From: Serge L. <fi...@in...> - 2007-02-08 14:47:27
Hi Frank,

Probably the root cause is in the realm syntax. Allowed realm formats are:

    username@realm
    realm/username
    username%realm
    realm\username

The realm syntax is defined via the realm module config in radiusd.conf.
When you use radtest, your request is processed by the config section with
realm NULL (try to execute the following:

    radtest fweis@realm whatever 127.0.0.1 1812 testing123

). So, I believe the problem is in the proxy.conf. May I ask you to show me
the file? And, maybe, the realm module from radiusd.conf...

PS. Try to run freeradius as "radiusd -x".

--
Serge

Frank Weis wrote:
> Hi Serge,
>
> thanks, I begin to understand :-)
>
> I have successfully tried the setup where pptp accesses MS IAS directly.
>
> I have then modified the setup such that pptp->local freeradius->proxy to MS
> IAS based on the realm.
>
> This is also working as expected, but for some reason the authentication on
> the IAS side fails. I believe I am very close to the solution, but not really
> there yet..... I think it could be related to the way the password is
> handled somewhere along the way... Please take a look at the logs below...
>
> Thanks in advance for any hints,
>
> Frank.
>
> The event on the Windows server says:
> ----8<----
>
> ....
> Authentication-Type = MS-CHAPv2
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = Authentication was not successful because an unknown user name or
> incorrect password was used.
> ----8<---
>
> I am absolutely positive that the credentials are OK because when I change
> back pptp to access the IAS directly it works.
>
> Also, when I use radtest on the DL box, it works like a charm:
> ----8<---
> testradius:~# radtest fweis whatever 127.0.0.1 1812 testing123
> Sending Access-Request of id 87 to 127.0.0.1:1812
>         User-Name = "fweis"
>         User-Password = "whatever"
>         NAS-IP-Address = testradius
>         NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=87, length=94
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Framed-IP-Address = 172.16.0.111
>         Class = 0x366504570000013700010a00000201c74acc5a7feb5b0000000000000014
>         MS-MPPE-Encryption-Policy = 0x00000002
>         MS-MPPE-Encryption-Types = 0x0000000e
> ---8<---
>
> The radius log says this:
> Sending Access-Request of id 2 to 10.0.0.2:1812
>         User-Name = "fweis"
>         User-Password = "whatever"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1812
>         Proxy-State = 0x313134
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Accept packet from host 10.0.0.2:1812, id=2, length=99
>         Proxy-State = 0x313134
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Framed-IP-Address = 172.16.0.111
>         Class = 0x366704590000013700010a00000201c74acc5a7feb5b0000000000000016
>         MS-MPPE-Encryption-Policy = 0x00000002
>         MS-MPPE-Encryption-Types = 0x0000000e
> ---8<---
>
> When I use the VPN client, the connection fails:
>
> ---8<---
> Sending Access-Request of id 3 to 10.0.0.2:1812
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "fweis"
>         MS-CHAP-Challenge = 0xb82fba63c4b3bd8a737aebc4b64c269d
>         MS-CHAP2-Response = 0xc500blablabla
>         Calling-Station-Id = "10.0.108.1"
>         NAS-Identifier = "XX_NASPPP"
>         NAS-Port = 0
>         NAS-IP-Address = 127.0.0.1
>         Proxy-State = 0x313433
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Reject packet from host 10.0.0.2:1812, id=3, length=47
>         Proxy-State = 0x313433
>         MS-CHAP-Error = "\000E=691 R=0 V=3"
>
> ---8<-----
>
> On Tuesday 06 February 2007 13:54:52 Serge Leschinsky wrote:
>> Hi Frank,
>>
>> Frank Weis wrote:
>>> Hi,
>>>
>>> I have just found out that 'Portslave' is not checked in the default
>>> config. That package contains radiusclient.
>> Yes. But it's obsolete. It would be better if you do not use portslave at
>> all.
>>
>>> We are effectively speaking about different things: I want to run
>>> pptpd and radiusd on the DL box so I need the radiusclient stuff so pptpd
>>> can talk to radius.
>> Yes, I see. You can use the radius _plugin_ for pppd (it isn't the same as
>> radiusclient). I sent configs exactly for such a case.
>>
>>> And I need the rlm_ modules (like rlm_ldap) so radius can
>>> talk to my two AD servers.
>> I see. But the DL radius server (freeradius) can talk with IAS (MS radius
>> server) without the ldap module, I mean the proxy mode of the freeradius
>> server...
>>
>> Sorry in advance, if I misunderstood something :-)
>>
>> --
>> Serge
>>
>> _______________________________________________
>> Devil-linux-discuss mailing list
>> Dev...@li...
>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
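As an added illustration (not code from the thread and not FreeRADIUS's own), this Python models the four realm layouts Serge lists, which decide whether a request lands in realm NULL or a named realm, and RFC 2759's ChallengeHash(), which takes the User-Name as input: a proxy can re-encrypt a PAP User-Password for the home server, but an MS-CHAPv2 response only verifies if the home server hashes the same User-Name the client used. The `nostrip` flag is modelled after the proxy.conf realm option of that name, and the PeerChallenge is constructed; the MS-CHAP-Challenge value is the one from Frank's log.

```python
import hashlib
from typing import Optional, Tuple

# The four user-name layouts Serge lists; 'suffix' = realm after the delimiter,
# 'prefix' = realm before it (mirrors rlm_realm's format = prefix|suffix).
REALM_FORMATS = (("suffix", "@"), ("prefix", "/"), ("suffix", "%"), ("prefix", "\\"))


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm); realm None means no delimiter, i.e. the NULL realm.

    A bare 'radtest fweis ...' request therefore lands in realm NULL, while
    'fweis@realm' is routed by the realm named after the '@'.
    """
    for fmt, delim in REALM_FORMATS:
        if delim not in user_name:
            continue
        if fmt == "suffix":                  # user@realm, user%realm
            user, realm = user_name.rsplit(delim, 1)
        else:                                # realm/user, realm\user
            realm, user = user_name.split(delim, 1)
        if user and realm:
            return user, realm
    return user_name, None


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8-byte challenge the NT-Response is built over.

    The User-Name is an input, so any rewrite of it between client and home
    server changes the challenge and the response can no longer verify.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    return hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()[:8]


def proxied_challenge_matches(sent_name: str, nostrip: bool) -> bool:
    """Would the home server derive the same challenge the client used?

    The client hashes the name it typed; the home server hashes the User-Name
    the proxy forwards, which is the stripped user unless nostrip is set.
    """
    peer = bytes(range(16))                                    # constructed PeerChallenge
    auth = bytes.fromhex("b82fba63c4b3bd8a737aebc4b64c269d")  # MS-CHAP-Challenge from the log
    user, realm = split_realm(sent_name)
    forwarded = sent_name if (nostrip or realm is None) else user
    return challenge_hash(peer, auth, sent_name) == challenge_hash(peer, auth, forwarded)
```

Running `proxied_challenge_matches("fweis@realm", nostrip=False)` returns False, which is the E=691 outcome IAS would report when the name it verifies against differs from the one the client hashed; the NULL-realm case ("fweis", as in the log) forwards the name unchanged.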