Hello--
We're presently using the cistron 1.6.4 radiusd on our Solaris 8 SPARC
server to do basic dial up auth for our 3Com SuperStack and ASCEND
Max networking solutions as well as a small Perl RADIUS offering for
our web-based authentication.
Needless to say, this all works beautifully.
Unfortunately, we need to start offering VPN support and as such, I am
moving towards freeradius 0.4 (presently testing snapshot-20020129).
When we configure the Microsoft VPN Server Software (hosted on a
Windows 2000 Server Machine) to utilize RADIUS, I find that
authentication/authorization simply doesn't work...for any number of
reasons. Typically what we're getting in the debug info is this:
rad_recv: Access-Request packet from host some.ip.address:1253, id=76, length=217
        NAS-IP-Address = some.ip.address
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 129
        MS-RAS-Vendor = 311
        MS-RAS-Version = "MSRASV5.00"
        NAS-Port-Type = Virtual
        Tunnel-Type:0 = PPTP
        Tunnel-Medium-Type:0 = IP
        Calling-Station-Id = "some.ip.address"
        Tunnel-Client-Endpoint:0 = "some.ip.address"
        User-Name = "test"
        MS-CHAP-Challenge = 0x41a80c8decc083db28403bd7c30abd54
        MS-CHAP2-Response = 0x020013694a6da469a426d745a526c0a5872a00000000000000005f4a00b0ad7c7642dac66206482912fd57407467a6bd95bb
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 76 to some.ip.address:1253
MS-CHAP-Error = "\002E=691 R=1"
Finished request 2
Now, what irks me (and let me admit first that I don't fully understand
the dogma of the *CHAP protocols, nor RADIUS for that matter) is that
we have to involve the CHAP 'stuff' with the RADIUS server, period.
That is, why can't the M$CHAP stay between the VPN client and server,
with the server simply doing a standard RADIUS user/password lookup
with the shared key?
I'm certain there are probably good reasons for this, though
I am writing here hoping to find help and/or configuration tips that
might allow me to do a M$CHAP->RADIUS->Solaris Shadow password
authentication.
Any help is definitely appreciated!
--
Robert Sink - Asst. Dept. Head - Computer/Network Services
Univ. of Maryland Chesapeake Biological Laboratory - Solomons, MD.
[o] 410/326-7306
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
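An added example (Python, not from the original post nor from FreeRADIUS) that parses the MS-CHAP-Challenge and MS-CHAP2-Response values exactly as they appear in the debug output above (User-Name "test" taken from the same log) and performs the RFC 2759 ChallengeHash step, which is as far as any server can get without the user's NT hash; the comments spell out why a crypt() entry from the Solaris shadow file cannot supply the remaining step.

```python
import hashlib

# Values copied from the radiusd debug output above (as printed, "0x" + hex).
MS_CHAP_CHALLENGE = "0x41a80c8decc083db28403bd7c30abd54"
MS_CHAP2_RESPONSE = ("0x020013694a6da469a426d745a526c0a5872a0000000000000000"
                     "5f4a00b0ad7c7642dac66206482912fd57407467a6bd95bb")
USER_NAME = "test"


def attr_bytes(attr_hex: str) -> bytes:
    """Decode an attribute value the way radiusd prints it (optional 0x prefix)."""
    return bytes.fromhex(attr_hex[2:] if attr_hex.startswith("0x") else attr_hex)


def parse_mschap2_response(attr_hex: str) -> dict:
    """Split MS-CHAP2-Response (RFC 2548 2.3.3) into its fields:
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24) = 50 octets."""
    raw = attr_bytes(attr_hex)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(raw)}")
    fields = {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18],
              "reserved": raw[18:26], "nt_response": raw[26:50]}
    # RFC 2759: Flags and Reserved are zero in a well-formed MS-CHAPv2 response.
    if fields["flags"] != 0 or fields["reserved"] != bytes(8):
        raise ValueError("malformed MS-CHAPv2 response: Flags/Reserved not zero")
    return fields


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))   # user name only, no domain prefix
    return h.digest()[:8]


def verifier_inputs(challenge_attr: str, response_attr: str, user_name: str) -> dict:
    """Everything the server can derive from the Access-Request alone.
    What remains is ChallengeResponse() (RFC 2759 8.5): DES-encrypt 'challenge'
    under the user's 16-octet NT hash (MD4 of the UTF-16LE password, zero-padded
    to three 7-octet DES keys) and compare the 24 octets with 'nt_response'. That
    needs the cleartext password or NT hash on the server; a one-way crypt() hash
    from /etc/shadow cannot produce it, hence the User-Password error above."""
    auth_challenge = attr_bytes(challenge_attr)
    if len(auth_challenge) != 16:
        raise ValueError("MS-CHAP-Challenge must be 16 octets for MS-CHAPv2")
    fields = parse_mschap2_response(response_attr)
    fields["authenticator_challenge"] = auth_challenge
    fields["challenge"] = challenge_hash(fields["peer_challenge"], auth_challenge, user_name)
    return fields
```

Because the NT hash is password-equivalent, whatever file the server keeps it in for MS-CHAP verification needs the same protection as a cleartext password store.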