From: Frank W. <Fra...@ct...> - 2007-02-08 13:33:48
Hi Serge,
thanks, I begin to understand :-)
I have successfully tried the setup where pptp accesses MS IAS directly.
I have then modified the setup such that pptp -> local freeradius -> proxy to MS IAS based on the realm.
This is also working as expected, but for some reason the authentication on the IAS side fails. I believe I am very close to the solution, but not really there yet..... I think it could be related to the way the password is handled somewhere along the way... Please take a look at the logs below...
Thanks in advance for any hints,
Frank.
The event on the Windows server says:
----8<----
....
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
----8<---
I am absolutely positive that the credentials are OK, because when I change pptp back to accessing the IAS directly, it works.
Also, when I use radtest on the DL box, it works like a charm:
----8<---
testradius:~# radtest fweis whatever 127.0.0.1 1812 testing123
Sending Access-Request of id 87 to 127.0.0.1:1812
User-Name = "fweis"
User-Password = "whatever"
NAS-IP-Address = testradius
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=87, length=94
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-IP-Address = 172.16.0.111
Class = 0x366504570000013700010a00000201c74acc5a7feb5b0000000000000014
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
---8<---
The radius log says this:
---8<---
Sending Access-Request of id 2 to 10.0.0.2:1812
User-Name = "fweis"
User-Password = "whatever"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Proxy-State = 0x313134
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.0.0.2:1812, id=2, length=99
Proxy-State = 0x313134
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-IP-Address = 172.16.0.111
Class = 0x366704590000013700010a00000201c74acc5a7feb5b0000000000000016
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
---8<---
When I use the VPN client, the connection fails:
---8<---
Sending Access-Request of id 3 to 10.0.0.2:1812
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "fweis"
MS-CHAP-Challenge = 0xb82fba63c4b3bd8a737aebc4b64c269d
MS-CHAP2-Response = 0xc500blablabla
Calling-Station-Id = "10.0.108.1"
NAS-Identifier = "XX_NASPPP"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x313433
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 10.0.0.2:1812, id=3, length=47
Proxy-State = 0x313433
MS-CHAP-Error = "\000E=691 R=0 V=3"
---8<-----
On Tuesday 06 February 2007 13:54:52 Serge Leschinsky wrote:
> Hi Frank,
>
> Frank Weis wrote:
> > Hi,
> >
> > I have just found out that 'Portslave' is not checked in the default
> > config. That package contains radiusclient.
>
> Yes. But it's obsolete. It would be better if you did not use portslave at
> all.
>
> > We are effectively speaking about different things: I want to run
> > pptpd and radiusd on the DL box so I need the radiusclient stuff so pptpd
> > can talk to radius.
>
> Yes, I see. You can use the radius _plugin_ for pppd (it isn't the same as
> radiusclient). I sent configs exactly for such a case.
>
> > And I need the rlm_ modules (like rlm_ldap) so radius can
> > talk do my two AD servers.
>
> I see. But DL radius server (freeradius) can talk with IAS (MS radius
> server) without ldap module, I mean proxy mode of freeradius server...
>
> Sorry in advance, if I misunderstood something :-)
>
> --
> Serge
>
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
-- 
_______________________________________________
Centre de Technologie de l'Education
29 avenue John F. Kennedy
L-1855 Luxembourg-Kirchberg
email: Fra...@ct...
tél.: +352 478-5973
fax: +352 333797
_______________________________________________
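The two attribute types in the logs above behave differently when a RADIUS proxy sits between pptpd and IAS, and that difference is worth having in code. The following Python model is an added example written for this page; it is not code from the thread, from Devil-Linux or from FreeRADIUS, and it does not claim to be the cause of Frank's failure. It implements the RFC 2865 section 5.2 User-Password hiding (so a proxy can recover the clear text with the NAS secret and re-hide it with the home server's secret, which is why the radtest/PAP path succeeds on any hop with matching secrets), the RFC 2759 section 8.2 ChallengeHash that binds an MS-CHAPv2 response to the exact User-Name the client used (so a proxy that rewrites User-Name, for example by stripping a realm, makes the home server recompute a different value and answer E=691), and a parser for the MS-CHAP-Error string seen in the reject. The shared secrets, authenticators and the realm `example.com` are constructed sample values, not taken from the thread.

```python
import hashlib
import re

# Constructed sample values (not from the thread): hypothetical shared secrets
# and Request Authenticators used only to exercise the functions below.
NAS_SECRET = b"nas-secret"
HOME_SECRET = b"ias-secret"
NAS_AUTH = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
PROXY_AUTH = bytes.fromhex("f0e0d0c0b0a090807060504030201000")


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 section 5.2: pad to a multiple of 16,
    then XOR each block with MD5(secret + previous cipher block), the first
    block being keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing NUL padding is stripped
    (so a password that itself ends in NUL bytes cannot be recovered exactly)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def proxy_pap(hidden: bytes, nas_secret: bytes, nas_auth: bytes,
              home_secret: bytes, proxy_auth: bytes) -> bytes:
    """What a RADIUS proxy does with a PAP request: recover the clear text with
    the NAS-side secret and hide it again under the home server's secret and the
    proxy's own Request Authenticator. Any password survives this hop by hop."""
    clear = radius_unhide_password(hidden, nas_secret, nas_auth)
    return radius_hide_password(clear, home_secret, proxy_auth)


def mschap2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                           user_name: bytes) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the 8-byte value the NT-Response
    is computed over. User-Name is an input, so the home server must see
    exactly the name the client hashed; the proxy cannot recompute the
    response because it never sees the password."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]


def mschap2_survives_proxy(peer_challenge: bytes, auth_challenge: bytes,
                           name_at_client: bytes, name_forwarded: bytes) -> bool:
    """True only if the proxy forwarded the same User-Name the client used.
    A realm strip such as user@realm -> user changes the hash input."""
    return (mschap2_challenge_hash(peer_challenge, auth_challenge, name_at_client)
            == mschap2_challenge_hash(peer_challenge, auth_challenge, name_forwarded))


MSCHAP_ERRORS = {  # RFC 2759 section 6 error codes
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}


def parse_mschap_error(value: bytes) -> dict:
    """Parse an MS-CHAP-Error attribute (RFC 2548 section 2.1.6): one Ident
    byte followed by 'E=eeeeeeeeee R=r C=cccc... V=vvvvvvvvvv M=<msg>'."""
    ident, text = value[0], value[1:].decode("ascii", "replace")
    fields = dict(re.findall(r"\b([ERCV])=([0-9A-Fa-f]+)", text))
    code = int(fields["E"])
    msg = re.search(r"\bM=(.*)$", text)
    return {
        "ident": ident,
        "E": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry": fields.get("R") == "1",
        "V": int(fields.get("V", "2")),  # 3 means the MS-CHAPv2 error format
        "message": msg.group(1) if msg else None,
    }


if __name__ == "__main__":
    hidden = radius_hide_password(b"whatever", NAS_SECRET, NAS_AUTH)
    rehidden = proxy_pap(hidden, NAS_SECRET, NAS_AUTH, HOME_SECRET, PROXY_AUTH)
    print("PAP via proxy:", radius_unhide_password(rehidden, HOME_SECRET, PROXY_AUTH))
    pc, ac = bytes(range(16)), bytes(range(16, 32))  # constructed challenges
    print("same name:", mschap2_survives_proxy(pc, ac, b"fweis", b"fweis"))
    print("realm stripped:", mschap2_survives_proxy(pc, ac, b"fweis@example.com", b"fweis"))
    print(parse_mschap_error(b"\x00E=691 R=0 V=3"))
```

The check a practitioner would run against a setup like the one in the thread is the last two prints: compare the User-Name the pptpd client actually sent with the User-Name in the proxied Access-Request, since for MS-CHAPv2 they must be byte-for-byte identical, whereas for PAP any rewrite is harmless.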