Help with freeRADIUS and PPTP authentication?

Ok, I have FreeRADIUS set up and working perfectly fine for winbox logins, I even have the groups working…

I am NOT using MySQL, just the users file. I cannot seem to get authentication to work for PPTP. I run radius in debug and get the following errors:

rad_recv: Access-Request packet from host xx.xx.xx.xx port 43984, id=95, length=176
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 85
NAS-Port-Type = Virtual
User-Name = "joshp"
Calling-Station-Id = "xx.xxx.xx.xx"
Called-Station-Id = "xx.xx.xx.xx"
MS-CHAP-Challenge = xxxxxxxxxxxxxx
MS-CHAP2-Response = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NAS-Identifier = "Niagara3"
NAS-IP-Address = xx.xx.xx.xx

Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "joshp", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP

Executing group from file /etc/raddb/sites-enabled/default

+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: joshp
[mschap] Told to do MS-CHAPv2 for joshp with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject

Executing group from file /etc/raddb/sites-enabled/default

+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> joshp
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 71.13.94.63 port 43984, id=95, length=176
Waiting to send Access-Reject to client Niagara2 port 43984 - ID: 95
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 71.13.94.63 port 43984, id=95, length=176
Waiting to send Access-Reject to client Niagara2 port 43984 - ID: 95
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 95 to 71.13.94.63 port 43984
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 95 with timestamp +12

No one? Nothing? Seems that the request is getting to the MT and the MT is polling the RADIUS server, so we got that far. What it looks like to me is that the mschap requests are not hitting the user file for authentication (not using sql). Help please.

Please show us the content of the /etc/raddb/sites-enabled/default file.

default.txt (18.7 KB)

Looks like my winbox requests are being authenticated CHAP but VPN connections from Windows machines will not authenticate CHAP. I imagine they are not sending cleartext passwords? Probably have to get them to connect MSCHAP2? I thought RADIUS is supposed to convert the cleartext password to use for MSCHAP, but that does not appear to be working. What am I missing?

Anyone?? Still never figured this out! Can’t find any related articles on how to do it.

Actually reading the radius debug output shows that you do not have a password for joshp in a format which is compatible with MS-CHAP.

It even tells you it needs a “Cleartext-Password”. So configure your users file to provide a “Cleartext-Password” value pair or configure your PPTP server to only allow PAP authentication.

Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: joshp
[mschap] Told to do MS-CHAPv2 for joshp with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
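
Added example (not part of the original posts, and not FreeRADIUS code): a small Python triage of debug output like the run quoted above, pulling out the selected Auth-Type, the users-file entries that matched, the rejecting module and the MS-CHAP-Error code. The sample log is constructed from lines of the kind shown in the thread; the function name `diagnose` and the report keys are assumptions made for this example.

```python
import re

# Constructed sample, trimmed from the kind of debug output quoted in the thread.
SAMPLE = """\
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Found Auth-Type = MSCHAP
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
MS-CHAP-Error = "\\001E=691 R=1"
"""

# E= codes carried in an MS-CHAPv2 failure message (RFC 2759).
MSCHAP_ERRORS = {
    646: "restricted logon hours", 647: "account disabled",
    648: "password expired", 649: "no dial-in permission",
    691: "authentication failure", 709: "changing password",
}

def diagnose(log):
    """Summarise why a request was rejected, from FreeRADIUS debug text."""
    r = {"auth_type": None, "users_entries": [], "rejected_by": None,
         "error": None, "retry_allowed": None, "findings": []}
    for line in log.splitlines():
        line = line.strip()
        if m := re.search(r"Found Auth-Type = (\S+)", line):
            r["auth_type"] = m.group(1)
        elif m := re.search(r"users: Matched entry (\S+) at line \d+", line):
            r["users_entries"].append(m.group(1))
        elif m := re.match(r"\++\[([\w.]+)\] returns reject", line):
            r["rejected_by"] = m.group(1)
        elif m := re.search(r"MS-CHAP-Error = .*E=(\d+) R=([01])", line):
            r["error"] = MSCHAP_ERRORS.get(int(m.group(1)), "unknown")
            r["retry_allowed"] = m.group(2) == "1"
        elif "No Cleartext-Password configured" in line:
            msg = "mschap has no Cleartext-Password to derive an NT-Password from"
            if msg not in r["findings"]:
                r["findings"].append(msg)
    # A request that only ever hit DEFAULT got no per-user check items.
    if r["users_entries"] and set(r["users_entries"]) == {"DEFAULT"}:
        r["findings"].append("only the DEFAULT users entry matched this request")
    return r

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Both findings point at the same place: the users file is not handing the mschap module a password it can use for this user.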