(RADIATOR) MS-MPPE-RECV-send

Hugh Irvine hugh at open.com.au
Sun Jul 25 18:52:09 CDT 2004


Hello Judy -

You can only use variations of PAP.

regards

Hugh


On 26 Jul 2004, at 08:04, J.Angel at herts.ac.uk wrote:

> On Jul 24 2004, Hugh Irvine wrote:
>
>> Hello Judy -
>> You cannot use MS-CHAP(v2) with any form of encrypted password - you   
>> must have access to the cleartext password.
>> See section 13.1.2 in the Radiator 3.9 reference manual   
>> ("doc/ref.html").
>
> Which authentication/encryption options are available if I wish to
> authenticate with a unix pam password?
>
> thanks
>
> judy angel
> University of Hertfordshire
>> regards
>> Hugh
>> On 23 Jul 2004, at 21:40, Judy Angel wrote:
>> >
>> >
>> > --On 13 July 2004 09:07 +1000 Hugh Irvine <hugh at open.com.au> wrote:
>> >
>> >>
>> >> Hello Judy -
>> >>
>> >> MS-CHAPv2 expects to use the complete username string when checking the
>> >> password.
>> >>
>> >> I suggest you remove the RewriteUsername and change "judyblue" to
>> >> "judyblue@pptp" in the users file.
>> >
>> >
>> > I am trying to authenticate against a nis+/pam unix server.
>> >
>> > I have installed radius on another unix server that shared the nis+
>> > password file, now the userid is without the realm, but this still
>> > does not work from pptp client. Is what I want to use not possible?
>> >
>> > thanks
>> >
>> > judy angel
>> >
>> >
>> > <Realm DEFAULT>
>> >        <AuthBy PAM>
>> >                # generate MPPE keys to encrypt pptp vpns
>> >                AutoMPPEKeys Yes
>> >
>> >        </AuthBy>
>> > </Realm>
>> >
>> > Fri Jul 23 12:35:50 2004: DEBUG: Finished reading configuration file './goodies/kumbha.cfg
>> >
>> > Fri Jul 23 12:35:50 2004: DEBUG: Reading dictionary file './dictionary'
>> > Fri Jul 23 12:35:51 2004: DEBUG: Creating authentication port 0.0.0.0:1645
>> > Fri Jul 23 12:35:51 2004: DEBUG: Creating accounting port 0.0.0.0:1646
>> > Fri Jul 23 12:35:51 2004: NOTICE: Server started: Radiator 3.9 on kumbha
>> > Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
>> > *** Received from 147.197.200.100 port 32768 ....
>> > Code:       Access-Request
>> > Identifier: 149
>> > Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
>> > Attributes:
>> >       Service-Type = Framed-User
>> >       Framed-Protocol = PPP
>> >       User-Name = "ccsqja"
>> >       MS-CHAP-Challenge = "<148><242><201><146>l<132>  >  
>> <242>X<218>8<158><154><168>/l"
>> >       MS-CHAP2-Response =  >  
>> "<1><0><217><160><250><139><175>9<229>`<138>_<207><187>1<190><
>> >  
>> 06><237><0><0><0><0><0><0><0><0><23>mq9Fq<235><221>w<13><253><145>ZV6< 
>> 1 > 96><
>> > 30><187>%<240>
>> > 204>'<21><200>"
>> >       NAS-IP-Address = 147.197.200.100
>> >       NAS-Port = 0
>> >
>> > Fri Jul 23 12:36:08 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>> > Fri Jul 23 12:36:08 2004: DEBUG:  Deleting session for ccsqja, 147.197.200.100, 0
>> > Fri Jul 23 12:36:08 2004: DEBUG: Handling with PAM service login
>> > Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
>> > *** Received from 147.197.200.100 port 32768 ....
>> > Code:       Access-Request
>> > Identifier: 149
>> > Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
>> > Attributes:
>> >       Service-Type = Framed-User
>> >       Framed-Protocol = PPP
>> >       User-Name = "ccsqja"
>> >       MS-CHAP-Challenge = "<148><242><201><146>l<132>  >  
>> <242>X<218>8<158><154><168>/l"
>> >       MS-CHAP2-Response =  >  
>> "<1><0><217><160><250><139><175>9<229>`<138>_<207><187>1<190><
>> >  
>> 06><237><0><0><0><0><0><0><0><0><23>mq9Fq<235><221>w<13><253><145>ZV6< 
>> 1 > 96><
>> > 30><187>%<240>
>> > 204>'<21><200>"
>> >       NAS-IP-Address = 147.197.200.100
>> >       NAS-Port = 0
>> >
>> > Fri Jul 23 12:36:08 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>> > Fri Jul 23 12:36:08 2004: DEBUG:  Deleting session for ccsqja, 147.197.200.100, 0
>> > Fri Jul 23 12:36:08 2004: DEBUG: Handling with PAM service login
>> > Fri Jul 23 12:36:08 2004: DEBUG: PAM is asking for 1: 'Password'
>> > Fri Jul 23 12:36:08 2004: INFO: Access rejected for ccsqja: Authentication failed:
>> > Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
>> > *** Sending to 147.197.200.100 port 32768 ....
>> > Code:       Access-Reject
>> > Identifier: 149
>> > Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
>> > Attributes:
>> >       Reply-Message = "Request Denied"
>> >
>> > Fri Jul 23 12:36:08 2004: DEBUG: PAM is asking for 1: 'Password'
>> > Fri Jul 23 12:36:08 2004: INFO: Access rejected for ccsqja: Authentication failed:
>> > Fri Jul 23 12:36:08 2004: DEBUG: Packet dump:
>> > *** Sending to 147.197.200.100 port 32768 ....
>> > Code:       Access-Reject
>> > Identifier: 149
>> > Authentic:  V4kO<224><134><212><224>k<210>#w<132>"n<246>
>> > Attributes:
>> >       Reply-Message = "Request Denied"
>> >
>> >
>> >>
>> >> regards
>> >>
>> >> Hugh
>> >>
>> >>
>> >> On 12 Jul 2004, at 22:13, Judy Angel wrote:
>> >>
>> >>>
>> >>>
>> >>> --On 10 July 2004 17:10 +1000 Hugh Irvine <hugh at open.com.au> wrote:
>> >>>
>> >>>>
>> >>>> Hello Judy -
>> >>>>
>> >>>> You should be able to use "AutoMPPEKeys" in your AuthBy module.
>> >>>>
>> >>>> See section 6.17.23 in the Radiator 3.9 reference manual
>> >>>> ("doc/ref.html").
>> >>>
>> >>> ok some progress,
>> >>>
>> >>> but if I test from the bluesocket with realm pptp or without it works,
>> >>> but not from a pptp microsoft client.
>> >>> The password is clear text in the users file
>> >>>
>> >>>
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Packet dump:
>> >>> *** Received from 147.197.200.100 port 32798 ....
>> >>> Code:       Access-Request
>> >>> Identifier: 111
>> >>> Authentic:  <194>w<14><164>$1<200><208><9><179><174><5><162><13><217>9
>> >>> Attributes:
>> >>>        Service-Type = Framed-User
>> >>>        Framed-Protocol = PPP
>> >>>        User-Name = "judyblue@pptp"
>> >>>        MS-CHAP-Challenge = "<186>5<192>wi<205><165>|+<235><132>J<158><222><249>5"
>> >>>        MS-CHAP2-Response =
>> >>> "<1><0><227><5><169>1<240><137>^<202><218>K<20>b@<144><152>`<0
>> >>>>  
>> <0><0><0><0><0><0><0><137>R<197><12>l<27>,L<249><136>dJ<26><153>)s<2  
>> >>>> 29
>> >>>> > G<1
>> >>> 49>!<246>j<186>
>> >>> <147>"
>> >>>        NAS-IP-Address = 147.197.200.100
>> >>>        NAS-Port = 0
>> >>>
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Handling request with Handler 'Realm=pptp'
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Rewrote user name to judyblue
>> >>> Mon Jul 12 12:57:12 2004: DEBUG:  Deleting session for judyblue@pptp, 147.197.200.100, 0
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Handling with Radius::AuthFILE:
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Radius::AuthFILE looks for match with judyblue
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
>> >>> Mon Jul 12 12:57:12 2004: INFO: Access rejected for judyblue: Bad Password
>> >>> Mon Jul 12 12:57:12 2004: DEBUG: Packet dump:
>> >>> *** Sending to 147.197.200.100 port 32798 ....
>> >>> Code:       Access-Reject
>> >>> Identifier: 111
>> >>> Authentic:  <194>w<14><164>$1<200><208><9><179><174><5><162><13><217>9
>> >>> Attributes:
>> >>>        Reply-Message = "Request Denied"
>> >>>
>> >>>
>> >>>
>> >>> users/....
>> >>>
>> >>> judyblue        Password = "xx"
>> >>>        Service-Type = Framed-User,
>> >>>         Framed-Protocol = PPP,
>> >>>         Framed-IP-Netmask = 255.255.255.255,
>> >>>         Framed-Routing = None,
>> >>>         Framed-MTU = 1500,
>> >>>         Framed-Compression = Van-Jacobson-TCP-IP,
>> >>>         Message-Authenticator = 0000000000000000,
>> >>>         MS-MPPE-Encryption-Policy = Encryption-Allowed,
>> >>>         MS-MPPE-Encryption-Types = Encryption-Any
>> >>>
>> >>>
>> >>> config..
>> >>>
>> >>>
>> >>>
>> >>> <Realm pptp>
>> >>>        RewriteUsername s/^([^@]+).*/$1/
>> >>>        <AuthBy FILE>
>> >>>                Filename ./users
>> >>>                # generate MPPE keys to encrypt pptp vpns
>> >>>                AutoMPPEKeys Yes
>> >>>        </AuthBy>
>> >>>         AcctLogFileName %L/detail
>> >>> </Realm>
>> >>>
>> >>>
>> >>> This is my first use of pptp, so I guess it is something basic that I
>> >>> am missing.
>> >>>
>> >>> Thanks
>> >>>
>> >>> Judy
>> >>>>
>> >>>> regards
>> >>>>
>> >>>> Hugh
>> >>>>
>> >>>>
>> >>>> On 10 Jul 2004, at 00:54, Judy Angel wrote:
>> >>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I have seen your question to Radiator
>> >>>>>
>> >>>>> "On Wednesday, Mar 5, 2003, at 00:32 Australia/Melbourne, baxter wrote:
>> >>>>>
>> >>>>>> I am using radiator to authenticate wireless users (from a bluesocket
>> >>>>>> wireless gateway) with the authentication going against an imap server
>> >>>>>> on our campus.  The problem I am having is that I can't seem to figure
>> >>>>>> out what I need to return on a pptp request.  The bluesocket people say
>> >>>>>> I need to get a "MS-MPPE-RECV-key" and a "MS-MPPE-RECV-send" but the
>> >>>>>> log from the radiator
>> >>>>> "
>> >>>>>
>> >>>>> I have exactly the same problem and am interested to know if that was
>> >>>>> solved. I can see no reply after the request for the trace. I would be
>> >>>>> very grateful if you tell me how you solved that problem.
>> >>>>>
>> >>>>> many thanks
>> >>>>>
>> >>>>> Judy Angel
>> >>>>> University of Hertfordshire
>> >>>>>
>> >>>>> --
>> >>>>> Archive at http://www.open.com.au/archives/radiator/
>> >>>>> Announcements on radiator-announce at open.com.au
>> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
>> >>>>> 'unsubscribe radiator' in the body of the message.
>> >>>>>
>> >>>>>
>> >>>>
>> >>>> NB: have you included a copy of your configuration file (no secrets),
>> >>>> together with a trace 4 debug showing what is happening?
>> >>>>
>> >>>> --
>> >>>> Radiator: the most portable, flexible and configurable RADIUS server
>> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> >>>> -
>> >>>> Nets: internetwork inventory and management - graphical, extensible,
>> >>>> flexible with hardware, software, platform and database independence.
>> >>>> -
>> >>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> >>>>

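
Why only PAP variants work against PAM, as an added example (not code from this thread or from Radiator): with PAP the server can undo the RFC 2865 User-Password hiding and re-hash the cleartext, while a challenge-response check needs the stored secret itself. RFC 1994 CHAP-MD5 stands in here for MS-CHAPv2, PBKDF2 stands in for the unix password hash, and every name and value is constructed.

```python
import hashlib
import hmac

def hide_pap(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: what the NAS places in User-Password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_pap(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the cleartext password from User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def one_way(password: bytes, salt: bytes) -> bytes:
    # Stand-in for the crypt() hash held behind PAM/NIS+; not reversible.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP: MD5(id || secret || challenge), secret = cleartext password.
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

# Constructed sample values.
SECRET, AUTH, SALT = b"shared-secret", bytes(range(16)), b"constructed-salt"
PASSWORD = b"correct horse battery"   # 21 bytes, so it spans two 16-byte blocks
STORED = one_way(PASSWORD, SALT)      # all that the unix password store keeps

def pap_login(hidden: bytes) -> bool:
    # PAP: the server recovers the cleartext, so it can re-hash and compare.
    candidate = unhide_pap(hidden, SECRET, AUTH)
    return hmac.compare_digest(one_way(candidate, SALT), STORED)

def chap_login_with_hash_only(ident: int, challenge: bytes, response: bytes) -> bool:
    # The server holds only STORED; using it as the CHAP secret never matches.
    return hmac.compare_digest(chap_response(ident, STORED, challenge), response)

if __name__ == "__main__":
    chal = bytes(range(16, 32))       # constructed challenge
    resp = chap_response(7, PASSWORD, chal)
    print("PAP against hash store: ", pap_login(hide_pap(PASSWORD, SECRET, AUTH)))
    print("CHAP against hash store:", chap_login_with_hash_only(7, chal, resp))
```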

