Hello-

Yes, I've seen that advice many times on the mailing list; however, I do
have that setup already.

authorize {
        preprocess
        attr_filter
        suffix
        files
        ldap
        chap
        mschap
        force_username
}


authenticate {
        authtype PAP {
                pap
        }

        authtype CHAP {
                chap
        }

        authtype MS-CHAP {
                mschap
        }

        authtype LDAP {
                ldap
        }
}




/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Michael Hare 
UW-Madison/WiscNet Network Engineering
My phone: 608-262-5236 
24-Hour NOC: 608-263-4188 
WiscNet: 608-265-6761

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
Sent: Wednesday, March 26, 2003 9:54 AM
To: Michael Hare
Subject: Re: What's a 'normal' looking debug for mschap (with ldap)?


Dear Michael Hare,

In the authorize section, mschap should follow the module retrieving the
user's password (for example, ldap).


--Wednesday, March 26, 2003, 6:26:01 PM, you wrote to
[EMAIL PROTECTED]:

MH> All-

MH> I'm in the initial stages of understanding and trying to set up our LDAP
MH> auth environment (storing plaintext passwords) with MSCHAP.  We're using a
MH> Cisco 30xx VPN concentrator.

MH> I've read the rlm_mschap doc in the docs/ subdir, and I think I have my
MH> radius config setup OK.  However, I'm starting to wonder if I'm having
MH> client, VPN concentrator issues, and hopefully by looking at my debugs
MH> somebody on this list can help me decide that.

MH> This is more than likely a problem with me not understanding CHAP, but I
MH> find it strange there is no Chap-Password supplied in the access-request
MH> packet..  Perhaps there are multiple pieces missing here?  (Yes, non-CHAP
MH> authentication works OK)

MH> rad_recv: Access-Request packet from host 144.92.44.114:2474, id=50,
MH> length=165
MH>         User-Name = "radius.testuser"
MH>         NAS-Port = 5735
MH>         Service-Type = Framed-User
MH>         Framed-Protocol = PPP
MH>         Tunnel-Client-Endpoint:0 = "128.104.19.106"
MH>         MS-CHAP-Challenge = 0x93f85072a0d1b096d65d11bdc1a6ecba
MH>         MS-CHAP2-Response = 0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de0aab531960ebca12bd418e6904
MH>         NAS-IP-Address = 144.92.44.114
MH>         NAS-Port-Type = Virtual
MH> ...
MH> ...
MH> rlm_chap: Could not find proper Chap-Password attribute in request
MH>   modcall[authorize]: module "chap" returns noop
MH>   modcall[authorize]: module "mschap" returns notfound
MH> ...
MH> ...
MH> auth: type "LDAP"
MH> modcall: entering group authtype
MH> rlm_ldap: - authenticate
MH> rlm_ldap: Attribute "User-Password" is required for authentication.
MH>   modcall[authenticate]: module "ldap" returns invalid
MH> modcall: group authtype returns invalid
MH> auth: Failed to validate the user.
MH> Delaying request 1 for 1 seconds
MH> Finished request 1
MH> Going to the next request
MH> --- Walking the entire request list ---
MH> Waking up in 1 seconds...
MH> --- Walking the entire request list ---
MH> Sending Access-Reject of id 50 to 144.92.44.114:2474
MH>         MS-CHAP-Error = "\002E=691 R=1"
MH> Waking up in 4 seconds...
MH> --- Walking the entire request list ---
MH> Cleaning up request 1 ID 50 with timestamp 3e81b844
MH> Nothing to do.  Sleeping until we see a request.


MH> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
MH> Michael Hare 
MH> UW-Madison/WiscNet Network Engineering
MH> My phone: 608-262-5236 
MH> 24-Hour NOC: 608-263-4188 
MH> WiscNet: 608-265-6761


MH> -
MH> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
~/ZARAZA
We will always be glad to hear your chirping (Twain)
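
An added example, not part of the original thread and not FreeRADIUS code: a small Python check over the debug output quoted above. It flags the symptom visible in that log (a request carrying MS-CHAP attributes that ends up in auth type LDAP) and splits the MS-CHAP2-Response value into the fields defined in RFC 2548. The function names are hypothetical; the sample lines are copied from the quoted debug.

```python
import re

# Debug lines copied from the quoted message (prefixes removed, hex value rejoined).
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host 144.92.44.114:2474, id=50, length=165
        User-Name = "radius.testuser"
        MS-CHAP-Challenge = 0x93f85072a0d1b096d65d11bdc1a6ecba
        MS-CHAP2-Response = 0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de0aab531960ebca12bd418e6904
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
auth: type "LDAP"
rlm_ldap: Attribute "User-Password" is required for authentication.
'''

ATTR_RE = re.compile(r'^\s*([\w-]+(?::\d+)?) = (.+)$')
MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([\w-]+)" returns (\w+)')
AUTHTYPE_RE = re.compile(r'^auth: type "([\w-]+)"')

def parse_debug(text):
    """Return (request attributes, module return codes, chosen auth type)."""
    attrs, modules, auth_type = {}, {}, None
    for line in text.splitlines():
        if m := MODCALL_RE.search(line):
            modules[(m.group(1), m.group(2))] = m.group(3)
        elif m := AUTHTYPE_RE.match(line):
            auth_type = m.group(1)
        elif m := ATTR_RE.match(line):
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs, modules, auth_type

def split_mschap2_response(hex_value):
    """Split the 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) != 50:
        raise ValueError(f"expected 50 bytes, got {len(raw)}")
    return {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18],
            "reserved": raw[18:26], "nt_response": raw[26:]}

def diagnose(text):
    """Flag an MS-CHAP request that was not handled as auth type MS-CHAP."""
    attrs, modules, auth_type = parse_debug(text)
    findings = []
    if "MS-CHAP-Challenge" in attrs and auth_type != "MS-CHAP":
        findings.append(f"MS-CHAP request handled as auth type {auth_type}")
    code = modules.get(("authorize", "mschap"))
    if code not in (None, "ok"):
        findings.append(f"authorize: mschap returned {code}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_DEBUG)))
```

The field split also shows why the request has no Chap-Password: the challenge response travels in the MS-CHAP attributes instead.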

