Dear Michael Hare,

Send complete log for request processing.

--Wednesday, March 26, 2003, 8:06:43 PM, you wrote to [EMAIL PROTECTED]:

MH> Thanks for your continued help.

MH> Yup, if you mean the following configs, already there!

MH>         mschap {
MH>             ...
MH>             ...
MH>                 # authtype value, if present, will be used
MH>                 # to overwrite (or add) Auth-Type during
MH>                 # authorization. Normally should be MS-CHAP
MH>                 authtype = MS-CHAP
MH>         }


MH>         ldap {
MH>             ...
MH>                 password_attribute := userPassword
MH>             ...
MH>         }

MH> My intent is to have all users use LDAP with or without chap, so I have this
MH> setup in my users file.

MH> DEFAULT Auth-Type := LDAP

MH> Like I said, I'm still learning about MSCHAP, so I'm not even sure my vpn
MH> concentrator is setting the correct radius attributes in the initial
MH> access-request.  I'm assuming no news is good news, and that part looked
MH> good to you?

MH> -Michael


MH> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
MH> Michael Hare 
MH> UW-Madison/WiscNet Network Engineering
MH> My phone: 608-262-5236 
MH> 24-Hour NOC: 608-263-4188 
MH> WiscNet: 608-265-6761

MH> -----Original Message-----
MH> From: [EMAIL PROTECTED]
MH> [mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
MH> Sent: Wednesday, March 26, 2003 10:53 AM
MH> To: Michael Hare
MH> Subject: Re[2]: What's a 'normal' looking debug for mschap (with ldap)?


MH> Dear Michael Hare,

MH> Either your LDAP is not configured to add User-Password attribute to
MH> configuration (:= operation should be used) or mschap module is not
MH> configured to set Auth-Type to MS-CHAP (see module configuration).

MH> --Wednesday, March 26, 2003, 7:47:48 PM, you wrote to [EMAIL PROTECTED]:

MH>> Hello-

MH>> Yes, I've seen that advice many times on the mailing list, however, I do
MH>> have that setup already.

MH>> authorize {
MH>>         preprocess
MH>>         attr_filter
MH>>         suffix
MH>>         files
MH>>         ldap
MH>>         chap
MH>>         mschap
MH>>         force_username
MH>> }


MH>> authenticate {
MH>>         authtype PAP {
MH>>                 pap
MH>>         }

MH>>         authtype CHAP {
MH>>                 chap
MH>>         }

MH>>         authtype MS-CHAP {
MH>>                 mschap
MH>>         }

MH>>         authtype LDAP {
MH>>                 ldap
MH>>         }
MH>> }





MH>> -----Original Message-----
MH>> From: [EMAIL PROTECTED]
MH>> [mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
MH>> Sent: Wednesday, March 26, 2003 9:54 AM
MH>> To: Michael Hare
MH>> Subject: Re: What's a 'normal' looking debug for mschap (with ldap)?


MH>> Dear Michael Hare,

MH>> In authorize section mschap should follow the module retrieving user's
MH>> password (for example ldap).


MH>> --Wednesday, March 26, 2003, 6:26:01 PM, you wrote to [EMAIL PROTECTED]:

MH>>> All-

MH>>> I'm in the initial stages of understanding and trying to set up our LDAP
MH>>> auth environment (storing plaintext passwords) with MSCHAP.  We're using a
MH>>> Cisco 30xx VPN concentrator.

MH>>> I've read the rlm_mschap doc in the docs/ subdir, and I think I have my
MH>>> radius config setup OK.  However, I'm starting to wonder if I'm having
MH>>> client, VPN concentrator issues, and hopefully by looking at my debugs
MH>>> somebody on this list can help me decide that.

MH>>> This is more than likely a problem with me not understanding CHAP, but I
MH>>> find it strange there is no Chap-Password supplied in the access-request
MH>>> packet..  Perhaps there are multiple pieces missing here?  (Yes, non-CHAP
MH>>> authentication works OK)

MH>>> rad_recv: Access-Request packet from host 144.92.44.114:2474, id=50, length=165
MH>>>         User-Name = "radius.testuser"
MH>>>         NAS-Port = 5735
MH>>>         Service-Type = Framed-User
MH>>>         Framed-Protocol = PPP
MH>>>         Tunnel-Client-Endpoint:0 = "128.104.19.106"
MH>>>         MS-CHAP-Challenge = 0x93f85072a0d1b096d65d11bdc1a6ecba
MH>>>         MS-CHAP2-Response = 0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de0aab531960ebca12bd418e6904
MH>>>         NAS-IP-Address = 144.92.44.114
MH>>>         NAS-Port-Type = Virtual
MH>>> ...
MH>>> ...
MH>>> rlm_chap: Could not find proper Chap-Password attribute in request
MH>>>   modcall[authorize]: module "chap" returns noop
MH>>>   modcall[authorize]: module "mschap" returns notfound
MH>>> ...
MH>>> ...
MH>>> auth: type "LDAP"
MH>>> modcall: entering group authtype
MH>>> rlm_ldap: - authenticate
MH>>> rlm_ldap: Attribute "User-Password" is required for authentication.
MH>>>   modcall[authenticate]: module "ldap" returns invalid
MH>>> modcall: group authtype returns invalid
MH>>> auth: Failed to validate the user.
MH>>> Delaying request 1 for 1 seconds
MH>>> Finished request 1
MH>>> Going to the next request
MH>>> --- Walking the entire request list ---
MH>>> Waking up in 1 seconds...
MH>>> --- Walking the entire request list ---
MH>>> Sending Access-Reject of id 50 to 144.92.44.114:2474
MH>>>         MS-CHAP-Error = "\002E=691 R=1"
MH>>> Waking up in 4 seconds...
MH>>> --- Walking the entire request list ---
MH>>> Cleaning up request 1 ID 50 with timestamp 3e81b844
MH>>> Nothing to do.  Sleeping until we see a request.




MH>>> -
MH>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







-- 
~/ZARAZA
While you are in the hands of providence, you will not manage to die before your time. (Twain)
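
Added example, not part of the original thread: a Python sketch that decodes the MS-CHAP attributes from the quoted debug output using the RFC 2548 field layout, which helps when checking whether a NAS is sending a well-formed MS-CHAPv2 request. The function names are hypothetical; the sample lines are copied from the quoted log (request and reject combined).

```python
import re

# Sample input: attribute lines copied from the quoted debug output (id=50);
# the first three come from the Access-Request, the last from the Access-Reject.
SAMPLE = r'''
        User-Name = "radius.testuser"
        MS-CHAP-Challenge = 0x93f85072a0d1b096d65d11bdc1a6ecba
        MS-CHAP2-Response = 0x0200917d137fbe6068ce0ff6497fd585346f0000000000000000083a89c344e820927e54de0aab531960ebca12bd418e6904
        MS-CHAP-Error = "\002E=691 R=1"
'''

def parse_attrs(text):
    """Collect 'Name = value' pairs as printed by radiusd in debug mode."""
    pairs = re.findall(r'^[ \t]*([\w-]+(?::\d+)?) = (.+?)[ \t]*$', text, re.M)
    return {name: value.strip('"') for name, value in pairs}

def decode_mschap2_response(hexval):
    """Split MS-CHAP2-Response (RFC 2548, 2.3.2): 1+1+16+8+24 = 50 bytes."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    return {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18],
            "reserved": raw[18:26], "nt_response": raw[26:]}

def decode_mschap_error(value):
    """MS-CHAP-Error: Ident byte (printed as an octal escape), then 'E=.. R=..'."""
    m = re.fullmatch(r'\\([0-7]{3})(.*)', value)
    if not m:
        raise ValueError("unexpected MS-CHAP-Error format")
    return int(m.group(1), 8), dict(kv.split("=", 1) for kv in m.group(2).split())

def summarize(text):
    attrs = parse_attrs(text)
    resp = decode_mschap2_response(attrs["MS-CHAP2-Response"])
    err_ident, err = decode_mschap_error(attrs["MS-CHAP-Error"])
    return {
        "challenge_len": len(bytes.fromhex(attrs["MS-CHAP-Challenge"][2:])),
        "has_chap_password": "CHAP-Password" in attrs,  # MS-CHAP uses the MS-* VSAs
        "resp_ident": resp["ident"],
        "reserved_is_zero": not any(resp["reserved"]),
        "nt_response_len": len(resp["nt_response"]),
        "error_ident_matches": err_ident == resp["ident"],
        "error_code": err["E"],          # 691 = authentication failure (RFC 2759)
        "retry_allowed": err["R"] == "1",
    }

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```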

