Hi again,

I've configured FreeRADIUS to work with NTLM_AUTH. Now my freeradius logs are ok and it is authenticating without clear password (I'm gonna generate some howto to post here). But I still can't connect over PPTP. There's no problem with FreeRadius but my OSX says: "Authentication failure".

I guess the problem is in pfSense's PPTP package. How can I track errors? I've read the /var/log/vpn.log but it only gives me the successful connections I've made without using freeradius.

Thanks in advance

On Tue, Jan 19, 2010 at 11:20 AM, Fabio Rampazzo Mathias <[email protected]> wrote:

> Hans,
>
> Thanks for the help.
> Gonna try this and find some help in this way.
>
> Cheers
>
> On Tue, Jan 19, 2010 at 11:13 AM, Hans Maes <[email protected]> wrote:
>
>> Fabio,
>>
>> I remember having the same problem when I configured my captive portal +
>> pptp + freeradius + mysql backend.
>> I'm no expert at this, but I may be able to give you a start in the right
>> direction.
>>
>> The thing is captive portal radius check uses another authentication type
>> than the pptp radius check.
>>
>> IMHO, the pptp authentication uses the MS-CHAP type which requires a
>> plaintext password in the database.
>> At least, switching from an encrypted entry to a plaintext Password entry
>> fixed it for me.
>> Without the password in plaintext in my db, I could not get PPTP radius
>> auth working.
>>
>> Fabio Rampazzo Mathias wrote:
>>
>>> WARNING: No "known good" password was found in LDAP. Are you sure that
>>> the user is configured correctly?
>>> [ldap] user fmathias authorized to use remote access
>>
>> This would support my theory.
>> freeradius can find the fmathias user and says the user itself is allowed
>> to connect, but only if further password checks succeed.
>>
>>> Found Auth-Type = MSCHAP
>>> +- entering group MS-CHAP {...}
>>> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>>> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>>> [mschap] Told to do MS-CHAPv2 for fmathias with NT-Password
>>> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>>> [mschap] FAILED: MS-CHAP2-Response is incorrect
>>> ++[mschap] returns reject
>>> Failed to authenticate the user.
>>> Using Post-Auth-Type Reject
>>
>> It then tries to check the MS-CHAP authentication, but can't find a usable
>> password to generate the NT-Password field.
>>
>> I solved this by putting the cleartext-password in the db, so the
>> NT-Password could be generated by freeradius.
>> The better approach might be to find out what this NT-Password is and just
>> add that field.
>>
>> H.
