mpd & freeradius: MS-CHAP2 problem ? and more ... (long)

From: Gianmarco Giovannelli (gmarco_at_giovannelli.it)
Date: 11/15/03

    Date: Sat, 15 Nov 2003 13:58:28 +0100
    To: net@freebsd.org
    
    

    Hi all,
    I have updated my mpd server (pptp, on FreeBSD 4.x-stable) to use the latest
    mpd 3.15.
    I am trying now to authenticate against a freeradius server (FreeBSD
    4.x-stable , freeradius 0.9.2).

    But I got an error:

    [pptp1] RADIUS: RadiusAddServer Adding 172.16.33.236
    [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: gmarco
    [pptp1] RADIUS: RadiusSendRequest: RAD_ACCESS_ACCEPT for user gmarco
    [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 2
    [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_PROTOCOL: 1
    [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_IP_ADDRESS: 192.168.79.253
    [pptp1] RADIUS: RadiusGetParams: RAD_FRAMED_IP_NETMASK: 255.255.255.255
    [pptp1] RADIUS: RadiusGetParams: PANIC no MS-CHAPv2 response received

    #### MPD ####

    mpd.conf is:
    ---> begin <---
    default:
             load client1
             load client2
            [...]

    client1:
             new -i ng0 pptp1 pptp1
             load pptp_common_settings

    client2:
             new -i ng1 pptp2 pptp2
             load pptp_common_settings

    [...]
    pptp_common_settings:
             set iface disable on-demand
             set iface enable proxy-arp
             set iface idle 0
             set iface enable tcpmssfix
             set link yes acfcomp protocomp
             set link no pap chap
             set link enable chap
             set link mtu 1440
             set link keep-alive 25 60
             set ipcp yes vjcomp
             set ipcp dns 172.16.16.254
             set ipcp nbns 172.16.16.254
             set bundle enable multilink
             set bundle enable compression
             set ccp yes mppc
             set ccp yes mpp-e40
             set ccp yes mpp-e128
             set ccp yes mpp-stateless
             load radius

    radius:
             set radius retries 3
             set radius timeout 3
             set radius server 172.16.33.236 testing123 1812 1813
             set radius me 172.16.16.239
             set ipcp yes radius-ip
             set bundle enable radius-auth radius-fallback
             set bundle enable radius-acct
    ---> end <---

    mpd.log is:
    ---> begin <---
    Nov 15 12:19:08 freebsd mpd: [pptp1] IFACE: Open event
    Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: Open event
    Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: state change Initial --> Starting
    Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: LayerStart
    Nov 15 12:19:08 freebsd mpd: [pptp1] IPCP: Open event
    Nov 15 12:19:08 freebsd mpd: [pptp1] bundle: OPEN event in state CLOSED
    Nov 15 12:19:08 freebsd mpd: [pptp1] opening link "pptp1"...
    Nov 15 12:19:08 freebsd mpd: [pptp1] link: OPEN event
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: Open event
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: state change Initial --> Starting
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: LayerStart
    Nov 15 12:19:08 freebsd mpd: [pptp1] device: OPEN event in state DOWN
    Nov 15 12:19:08 freebsd mpd: [pptp1] attaching to peer's outgoing call
    Nov 15 12:19:08 freebsd mpd: [pptp1] device is now in state OPENING
    Nov 15 12:19:08 freebsd mpd: [pptp1] device: UP event in state OPENING
    Nov 15 12:19:08 freebsd mpd: [pptp1] device is now in state UP
    Nov 15 12:19:08 freebsd mpd: [pptp1] link: UP event
    Nov 15 12:19:08 freebsd mpd: [pptp1] link: origination is remote
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: Up event
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: state change Starting --> Req-Sent
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: phase shift DEAD --> ESTABLISH
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: SendConfigReq #1
    Nov 15 12:19:08 freebsd mpd: ACFCOMP
    Nov 15 12:19:08 freebsd mpd: PROTOCOMP
    Nov 15 12:19:08 freebsd mpd: MRU 1500
    Nov 15 12:19:08 freebsd mpd: MAGICNUM 57172c6d
    Nov 15 12:19:08 freebsd mpd: AUTHPROTO CHAP MSOFTv2
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: rec'd Configure Request #1 link 0
    (Req-Sent)
    Nov 15 12:19:08 freebsd mpd: PROTOCOMP
    Nov 15 12:19:08 freebsd mpd: ACFCOMP
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: SendConfigAck #1
    Nov 15 12:19:08 freebsd mpd: PROTOCOMP
    Nov 15 12:19:08 freebsd mpd: ACFCOMP
    Nov 15 12:19:08 freebsd mpd: ACFCOMP
    Nov 15 12:19:08 freebsd mpd: PROTOCOMP
    Nov 15 12:19:08 freebsd mpd: MRU 1500
    Nov 15 12:19:08 freebsd mpd: MAGICNUM 57172c6d
    Nov 15 12:19:08 freebsd mpd: AUTHPROTO CHAP MSOFTv2
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: rec'd Configure Request #1 link 0
    (Req-Sent)
    Nov 15 12:19:08 freebsd mpd: [pptp1] LCP: state change Req-Sent --> Ack-Sent
    Nov 15 12:19:10 freebsd mpd: [pptp1] LCP: SendConfigReq #2
    Nov 15 12:19:10 freebsd mpd: ACFCOMP
    Nov 15 12:19:10 freebsd mpd: PROTOCOMP
    Nov 15 12:19:10 freebsd mpd: MRU 1500
    Nov 15 12:19:10 freebsd mpd: MAGICNUM 57172c6d
    Nov 15 12:19:10 freebsd mpd: AUTHPROTO CHAP MSOFTv2
    Nov 15 12:19:10 freebsd mpd: [pptp1] LCP: rec'd Configure Reject #2 link 0
    (Ack-Sent)
    Nov 15 12:19:10 freebsd mpd: MAGICNUM 57172c6d
    Nov 15 12:19:10 freebsd mpd: [pptp1] LCP: SendConfigReq #3
    Nov 15 12:19:10 freebsd mpd: ACFCOMP
    Nov 15 12:19:10 freebsd mpd: PROTOCOMP
    Nov 15 12:19:10 freebsd mpd: MRU 1500
    Nov 15 12:19:10 freebsd mpd: AUTHPROTO CHAP MSOFTv2
    Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: rec'd Configure Ack #3 link 0
    (Ack-Sent)
    Nov 15 12:19:11 freebsd mpd: ACFCOMP
    Nov 15 12:19:11 freebsd mpd: PROTOCOMP
    Nov 15 12:19:11 freebsd mpd: MRU 1500
    Nov 15 12:19:11 freebsd mpd: AUTHPROTO CHAP MSOFTv2
    Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: state change Ack-Sent --> Opened
    Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: phase shift ESTABLISH -->
    AUTHENTICATE
    Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: auth: peer wants nothing, I want CHAP
    Nov 15 12:19:11 freebsd mpd: [pptp1] CHAP: sending CHALLENGE
    Nov 15 12:19:11 freebsd mpd: [pptp1] LCP: LayerUp
    Nov 15 12:19:13 freebsd mpd: [pptp1] CHAP: sending CHALLENGE
    Nov 15 12:19:13 freebsd mpd: [pptp1] CHAP: rec'd RESPONSE #2
    Nov 15 12:19:13 freebsd mpd: Name: "gmarco"
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusAddServer Adding
    172.16.33.236
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP
    (MSOFTv2) peer name: gmarco
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusSendRequest:
    RAD_ACCESS_ACCEPT for user gmarco
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams:
    RAD_FRAMED_PROTOCOL: 2
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusPutAuth: RADIUS_CHAP
    (MSOFTv2) peer name: gmarco
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusSendRequest:
    RAD_ACCESS_ACCEPT for user gmarco
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams:
    RAD_FRAMED_PROTOCOL: 2
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams:
    RAD_FRAMED_PROTOCOL: 1
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams:
    RAD_FRAMED_IP_ADDRESS: 192.168.79.253
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams:
    RAD_FRAMED_IP_NETMASK: 255.255.255.255
    Nov 15 12:19:13 freebsd mpd: [pptp1] RADIUS: RadiusGetParams: PANIC no
    MS-CHAPv2 response received
    Nov 15 12:19:13 freebsd mpd: Peer name: "gmarco"
    Nov 15 12:19:13 freebsd mpd: Can't get credentials for "gmarco"
    Nov 15 12:19:13 freebsd mpd: [pptp1] CHAP: sending FAILURE
    Nov 15 12:19:13 freebsd mpd: [pptp1] LCP: authorization failed
    Nov 15 12:19:13 freebsd mpd: [pptp1] device: CLOSE event in state UP
    Nov 15 12:19:13 freebsd mpd: pptp0-0: clearing call
    Nov 15 12:19:13 freebsd mpd: pptp0-0: killing channel
    Nov 15 12:19:13 freebsd mpd: [pptp1] PPTP call terminated
    Nov 15 12:19:13 freebsd mpd: [pptp1] IFACE: Close event
    Nov 15 12:19:13 freebsd mpd: [pptp1] IPCP: Close event
    Nov 15 12:19:13 freebsd mpd: [pptp1] IPCP: state change Starting --> Initial
    Nov 15 12:19:13 freebsd mpd: [pptp1] IPCP: LayerFinish
    Nov 15 12:19:13 freebsd mpd: [pptp1] IFACE: Close event
    Nov 15 12:19:13 freebsd mpd: pptp0: closing connection with
    xxx.xxx.xxx.xxx:56888
    Nov 15 12:19:13 freebsd mpd: [pptp1] IFACE: Close event
    Nov 15 12:19:13 freebsd mpd: [pptp1] device is now in state CLOSING
    Nov 15 12:19:13 freebsd mpd: [pptp1] bundle: CLOSE event in state OPENED
    [...]
    ---> end <---

    mpd.links

    ---> begin <---
    pptp1:
             set link type pptp
             set pptp self yyy.yyy.yyy.yyy
             set pptp enable incoming
             set pptp disable originate

    [...]

    ---> end <---

    I have an empty mpd.secrets

    ### FreeRadius ####

    The (freeradius) users relevant part is:

    ---> begin <---
    gmarco Auth-Type := MS-CHAP, User-Password == "mypwd"
             Service-Type = Framed-User,
             Framed-Protocol = PPP,
             Framed-IP-Address = 192.168.79.253,
             Framed-IP-Netmask = 255.255.255.255,
    ---> end <---

    and I have in the freeradius radius.conf:

    ---> begin <---
    [...]
             mschap {
                     authtype = MS-CHAP
                     use_mppe = yes
                     require_encryption = yes
                     require_strong = yes
             }
    [...]
    authorize {
             preprocess
             suffix
             files
             mschap
    }

    authenticate {
             authtype MS-CHAP {
                     mschap
             }
    }
    ---> end <---

    freeradius instead claims that everything is fine:

    ---> radius.log <---
    Sat Nov 15 12:23:03 2003 : Auth: Login OK: [gmarco/<no User-Password
    attribute>] (from client freebsd port 0 cli xxx.xxx.xxx.xxx)
    ---> end <---

    ---> detail <---
    Sat Nov 15 11:06:24 2003
             NAS-Identifier = "freebsd.mydomain.it"
             NAS-IP-Address = 172.16.16.239
             NAS-Port = 0
             NAS-Port-Type = Virtual
             Service-Type = Framed-User
             Framed-Protocol = PPP
             Calling-Station-Id = "xxx.xxx.xxx.xxx"
             User-Name = "gmarco"
             Framed-IP-Address = 192.168.79.253
             Acct-Status-Type = Start
             Acct-Session-Id = "8890553-pptp1"
             Acct-Multi-Session-Id = "8890553-pptp1"
             Acct-Link-Count = 1
             Acct-Authentic = RADIUS
             Timestamp = 1068890784

    Sat Nov 15 11:07:04 2003
             NAS-Identifier = "freebsd.mydomain.it"
             NAS-IP-Address = 172.16.16.239
             NAS-Port = 0
             NAS-Port-Type = Virtual
             Service-Type = Framed-User
             Framed-Protocol = PPP
             Calling-Station-Id = "xxx.xxx.xxx.xxx"
             User-Name = "gmarco"
             Framed-IP-Address = 192.168.79.253
             Acct-Status-Type = Stop
             Acct-Session-Id = "8890553-pptp1"
             Acct-Multi-Session-Id = "8890553-pptp1"
             Acct-Link-Count = 1
             Acct-Authentic = RADIUS
             Acct-Terminate-Cause = User-Request
             Acct-Session-Time = 60
             Acct-Input-Octets = 5055
             Acct-Input-Packets = 55
             Acct-Output-Octets = 4132
             Acct-Output-Packets = 47
             Timestamp = 1068890824

    ---> end <---

    If I use an mpd.secret like this for example:

    ---> begin <---
    gmarco mypwd 192.168.78.100
    ---> end <---

    I get authenticated but I receive a lot of errors like these:

    ---> begin <---
    [pptp1] rec'd unexpected protocol COMPD on link 0
    [pptp1] CCP: rec'd Configure Request #3 link 0 (Ack-Sent)
      MPPC
        0x010000e0: MPPE, 40 bit, 56 bit, 128 bit, stateless
    [pptp1] CCP: Checking wether 40 bits are acceptable -> yes
    [pptp1] CCP: Checking wether 56 bits are acceptable -> no
    [pptp1] CCP: Checking wether 128 bits are acceptable -> yes
    [pptp1] CCP: SendConfigNak #3
      MPPC
        0x01000040: MPPE, 128 bit, stateless
    [pptp1] CCP: state change Ack-Sent --> Req-Sent
    [pptp1] CCP: rec'd Configure Ack #6 link 0 (Req-Sent)
      MPPC
        0x01000040: MPPE, 128 bit, stateless
    [pptp1] CCP: state change Req-Sent --> Ack-Rcvd
    [pptp1] rec'd unexpected protocol COMPD on link 0
    [pptp1] CCP: rec'd Configure Request #3 link 0 (Ack-Rcvd)
      MPPC
        0x010000e0: MPPE, 40 bit, 56 bit, 128 bit, stateless
    [pptp1] CCP: Checking wether 40 bits are acceptable -> yes
    [pptp1] CCP: Checking wether 56 bits are acceptable -> no
    [pptp1] CCP: Checking wether 128 bits are acceptable -> yes
    [pptp1] CCP: SendConfigNak #3
      MPPC
        0x01000040: MPPE, 128 bit, stateless
    [pptp1] CCP: rec'd Configure Request #4 link 0 (Ack-Rcvd)
      MPPC
        0x01000040: MPPE, 128 bit, stateless
    [pptp1] CCP: Checking wether 128 bits are acceptable -> yes
    [pptp1] CCP: SendConfigAck #4
      MPPC
        0x01000040: MPPE, 128 bit, stateless
    [pptp1] CCP: state change Ack-Rcvd --> Opened
    [pptp1] CCP: LayerUp
       Compress using: MPPE, 128 bit, stateless
    Decompress using: MPPE, 128 bit, stateless
    [pptp1] setting interface ng0 MTU to 1436 bytes
    [pptp1] rec'd unexpected protocol 0x4409 on link -1, rejecting
    [pptp1] rec'd unexpected protocol 0x0099 on link -1, rejecting
    [pptp1] rec'd unexpected protocol 0x0091 on link -1, rejecting
    [pptp1] rec'd proto 0xc867 on MP link! (ignoring)
    ---> end <---

    Everything seems fine if I remove the "load radius" line from mpd.conf and
    use only mpd.secret ...

    Any ideas/help are welcome ....

    Best Regards,
    Gianmarco Giovannelli , "Unix expert since yesterday"
    http://www.gufi.org/~gmarco

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
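An added example, not from the original post and not mpd's or FreeRADIUS's own code: the mpd log above ends with "PANIC no MS-CHAPv2 response received" right after the Access-Accept has been parsed for its Framed-* attributes. With MS-CHAPv2 a NAS cannot finish the exchange from a bare Access-Accept; RFC 2548 has the RADIUS server return the authenticator response the client must see in the MS-CHAP2-Success vendor-specific attribute (Microsoft vendor ID 311, sub-type 26), and the MPPE key material in MS-MPPE-Send-Key/MS-MPPE-Recv-Key. The Python below builds two Access-Accept packets locally (constructed for the example, not captured from the poster's server; the shared secret testing123 and the Framed-* values are the ones shown in the post), verifies each reply's Response Authenticator with the shared secret, and reports which Microsoft VSAs it carries, so the difference between a reply that has only Framed-* items and one that also carries MS-CHAP2-Success is visible.

```python
"""Decode a RADIUS Access-Accept and check what an MS-CHAPv2 NAS needs from it.

Constructed example: the packets are built locally, not captured from the
poster's server. Attribute numbers follow RFC 2865; the Microsoft
vendor-specific attributes follow RFC 2548 (vendor ID 311).
"""
import hashlib
import os
import struct

ACCESS_ACCEPT = 2
# RFC 2865 attribute types that appear in the posted reply
ATTR = {6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
        9: "Framed-IP-Netmask", 26: "Vendor-Specific"}
MICROSOFT = 311
# RFC 2548 sub-types a NAS needs to finish MS-CHAPv2 and bring up MPPE
MS_VSA = {2: "MS-CHAP-Error", 7: "MS-MPPE-Encryption-Policy",
          8: "MS-MPPE-Encryption-Types", 16: "MS-MPPE-Send-Key",
          17: "MS-MPPE-Recv-Key", 26: "MS-CHAP2-Success"}


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def ms_vsa(sub_type, value):
    """Vendor-Specific (26) wrapping one Microsoft sub-attribute."""
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return tlv(26, struct.pack("!I", MICROSOFT) + inner)


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept with a valid Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def check_mschapv2_accept(packet, request_auth, secret):
    """Verify the reply against the shared secret and list its attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if len(packet) != length:
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    result = {"code": code, "ident": ident, "attrs": [], "ms_vsas": {},
              "authenticator_ok": expected == packet[4:20]}
    pos = 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        result["attrs"].append(ATTR.get(t, t))
        # Vendor-Specific: 4-byte vendor ID, then vendor type/length/value
        if t == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MICROSOFT:
            sub_t, sub_l = value[4], value[5]
            result["ms_vsas"][MS_VSA.get(sub_t, sub_t)] = value[6:4 + sub_l]
        pos += l
    # RFC 2548 section 2.3.3: MS-CHAP2-Success is 1 byte Ident + "S=" + 40 hex digits
    success = result["ms_vsas"].get("MS-CHAP2-Success")
    result["mschap2_success_ok"] = (success is not None and len(success) == 43
                                    and success[1:3] == b"S=")
    return result


def demo():
    """Two replies: one with only the Framed-* items from the post, one that
    also carries the Microsoft VSAs an MS-CHAPv2 NAS needs."""
    secret = b"testing123"      # shared secret as shown in the posted mpd.conf
    req_auth = os.urandom(16)   # Request Authenticator of the Access-Request
    base = [tlv(6, struct.pack("!I", 2)),           # Service-Type = Framed-User
            tlv(7, struct.pack("!I", 1)),           # Framed-Protocol = PPP
            tlv(8, bytes([192, 168, 79, 253])),     # Framed-IP-Address
            tlv(9, bytes([255, 255, 255, 255]))]    # Framed-IP-Netmask
    bare = build_access_accept(1, req_auth, secret, base)
    full = build_access_accept(2, req_auth, secret, base + [
        ms_vsa(26, b"\x01S=" + b"0" * 40),          # MS-CHAP2-Success (dummy digits)
        ms_vsa(7, struct.pack("!I", 2)),            # Encryption-Policy: required
        ms_vsa(8, struct.pack("!I", 4)),            # Encryption-Types: 128-bit (S bit)
    ])
    return (check_mschapv2_accept(bare, req_auth, secret),
            check_mschapv2_accept(full, req_auth, secret))


if __name__ == "__main__":
    for label, r in zip(("framed-only", "with MS VSAs"), demo()):
        print(label, "auth ok:", r["authenticator_ok"],
              "MS-CHAP2-Success ok:", r["mschap2_success_ok"],
              "VSAs:", sorted(r["ms_vsas"]))
```

To check a live server, feed check_mschapv2_accept() a real Access-Accept captured with tcpdump -s0 udp port 1812 together with the Request Authenticator from the matching Access-Request. The MPPE keys are reported only as present, not decoded, because they are salt-encrypted under the shared secret (RFC 2548 section 2.4.2).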

