Hello all! I am trying to set up a working solution of PPTP + FreeRADIUS + MySQL. Software involved: FreeRADIUS 0.9.3, poptop-1.1.4, pppd 2.4.2 (from pptpclient.sf.org).

I use the following setup:

1. enabled radius plug-in for pppd:

    [EMAIL PROTECTED] ppp]# cat options.pptpd
    require-mschap-v2
    plugin radius.so
    radius-config-file /etc/radiusclient/radiusclient.conf

2. enabled MySQL storage for RADIUS: excerpts from radiusd.conf

    mschap {
        authtype = MS-CHAP
    }
    }
    authorize {
        preprocess
        suffix
        sql
        mschap
    }
    authenticate {
        mschap
    }
    preacct {
        preprocess
        suffix
        files
    }
    accounting {
        acct_unique
        detail
        sql
    }
    session {
        sql
    }

My problem is that the Windows XP box can't log in with MS-CHAP v2. From pppd's point of view it looks like this:

    Jan 5 05:31:56 ahome pppd[27471]: Connect: ppp0 <--> /dev/pts/9
    Jan 5 05:31:56 ahome pppd[27471]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7e30b849> <pcomp> <accomp>]
    Jan 5 05:31:56 ahome pptpd[27470]: GRE: Bad checksum from pppd.
    Jan 5 05:31:56 ahome pppd[27471]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7e30b849> <pcomp> <accomp>]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x726c72fa> <pcomp> <accomp> <callback CBCP>]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP ConfRej id=0x1 <callback CBCP>]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x726c72fa> <pcomp> <accomp>]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x726c72fa> <pcomp> <accomp>]
    Jan 5 05:31:58 ahome pppd[27471]: sent [CHAP Challenge id=0xfa <75602b06d0e80c3cac7244da0d1df804>, name = "pptp"]
    Jan 5 05:31:58 ahome pptpd[27470]: CTRL: Received PPTP Control Message (type: 15)
    Jan 5 05:31:58 ahome pptpd[27470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x3 72 6c 72 fa 4d 53 52 41 53 56 35 2e 31 30]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x2 0c 03 00 12 72 6c 72 fa 4d 53 52 41 53 56 35 2e 31 30]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x4 72 6c 72 fa 4d 53 52 41 53 2d 30 2d 47 4f 4c 41 4e 54]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x3 0c 04 00 16 72 6c 72 fa 4d 53 52 41 53 2d 30 2d 47 4f 4c 41 4e 54]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [CHAP Response id=0xfa <f7624c397cabc2504b37d007f5c3b5e9000000000000000008358fb7d79f0d6ad3b93c7e5e597b38aca7f5e6a23e3ba600>, name = "anton"]
    Jan 5 05:32:00 ahome pppd[27471]: Peer anton failed CHAP authentication
    Jan 5 05:32:00 ahome pppd[27471]: sent [CHAP Failure id=0xfa "p\37777777605\010\010P"]
    Jan 5 05:32:00 ahome pppd[27471]: sent [LCP TermReq id=0x4 "Authentication failed"]

FreeRadius with full debugging wrote this:

    ...
    rlm_sql (sql): Released sql socket id: 0
    modcall[authorize]: module "sql" returns ok for request 19
    rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
    modcall[authorize]: module "mschap" returns ok for request 19
    modcall: group authorize returns ok for request 19
    rad_check_password: Found Auth-Type MS-CHAP
    auth: type "MS-CHAP"
    modcall: entering group Auth-Type for request 19
    rlm_mschap: doing MS-CHAPv2 with NT-Password
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module "mschap" returns reject for request 19
    modcall: group Auth-Type returns reject for request 19
    auth: Failed to validate the user.
    Login incorrect: [anton/<no User-Password attribute>] (from client localhost port 0)
    ...

The strangest thing about all this is that when we change require-mschap-v2 in options.pptp to require-chap or require-pap, it works just fine. I have had some ideas about the reasons for such behavior, but none of them proved itself.

It is not the case that "WinXP sends one string as the login and hashes another for the CHAP challenge, e.g. with the domain name appended", since changing the authentication method from MS-CHAPv2 to MS-CHAPv1 solves the problem without any manipulations on the client side. I also think that some postings here were prompted by the same problem, but for various reasons were not followed through to a solution ("freeradius and mschap2 problem" by Mauro Luzi, "MS-CHAPv2 + MySQL + group authtype failure" by Eliot Gable).

I think that I use the latest available versions of the programs. radius.c from the ppp package is 1.21 2003/11/25 11:50:10 paulus, rlm_mschap.c from freeradius is 1.41.2.1 2003/09/16 18:40:56 phampson.

I don't have enough skill to trace this problem down, so I am looking for your advice. I think that the problem can be either in calculating and/or comparing hash values in rlm_mschap.c, i.e. a mistake in making the decision about the challenge/response pair, or the problem can be in radius.c of pppd, which provides RADIUS with wrongly composed challenge/response attributes, i.e. a misunderstanding between pppd and freeradius. The argument in favor of the second supposition is that the presentation of the CHAP request-response pair differs between the PPP and RADIUS protocols (e.g. see the /* The idiots use a different field order in RADIUS than PPP */ comment in radius.c of ppp).

Sincerely,
Anton
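A decoding aid for the exchange above, added here as an example that is not part of the original post or of pppd/FreeRADIUS: it splits the 49-byte MS-CHAPv2 CHAP Response value from the pppd log into its RFC 2759 fields, re-packs them in the RFC 2548 MS-CHAP2-Response vendor attribute order that radius.c must produce (Flags moves to the front, which is the "different field order" the comment refers to), and computes the RFC 2759 ChallengeHash that the NT-Response is actually calculated over. The hex values are copied from the log; vendor id 311 and vendor types 11/25 are the Microsoft values from RFC 2548.

```python
import hashlib
import struct

# Values copied from the pppd debug log in the post above (hex as logged).
AUTH_CHALLENGE_HEX = "75602b06d0e80c3cac7244da0d1df804"           # CHAP Challenge id=0xfa
CHAP_RESPONSE_HEX = ("f7624c397cabc2504b37d007f5c3b5e9"            # Peer-Challenge (16)
                     "0000000000000000"                            # Reserved (8)
                     "08358fb7d79f0d6ad3b93c7e5e597b38aca7f5e6a23e3ba6"  # NT-Response (24)
                     "00")                                         # Flags (1)
CHAP_IDENT = 0xFA
USER_NAME = "anton"

MS_VENDOR_ID = 311        # Microsoft vendor id (RFC 2548)
MS_CHAP2_RESPONSE = 25    # vendor type of MS-CHAP2-Response (RFC 2548 2.3.3)


def parse_ppp_mschap2_response(value: bytes) -> dict:
    """Split a PPP MS-CHAPv2 CHAP Response Value (RFC 2759 section 4):
    Peer-Challenge(16) | Reserved(8, zero) | NT-Response(24) | Flags(1, zero)."""
    if len(value) != 49:
        raise ValueError(f"MS-CHAPv2 response must be 49 bytes, got {len(value)}")
    peer_challenge, reserved = value[:16], value[16:24]
    nt_response, flags = value[24:48], value[48]
    if reserved != bytes(8) or flags != 0:
        raise ValueError("Reserved and Flags must be zero in MS-CHAPv2")
    return {"peer_challenge": peer_challenge, "nt_response": nt_response, "flags": flags}


def radius_ms_chap2_response_vsa(ident: int, fields: dict) -> bytes:
    """Encode the same data as a RADIUS Vendor-Specific MS-CHAP2-Response attribute.
    RADIUS order is Ident, Flags, Peer-Challenge, Reserved, Response: Flags comes
    first here, whereas PPP carries it last.  Vendor-Length is 52, attribute length 58."""
    sub = struct.pack("!BB", ident, fields["flags"]) + fields["peer_challenge"] \
        + bytes(8) + fields["nt_response"]
    vsa_body = struct.pack("!BB", MS_CHAP2_RESPONSE, 2 + len(sub)) + sub
    return struct.pack("!BBI", 26, 2 + 4 + len(vsa_body), MS_VENDOR_ID) + vsa_body


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8-byte challenge the NT-Response is computed over.
    The user name must be exactly the name from the CHAP Response, without domain prefix."""
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def decode_log_exchange():
    """Decode the logged exchange; returns (parsed fields, RADIUS VSA bytes, ChallengeHash)."""
    fields = parse_ppp_mschap2_response(bytes.fromhex(CHAP_RESPONSE_HEX))
    vsa = radius_ms_chap2_response_vsa(CHAP_IDENT, fields)
    chal = challenge_hash(fields["peer_challenge"], bytes.fromhex(AUTH_CHALLENGE_HEX), USER_NAME)
    return fields, vsa, chal
```

Comparing the ChallengeHash for "anton" against one computed with a domain-prefixed name shows why a name mismatch between what the client hashed and what the server uses would make rlm_mschap report "MS-CHAP2-Response is incorrect"; verifying the NT-Response itself additionally needs the MD4 NT password hash and three DES operations, which are not included here.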