I've found some similar references to the problem I'm having here:
<http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017525.html>
And I get an MS-Chap-Error similar to this:
<http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017052.html>
Basically, I have set up mpd to authenticate via RADIUS, and I'm trying to
have FreeRADIUS do its authentication via rlm_pam, so I can have mpd
(indirectly) authenticate off of a Windows Domain (so PAM is configured to
authenticate via pam_winbind, from the Samba3 distro).
I've been banging my head against this for a while, and I'm at a loss. Any
pointers would be greatly appreciated. Here's the icky details...
I have FreeRADIUS set up properly, and have been able to use radtest to
authenticate successfully. However, as soon as I introduce mpd into the
equation, this is what I see:
Login incorrect: [damiang/<no User-Password attribute>] (from client localhost port 0 cli 64.7.141.26)
At the same time I see this in the mpd logs:
Sep 9 18:30:21 virtek mpd: [pptp1] RADIUS: RadiusAddServer Adding 127.0.0.1
Sep 9 18:30:21 virtek mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: damiang
Sep 9 18:30:25 virtek mpd: [pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_REJECT for user damiang
Sep 9 18:30:25 virtek mpd: [pptp1] RADIUS: RadiusGetParams: MS-CHAP-Error: ^AE=691 R=1
Sep 9 18:30:25 virtek mpd: [pptp1] CHAP: sending FAILURE
If I change the mpd configuration to use PAP instead of CHAP, I get
authentication success, but then there's some weirdness going on on the mpd
side of things that I'm also trying to figure out.
Even though rlm_chap complains about not being able to find a proper
Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
in the packet debug.
Attached is an output of radiusd -X during one of the CHAP authentication
failures. Again, any pointers, clue sticks, RTFM's, or suggestions would be
greatly appreciated.
- Damian
rad_recv: Access-Request packet from host 127.0.0.1:4844, id=105, length=181
NAS-Identifier = "me.sentex.ca"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "64.7.141.26"
User-Name = "damiang"
MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127f0000000000000000c649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: No '@' in User-Name = "damiang", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 2
modcall[authorize]: module "files" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
modcall: entering group authenticate
rlm_pam: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "pam" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [damiang/<no User-Password attribute>] (from client localhost port 0 cli 64.7.141.26)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 105 to 127.0.0.1:4844
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:4845, id=198, length=168
NAS-Identifier = "me.sentex.ca"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "damiang"
MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127f0000000000000000c649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: No '@' in User-Name = "damiang", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 2
modcall[authorize]: module "files" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
modcall: entering group authenticate
rlm_pam: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "pam" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [damiang/<no User-Password attribute>] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 3f5e53f1
Sending Access-Reject of id 198 to 127.0.0.1:4845
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 198 with timestamp 3f5e53f3
Nothing to do. Sleeping until we see a request.
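
Added example (not part of the original post, and not FreeRADIUS or mpd code): a small triage script that reads the attributes of the Access-Request shown in the debug output, classifies which credential the NAS actually sent, and splits the MS-CHAP2-Response into its RFC 2548 fields, showing that the request carries a challenge/response pair and no User-Password for rlm_pam to hand to PAM. All function names are hypothetical; the sample input is constructed from the attribute lines above, and the reading of E=691 as an authentication failure with R=1 meaning a retry is allowed follows RFC 2759.

```python
import re

# Constructed sample: attribute lines taken from the radiusd -X output above,
# with the wrapped MS-CHAP2-Response value joined onto one line.
SAMPLE_REQUEST = '''
User-Name = "damiang"
MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127f0000000000000000c649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
'''

def parse_attrs(text):
    """Collect 'Name = value' attribute lines into a dict (hypothetical helper)."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9-]+)\s*=\s*(\S.*)$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def credential_type(attrs):
    """Name the credential the NAS sent, based on which attributes are present."""
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "MS-CHAP-Challenge" in attrs and "MS-CHAP2-Response" in attrs:
        return "MS-CHAPv2"
    if "MS-CHAP-Challenge" in attrs and "MS-CHAP-Response" in attrs:
        return "MS-CHAPv1"
    return "none"

def split_mschap2_response(hexval):
    """Split the 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    if len(raw) != 50:
        raise ValueError("expected 50 bytes, got %d" % len(raw))
    return {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18],
            "reserved": raw[18:26], "nt_response": raw[26:50]}

def parse_mschap_error(value):
    """Extract the numeric E (error), R (retry) and V (version) fields."""
    return {k: int(v) for k, v in re.findall(r'([ERV])=(\d+)', value)}

def pam_can_verify(attrs):
    """rlm_pam reports that User-Password is required; check that it is present."""
    return "User-Password" in attrs
```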
