(RADIATOR) MS-MPPE-RECV-send

Hugh Irvine hugh at open.com.au
Fri Jul 23 23:15:09 CDT 2004


Hello Judy -

You cannot use MS-CHAP(v2) with any form of encrypted password - you  
must have access to the cleartext password.

See section 13.1.2 in the Radiator 3.9 reference manual  
("doc/ref.html").

regards

Hugh



On 23 Jul 2004, at 21:40, Judy Angel wrote:

>
>
> --On 13 July 2004 09:07 +1000 Hugh Irvine <hugh at open.com.au> wrote:
>
>>
>> Hello Judy -
>>
>> MS-CHAPv2 expects to use the complete username string when checking  
>> the
>> password.
>>
>> I suggest you remove the RewriteUsername and change "judyblue" to
>> "judyblue at pptp" in the users file.
>
>
> I am trying to authenticate against a nis+/pam unix server.
>
> I have installed radius on another unix server that shared the nis+  
> password file, now the userid is without the realm, but this still  
> does not work from pptp client. Is what I want to use not possible?
>
> thanks
>
> judy angel
>
>
> <Realm DEFAULT>
>        <AuthBy PAM>
>                # generate MPPE keys to encrypt pptp vpns
>                AutoMPPEKeys Yes
>
>        </AuthBy>
> </Realm>
>
> Fri Jul 23 12:35:50 2004: DEBUG: Finished reading configuration file './goodies/kumbha.cfg
>
> Fri Jul 23 12:35:50 2004: DEBUG: Reading dictionary file './dictionary'
> Fri Jul 23 12:35:51 2004: DEBUG: Creating authentication port 0.0.0.0:1645
> Fri Jul 23 12:35:51 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Jul 23 12:35:51 2004: NOTICE: Server started: Radiator 3.9 on kumbha
> Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
> *** Received from 147.197.200.100 port 32768 ....
> Code:       Access-Request
> Identifier: 149
> Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
> Attributes:
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       User-Name = "ccsqja"
>       MS-CHAP-Challenge = "<148><242><201><146>l<132>  
> <242>X<218>8<158><154><168>/l"
>       MS-CHAP2-Response =  
> "<1><0><217><160><250><139><175>9<229>`<138>_<207><187>1<190><
> 06><237><0><0><0><0><0><0><0><0><23>mq9Fq<235><221>w<13><253><145>ZV6<1 
> 96><
> 30><187>%<240>
> 204>'<21><200>"
>       NAS-IP-Address = 147.197.200.100
>       NAS-Port = 0
>
> Fri Jul 23 12:36:08 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Jul 23 12:36:08 2004: DEBUG:  Deleting session for ccsqja, 147.197.200.100, 0
> Fri Jul 23 12:36:08 2004: DEBUG: Handling with PAM service login
> Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
> *** Received from 147.197.200.100 port 32768 ....
> Code:       Access-Request
> Identifier: 149
> Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
> Attributes:
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       User-Name = "ccsqja"
>       MS-CHAP-Challenge = "<148><242><201><146>l<132>  
> <242>X<218>8<158><154><168>/l"
>       MS-CHAP2-Response =  
> "<1><0><217><160><250><139><175>9<229>`<138>_<207><187>1<190><
> 06><237><0><0><0><0><0><0><0><0><23>mq9Fq<235><221>w<13><253><145>ZV6<1 
> 96><
> 30><187>%<240>
> 204>'<21><200>"
>       NAS-IP-Address = 147.197.200.100
>       NAS-Port = 0
>
> Fri Jul 23 12:36:08 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Jul 23 12:36:08 2004: DEBUG:  Deleting session for ccsqja, 147.197.200.100, 0
> Fri Jul 23 12:36:08 2004: DEBUG: Handling with PAM service login
> Fri Jul 23 12:36:08 2004: DEBUG: PAM is asking for 1: 'Password'
> Fri Jul 23 12:36:08 2004: INFO: Access rejected for ccsqja: Authentication failed:
> Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
> *** Sending to 147.197.200.100 port 32768 ....
> Code:       Access-Reject
> Identifier: 149
> Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
> Attributes:
>       Reply-Message = "Request Denied"
>
> Fri Jul 23 12:36:08 2004: DEBUG: PAM is asking for 1: 'Password'
> Fri Jul 23 12:36:08 2004: INFO: Access rejected for ccsqja: Authentication failed:
> Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
> *** Sending to 147.197.200.100 port 32768 ....
> Code:       Access-Reject
> Identifier: 149
> Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
> Attributes:
>       Reply-Message = "Request Denied"
>
>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 12 Jul 2004, at 22:13, Judy Angel wrote:
>>
>>>
>>>
>>> --On 10 July 2004 17:10 +1000 Hugh Irvine <hugh at open.com.au> wrote:
>>>
>>>>
>>>> Hello Judy -
>>>>
>>>> You should be able to use "AutoMPPEKeys" in your AuthBy module.
>>>>
>>>> See section 6.17.23 in the Radiator 3.9 reference manual
>>>> ("doc/ref.html").
>>>
>>> ok some progress,
>>>
>>> but if I test from the bluesocket with realm pptp or without it  
>>> works,
>>> but not from a pptp microsoft client.
>>> The password is clear text in the users file
>>>
>>>
>>> Mon Jul 12 12:57:12 2004: DEBUG: Packet dump:
>>> *** Received from 147.197.200.100 port 32798 ....
>>> Code:       Access-Request
>>> Identifier: 111
>>> Authentic:   
>>> <194>w<14><164>$1<200><208><9><179><174><5><162><13><217>9
>>> Attributes:
>>>        Service-Type = Framed-User
>>>        Framed-Protocol = PPP
>>>        User-Name = "judyblue at pptp"
>>>        MS-CHAP-Challenge =
>>> "<186>5<192>wi<205><165>|+<235><132>J<158><222><249>5"
>>>        MS-CHAP2-Response =
>>> "<1><0><227><5><169>1<240><137>^<202><218>K<20>b@<144><152>`<0
>>>> <0><0><0><0><0><0><0><137>R<197><12>l<27>,L<249><136>dJ<26><153>)s<2 
>>>> 29
>>>> > G<1
>>> 49>!<246>j<186>
>>> <147>"
>>>        NAS-IP-Address = 147.197.200.100
>>>        NAS-Port = 0
>>>
>>> Mon Jul 12 12:57:12 2004: DEBUG: Handling request with Handler
>>> 'Realm=pptp'
>>> Mon Jul 12 12:57:12 2004: DEBUG: Rewrote user name to judyblue
>>> Mon Jul 12 12:57:12 2004: DEBUG:  Deleting session for judyblue at pptp,
>>> 147.197.200.100, 0
>>> Mon Jul 12 12:57:12 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jul 12 12:57:12 2004: DEBUG: Radius::AuthFILE looks for match  
>>> with
>>> judyblue
>>> Mon Jul 12 12:57:12 2004: DEBUG: Radius::AuthFILE REJECT: Bad  
>>> Password
>>> Mon Jul 12 12:57:12 2004: INFO: Access rejected for judyblue: Bad
>>> Password
>>> Mon Jul 12 12:57:12 2004: DEBUG: Packet dump:
>>> *** Sending to 147.197.200.100 port 32798 ....
>>> Code:       Access-Reject
>>> Identifier: 111
>>> Authentic:   
>>> <194>w<14><164>$1<200><208><9><179><174><5><162><13><217>9
>>> Attributes:
>>>        Reply-Message = "Request Denied"
>>>
>>>
>>>
>>> users/....
>>>
>>> judyblue        Password = "xx"
>>>        Service-Type = Framed-User,
>>>         Framed-Protocol = PPP,
>>>         Framed-IP-Netmask = 255.255.255.255,
>>>         Framed-Routing = None,
>>>         Framed-MTU = 1500,
>>>         Framed-Compression = Van-Jacobson-TCP-IP,
>>>         Message-Authenticator = 0000000000000000,
>>>         MS-MPPE-Encryption-Policy = Encryption-Allowed,
>>>         MS-MPPE-Encryption-Types = Encryption-Any
>>>
>>>
>>> config..
>>>
>>>
>>>
>>> <Realm pptp>
>>>        RewriteUsername s/^([^@]+).*/$1/
>>>        <AuthBy FILE>
>>>                Filename ./users
>>>                # generate MPPE keys to encrypt pptp vpns
>>>                AutoMPPEKeys Yes
>>>        </AuthBy>
>>>         AcctLogFileName %L/detail
>>> </Realm>
>>>
>>>
>>> This is my first use of pptp, so I guess it is something basic that I
>>> am missing.
>>>
>>> Thanks
>>>
>>> Judy
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 10 Jul 2004, at 00:54, Judy Angel wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have seen your question to Radiator
>>>>>
>>>>> "On Wednesday, Mar 5, 2003, at 00:32 Australia/Melbourne, baxter
>>>>> wrote:
>>>>>
>>>>>> I am using radiator to authenticate wireless users (from a
>>>>>> bluesocket
>>>>>> wireless gateway) with the authentication going against an imap
>>>>>> server
>>>>>> on
>>>>>> our campus.  The problem I am having is that I can't seem to  
>>>>>> figure
>>>>>> out what
>>>>>> I need to return on a pptp request.  The bluesocket people say I
>>>>>> need
>>>>>> to get
>>>>>> a "MS-MPPE-RECV-key" and a "MS-MPPE-RECV-send" but the log from  
>>>>>> the
>>>>>> radiator
>>>>> "
>>>>>
>>>>> I have exactly the same problem and am interested to know if that  
>>>>> was
>>>>> solved. I can see no reply after the request for the trace. I would
>>>>> be
>>>>> very grateful if you tell me how you solved that problem.
>>>>>
>>>>> many thanks
>>>>>
>>>>> Judy Angel
>>>>> University of Hertfordshire
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>>
>>>> NB: have you included a copy of your configuration file (no  
>>>> secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database  
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like  
>>>> systems.

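Added example, not part of the original thread and not Radiator's code: the MS-CHAP2-Response layout from RFC 2548 and the ChallengeHash step from RFC 2759, showing why a server that hashes a rewritten User-Name cannot reproduce the client's response. The function names are hypothetical, the vector is the RFC 2759 section 9.2 one, and the `@` in the thread's username is assumed from the RewriteUsername pattern.

```python
import hashlib

def parse_mschap2_response(value: bytes) -> dict:
    """Split an MS-CHAP2-Response attribute value (RFC 2548 section 2.3.2)."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(value)}")
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || authenticator || name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def rewrite_breaks_check(value, auth_challenge, name_on_wire, name_after_rewrite) -> bool:
    """True if hashing the rewritten name yields a different 8-byte challenge
    than the one the client used, so the 24-byte NT-Response cannot match."""
    peer = parse_mschap2_response(value)["peer_challenge"]
    return (challenge_hash(peer, auth_challenge, name_on_wire)
            != challenge_hash(peer, auth_challenge, name_after_rewrite))

# RFC 2759 section 9.2 test vector (UserName "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
# Constructed attribute value: Ident=1, Flags=0, peer challenge,
# 8 reserved zero bytes, then the 24-byte response.
SAMPLE_VALUE = bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + NT_RESPONSE

if __name__ == "__main__":
    print(challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "User").hex())
    # Names as in the thread's trace; the '@' separator is an assumption
    # (the archive renders it as " at ").
    print(rewrite_breaks_check(SAMPLE_VALUE, AUTH_CHALLENGE,
                               "judyblue@pptp", "judyblue"))
    # Checking nt_response itself also needs MD4 of the UTF-16LE password
    # (RFC 2759 NtPasswordHash), which a crypt()-style hash cannot provide.
```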