Hello all,
I am trying to authorize PPTP dialins with MS-CHAP or MS-CHAPv2 from a
Cisco nas. I do this by proxying the request to the Radius service that
comes with windows2000. Structure:
[Win2k PPTP Client]
|
[Cisco IOS 12.2.13T]
|
[FreeRadius 8.0]
|
[Win2k IAS Radius]
It fails with this message 'Required data enryption not supported.'
when I use MS-CHAP. When I cut out freeradius from above step, all is
fine for ms-chap (and for ms-chap-v2 I get 619 port not connected, but
thats not a freeradius issue - see below with freeradius the ms-chap-v2
error is different)
Is this something that can be attributed to FR?
Thanks for your help, debug and configs below.
Joe Maimon
Radius -X output for this request is:
--- Walking the entire request list ---
Cleaning up request 60 ID 107 with timestamp 3e559b8d
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 66.199.132.1:21677, id=108,
length=161
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0xaba1c9739e933a4f
MS-CHAP-Response =
0x0101000000000000000000000000000000000000000000000000ecc8cb00faa02ed703515e184606250828e2379720533
2c0
NAS-Port-Type = Virtual
Cisco-NAS-Port = "Uniq-Sess-ID299"
NAS-Port = 299
Service-Type = Framed-User
NAS-IP-Address = 66.199.132.1
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "attr_filter" returns noop
rlm_realm: Looking up realm ttec.com for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm ttec.com
rlm_realm: Proxying request from user joe to realm ttec.com
rlm_realm: Adding Realm = "ttec.com"
rlm_realm: Preparing to proxy authentication request to realm ttec.com
modcall[authorize]: module "suffix" returns updated
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
F
ROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER
BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
F
ROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupreply.GroupName ORDER
BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns notfound
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns updated
Sending Access-Request of id 6 to 64.95.32.131:1812
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0xaba1c9739e933a4f
MS-CHAP-Response =
0x0101000000000000000000000000000000000000000000000000ecc8cb00faa02ed703515e184606250828e2379720533
2c0
NAS-Port-Type = Virtual
Cisco-NAS-Port = "Uniq-Sess-ID299"
NAS-Port = 299
Service-Type = Framed-User
NAS-IP-Address = 66.199.132.1
Proxy-State = "108"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 64.95.32.131:1812, id=6, length=122
Proxy-State = 0x313038
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0x471a0513000001370001405f208301c2c26443537f700000000000000029
MS-CHAP-MPPE-Keys =
0x422837ab83ca71121f5348900a8fef9b551e01b69fdf4cbfaba1c9739e933a4f
MS-CHAP-Domain = "\001TTEC"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
attr_filter: Matched entry DEFAULT at line 86
modcall[authorize]: module "attr_filter" returns updated
rlm_realm: Proxy reply, or no user name. Ignoring.
modcall[authorize]: module "suffix" returns noop
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
F
ROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER
BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
F
ROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupreply.GroupName ORDER
BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [[EMAIL PROTECTED]] (from client noc08rt08 port 299)
Sending Access-Accept of id 108 to 66.199.132.1:21677
MS-CHAP-Error = "\001E=691 R=1"
Finished request 61
-------------------------------------------------------
And With MS-CHAPv2 I get It was not possible to verify the identity of
the server.
Radius -X output is:
------------------------------------------------------
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 66.199.132.1:21678, id=9,
length=169
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0xc8630fa1c3629c72b160dd7e4a305b53
MS-CHAP2-Response =
0x01003c770f6c37ffa4df49fa36769ea1bd050000000000000000ba254cc80adb3f4df94273717d80f9b1e035f60635de
0bb9
NAS-Port-Type = Virtual
Cisco-NAS-Port = "Uniq-Sess-ID302"
NAS-Port = 302
Service-Type = Framed-User
NAS-IP-Address = 66.199.132.1
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "attr_filter" returns noop
rlm_realm: Looking up realm ttec.com for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm ttec.com
rlm_realm: Proxying request from user joe to realm ttec.com
rlm_realm: Adding Realm = "ttec.com"
rlm_realm: Preparing to proxy authentication request to realm ttec.com
modcall[authorize]: module "suffix" returns updated
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
F
ROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER
BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
F
ROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupreply.GroupName ORDER
BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns notfound
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns updated
Sending Access-Request of id 13 to 64.95.32.131:1812
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0xc8630fa1c3629c72b160dd7e4a305b53
MS-CHAP2-Response =
0x01003c770f6c37ffa4df49fa36769ea1bd050000000000000000ba254cc80adb3f4df94273717d80f9b1e035f60635de
0bb9
NAS-Port-Type = Virtual
Cisco-NAS-Port = "Uniq-Sess-ID302"
NAS-Port = 302
Service-Type = Framed-User
NAS-IP-Address = 66.199.132.1
Proxy-State = "9"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 64.95.32.131:1812, id=13,
length=215
Proxy-State = 0x39
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0x471d0516000001370001405f208301c2c26443537f70000000000000002c
MS-MPPE-Recv-Key = 0xdb710b84f15411a29ad20196ac12b80f
MS-MPPE-Send-Key = 0xf99dc2668f89652ab56d3b5b69d45b08
MS-CHAP2-Success =
0x01533d34334536323744344441414646333738374441324435343241343244343643424637343234434638
MS-CHAP-Domain = "\001TTEC"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
attr_filter: Matched entry DEFAULT at line 86
modcall[authorize]: module "attr_filter" returns updated
rlm_realm: Proxy reply, or no user name. Ignoring.
modcall[authorize]: module "suffix" returns noop
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
F
ROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER
BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
F
ROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]'
AND usergroup.GroupName = radgroupreply.GroupName ORDER
BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [[EMAIL PROTECTED]] (from client noc08rt08 port 302)
Sending Access-Accept of id 9 to 66.199.132.1:21678
MS-CHAP-Error = "\001E=691 R=1"
Finished request 225
---------------------------------------------
Config file comments whitespace scraped .
--------------------------------------------
[root@nameserver2 doc]# grep -v '^[[:space:]]*#' /etc/raddb/radiusd.conf
| grep -v '^[[:space:]]*$' | less
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = after
nospace_user = after
nospace_pass = after
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 2
max_servers = 32
min_spare_servers = 2
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
eap {
md5 {
}
}
mschap {
authtype = MS-CHAP
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
tls_mode = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
}
instantiate {
expr
}
authorize {
preprocess
chap
attr_filter
suffix
sql
files
mschap
}
authenticate {
authtype PAP {
pap
}
authtype CHAP {
chap
}
mschap
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique
detail
sql
unix # wtmp file
radutmp
}
session {
sql
}
post-auth {
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
