Hello all!

I am trying to setup a working solution of PPTP + FreeRADIUS + MySQL.
Software involved: FreeRADIUS 0.9.3, poptop-1.1.4, pppd 2.4.2 (from
pptpclient.sf.org).

I use the following setup:

1. enabled radius plug-in for pppd:

[EMAIL PROTECTED] ppp]# cat options.pptpd
require-mschap-v2
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf

2. enabled MySQL storage for RADIUS:
excerpts from radiusd.conf
   mschap {
      authtype = MS-CHAP
   }
}
authorize {
   preprocess
   suffix
   sql
   mschap
}
authenticate {
   mschap
}
preacct {
   preprocess
   suffix
   files
}
accounting {
   acct_unique
   detail
   sql
}
session {
   sql
}

My problem is that Windows XP box can't log in with MS-CHAP v2.

From pppd point of view it looks like this:
Jan  5 05:31:56 ahome pppd[27471]: Connect: ppp0 <--> /dev/pts/9
Jan  5 05:31:56 ahome pppd[27471]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap 
MS-v2> <magic 0x7e30b849> <pcomp> <accomp>]
Jan  5 05:31:56 ahome pptpd[27470]: GRE: Bad checksum from pppd.
Jan  5 05:31:56 ahome pppd[27471]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap 
MS-v2> <magic 0x7e30b849> <pcomp> <accomp>]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 
0x726c72fa> <pcomp> <accomp> <callback CBCP>]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP ConfRej id=0x1 <callback CBCP>]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 
0x726c72fa> <pcomp> <accomp>]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 
0x726c72fa> <pcomp> <accomp>]
Jan  5 05:31:58 ahome pppd[27471]: sent [CHAP Challenge id=0xfa 
<75602b06d0e80c3cac7244da0d1df804>, name = "pptp"]
Jan  5 05:31:58 ahome pptpd[27470]: CTRL: Received PPTP Control Message (type: 15)
Jan  5 05:31:58 ahome pptpd[27470]: CTRL: Ignored a SET LINK INFO packet with real 
ACCMs!
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x3 72 6c 72 fa 4d 53 52 41 
53 56 35 2e 31 30]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x2 0c 03 00 12 72 6c 72 fa 4d 
53 52 41 53 56 35 2e 31 30]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x4 72 6c 72 fa 4d 53 52 41 
53 2d 30 2d 47 4f 4c 41 4e 54]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x3 0c 04 00 16 72 6c 72 fa 4d 
53 52 41 53 2d 30 2d 47 4f 4c 41 4e 54]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [CHAP Response id=0xfa 
<f7624c397cabc2504b37d007f5c3b5e9000000000000000008358fb7d79f0d6ad3b93c7e5e597b38aca7f5e6a23e3ba600>,
 name = "anton"]
Jan  5 05:32:00 ahome pppd[27471]: Peer anton failed CHAP authentication
Jan  5 05:32:00 ahome pppd[27471]: sent [CHAP Failure id=0xfa "p\37777777605\010\010P"]
Jan  5 05:32:00 ahome pppd[27471]: sent [LCP TermReq id=0x4 "Authentication failed"]

FreeRadius with full debugging wrote this:
...
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok for request 19
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 19
modcall: group authorize returns ok for request 19
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 19
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 19
modcall: group Auth-Type returns reject for request 19
auth: Failed to validate the user.
Login incorrect: [anton/<no User-Password attribute>] (from client localhost port 0)
...

The most strange thing about all this is that when we change
require-mschap-v2 in options.pptp to require-chap or require-pap,
it works just fine.

I have had some ideas about the reasons for such behavior, but none
of them proved itself. It is not the case that "WinXP sends as login
one string and hashes for the CHAP challenge another with e.g. the domain name
appended", since changing the authentication method from MS-CHAPv2 to
MS-CHAPv1 solves the problem without any manipulations on the client
side.

I also think that some postings here were caused by the same problem,
but for various reasons were not followed through to a solution
("freeradius and mschap2 problem" by Mauro Luzi, "MS-CHAPv2 + MySQL +
group authtype failure" by Eliot Gable).

I think that I use the latest possible version of programs.
radius.c from ppp package is 1.21 2003/11/25 11:50:10 paulus,
rlm_mschap.c from freeradius is 1.41.2.1 2003/09/16 18:40:56 phampson.


I don't have enough skill to trace this problem down, so I look for
your advice. I think that the problem can be either in calculating
and/or comparing hash values in rlm_mschap.c, i.e. a mistake in making
the decision about the challenge/response pair. Or the problem can be in radius.c
of pppd, which provides RADIUS with wrongly composed challenge/response
attributes, i.e. a misunderstanding between pppd and freeradius. The
argument in favor of the second supposition is that the presentation
of the CHAP request/response pair differs in the PPP and RADIUS protocols
(e.g. see the /* The idiots use a different field order in RADIUS than PPP
*/ comment in radius.c of ppp).

Sincerely,
Anton
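The second hypothesis above (a framing mismatch between what pppd hands to radiusclient and what rlm_mschap expects) can be checked without the user's password, because the PPP CHAP Response value and the RADIUS MS-CHAP2-Response attribute carry the same fields in different orders. The following is an added example, not code from the post, from pppd, or from FreeRADIUS. It takes the 16-byte challenge and the 49-byte response copied from the pppd log in the message, splits the response into the RFC 2759 fields (Peer-Challenge, Reserved, NT-Response, Flags), and re-lays them out as the RFC 2548 MS-CHAP2-Response vendor attribute (Ident, Flags, Peer-Challenge, Reserved, Response) inside a RADIUS Vendor-Specific AVP with the Microsoft enterprise number 311. It only validates lengths, ordering and the zero Reserved field; it does not recompute the NT-Response, since that needs the NT password hash, which is not on the page.

```python
"""Re-frame an MS-CHAPv2 CHAP Response from its PPP layout (RFC 2759)
into the RADIUS MS-CHAP2-Response attribute layout (RFC 2548).

Added example; the challenge/response bytes are copied from the pppd log
in the post, everything else is a plain re-implementation of the RFCs."""
import struct
from dataclasses import dataclass

# Values taken from the pppd log in the post (CHAP id=0xfa, name "anton").
CHAP_ID = 0xFA
PEER_NAME = "anton"
PPP_CHALLENGE_HEX = "75602b06d0e80c3cac7244da0d1df804"
PPP_RESPONSE_HEX = (
    "f7624c397cabc2504b37d007f5c3b5e9"                    # Peer-Challenge (16)
    "0000000000000000"                                    # Reserved (8)
    "08358fb7d79f0d6ad3b93c7e5e597b38aca7f5e6a23e3ba6"    # NT-Response (24)
    "00"                                                  # Flags (1)
)

# RFC 2548: Microsoft vendor id and the two vendor-type codes used for MS-CHAPv2.
MICROSOFT_VENDOR_ID = 311
MS_CHAP_CHALLENGE = 11   # 16-byte authenticator challenge
MS_CHAP2_RESPONSE = 25   # 50-byte response block
RADIUS_VENDOR_SPECIFIC = 26


@dataclass
class MsChap2Response:
    peer_challenge: bytes   # 16 bytes, chosen by the peer (Windows client)
    reserved: bytes         # 8 bytes, must be zero
    nt_response: bytes      # 24 bytes, three DES blocks
    flags: int              # 1 byte, must be zero in MS-CHAPv2


def parse_ppp_mschap2_response(value: bytes) -> MsChap2Response:
    """Split the 49-byte CHAP Response value as laid out by RFC 2759 section 4."""
    if len(value) != 49:
        raise ValueError(f"MS-CHAPv2 response value must be 49 bytes, got {len(value)}")
    resp = MsChap2Response(value[0:16], value[16:24], value[24:48], value[48])
    if resp.reserved != bytes(8):
        raise ValueError("Reserved field is not zero; not a well-formed MS-CHAPv2 response")
    return resp


def build_radius_mschap2_response(ident: int, r: MsChap2Response) -> bytes:
    """Produce the 50-byte MS-CHAP2-Response value of RFC 2548 section 2.3.2.

    Note the reordering: Ident and Flags move to the front, before the
    Peer-Challenge, which is exactly the PPP-vs-RADIUS difference the
    radius.c comment in pppd refers to."""
    return bytes([ident & 0xFF, r.flags & 0xFF]) + r.peer_challenge + r.reserved + r.nt_response


def parse_radius_mschap2_response(value: bytes) -> tuple[int, MsChap2Response]:
    """Inverse of build_radius_mschap2_response, as a RADIUS server would read it."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response value must be 50 bytes, got {len(value)}")
    ident, flags = value[0], value[1]
    return ident, MsChap2Response(value[2:18], value[18:26], value[26:50], flags)


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a Microsoft sub-attribute in a RADIUS Vendor-Specific (type 26) AVP."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, len(sub) + 6, MICROSOFT_VENDOR_ID) + sub


def radius_attributes_from_ppp(ident: int, challenge: bytes, response_value: bytes) -> bytes:
    """What a correct NAS would send: MS-CHAP-Challenge + MS-CHAP2-Response, both as VSAs."""
    if len(challenge) != 16:
        raise ValueError("MS-CHAPv2 authenticator challenge must be 16 bytes")
    r = parse_ppp_mschap2_response(response_value)
    return vsa(MS_CHAP_CHALLENGE, challenge) + vsa(MS_CHAP2_RESPONSE, build_radius_mschap2_response(ident, r))


if __name__ == "__main__":
    r = parse_ppp_mschap2_response(bytes.fromhex(PPP_RESPONSE_HEX))
    print("peer challenge:", r.peer_challenge.hex())
    print("nt response:   ", r.nt_response.hex())
    print("flags:         ", r.flags)
    attrs = radius_attributes_from_ppp(CHAP_ID, bytes.fromhex(PPP_CHALLENGE_HEX), bytes.fromhex(PPP_RESPONSE_HEX))
    print("RADIUS VSAs:   ", attrs.hex())
```

Comparing the bytes this produces with the MS-CHAP2-Response attribute seen in `radiusd -X` output (or in a packet capture on the NAS-to-RADIUS leg) tells you whether the Ident/Flags/Peer-Challenge ordering survived the trip through radius.c and radiusclient; if the attribute lengths or field positions differ from the 50-byte layout here, the mismatch is in the NAS side rather than in rlm_mschap's hash comparison.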