(I'm reposting this message because the previous one was sent from the wrong e-mail account and the moderator has not yet approved it. Please forgive a possible double entry.)
Hi all,

I have a NAS, a Nortel Contivity VPN concentrator (in this case used for PPTP tunnels), which I have configured to use freeradius as a proxy for a VASCO RADIUS server (with response-only tokens). The reason for using freeradius as a proxy is that VASCO does not support custom attributes, which are very helpful for the Contivity: freeradius is configured to add a Class attribute which varies depending on the realm.

If I configure the Contivity to authenticate directly against the VASCO, all works fine. This is also the case if I configure the Contivity to authenticate directly on the freeradius (not proxying the request to the VASCO). However, if freeradius acts as a proxy, when setting up a PPTP connection WinXP reports: "Error 778: It was not possible to verify the identity of the server". Both VASCO and freeradius reply with: Login OK.

Below is the output if radiusd is started with -X -A:

Ready to process requests.
rad_recv: Access-Request packet from host IPnumber-contivity:3460, id=16, length=154
    User-Name = "[EMAIL PROTECTED]"
    MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d600000000000000006719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
    MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-IP-Address = IPnumber-contivity
    NAS-Port = 566439
    NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119
modcall[authorize]: module "reply_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "attr_filter" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Looking up realm "company.realm " for User-Name = "rene@ company.realm "
rlm_realm: Found realm "company.realm"
rlm_realm: Proxying request from user rene to realm company.realm
rlm_realm: Adding Realm = "company.realm "
rlm_realm: Preparing to proxy authentication request to realm "company.realm"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to IPnumber-Vasco:1645
    User-Name = "[EMAIL PROTECTED] "
    MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d600000000000000006719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
    MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-IP-Address = IPnumber-contivity
    NAS-Port = 566439
    NAS-Port-Type = Virtual
    Proxy-State = 0x3136
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host IPnumber-Vasco:1645, id=0, length=198
    Reply-Message = "Login successful."
    MS-CHAP2-Success = 0x02533d46453430464243324341313641363730453135463039443438314145423830364331463031423943
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
    MS-MPPE-Send-Key = 0xe4b73fbf37c00ff323fe50b697961dd0
    MS-MPPE-Recv-Key = 0x02fc5aa8347af34df114fc9072e70240
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119
modcall[authorize]: module "reply_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
attr_filter: Matched entry company.realm at line 87
modcall[authorize]: module "attr_filter" returns updated for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED] (from client Contivity port 566439)
Sending Access-Accept of id 16 to IPnumber-contivity:3460
Finished request 0
Going to the next request
Waking up in 6 seconds...

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

modules {
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        # require_strong = yes
    }
    #and so on..
}

authorize {
    preprocess
    chap
    attr_filter
    eap
    suffix
    sql
    mschap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    # Allow EAP authentication.
    eap
}

pre-proxy {
}

post-proxy {
    eap
}

In proxy.conf:

realm company.realm {
    type = radius
    authhost = IPnumber-Vasco:1645
    accthost = LOCAL
    secret = verysecret
    nostrip
}

Since direct authentication works just fine, I figure it's a proxy problem. Using Fedora Core 2 with freeradius RPM freeradius-1.0.1-0.FC2.

Thanks in advance,
René

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
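Windows error 778 means the PPTP client could not validate the server's MS-CHAPv2 authenticator response, which travels in the MS-CHAP2-Success attribute of the final Access-Accept; in the trace above, attr_filter returns "updated" on the proxied reply, so the attributes forwarded to the NAS are worth comparing with the ones the VASCO returned. The following diagnostic is an added example, not part of the post or of FreeRADIUS: it parses radiusd -X output and lists required reply attributes present in the home server's Access-Accept but missing from the Access-Accept sent to the NAS. The sample trace, IP addresses and shortened hex values are constructed.

```python
"""Spot reply attributes a FreeRADIUS proxy received from the home server
but did not forward to the NAS.  Added diagnostic (not FreeRADIUS code);
it only parses radiusd -X debug output."""
import re

# What a PPTP/MS-CHAPv2 client needs in the final Access-Accept:
# MS-CHAP2-Success holds the authenticator response the client verifies
# (error 778 if missing or wrong); the MPPE keys key the tunnel.
REQUIRED = ("MS-CHAP2-Success", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")

# In -X output, attribute lines are indented under the packet line.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")

def parse_trace(text):
    """Return (received, sent): attributes of the Access-Accept received
    from the home server and of the Access-Accept sent to the NAS."""
    received, sent, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Accept"):
            current = received
        elif line.startswith("Sending Access-Accept"):
            current = sent
        elif line[:1].isspace():
            m = ATTR_RE.match(line)
            if m and current is not None:
                current[m.group(1)] = m.group(2)
        else:
            current = None  # any unindented message ends the packet dump
    return received, sent

def missing_reply_attrs(text):
    """Required attributes in the proxied reply that were dropped before
    the Access-Accept left for the NAS."""
    received, sent = parse_trace(text)
    return sorted(a for a in REQUIRED if a in received and a not in sent)

# Constructed sample trace (shortened hex, RFC 5737 addresses) modelled on
# the post: the home server's reply carries MS-CHAP2-Success and MPPE keys,
# but the Access-Accept to the NAS leaves with only a Reply-Message.
SAMPLE_TRACE = """\
rad_recv: Access-Accept packet from host 192.0.2.10:1645, id=0, length=198
    Reply-Message = "Login successful."
    MS-CHAP2-Success = 0x02533d4645...
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
    MS-MPPE-Send-Key = 0xe4b73fbf...
    MS-MPPE-Recv-Key = 0x02fc5aa8...
  modcall[authorize]: module "attr_filter" returns updated for request 0
Sending Access-Accept of id 16 to 192.0.2.20:3460
    Reply-Message = "Login successful."
Finished request 0
"""

if __name__ == "__main__":
    print("dropped before reaching the NAS:", missing_reply_attrs(SAMPLE_TRACE))
```

Run it against a real -X capture by passing the file contents to missing_reply_attrs; an empty list means the proxy forwarded everything the client needs and the cause lies elsewhere.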