Btw, I do not have any Auth-Type settings now.

Thanks

On Wed, May 23, 2012 at 1:42 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Hi
> I got it to work "at least half way", I did change pptpd options from
>
> -chap
> -mschap
> +mschap-v2
> require-mppe
>
> TO
>
> +chap
> +mschap
> +mschap-v2
> #require-mppe
>
> And in MS Win 7 VPN settings I did set encryption to optional. This way I
> can connect, see
>
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4FBCBB330F5000",User-Name = "test"'
> [acct_unique] Acct-Unique-Session-ID = "6bbdd9f2f808f872".
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[files] returns noop
> # Executing section accounting from file /etc/raddb/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
> [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523
> [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523
> [detail] expand: %t -> Wed May 23 11:25:55 2012
> ++[detail] returns ok
> ++[unix] returns ok
> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> test
> ++[radutmp] returns ok
> ++[exec] returns noop
> [attr_filter.accounting_response] expand: %{User-Name} -> test
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] returns updated
> Sending Accounting-Response of id 27 to 127.0.0.1 port 50177
> Finished request 2.
> Cleaning up request 2 ID 27 with timestamp +15
> Going to the next request
> Waking up in 4.7 seconds.
>
>
> However when I do try to use MSCHAPV2 in VPN settings or if I do require
> encryption with appropriate settings in pptpd it fails.
>
> Test example :
>
> Set in VPN client in Win 7 to require encryption and MSCHAPV2 - "default
> options"
> Set pptpd options to :
> -chap
> -mschap
> +mschap-v2
> require-mppe
>
> I get the following in radius
>
> ++[sql] returns ok
> ++[expiration] returns noop
> rlm_logintime: Checking Login-Time: 'Al0800-1200'
> rlm_logintime: timestr returned accept
> rlm_logintime: Session-Timeout set to: 1200
> ++[logintime] returns ok
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] returns noop
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Replacing User-Password in config items with Cleartext-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good" !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> test
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 12 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 12
> Sending Access-Reject of id 45 to 127.0.0.1 port 60652
> Waking up in 4.9 seconds.
> Cleaning up request 12 ID 45 with timestamp +591
> Ready to process requests.
>
> In short it works for chap but not mschap, any input please ?
>
> Regards
>
>
> On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>
>> Hi
>> Thanks again
>>
>> I did remove Auth-Type entry from DB and error says now
>>
>> rlm_sql (sql): Released sql socket id: 4
>> ++[sql] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> ++[pap] returns noop
>> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} -> test
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>>
>> I am using a pptpd server, it has plugin radius.so plugin radattr.so
>> loaded. The radius client is :
>>
>> rpm -qa | grep radiusclient
>> radiusclient-ng-utils-0.5.6-3.el5
>> radiusclient-ng-0.5.6-3.el5
>>
>> Its radiusclient config is :
>>
>> auth_order radius
>> login_tries 4
>> login_timeout 60
>> nologin /etc/nologin
>> issue /etc/radiusclient/issue
>> authserver localhost:1812
>> acctserver localhost:1813
>> servers /etc/radiusclient/servers
>> #dictionary /etc/raddb/dictionary
>> dictionary /usr/share/radiusclient-ng/dictionary
>> login_radius /usr/sbin/login.radius
>> seqfile /var/run/radius.seq
>> mapfile /etc/radiusclient/port-id-map
>> default_realm
>> radius_timeout 10
>> radius_retries 3
>> login_local /bin/login
>>
>> On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <al...@deployingradius.com> wrote:
>>
>>> Ali Jawad wrote:
>>> > Thanks for your patience so far.
>>> >
>>> > I did edit include sql.conf and only edited authorize to uncomment sql line.
>>> >
>>> > Now I am getting the below.
>>> >
>>> > [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not
>>> > contain a CHAP-Password attribute!
>>>
>>> Because you forced Auth-Type := CHAP. Don't do that.
>>>
>>> > I did try as LOCAL and it says set CHAP, I also tried mschap
>>>
>>> It's MUCH better to *understand* what's going on. Trying random
>>> changes is terrible.
>>>
>>> > Listening on proxy address * port 1814
>>> > Ready to process requests.
>>> > rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
>>> >     Service-Type = Framed-User
>>> >     Framed-Protocol = PPP
>>> >     User-Name = "test"
>>> >     Calling-Station-Id = "xxxxxxxx"
>>> >     NAS-IP-Address = 127.0.0.1
>>> >     NAS-Port = 0
>>>
>>> There's no password in this request. Use a RADIUS client that sends a
>>> password!
>>>
>>> Whatever RADIUS client you're using is broken. Don't use it.
>>>
>>> Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>> --
>> *Ali Jawad*
>> *Information Systems Manager*
>> *Splendor Telecom (www.splendor.net)
>> Beirut, Lebanon
>> Phone: +9611373725/ext 116
>> FAX: +9611375554*
>>
>
> --
> *Ali Jawad*
> *Information Systems Manager*
> *Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554*
>

--
*Ali Jawad*
*Information Systems Manager*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554*
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
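
Added example, not part of the original thread or of FreeRADIUS: a small Python check that reads FreeRADIUS 2.x `radiusd -X` output in the format quoted above and reports which credential attributes each Access-Request actually carries, which is the point behind "There's no password in this request". The function names and the second sample request are assumptions made up for illustration; the attribute names are the standard dictionary ones.

```python
import re

# Credential attributes a request must carry for each method to be possible
# (standard RADIUS/FreeRADIUS dictionary names).
METHODS = [
    ("MS-CHAPv2", {"MS-CHAP-Challenge", "MS-CHAP2-Response"}),
    ("MS-CHAPv1", {"MS-CHAP-Challenge", "MS-CHAP-Response"}),
    ("CHAP", {"CHAP-Password"}),
    ("PAP", {"User-Password"}),
    ("EAP", {"EAP-Message"}),
]
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")

# Constructed sample: the first request mirrors the one in the thread,
# the second is invented, with placeholder hex values.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
\tService-Type = Framed-User
\tUser-Name = "test"
\tNAS-IP-Address = 127.0.0.1
\tNAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
rad_recv: Access-Request packet from host 127.0.0.1 port 36344, id=1, length=150
\tUser-Name = "test"
\tMS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
\tMS-CHAP2-Response = 0x0000aabbccdd
"""

def parse_access_requests(debug_text):
    """Return one {attribute: value} dict per Access-Request in the log."""
    requests, current = [], None
    for line in debug_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            current = {}
            requests.append(current)
            continue
        match = ATTR.match(line) if current is not None else None
        if match:
            current[match.group(1)] = match.group(2)
        else:
            current = None  # first non-indented line ends the packet dump
    return requests

def classify(attrs):
    """Name the authentication method the request can support, or 'none'."""
    for name, required in METHODS:
        if required.issubset(attrs):
            return name
    return "none"
```

A request classified as "none" cannot be authenticated by any module regardless of the Auth-Type set on the server, so the place to look is the NAS side (here the pptpd radius plugin and its dictionary).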