Dear Jay Lyerly,

You better add radiusAuthType attribute in your LDAP schema with value of MSCHAP for MS-CHAP users.

--Thursday, March 13, 2003, 3:53:34 PM, you wrote to [EMAIL PROTECTED]:

JL> Okay. That sounds like it should work. In fact, I tried that, but I
JL> don't quite understand the file format of radiusd.conf yet. Do I put in
JL> the line
JL>     authtype= MS-CHAP
JL> in the config file? If that's right, where does it go?

JL> thanks,
JL> jay

>> Dear Jay Lyerly,
>>
>> Remove mschap from authorize section (you don't need it to be in
>> authorize) and set Auth-Type for user to MSCHAP (you have Auth-Type LDAP
>> instead of MSCHAP).
>>
>> --Thursday, March 13, 2003, 1:21:02 AM, you wrote to
>> [EMAIL PROTECTED]:
>>
>> JL> Hi,
>>
>> JL> I'm trying to set up a radius server to authenticate VPN users connecting
>> JL> via a WatchGuard Firebox. The only external authentication mechanism the
>> JL> Firebox supports is MS-CHAPv2 via Radius. I'd like to use freeradius to
>> JL> access data in our LDAP database. All the steps leading up to the end
>> JL> seem good, but the last crucial step keeps failing. The Firebox makes the
>> JL> authentication request to the radius server, the radius server looks up
>> JL> the user in LDAP and retrieves the ntPassword and lmPassword. The problem
>> JL> is the rlm_mschap module never seems to fire to verify the login
>> JL> credentials. I've read through all the info I can find, but I can't get
>> JL> it to work. The debug output from radiusd is below.
>>
>> JL> Any thoughts?
>>
>> JL> rad_recv: Access-Request packet from host 192.168.244.4:4037, id=172, length=135
>> JL>     User-Name = "jayl"
>> JL>     MS-CHAP-Challenge = 0x117d9959135175e680ee77c456713eaf
>> JL>     MS-CHAP2-Response =
>> JL> 0x8100e50b7fc08691cf23a35fb1db2be0421900000000000000
>> JL> 002e053612d932f67ad81de0df53ea48744e0912054fda8857
>> JL>     NAS-Identifier = "firebox"
>> JL>     NAS-Port = 3012
>> JL>     NAS-Port-Type = Virtual
>> JL>     Service-Type = Authenticate-Only
>> JL> modcall: entering group authorize
>> JL> modcall[authorize]: module "preprocess" returns ok
>> JL> rlm_realm: No '@' in User-Name = "jayl", looking up realm NULL
>> JL> rlm_realm: No such realm NULL
>> JL> modcall[authorize]: module "suffix" returns noop
>> JL> rlm_ldap: - authorize
>> JL> rlm_ldap: performing user authorization for jayl
>> JL> radius_xlat: '(uid=jayl)'
>> JL> radius_xlat: 'dc=ceintl,dc=com'
>> JL> ldap_get_conn: Got Id: 0
>> JL> rlm_ldap: attempting LDAP reconnection
>> JL> rlm_ldap: (re)connect to igate:389, authentication 0
>> JL> rlm_ldap: bind as / to igate:389
>> JL> rlm_ldap: waiting for bind result ...
>> JL> rlm_ldap: performing search in dc=ceintl,dc=com, with filter (uid=jayl)
>> JL> rlm_ldap: checking if remote access for jayl is allowed by loginShell
>> JL> rlm_ldap: looking for check items in directory...
>> JL> rlm_ldap: Adding ntPassword as NT-Password, value
>> JL> F960112331D92B555B63B469248E92
>> JL> 3F & op=21
>> JL> rlm_ldap: Adding lmPassword as LM-Password, value
>> JL> 49F1F165D6182D587C3113B4A1A5E3
>> JL> A0 & op=21
>> JL> rlm_ldap: looking for reply items in directory...
>> JL> rlm_ldap: user jayl authorized to use remote access
>> JL> ldap_release_conn: Release Id: 0
>> JL> modcall[authorize]: module "ldap" returns ok
>> JL> modcall[authorize]: module "mschap" returns notfound
>> JL> modcall: group authorize returns ok
>> JL> rad_check_password: Found Auth-Type LDAP
>> JL> auth: type "LDAP"
>> JL> auth: Failed to validate the user.
>> JL> Delaying request 0 for 1 seconds
>> JL> Finished request 0
>> JL> Going to the next request
>> JL> --- Walking the entire request list ---
>> JL> Waking up in 1 seconds...
>> JL> --- Walking the entire request list ---
>> JL> Waking up in 1 seconds...
>> JL> --- Walking the entire request list ---
>> JL> Sending Access-Reject of id 172 to 192.168.244.4:4037
>> JL>     MS-CHAP-Error = "\201E=691 R=1"
>>
>> JL> -
>> JL> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>> --
>> ~/ZARAZA

--
~/ZARAZA
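Added example (not part of the original thread and not FreeRADIUS code): a small Python check that reads radiusd debug output like the one quoted above, flags the mismatch the reply points out (an MS-CHAP request handled under Auth-Type LDAP), and decodes the MS-CHAP-Error code using the failure codes from RFC 2759. The function name `diagnose`, the constructed sample lines, and the accepted Auth-Type spellings `MS-CHAP`/`MSCHAP` (both appear in the thread) are assumptions.

```python
import re

# MS-CHAP failure codes from RFC 2759, section 6
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

# Constructed sample: the lines of the quoted debug output that the check reads,
# with the hex values replaced by placeholders.
SAMPLE = r'''
rad_recv: Access-Request packet from host 192.168.244.4:4037, id=172, length=135
        User-Name = "jayl"
        MS-CHAP-Challenge = 0x00
        MS-CHAP2-Response = 0x00
modcall[authorize]: module "ldap" returns ok
modcall[authorize]: module "mschap" returns notfound
rad_check_password:  Found Auth-Type LDAP
auth: Failed to validate the user.
Sending Access-Reject of id 172 to 192.168.244.4:4037
        MS-CHAP-Error = "\201E=691 R=1"
'''

def diagnose(log):
    """Summarise why an MS-CHAP request in radiusd debug output was rejected."""
    attrs = dict(re.findall(r'^[ \t]*([\w-]+) = (.+)$', log, re.M))
    modules = dict(re.findall(r'module "([\w-]+)" returns (\w+)', log))
    found = re.search(r'Found Auth-Type (\S+)', log)
    auth_type = found.group(1) if found else None
    is_mschap = "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs
    findings = []
    # An MS-CHAP request carries a challenge/response pair and no User-Password,
    # so only the mschap authenticate handler can check it.
    if is_mschap and auth_type not in (None, "MS-CHAP", "MSCHAP"):
        findings.append(f"MS-CHAP request dispatched to Auth-Type {auth_type}")
    if is_mschap and modules.get("mschap") == "notfound":
        findings.append("mschap returned notfound in authorize")
    err = re.search(r'E=(\d+) R=([01])', attrs.get("MS-CHAP-Error", ""))
    error = None
    if err:
        code = int(err.group(1))
        # (numeric code, RFC 2759 name, whether the peer may retry)
        error = (code, MSCHAP_ERRORS.get(code, "unknown"), err.group(2) == "1")
    return {"auth_type": auth_type, "mschap_request": is_mschap,
            "error": error, "findings": findings}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```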
