Thanks for your continued help.
Yup, if you mean the following configs, already there!
mschap {
...
...
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
}
ldap {
...
password_attribute := userPassword
...
}
My intent is to have all users use LDAP with or without chap, so I have this
setup in my users file.
DEFAULT Auth-Type := LDAP
Like I said, I'm still learning about MSCHAP, so I'm not even sure my vpn
concentrator is setting the correct radius attributes in the initial
access-request. I'm assuming no news is good news, and that part looked
good to you?
-Michael
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Michael Hare
UW-Madison/WiscNet Network Engineering
My phone: 608-262-5236
24-Hour NOC: 608-263-4188
WiscNet: 608-265-6761
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
Sent: Wednesday, March 26, 2003 10:53 AM
To: Michael Hare
Subject: Re[2]: What's a 'normal' looking debug for mschap (with ldap)?
Dear Michael Hare,
Either your LDAP module is not configured to add the User-Password attribute to the
configuration items (the := operator should be used), or the mschap module is not
configured to set Auth-Type to MS-CHAP (see the module configuration).
--Wednesday, March 26, 2003, 7:47:48 PM, you wrote to [EMAIL PROTECTED]:
MH> Hello-
MH> Yes, I've seen that advice many times on the mailing list, however, I do
MH> have that setup already.
MH> authorize {
MH> preprocess
MH> attr_filter
MH> suffix
MH> files
MH> ldap
MH> chap
MH> mschap
MH> force_username
MH> }
MH> authenticate {
MH> authtype PAP {
MH> pap
MH> }
MH> authtype CHAP {
MH> chap
MH> }
MH> authtype MS-CHAP {
MH> mschap
MH> }
MH> authtype LDAP {
MH> ldap
MH> }
MH> }
MH> -----Original Message-----
MH> From: [EMAIL PROTECTED]
MH> [mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
MH> Sent: Wednesday, March 26, 2003 9:54 AM
MH> To: Michael Hare
MH> Subject: Re: What's a 'normal' looking debug for mschap (with ldap)?
MH> Dear Michael Hare,
MH> In the authorize section, mschap should follow the module that retrieves the user's
MH> password (for example, ldap).
MH> --Wednesday, March 26, 2003, 6:26:01 PM, you wrote to [EMAIL PROTECTED]:
MH>> All-
MH>> I'm in the initial stages of understanding and trying to set up our LDAP
MH>> auth environment (storing plaintext passwords) with MSCHAP. We're using a
MH>> Cisco 30xx VPN concentrator.
MH>> I've read the rlm_mschap doc in the docs/ subdir, and I think I have my
MH>> radius config setup OK. However, I'm starting to wonder if I'm having
MH>> client, VPN concentrator issues, and hopefully by looking at my debugs
MH>> somebody on this list can help me decide that.
MH>> This is more than likely a problem with me not understanding CHAP, but I
MH>> find it strange there is no Chap-Password supplied in the access-request
MH>> packet. Perhaps there are multiple pieces missing here? (Yes, non-CHAP
MH>> authentication works OK.)
MH>> rad_recv: Access-Request packet from host 144.92.44.114:2474, id=50,
MH>> length=165
MH>> User-Name = "radius.testuser"
MH>> NAS-Port = 5735
MH>> Service-Type = Framed-User
MH>> Framed-Protocol = PPP
MH>> Tunnel-Client-Endpoint:0 = "128.104.19.106"
MH>> MS-CHAP-Challenge = 0x93f85072a0d1b096d65d11bdc1a6ecba
MH>> MS-CHAP2-Response = 0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de0aab531960ebca12bd418e6904
MH>> NAS-IP-Address = 144.92.44.114
MH>> NAS-Port-Type = Virtual
MH>> ...
MH>> ...
MH>> rlm_chap: Could not find proper Chap-Password attribute in request
MH>> modcall[authorize]: module "chap" returns noop
MH>> modcall[authorize]: module "mschap" returns notfound
MH>> ...
MH>> ...
MH>> auth: type "LDAP"
MH>> modcall: entering group authtype
MH>> rlm_ldap: - authenticate
MH>> rlm_ldap: Attribute "User-Password" is required for authentication.
MH>> modcall[authenticate]: module "ldap" returns invalid
MH>> modcall: group authtype returns invalid
MH>> auth: Failed to validate the user.
MH>> Delaying request 1 for 1 seconds
MH>> Finished request 1
MH>> Going to the next request
MH>> --- Walking the entire request list ---
MH>> Waking up in 1 seconds...
MH>> --- Walking the entire request list ---
MH>> Sending Access-Reject of id 50 to 144.92.44.114:2474
MH>> MS-CHAP-Error = "\002E=691 R=1"
MH>> Waking up in 4 seconds...
MH>> --- Walking the entire request list ---
MH>> Cleaning up request 1 ID 50 with timestamp 3e81b844
MH>> Nothing to do. Sleeping until we see a request.
MH>> -
MH>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
~/ZARAZA
Yes, he was damned lucky. And how rotten it would have been for him if he had survived!
(Twain)
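An added example, not code from this thread or from FreeRADIUS: it splits the MS-CHAP2-Response value from the debug output above into its fields, computes the RFC 2759 ChallengeHash from it, and decodes the MS-CHAP-Error sent in the Access-Reject. It shows what rlm_mschap already has in hand from the Access-Request, and which step still needs the User-Password that rlm_ldap must supply.

```python
import hashlib

# Values copied from the rad_recv debug output quoted in this thread.
USER_NAME = "radius.testuser"
MS_CHAP_CHALLENGE = bytes.fromhex("93f85072a0d1b096d65d11bdc1a6ecba")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "0200917d137fbe6068ce0ff6497fd585346f0000000000000000"
    "083a89c344e820927e54de0aab531960ebca12bd418e6904"
)
MS_CHAP_ERROR = "\002E=691 R=1"


def parse_mschap2_response(data: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response attribute value (RFC 2548).

    Layout: Ident (1) | Flags (1) | Peer-Challenge (16) | Reserved (8) | NT-Response (24).
    """
    if len(data) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(data)}")
    ident, flags = data[0], data[1]
    peer_challenge, reserved, nt_response = data[2:18], data[18:26], data[26:50]
    if flags != 0 or reserved != bytes(8):
        raise ValueError("Flags and Reserved must be zero in MS-CHAPv2")
    return {"ident": ident, "peer_challenge": peer_challenge, "nt_response": nt_response}


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    Everything needed for this step is in the Access-Request. Checking NT-Response
    additionally requires DES-encrypting this hash under the user's NT password
    hash (MD4 of the password), which is why rlm_mschap can only work once the
    cleartext User-Password has been pulled from LDAP during authorize.
    """
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name.encode("ascii"))
    return digest.digest()[:8]


def parse_mschap_error(value: str) -> dict:
    """Decode an MS-CHAP-Error string: one Ident byte, then "E=<code> R=<0|1> ...".

    Code 691 is ERROR_AUTHENTICATION_FAILURE (RFC 2759); R=1 tells the NAS that
    the client may retry. The Ident should match the Ident of the failed response.
    """
    ident, text = ord(value[0]), value[1:]
    fields = dict(part.split("=", 1) for part in text.split())
    return {"ident": ident, "error": int(fields["E"]), "retry": fields.get("R") == "1"}
```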