Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hi, You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas. Ex: sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE You can create these passwords using smbencrypt tool (deployed with samba). This way pptp MSCHAP auth will work. Nelson Vale On Monday 05 July 2010 16:59:08 Daniel Gomes wrote: Dear list, I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, rec-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptd server). First of all, on the pptpd server's side (which I know it's not your jurisdiction, so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled. As for freeradius itself, a summarized sites-enabled/default reads: authorize { preprocess pap mschap ldap auth_log eap { ok = return } expiration logintime } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state. As for the results, radtest works fine (querying LDAP etc), but through pptd it always fails with this error: rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151 Service-Type = Framed-User Framed-Protocol = PPP User-Name = dgomes MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17 MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf6 8cb9686085635bd3b3083707eb3 Calling-Station-Id = 193.136.136.200 NAS-IP-Address = 193.136.136.40 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [ldap] performing user authorization for dgomes WARNING: Deprecated conditional expansion :-. See man unlang for details expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes) expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt - ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0 rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user dgomes authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708 expand: %t - Thu Jul 8 14:08:34 2010 ++[auth_log] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} - dgomes attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request -- I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing lists posts, I still haven't managed it... So yeah, of you could help me out,
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote: I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, rec-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptd server). Go read the debug log. It's not finding the password for the user. Fix that. So yeah, of you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration! A simple LDAP query for the user is *not* returning a password. That's the problem. Does the user even have a password in LDAP? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hey there, first of all, thanks for all the tips! Commenting them, in the order in which they came: @peter lambrechtsen: I actually had tried PAP before, but I gave up then because pptpd was refusing clients without even consulting the RADIUS server... But I noticed (a couple of minutes ago) that I had the client (ie. Windows) configured to try MS-CHAP and not PAP... @ nf-vale: nice detailed description on how to fix it, but I ended up using peter's solution, as it seemed easier. @ana dekok (inline comments): Em 09-07-2010 11:23, Alan DeKok escreveu: Daniel Gomes wrote: I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, rec-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptd server). Go read the debug log. It's not finding the password for the user. Fix that. So yeah, of you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration! A simple LDAP query for the user is *not* returning a password. That's the problem. Does the user even have a password in LDAP? From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote down, radtest was working fine, so freeradius was able to authenticate users via LDAP. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Anyway, once again, thanks for all the tips! It seems to be working fine with PAP, so I guess I'll go with it! Cheers, -- Daniel Gomes (SysAdmin) dgo...@ipfn.ist.utl.pt Ext. 3487 - 218419487 Instituto de Plasmas e Fusão Nuclear Instituto Superior Técnico - UTL Av. Rovisco Pais - 1049-001 Lisboa - Portugal - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote: From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote down, radtest was working fine, so freeradius was able to authenticate users via LDAP. Let me guess: it's Active Directory. Active Directory is *not* a real LDAP server. In order to authenticate users with MS-CHAP, you will need to install Samba. See the Active Directory howto on http://deployingradius.com/ Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Wrong guess, i'ts OpenLDAP :) Em 09-07-2010 13:04, Alan DeKok escreveu: Daniel Gomes wrote: From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote down, radtest was working fine, so freeradius was able to authenticate users via LDAP. Let me guess: it's Active Directory. Active Directory is *not* a real LDAP server. In order to authenticate users with MS-CHAP, you will need to install Samba. See the Active Directory howto on http://deployingradius.com/ Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Daniel Gomes (SysAdmin) dgo...@ipfn.ist.utl.pt Ext. 3487 - 218419487 Instituto de Plasmas e Fusão Nuclear Instituto Superior Técnico - UTL Av. Rovisco Pais - 1049-001 Lisboa - Portugal - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote: Wrong guess, i'ts OpenLDAP :) Then fix it so that it returns a password to FreeRADIUS. It's an LDAP server. If it doesn't return a password when an LDAP client queries it for a password, it's broken. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine. So the problem wasn't in the LDAP server itself, because it does return a password when an LDAP client queries it for a password (as I also mentioned it, we are currently and successfully using it to authenticate other services). The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine... Em 09-07-2010 13:35, Alan DeKok escreveu: Daniel Gomes wrote: Wrong guess, i'ts OpenLDAP :) Then fix it so that it returns a password to FreeRADIUS. It's an LDAP server. If it doesn't return a password when an LDAP client queries it for a password, it's broken. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Daniel Gomes (SysAdmin) dgo...@ipfn.ist.utl.pt Ext. 3487 - 218419487 Instituto de Plasmas e Fusão Nuclear Instituto Superior Técnico - UTL Av. Rovisco Pais - 1049-001 Lisboa - Portugal - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote: Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine. No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this. When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do bind as user. That is, it hands the username password to the LDAP server, and asks are these OK? When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server. So the problem wasn't in the LDAP server itself, because it does return a password when an LDAP client queries it for a password (as I also mentioned it, we are currently and successfully using it to authenticate other services).\ Using PAP passwords. The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine... Yes. For the reasons outlined above. Your situation *isn't* the first time someone has had this issue. We're familiar with the problem solution, where you are clearly not. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Em 09-07-2010 13:59, Alan DeKok escreveu: Daniel Gomes wrote: Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine. No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this. When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do bind as user. That is, it hands the username password to the LDAP server, and asks are these OK? When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server. Ok, thanks, now I see the difference. I did read the debug output, and again, I understood that FreeRADIUS was having problems getting the userPassword, I just couldn't understand why. For a layman such as myself, if it worked with radtest it followed that it should work with MS-CHAP too. With this explanation, now I understand why it didn't. So the problem wasn't in the LDAP server itself, because it does return a password when an LDAP client queries it for a password (as I also mentioned it, we are currently and successfully using it to authenticate other services).\ Using PAP passwords. Actually these application are probably just binding with the user's credentials, but that's not relevant here. The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine... Yes. For the reasons outlined above. Your situation *isn't* the first time someone has had this issue. We're familiar with the problem solution, where you are clearly not. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it. And I know I'm not the first one to have these issues, I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone. Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!! Cheers, -- Daniel Gomes (SysAdmin) dgo...@ipfn.ist.utl.pt Ext. 3487 - 218419487 Instituto de Plasmas e Fusão Nuclear Instituto Superior Técnico - UTL Av. Rovisco Pais - 1049-001 Lisboa - Portugal - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote: we are currently and successfully using it to authenticate other services).\ Using PAP passwords. Actually these application are probably just binding with the user's credentials, but that's not relevant here. sigh That's what I meant. Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it. OpenLDAP has documentation on how to make it return passwords when an LDAP client asks for them. We don't tend to copy that documentation here. And I know I'm not the first one to have these issues, I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone. Sorry... but when you ask for help, you shouldn't argue with the answers. Especially when it's clear that you're asking for help because you don't know what's going wrong. Education can be a painful process. Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!! That's good to hear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Em 09-07-2010 17:12, Alan DeKok escreveu: Daniel Gomes wrote: we are currently and successfully using it to authenticate other services).\ Using PAP passwords. Actually these application are probably just binding with the user's credentials, but that's not relevant here. sigh That's what I meant. Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it. OpenLDAP has documentation on how to make it return passwords when an LDAP client asks for them. We don't tend to copy that documentation here. And I know I'm not the first one to have these issues, I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone. Sorry... but when you ask for help, you shouldn't argue with the answers. Especially when it's clear that you're asking for help because you don't know what's going wrong. Education can be a painful process. Mate, I wasn't arguing in the sense of you're wrong, I was just trying to understand why were you saying that LDAP wasn't working, when it clearly looked like it was. After you explained the difference between PAP and MS-CHAP on the previous email, I could finally understand just that. So thanks once again for the explanation! And yeah, I didn't know what was going on, but that was my reason to come here in the first place! Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!! That's good to hear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks for the patience, -- Daniel Gomes (SysAdmin) dgo...@ipfn.ist.utl.pt Ext. 3487 - 218419487 Instituto de Plasmas e Fusão Nuclear Instituto Superior Técnico - UTL Av. Rovisco Pais - 1049-001 Lisboa - Portugal - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius with LDAP backend for pptpd (via MS-CHAP)
Dear list, I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, rec-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptd server). First of all, on the pptpd server's side (which I know it's not your jurisdiction, so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled. As for freeradius itself, a summarized sites-enabled/default reads: authorize { preprocess pap mschap ldap auth_log eap { ok = return } expiration logintime } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state. As for the results, radtest works fine (querying LDAP etc), but through pptd it always fails with this error: rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151 Service-Type = Framed-User Framed-Protocol = PPP User-Name = dgomes MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17 MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3 Calling-Station-Id = 193.136.136.200 NAS-IP-Address = 193.136.136.40 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [ldap] performing user authorization for dgomes WARNING: Deprecated conditional expansion :-. See man unlang for details expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes) expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt - ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0 rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user dgomes authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708 expand: %t - Thu Jul 8 14:08:34 2010 ++[auth_log] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} - dgomes attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request -- I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing lists posts, I still haven't managed it... So yeah, of you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration! Thanks in advance, Daniel Gomes - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Why not setup your NAS to use PAP, instead of MS-CHAP. If you use MS-CHAP you will need to have NT Hash'es in your LDAP directory. It would be far easier to have PAP authentication enabled on your NAS, then it should work fine. On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes dgo...@ipfn.ist.utl.pt wrote: Dear list, I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, rec-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptd server). First of all, on the pptpd server's side (which I know it's not your jurisdiction, so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled. As for freeradius itself, a summarized sites-enabled/default reads: authorize { preprocess pap mschap ldap auth_log eap { ok = return } expiration logintime } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state. As for the results, radtest works fine (querying LDAP etc), but through pptd it always fails with this error: rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151 Service-Type = Framed-User Framed-Protocol = PPP User-Name = dgomes MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17 MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3 Calling-Station-Id = 193.136.136.200 NAS-IP-Address = 193.136.136.40 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [ldap] performing user authorization for dgomes WARNING: Deprecated conditional expansion :-. See man unlang for details expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes) expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt - ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0 rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user dgomes authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708 expand: %t - Thu Jul 8 14:08:34 2010 ++[auth_log] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} - dgomes attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request -- I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing lists posts, I still haven't managed it... So yeah, of you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even