Re: FR 2.0.5 MPPE problem - worked in 2.0.4

2008-07-05 Thread John Horne
On Sun, 2008-07-06 at 00:38 +1200, Pshem Kowalczyk wrote:
> Hi
> 
> We've encountered exactly the same behaviour. Basically - you're not
> supposed to rely on this functionality as it was an unsupported
> feature. If you have to add some attributes to the reply from the home
> server - use unlang in the post proxy section, like this:
> 
> post-proxy {
> 
>     if ("%{Packet-Type}" == Access-Request) {
>         if ("%{proxy-reply:Framed-IP-Address}" =~ /^10\.20.*$/) {
>             update reply {
>                 Session-Timeout := 1
>                 Filter-Id := "redirect"
>             }
>         }
>     }
> 
> }
> 
> 
Okay, thanks for this and for Alan DeKok's reply. I'll reconfigure the
server and retest when I get back to work.


Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.0.5 MPPE problem - worked in 2.0.4

2008-07-05 Thread Alan DeKok
John Horne wrote:
> As said, none of the configuration files have changed at all. It seems
> that FR 2.0.5 is dropping the reply items from the 'users' file after
> proxying, rather than passing them on.

  Yes.  Version 1.x re-ran the packet through the "authorize" section
before replying to the NAS.  This feature was removed in 2.x, and
somehow seemed to get back in.  It was removed in 2.0.5... because it's
wrong.  Any post-proxy rules should be applied in the post-proxy section.

  You can work around this by adding the line "files.authorize" to the
post-proxy section.  That tells the server to run the "authorize"
section of the "files" module.

  Alan DeKok.


Re: FR 2.0.5 MPPE problem - worked in 2.0.4

2008-07-05 Thread Pshem Kowalczyk
Hi

We've encountered exactly the same behaviour. Basically - you're not
supposed to rely on this functionality as it was an unsupported
feature. If you have to add some attributes to the reply from the home
server - use unlang in the post proxy section, like this:

post-proxy {

    if ("%{Packet-Type}" == Access-Request) {
        if ("%{proxy-reply:Framed-IP-Address}" =~ /^10\.20.*$/) {
            update reply {
                Session-Timeout := 1
                Filter-Id := "redirect"
            }
        }
    }

}


kind regards
Pshem


2008/7/5 John Horne <[EMAIL PROTECTED]>:
> Hello,
>
> We are running Freeradius on some VPN servers using MPPE and PPTP. I
> have upgraded one server this afternoon from FR 2.0.4 to 2.0.5. We are
> now seeing the old (?!) error messages of MPPE not being available:
>
> ==
>   Jul  4 17:40:01 betty pppd[23739]: rcvd [CHAP Response id=0x37
>   <20f649170924934c
> aea705692a8495615000d7a07dae438cc630dfe93a6f147c9a031d758b8cf2d300>,
>   name = "jhorne"]
>   Jul  4 17:40:01 betty pppd[23739]: sent [CHAP Success id=0x37
>   "S=2A085F4D0A91C6832D347AF4305ED84C2ACF32E0"]
>   Jul  4 17:40:01 betty pppd[23739]: MPPE required, but keys are not
>   available.  Possible plugin problem?
>   Jul  4 17:40:01 betty pppd[23739]: sent [LCP TermReq id=0x2 "MPPE
>   required but not available"]
>   Jul  4 17:40:01 betty pppd[23739]: rcvd [CCP ConfReq id=0x4+M +S +L -D +C>]
> ==
>
>
> None of the configuration files were changed. Our 'users' file contains
> a DEFAULT entry of:
>
> DEFAULT Service-Type == Framed-User
> MS-MPPE-Encryption-Policy = 0x0002,
> MS-MPPE-Encryption-Types = 0x0006
>
>
> When running FR 2.0.4 using 'radiusd -X' we can see the MPPE reply items
> present (and FR then passes them on to the PPP daemon):
>
> ==
> Login OK: [jhorne/] (from client localhost port
> 0 cli 141.163.60.7)
> Sending Access-Accept of id 141 to 127.0.0.1 port 32769
>     MS-CHAP2-Success =
> 0x9c533d43393244394538333244413042433745324241443135463241354437354233443034394544313230
>     Reply-Message = "Yes"
>     MS-MPPE-Recv-Key = 0x0e7596f28778d7d71a7553aadfa57e92
>     MS-MPPE-Send-Key = 0x41496804da30ffb8550fa9437ee6ae5e
>     MS-MPPE-Encryption-Policy = 0x0002
>     MS-MPPE-Encryption-Types = 0x0006
> Finished request 0.
> ==
>
>
> However, with FR 2.0.5 the MPPE reply items are missing:
>
> ==
> Login OK: [jhorne] (from client localhost port 0 cli 141.163.60.7)
> Sending Access-Accept of id 144 to 127.0.0.1 port 32769
>     MS-CHAP2-Success =
> 0x37533d32413038354634443041393143363833324433343741463433303545443834433241434633324530
>     Reply-Message = "Yes"
>     MS-MPPE-Recv-Key = 0x00fbe23240bfd5a27fa70a2e32b581b3
>     MS-MPPE-Send-Key = 0xff5da890119101d1c08693d65bc3fc5b
> Finished request 0.
> ==
>
>
> As said, none of the configuration files have changed at all. It seems
> that FR 2.0.5 is dropping the reply items from the 'users' file after
> proxying, rather than passing them on.
>
>
> Has anyone else noticed this? I cannot really see anything relevant in
> the Changelog that would explain this. I'm a little stumped as to how to
> proceed with this (other than going back to 2.0.4), and it's late on a
> Friday afternoon so I'm going home to think :-)
>
>
>
> Thanks,
>
> John.
>
> --
> ---
> John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
> E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


FR 2.0.5 MPPE problem - worked in 2.0.4

2008-07-04 Thread John Horne
Hello,

We are running Freeradius on some VPN servers using MPPE and PPTP. I
have upgraded one server this afternoon from FR 2.0.4 to 2.0.5. We are
now seeing the old (?!) error messages of MPPE not being available:

==
   Jul  4 17:40:01 betty pppd[23739]: rcvd [CHAP Response id=0x37
   <20f649170924934c
aea705692a8495615000d7a07dae438cc630dfe93a6f147c9a031d758b8cf2d300>,
   name = "jhorne"]
   Jul  4 17:40:01 betty pppd[23739]: sent [CHAP Success id=0x37 
   "S=2A085F4D0A91C6832D347AF4305ED84C2ACF32E0"]
   Jul  4 17:40:01 betty pppd[23739]: MPPE required, but keys are not 
   available.  Possible plugin problem?
   Jul  4 17:40:01 betty pppd[23739]: sent [LCP TermReq id=0x2 "MPPE
   required but not available"]
   Jul  4 17:40:01 betty pppd[23739]: rcvd [CCP ConfReq id=0x4 ]
==


None of the configuration files were changed. Our 'users' file contains
a DEFAULT entry of:

 DEFAULT Service-Type == Framed-User
 MS-MPPE-Encryption-Policy = 0x0002,
 MS-MPPE-Encryption-Types = 0x0006


When running FR 2.0.4 using 'radiusd -X' we can see the MPPE reply items
present (and FR then passes them on to the PPP daemon):

==
Login OK: [jhorne/] (from client localhost port
0 cli 141.163.60.7)
Sending Access-Accept of id 141 to 127.0.0.1 port 32769
MS-CHAP2-Success =
0x9c533d43393244394538333244413042433745324241443135463241354437354233443034394544313230
Reply-Message = "Yes"
MS-MPPE-Recv-Key = 0x0e7596f28778d7d71a7553aadfa57e92
MS-MPPE-Send-Key = 0x41496804da30ffb8550fa9437ee6ae5e
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0006
Finished request 0.
==


However, with FR 2.0.5 the MPPE reply items are missing:

==
Login OK: [jhorne] (from client localhost port 0 cli 141.163.60.7)
Sending Access-Accept of id 144 to 127.0.0.1 port 32769
MS-CHAP2-Success =
0x37533d32413038354634443041393143363833324433343741463433303545443834433241434633324530
Reply-Message = "Yes"
MS-MPPE-Recv-Key = 0x00fbe23240bfd5a27fa70a2e32b581b3
MS-MPPE-Send-Key = 0xff5da890119101d1c08693d65bc3fc5b
Finished request 0.
==


As said, none of the configuration files have changed at all. It seems
that FR 2.0.5 is dropping the reply items from the 'users' file after
proxying, rather than passing them on.


Has anyone else noticed this? I cannot really see anything relevant in
the Changelog that would explain this. I'm a little stumped as to how to
proceed with this (other than going back to 2.0.4), and it's late on a
Friday afternoon so I'm going home to think :-)



Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001
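
A check for the regression described in this thread, as an added example that is not part of the original mails or of FreeRADIUS: it parses `radiusd -X` style output and reports each Access-Accept that lacks the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types reply items. The function names and the sample log (constructed, with shortened made-up values) are assumptions.

```python
import re

# Reply items the 'users' DEFAULT entry quoted in this thread should add.
REQUIRED = ("MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types")
HEADER = re.compile(r"^Sending (Access-\w+) of id (\d+) to \S+ port \d+")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*)\s*:?=\s*(.*)$")

def parse_replies(debug_text):
    """Return one dict per 'Sending ...' block in `radiusd -X` style output."""
    replies, current, last = [], None, None
    for line in debug_text.splitlines():
        head = HEADER.match(line.strip())
        if head:
            current, last = {"type": head.group(1), "id": int(head.group(2)), "attrs": {}}, None
            replies.append(current)
        elif current is not None:
            attr = ATTR.match(line)
            if attr:
                last = attr.group(1)
                current["attrs"][last] = attr.group(2).strip()
            elif last and not current["attrs"][last] and line.strip():
                # Value wrapped onto its own line, as in the archived mails.
                current["attrs"][last] = line.strip()
            else:
                current, last = None, None  # blank line or "Finished request"
    return replies

def missing_policy_items(debug_text, required=REQUIRED):
    """Map Access-Accept id -> required reply items absent from that reply."""
    absent = {r["id"]: [n for n in required if n not in r["attrs"]]
              for r in parse_replies(debug_text) if r["type"] == "Access-Accept"}
    return {rid: names for rid, names in absent.items() if names}

# Constructed sample (shortened, made-up values) in the shape of the thread's logs.
SAMPLE = """\
Sending Access-Accept of id 141 to 127.0.0.1 port 32769
\tMS-CHAP2-Success =
0x0153
\tMS-MPPE-Recv-Key = 0x00aa
\tMS-MPPE-Encryption-Policy = 0x0002
\tMS-MPPE-Encryption-Types = 0x0006
Finished request 0.
Sending Access-Accept of id 144 to 127.0.0.1 port 32769
\tMS-MPPE-Recv-Key = 0x00cc
Finished request 1.
"""

if __name__ == "__main__":
    print(missing_policy_items(SAMPLE))
```

Run against captured debug output after an upgrade, an empty result means every Access-Accept still carried both policy items.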