Hello all,
I'm trying to set up Freeradius 0.9.3 on FreeBSD to allow users to connect
with the Windows VPN client to a vpn implemented with MPD(PPTP). I'm
authenticating users against a smbpasswd file which works fine. The
problem I'm running into is using their membership of a particular unix
group to authorize them to connect to the VPN. I'm following the examples
in the documentation using the users file.
The problem boils down to this: The example for rejecting an individual
user works fine, namely
amotel  Auth-Type := Reject
        Reply-Message = "You aren't allowed to connect"
(note that I had to put := there to get the reject to take place; I
followed the example in the O'Reilly book for this)
I'm taking the fact that this works to mean that the users file is working
correctly for authorization.
For thoroughness, here's the log of this connection:
-------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:1569, id=86,
length=174
NAS-Identifier = "appliance.XXXXXXXXX.com"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.2.254"
User-Name = "amotel"
MS-CHAP-Challenge = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MS-CHAP2-Response =
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_passwd: Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to
config_items
rlm_passwd: Added NT-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to
config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type: MS-CHAP
modcall[authorize]: module "etc_smbpasswd" returns ok for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
users: Matched amotel at 1
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Sending Access-Reject of id 86 to 127.0.0.1:1569
Reply-Message = "Account not authorized for VPN access"
Finished request 0
Going to the next request
-------------------------------------------------------------------------------
However, the following, also based on the documentation (FAQ), doesn't work:
DEFAULT Group = "noaccess", Auth-Type = Reject
        Reply-Message = "Account not authorized for VPN access"
Note that I've also tried this with Group == "noaccess", per the O'Reilly
Radius book, with the same result. I've also tried using := just as a
blind stab to get it working. This actually did match, but just rejected
everyone outright. I've tried every permutation of the different notations
in the O'Reilly book:
DEFAULT Group == "suspended", Auth-Type := Reject
        Reply-Message = "Account suspended for late payment."
and in the FAQ:
DEFAULT Group = "disabled", Auth-Type = Reject
        Reply-Message = "Your account has been disabled"
Here's the log of the connection attempt:
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:1560, id=7, length=175
NAS-Identifier = "appliance.XXXXXXXXXX.com"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.2.254"
User-Name = "mikesch"
MS-CHAP-Challenge = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MS-CHAP2-Response =
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_passwd: Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to
config_items
rlm_passwd: Added NT-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to
config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items
rlm_passwd: Adding Auth-Type: MS-CHAP
modcall[authorize]: module "etc_smbpasswd" returns ok for request 1
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 1
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 7 to 127.0.0.1:1560
MS-CHAP2-Success = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MS-MPPE-Recv-Key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MS-MPPE-Send-Key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 127.0.0.1:1561, id=72,
length=147
NAS-Identifier = "appliance.XXXXXXXXXX.com"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.2.254"
User-Name = "mikesch"
Framed-IP-Address = 192.168.2.240
Acct-Status-Type = Start
Acct-Session-Id = "9026099-pptp0"
Acct-Multi-Session-Id = "9026099-pptp0"
Acct-Link-Count = 1
Acct-Authentic = RADIUS
modcall: entering group preacct for request 2
modcall[preacct]: module "preprocess" returns noop for request 2
modcall: group preacct returns noop for request 2
modcall: entering group accounting for request 2
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 127.0.0.1,NAS-IP-Address =
127.0.0.1,Acct-Session-Id = "9026099-pptp0",User-Name = "mikesch"'
rlm_acct_unique: Acct-Unique-Session-ID = "d174a18bb5ab46dd".
modcall[accounting]: module "acct_unique" returns ok for request 2
radius_xlat: '/var/log/radacct/127.0.0.1/detail-20040311'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/127.0.0.1/detail-20040311
modcall[accounting]: module "detail" returns ok for request 2
radius_xlat: '/var/log/radutmp'
radius_xlat: 'mikesch'
modcall[accounting]: module "radutmp" returns ok for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 72 to 127.0.0.1:1561
Finished request 2
Going to the next request
Cleaning up request 2 ID 72 with timestamp 4050a1b3
rl_next: returning NULL
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 7 with timestamp 4050a1b3
Nothing to do. Sleeping until we see a request.
--------------------------------------------------------------------------
mikesch is in the group noaccess:
su-2.05b# groups mikesch
office admins noaccess
I notice the line "modcall[authorize]: module "files" returns notfound for
request 1" in this connection vs.
------
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
------
For the connection that works as expected.
Also, here are the relevant lines from radiusd.conf:
modules {
        ..................
        passwd etc_smbpasswd {
                filename = /usr/local/private/smbpasswd
                format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
                authtype = MS-CHAP
                hashsize = 100
                ignorenislike = no
                allowmultiplekeys = no
        }
        ..................
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
}
authorize {
        preprocess
        etc_smbpasswd
        mschap
        files
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
From what I can tell this problem may be as simple as Radius not being
able to see what groups a user is in (based on the "notfound" message).
Can anyone give me any pointers on what's wrong with this? I apologize for
the length of this post, but I'm trying to include all of the relevant
information. (Hopefully I did.)
Thanks for any replies,
Andrew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
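The three behaviours Andrew reports (Group == never matching so "files" returns notfound, Group := matching and rejecting everyone, and the per-user reject working) follow from how users-file check items are evaluated. The following is an added model of that evaluation, not FreeRADIUS code and not part of the post: a `:=` check item is a set operator and always matches, while `==` (and, as observed in the post, `=`) is a comparison that needs either a registered compare function for the attribute or the attribute to be present in the request. Group is not an attribute in the Access-Request; in FreeRADIUS 0.9.x/1.x its comparison is registered by the unix module (rlm_unix) when that module is instantiated. The `GROUPS` table, the `registry` dictionary and the request contents are constructed sample data.

```python
"""Toy model of FreeRADIUS users-file check-item matching (added example;
not FreeRADIUS code). It reproduces the outcomes seen in the post:

  * 'Group == "noaccess"' never matches when nothing has registered a
    comparison for Group, because Group is not in the Access-Request, so
    'files' returns notfound;
  * 'Group := "noaccess"' is a set operator, which always matches, so every
    user is rejected;
  * with a Group comparison registered (what rlm_unix does), only members
    of the group are rejected.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for /etc/group (assumption, not the poster's data).
GROUPS: Dict[str, set] = {
    "office":   {"mikesch", "amotel"},
    "admins":   {"mikesch"},
    "noaccess": {"mikesch"},
}

CheckItem = Tuple[str, str, str]                            # (attribute, operator, value)
Entry = Tuple[str, List[CheckItem], List[Tuple[str, str]]]  # (name, check items, reply items)
Compare = Callable[[Dict[str, str], str], bool]             # (request, value) -> matches?


def unix_groupcmp(request: Dict[str, str], value: str) -> bool:
    """The comparison a unix module would register for Group:
    is User-Name a member of the named Unix group?"""
    return request.get("User-Name") in GROUPS.get(value, set())


def check_item_matches(item: CheckItem, request: Dict[str, str],
                       registry: Dict[str, Compare]) -> bool:
    attr, op, value = item
    if op == ":=":
        # Set operator: never compared against the request, always matches.
        return True
    if op in ("==", "="):
        # Comparison: use a registered compare function if one exists for
        # this attribute; otherwise the attribute must be present in the
        # request with the given value. ('=' is modelled like '==' here,
        # which is the behaviour the post observed for Group.)
        cmp = registry.get(attr)
        if cmp is not None:
            return cmp(request, value)
        return request.get(attr) == value
    raise ValueError(f"unsupported operator {op!r}")


def entry_matches(entry: Entry, request: Dict[str, str],
                  registry: Dict[str, Compare]) -> bool:
    name, checks, _reply = entry
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    return all(check_item_matches(c, request, registry) for c in checks)


def files_lookup(users: List[Entry], request: Dict[str, str],
                 registry: Dict[str, Compare]) -> Optional[Entry]:
    """First matching users-file entry, or None (the files module's notfound)."""
    for entry in users:
        if entry_matches(entry, request, registry):
            return entry
    return None


def authorize(users: List[Entry], username: str,
              registry: Dict[str, Compare]) -> str:
    """What the files module would do for this user: the Auth-Type set by
    the matching entry (e.g. 'Reject'), 'matched' if it set none, or
    'notfound' when no entry matches."""
    request = {"User-Name": username, "Service-Type": "Framed-User"}  # constructed
    hit = files_lookup(users, request, registry)
    if hit is None:
        return "notfound"
    _name, checks, _reply = hit
    config = {a: v for a, _op, v in checks if a == "Auth-Type"}
    return config.get("Auth-Type", "matched")


REPLY = [("Reply-Message", "Account not authorized for VPN access")]
# The entry from the FAQ, with == for the comparison and := for Auth-Type.
USERS_OK = [("DEFAULT", [("Group", "==", "noaccess"), ("Auth-Type", ":=", "Reject")], REPLY)]
# The "blind stab" from the post: := on Group makes it a set, not a check.
USERS_WRONG = [("DEFAULT", [("Group", ":=", "noaccess"), ("Auth-Type", ":=", "Reject")], REPLY)]

NO_REGISTRY: Dict[str, Compare] = {}               # no module registered Group
WITH_UNIX: Dict[str, Compare] = {"Group": unix_groupcmp}

if __name__ == "__main__":
    cases = [("Group == , no unix module", USERS_OK, NO_REGISTRY),
             ("Group := , no unix module", USERS_WRONG, NO_REGISTRY),
             ("Group == , unix module", USERS_OK, WITH_UNIX)]
    for label, users, reg in cases:
        print(label, {u: authorize(users, u, reg) for u in ("mikesch", "amotel")})
```

Running the model reproduces the post's logs: with no Group comparison registered, `Group == "noaccess"` yields notfound for mikesch even though `groups mikesch` lists noaccess, and `Group := "noaccess"` rejects both users. The practical check this suggests is whether the unix module is instantiated at all in radiusd.conf; the authorize and authenticate sections quoted in the post do not list it, and without it the server has nothing that knows how to evaluate Group. The entry itself should keep `==` for the Group comparison and `:=` for Auth-Type, as in the first (working) per-user example.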