Hi,

You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas.

Ex:
sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using the smbencrypt tool (deployed with samba).

This way pptp MSCHAP auth will work.

Nelson Vale

On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
> Dear list,
>
> I know this is a question which has been thoroughly asked and answered,
> but after spending several days configuring, debugging, searching the
> internet, re-configuring, etc, I still can't get my freeradius server
> to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know it's not your
> "jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
> require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
> authorize {
>     preprocess
>     pap
>     mschap
>     ldap
>     auth_log
>     eap {
>         ok = return
>     }
>     expiration
>     logintime
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     Auth-Type LDAP {
>         ldap
>     }
>     eap
> }
>
> My modules/ldap contains all the necessary information, and my
> modules/mschap has the options use_mppe, require_encryption and
> require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc), but through
> pptpd it always fails with this error:
>
> ----------------
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "dgomes"
>         MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>         MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a000000000000000002a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
>         Calling-Station-Id = "193.136.136.200"
>         NAS-IP-Address = 193.136.136.40
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [ldap] performing user authorization for dgomes
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>         expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>         expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
> rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> [ldap] user dgomes authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>         expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> [auth_log]      /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>         expand: %t -> Thu Jul  8 14:08:34 2010
> ++[auth_log] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
>         expand: %{User-Name} -> dgomes
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
>
> ------------------
>
> I know that the error should be enough for me to fix it (since it's
> quite explanatory), but after trying many different configurations and
> searching through dozens of old mailing lists posts, I still haven't
> managed it...
>
> So yeah, if you could help me out, I'd appreciate it! All I want is
> pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP
> is not even a requirement for me here, since both services are on the
> same machine, so there's not even the need for safe connections. So long
> as it works, I really don't care about any particular configuration!
>
> Thanks in advance,
> Daniel Gomes
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html