Hello,

This is my first post on this mailing list, so sorry if I am in the 
wrong place!!

I am having problems getting the Radius Server to validate my VPN clients.
Reading through the mail archives, I have found similar subjects, but 
the main difference I have is the fact that I don't have authority on 
the Radius Server.
The main problem comes from my Windows clients. I am trying to stick to 
the default Microsoft auth method (using ms-chap v2) to keep the client 
side as simple as possible.
So I have set-up my pptp daemon, installed radiusclient, and have used 
the dictionary.microsoft from the sources of radiusclient.
I must point out that authentication works using "User-Password" field 
(say if I am wrong, but this is a clear text password?) on 802.1X 
clients, and all Users in the LDAP base have a valid User-Password (but 
no NT/LM Passwords)
The solutions I have come across until now tell me to use the NT or LM 
password field and the problem is solved, but I can't change the layout; 
it has been set by "eduroam", who guides the project.
So I must get my radius client to work with User-password, but I don't 
know where to start...
A log sent from the Radius Admin shows that the mschap module fails to 
find User-Password (this is how I have understood it!) and refuses to 
validate the user.
Here is the part I am talking about:
     FROM Radius log:

        auth: type "MS-CHAP"

    Processing the authenticate section of radiusd.conf
    modcall: entering group MS-CHAP for request 0
    rlm_mschap: No User-Password configured.  Cannot create LM-Password.
    rlm_mschap: No User-Password configured.  Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
    rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

But I am sure that the field User password contains the valid password I 
am trying to use.

Just in case, I shall post the dictionary.microsoft I am using:

        #
        #       Microsoft's VSA's, from RFC 2548
        #
        #       $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $
        #

        VENDOR          Microsoft       311     Microsoft

        ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
        ATTRIBUTE       MS-CHAP-Error           2       string  Microsoft
        ATTRIBUTE       MS-CHAP-CPW-1           3       string  Microsoft
        ATTRIBUTE       MS-CHAP-CPW-2           4       string  Microsoft
        ATTRIBUTE       MS-CHAP-LM-Enc-PW       5       string  Microsoft
        ATTRIBUTE       MS-CHAP-NT-Enc-PW       6       string  Microsoft
        ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
        # This is referred to as both singular and plural in the RFC.
        # Plural seems to make more sense.
        ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
        ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
        ATTRIBUTE       MS-RAS-Vendor           9       integer Microsoft
        ATTRIBUTE       MS-CHAP-Domain          10      string  Microsoft
        ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
        ATTRIBUTE       MS-CHAP-MPPE-Keys       12      string  Microsoft
        ATTRIBUTE       MS-BAP-Usage            13      integer Microsoft
        ATTRIBUTE       MS-Link-Utilization-Threshold 14 integer Microsoft
        ATTRIBUTE       MS-Link-Drop-Time-Limit 15      integer Microsoft
        ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
        ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
        ATTRIBUTE       MS-RAS-Version          18      string  Microsoft
        ATTRIBUTE       MS-Old-ARAP-Password    19      string  Microsoft
        ATTRIBUTE       MS-New-ARAP-Password    20      string  Microsoft
        ATTRIBUTE       MS-ARAP-PW-Change-Reason 21     integer Microsoft

        ATTRIBUTE       MS-Filter               22      string  Microsoft
        ATTRIBUTE       MS-Acct-Auth-Type       23      integer Microsoft
        ATTRIBUTE       MS-Acct-EAP-Type        24      integer Microsoft

        ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
        ATTRIBUTE       MS-CHAP2-Success        26      string  Microsoft
        ATTRIBUTE       MS-CHAP2-CPW            27      string  Microsoft

        ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr  Microsoft
        ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr  Microsoft
        ATTRIBUTE       MS-Primary-NBNS-Server  30      ipaddr  Microsoft
        ATTRIBUTE       MS-Secondary-NBNS-Server 31     ipaddr  Microsoft

        #ATTRIBUTE      MS-ARAP-Challenge       33      string  Microsoft


        #
        #       Integer Translations
        #

        #       MS-BAP-Usage Values

        VALUE           MS-BAP-Usage            Not-Allowed     0
        VALUE           MS-BAP-Usage            Allowed         1
        VALUE           MS-BAP-Usage            Required        2

        #       MS-ARAP-Password-Change-Reason Values

        VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
        VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
        VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
        VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

        #       MS-Acct-Auth-Type Values

        VALUE           MS-Acct-Auth-Type       PAP             1
        VALUE           MS-Acct-Auth-Type       CHAP            2
        VALUE           MS-Acct-Auth-Type       MS-CHAP-1       3
        VALUE           MS-Acct-Auth-Type       MS-CHAP-2       4
        VALUE           MS-Acct-Auth-Type       EAP             5

        #       MS-Acct-EAP-Type Values

        VALUE           MS-Acct-EAP-Type        MD5             4
        VALUE           MS-Acct-EAP-Type        OTP             5
        VALUE           MS-Acct-EAP-Type        Generic-Token-Card      6
        VALUE           MS-Acct-EAP-Type        TLS             13

            

I have tried to explain my problem the best I can, but if you find that 
something is missing, don't hesitate!

Thanks,
Robert            

PS: using other protocols (PAP for example) works fine, but we need 
mschap support!
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
