Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> Basically, I have set up mpd to authenticate via RADIUS, and I'm trying to
> have FreeRADIUS do its authentication via rlm_pam, so I can have mpd
> (indirectly) authenticate off of a Windows Domain (so PAM is configured to
> authenticate via pam_winbind, from the Samba3 distro).

That will work for PAP. Nothing else. The pam_winbind module doesn't do CHAP, or MS-CHAP.

> Even though rlm_chap complains about not being able to find a proper
> Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
> in the packet debug.

But no CHAP-Password. The names are different, that should be a hint.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Sean Perry ([EMAIL PROTECTED]) [09/09/03 19:55]:
>> If I change the mpd configuration to use PAP instead of CHAP, I get
>> authentication success, but then there's some weirdness going on on the mpd
>> side of things that I'm also trying to figure out. Even though rlm_chap
>> complains about not being able to find a proper Chap-Password attribute, I
>> can see the MS-CHAP-Challenge and -Response right in the packet debug.
>
> as I was told recently, you can't get there from here.

sigh

That's what I was afraid of...

> There is currently no way to authenticate via CHAP against a Windows domain
> from Linux. Alan explains this in the thread I started last week.

I have to do some reading up on CHAP. Before I started this, I had convinced myself, against my own judgement, that this would in fact be possible.

> The best possibility I have found is using a radius relay and a Windows based
> radius server like Internet Authentication Service which comes with win2k
> server. Haven't tried to get it to work yet, but it is the most likely way to
> get it working.

Unfortunately the DC is not under my control. I'll have to convince the admins there to install the RADIUS server. You don't happen to know if NT4 comes with one, do you?

/clutching at straws
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 10:10]:
>> Even though rlm_chap complains about not being able to find a proper
>> Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
>> in the packet debug.
>
> But no CHAP-Password. The names are different, that should be a hint.

(This is going off on a tangent...)

But rlm_chap consults the mschap module, does it not? Ah, but it tells mschap to look for Chap-Password, /not/ MS-CHAP-Password.

Okay, I'll stop musing aloud, go re-learn myself some CHAP, and start over.

Thanks for the help.
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> But rlm_chap consults the mschap module, does it not?

No.

> Ah, but it tells mschap to look for Chap-Password, /not/ MS-CHAP-Password.

No.

Alan DeKok.
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 13:12]:
> Damian Gerow [EMAIL PROTECTED] wrote:
>> But rlm_chap consults the mschap module, does it not?
>
> No.
>
>> Ah, but it tells mschap to look for Chap-Password, /not/ MS-CHAP-Password.
>
> No.

Okay... So can I get an explanation as to what's going on here:

    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 2
    modcall[authorize]: module files returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
    modcall[authorize]: module chap returns noop
    modcall[authorize]: module mschap returns notfound

Is that saying, 'Could not contact the mschap module', or 'The mschap module said it couldn't find a Chap-Password', or 'I'm not supposed to look at the mschap module, even though it's somewhere in my configuration'?
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
> Okay... So can I get an explanation as to what's going on here:
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module chap returns noop

There's no CHAP-Password, so the 'chap' module doesn't do anything.

> modcall[authorize]: module mschap returns notfound

You're using an old version of the server. Upgrade to 0.9.1.

Alan DeKok.
Re: Problems authenticating with mpd, MSCHAPv2
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 13:32]:
> Damian Gerow [EMAIL PROTECTED] wrote:
>> Okay... So can I get an explanation as to what's going on here:
>> rlm_chap: Could not find proper Chap-Password attribute in request
>> modcall[authorize]: module chap returns noop
>
> There's no CHAP-Password, so the 'chap' module doesn't do anything.

Makes sense.

>> modcall[authorize]: module mschap returns notfound
>
> You're using an old version of the server. Upgrade to 0.9.1.

I've been running 0.9.1 this entire time. I just installed it yesterday, from the FreeBSD ports system.
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow [EMAIL PROTECTED] wrote:
>> You're using an old version of the server. Upgrade to 0.9.1.
>
> I've been running 0.9.1 this entire time. I just installed it yesterday, from
> the FreeBSD ports system.

Then you have an older version of rlm_mschap sitting around. The rlm_mschap module in 0.9.1 NEVER returns 'notfound' from the 'authorize' stage.

Alan DeKok.
Problems authenticating with mpd, MSCHAPv2
I've found some similar references to the problem I'm having here:

    http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017525.html

And I get an MS-Chap-Error similar to this:

    http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017052.html

Basically, I have set up mpd to authenticate via RADIUS, and I'm trying to have FreeRADIUS do its authentication via rlm_pam, so I can have mpd (indirectly) authenticate off of a Windows Domain (so PAM is configured to authenticate via pam_winbind, from the Samba3 distro).

I've been banging my head against this for a while, and I'm at a loss. Any pointers would be greatly appreciated. Here's the icky details...

I have FreeRADIUS set up properly, and have been able to use radtest to authenticate successfully. However, as soon as I introduce mpd into the equation, this is what I see:

    Login incorrect: [damiang/no User-Password attribute] (from client localhost port 0 cli 64.7.141.26)

At the same time I see this in the mpd logs:

    Sep 9 18:30:21 virtek mpd: [pptp1] RADIUS: RadiusAddServer Adding 127.0.0.1
    Sep 9 18:30:21 virtek mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: damiang
    Sep 9 18:30:25 virtek mpd: [pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_REJECT for user damiang
    Sep 9 18:30:25 virtek mpd: [pptp1] RADIUS: RadiusGetParams: MS-CHAP-Error: ^AE=691 R=1
    Sep 9 18:30:25 virtek mpd: [pptp1] CHAP: sending FAILURE

If I change the mpd configuration to use PAP instead of CHAP, I get authentication success, but then there's some weirdness going on on the mpd side of things that I'm also trying to figure out.

Even though rlm_chap complains about not being able to find a proper Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right in the packet debug.

Attached is an output of radiusd -X during one of the CHAP authentication failures. Again, any pointers, clue sticks, RTFM's, or suggestions would be greatly appreciated.
- Damian

rad_recv: Access-Request packet from host 127.0.0.1:4844, id=105, length=181
    NAS-Identifier = me.sentex.ca
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Calling-Station-Id = 64.7.141.26
    User-Name = damiang
    MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
    MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127fc649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 2
modcall[authorize]: module files returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
modcall[authorize]: module mschap returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Pam
auth: type PAM
modcall: entering group authenticate
rlm_pam: Attribute User-Password is required for authentication.
modcall[authenticate]: module pam returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [damiang/no User-Password attribute] (from client localhost port 0 cli 64.7.141.26)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 105 to 127.0.0.1:4844
    MS-CHAP-Error = \001E=691 R=1
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:4845, id=198, length=168
    NAS-Identifier = me.sentex.ca
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = damiang
    MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
    MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127fc649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 2
modcall[authorize]: module files returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
modcall[authorize]: module mschap returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Pam
auth: type PAM
modcall: entering group authenticate
rlm_pam: Attribute User-Password is required for authentication.
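
Added example, not part of the original post and not FreeRADIUS code: a Python check over radiusd -X style output that reports how each Access-Request carried its credential and whether the Auth-Type the server selected can verify it. The diagnose function, its lookup tables and the sample text are constructed for illustration; only the Pam entry (rlm_pam needs User-Password) is taken from the thread.

```python
import re

# Attributes that identify how the NAS sent the credential, most specific first.
METHOD_ATTRS = [
    ("MS-CHAPv2", {"MS-CHAP-Challenge", "MS-CHAP2-Response"}),
    ("MS-CHAP", {"MS-CHAP-Challenge", "MS-CHAP-Response"}),
    ("CHAP", {"CHAP-Password"}),
    ("PAP", {"User-Password"}),
]
# What each Auth-Type can verify. Only Pam comes from the thread (rlm_pam
# requires User-Password); add entries that match your own configuration.
AUTH_TYPE_VERIFIES = {"pam": "PAP"}
ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*) = (.+?)\s*$")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type (\S+)")

def diagnose(debug_text):
    """Return one finding per Access-Request in radiusd -X style output."""
    findings = []
    for chunk in re.split(r"(?m)^rad_recv:", debug_text)[1:]:  # one per request
        attrs, auth_type = {}, None
        for line in chunk.splitlines():
            m = AUTH_TYPE_RE.search(line)
            if m:
                auth_type = m.group(1)
            elif (m := ATTR_RE.match(line)):
                attrs[m.group(1)] = m.group(2)
        method = next((n for n, need in METHOD_ATTRS if need.issubset(attrs)), None)
        verifies = AUTH_TYPE_VERIFIES.get((auth_type or "").lower())
        findings.append({
            "user": attrs.get("User-Name"),
            "method": method,
            "auth_type": auth_type,
            # None: cannot tell. False: the mismatch seen in the thread.
            "compatible": (verifies == method) if verifies and method else None,
        })
    return findings

# Constructed sample modelled on the debug output in the post; values shortened.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:4844, id=105, length=181
    User-Name = damiang
    MS-CHAP-Challenge = 0x00
    MS-CHAP2-Response = 0x00
rad_check_password:  Found Auth-Type Pam
rad_recv: Access-Request packet from host 127.0.0.1:4845, id=12, length=60
    User-Name = damiang
    User-Password = example
rad_check_password:  Found Auth-Type Pam
"""
```

Calling diagnose(SAMPLE) marks the first request (MS-CHAPv2 handed to Pam) as incompatible and the second (PAP handed to Pam) as compatible.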
Re: Problems authenticating with mpd, MSCHAPv2
Damian Gerow wrote:
> If I change the mpd configuration to use PAP instead of CHAP, I get
> authentication success, but then there's some weirdness going on on the mpd
> side of things that I'm also trying to figure out. Even though rlm_chap
> complains about not being able to find a proper Chap-Password attribute, I
> can see the MS-CHAP-Challenge and -Response right in the packet debug.

as I was told recently, you can't get there from here.

There is currently no way to authenticate via CHAP against a Windows domain from Linux. Alan explains this in the thread I started last week.

The best possibility I have found is using a radius relay and a Windows based radius server like Internet Authentication Service which comes with win2k server. Haven't tried to get it to work yet, but it is the most likely way to get it working.