I'm trying to authenticate MSChap with LDAP (LDAP has crypted passwords) for PPTP from a Cisco VPN box. I'm getting a strange error. Here are the logs:

rad_recv: Access-Request packet from host ************:1071, id=138, length=153
        User-Name = "csdgp"
        NAS-Port = 2311
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Client-Endpoint:0 = "**********"
        MS-CHAP-Challenge = 0x6ad5d5a423e76b09aeb8ac329215d4b1
        MS-CHAP2-Response = 0x02000b2f32af6a677146bd81ec222958a45f00000000000000007249bfd5eb81dd31ee0af1a17712be08a7bc758820949d71
        NAS-IP-Address = **********
        NAS-Port-Type = Virtual
rlm_ldap: - authorize
rlm_ldap: performing user authorization for csdgp
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as *************** to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user csdgp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Login incorrect: [csdgp/<no User-Password attribute>] (from client vpn1 port 2311)
rad_recv: Access-Request packet from host ********:1071, id=138, length=153
Sending Access-Reject of id 138 to ********:1071
        MS-CHAP-Error = "\002E=691 R=1"


Here's the config:

chap {
        authtype = CHAP
}

mschap {
        authtype = MS-CHAP
        use_mppe = yes
}

ldap {
        server = "localhost"
        identity = ***************
        password = ***************
        basedn = ***************
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}}) (host=ux1))"

        start_tls = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = "userPassword"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
}


-- End of config --

Am I up a creek here or is there something I can do? I haven't been able to find much online, but I may not be hitting the right things.

--
  Douglas G. Phillips
     Development                     Information Technology Services
Eastern Illinois University                     (217) 581-7631

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
