I have previously set up a vpn based on pptp and pppd, using a
chap-secrets file for authentication. However, I want to move this
service to a larger audience, and thus decided to use FreeRadius to
authenticate against PAM (NIS Unix passwords) for this service.
My 'users' file contains:
DEFAULT Auth-Type = Pam
and all other config files are as the distribution, except with pam
enabled, and PAP, CHAP, MSCHAP and EAP commented out.
I'm also using the plugin radius.so, provided with the source of
ppp-2.4.2, to get radius auth from the vpn connection.
I have installed FreeRadius on the same box, and have configured it to
use PAM for authentication. Testing this with radtest is successful:
root]# radtest josoap password localhost 10 testing
Sending Access-Request of id 251 to 127.0.0.1:1812
User-Name = "josoap"
User-Password = "password"
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=251, length=20
and the radiusd log shows:
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_realm: No '@' in User-Name = "josoap", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
modcall: entering group authenticate for request 1
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <josoap>
modcall[authenticate]: module "pam" returns ok for request 1
modcall: group authenticate returns ok for request 1
Login OK: [josoap/password] (from client localhost port 10)
Sending Access-Accept of id 251 to 127.0.0.1:33766
Finished request 1
------
However, a connection launched from a Windows XP machine to the vpn
gets the following result:
<SNIP...(all identical)>
auth: type "PAM"
modcall: entering group authenticate for request 0
rlm_pam: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "pam" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [josoap/<no User-Password attribute>] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
------
Can anyone help explain why it seems that a connection via the vpn
doesn't pass on the password to FreeRadius? Or is this a more complex
issue to do with the encryption through the vpn that I'm missing?
Thanks,
Matthew
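
Added example, not part of the original post: a Python sketch that reads the attributes of a RADIUS Access-Request and reports which authentication method it carries. rlm_pam needs the cleartext User-Password attribute, which only a PAP request contains; CHAP and MS-CHAP requests carry a challenge response instead, which is the condition the rlm_pam error in the second log reports. The helper names (build_request, pam_can_verify) and the sample packets are constructed for illustration.

```python
import struct

# RADIUS attribute types (RFC 2865); Microsoft vendor id and VSA types (RFC 2548)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26
MS_VENDOR = 311
MS_VSA = {1: "MS-CHAP", 25: "MS-CHAPv2"}  # MS-CHAP-Response, MS-CHAP2-Response

def parse_attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def auth_method(packet):
    """Name the authentication method an Access-Request carries."""
    for atype, value in parse_attributes(packet):
        if atype == USER_PASSWORD:
            return "PAP"
        if atype == CHAP_PASSWORD:
            return "CHAP"
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR and vtype in MS_VSA:
                return MS_VSA[vtype]
    return "none"

def pam_can_verify(packet):
    # PAM is handed a cleartext password, so only a PAP request can be checked
    return auth_method(packet) == "PAP"

def build_request(attrs):
    """Constructed helper: Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

# Constructed sample packets; field contents are dummy bytes, not real captures
name = (USER_NAME, b"josoap")
pap = build_request([name, (USER_PASSWORD, bytes(16))])
chap = build_request([name, (CHAP_PASSWORD, bytes(17))])
vsa = struct.pack("!IBB", MS_VENDOR, 25, 52) + bytes(50)  # MS-CHAP2-Response
mschap2 = build_request([name, (VENDOR_SPECIFIC, vsa)])
for label, pkt in (("pap", pap), ("chap", chap), ("mschap2", mschap2)):
    print(label, auth_method(pkt), "PAM can verify:", pam_can_verify(pkt))
```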