Weblog entry #1 for lters
Using Debian Etch on a Dell 1850 running the 2.6.15 kernel.
Anyone care to share some good getting started tips?
Comments on this Entry
Default Debian setup does not allow MPPE, so turn off 'require mppe128'. That will disable traffic encryption and increase performance. If you do want MPPE, you'll have to patch.
You're welcome
Here is where I am not clear...
The windows XP client makes a vpn connection and uses the default settings.
The user John with password of Brown is entered, just as a test.
Here are the pptpd.conf parts:
option /etc/ppp/pptpd-options
localip 10.xx.xx.xx
remoteip 10.xx.xx.xx-xx
And the ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.xx.xx.xx
nodefaultroute
debug
nologfd
lock
nobsdcomp
plugin radius.so
I want pptpd to authenticate to freeradius.
From the google info, it looks like I am doing mschap-v2 to freeradius.
I see the request on the freeradius side:
Here is what it looks like...
freeradius msg *
rad_recv: Access-Request packet from host 10.xx.x.xxx:32853, id=12, length=147
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "John"
MS-CHAP-Challenge = 0xfea9bd3771cc0bcb27816f27c2155ff2
MS-CHAP2-Response = 0x3300b5733e07e437a152b7dd4766e362218900000000000000002c4409266fa0d57ba317ab979e7d2cbb8e7e03ab88f8826e
Calling-Station-Id = "xx.xx.xx.xx"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 4
rlm_realm: No '@' in User-Name = "John", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry DEFAULT at line 645
users: Matched entry DEFAULT at line 657
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 4
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for John with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 4
modcall: group Auth-Type returns reject for request 4
auth: Failed to validate the user.
Login incorrect: [John/] (from client MFa port 0 cli xx.xxx.xxx.xxx)
It seems like there is no password or my freeradius is not setup right.
respectfully, lters
http://www.debian-administration.org/articles/245
This article may be helpful in making sure radius is set up correctly. There is a section on the dictionary.microsoft issues as well.
It does not seem like pptp is sending the password info to freeradius, or else freeradius is not properly breaking out the challenge/response stuff.
respectfully, lters
plugin radius.so
plugin radattr.so
The problem turned out to be an invalid user entry in the freeradius users file.
The Auth-Type=Local seemed to be the main problem.
Here is a working user, and note that all the rest of the freeradius config files are just left at the default settings...
John	User-Password == "Brown"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.16.3.33,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP
pptp and freeradius do work.
It would be interesting to hear someone comment on how secure/insecure pptp versus l2tp really is.
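The thread's failure ("No User-Password configured. Cannot create NT-Password", then a reject) and its fix (a users entry with a password check item and no forced Auth-Type) can be caught before restarting radiusd by linting the `users` file. The following is an added example, not code from the thread or from the FreeRADIUS project; it assumes the FreeRADIUS 1.x `users` syntax (unindented line = name plus check items, indented lines = reply items) and uses a constructed sample file, where the first entry is modelled on the poster's broken one and the second on the working one above.

```python
import re

# Constructed sample in FreeRADIUS `users` syntax (not the poster's real file): the first
# entry has check items of the kind that broke MS-CHAPv2 in the thread, the second works.
USERS_SAMPLE = '''
John    Auth-Type = Local
        Service-Type = Framed-User,
        Framed-Protocol = PPP

John    User-Password == "Brown"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33
'''
# Check items rlm_mschap can turn into the NT hash it needs to verify a response.
PASSWORD_ITEMS = {"User-Password", "NT-Password", "LM-Password"}
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|!=|=~|=)\s*(.+?)\s*$')

def split_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    matches = (ITEM_RE.match(part) for part in text.split(","))
    return [(m.group(1), m.group(2), m.group(3).strip('"')) for m in matches if m]

def parse_users(text):
    """Unindented line = entry name + check items; indented lines = reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.strip().split(None, 1)
            checks = split_items(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": checks, "reply": []})
        elif entries:
            entries[-1]["reply"] += split_items(line)
    return entries

def lint_for_mschap(entry):
    """Return the reasons rlm_mschap would reject this entry (empty list = OK)."""
    problems = []
    attrs = {attr for attr, _, _ in entry["check"]}
    if not attrs & PASSWORD_ITEMS:
        problems.append("no User-Password/NT-Password/LM-Password check item: rlm_mschap "
                        "cannot build an NT hash, so MS-CHAP2-Response cannot be verified")
    for attr, _, value in entry["check"]:
        if attr == "Auth-Type" and value != "MS-CHAP":
            problems.append(f"explicit Auth-Type = {value} conflicts with the Auth-Type = "
                            "MS-CHAP that rlm_mschap sets in authorize (the poster's fix was to drop it)")
    return problems
```

Note that the cleartext User-Password (or an NT-Password hash) must be available to the server for MS-CHAPv2 at all, which is why the entry cannot rely on a one-way-hashed system password.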