomain {
        format = "prefix"
        delimiter = "\"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe
  ldap ldap_vt1pppoe {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_vt1pppoe): Opening additional connection (0)
rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389
rlm_ldap (ldap_vt1pppoe): Waiting for bind result...
rlm_ldap (ldap_vt1pppoe): Bind successful
  # Loaded module rlm_expr
  # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
  expr {
        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
  # Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux
  ldap ldap_ptlux {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_ptlux): Opening additional connection (0)
rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389
rlm_ldap (ldap_ptlux): Waiting for bind result...
rlm_ldap (ldap_ptlux): Bind successful
  # Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor
  ldap ldap_arcor {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_arcor): Opening additional connection (0)
rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389
rlm_ldap (ldap_arcor): Waiting for bind result...
rlm_ldap (ldap_arcor): Bind successful
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
} # server default
server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost
 # Creating Auth-Type = LDAP
 # Loading authenticate {...}
 # Loading authorize {...}
} # server ptlux_login
server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading post-auth {...}
} # server dtag_login
server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost
 # Loading authenticate {...}
 # Loading authorize {...}
} # server vt1pppoe_login
server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost
 # Loading authenticate {...}
 # Loading authorize {...}
} # server arcor_login
server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm
 # Loading authorize {...}
} # server decode_realm
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1824
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1822
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1825
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1823
}
listen {
        type = "auth"
        ipaddr = *
        port = 1812
}
Listening on auth address 127.0.0.1 port 1824 as server ptlux_login
Listening on auth address 127.0.0.1 port 1822 as server dtag_login
Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login
Listening on auth address 127.0.0.1 port 1823 as server arcor_login
Listening on auth address * port 1812 as server decode_realm
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47272
Ready to process requests.


A PAP request to this server gets accepted :

client:

vt1radius:/etc/raddb # echo "User-Name = 88078 at lotto-rlp.vt1 , USER-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 53 from 0.0.0.0:57005 to 127.0.0.1:1812
        User-Name = '88078 at lotto-rlp.vt1'
        User-Password = 'jWd53332J0jCtWu'
        Framed-Protocol = PPP
Received Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005 length 20
Packet summary:
        Access-Accepts  : 1
        Access-Rejects  : 0
        Lost            : 0
        Passed filter   : 1
        Failed filter   : 0


server:

Received Access-Request Id 53 from 127.0.0.1:57005 to 127.0.0.1:1812 length 65
        User-Name = '88078 at lotto-rlp.vt1'
        User-Password = 'jWd53332J0jCtWu'
        Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0)    --> 88078 at lotto-rlp.vt1
(0)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)     if (User-Name =~ / /)
(0)     if (User-Name =~ / /)  -> FALSE
(0)     if (User-Name =~ /@.*@/ )
(0)     if (User-Name =~ /@.*@/ )  -> FALSE
(0)     if (User-Name =~ /\\.\\./ )
(0)     if (User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (User-Name =~ /\\.$/)
(0)     if (User-Name =~ /\\.$/)   -> FALSE
(0)     if (User-Name =~ /@\\./)
(0)     if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0) IPASS : No '/' in User-Name = "88078 at lotto-rlp.vt1", looking up realm NULL
(0) IPASS : No such realm "NULL"
(0)   [IPASS] = noop
(0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078 at lotto-rlp.vt1"
(0) suffix : Found realm "lotto-rlp.vt1"
(0) suffix : Adding Stripped-User-Name = "88078"
(0) suffix : Adding Realm = "lotto-rlp.vt1"
(0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(0)   [suffix] = updated
(0)  } #  authorize = updated
(0) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 121 from 0.0.0.0:47272 to 127.0.0.1:1825
        User-Name = '88078'
        User-Password = 'jWd53332J0jCtWu'
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        Message-Authenticator := 0x00
        Proxy-State = 0x3533
Waking up in 0.3 seconds.
Received Access-Request Id 121 from 127.0.0.1:47272 to 127.0.0.1:1825 length 85
        User-Name = '88078'
        User-Password = 'jWd53332J0jCtWu'
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        Message-Authenticator = 0xa02d25ed4e815243b4aea79c8c70682c
        Proxy-State = 0x3533
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1)   authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_vt1pppoe :    --> (uid=88078)
(1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe :    --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(1) ldap_vt1pppoe : Waiting for search result...
(1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap_vt1pppoe : Processing user attributes
(1) ldap_vt1pppoe :     control:Password-With-Header += ''jWd53332J0jCtWu''
(1) ldap_vt1pppoe :     control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(1)   [ldap_vt1pppoe] = ok
(1)    if ((ok || updated) && (User-Password || CHAP-Password))
(1)    if ((ok || updated) && (User-Password || CHAP-Password))  -> TRUE
(1)   if ((ok || updated) && (User-Password || CHAP-Password))  {
(1)    update  {
(1)     control:Auth-Type = LDAP
(1)    } # update  = noop
(1)   } # if ((ok || updated) && (User-Password || CHAP-Password))  = noop
(1)  } #  authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1)  Auth-Type LDAP {
(1) ldap : Login attempt by "88078"
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : Using user DN from request "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap : Waiting for bind result...
(1) ldap : Bind successful
(1) ldap : Bind as user "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" was successful
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 92 seconds
rlm_ldap (ldap): You probably need to lower "min"
(1)   [ldap] = ok
(1)  } # Auth-Type LDAP = ok
(1) Login OK: [88078] (from client localhost port 0)
Sending Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272
        Proxy-State = 0x3533
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24
        Proxy-State = 0x3533
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) Login OK: [88078 at lotto-rlp.vt1] (from client localhost port 0)
Sending Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005
(0) Finished request
Waking up in 0.3 seconds.
Waking up in 1.6 seconds.
(1) Cleaning up request packet ID 121 with timestamp +92
(0) Cleaning up request packet ID 53 with timestamp +92
Ready to process requests.


Doing the same with CHAP instead leads to a reject

client:

vt1radius:/etc/raddb # echo "User-Name = 88078 at lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 12 from 0.0.0.0:57335 to 127.0.0.1:1812
        User-Name = '88078 at lotto-rlp.vt1'
        CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
        Framed-Protocol = PPP
Received Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335 length 20
(0) Expected Access-Accept got Access-Reject
Packet summary:
        Access-Accepts  : 0
        Access-Rejects  : 1
        Lost            : 0
        Passed filter   : 0
        Failed filter   : 1


server :

Received Access-Request Id 12 from 127.0.0.1:57335 to 127.0.0.1:1812 length 66
        User-Name = '88078 at lotto-rlp.vt1'
        CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
        Framed-Protocol = PPP
(2) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2)    --> 88078 at lotto-rlp.vt1
(2)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(2)     if (User-Name =~ / /)
(2)     if (User-Name =~ / /)  -> FALSE
(2)     if (User-Name =~ /@.*@/ )
(2)     if (User-Name =~ /@.*@/ )  -> FALSE
(2)     if (User-Name =~ /\\.\\./ )
(2)     if (User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(2)     if (User-Name =~ /\\.$/)
(2)     if (User-Name =~ /\\.$/)   -> FALSE
(2)     if (User-Name =~ /@\\./)
(2)     if (User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2) IPASS : No '/' in User-Name = "88078 at lotto-rlp.vt1", looking up realm NULL
(2) IPASS : No such realm "NULL"
(2)   [IPASS] = noop
(2) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078 at lotto-rlp.vt1"
(2) suffix : Found realm "lotto-rlp.vt1"
(2) suffix : Adding Stripped-User-Name = "88078"
(2) suffix : Adding Realm = "lotto-rlp.vt1"
(2) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(2) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(2)   [suffix] = updated
(2)  } #  authorize = updated
(2) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 95 from 0.0.0.0:47272 to 127.0.0.1:1825
        User-Name = '88078'
        CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555
        Message-Authenticator := 0x00
        Proxy-State = 0x3132
Waking up in 0.3 seconds.
Received Access-Request Id 95 from 127.0.0.1:47272 to 127.0.0.1:1825 length 104
        User-Name = '88078'
        CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555
        Message-Authenticator = 0x3b9362d72f7dcf5365986f984cda2d43
        Proxy-State = 0x3132
(3) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(3)   authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(3) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap_vt1pppoe :    --> (uid=88078)
(3) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(3) ldap_vt1pppoe :    --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(3) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(3) ldap_vt1pppoe : Waiting for search result...
(3) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(3) ldap_vt1pppoe : Processing user attributes
(3) ldap_vt1pppoe :     control:Password-With-Header += ''jWd53332J0jCtWu''
(3) ldap_vt1pppoe :     control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(3)   [ldap_vt1pppoe] = ok
(3)    if ((ok || updated) && (User-Password || CHAP-Password))
(3)    if ((ok || updated) && (User-Password || CHAP-Password))  -> TRUE
(3)   if ((ok || updated) && (User-Password || CHAP-Password))  {
(3)    update  {
(3)     control:Auth-Type = LDAP
(3)    } # update  = noop
(3)   } # if ((ok || updated) && (User-Password || CHAP-Password))  = noop
(3)  } #  authorize = ok
(3) Found Auth-Type = LDAP
(3) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(3)  Auth-Type LDAP {
(3) WARNING: ldap : You have set "Auth-Type := LDAP" somewhere.
(3) WARNING: ldap : *********************************************
(3) WARNING: ldap : * THAT CONFIGURATION IS WRONG.  DELETE IT.
(3) WARNING: ldap : * YOU ARE PREVENTING THE SERVER FROM WORKING.
(3) WARNING: ldap : *********************************************
(3) ERROR: ldap : Attribute "User-Password" is required for authentication.
(3)   [ldap] = invalid
(3)  } # Auth-Type LDAP = invalid
(3) Failed to authenticate the user.
(3) Login incorrect (ldap: Attribute "User-Password" is required for authentication.): [88078] (from client localhost port 0)
(3) Using Post-Auth-Type Reject
(3) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(2) Expecting proxy response no later than 5 seconds from now
Waking up in 0.1 seconds.
(3) Sending delayed response
Sending Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272
        Proxy-State = 0x3132
Waking up in 0.9 seconds.
Received Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24
        Proxy-State = 0x3132
(2) Login incorrect (Home Server says so): [88078 at lotto-rlp.vt1] (from client localhost port 0)
(2) Using Post-Auth-Type Reject
(2) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Cleaning up request packet ID 95 with timestamp +227
(2) Sending delayed response
Sending Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335
Waking up in 0.9 seconds.
(2) Cleaning up request packet ID 12 with timestamp +227
Ready to process requests.


Another line of approach is 

vt1radius:/etc/raddb/sites-enabled # cat vt1pppoe_localhost  | grep "[a-z,A_Z,\}]"
# WEINM 2015-01-21 : vt1pppoe login realization
server vt1pppoe_login {
# WEINM 2015-01-21 : listen on 1825, auth only no acct
listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 1825
}
authorize {
        ldap_vt1pppoe
        if ((ok || updated) && User-Password) {
                update {
                    control:Auth-Type = LDAP
                }
        }
        if ((ok || updated) && CHAP-Password) {
                update {
                    control:Auth-Type = CHAP
                }
        }
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
}



vt1radius:/etc/raddb/sites-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec  3 2014 at 10:31
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/ldap_dtag
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/ldap_ptlux
including configuration file /etc/raddb/mods-enabled/ldap_arcor
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/ptlux_localhost
including configuration file /etc/raddb/sites-enabled/dtag_localhost
including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost
including configuration file /etc/raddb/sites-enabled/arcor_localhost
including configuration file /etc/raddb/sites-enabled/proxy_decode_realm
main {
 security {
        allow_core_dumps = no
 }
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 10
        cleanup_delay = 2
        max_requests = 30720
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
        msg_denied = "You are already logged in - access denied"
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = "no"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server dtag_localhost {
        ipaddr = 127.0.0.1
        port = 1822
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server arcor_localhost {
        ipaddr = 127.0.0.1
        port = 1823
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server ptlux_localhost {
        ipaddr = 127.0.0.1
        port = 1824
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server vt1pppoe_localhost {
        ipaddr = 127.0.0.1
        port = 1825
        type = "auth"
        secret = <<< secret >>>
        response_window = 5
        max_outstanding = 65536
        zombie_period = 20
        status_check = "status-server"
        ping_interval = 30
        check_interval = 7
        num_answers_to_alive = 4
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server_pool dtag_pool {
        type = fail-over
        home_server = dtag_localhost
 }
 realm lotto-rlp {
        auth_pool = dtag_pool
 }
 home_server_pool arcor_pool {
        type = fail-over
        home_server = arcor_localhost
 }
 realm lotto-rlp.de {
        auth_pool = arcor_pool
 }
 home_server_pool ptlux_pool {
        type = fail-over
        home_server = ptlux_localhost
 }
 realm pt.lotto-rlp.de {
        auth_pool = ptlux_pool
 }
 home_server_pool vt1pppoe_pool {
        type = fail-over
        home_server = vt1pppoe_localhost
 }
 realm lotto-rlp.vt1 {
        auth_pool = vt1pppoe_pool
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = <<< secret >>>
        shortname = "localhost"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
 client vt1pppoe1 {
        ipaddr = 10.193.1.51
        require_message_authenticator = no
        secret = <<< secret >>>
        shortname = "vt1pppoe1"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
radiusd: #### Instantiating modules ####
  # Loaded module rlm_ldap
  # Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag
  ldap ldap_dtag {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_dtag): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_dtag): Opening additional connection (0)
rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389
rlm_ldap (ldap_dtag): Waiting for bind result...
rlm_ldap (ldap_dtag): Bind successful
  # Loaded module rlm_exec
  # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
  # Loaded module rlm_chap
  # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
  # Loaded module rlm_preprocess
  # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  preprocess {
        huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
        hints = "/etc/raddb/mods-config/preprocess/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
  # Loaded module rlm_always
  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  always reject {
        rcode = "reject"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  always fail {
        rcode = "fail"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  always ok {
        rcode = "ok"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  always handled {
        rcode = "handled"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  always invalid {
        rcode = "invalid"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  always userlock {
        rcode = "userlock"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  always notfound {
        rcode = "notfound"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  always noop {
        rcode = "noop"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  always updated {
        rcode = "updated"
        simulcount = 0
        mpp = no
  }
  # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
  ldap {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to 10.193.1.144:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
  # Loaded module rlm_realm
  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  realm IPASS {
        format = "prefix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  realm realmpercent {
        format = "suffix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  realm ntdomain {
        format = "prefix"
        delimiter = "\"
        ignore_default = no
        ignore_null = no
  }
  # Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe
  ldap ldap_vt1pppoe {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_vt1pppoe): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_vt1pppoe): Opening additional connection (0)
rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389
rlm_ldap (ldap_vt1pppoe): Waiting for bind result...
rlm_ldap (ldap_vt1pppoe): Bind successful
  # Loaded module rlm_expr
  # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
  expr {
        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
  # Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux
  ldap ldap_ptlux {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_ptlux): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_ptlux): Opening additional connection (0)
rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389
rlm_ldap (ldap_ptlux): Waiting for bind result...
rlm_ldap (ldap_ptlux): Bind successful
  # Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor
  ldap ldap_arcor {
        server = "10.193.1.144"
        port = 389
        password = <<< secret >>>
        identity = "cn=admin,dc=lotto-rlp,dc=de"
   user {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "sub"
        base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de"
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_arcor): Initialising connection pool
   pool {
        start = 1
        min = 1
        max = 130
        spare = 10
        uses = 300
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap_arcor): Opening additional connection (0)
rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389
rlm_ldap (ldap_arcor): Waiting for bind result...
rlm_ldap (ldap_arcor): Bind successful
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
} # server default
server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost
 # Creating Auth-Type = LDAP
 # Loading authenticate {...}
 # Loading authorize {...}
} # server ptlux_login
server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading post-auth {...}
} # server dtag_login
server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost
 # Loading authenticate {...}
 # Loading authorize {...}
} # server vt1pppoe_login
server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost
 # Loading authenticate {...}
 # Loading authorize {...}
} # server arcor_login
server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm
 # Loading authorize {...}
} # server decode_realm
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1824
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1822
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1825
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 1823
}
listen {
        type = "auth"
        ipaddr = *
        port = 1812
}
Listening on auth address 127.0.0.1 port 1824 as server ptlux_login
Listening on auth address 127.0.0.1 port 1822 as server dtag_login
Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login
Listening on auth address 127.0.0.1 port 1823 as server arcor_login
Listening on auth address * port 1812 as server decode_realm
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 36069
Ready to process requests.



Reject as seen from client

vt1radius:/etc/raddb # echo "User-Name = 88078 at lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123
Sending Access-Request Id 57 from 0.0.0.0:38849 to 127.0.0.1:1812
        User-Name = '88078 at lotto-rlp.vt1'
        CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
        Framed-Protocol = PPP
Received Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849 length 20
(0) Expected Access-Accept got Access-Reject
Packet summary:
        Access-Accepts  : 0
        Access-Rejects  : 1
        Lost            : 0
        Passed filter   : 0
        Failed filter   : 1

server :

Received Access-Request Id 57 from 127.0.0.1:38849 to 127.0.0.1:1812 length 66
        User-Name = '88078 at lotto-rlp.vt1'
        CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
        Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0)    --> 88078 at lotto-rlp.vt1
(0)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)     if (User-Name =~ / /)
(0)     if (User-Name =~ / /)  -> FALSE
(0)     if (User-Name =~ /@.*@/ )
(0)     if (User-Name =~ /@.*@/ )  -> FALSE
(0)     if (User-Name =~ /\\.\\./ )
(0)     if (User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (User-Name =~ /\\.$/)
(0)     if (User-Name =~ /\\.$/)   -> FALSE
(0)     if (User-Name =~ /@\\./)
(0)     if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0) IPASS : No '/' in User-Name = "88078 at lotto-rlp.vt1", looking up realm NULL
(0) IPASS : No such realm "NULL"
(0)   [IPASS] = noop
(0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078 at lotto-rlp.vt1"
(0) suffix : Found realm "lotto-rlp.vt1"
(0) suffix : Adding Stripped-User-Name = "88078"
(0) suffix : Adding Realm = "lotto-rlp.vt1"
(0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1
(0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1"
(0)   [suffix] = updated
(0)  } #  authorize = updated
(0) Proxying request to home server 127.0.0.1 port 1825
Sending Access-Request Id 214 from 0.0.0.0:36069 to 127.0.0.1:1825
        User-Name = '88078'
        CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873
        Message-Authenticator := 0x00
        Proxy-State = 0x3537
Waking up in 0.3 seconds.
Received Access-Request Id 214 from 127.0.0.1:36069 to 127.0.0.1:1825 length 104
        User-Name = '88078'
        CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873
        Message-Authenticator = 0x4eb73a374b5f5b8752e00b60f989d407
        Proxy-State = 0x3537
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1)   authorize {
rlm_ldap (ldap_vt1pppoe): Reserved connection (0)
(1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_vt1pppoe :    --> (uid=88078)
(1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe :    --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de
(1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub'
(1) ldap_vt1pppoe : Waiting for search result...
(1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de"
(1) ldap_vt1pppoe : Processing user attributes
(1) ldap_vt1pppoe :     control:Password-With-Header += ''jWd53332J0jCtWu''
(1) ldap_vt1pppoe :     control:Cleartext-Password := ''jWd53332J0jCtWu''
rlm_ldap (ldap_vt1pppoe): Released connection (0)
(1)   [ldap_vt1pppoe] = ok
(1)    if ((ok || updated) && User-Password)
(1)    if ((ok || updated) && User-Password)  -> FALSE
(1)    if ((ok || updated) && CHAP-Password)
(1)    if ((ok || updated) && CHAP-Password)  -> TRUE
(1)   if ((ok || updated) && CHAP-Password)  {
(1)    update  {
(1)     control:Auth-Type = CHAP
(1)    } # update  = noop
(1)   } # if ((ok || updated) && CHAP-Password)  = noop
(1)  } #  authorize = ok
(1) Found Auth-Type = CHAP
(1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
(1) Failed to authenticate the user.
(1) Login incorrect: [88078] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
(1) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 5 seconds from now
Waking up in 0.1 seconds.
(1) Sending delayed response
Sending Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069
        Proxy-State = 0x3537
Waking up in 0.9 seconds.
Received Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069 length 24
        Proxy-State = 0x3537
(0) Login incorrect (Home Server says so): [88078 at lotto-rlp.vt1] (from client localhost port 0)
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Cleaning up request packet ID 214 with timestamp +58
(0) Sending delayed response
Sending Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849
Waking up in 0.9 seconds.
(0) Cleaning up request packet ID 57 with timestamp +58
Ready to process requests.


Now we are somewhat at a loss. Are we missing something


Best regards

Michael Wein 













More information about the Freeradius-Users mailing list