Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Alan DeKok
Damian Gerow [EMAIL PROTECTED] wrote:
 Basically, I have set up mpd to authenticate via RADIUS, and I'm trying to
 have FreeRADIUS do its authentication via rlm_pam, so I can have mpd
 (indirectly) authenticate off of a Windows Domain (so PAM is configured to
 authenticate via pam_winbind, from the Samba3 distro).

  That will work for PAP.  Nothing else.

  The pam_winbind module doesn't do CHAP, or MS-CHAP.

 Even though rlm_chap complains about not being able to find a proper
 Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
 in the packet debug.

  But no CHAP-Password.  The names are different, that should be a
hint.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Damian Gerow
Thus spake Sean Perry ([EMAIL PROTECTED]) [09/09/03 19:55]:
 If I change the mpd configuration to use PAP instead of CHAP, I get
 authentication success, but then there's some weirdness going on on the mpd
 side of things that I'm also trying to figure out.
 
 Even though rlm_chap complains about not being able to find a proper
 Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
 in the packet debug.
 
 as I was told recently, you can't get there from here.

sigh

That's what I was afraid of...

 There is currently no way to authenticate via CHAP against a Windows 
 domain from Linux.  Alan explains this in the thread I started last week.

I have to do some reading up on CHAP.  Before I started this, I had
convinced myself, against my own judgement, that this would in fact be
possible.

 The best possibility I have found is using a radius relay and a Windows 
 based radius server like Internet Authentication Service which comes 
 with win2k server.  Haven't tried to get it to work yet, but it is the 
 most likely way to get it working.

Unfortunately the DC is not under my control.  I'll have to convince the
admins there to install the RADIUS server.  You don't happen to know if NT4
comes with one, do you?  /clutching at straws



Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Damian Gerow
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 10:10]:
  Even though rlm_chap complains about not being able to find a proper
  Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
  in the packet debug.
 
   But no CHAP-Password.  The names are different, that should be a
 hint.

(This is going off on a tangent...)

But rlm_chap consults the mschap module, does it not?  Ah, but it tells
mschap to look for Chap-Password, /not/ MS-CHAP-Password.  Okay, I'll stop
musing aloud, go re-learn myself some CHAP, and start over.

Thanks for the help.



Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Alan DeKok
Damian Gerow [EMAIL PROTECTED] wrote:
 But rlm_chap consults the mschap module, does it not?

  No.

 Ah, but it tells mschap to look for Chap-Password, /not/
 MS-CHAP-Password.

  No.

  Alan DeKok.



Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Damian Gerow
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 13:12]:
 Damian Gerow [EMAIL PROTECTED] wrote:
  But rlm_chap consults the mschap module, does it not?
 
   No.
 
  Ah, but it tells mschap to look for Chap-Password, /not/
  MS-CHAP-Password.
 
   No.

Okay...  So can I get an explanation as to what's going on here:

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 2
  modcall[authorize]: module files returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound

Is that saying, 'Could not contact the mschap module', or 'The mschap
module said it couldn't find a Chap-Password', or 'I'm not supposed to look
at the mschap module, even though it's somewhere in my configuration'?



Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Alan DeKok
Damian Gerow [EMAIL PROTECTED] wrote:
 Okay...  So can I get an explanation as to what's going on here:
 
 rlm_chap: Could not find proper Chap-Password attribute in request
   modcall[authorize]: module chap returns noop

  There's no CHAP-Password, so the 'chap' module doesn't do anything.

   modcall[authorize]: module mschap returns notfound

  You're using an old version of the server.  Upgrade to 0.9.1.

  Alan DeKok.



Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Damian Gerow
Thus spake Alan DeKok ([EMAIL PROTECTED]) [10/09/03 13:32]:
 Damian Gerow [EMAIL PROTECTED] wrote:
  Okay...  So can I get an explanation as to what's going on here:
  
  rlm_chap: Could not find proper Chap-Password attribute in request
    modcall[authorize]: module chap returns noop
 
   There's no CHAP-Password, so the 'chap' module doesn't do anything.

Makes sense.

    modcall[authorize]: module mschap returns notfound
 
   You're using an old version of the server.  Upgrade to 0.9.1.

I've been running 0.9.1 this entire time.  I just installed it yesterday,
from the FreeBSD ports system.



Re: Problems authenticating with mpd, MSCHAPv2

2003-09-10 Thread Alan DeKok
Damian Gerow [EMAIL PROTECTED] wrote:
    You're using an old version of the server.  Upgrade to 0.9.1.
 
 I've been running 0.9.1 this entire time.  I just installed it yesterday,
 from the FreeBSD ports system.

  Then you have an older version of rlm_mschap sitting around.

  The rlm_mschap module in 0.9.1 NEVER returns 'notfound' from the
'authorize' stage.

  Alan DeKok.



Problems authenticating with mpd, MSCHAPv2

2003-09-09 Thread Damian Gerow
I've found some similar references to the problem I'm having here:

http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017525.html

And I get an MS-Chap-Error similar to this:

http://lists.cistron.nl/pipermail/freeradius-users/2003-March/017052.html

Basically, I have set up mpd to authenticate via RADIUS, and I'm trying to
have FreeRADIUS do its authentication via rlm_pam, so I can have mpd
(indirectly) authenticate off of a Windows Domain (so PAM is configured to
authenticate via pam_winbind, from the Samba3 distro).

I've been banging my head against this for a while, and I'm at a loss.  Any
pointers would be greatly appreciated.  Here's the icky details...

I have FreeRADIUS set up properly, and have been able to use radtest to
authenticate successfully.  However, as soon as I introduce mpd into the
equation, this is what I see:

Login incorrect: [damiang/no User-Password attribute] (from client localhost port 0 cli 64.7.141.26)

At the same time I see this in the mpd logs:

Sep  9 18:30:21 virtek mpd: [pptp1] RADIUS: RadiusAddServer Adding 127.0.0.1
Sep  9 18:30:21 virtek mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: damiang
Sep  9 18:30:25 virtek mpd: [pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_REJECT for user damiang
Sep  9 18:30:25 virtek mpd: [pptp1] RADIUS: RadiusGetParams: MS-CHAP-Error: ^AE=691 R=1
Sep  9 18:30:25 virtek mpd: [pptp1] CHAP: sending FAILURE

If I change the mpd configuration to use PAP instead of CHAP, I get
authentication success, but then there's some weirdness going on on the mpd
side of things that I'm also trying to figure out.

Even though rlm_chap complains about not being able to find a proper
Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
in the packet debug.

Attached is an output of radiusd -X during one of the CHAP authentication
failures.  Again, any pointers, clue sticks, RTFM's, or suggestions would be
greatly appreciated.

  - Damian
rad_recv: Access-Request packet from host 127.0.0.1:4844, id=105, length=181
NAS-Identifier = me.sentex.ca
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 64.7.141.26
User-Name = damiang
MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127fc649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 2
  modcall[authorize]: module files returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Pam
auth: type PAM
modcall: entering group authenticate
rlm_pam: Attribute User-Password is required for authentication.
  modcall[authenticate]: module pam returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [damiang/no User-Password attribute] (from client localhost port 0 cli 64.7.141.26)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 105 to 127.0.0.1:4844
MS-CHAP-Error = \001E=691 R=1
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:4845, id=198, length=168
NAS-Identifier = me.sentex.ca
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = damiang
MS-CHAP-Challenge = 0xbb1e6878db6ef46964e20032b6553ef8
MS-CHAP2-Response = 0x0100776b215dac06f6137ce22c91b757127fc649289ce1433dc3c2a8e7f41fc2d82fe0d1384f2c715856
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = damiang, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 2
  modcall[authorize]: module files returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Pam
auth: type PAM
modcall: entering group authenticate
rlm_pam: Attribute User-Password is required for authentication.
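
Added example (not part of the original thread and not FreeRADIUS code): a small checker that reads `radiusd -X` style debug output, names the method each Access-Request used from the attributes it carried, and flags requests whose selected Auth-Type cannot verify that method, which is the mismatch visible in the trace above (MS-CHAPv2 attributes handed to PAM, which needs User-Password). The Auth-Type mapping, the function names and the sample trace are assumptions constructed for illustration.

```python
import re

# Which request methods each Auth-Type can verify (assumed mapping for this example).
AUTH_TYPE_ACCEPTS = {"pam": {"PAP"}, "chap": {"CHAP"},
                     "ms-chap": {"MS-CHAPv1", "MS-CHAPv2"}}

RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")
AUTH = re.compile(r"Found Auth-Type (\S+)")

def request_method(attrs):
    """Name the method the NAS used, judged only by the attributes it sent."""
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    for resp, name in (("MS-CHAP2-Response", "MS-CHAPv2"), ("MS-CHAP-Response", "MS-CHAPv1")):
        if "MS-CHAP-Challenge" in attrs and resp in attrs:
            return name
    return "unknown"

def diagnose(debug_text):
    """Return (id, method, auth_type, compatible); compatible is None for unmapped types."""
    findings, rid, attrs, in_attrs = [], None, {}, False
    for line in debug_text.splitlines():
        if (m := RECV.match(line)):
            rid, attrs, in_attrs = int(m.group(1)), {}, True
        elif in_attrs and (m := ATTR.match(line)):
            attrs[m.group(1)] = m.group(2)
        else:
            in_attrs = False  # first non-attribute line ends the attribute list
            if rid is not None and (m := AUTH.search(line)):
                accepts = AUTH_TYPE_ACCEPTS.get(m.group(1).lower())
                method = request_method(attrs)
                findings.append((rid, method, m.group(1),
                                 None if accepts is None else method in accepts))
    return findings

# Constructed sample in the shape of radiusd -X output; all values are placeholders.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:4844, id=1, length=181
    User-Name = testuser
    MS-CHAP-Challenge = 0x00000000000000000000000000000000
    MS-CHAP2-Response = 0x0100
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
  rad_check_password:  Found Auth-Type Pam
rad_recv: Access-Request packet from host 127.0.0.1:4845, id=2, length=60
    User-Password = "example"
  rad_check_password:  Found Auth-Type Pam
"""
```

Calling `diagnose(SAMPLE)` reports the first request as MS-CHAPv2 paired with Auth-Type Pam and marks it incompatible, while the PAP request with the same Auth-Type is marked compatible.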
  

Re: Problems authenticating with mpd, MSCHAPv2

2003-09-09 Thread Sean Perry
Damian Gerow wrote:

 If I change the mpd configuration to use PAP instead of CHAP, I get
 authentication success, but then there's some weirdness going on on the mpd
 side of things that I'm also trying to figure out.

 Even though rlm_chap complains about not being able to find a proper
 Chap-Password attribute, I can see the MS-CHAP-Challenge and -Response right
 in the packet debug.

as I was told recently, you can't get there from here.

There is currently no way to authenticate via CHAP against a Windows 
domain from Linux.  Alan explains this in the thread I started last week.

The best possibility I have found is using a radius relay and a Windows 
based radius server like Internet Authentication Service which comes 
with win2k server.  Haven't tried to get it to work yet, but it is the 
most likely way to get it working.


