mpd & freeradius: MS-CHAP2 problem ? and more ... (long)

Gianmarco Giovannelli gmarco at giovannelli.it
Sat Nov 15 04:52:06 PST 2003


Hi all,
I have updated my mpd server (pptp, on FreeBSD 4.x-stable) to use the latest 
mpd 3.15.
I am trying now to authenticate against a freeradius server (FreeBSD 
4.x-stable , freeradius 0.9.2).

But I got an error:


[pptp1] RADIUS: RadiusAddServer Adding 172.16.33.236
[pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: gmarco
[pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_ACCEPT for user gmarco
[pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 2
[pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 1
[pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_IP_ADDRESS: 192.168.79.253
[pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_IP_NETMASK: 255.255.255.255
[pptp1] RADIUS: RadiusGetParams: PANIC no MS-CHAPv2 response received


#### MPD ####

mpd.conf is:
---> begin <---
default:
         load client1
         load client2
	[...]

client1:
         new -i ng0 pptp1 pptp1
         load pptp_common_settings

client2:
         new -i ng1 pptp2 pptp2
         load pptp_common_settings

[...]
pptp_common_settings:
         set iface disable on-demand
         set iface enable proxy-arp
         set iface idle 0
         set iface enable tcpmssfix
         set link yes acfcomp protocomp
         set link no pap chap
         set link enable chap
         set link mtu 1440
         set link keep-alive 25 60
         set ipcp yes vjcomp
         set ipcp dns 172.16.16.254
         set ipcp nbns 172.16.16.254
         set bundle enable multilink
         set bundle enable compression
         set ccp yes mppc
         set ccp yes mpp-e40
         set ccp yes mpp-e128
         set ccp yes mpp-stateless
         load radius

radius:
         set radius retries 3
         set radius timeout 3
         set radius server 172.16.33.236 testing123 1812 1813
         set radius me 172.16.16.239
         set ipcp yes radius-ip
         set bundle enable radius-auth radius-fallback
         set bundle enable radius-acct
---> end <---

mpd.log is:
---> begin <---
Nov 15 12:19:08 freebsd mpd: [pptp1] IFACE: Open event
Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: Open event
Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: state change Initial --> Starting
Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: LayerStart
Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: Open event
Nov 15 12:19:08 freebsd mpd: [pptp1] bundle: OPEN event in state CLOSED
Nov 15 12:19:08 freebsd mpd: [pptp1] opening link "pptp1"...
Nov 15 12:19:08 freebsd mpd: [pptp1] link: OPEN event
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: Open event
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: state change Initial --> Starting
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: LayerStart
Nov 15 12:19:08 freebsd mpd: [pptp1] device: OPEN event in state DOWN
Nov 15 12:19:08 freebsd mpd: [pptp1] attaching to peer's outgoing call
Nov 15 12:19:08 freebsd mpd: [pptp1] device is now in state OPENING
Nov 15 12:19:08 freebsd mpd: [pptp1] device: UP event in state OPENING
Nov 15 12:19:08 freebsd mpd: [pptp1] device is now in state UP
Nov 15 12:19:08 freebsd mpd: [pptp1] link: UP event
Nov 15 12:19:08 freebsd mpd: [pptp1] link: origination is remote
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: Up event
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: state change Starting --> Req-Sent
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: phase shift DEAD --> ESTABLISH
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: SendConfigReq #1
Nov 15 12:19:08 freebsd mpd:  ACFCOMP
Nov 15 12:19:08 freebsd mpd:  PROTOCOMP
Nov 15 12:19:08 freebsd mpd:  MRU 1500
Nov 15 12:19:08 freebsd mpd:  MAGICNUM 57172c6d
Nov 15 12:19:08 freebsd mpd:  AUTHPROTO CHAP MSOFTv2
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
Nov 15 12:19:08 freebsd mpd:  PROTOCOMP
Nov 15 12:19:08 freebsd mpd:  ACFCOMP
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: SendConfigAck #1
Nov 15 12:19:08 freebsd mpd:  PROTOCOMP
Nov 15 12:19:08 freebsd mpd:  ACFCOMP
Nov 15 12:19:08 freebsd mpd:  ACFCOMP
Nov 15 12:19:08 freebsd mpd:  PROTOCOMP
Nov 15 12:19:08 freebsd mpd:  MRU 1500
Nov 15 12:19:08 freebsd mpd:  MAGICNUM 57172c6d
Nov 15 12:19:08 freebsd mpd:  AUTHPROTO CHAP MSOFTv2
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: state change Req-Sent --> Ack-Sent
Nov 15 12:19:10 freebsd mpd: [pptp1] LCP: SendConfigReq #2
Nov 15 12:19:10 freebsd mpd:  ACFCOMP
Nov 15 12:19:10 freebsd mpd:  PROTOCOMP
Nov 15 12:19:10 freebsd mpd:  MRU 1500
Nov 15 12:19:10 freebsd mpd:  MAGICNUM 57172c6d
Nov 15 12:19:10 freebsd mpd:  AUTHPROTO CHAP MSOFTv2
Nov 15 12:19:10 freebsd mpd: [pptp1] LCP: rec'd Configure Reject #2 link 0 (Ack-Sent)
Nov 15 12:19:10 freebsd mpd:  MAGICNUM 57172c6d
Nov 15 12:19:10 freebsd mpd: [pptp1] LCP: SendConfigReq #3
Nov 15 12:19:10 freebsd mpd:  ACFCOMP
Nov 15 12:19:10 freebsd mpd:  PROTOCOMP
Nov 15 12:19:10 freebsd mpd:  MRU 1500
Nov 15 12:19:10 freebsd mpd:  AUTHPROTO CHAP MSOFTv2
Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
Nov 15 12:19:11 freebsd mpd:  ACFCOMP
Nov 15 12:19:11 freebsd mpd:  PROTOCOMP
Nov 15 12:19:11 freebsd mpd:  MRU 1500
Nov 15 12:19:11 freebsd mpd:  AUTHPROTO CHAP MSOFTv2
Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: state change Ack-Sent --> Opened
Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: phase shift ESTABLISH --> AUTHENTICATE
Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: auth: peer wants nothing, I want CHAP
Nov 15 12:19:11 freebsd mpd: [pptp1] CHAP: sending CHALLENGE
Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: LayerUp
Nov 15 12:19:13 freebsd mpd: [pptp1] CHAP: sending CHALLENGE
Nov 15 12:19:13 freebsd mpd: [pptp1] CHAP: rec'd RESPONSE #2
Nov 15 12:19:13 freebsd mpd:  Name: "gmarco"
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusAddServer Adding 172.16.33.236
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: gmarco
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_ACCEPT for user gmarco
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 2
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: gmarco
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_ACCEPT for user gmarco
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 2
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 1
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_IP_ADDRESS: 192.168.79.253
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_IP_NETMASK: 255.255.255.255
Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: PANIC no MS-CHAPv2 response received
Nov 15 12:19:13 freebsd mpd:  Peer name: "gmarco"
Nov 15 12:19:13 freebsd mpd:  Can't get credentials for "gmarco"
Nov 15 12:19:13 freebsd mpd: [pptp1] CHAP: sending FAILURE
Nov 15 12:19:13 freebsd mpd: [pptp1] LCP: authorization failed
Nov 15 12:19:13 freebsd mpd: [pptp1] device: CLOSE event in state UP
Nov 15 12:19:13 freebsd mpd: pptp0-0: clearing call
Nov 15 12:19:13 freebsd mpd: pptp0-0: killing channel
Nov 15 12:19:13 freebsd mpd: [pptp1] PPTP call terminated
Nov 15 12:19:13 freebsd mpd: [pptp1] IFACE: Close event
Nov 15 12:19:13 freebsd mpd: [pptp1] IPCP: Close event
Nov 15 12:19:13 freebsd mpd: [pptp1] IPCP: state change Starting --> Initial
Nov 15 12:19:13 freebsd mpd: [pptp1] IPCP: LayerFinish
Nov 15 12:19:13 freebsd mpd: [pptp1] IFACE: Close event
Nov 15 12:19:13 freebsd mpd: pptp0: closing connection with xxx.xxx.xxx.xxx:56888
Nov 15 12:19:13 freebsd mpd: [pptp1] IFACE: Close event
Nov 15 12:19:13 freebsd mpd: [pptp1] device is now in state CLOSING
Nov 15 12:19:13 freebsd mpd: [pptp1] bundle: CLOSE event in state OPENED
[...]
---> end <---


mpd.links

--> begin <---
pptp1:
         set link type pptp
         set pptp self yyy.yyy.yyy.yyy
         set pptp enable incoming
         set pptp disable originate

[...]

---> end <---

I have an empty mpd.secrets

### FreeRadius ####

The (freeradius) users relevant part is:

---> begin <---
gmarco  Auth-Type := MS-CHAP, User-Password == "mypwd"
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Framed-IP-Address = 192.168.79.253,
         Framed-IP-Netmask = 255.255.255.255,
---> end <---

and I have in the freeradius radius.conf:

---> begin <---
[...]
         mschap {
                 authtype = MS-CHAP
                 use_mppe = yes
                 require_encryption = yes
                 require_strong = yes
         }
[...]
authorize {
         preprocess
         suffix
         files
         mschap
}

authenticate {
         authtype MS-CHAP {
                 mschap
         }
}
---> end <---


freeradius instead claims that everything is fine:

---> radius.log <---
Sat Nov 15 12:23:03 2003 : Auth: Login OK: [gmarco/<no User-Password attribute>] (from client freebsd port 0 cli xxx.xxx.xxx.xxx)
---> end <---

---> detail <---
Sat Nov 15 11:06:24 2003
         NAS-Identifier = "freebsd.mydomain.it"
         NAS-IP-Address = 172.16.16.239
         NAS-Port = 0
         NAS-Port-Type = Virtual
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Calling-Station-Id = "xxx.xxx.xxx.xxx"
         User-Name = "gmarco"
         Framed-IP-Address = 192.168.79.253
         Acct-Status-Type = Start
         Acct-Session-Id = "8890553-pptp1"
         Acct-Multi-Session-Id = "8890553-pptp1"
         Acct-Link-Count = 1
         Acct-Authentic = RADIUS
         Timestamp = 1068890784

Sat Nov 15 11:07:04 2003
         NAS-Identifier = "freebsd.mydomain.it"
         NAS-IP-Address = 172.16.16.239
         NAS-Port = 0
         NAS-Port-Type = Virtual
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Calling-Station-Id = "xxx.xxx.xxx.xxx"
         User-Name = "gmarco"
         Framed-IP-Address = 192.168.79.253
         Acct-Status-Type = Stop
         Acct-Session-Id = "8890553-pptp1"
         Acct-Multi-Session-Id = "8890553-pptp1"
         Acct-Link-Count = 1
         Acct-Authentic = RADIUS
         Acct-Terminate-Cause = User-Request
         Acct-Session-Time = 60
         Acct-Input-Octets = 5055
         Acct-Input-Packets = 55
         Acct-Output-Octets = 4132
         Acct-Output-Packets = 47
         Timestamp = 1068890824

--> end <---

If I use an mpd.secret like this for example:

---> begin <---
gmarco	mypwd		192.168.78.100
---> end <---

I get authenticated but I receive a lot of errors like these:

--> begin <--
[pptp1] rec'd unexpected protocol COMPD on link 0
[pptp1] CCP: rec'd Configure Request #3 link 0 (Ack-Sent)
  MPPC
    0x010000e0: MPPE, 40 bit, 56 bit, 128 bit, stateless
[pptp1] CCP: Checking wether 40 bits are acceptable -> yes
[pptp1] CCP: Checking wether 56 bits are acceptable -> no
[pptp1] CCP: Checking wether 128 bits are acceptable -> yes
[pptp1] CCP: SendConfigNak #3
  MPPC
    0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: state change Ack-Sent --> Req-Sent
[pptp1] CCP: rec'd Configure Ack #6 link 0 (Req-Sent)
  MPPC
    0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: state change Req-Sent --> Ack-Rcvd
[pptp1] rec'd unexpected protocol COMPD on link 0
[pptp1] CCP: rec'd Configure Request #3 link 0 (Ack-Rcvd)
  MPPC
    0x010000e0: MPPE, 40 bit, 56 bit, 128 bit, stateless
[pptp1] CCP: Checking wether 40 bits are acceptable -> yes
[pptp1] CCP: Checking wether 56 bits are acceptable -> no
[pptp1] CCP: Checking wether 128 bits are acceptable -> yes
[pptp1] CCP: SendConfigNak #3
  MPPC
    0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: rec'd Configure Request #4 link 0 (Ack-Rcvd)
  MPPC
    0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: Checking wether 128 bits are acceptable -> yes
[pptp1] CCP: SendConfigAck #4
  MPPC
    0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: state change Ack-Rcvd --> Opened
[pptp1] CCP: LayerUp
   Compress using: MPPE, 128 bit, stateless
Decompress using: MPPE, 128 bit, stateless
[pptp1] setting interface ng0 MTU to 1436 bytes
[pptp1] rec'd unexpected protocol 0x4409 on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x0099 on link -1, rejecting
[pptp1] rec'd unexpected protocol 0x0091 on link -1, rejecting
[pptp1] rec'd proto 0xc867 on MP link! (ignoring)
---> end <---


Everything seems fine if I remove the:
load radius
line from mpd.conf and I use only mpd.secret ...

Any ideas/help are welcome ....


Best Regards,
Gianmarco Giovannelli ,  "Unix expert since yesterday"
http://www.gufi.org/~gmarco
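
Added example, not part of the original post and not mpd's own code: a decoder for the MPPE option values printed in the CCP log above (0x010000e0, 0x01000040), with a check that flags any link that came up with less than 128-bit MPPE. The bit positions follow RFC 3078 section 2.1; the function names and the sample log are constructed for illustration.

```python
import re

# MPPE "supported bits" in the CCP option (RFC 3078, section 2.1).
MPPE_STATELESS = 0x01000000  # H bit
MPPE_56 = 0x00000080         # M bit
MPPE_128 = 0x00000040        # S bit
MPPE_40 = 0x00000020         # L bit
KEY_BITS = ((MPPE_128, 128), (MPPE_56, 56), (MPPE_40, 40))  # strongest first


def decode(bits):
    """Return (sorted key lengths offered, stateless flag)."""
    lengths = sorted(n for mask, n in KEY_BITS if bits & mask)
    return lengths, bool(bits & MPPE_STATELESS)


def choose(offered, allowed_lengths, allow_stateless=True):
    """Strongest key length both sides accept, as an option value, or None."""
    for mask, n in KEY_BITS:
        if offered & mask and n in allowed_lengths:
            if allow_stateless and offered & MPPE_STATELESS:
                mask |= MPPE_STATELESS
            return mask
    return None


def weak_sessions(log_text, minimum=128):
    """List (direction, key length) for each MPPE direction below minimum."""
    found = re.findall(r"(Compress|Decompress) using: MPPE, (\d+) bit", log_text)
    return [(d, int(n)) for d, n in found if int(n) < minimum]


# Constructed sample in the format of the CCP LayerUp lines above.
SAMPLE = """\
[pptp1] CCP: LayerUp
   Compress using: MPPE, 128 bit, stateless
Decompress using: MPPE, 40 bit, stateless
"""

if __name__ == "__main__":
    print(decode(0x010000E0))                  # the peer's Configure Request
    print(hex(choose(0x010000E0, {40, 128})))  # mpd.conf enables e40 and e128
    print(weak_sessions(SAMPLE))
```

With the policy from the mpd.conf above (mpp-e40 and mpp-e128 enabled, 56 bit not), choose() returns 0x01000040, the same value mpd sends in its Configure Nak.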



