All-

I'm in the initial stages of understanding and trying to set up our LDAP
auth environment (storing plaintext passwords) with MSCHAP.  We're using a
Cisco 30xx VPN concentrator.

I've read the rlm_mschap doc in the docs/ subdir, and I think I have my
radius config set up OK.  However, I'm starting to wonder if I'm having
client, VPN concentrator issues, and hopefully by looking at my debugs
somebody on this list can help me decide that.

This is more than likely a problem with me not understanding CHAP, but I
find it strange there is no Chap-Password supplied in the access-request
packet.  Perhaps there are multiple pieces missing here?  (Yes, non-CHAP
authentication works OK)

rad_recv: Access-Request packet from host 144.92.44.114:2474, id=50, length=165
        User-Name = "radius.testuser"
        NAS-Port = 5735
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Client-Endpoint:0 = "128.104.19.106"
        MS-CHAP-Challenge = 0x93f85072a0d1b096d65d11bdc1a6ecba
        MS-CHAP2-Response = 0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de0aab531960ebca12bd418e6904
        NAS-IP-Address = 144.92.44.114
        NAS-Port-Type = Virtual
...
...
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
...
...
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 144.92.44.114:2474
        MS-CHAP-Error = "\002E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 50 with timestamp 3e81b844
Nothing to do.  Sleeping until we see a request.


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Michael Hare 
UW-Madison/WiscNet Network Engineering
My phone: 608-262-5236 
24-Hour NOC: 608-263-4188 
WiscNet: 608-265-6761
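
An added example, not part of the original post: Python that reads the attributes from the debug output above, reports which authentication method the request carries, and splits MS-CHAP2-Response and MS-CHAP-Error into their fields. The field layout follows RFC 2548 and the error code meaning follows RFC 2759; the function names are hypothetical.

```python
import re

# Attribute values copied from the debug output in the post above.
REQUEST = {
    "User-Name": "radius.testuser",
    "MS-CHAP-Challenge": "0x93f85072a0d1b096d65d11bdc1a6ecba",
    "MS-CHAP2-Response":
        "0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de"
        "0aab531960ebca12bd418e6904",
}
REJECT_ERROR = "\x02E=691 R=1"   # MS-CHAP-Error from the Access-Reject

# Credential attribute -> authentication method it signals.
METHODS = [("MS-CHAP2-Response", "MS-CHAPv2"), ("MS-CHAP-Response", "MS-CHAPv1"),
           ("CHAP-Password", "CHAP"), ("User-Password", "PAP")]
ERRORS = {"691": "ERROR_AUTHENTICATION_FAILURE"}  # RFC 2759, section 6

def auth_method(attrs):
    """Return the method implied by the credential attribute present."""
    for name, method in METHODS:
        if name in attrs:
            return method
    return "unknown"

def parse_mschap2_response(hexval):
    """Split MS-CHAP2-Response into its RFC 2548 fields (50 octets)."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    if len(raw) != 50:
        raise ValueError(f"expected 50 octets, got {len(raw)}")
    return {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18],
            "reserved": raw[18:26], "nt_response": raw[26:50]}

def parse_mschap_error(value):
    """Split MS-CHAP-Error into the ident octet and its key=value fields."""
    ident, text = ord(value[0]), value[1:]
    return ident, dict(re.findall(r"(\w)=(\S+)", text))

if __name__ == "__main__":
    print("method:", auth_method(REQUEST))          # no CHAP-Password involved
    for key, val in parse_mschap2_response(REQUEST["MS-CHAP2-Response"]).items():
        print(f"  {key}: {val.hex() if isinstance(val, bytes) else val}")
    ident, fields = parse_mschap_error(REJECT_ERROR)
    # R=1 means the server permits a retry.
    print(f"reject ident={ident} E={fields['E']} "
          f"({ERRORS.get(fields['E'], 'unlisted')}) R={fields['R']}")
```
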

