Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> Basically, I have set up mpd to authenticate via RADIUS, and I'm trying to have FreeRADIUS do its authentication via rlm_pam, so I can have mpd (indirectly) authenticate off of a Windows Domain (so PAM is configured to authenticate via pam_winbind, from the Samba3 distro).

That will work for PAP. Nothing else. The pam_winbind module doesn't do CHAP, or MS-CHAP.

> Even though rlm_chap complains about not being able to find a proper Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right in the packet debug.

But no CHAP-Password. The names are different, that should be a hint.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
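An added example, not part of the original thread and not FreeRADIUS code: it shows why a backend that only answers "is this password right?" can serve PAP but not CHAP or MS-CHAP, and how the method is told apart by attribute name. The backend class, the sample password, the challenge bytes and the dummy MS-CHAP2-Response are constructed for illustration; attributes are shown as they look after RADIUS decoding.

```python
import hashlib
import hmac

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def classify(attrs):
    """Name the method from which attributes the request carries."""
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "MS-CHAP-Challenge" in attrs and (
            "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs):
        return "MS-CHAP"
    return "unknown"

class CleartextOnlyBackend:
    """Hypothetical PAM-like oracle: answers yes/no for (user, password)
    and never hands the stored secret to the caller."""
    def __init__(self, users):
        self._users = users
    def check(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

def verify(attrs, backend, local_secrets=None):
    """True/False when the request can be checked, None when it cannot."""
    method, user = classify(attrs), attrs.get("User-Name")
    if method == "PAP":
        return backend.check(user, attrs["User-Password"])
    if method == "CHAP":
        secret = (local_secrets or {}).get(user)
        if secret is None:      # no password to hash, nothing to compare
            return None
        ident, resp = attrs["CHAP-Password"][0], attrs["CHAP-Password"][1:]
        want = chap_response(ident, secret, attrs["CHAP-Challenge"])
        return hmac.compare_digest(resp, want)
    return None                 # MS-CHAP needs the NT hash, also not offered

# Constructed sample requests (not captured traffic).
SECRET = b"example-password"
CHALLENGE = bytes(range(16))
BACKEND = CleartextOnlyBackend({"damiang": SECRET})
PAP_REQ = {"User-Name": "damiang", "User-Password": SECRET}
CHAP_REQ = {"User-Name": "damiang", "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": bytes([7]) + chap_response(7, SECRET, CHALLENGE)}
MSCHAP_REQ = {"User-Name": "damiang", "MS-CHAP-Challenge": CHALLENGE,
              "MS-CHAP2-Response": bytes(50)}
```

With only the yes/no backend, `verify` returns `True` for the PAP request and `None` for the CHAP and MS-CHAP ones; CHAP becomes checkable only when the server itself holds the password.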
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Sean Perry ([EMAIL PROTECTED]) [09/09/03 19:55]:
> > If I change the mpd configuration to use PAP instead of CHAP, I get authentication success, but then there's some weirdness going on on the mpd side of things that I'm also trying to figure out.
> >
> > Even though rlm_chap complains about not being able to find a proper Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right in the packet debug.
>
> as I was told recently, you can't get there from here.

sigh That's what I was afraid of...

> There is currently no way to authenticate via CHAP against a Windows domain from Linux. Alan explains this in the thread I started last week.

I have to do some reading up on CHAP. Before I started this, I had convinced myself, against my own judgement, that this would in fact be possible.

> The best possibility I have found is using a radius relay and a Windows based radius server like Internet Authentication Service which comes with win2k server. Haven't tried to get it to work yet, but it is the most likely way to get it working.

Unfortunately the DC is not under my control. I'll have to convince the admins there to install the RADIUS server. You don't happen to know if NT4 comes with one, do you?

/clutching at straws
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 10:10]:
> > Even though rlm_chap complains about not being able to find a proper Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right in the packet debug.
>
> But no CHAP-Password. The names are different, that should be a hint.

(This is going off on a tangent...) But rlm_chap consults the mschap module, does it not? Ah, but it tells mschap to look for Chap-Password, /not/ MS-CHAP-Password.

Okay, I'll stop musing aloud, go re-learn myself some CHAP, and start over. Thanks for the help.
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> But rlm_chap consults the mschap module, does it not?

No.

> Ah, but it tells mschap to look for Chap-Password, /not/ MS-CHAP-Password.

No.

Alan DeKok.
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 13:12]:
> Damian Gerow [EMAIL PROTECTED] wrote:
> > But rlm_chap consults the mschap module, does it not?
>
> No.
>
> > Ah, but it tells mschap to look for Chap-Password, /not/ MS-CHAP-Password.
>
> No.

Okay... So can I get an explanation as to what's going on here:

    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 2
    modcall[authorize]: module files returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
    modcall[authorize]: module chap returns noop
    modcall[authorize]: module mschap returns notfound

Is that saying, 'Could not contact the mschap module', or 'The mschap module said it couldn't find a Chap-Password', or 'I'm not supposed to look at the mschap module, even though it's somewhere in my configuration'?
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> Okay... So can I get an explanation as to what's going on here:
>
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module chap returns noop

There's no CHAP-Password, so the 'chap' module doesn't do anything.

> modcall[authorize]: module mschap returns notfound

You're using an old version of the server. Upgrade to 0.9.1.

Alan DeKok.
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 13:32]:
> Damian Gerow [EMAIL PROTECTED] wrote:
> > Okay... So can I get an explanation as to what's going on here:
> >
> > rlm_chap: Could not find proper Chap-Password attribute in request
> > modcall[authorize]: module chap returns noop
>
> There's no CHAP-Password, so the 'chap' module doesn't do anything.

Makes sense.

> > modcall[authorize]: module mschap returns notfound
>
> You're using an old version of the server. Upgrade to 0.9.1.

I've been running 0.9.1 this entire time. I just installed it yesterday, from the FreeBSD ports system.
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> > You're using an old version of the server. Upgrade to 0.9.1.
>
> I've been running 0.9.1 this entire time. I just installed it yesterday, from the FreeBSD ports system.

Then you have an older version of rlm_mschap sitting around. The rlm_mschap module in 0.9.1 NEVER returns 'notfound' from the 'authorize' stage.

Alan DeKok.
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow wrote:
> If I change the mpd configuration to use PAP instead of CHAP, I get authentication success, but then there's some weirdness going on on the mpd side of things that I'm also trying to figure out.
>
> Even though rlm_chap complains about not being able to find a proper Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right in the packet debug.

as I was told recently, you can't get there from here.

There is currently no way to authenticate via CHAP against a Windows domain from Linux. Alan explains this in the thread I started last week.

The best possibility I have found is using a radius relay and a Windows based radius server like Internet Authentication Service which comes with win2k server. Haven't tried to get it to work yet, but it is the most likely way to get it working.