Thanks for the quick response.

On Mon, Dec 7, 2009 at 11:33 AM, Alan DeKok <al...@deployingradius.com> wrote:
> jon michaels wrote:
>> My NAS, pppd, does not grant access to a user with attribute Auth-Type
>> set to Accept but radtest does work.

Perhaps I should also mention that without Auth-Type set to Accept, I can connect. I am just searching for a good way to update one field in mysql to flip access on and off. If there is another attribute that I can use for this, that would be fine too. I just tried this one because it was mentioned in the /etc/freeradius/users example.

> My *guess* is that the NAS is doing MS-CHAP. You *cannot* simply set
> Auth-Type = Accept to let them in. You *must* have the "known good"
> password, and you *must* do a full MS-CHAP exchange.

True, it's doing mschap. I currently don't understand yet why the debug shows an accept but the ppp doesn't like it. Here's my freeradius debug output and my pppd and pptp debug output underneath it:

rad_recv: Access-Request packet from host 127.0.0.1 port 59011, id=238, length=135
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "testuser"
    MS-CHAP-Challenge = 0xcf50beb20eeb75a90e5577b142c0fdfc
    MS-CHAP2-Response = 0xec002b8744dec345f27532594312332a563e0000000000000000ef6a691cef86e60776c054bc5180319d1eb0bff41a2275cf
    NAS-IP-Address = 172.16.132.204
    NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207
    expand: %t -> Mon Dec 7 11:41:48 2009
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 148
++[files] returns ok
    expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 0
    expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
    expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
    expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
    expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
[sql] User found in group dynamic
    expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group session {...}
    expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
    expand: %{User-Name} -> testuser
++[radutmp] returns ok
+- entering group post-auth {...}
    expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.132.204 0
[main_pool] MD5 on 'key' directive maps to: 3f65cbc9230f10232661e598553cbde4
[main_pool] Searching for an entry for key: '3f65cbc9230f10232661e598553cbde4'
[main_pool] Found a stale entry for ip: 172.16.132.163
[main_pool] num: 0
rlm_ippool: Allocating ip to key: '3f65cbc9230f10232661e598553cbde4'
[main_pool] num: 1
[main_pool] Allocated ip 172.16.132.160 to client key: 3f65cbc9230f10232661e598553cbde4
++[main_pool] returns ok
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207
    expand: %t -> Mon Dec 7 11:41:48 2009
++[reply_log] returns ok
    expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
    expand: %{User-Password} ->
    expand: %{Chap-Password} ->
    expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', '', 'Access-Accept', '2009-12-07 11:41:48')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', '', 'Access-Accept', '2009-12-07 11:41:48')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 238 to 127.0.0.1 port 59011
    Service-Type := Framed-User
    Framed-Protocol := PPP
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-MTU := 1500
    Acct-Interim-Interval = 3600
    Acct-Status-Type = Interim-Update
    Framed-IP-Address = 172.16.132.160
    Framed-IP-Netmask = 255.255.255.0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 238 with timestamp +4214
Ready to process requests.

pptpd[7714]: CTRL: pppd options file = /etc/ppp/pptpd-options
pptpd[7714]: CTRL: Starting call (launching pppd, opening GRE)
pptpd[7715]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
pppd[7715]: Plugin radius.so loaded.
pppd[7715]: RADIUS plugin initialized.
pppd[7715]: Plugin radattr.so loaded.
pppd[7715]: RADATTR plugin initialized.
pppd[7715]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[7715]: pptpd-logwtmp: $Version$
pppd[7715]: pppd 2.4.5 started by root, uid 0
pppd[7715]: using channel 20
pppd[7715]: Using interface ppp0
pppd[7715]: Connect: ppp0 <--> /dev/pts/2
pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x3a4f9548> <pcomp> <accomp>]
pptpd[7714]: GRE: Bad checksum from pppd.
pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>]
pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>]
pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x3a4f9548> <pcomp> <accomp>]
pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>]
pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>]
pppd[7715]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x3a4f9548> <pcomp> <accomp>]
pppd[7715]: sent [LCP EchoReq id=0x0 magic=0x3a4f9548]
pppd[7715]: sent [CHAP Challenge id=0xab <fee8a2f7b97dc91c29b77a21b811bd7b>, name = "pptpd"]
pppd[7715]: rcvd [LCP EchoReq id=0x0 magic=0xe4a25036]
pppd[7715]: sent [LCP EchoRep id=0x0 magic=0x3a4f9548]
pppd[7715]: rcvd [LCP EchoRep id=0x0 magic=0xe4a25036]
pppd[7715]: rcvd [CHAP Response id=0xab <cd3e1f2e7e3333563806295b83cc29e400000000000000000e5fa91bba34183221a516ca3133441b607edcb9b0a7852d00>, name = "testuser"]
pppd[7715]: RADATTR plugin wrote 8 line(s) to file /var/run/radattr.ppp0.
pppd[7715]:
pppd[7715]: Peer hexuser failed CHAP authentication
pppd[7715]: sent [CHAP Failure id=0xab ""]
pppd[7715]: sent [LCP TermReq id=0x2 "Authentication failed"]
pppd[7715]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
pppd[7715]: sent [LCP TermAck id=0x2]
pppd[7715]: rcvd [LCP TermAck id=0x2]
pppd[7715]: Connection terminated.
pppd[7715]: RADATTR plugin removed file /var/run/radattr.ppp0.
pppd[7715]: Exit.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
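
In the debug output above, the request carries MS-CHAP2-Response but the Access-Accept produced by Auth-Type = Accept has no MS-CHAP2-Success attribute, which RFC 2548 says the NAS must relay in the MS-CHAP-V2 Success packet it sends to the peer. The Python check below is an added example, not part of the original message or of FreeRADIUS; it scans `freeradius -X` style output for that pattern, and the sample log, placeholder hex values and function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `freeradius -X` output (hex values are placeholders).
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 59011, id=238, length=135
    User-Name = "testuser"
    MS-CHAP2-Response = 0x00
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Found Auth-Type = Accept
Sending Access-Accept of id 238 to 127.0.0.1 port 59011
    Framed-Protocol := PPP
    Framed-IP-Address = 172.16.132.160
Finished request 3.
"""

RECV = re.compile(r"^rad_recv: (\S+) packet .*\bid=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+)\s*:?=\s*(.*)$")

def parse_packets(text):
    """Split debug output into packets, each with its indented attribute list."""
    packets, current, forced = [], None, False
    for line in text.splitlines():
        head = RECV.match(line) or SEND.match(line)
        if head:
            current = {"code": head.group(1), "id": int(head.group(2)), "attrs": {},
                       "forced_accept": forced and line.startswith("Sending")}
            forced = False
            packets.append(current)
        elif current is not None and ATTR.match(line):
            name, value = ATTR.match(line).groups()
            current["attrs"][name] = value.strip('"')
        else:
            current = None  # the attribute list of the last packet has ended
            forced = forced or line.strip() == "Found Auth-Type = Accept"
    return packets

def find_accepts_without_success(text):
    """Flag Access-Accepts answering an MS-CHAPv2 request without MS-CHAP2-Success."""
    pending, findings = {}, []
    for pkt in parse_packets(text):
        if pkt["code"] == "Access-Request":
            pending[pkt["id"]] = pkt
        elif pkt["code"] == "Access-Accept":
            req = pending.pop(pkt["id"], None)
            if req and "MS-CHAP2-Response" in req["attrs"] \
                    and "MS-CHAP2-Success" not in pkt["attrs"]:
                findings.append({"id": pkt["id"], "user": req["attrs"].get("User-Name"),
                                 "forced_accept": pkt["forced_accept"]})
    return findings

if __name__ == "__main__":
    for finding in find_accepts_without_success(SAMPLE):
        print(finding)
```

A finding with `forced_accept` set means the accept came from a configured Auth-Type = Accept rather than from the mschap module.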