Freeradius + Cisco PPTP + Win98

2003-12-12 Thread Sergio Sagliocco
Hi everybody,
I've a cisco 7100 to terminate PPTP/mppe vpn.
When I've configured it to authenticate through Freeradius+ldap, Win98 
(second edition) clients don't work anymore; the authentication 
process is ok, but then I cannot generate any kind of traffic; what is 
the problem? Can you help me?
thanks

--
Sergio SAGLIOCCO


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PPTP+RADIUS+LDAP+MSCHAP

2003-10-20 Thread Alan DeKok
"Jason Schultz" <[EMAIL PROTECTED]> wrote:
> I'm a newbie to radius and am trying to get mschap to authenticate over ppp
> using an ldap server.  I have read through many archives and checked the
> faq's but still no luck.

  The output of the server helps, too.

> rlm_ldap: Password header not found in password usertestpwd for user
> RadiusTestUID

  In the 'ldap' module, you've got:

> password_header = "{clear}"

  Try adding that to the password in LDAP.

> rad_recv: Access-Request packet from host 127.0.0.1:32807, id=111, length=59
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "RadiusTestUID"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0

  And that's an Access-Request without a password, CHAP password, or
MS-CHAP password.  The server will *never* authenticate it.

> modcall[authorize]: module "mschap" returns noop for request 0

  The "mschap" module hasn't seen anything it recognizes in the
packet.  MS-CHAP will never work with that packet.

  Alan DeKok.



PPTP+RADIUS+LDAP+MSCHAP

2003-10-20 Thread Jason Schultz
Hi.

I'm a newbie to radius and am trying to get mschap to authenticate over ppp
using an ldap server.  I have read through many archives and checked the
faq's but still no luck.  I can authenticate successfully using text
passwords and everything works fine connecting to poptop without radius.
I am storing the userpassword as text in ldap.  radiusd.conf and the output
from radius are below.  Any help would be appreciated!
tia


radiusd.conf:

modules {
   mschap {
      authtype = MS-CHAP
      use_mppe = yes
      require_encryption = yes
      require_strong = yes
   }
   ldap {
      server = "10.1.1.2"
      identity = "cn=Manager,dc=tsoftware,dc=com"
      password = mypass
      basedn = "dc=tsoftware,dc=com"
      filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
      start_tls = no
      access_attr = "dialupAccess"
      dictionary_mapping = ${raddbdir}/ldap.attrmap
      ldap_connections_number = 5
      password_header = "{clear}"
      password_attribute = userPassword
      timeout = 4
      timelimit = 3
      net_timeout = 1
      # access_attr_used_for_allow = yes
   }
}
authorize {
   preprocess
   ldap
   mschap
}
authenticate {
   Auth-Type MS-CHAP {
      mschap
   }
   # Auth-Type LDAP {
   #    ldap
   # }
}

radiusd output:

rad_recv: Access-Request packet from host 127.0.0.1:32807, id=111, length=59
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "RadiusTestUID"
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for RadiusTestUID
radius_xlat: '(uid=RadiusTestUID)'
radius_xlat: 'dc=tsoftware,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.1.2:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=tsoftware,dc=com/mypass to 10.1.1.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=tsoftware,dc=com, with filter (uid=RadiusTestUID)
rlm_ldap: checking if remote access for RadiusTestUID is allowed by dialupAccess
rlm_ldap: Password header not found in password usertestpwd for user RadiusTestUID
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user RadiusTestUID authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 111 to 127.0.0.1:32807
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 111 with timestamp 3f9438ca
Nothing to do. Sleeping until we see a request.




PPTP MS-CHAP Authorization from a CISCO NAS proxied to a Win2k IASradius server fails

2003-02-20 Thread Joe Maimon
Hello all,


I am trying to authorize PPTP dialins with MS-CHAP or MS-CHAPv2 from a 
Cisco nas. I do this by proxying the request to the Radius service that 
comes with windows2000. Structure:

[Win2k PPTP Client]
 |
[Cisco IOS 12.2.13T]
 |
[FreeRadius 8.0]
 |
[Win2k IAS Radius]

It fails with this message  'Required data enryption not supported.' 
when I use MS-CHAP. When I cut out freeradius from above step, all is 
fine for ms-chap (and for ms-chap-v2 I get 619 port not connected, but 
that's not a freeradius issue - see below with freeradius the ms-chap-v2 
error is different)

Is this something that can be attributed to FR?

Thanks for your help, debug and configs below.
Joe Maimon

Radius -X output for this request is:

--- Walking the entire request list ---
Cleaning up request 60 ID 107 with timestamp 3e559b8d
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 66.199.132.1:21677, id=108, length=161
   Framed-Protocol = PPP
   User-Name = "[EMAIL PROTECTED]"
   MS-CHAP-Challenge = 0xaba1c9739e933a4f
   MS-CHAP-Response = 0x0101ecc8cb00faa02ed703515e184606250828e23797205332c0
   NAS-Port-Type = Virtual
   Cisco-NAS-Port = "Uniq-Sess-ID299"
   NAS-Port = 299
   Service-Type = Framed-User
   NAS-IP-Address = 66.199.132.1
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
 modcall[authorize]: module "chap" returns noop
 modcall[authorize]: module "attr_filter" returns noop
   rlm_realm: Looking up realm ttec.com for User-Name = "[EMAIL PROTECTED]"
   rlm_realm: Found realm ttec.com
 rlm_realm: Proxying request from user joe to realm ttec.com
   rlm_realm: Adding Realm = "ttec.com"
rlm_realm:  Preparing to proxy authentication request to realm ttec.com
 modcall[authorize]: module "suffix" returns updated
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
 modcall[authorize]: module "sql" returns notfound
 modcall[authorize]: module "files" returns notfound
 modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns updated
Sending Access-Request of id 6 to 64.95.32.131:1812
   Framed-Protocol = PPP
   User-Name = "[EMAIL PROTECTED]"
   MS-CHAP-Challenge = 0xaba1c9739e933a4f
   MS-CHAP-Response = 0x0101ecc8cb00faa02ed703515e184606250828e23797205332c0
   NAS-Port-Type = Virtual
   Cisco-NAS-Port = "Uniq-Sess-ID299"
   NAS-Port = 299
   Service-Type = Framed-User
   NAS-IP-Address = 66.199.132.1
   Proxy-State = "108"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 64.95.32.131:1812, id=6, length=122
   Proxy-State = 0x313038
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Class = 0x471a051301370001405f208301c2c26443537f700029
   MS-CHAP-MPPE-Keys = 0x422837ab83ca71121f5348900a8fef9b551e01b69fdf4cbfaba1c9739e933a4f
   MS-CHAP-Domain = "\001TTEC"
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
 modcall[authorize]: module "chap" returns noop
 attr_filter: Matched entry DEFAULT at line 86
 modcall[authorize]: module "attr_filter" returns updated
   rlm_realm: Proxy reply, or no user name.  Ignoring.
 modcall[authorize]: module "suffix" returns noop
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName

PPTP + Cisco - is it possible for RADIUS server to allocate IPs?

2003-01-12 Thread Ruslan A Dautkhanov
Hello all,

I have a problem with Cisco - it does not accept (does not use) my
Framed-IP-Address attribute, but only uses Cisco's internal
IP pools for allocating IPs for PPTP users. Is it possible
for Cisco to accept RADIUS's Framed-IP-Address attribute to
correctly set up the IP address for an incoming PPTP user?
I have watched the attributes received from the NAS (Cisco) in
the accounting Stop packet, and have seen something interesting:
. . .
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "10.0.0.1"
Framed-IP-Address = 10.10.0.1
. . .

The 10.10.0.1 address is the (external) IP, which is used in NAT,
and the real client's IP is in the Tunnel-Client-Endpoint:0 attribute.
I think it is a problem - Cisco uses not the Framed-IP-Address
attribute as the IP of the end user, but another. How to influence
this situation? Is it possible to correct such Cisco behaviour?
Thanks a lot for any comments.


--
 best regards,
Ruslan A Dautkhanov   [EMAIL PROTECTED]







Cisco PPTP

2002-08-01 Thread Sergio Sagliocco

Hello

Has anyone on the list already configured freeradius to work with a 
Cisco IOS to authenticate users of a PPTP/MPPE VPN?

Can somebody help me?

thanks

sergio





Re: pptp & radius & mysql

2002-07-22 Thread Alan DeKok

"Nikodim Nikodimov" <[EMAIL PROTECTED]> wrote:
> I'm trying set freeradius-0.5 

  You should upgrade to the latest CVS snapshot.  0.7 will be released
very soon.

> Jul 22 14:30:33 proxy pppd[2626]: rc_check_reply: received invalid reply digest from RADIUS server

  So the shared secret is probably wrong.  Did you read the FAQ?

  And please don't CC me on messages to the list.  I *do* read the
list, and I *don't* like getting multiple copies of the same email.

  Alan DeKok.
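
Added example, not part of the original thread and not pppd or FreeRADIUS code: a Python illustration of the RFC 2865 Response Authenticator check behind the "invalid reply digest" message, showing how a shared-secret mismatch makes the client reject a reply the server considers valid. The secrets, packet id and Reply-Message text are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18  # attribute type number from RFC 2865


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: build a reply whose digest uses the server's secret."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def check_reply(packet, request_auth, secret):
    """Client side: recompute the digest with the client's copy of the secret."""
    if len(packet) < 20:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "bad length"
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "invalid reply digest"
    return "ok"


def demo():
    """Run the three cases on constructed data and return the verdicts."""
    request_auth = os.urandom(16)  # authenticator the client put in its request
    attrs = encode_attr(REPLY_MESSAGE, b"welcome")
    reply = build_reply(ACCESS_ACCEPT, 111, request_auth, attrs, b"server-secret")
    tampered = reply[:-1] + b"!"  # one attribute byte changed in transit
    return {
        "matching secret": check_reply(reply, request_auth, b"server-secret"),
        "mismatched secret": check_reply(reply, request_auth, b"client-typo"),
        "tampered attribute": check_reply(tampered, request_auth, b"server-secret"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Server-side CHAP verification does not involve the shared secret, so the server can log a successful login while the client still discards the reply; comparing the secret configured for this client on the server with the one on the NAS is the first check.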




pptp & radius & mysql

2002-07-22 Thread Nikodim Nikodimov



Hmm, I added another user with Attribute CHAP-Password in the radcheck
tables and here is my radius log:

Mon Jul 22 15:26:30 2002 : Auth: Login OK: [nick/] (from nas local port 0)

but I still can not connect and still receive:

Jul 22 15:26:30 proxy pppd[3759]: rcvd [CHAP Response id=0x1 , name = "nick"]
Jul 22 15:26:30 proxy pppd[3759]: rc_check_reply: received invalid reply digest from RADIUS server
Jul 22 15:26:30 proxy pppd[3759]: sent [CHAP Failure id=0x1 "I don't like you.  Go 'way."]
Jul 22 15:26:30 proxy pppd[3759]: CHAP peer authentication failed for remote host nick
Jul 22 15:26:30 proxy pppd[3759]: sent [LCP TermReq id=0x4 "Authentication failed"]
Jul 22 15:26:30 proxy pptpd[3758]: CTRL: Received PPTP Control Message (type: 15)
Jul 22 15:26:30 proxy pptpd[3758]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Jul 22 15:26:30 proxy pppd[3759]: rcvd [LCP TermAck id=0x4 "Authentication failed"]
Jul 22 15:26:30 proxy pppd[3759]: Connection terminated.
Jul 22 15:26:30 proxy pppd[3759]: Exit.
Jul 22 15:26:30 proxy pptpd[3758]: GRE: read(fd=5,buffer=804da00,len=8196) from PTY failed: status = -1 error = Input/output error
Jul 22 15:26:30 proxy pptpd[3758]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Jul 22 15:26:30 proxy pptpd[3758]: CTRL: Client 192.168.210.55 control connection finished
Jul 22 15:26:30 proxy pptpd[3758]: CTRL: Exiting now
Jul 22 15:26:30 proxy pptpd[3640]: MGR: Reaped child 3758
 
Best Regards
NN
 
--
Risk Engineering Ltd.         Nikodim Nikodimov
34 Totleben Bulv.             System Administrator
Sofia 1604, Bulgaria          e-mail: [EMAIL PROTECTED]
http://www.riskeng.bg/        Phone: +359 (2) 9525236-110


pptp & radius & mysql

2002-07-22 Thread Nikodim Nikodimov



Hi there,
 
I'm trying to set up freeradius-0.5 to authenticate through a mysql
database, and I'm receiving the following log:
...
Jul 22 14:30:23 proxy pppd[2626]: rcvd [CHAP Response id=0x1 <25aa03e195d05d392570518bf79a3ed0>, name = "dizma"]
Jul 22 14:30:33 proxy pppd[2626]: rc_check_reply: received invalid reply digest from RADIUS server
Jul 22 14:30:33 proxy pppd[2626]: sent [CHAP Failure id=0x1 "I don't like you.  Go 'way."]
Jul 22 14:30:33 proxy pppd[2626]: CHAP peer authentication failed for remote host dizma
Jul 22 14:30:33 proxy pppd[2626]: sent [LCP TermReq id=0x4 "Authentication failed"]
Jul 22 14:30:33 proxy pppd[2626]: rcvd [CHAP Response id=0x1 <25aa03e195d05d392570518bf79a3ed0>, name = "dizma"]
Jul 22 14:30:33 proxy last message repeated 2 times
Jul 22 14:30:33 proxy pptpd[2625]: CTRL: Received PPTP Control Message (type: 15)
Jul 22 14:30:33 proxy pptpd[2625]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Jul 22 14:30:33 proxy pppd[2626]: rcvd [LCP TermAck id=0x4 "Authentication failed"]
Jul 22 14:30:33 proxy pppd[2626]: Connection terminated.
Jul 22 14:30:33 proxy pppd[2626]: Exit.
Jul 22 14:30:33 proxy pptpd[2625]: GRE: read(fd=5,buffer=804da00,len=8196) from PTY failed: status = -1 error = Input/output error
Jul 22 14:30:33 proxy pptpd[2625]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Jul 22 14:30:33 proxy pptpd[2625]: CTRL: Client 192.168.210.55 control connection finished
Jul 22 14:30:33 proxy pptpd[2625]: CTRL: Exiting now
Jul 22 14:30:33 proxy pptpd[2007]: MGR: Reaped child 2625

and the following radius log:

Mon Jul 22 14:30:23 2002 : Auth: Login incorrect: [dizma/] (from nas local port 0)
Mon Jul 22 14:30:33 2002 : Info: Sending duplicate authentication reply to client 192.168.210.2:32770 - ID: 111

I think that I didn't configure the CHAP authentication correctly.
Can someone help me please?
 
NN
 

--
Risk Engineering Ltd.         Nikodim Nikodimov
34 Totleben Bulv.             System Administrator
Sofia 1604, Bulgaria          e-mail: [EMAIL PROTECTED]
http://www.riskeng.bg/        Phone: +359 (2) 9525236-110


pptp & radius & mysql

2002-07-08 Thread Nikodim Nikodimov



Can someone give me some guidelines on how to make my
pptp server authenticate through radius and mysql?
The problem is actually to make pptp speak to
radius, I think...
 
Thanks
NN

--
Risk Engineering Ltd.         Nikodim Nikodimov
34 Totleben Bulv.             System Administrator
Sofia 1604, Bulgaria          e-mail: [EMAIL PROTECTED]
http://www.riskeng.bg/        Phone: +359 (2) 9525236-110


Re: PPTP+MSCHAPv2+FreeRadius+SQL(Postgres)

2002-07-02 Thread 3APA3A

Dear Sergey Holod,


--Tuesday, July 2, 2002, 12:57:51 AM, you wrote to [EMAIL PROTECTED]:


SH> From looking on configs, it seems that MSCHAPv2 authentification info may be
SH> only in smbpasswd file..

rlm_mschap  is  authentication  module. You can store your passwords and
authorize  users  via  any  module  (SQL, LDAP, etc). All you need is to
obtain  either  plaintext Password or encoded NT-Password from database.
smbpasswd  support  in  rlm_mschap is for compatibility only, it will be
removed in newer versions.

-- 
~/ZARAZA





Re: PPTP+MSCHAPv2+FreeRadius+SQL(Postgres)

2002-07-01 Thread rust

Hello Sergey,

Tuesday, July 02, 2002, 12:57:51 AM, you wrote:

SH> Hi!

SH> We need subj.
SH> In general, idea is to identificate users, who are connected by ethernet+hub 
SH> to router, and then give them access to internet.
SH> Because they can use sniffers, we need MSCHAPv2 as a most secure
SH> method which exists on most OSes.

Use pppd 2.4.2 from ftp://pserver.samba.org/pub/unpacked/ppp/
Compile it, put in options:

plugin radius.so


SH> And need central user database and authentification (Radius+SQL) + accounting.

SH> _Question_, is it possible to make subj with FreeRadius?

SH> From looking on configs, it seems that MSCHAPv2 authentification info may be
SH> only in smbpasswd file..




-- 
Best regards,
 rust                          mailto:[EMAIL PROTECTED]





Re: PPTP+MSCHAPv2+FreeRadius+SQL(Postgres)

2002-07-01 Thread Alan DeKok

Sergey Holod <[EMAIL PROTECTED]> wrote:
> In general, idea is to identificate users, who are connected by ethernet+hub 
> to router, and then give them access to internet.

  Huh?  How many hubs do authentication?

> Because they can use sniffers, we need MSCHAPv2 as a most secure
> method which exists on most OSes.

  Uh, I doubt that.  CHAP should be fine.  Whoever told you that
MSCHAPv2 was the "most secure" was interested more in politics than in
practicalities.

  CHAP and SQL work fine in the latest CVS.

  Alan DeKok.






PPTP+MSCHAPv2+FreeRadius+SQL(Postgres)

2002-07-01 Thread Sergey Holod

Hi!

We need subj.
In general, idea is to identificate users, who are connected by ethernet+hub 
to router, and then give them access to internet.
Because they can use sniffers, we need MSCHAPv2 as a most secure
method which exists on most OSes.
And need central user database and authentification (Radius+SQL) + accounting.

_Question_, is it possible to make subj with FreeRadius?

From looking on configs, it seems that MSCHAPv2 authentification info may be 
only in smbpasswd file..

-- 
With Best Regards,
Sergey Holod
SAH1-RIPE




Re[6]: PPTP

2002-06-05 Thread 3APA3A

Dear Gonzalez, Pedro,

crypt() can't be used for MS-CHAP passwords. You should use some utility
to make NT-Password and/or LM-Password from cleartext password.

--Tuesday, June 4, 2002, 11:54:52 PM, you wrote to [EMAIL PROTECTED]:

>> 
>> What's the way to encrypt the passwords in the database. 
>> 
>> I am using...
>> 
>> mysql> update radcheck set value = encrypt('pptp2002') where id = 730;
>> 
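>> +-----+----------+-------------+---------------+------+
>> | id  | UserName | Attribute   | Value         | op   |
>> +-----+----------+-------------+---------------+------+
>> | 732 | pptp     | Auth-Type   | MS-CHAP       | :=   |
>> | 730 | pptp     | NT-Password | uFdiBao.l.ijQ | :=   |
>> +-----+----------+-------------+---------------+------+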
>> 
>> This is what I got:
>> 
>> rlm_sql: Released sql socket id: 4
>>   modcall[authorize]: module "sql" returns ok
>>   modcall[authorize]: module "mschap" returns ok
>> modcall: group authorize returns ok
>>   rad_check_password:  Found Auth-Type MS-CHAP
>> auth: type "MS-CHAP"
>> modcall: entering group authenticate
>> rlm_mschap: Invalid NT Password text
>>   modcall[authenticate]: module "mschap" returns reject
>> modcall: group authenticate returns reject
>> ....
>> 
>> > -Original Message-
>> > From: 3APA3A [mailto:[EMAIL PROTECTED]]
>> > Sent: Tuesday, June 04, 2002 11:04 AM
>> > To: [EMAIL PROTECTED]; Gonzalez, Pedro
>> > Cc: '[EMAIL PROTECTED]'
>> > Subject: Re[4]: PPTP
>> > 
>> > 
>> > Dear Gonzalez, Pedro,
>> > 
>> > You  have  Password  attribute configures for user. It means 
>> > you need to
>> > have  mschap  in  authorize{}.  You  have  to  configure 
>> > NT-Password and
>> > LM-Password if you want to use MS-crypted passwords.
>> > 
>> > --Tuesday, June 4, 2002, 6:53:01 PM, you wrote to 
>> > [EMAIL PROTECTED]:
>> > 
>> 



-- 
~/ZARAZA





Re[6]: PPTP

2002-06-04 Thread rust

Hello Pedro,

Tuesday, June 04, 2002, 11:54:52 PM, you wrote:

>> 
>> What's the way to encrypt the passwords in the database. 
>> 
>> I am using...
>> 
>> mysql> update radcheck set value = encrypt('pptp2002') where id = 730;
>> 
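>> +-----+----------+-------------+---------------+------+
>> | id  | UserName | Attribute   | Value         | op   |
>> +-----+----------+-------------+---------------+------+
>> | 732 | pptp     | Auth-Type   | MS-CHAP       | :=   |
>> | 730 | pptp     | NT-Password | uFdiBao.l.ijQ | :=   |
>> +-----+----------+-------------+---------------+------+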


Sorry for bad English
You did not read my previous letter :(
I gave you in detail my working configuration for MS-CHAP + pptp


NT-Password is NOT encrypt password :(


Use program by [EMAIL PROTECTED] (big thanks)

put it to rlm_mschap and compile

gcc -o smbencrypt deskey.c desport.c smbencrypt.c md4c.c


$ smbencrypt qwerty        <-Pass 'qwerty'
LM Hash                          NT Hash
598DDCE2660D3193AAD3B435B51404EE 2D20D252A479F485CDF5E171D93985BF

Now do
>> mysql> update radcheck set value = '2D20D252A479F485CDF5E171D93985BF' where id = 730;

>select id,UserName,Attribute,Value,op from radcheck where UserName='q1test';
+-----+----------+-------------+----------------------------------+------+
| id  | UserName | Attribute   | Value                            | op   |
+-----+----------+-------------+----------------------------------+------+
| 310 | q1test   | NT-Password | 2D20D252A479F485CDF5E171D93985BF | :=   |
+-----+----------+-------------+----------------------------------+------+
1 row in set (0.00 sec)



Change in sql.conf

authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' OR Attribute = 'NT-Password') ORDER BY Attribute DESC"





-- 
Best regards,
 rust                          mailto:[EMAIL PROTECTED]


smbencrypt.c
Description: Binary data


RE: Re[4]: PPTP

2002-06-04 Thread Gonzalez, Pedro

> 
> What's the way to encrypt the passwords in the database. 
> 
> I am using...
> 
> mysql> update radcheck set value = encrypt('pptp2002') where id = 730;
> 
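> +-----+----------+-------------+---------------+------+
> | id  | UserName | Attribute   | Value         | op   |
> +-----+----------+-------------+---------------+------+
> | 732 | pptp     | Auth-Type   | MS-CHAP       | :=   |
> | 730 | pptp     | NT-Password | uFdiBao.l.ijQ | :=   |
> +-----+----------+-------------+---------------+------+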
> 
> This is what I got:
> 
> rlm_sql: Released sql socket id: 4
>   modcall[authorize]: module "sql" returns ok
>   modcall[authorize]: module "mschap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
> modcall: entering group authenticate
> rlm_mschap: Invalid NT Password text
>   modcall[authenticate]: module "mschap" returns reject
> modcall: group authenticate returns reject
> 
> 
> > -Original Message-
> > From: 3APA3A [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, June 04, 2002 11:04 AM
> > To: [EMAIL PROTECTED]; Gonzalez, Pedro
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re[4]: PPTP
> > 
> > 
> > Dear Gonzalez, Pedro,
> > 
> > You  have  Password  attribute configures for user. It means 
> > you need to
> > have  mschap  in  authorize{}.  You  have  to  configure 
> > NT-Password and
> > LM-Password if you want to use MS-crypted passwords.
> > 
> > --Tuesday, June 4, 2002, 6:53:01 PM, you wrote to 
> > [EMAIL PROTECTED]:
> > 
> 




Re[6]: PPTP

2002-06-04 Thread 3APA3A

Dear Alan DeKok,



--Tuesday, June 4, 2002, 8:22:09 PM, you wrote to [EMAIL PROTECTED]:


AD>   The authorize section of the MSCHAP module can still set Auth-Type
AD> to MSCHAP.  But if another module sets Auth-Type to MSCHAP, you
AD> shouldn't need mschap in authorize.

OK. I'll move this code to authenticate.

-- 
~/ZARAZA





Re: Re[4]: PPTP

2002-06-04 Thread Alan DeKok

3APA3A <[EMAIL PROTECTED]> wrote:
> You  have  Password  attribute configures for user. It means you need to
> have  mschap  in  authorize{}.  You  have  to  configure NT-Password and
> LM-Password if you want to use MS-crypted passwords.

  Which is why I would prefer to have all of that work done in the
authenticate section of the MSCHAP module.

  The authorize section of the MSCHAP module can still set Auth-Type
to MSCHAP.  But if another module sets Auth-Type to MSCHAP, you
shouldn't need mschap in authorize.

  Alan DeKok.




Re[4]: PPTP

2002-06-04 Thread 3APA3A

Dear Gonzalez, Pedro,

You  have  Password  attribute configures for user. It means you need to
have  mschap  in  authorize{}.  You  have  to  configure NT-Password and
LM-Password if you want to use MS-crypted passwords.

--Tuesday, June 4, 2002, 6:53:01 PM, you wrote to [EMAIL PROTECTED]:

GP> This is what I have now. Still not working but I think we have made some
GP> progress.

GP> rad_recv: Access-Request packet from host 10.16.3.98:1331, id=16, length=145
GP> User-Name = "pptp"
GP> NAS-Port = 3789
GP> Service-Type = Framed-User
GP> Framed-Protocol = PPP
GP> Tunnel-Client-Endpoint:0 = "64.218.189.47"
GP> MS-CHAP-Response = 0x0201194aab92ae3a1eaa9e281a9640a207ec802943af2ade44f8
GP> MS-CHAP-Challenge = 0xa91b47b2c20a4b44
GP> NAS-IP-Address = 10.16.3.98
GP> NAS-Port-Type = Virtual
GP> ..
GP> rlm_sql: Released sql socket id: 4
GP>   modcall[authorize]: module "sql" returns ok
GP>   modcall[authorize]: module "mschap" returns ok
GP> modcall: group authorize returns ok
GP>   rad_check_password:  Found Auth-Type MS-CHAP
GP> auth: type "MS-CHAP"
GP> modcall: entering group authenticate
GP>   modcall[authenticate]: module "mschap" returns reject
GP> modcall: group authenticate returns reject
GP> auth: Failed to validate the user.

GP> Database:

GP> mysql> select * from radcheck where username = 'pptp';
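GP> +-----+----------+-----------+---------------+------+
GP> | id  | UserName | Attribute | Value         | op   |
GP> +-----+----------+-----------+---------------+------+
GP> | 730 | pptp     | Password  | ctBFfcBOu1j4g | :=   |
GP> +-----+----------+-----------+---------------+------+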
GP> 1 row in set (0.00 sec)

GP> mysql> select * from radgroupcheck where groupname = 'pptp';
GP> +----+-----------+-------------------+-------------+------+
GP> | id | GroupName | Attribute         | Value       | op   |
GP> +----+-----------+-------------------+-------------+------+
GP> | 21 | pptp      | Auth-Type         | MS-CHAP     | :=   |
GP> | 22 | pptp      | Framed-Protocol   | PPP         | :=   |
GP> | 23 | pptp      | Service-Type      | Framed-User | :=   |
GP> | 24 | pptp      | MS-Acct-Auth-Type | MS-CHAP-2   | :=   |
GP> +----+-----------+-------------------+-------------+------+
GP> 4 rows in set (0.00 sec)

>> -Original Message-
>> From: Gonzalez, Pedro [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, June 04, 2002 9:13 AM
>> To: '[EMAIL PROTECTED]'
>> Subject: RE: Re[2]: PPTP
>> 
>> 
>> Dear 3APA3A,
>> 
>> What's the dictionary's attribute entry for Auth-Type MS-CHAP?
>> 
>> Thanks
>> Pedro
>> 
>> > -Original Message-
>> > From: 3APA3A [mailto:[EMAIL PROTECTED]]
>> > Sent: Tuesday, June 04, 2002 7:42 AM
>> > To: Gonzalez, Pedro
>> > Subject: Re[2]: PPTP
>> > 
>> > 
>> > Dear Gonzalez, Pedro,
>> > 
>> > 
>> > --Tuesday, June 4, 2002, 4:27:00 PM, you wrote to 
>> > [EMAIL PROTECTED]:
>> > 
>> > GP> 3APA3A
>> > 
>> > GP> I had mschap in the authentication {} section. I did not 
>> > have mschap in
>> > GP> authorize {} section though. From your recomendation you 
>> > are saying that if
>> > GP> I have clear text passwords I have to enable mschap in 
>> > authorize {} section?
>> > GP> and if I want to use encrypted passwords I don't?
>> > 
>> > Yes, mschap in authorize{} may be required for one of 2 purposes:
>> > 
>> > 1. Convert cleartext password to NT/LM passwords
>> > 2. Autodetect  MS-CHAP  authentication  (in  a case user 
>> > allowed to use
>> > different authentication type).
>> > 
>> > GP> The point is I am using encrypted password for most of my 
>> > users. I was
>> > GP> testing this one that is clear text password but I am 
>> > converting all my
>> > GP> users to encrypted password so they feel better about 
>> > their privacy.
>> > 
>> > GP> I'll do the testing this afternoon.
>> > 
>> > GP> Thanks
>> > GP> Pedro
>> > 
>> > >> -Original Message-
>> > >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
>> > >> Sent: Tuesday, June 04, 2002 4:12 AM
>> > >> To: Gonzalez, Pedro
>> > >> Subject: Re: PPTP
>> > >> 
>> > >> 

Re: PPTP

2002-06-04 Thread Alan DeKok

"Gonzalez, Pedro" <[EMAIL PROTECTED]> wrote:
> Could you tell me how to activate MS-CHAP authentication?

  Don't tell it to use 'Local'

> These are user's attributes
>  
> +-----+----------+-------------------+----------+------+
> | id  | UserName | Attribute         | Value    | op   |
> +-----+----------+-------------------+----------+------+
> | 727 | shicks   | MS-CHAP-Challenge | password | :=   |
> | 728 | shicks   | Auth-Type         | Local    | :=   |

  That's the problem.  It's doing what you tell it to do, NOT what you
want it to do.

  Alan DeKok.




RE: Re[2]: PPTP

2002-06-04 Thread Gonzalez, Pedro

This is what I have now. Still not working but I think we have made some
progress.

rad_recv: Access-Request packet from host 10.16.3.98:1331, id=16, length=145
User-Name = "pptp"
NAS-Port = 3789
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "64.218.189.47"
MS-CHAP-Response = 0x0201194aab92ae3a1eaa9e281a9640a207ec802943af2ade44f8
MS-CHAP-Challenge = 0xa91b47b2c20a4b44
NAS-IP-Address = 10.16.3.98
NAS-Port-Type = Virtual
..
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
  modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.

Database:

mysql> select * from radcheck where username = 'pptp';
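+-----+----------+-----------+---------------+------+
| id  | UserName | Attribute | Value         | op   |
+-----+----------+-----------+---------------+------+
| 730 | pptp     | Password  | ctBFfcBOu1j4g | :=   |
+-----+----------+-----------+---------------+------+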
1 row in set (0.00 sec)

mysql> select * from radgroupcheck where groupname = 'pptp';
+----+-----------+-------------------+-------------+------+
| id | GroupName | Attribute         | Value       | op   |
+----+-----------+-------------------+-------------+------+
| 21 | pptp      | Auth-Type         | MS-CHAP     | :=   |
| 22 | pptp      | Framed-Protocol   | PPP         | :=   |
| 23 | pptp      | Service-Type      | Framed-User | :=   |
| 24 | pptp      | MS-Acct-Auth-Type | MS-CHAP-2   | :=   |
+----+-----------+-------------------+-------------+------+
4 rows in set (0.00 sec)

> -Original Message-
> From: Gonzalez, Pedro [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 9:13 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Re[2]: PPTP
> 
> 
> Dear 3APA3A,
> 
> What's the dictionary's attribute entry for Auth-Type MS-CHAP?
> 
> Thanks
> Pedro
> 
> > -----Original Message-
> > From: 3APA3A [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, June 04, 2002 7:42 AM
> > To: Gonzalez, Pedro
> > Subject: Re[2]: PPTP
> > 
> > 
> > Dear Gonzalez, Pedro,
> > 
> > 
> > --Tuesday, June 4, 2002, 4:27:00 PM, you wrote to 
> > [EMAIL PROTECTED]:
> > 
> > GP> 3APA3A
> > 
> > GP> I had mschap in the authentication {} section. I did not 
> > have mschap in
> > GP> authorize {} section though. From your recomendation you 
> > are saying that if
> > GP> I have clear text passwords I have to enable mschap in 
> > authorize {} section?
> > GP> and if I want to use encrypted passwords I don't?
> > 
> > Yes, mschap in authorize{} may be required for one of 2 purposes:
> > 
> > 1. Convert cleartext password to NT/LM passwords
> > 2. Autodetect  MS-CHAP  authentication  (in  a case user 
> > allowed to use
> > different authentication type).
> > 
> > GP> The point is I am using encrypted password for most of my 
> > users. I was
> > GP> testing this one that is clear text password but I am 
> > converting all my
> > GP> users to encrypted password so they feel better about 
> > their privacy.
> > 
> > GP> I'll do the testing this afternoon.
> > 
> > GP> Thanks
> > GP> Pedro
> > 
> > >> -Original Message-
> > >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> > >> Sent: Tuesday, June 04, 2002 4:12 AM
> > >> To: Gonzalez, Pedro
> > >> Subject: Re: PPTP
> > >> 
> > >> 
> > >> Dear Gonzalez, Pedro,
> > >> 
> > >> Add  mschap to authorize{} section (if you store cleartext 
> > >> password) and
> > >> to  authenticate{} section, set Auth-Type to MS-CHAP instead 
> > >> of Local or
> > >> add authtype = MS-CHAP to mschap module configuration.
> > >> 
> > >> --Tuesday, June 4, 2002, 12:29:38 AM, you wrote to 
> > >> [EMAIL PROTECTED]:
> > >> 
> > >> GP> Could you tell me how to activate MS-CHAP authentication?
> > >>  
> > >> GP> This is the request:
> > >>  
> > >> GP> rad_recv: Access-Request packet from host 
> > >> 10.16.3.98:1331, id=11, length=154
> > >> GP> User-

RE: Re[2]: PPTP

2002-06-04 Thread Gonzalez, Pedro

Dear 3APA3A,

What's the dictionary's attribute entry for Auth-Type MS-CHAP?

Thanks
Pedro

> -Original Message-
> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 7:42 AM
> To: Gonzalez, Pedro
> Subject: Re[2]: PPTP
> 
> 
> Dear Gonzalez, Pedro,
> 
> 
> --Tuesday, June 4, 2002, 4:27:00 PM, you wrote to 
> [EMAIL PROTECTED]:
> 
> GP> 3APA3A
> 
> GP> I had mschap in the authentication {} section. I did not 
> have mschap in
> GP> authorize {} section though. From your recommendation you 
> are saying that if
> GP> I have clear text passwords I have to enable mschap in 
> authorize {} section?
> GP> and if I want to use encrypted passwords I don't?
> 
> Yes, mschap in authorize{} may be required for one of 2 purposes:
> 
> 1. Convert cleartext password to NT/LM passwords
> 2. Autodetect  MS-CHAP  authentication  (in  a case user 
> allowed to use
> different authentication type).
> 
> GP> The point is I am using encrypted password for most of my 
> users. I was
> GP> testing this one that is clear text password but I am 
> converting all my
> GP> users to encrypted password so they feel better about 
> their privacy.
> 
> GP> I'll do the testing this afternoon.
> 
> GP> Thanks
> GP> Pedro
> 
> >> -Original Message-
> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> Sent: Tuesday, June 04, 2002 4:12 AM
> >> To: Gonzalez, Pedro
> >> Subject: Re: PPTP
> >> 
> >> 
> >> Dear Gonzalez, Pedro,
> >> 
> >> Add  mschap to authorize{} section (if you store cleartext 
> >> password) and
> >> to  authenticate{} section, set Auth-Type to MS-CHAP instead 
> >> of Local or
> >> add authtype = MS-CHAP to mschap module configuration.
> >> 
> >> --Tuesday, June 4, 2002, 12:29:38 AM, you wrote to 
> >> [EMAIL PROTECTED]:
> >> 
> >> GP> Could you tell me how to activate MS-CHAP authentication?
> >>  
> >> GP> This is the request:
> >>  
> >> GP> rad_recv: Access-Request packet from host 
> >> 10.16.3.98:1331, id=11, length=154
> >> GP> User-Name = "shicks"
> >> GP> NAS-Port = 3753
> >> GP> Service-Type = Framed-User
> >> GP> Framed-Protocol = PPP
> >> GP> Tunnel-Client-Endpoint:0 = "68.15.204.39"
> >> GP> MS-CHAP-Challenge = 0x425bf34f5b693a8420d8416da4c333d6
> >> GP> MS-CHAP2-Response =
> >> GP> 
> >> 0x020087aa098db1d035629ac54738288a0fef9b2efc6e
> >> c56f127ec72e10
> >> GP> 5a50c3c706c899c3d133c8d5db
> >> GP> NAS-IP-Address = 10.16.3.98
> >> GP> NAS-Port-Type = Virtual.
> >> 
> >> GP> This is the result:
> >>  
> >> GP> 
> >> GP> rlm_sql: Released sql socket id: 4
> >> GP> rlm_sql_authorize: no rows returned from query (no such user)
> >> GP>   modcall[authorize]: module "sql" returns ok
> >> GP> modcall: group authorize returns ok
> >> GP>   rad_check_password:  Found Auth-Type Local
> >> GP> auth: type Local
> >> GP> auth: No User-Password or CHAP-Password attribute in 
> the request
> >> GP> auth: Failed to validate the user.
> >> 
> >> GP> These are user's attributes
> >>  
> >> GP> +-----+----------+-------------------+-----------+------+
> >> GP> | id  | UserName | Attribute         | Value     | op   |
> >> GP> +-----+----------+-------------------+-----------+------+
> >> GP> | 727 | shicks   | MS-CHAP-Challenge | password  | :=   |
> >> GP> | 728 | shicks   | Auth-Type         | Local     | :=   |
> >> GP> | 726 | shicks   | MS-Acct-Auth-Type | MS-CHAP-2 | :=   |
> >> GP> +-----+----------+-------------------+-----------+------+
> >>  
> >> GP> Thanks
> >> GP> Pedro
> >> 
> >> 
> >> -- 
> >> ~/ZARAZA
> >> So, I will be brief. (Twain)
> >> 
> >> 
> >> 
> 
> 
> 
> -- 
> ~/ZARAZA
> Alcoholism poses a particular problem.  (Lem)
> 
> 
> 




Re[2]: PPTP

2002-06-04 Thread 3APA3A

Dear Gonzalez, Pedro,


--Tuesday, June 4, 2002, 4:27:00 PM, you wrote to [EMAIL PROTECTED]:

GP> 3APA3A

GP> I had mschap in the authentication {} section. I did not have mschap in
GP> authorize {} section though. From your recommendation you are saying that if
GP> I have clear text passwords I have to enable mschap in authorize {} section?
GP> and if I want to use encrypted passwords I don't?

Yes, mschap in authorize{} may be required for one of 2 purposes:

1. Convert cleartext password to NT/LM passwords
2. Autodetect  MS-CHAP  authentication  (in  a case user allowed to use
different authentication type).

GP> The point is I am using encrypted password for most of my users. I was
GP> testing this one that is clear text password but I am converting all my
GP> users to encrypted password so they feel better about their privacy.

GP> I'll do the testing this afternoon.

GP> Thanks
GP> Pedro

>> -Original Message-
>> From: 3APA3A [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, June 04, 2002 4:12 AM
>> To: Gonzalez, Pedro
>> Subject: Re: PPTP
>> 
>> 
>> Dear Gonzalez, Pedro,
>> 
>> Add  mschap to authorize{} section (if you store cleartext 
>> password) and
>> to  authenticate{} section, set Auth-Type to MS-CHAP instead 
>> of Local or
>> add authtype = MS-CHAP to mschap module configuration.
>> 
>> --Tuesday, June 4, 2002, 12:29:38 AM, you wrote to 
>> [EMAIL PROTECTED]:
>> 
>> GP> Could you tell me how to activate MS-CHAP authentication?
>>  
>> GP> This is the request:
>>  
>> GP> rad_recv: Access-Request packet from host 
>> 10.16.3.98:1331, id=11, length=154
>> GP> User-Name = "shicks"
>> GP> NAS-Port = 3753
>> GP> Service-Type = Framed-User
>> GP> Framed-Protocol = PPP
>> GP> Tunnel-Client-Endpoint:0 = "68.15.204.39"
>> GP> MS-CHAP-Challenge = 0x425bf34f5b693a8420d8416da4c333d6
>> GP> MS-CHAP2-Response =
>> GP> 
>> 0x020087aa098db1d035629ac54738288a0fef9b2efc6e
>> c56f127ec72e10
>> GP> 5a50c3c706c899c3d133c8d5db
>> GP> NAS-IP-Address = 10.16.3.98
>> GP> NAS-Port-Type = Virtual.
>> 
>> GP> This is the result:
>>  
>> GP> 
>> GP> rlm_sql: Released sql socket id: 4
>> GP> rlm_sql_authorize: no rows returned from query (no such user)
>> GP>   modcall[authorize]: module "sql" returns ok
>> GP> modcall: group authorize returns ok
>> GP>   rad_check_password:  Found Auth-Type Local
>> GP> auth: type Local
>> GP> auth: No User-Password or CHAP-Password attribute in the request
>> GP> auth: Failed to validate the user.
>> 
>> GP> These are user's attributes
>>  
>> GP> +-----+----------+-------------------+-----------+------+
>> GP> | id  | UserName | Attribute         | Value     | op   |
>> GP> +-----+----------+-------------------+-----------+------+
>> GP> | 727 | shicks   | MS-CHAP-Challenge | password  | :=   |
>> GP> | 728 | shicks   | Auth-Type         | Local     | :=   |
>> GP> | 726 | shicks   | MS-Acct-Auth-Type | MS-CHAP-2 | :=   |
>> GP> +-----+----------+-------------------+-----------+------+
>>  
>> GP> Thanks
>> GP> Pedro
>> 
>> 
>> -- 
>> ~/ZARAZA
>> So, I will be brief. (Twain)
>> 
>> 
>> 



-- 
~/ZARAZA
Alcoholism poses a particular problem.  (Lem)





RE: PPTP

2002-06-04 Thread Gonzalez, Pedro

3APA3A

I had mschap in the authentication {} section. I did not have mschap in
authorize {} section though. From your recommendation you are saying that if
I have clear text passwords I have to enable mschap in authorize {} section?
and if I want to use encrypted passwords I don't?

The point is I am using encrypted password for most of my users. I was
testing this one that is clear text password but I am converting all my
users to encrypted password so they feel better about their privacy.

I'll do the testing this afternoon.

Thanks
Pedro

> -Original Message-
> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 4:12 AM
> To: Gonzalez, Pedro
> Subject: Re: PPTP
> 
> 
> Dear Gonzalez, Pedro,
> 
> Add  mschap to authorize{} section (if you store cleartext 
> password) and
> to  authenticate{} section, set Auth-Type to MS-CHAP instead 
> of Local or
> add authtype = MS-CHAP to mschap module configuration.
> 
> --Tuesday, June 4, 2002, 12:29:38 AM, you wrote to 
> [EMAIL PROTECTED]:
> 
> GP> Could you tell me how to activate MS-CHAP authentication?
>  
> GP> This is the request:
>  
> GP> rad_recv: Access-Request packet from host 
> 10.16.3.98:1331, id=11, length=154
> GP> User-Name = "shicks"
> GP> NAS-Port = 3753
> GP> Service-Type = Framed-User
> GP> Framed-Protocol = PPP
> GP> Tunnel-Client-Endpoint:0 = "68.15.204.39"
> GP> MS-CHAP-Challenge = 0x425bf34f5b693a8420d8416da4c333d6
> GP> MS-CHAP2-Response =
> GP> 
> 0x020087aa098db1d035629ac54738288a0fef9b2efc6e
> c56f127ec72e10
> GP> 5a50c3c706c899c3d133c8d5db
> GP> NAS-IP-Address = 10.16.3.98
> GP> NAS-Port-Type = Virtual.
> 
> GP> This is the result:
>  
> GP> 
> GP> rlm_sql: Released sql socket id: 4
> GP> rlm_sql_authorize: no rows returned from query (no such user)
> GP>   modcall[authorize]: module "sql" returns ok
> GP> modcall: group authorize returns ok
> GP>   rad_check_password:  Found Auth-Type Local
> GP> auth: type Local
> GP> auth: No User-Password or CHAP-Password attribute in the request
> GP> auth: Failed to validate the user.
> 
> GP> These are user's attributes
>  
> GP> +-----+----------+-------------------+-----------+------+
> GP> | id  | UserName | Attribute         | Value     | op   |
> GP> +-----+----------+-------------------+-----------+------+
> GP> | 727 | shicks   | MS-CHAP-Challenge | password  | :=   |
> GP> | 728 | shicks   | Auth-Type         | Local     | :=   |
> GP> | 726 | shicks   | MS-Acct-Auth-Type | MS-CHAP-2 | :=   |
> GP> +-----+----------+-------------------+-----------+------+
>  
> GP> Thanks
> GP> Pedro
> 
> 
> -- 
> ~/ZARAZA
> So, I will be brief. (Twain)
> 
> 
> 




Re: PPTP

2002-06-04 Thread 3APA3A

Dear Gonzalez, Pedro,

Add  mschap to authorize{} section (if you store cleartext password) and
to  authenticate{} section, set Auth-Type to MS-CHAP instead of Local or
add authtype = MS-CHAP to mschap module configuration.

--Tuesday, June 4, 2002, 12:29:38 AM, you wrote to [EMAIL PROTECTED]:

GP> Could you tell me how to activate MS-CHAP authentication?
 
GP> This is the request:
 
GP> rad_recv: Access-Request packet from host 10.16.3.98:1331, id=11, length=154
GP> User-Name = "shicks"
GP> NAS-Port = 3753
GP> Service-Type = Framed-User
GP> Framed-Protocol = PPP
GP> Tunnel-Client-Endpoint:0 = "68.15.204.39"
GP> MS-CHAP-Challenge = 0x425bf34f5b693a8420d8416da4c333d6
GP> MS-CHAP2-Response =
GP> 0x020087aa098db1d035629ac54738288a0fef9b2efc6ec56f127ec72e10
GP> 5a50c3c706c899c3d133c8d5db
GP> NAS-IP-Address = 10.16.3.98
GP> NAS-Port-Type = Virtual.

GP> This is the result:
 
GP> 
GP> rlm_sql: Released sql socket id: 4
GP> rlm_sql_authorize: no rows returned from query (no such user)
GP>   modcall[authorize]: module "sql" returns ok
GP> modcall: group authorize returns ok
GP>   rad_check_password:  Found Auth-Type Local
GP> auth: type Local
GP> auth: No User-Password or CHAP-Password attribute in the request
GP> auth: Failed to validate the user.

GP> These are user's attributes
 
GP> +-----+----------+-------------------+-----------+------+
GP> | id  | UserName | Attribute         | Value     | op   |
GP> +-----+----------+-------------------+-----------+------+
GP> | 727 | shicks   | MS-CHAP-Challenge | password  | :=   |
GP> | 728 | shicks   | Auth-Type         | Local     | :=   |
GP> | 726 | shicks   | MS-Acct-Auth-Type | MS-CHAP-2 | :=   |
GP> +-----+----------+-------------------+-----------+------+
 
GP> Thanks
GP> Pedro


-- 
~/ZARAZA
So, I will be brief. (Twain)





Re: PPTP

2002-06-03 Thread rust

Hello Pedro,

Tuesday, June 04, 2002, 12:29:38 AM, you wrote:

GP> Could you tell me how to activate MS-CHAP authentication?

Look at my configs
I have dialup users with PAP and PPTP users with MSCHAP

radiusd.conf

# Microsoft CHAP authentication
mschap {
    authtype = MS-CHAP
}

pap {
    encryption_scheme = crypt
}


authorize {
    preprocess
    suffix
    sql
    monthlycounter
    mschap
}


authenticate {
    unix
    mschap
    authtype PAP {
        pap
    }
}


preacct {
    preprocess
    suffix
    files
}

accounting {
    acct_unique
    detail
    sql
    radutmp
}

session {
    sql
    radutmp
}



In sql.conf change
authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE UserName = 
'%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR 
Attribute = 'Crypt-Password' OR Attribute = 'NT-Password') ORDER BY Attribute DESC"



>select id,UserName,Attribute,Value,op from radcheck where UserName='q1test';
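+-----+----------+-------------+----------------------------------+------+
| id  | UserName | Attribute   | Value                            | op   |
+-----+----------+-------------+----------------------------------+------+
| 310 | q1test   | NT-Password | 2D20D252A479F485CDF5E171D93985BF | :=   |
+-----+----------+-------------+----------------------------------+------+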
1 row in set (0.00 sec)






-- 
Best regards,
 rust    mailto:[EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



PPTP

2002-06-03 Thread Gonzalez, Pedro



Could you tell me how to activate MS-CHAP authentication?

This is the request:

rad_recv: Access-Request packet from host 10.16.3.98:1331, id=11, length=154
    User-Name = "shicks"
    NAS-Port = 3753
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Tunnel-Client-Endpoint:0 = "68.15.204.39"
    MS-CHAP-Challenge = 0x425bf34f5b693a8420d8416da4c333d6
    MS-CHAP2-Response = 0x020087aa098db1d035629ac54738288a0fef9b2efc6ec56f127ec72e105a50c3c706c899c3d133c8d5db
    NAS-IP-Address = 10.16.3.98
    NAS-Port-Type = Virtual.

This is the result:

rlm_sql: Released sql socket id: 4
rlm_sql_authorize: no rows returned from query (no such user)
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

These are user's attributes

+-----+----------+-------------------+-----------+------+
| id  | UserName | Attribute         | Value     | op   |
+-----+----------+-------------------+-----------+------+
| 727 | shicks   | MS-CHAP-Challenge | password  | :=   |
| 728 | shicks   | Auth-Type         | Local     | :=   |
| 726 | shicks   | MS-Acct-Auth-Type | MS-CHAP-2 | :=   |
+-----+----------+-------------------+-----------+------+
 
Thanks
Pedro


Re: FreeRadius v0.5 and PPTP

2002-05-05 Thread Alan DeKok

Raymond <[EMAIL PROTECTED]> wrote:
> As FreeRadius supports MS-CHAP v2 and MPPE and a tunnel dictionary is 
> included, can FreeRadius function as a PPTP Server (terminator) for Win9x / 
> Win2K clients to encapsulate WEP in a Wireless LAN environment?
> 
> Is PAM supported with the above configuration? PoPToP looks good but I really 
> need PAM support. 

  Why?  If you can authenticate MS-CHAP via FreeRADIUS, I don't
understand why you also need PAM.

> Lastly, is there a Suse 0.5 RPM available; the Suse 8.0 distro includes 
> version 0.4.

  You would have to ask the Suse people that, I don't know if there's
anyone else on the list using Suse.

  Alan DeKok.




FreeRadius v0.5 and PPTP

2002-05-04 Thread Raymond

I am unclear regarding the feature set of FreeRadius v0.5.

As FreeRadius supports MS-CHAP v2 and MPPE and a tunnel dictionary is 
included, can FreeRadius function as a PPTP Server (terminator) for Win9x / 
Win2K clients to encapsulate WEP in a Wireless LAN environment?

Is PAM supported with the above configuration? PoPToP looks good but I really 
need PAM support. 

Lastly, is there a Suse 0.5 RPM available; the Suse 8.0 distro includes 
version 0.4.

Advise please.

Raymond

 

