Joey McDonald wrote:
> I've got authentication working via radtest, e.g.
> rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56
> User-Name = "joey"
> User-Password = "xxxxxxxx"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for joey
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 0
> rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value { & op=21

The line above looks wrong, but it never ends up being a problem because...

> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0

...during authenticate...

> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
> rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 1
> rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user joey authenticated succesfully

...auth-type == LDAP and an LDAP simple bind is done to answer the PAP
request from radtest. This ONLY works with PAP because an LDAP simple
bind needs the plaintext password.

> Login OK: [joey/xxxxxxx] (from client el-oso port 0)
> Sending Access-Accept of id 116 to 172.33.100.18:32811
> So that tells me that I've got the communication to my LDAP server
> properly configured.
> However when my PPTP server sends authentication requests to my radius
> server, I always get "Login incorrect: [joey/<no User-Password attribute>]"

Since it's a PPTP server you are almost certainly going to be using
MS-CHAP, which requires either:
1. The NT password hash to be in LDAP and readable by FreeRadius
2. The plaintext password to be in LDAP and readable
3. Samba, domain membership, winbind and the ntlm_auth plugin option for the mschap module

> For example:
> rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "joey"
> MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6
> MS-CHAP2-Response = 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442
> Calling-Station-Id = "67.41.208.129"
> NAS-Identifier = "pptp"
> NAS-Port = 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for joey
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value { & op=21

The line directly above looks wrong - value "{" ?
So you've probably got a crypted password in LDAP, which you won't be
able to do MS-CHAP from (unless the "crypt" happens to be "{nt}32bytes")

> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 67.41.208.129)
> Sending Access-Reject of id 15 to 71.39.18.170:32784
> I have no idea where to troubleshoot this at this point. The usual
> suspects seem to be properly configured (ldap.attrmap, clients.conf,
> radiusd.conf and users). Anybody have thoughts? Thanks.
> --joey
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
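The reply's point, worked through in code: MS-CHAP is answered from the NT hash (MD4 of the UTF-16LE password), so the directory must give FreeRADIUS either that hash (an `{nt}` value) or the cleartext it is computed from; a one-way `{crypt}`, `{SSHA}` or similar value cannot be turned back into it, which is why a PAP/simple-bind setup works while MS-CHAP fails. This is an added example, not code from the thread or from FreeRADIUS. The `userPassword` sample values are constructed, MD4 is implemented inline (hashlib's md4 is often disabled under OpenSSL 3), and treating a value with no `{scheme}` prefix as cleartext is an assumption made here.

```python
import struct

_MASK = 0xFFFFFFFF
# Message-word order for MD4 round 3 (round 1 is sequential, round 2 is column order).
_ROUND3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
# Schemes that are one-way hashes: the NT hash cannot be derived from them.
_ONE_WAY_SCHEMES = {"crypt", "md5", "smd5", "sha", "ssha", "sha256", "ssha256", "sha512", "ssha512"}


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); deliberately stdlib-only."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for rnd in range(3):
            for i in range(16):
                if rnd == 0:
                    f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
                elif rnd == 1:
                    f, k, s, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
                else:
                    f, k, s, add = b ^ c ^ d, _ROUND3_ORDER[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
                a = _rotl((a + (f & _MASK) + x[k] + add) & _MASK, s)
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next word
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash as used by MS-CHAP: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def nt_hash_from_userpassword(value: str):
    """Given an LDAP userPassword value, return (nt_hash_or_None, explanation).

    Mirrors what an MS-CHAP authenticator needs: a cleartext password (NT hash
    computed) or a stored {nt} hash (used directly). Anything one-way is unusable.
    Assumption: a value without a {scheme} prefix is cleartext.
    """
    if value.startswith("{") and "}" in value:
        scheme, _, rest = value.partition("}")
        scheme = scheme[1:].lower()
    else:
        scheme, rest = "", value
    if scheme in ("", "cleartext", "clear"):
        return nt_hash(rest), "cleartext stored: NT hash derived from it"
    if scheme == "nt":
        try:
            raw = bytes.fromhex(rest)
        except ValueError:
            raw = b""
        if len(raw) != 16:
            return None, "{nt} value must be exactly 32 hex characters"
        return raw, "stored NT hash used directly"
    if scheme in _ONE_WAY_SCHEMES:
        return None, f"{{{scheme}}} is a one-way hash; the NT hash cannot be derived from it"
    return None, f"unknown scheme {{{scheme}}}; not usable for MS-CHAP"


# Constructed sample directory entries (not from the thread).
SAMPLE_ENTRIES = {
    "alice": "{crypt}$1$salt$hashvaluehere",               # typical crypt: MS-CHAP fails
    "bob": "{nt}8846F7EAEE8FB117AD06BDD830B7586C",          # NT hash of "password"
    "carol": "password",                                     # cleartext, no scheme prefix
    "dave": "{ssha}c2FsdGVkc2hhMWRpZ2VzdGhlcmU=",            # one-way: MS-CHAP fails
}


def report(entries=SAMPLE_ENTRIES):
    """Return {user: (usable_for_mschap, explanation)} for each entry."""
    return {user: (h is not None, why) for user, (h, why) in
            ((u, nt_hash_from_userpassword(v)) for u, v in entries.items())}


if __name__ == "__main__":
    for user, (ok, why) in report().items():
        print(f"{user:6} MS-CHAP {'OK  ' if ok else 'FAIL'}  {why}")
```

Run against the constructed entries, only `bob` (stored `{nt}` hash) and `carol` (cleartext) can satisfy an MS-CHAP request; `alice` and `dave` reproduce the thread's failure mode, where rlm_ldap hands over a hashed User-Password that the mschap module cannot use. In FreeRADIUS terms the fix is one of the three options listed above: store the `{nt}` hash or the cleartext in the attribute that ldap.attrmap maps, or delegate to ntlm_auth.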