Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread nf-vale
Hi,

You can add NT / LM pairs to each LDAP user object. You must include
samba.schema in the LDAP server's schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using the smbencrypt tool (deployed with Samba).

This way PPTP MS-CHAP auth will work.


Nelson Vale


On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
 Dear list,
 
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).
 
 First of all, on the pptpd server's side (which I know it's not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.
 
 As for freeradius itself, a summarized sites-enabled/default reads:
 
 authorize {
 preprocess
 
 pap
 
 mschap
 
 ldap
 
 auth_log
 
 eap {
 ok = return
 }
 
 expiration
 logintime
 }
 
 authenticate {
 Auth-Type PAP {
 pap
 }
 
 Auth-Type MS-CHAP {
 mschap
 }
 
 Auth-Type LDAP {
 ldap
 }
 
 eap
 }
 
 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.
 
 As for the results, radtest works fine (querying LDAP etc), but through
 pptpd it always fails with this error:
 
 
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = dgomes
   MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
   MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
   Calling-Station-Id = 193.136.136.200
   NAS-IP-Address = 193.136.136.40
   NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
   expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
   expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
   expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
   expand: %t -> Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
   expand: %{User-Name} -> dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 
 --
 
 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing lists posts, I still haven't
 managed it...
 
 So yeah, if you could help me out, 

Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).

  Go read the debug log.  It's not finding the password for the user.
Fix that.

 So yeah, if you could help me out, I'd appreciate it! All I want is
 pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
 is not even a requirement for me here, since both services are on the
 same machine, so there's not even the need for safe connections. So long
 as it works, I really don't care about any particular configuration!

  A simple LDAP query for the user is *not* returning a password.
That's the problem.

  Does the user even have a password in LDAP?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Hey there,

first of all, thanks for all the tips!

Commenting them, in the order in which they came:

@Peter Lambrechtsen:

I actually had tried PAP before, but I gave up then because pptpd was 
refusing clients without even consulting the RADIUS server... But I 
noticed (a couple of minutes ago) that I had the client (i.e. Windows) 
configured to try MS-CHAP and not PAP...


@ nf-vale:

nice detailed description on how to fix it, but I ended up using peter's 
solution, as it seemed easier.


@Alan DeKok (inline comments):

On 09-07-2010 11:23, Alan DeKok wrote:

 Daniel Gomes wrote:
  I know this is a question which has been thoroughly asked and answered,
  but after spending several days configuring, debugging, searching the
  internet, re-configuring, etc, I still can't get my freeradius server
  to properly authenticate users (for a pptpd server).

   Go read the debug log.  It's not finding the password for the user.
 Fix that.

  So yeah, if you could help me out, I'd appreciate it! All I want is
  pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
  is not even a requirement for me here, since both services are on the
  same machine, so there's not even the need for safe connections. So long
  as it works, I really don't care about any particular configuration!

   A simple LDAP query for the user is *not* returning a password.
 That's the problem.

   Does the user even have a password in LDAP?

   


From the logs, and as I wrote on my initial cry for help, I could see 
that the password wasn't being found, I just couldn't puzzle out why... 
And yes, the users do have passwords on LDAP (we are using it to 
authenticate many other applications), and as I wrote down, radtest was 
working fine, so freeradius was able to authenticate users via LDAP.





   Alan DeKok.


Anyway, once again, thanks for all the tips! It seems to be working fine 
with PAP, so I guess I'll go with it!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 From the logs, and as I wrote on my initial cry for help, I could see
 that the password wasn't being found, I just couldn't puzzle out why...
 And yes, the users do have passwords on LDAP (we are using it to
 authenticate many other applications), and as I wrote down, radtest was
 working fine, so freeradius was able to authenticate users via LDAP.

  Let me guess: it's Active Directory.

  Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

  See the Active Directory howto on http://deployingradius.com/

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Wrong guess, it's OpenLDAP :)

On 09-07-2010 13:04, Alan DeKok wrote:

 Daniel Gomes wrote:
  From the logs, and as I wrote on my initial cry for help, I could see
  that the password wasn't being found, I just couldn't puzzle out why...
  And yes, the users do have passwords on LDAP (we are using it to
  authenticate many other applications), and as I wrote down, radtest was
  working fine, so freeradius was able to authenticate users via LDAP.

   Let me guess: it's Active Directory.

   Active Directory is *not* a real LDAP server.  In order to
 authenticate users with MS-CHAP, you will need to install Samba.

   See the Active Directory howto on http://deployingradius.com/

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 Wrong guess, it's OpenLDAP :)

  Then fix it so that it returns a password to FreeRADIUS.

  It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes
Well, as I mentioned (a couple of times now), the LDAP server was indeed 
returning a password to FreeRADIUS, since radtest was always working 
fine. So the problem wasn't in the LDAP server itself, because it does 
return a password when an LDAP client queries it for a password (as I 
also mentioned, we are currently and successfully using it to 
authenticate other services). The problem was really related to MS-CHAP, 
and now that I changed to PAP, it all seems to be working fine...


On 09-07-2010 13:35, Alan DeKok wrote:

 Daniel Gomes wrote:
  Wrong guess, it's OpenLDAP :)

   Then fix it so that it returns a password to FreeRADIUS.

   It's an LDAP server.  If it doesn't return a password when an LDAP
 client queries it for a password, it's broken.

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 Well, as I mentioned (a couple of times now), the LDAP server was indeed
 returning a password to FreeRADIUS, since radtest was always working
 fine.

  No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

  When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do bind as user.  That is, it hands the
username & password to the LDAP server, and asks "are these OK?"

  When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.

 So the problem wasn't in the LDAP server itself, because it does
 return a password when an LDAP client queries it for a password (as I
 also mentioned, we are currently and successfully using it to
 authenticate other services).

  Using PAP passwords.

 The problem was really related to MS-CHAP,
 and now that I changed to PAP, it all seems to be working fine...

  Yes.  For the reasons outlined above.

  Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem & solution, where you are clearly not.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

On 09-07-2010 13:59, Alan DeKok wrote:

 Daniel Gomes wrote:
  Well, as I mentioned (a couple of times now), the LDAP server was indeed
  returning a password to FreeRADIUS, since radtest was always working
  fine.

   No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
 output.  It will prove this.

   When using PAP, the LDAP module looks for a password.  If it doesn't
 get one, it then tries to do bind as user.  That is, it hands the
 username & password to the LDAP server, and asks "are these OK?"

   When this happens, you're making your LDAP server do user
 authentication.  This is wrong.  LDAP is a database.  RADIUS is an
 authentication server.
   


Ok, thanks, now I see the difference. I did read the debug output, and 
again, I understood that FreeRADIUS was having problems getting the 
userPassword, I just couldn't understand why. For a layman such as 
myself, if it worked with radtest it followed that it should work with 
MS-CHAP too. With this explanation, now I understand why it didn't.


   

  So the problem wasn't in the LDAP server itself, because it does
  return a password when an LDAP client queries it for a password (as I
  also mentioned, we are currently and successfully using it to
  authenticate other services).

   Using PAP passwords.


Actually these applications are probably just binding with the user's 
credentials, but that's not relevant here.



  The problem was really related to MS-CHAP,
  and now that I changed to PAP, it all seems to be working fine...

   Yes.  For the reasons outlined above.

   Your situation *isn't* the first time someone has had this issue.
 We're familiar with the problem & solution, where you are clearly not.

   Alan DeKok.


Well, it doesn't help me much if you say you know the problem and its 
solution, but then don't tell me how to fix it. And I know I'm not the 
first one to have these issues, I started from the beginning by saying 
that I read everything I could find about it on the Internet, tried to 
fix the problem many times and only then I came here, asking for help. 
Sorry for wasting your time!... And btw, your aggressive attitude 
doesn't really help anyone.


Anyway, after getting it to work with PAP, I followed nf-vale's solution 
(adding the ntPassword and lmPassword attributes to LDAP) and now it's 
also working with MS-CHAP. Thanks for the great tip!!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
   we are currently and successfully using it to
   authenticate other services).

  Using PAP passwords.

 Actually these applications are probably just binding with the user's
 credentials, but that's not relevant here.

  <sigh>  That's what I meant.

 Well, it doesn't help me much if you say you know the problem and its
 solution, but then don't tell me how to fix it.

  OpenLDAP has documentation on how to make it return passwords when an
LDAP client asks for them.  We don't tend to copy that documentation here.

 And I know I'm not the
 first one to have these issues, I started from the beginning by saying
 that I read everything I could find about it on the Internet, tried to
 fix the problem many times and only then I came here, asking for help.
 Sorry for wasting your time!... And btw, your aggressive attitude
 doesn't really help anyone.

  Sorry... but when you ask for help, you shouldn't argue with the
answers.  Especially when it's clear that you're asking for help because
you don't know what's going wrong.

  Education can be a painful process.

 Anyway, after getting it to work with PAP, I followed nf-vale's solution
 (adding the ntPassword and lmPassword attributes to LDAP) and now it's
 also working with MS-CHAP. Thanks for the great tip!!

  That's good to hear.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes


On 09-07-2010 17:12, Alan DeKok wrote:

 Daniel Gomes wrote:
   we are currently and successfully using it to
   authenticate other services).

   Using PAP passwords.

  Actually these applications are probably just binding with the user's
  credentials, but that's not relevant here.

   <sigh>  That's what I meant.

  Well, it doesn't help me much if you say you know the problem and its
  solution, but then don't tell me how to fix it.

   OpenLDAP has documentation on how to make it return passwords when an
 LDAP client asks for them.  We don't tend to copy that documentation here.

  And I know I'm not the
  first one to have these issues, I started from the beginning by saying
  that I read everything I could find about it on the Internet, tried to
  fix the problem many times and only then I came here, asking for help.
  Sorry for wasting your time!... And btw, your aggressive attitude
  doesn't really help anyone.

   Sorry... but when you ask for help, you shouldn't argue with the
 answers.  Especially when it's clear that you're asking for help because
 you don't know what's going wrong.

   Education can be a painful process.

   


Mate, I wasn't arguing in the sense of "you're wrong", I was just trying 
to understand why you were saying that LDAP wasn't working, when it 
clearly looked like it was. After you explained the difference between 
PAP and MS-CHAP in the previous email, I could finally understand just 
that. So thanks once again for the explanation!


And yeah, I didn't know what was going on, but that was my reason to 
come here in the first place!



  Anyway, after getting it to work with PAP, I followed nf-vale's solution
  (adding the ntPassword and lmPassword attributes to LDAP) and now it's
  also working with MS-CHAP. Thanks for the great tip!!

   That's good to hear.

   Alan DeKok.


Thanks for the patience,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Daniel Gomes
Dear list,

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptpd server).

First of all, on the pptpd server's side (which I know it's not your
jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
require-mppe options enabled.

As for freeradius itself, a summarized sites-enabled/default reads:

authorize {
preprocess

pap

mschap

ldap

auth_log

eap {
ok = return
}

expiration
logintime
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP {
ldap
}

eap
}

My modules/ldap contains all the necessary information, and my
modules/mschap has the options use_mppe, require_encryption and
require_strong enabled, like most tutorials state.

As for the results, radtest works fine (querying LDAP etc), but through
pptpd it always fails with this error:



rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = dgomes
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
MS-CHAP2-Response =
0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = 193.136.136.200
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion :-.  See man unlang for
details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t -> Thu Jul  8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> dgomes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

--

I know that the error should be enough for me to fix it (since it's
quite explanatory), but after trying many different configurations and
searching through dozens of old mailing lists posts, I still haven't
managed it...

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!

Thanks in advance,
Daniel Gomes



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Peter Lambrechtsen
Why not set up your NAS to use PAP instead of MS-CHAP?

If you use MS-CHAP you will need to have NT hashes in your LDAP directory.

It would be far easier to have PAP authentication enabled on your NAS; then
it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes dgo...@ipfn.ist.utl.pt wrote:

 Dear list,

 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).

 First of all, on the pptpd server's side (which I know it's not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.

 As for freeradius itself, a summarized sites-enabled/default reads:

 authorize {
preprocess

pap

mschap

ldap

auth_log

eap {
ok = return
}

expiration
logintime
 }

 authenticate {
Auth-Type PAP {
pap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP {
ldap
}

eap
 }

 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.

 As for the results, radtest works fine (querying LDAP etc), but through
 pptpd it always fails with this error:

 

 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = dgomes
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
    MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = 193.136.136.200
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
    expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
    expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
    expand: %t -> Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
    expand: %{User-Name} -> dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request

 --

 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing lists posts, I still haven't
 managed it...

 So yeah, if you could help me out, I'd appreciate it! All I want is
 pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
 is not even