Hi,

Sorry to bother you. I've been reading almost every post here that talks about the same problem I'm encountering, but I didn't find any solution for my trouble.

Here is the thing: I'm using freeradius + LDAP + pptpd to authenticate Windows VPN users. When I put the users' Cleartext-Password in freeradius's users file, everything works fine, but when I remove this information from the users file and want the authentication to be done against the LDAP database, nothing works.

Here are my users in the LDAP database, for tests:

dn: uid=light,ou=vpn,dc=home
objectClass: account
objectClass: simpleSecurityObject
objectClass: radiusprofile
uid: light
cn: The Tester
structuralObjectClass: account
entryUUID: 74eeffe8-47c0-102e-87e0-8d7f2b5bb553
creatorsName:
createTimestamp: 20091007190752Z
userPassword:: dGVzdGVy
entryCSN: 20091007193817.121196Z#000000#000#000000
modifiersName: cn=admin,dc=home
modifyTimestamp: 20091007193817Z

dn: uid=flash,ou=vpn,dc=home
objectClass: account
objectClass: simpleSecurityObject
objectClass: radiusprofile
uid: flash
cn: Second one
userPassword:: dGVzdGVy
structuralObjectClass: account
entryUUID: 6fa73a2e-47c4-102e-8f78-e10206a13f31
creatorsName:
createTimestamp: 20091007193621Z
entryCSN: 20091007193621.607389Z#000000#000#000000
modifiersName:
modifyTimestamp: 20091007193621Z

And here is my debug output from freeradius:

Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct 3 2009 at 19:16:29
Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius/radiusd.conf
Debug: including configuration file /etc/freeradius/clients.conf
Debug: including configuration file /etc/freeradius/policy.conf
Debug: including files in directory /etc/freeradius/sites-enabled/
Debug: including configuration file /etc/freeradius/sites-enabled/default
Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
Debug: including dictionary file /etc/freeradius/dictionary
Debug: main {
Debug: prefix = "/usr"
Debug: localstatedir = "/var"
Debug: logdir = "/var/log/freeradius"
Debug: libdir = "/usr/lib/freeradius"
Debug: radacctdir = "/var/log/freeradius/radacct"
Debug: hostname_lookups = no
Debug: max_request_time = 30
Debug: cleanup_delay = 5
Debug: max_requests = 1024
Debug: allow_core_dumps = no
Debug: pidfile = "/var/run/freeradius/freeradius.pid"
Debug: user = "freerad"
Debug: group = "freerad"
Debug: checkrad = "/usr/sbin/checkrad"
Debug: debug_level = 0
Debug: proxy_requests = yes
Debug: security {
Debug: max_attributes = 200
Debug: reject_delay = 1
Debug: status_server = yes
Debug: }
Debug: }
Debug: client localhost {
Debug: ipaddr = 127.0.0.1
Debug: require_message_authenticator = no
Debug: secret = "hometest"
Debug: nastype = "other"
Debug: }
Debug: client 192.168.0.0/24 {
Debug: require_message_authenticator = no
Debug: secret = "hometest"
Debug: shortname = "private-network-1"
Debug: }
Debug: radiusd: #### Loading Realms and Home Servers ####
Debug: radiusd: #### Instantiating modules ####
Debug: instantiate {
Debug: (Loaded rlm_exec, checking if it's valid)
Debug: Module: Linked to module rlm_exec
Debug: Module: Instantiating exec
Debug: exec {
Debug: wait = yes
Debug: input_pairs = "request"
Debug: shell_escape = yes
Debug: }
Debug: (Loaded rlm_expr, checking if it's valid)
Debug: Module: Linked to module rlm_expr
Debug: Module: Instantiating expr
Debug: (Loaded rlm_expiration, checking if it's valid)
Debug: Module: Linked to module rlm_expiration
Debug: Module: Instantiating expiration
Debug: expiration {
Debug: reply-message = "Password Has Expired "
Debug: }
Debug: (Loaded rlm_logintime, checking if it's valid)
Debug: Module: Linked to module rlm_logintime
Debug: Module: Instantiating logintime
Debug: logintime {
Debug: reply-message = "You are calling outside your allowed timespan "
Debug: minimum-timeout = 60
Debug: }
Debug: }
Debug: radiusd: #### Loading Virtual Servers ####
Debug: server inner-tunnel {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_pap, checking if it's valid)
Debug: Module: Linked to module rlm_pap
Debug: Module: Instantiating pap
Debug: pap {
Debug: encryption_scheme = "auto"
Debug: auto_header = no
Debug: }
Debug: (Loaded rlm_chap, checking if it's valid)
Debug: Module: Linked to module rlm_chap
Debug: Module: Instantiating chap
Debug: (Loaded rlm_mschap, checking if it's valid)
Debug: Module: Linked to module rlm_mschap
Debug: Module: Instantiating mschap
Debug: mschap {
Debug: use_mppe = yes
Debug: require_encryption = no
Debug: require_strong = no
Debug: with_ntdomain_hack = no
Debug: }
Debug: (Loaded rlm_unix, checking if it's valid)
Debug: Module: Linked to module rlm_unix
Debug: Module: Instantiating unix
Debug: unix {
Debug: radwtmp = "/var/log/freeradius/radwtmp"
Debug: }
Debug: (Loaded rlm_ldap, checking if it's valid)
Debug: Module: Linked to module rlm_ldap
Debug: Module: Instantiating ldap
Debug: ldap {
Debug: server = "localhost"
Debug: port = 389
Debug: password = ""
Debug: identity = ""
Debug: net_timeout = 1
Debug: timeout = 4
Debug: timelimit = 3
Debug: tls_mode = no
Debug: start_tls = no
Debug: tls_require_cert = "allow"
Debug: tls {
Debug: start_tls = no
Debug: require_cert = "allow"
Debug: }
Debug: basedn = "ou=vpn,dc=home"
Debug: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Debug: base_filter = "(objectclass=radiusprofile)"
Debug: password_attribute = "userPassword"
Debug: auto_header = yes
Debug: access_attr_used_for_allow = yes
Debug: groupname_attribute = "cn"
Debug: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
Debug: ldap_debug = 0
Debug: ldap_connections_number = 5
Debug: compare_check_items = no
Debug: do_xlat = yes
Debug: edir_account_policy_check = no
Debug: set_auth_type = no
Debug: }
Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP digestHA1 mapped to RADIUS Digest-HA1
Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP ntHash mapped to RADIUS NT-Hash
Debug: rlm_ldap: LDAP lmHash mapped to RADIUS LM-Hash
Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Debug: conns: 0x85f0988
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_realm, checking if it's valid)
Debug: Module: Linked to module rlm_realm
Debug: Module: Instantiating suffix
Debug: realm suffix {
Debug: format = "suffix"
Debug: delimiter = "@"
Debug: ignore_default = no
Debug: ignore_null = no
Debug: }
Debug: (Loaded rlm_files, checking if it's valid)
Debug: Module: Linked to module rlm_files
Debug: Module: Instantiating files
Debug: files {
Debug: usersfile = "/etc/freeradius/users"
Debug: acctusersfile = "/etc/freeradius/acct_users"
Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
Debug: compat = "no"
Debug: }
Debug: Module: Checking session {...} for more modules to load
Debug: (Loaded rlm_radutmp, checking if it's valid)
Debug: Module: Linked to module rlm_radutmp
Debug: Module: Instantiating radutmp
Debug: radutmp {
Debug: filename = "/var/log/freeradius/radutmp"
Debug: username = "%{User-Name}"
Debug: case_sensitive = yes
Debug: check_with_nas = yes
Debug: perm = 384
Debug: callerid = yes
Debug: }
Debug: Module: Checking post-auth {...} for more modules to load
Debug: (Loaded rlm_attr_filter, checking if it's valid)
Debug: Module: Linked to module rlm_attr_filter
Debug: Module: Instantiating attr_filter.access_reject
Debug: attr_filter attr_filter.access_reject {
Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
Debug: key = "%{User-Name}"
Debug: }
Debug: }
Debug: }
Debug: server {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_preprocess, checking if it's valid)
Debug: Module: Linked to module rlm_preprocess
Debug: Module: Instantiating preprocess
Debug: preprocess {
Debug: huntgroups = "/etc/freeradius/huntgroups"
Debug: hints = "/etc/freeradius/hints"
Debug: with_ascend_hack = no
Debug: ascend_channels_per_line = 23
Debug: with_ntdomain_hack = no
Debug: with_specialix_jetstream_hack = no
Debug: with_cisco_vsa_hack = no
Debug: with_alvarion_vsa_hack = no
Debug: }
Debug: Module: Checking preacct {...} for more modules to load
Debug: (Loaded rlm_acct_unique, checking if it's valid)
Debug: Module: Linked to module rlm_acct_unique
Debug: Module: Instantiating acct_unique
Debug: acct_unique {
Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Debug: }
Debug: Module: Checking accounting {...} for more modules to load
Debug: (Loaded rlm_detail, checking if it's valid)
Debug: Module: Linked to module rlm_detail
Debug: Module: Instantiating detail
Debug: detail {
Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Debug: header = "%t"
Debug: detailperm = 384
Debug: dirperm = 493
Debug: locking = no
Debug: log_packet_header = no
Debug: }
Debug: Module: Instantiating attr_filter.accounting_response
Debug: attr_filter attr_filter.accounting_response {
Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
Debug: key = "%{User-Name}"
Debug: }
Debug: Module: Checking session {...} for more modules to load
Debug: Module: Checking post-auth {...} for more modules to load
Debug: }
Debug: }
Debug: radiusd: #### Opening IP addresses and Ports ####
Debug: listen {
Debug: type = "auth"
Debug: ipaddr = *
Debug: port = 0
Debug: }
Debug: listen {
Debug: type = "acct"
Debug: ipaddr = *
Debug: port = 0
Debug: }
Debug: main {
Debug: snmp = no
Debug: smux_password = ""
Debug: snmp_write_access = no
Debug: }
Debug: Listening on authentication address * port 1812
Debug: Listening on accounting address * port 1813
Debug: Listening on proxy address * port 1814
Debug: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 42393, id=88, length=144
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "light"
        MS-CHAP-Challenge = 0xb0e4f30555c866750a41eca5b070dd38
        MS-CHAP2-Response = 0x0600ee6e8f48c9792c51f31cd89d99b33bdb0000000000000000b2e5571c233fe74a670d9dc9fbc59caf3076ab53eff195fe
        Calling-Station-Id = "192.168.0.1"
        NAS-IP-Address = 0x0101
        NAS-Port = 0
Debug: +- entering group authorize
Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Debug: ++[preprocess] returns ok
Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Debug: ++[chap] returns noop
Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for light
Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=light)
Debug: expand: ou=vpn,dc=home -> ou=vpn,dc=home
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to localhost:389, authentication 0
Debug: rlm_ldap: bind as / to localhost:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
Debug: rlm_ldap: No default NMAS login sequence
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Debug: rlm_ldap: user light authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Debug: ++[ldap] returns ok
Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Debug: ++[mschap] returns ok
Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Debug: rlm_realm: No '@' in User-Name = "light", looking up realm NULL
Debug: rlm_realm: No such realm "NULL"
Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Debug: ++[suffix] returns noop
Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
Debug: ++[unix] returns notfound
Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Debug: ++[files] returns noop
Debug: modsingle[authorize]: calling expiration (rlm_expiration) for request 0
Debug: modsingle[authorize]: returned from expiration (rlm_expiration) for request 0
Debug: ++[expiration] returns noop
Debug: modsingle[authorize]: calling logintime (rlm_logintime) for request 0
Debug: modsingle[authorize]: returned from logintime (rlm_logintime) for request 0
Debug: ++[logintime] returns noop
Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
Debug: ++[pap] returns noop
Debug: rad_check_password: Found Auth-Type mschap
Debug: auth: type "MSCHAP"
Debug: +- entering group MS-CHAP
Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
Debug: rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
Debug: rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
Debug: rlm_mschap: Told to do MS-CHAPv2 for light with NT-Password
Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 0
Debug: ++[mschap] returns reject
Debug: auth: Failed to validate the user.
Auth: Login incorrect: [light/<via Auth-Type = mschap>] (from client localhost port 0 cli 192.168.0.1)
Debug: Found Post-Auth-Type Reject
Debug: +- entering group REJECT
Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Debug: expand: %{User-Name} -> light
Debug: attr_filter: Matched entry DEFAULT at line 11
Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Debug: ++[attr_filter.access_reject] returns updated
Debug: Delaying reject of request 0 for 1 seconds
Debug: Going to the next request
Debug: Waking up in 0.9 seconds.
Debug: Sending delayed reject for request 0
Sending Access-Reject of id 88 to 127.0.0.1 port 42393
Debug: Waking up in 4.9 seconds.
Debug: Cleaning up request 0 ID 88 with timestamp +8
Debug: Ready to process requests.

Thank you very much for your help.

Tede

--
View this message in context: http://www.nabble.com/Freeradius-can%27t-authenticate-pptp-users-from-Windows-XP-to-LDAP-tp25801493p25801493.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
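The debug output above shows the chain that matters for MS-CHAPv2 against LDAP: rlm_ldap finds the entry but reports no "known good" password, so nothing becomes Cleartext-Password or NT-Password, and rlm_mschap has nothing to compute the NT-Response from. The following triage helper is an added example written for this thread, not FreeRADIUS or OpenLDAP code. It parses LDIF (a copy of the poster's `light` entry plus two constructed entries for contrast), classifies how the password is stored and whether rlm_mschap could use it, scans a constructed excerpt of the `radiusd -X` output for that warning pair, and extracts the ldap module's bind identity, since an empty identity is an anonymous bind, which under OpenLDAP's default ACLs is not permitted to read `userPassword` (that ACL behaviour is an assumption about this setup, not something the post states).

```python
"""Triage helper for a FreeRADIUS + LDAP + MS-CHAPv2 failure.

Added example, not FreeRADIUS or OpenLDAP code. It checks:
1. how userPassword is stored, and whether rlm_mschap could use it
   (MS-CHAPv2 needs the cleartext password or the NT hash; a salted
   hash such as {SSHA} cannot be converted);
2. whether radiusd -X output shows rlm_ldap handing no password to the
   authenticate stage;
3. the ldap module's bind identity ('' means anonymous bind; assumption:
   OpenLDAP's default ACL hides userPassword from anonymous readers).
"""
import base64
import re

# Constructed LDIF: the 'light' entry is the poster's with operational
# attributes dropped; 'hashed' and 'nthash' are invented for contrast.
SAMPLE_LDIF = """\
dn: uid=light,ou=vpn,dc=home
objectClass: account
objectClass: simpleSecurityObject
objectClass: radiusprofile
uid: light
userPassword:: dGVzdGVy

dn: uid=hashed,ou=vpn,dc=home
objectClass: account
objectClass: simpleSecurityObject
uid: hashed
userPassword: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH

dn: uid=nthash,ou=vpn,dc=home
objectClass: account
uid: nthash
sambaNtPassword: PLACEHOLDER0123456789ABCDEF0123456
"""

LDIF_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return one {attribute(lowercased): [values]} dict per LDIF entry.
    A '::' separator means the value is base64-encoded (RFC 2849)."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = LDIF_LINE.match(raw).groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(entry):
    """Return (scheme, usable_by_mschap) for one parsed entry.

    The ldap.attrmap in the post maps sambaNtPassword and ntPassword to
    NT-Password, which rlm_mschap uses directly. The password_attribute
    (userPassword) only helps MS-CHAP when it holds the cleartext value;
    a {SCHEME}-prefixed hash cannot be turned into an NT hash."""
    if "sambantpassword" in entry or "ntpassword" in entry:
        return "nt-hash", True
    values = entry.get("userpassword")
    if not values:
        return "none", False
    m = re.match(r"\{([A-Za-z0-9-]+)\}", values[0])
    if m:
        return m.group(1).upper(), False
    return "cleartext", True


# Constructed excerpt of the radiusd -X output quoted in the post.
SAMPLE_LOG = """\
Debug: ldap {
Debug: server = "localhost"
Debug: password = ""
Debug: identity = ""
Debug: password_attribute = "userPassword"
Debug: rlm_ldap: bind as / to localhost:389
Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Debug: rlm_ldap: user light authorized to use remote access
Debug: rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
"""

NO_PASSWORD_FROM_LDAP = re.compile(r'No "known good" password was found in LDAP')
MSCHAP_NO_HASH = re.compile(r"rlm_mschap: FAILED: No NT/LM-Password")


def ldap_returned_no_password(log):
    """True when rlm_ldap found the user but supplied no password material
    and rlm_mschap then failed for lack of an NT hash."""
    lines = log.splitlines()
    return (any(NO_PASSWORD_FROM_LDAP.search(l) for l in lines)
            and any(MSCHAP_NO_HASH.search(l) for l in lines))


def bind_identity(log):
    """Return the ldap module's configured identity ('' = anonymous bind)."""
    m = re.search(r'identity = "([^"]*)"', log)
    return m.group(1) if m else None


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        scheme, ok = classify_password(entry)
        print(f"{entry['dn'][0]:32} {scheme:10} mschap-usable={ok}")
    print("ldap handed no password to authenticate:",
          ldap_returned_no_password(SAMPLE_LOG))
    print("bind identity:", repr(bind_identity(SAMPLE_LOG)))
```

Run against the poster's own entry, the helper decodes `dGVzdGVy` to a cleartext value that rlm_mschap could use, yet the log check still reports that rlm_ldap supplied no password, which points the investigation at what the server can read under the configured (empty) bind identity rather than at the entry itself. The `{SSHA}` case shows the other common trap: a directory that stores only salted hashes can never satisfy MS-CHAPv2, whatever the bind permissions.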