(RADIATOR) Make Radiator working with PPTPD
Hugh Irvine
hugh at open.com.au
Thu Aug 4 23:45:33 CDT 2005
Hello Chairul -
Unfortunately RFC 2548 only defines the Microsoft VSA's up to number 33.
You should find out from Microsoft what the definitions are for these
new VSA's.
When you find the definitions please send us a copy so we can add
them to the Radiator dictionary.
In the meantime you can add the following to the standard Radiator
dictionary:
# additional Microsoft VSA's (add after the existing ones)
VENDORATTR 311 MS-Bogus-34
34 string
VENDORATTR 311 MS-Bogus-35
35 string
The Radiator dictionary is the file called "dictionary" in the main
distribution directory.
You can add the definitions with any text editor.
regards
Hugh
On 5 Aug 2005, at 12:52, Chairul Anwar wrote:
> Hi,
> Yes finally I can get connected.
> But why this error comes out?
>
> Fri Aug 5 09:25:28 2005: ERR: Attribute number 35 (vendor 311) is not
> defined in your dictionary
>
>
> Here's the whole log:
>
> Fri Aug 5 09:25:28 2005: ERR: Attribute number 35 (vendor 311) is not
> defined in your dictionary
> Fri Aug 5 09:25:28 2005: ERR: Attribute number 34 (vendor 311) is not
> defined in your dictionary
> Fri Aug 5 09:25:28 2005: DEBUG: Packet dump:
> *** Received from 202.135.145.185 port 3009 ....
> Code: Access-Request
> Identifier: 1
> Authentic:
> r<247><142><186><208><12>U<153>1<202><188><236><183>><142><195>
> Attributes:
> Acct-Session-Id = "32"
> NAS-IP-Address = 202.135.145.185
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 129
> MS-RAS-Vendor = 311
> MS-RAS-Version = "MSRASV5.20"
> NAS-Port-Type = Virtual
> Tunnel-Type = 0:PPTP
> Tunnel-Medium-Type = 0:IP
> Calling-Station-Id = "202.135.5.24"
> Tunnel-Client-Endpoint = 202.135.5.24
> User-Name = "sistelindo"
> MS-CHAP-Challenge = <8><217><162>?u,<13>g1FO<19><150>)
> <249><150>
> MS-CHAP2-Response =
> <0><0><254><219><7>P<168><252><147>w<154>
> $<250><238>C<155><142>_<0><0><0><0>
> <0><0><0><0><241><20>F<149><220><163>oyx&s?
> <170><139>l<1><176>I<188><250>Y<2
> 55>g<18>
> Message-Authenticator =
> <203><227><183><18>2<30><192><28>Q-[c<250>\<13>\
>
> Fri Aug 5 09:25:28 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 5 09:25:28 2005: DEBUG: Deleting session for sistelindo,
> 202.135.145.185, 129
> Fri Aug 5 09:25:28 2005: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 5 09:25:28 2005: DEBUG: Reading users file ./users
> Fri Aug 5 09:25:28 2005: DEBUG: Radius::AuthFILE looks for match with
> sistelindo
> Fri Aug 5 09:25:28 2005: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Aug 5 09:25:28 2005: DEBUG: AuthBy FILE result: ACCEPT,
> Fri Aug 5 09:25:28 2005: DEBUG: Access accepted for sistelindo
> Fri Aug 5 09:25:28 2005: DEBUG: Packet dump:
> *** Sending to 202.135.145.185 port 3009 ....
> Code: Access-Accept
> Identifier: 1
> Authentic:
> r<247><142><186><208><12>U<153>1<202><188><236><183>><142><195>
> Attributes:
> MS-CHAP2-Success =
> "<0>S=FFB1C819B95DA7B39C78A71AF76D0DBA1E61B8F3"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
>
> Fri Aug 5 09:25:30 2005: ERR: Attribute number 35 (vendor 311) is not
> defined in your dictionary
> Fri Aug 5 09:25:30 2005: ERR: Attribute number 34 (vendor 311) is not
> defined in your dictionary
> Fri Aug 5 09:25:30 2005: DEBUG: Packet dump:
> *** Received from 202.135.145.185 port 3010 ....
> Code: Accounting-Request
> Identifier: 1
> Authentic: ~<180><129><230>}}9<22><138><156>$"<24><149><183>x
> Attributes:
> Acct-Status-Type = Start
> Acct-Delay-Time = 0
> NAS-IP-Address = 202.135.145.185
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 129
> MS-RAS-Vendor = 311
> MS-RAS-Version = "MSRASV5.20"
> NAS-Port-Type = Virtual
> Tunnel-Type = 0:PPTP
> Tunnel-Medium-Type = 0:IP
> Calling-Station-Id = "202.135.5.24"
> Tunnel-Client-Endpoint = 202.135.5.24
> Acct-Session-Id = "32"
> User-Name = "sistelindo"
> Framed-IP-Address = 192.168.1.102
> Framed-MTU = 1500
> Acct-Multi-Session-Id = "1"
> Acct-Link-Count = 1
> Event-Timestamp = 1123208904
> Acct-Authentic = RADIUS
> MS-MPPE-Encryption-Types = 0
>
> Fri Aug 5 09:25:30 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 5 09:25:30 2005: DEBUG: Adding session for sistelindo,
> 202.135.145.185, 129
> Fri Aug 5 09:25:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 5 09:25:30 2005: DEBUG: AuthBy FILE result: ACCEPT,
> Fri Aug 5 09:25:30 2005: DEBUG: Accounting accepted
> Fri Aug 5 09:25:30 2005: DEBUG: Packet dump:
> *** Sending to 202.135.145.185 port 3010 ....
> Code: Accounting-Response
> Identifier: 1
> Authentic: ~<180><129><230>}}9<22><138><156>$"<24><149><183>x
> Attributes:
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Thursday, August 04, 2005 2:02 PM
> To: Chairul Anwar
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Make Radiator working with PPTPD
>
>
> Hello Chairul -
>
> Thanks for the additional information - I think you are almost there.
>
> As the debug message shows, to process MS-CHAPv2 you must install the
> Digest-MD4 module (available from CPAN).
>
> regards
>
> Hugh
>
>
> On 4 Aug 2005, at 16:41, Chairul Anwar wrote:
>
>
>> Hi I've tried the following step:
>>
>> 1. configure VPN on my windows 2003 and authenticate using windows
>> authentication.
>> 2. test dial with VPN client on Windows 2000 using PAP, MS-CHAP and
>> MS-CHAP
>> V2, all of them successfully connected.
>> 3. configure the VPN to authenticate to Radius using Internet
>> Authentication
>> Service (IAS) on windows 2003 and configure IAS to handle the VPN
>> Server as
>> its client.
>> 4. test dial using PAP, MS-CHAP and MS-CHAP V2, all of them
>> successfully
>> connected.
>> 5. configure radiator radius using step by step you've given (exept
>> for vpn
>> I'm using windows 2003 instead of pptpd)
>> 6. running rudpwtest successful with simple.cfg
>> 7. then I add in /etc/radiator/users:
>> sistelindo User-Password=XXXXXX
>> Service-Type = Framed-User,
>> Framed-Protocol = PPP,
>> Framed-IP-Netmask = 255.255.255.255,
>> Framed-Routing = None,
>> Framed-MTU = 1500,
>> Framed-Compression = Van-Jacobson-TCP-IP
>> 8. and I also add in /etc/radiator/radius.cfg:
>> <Client 202.135.145.185>
>> Secret XXXXXX
>> DupInterval 0
>> </Client>
>> 9. Then I run radiusd as your instructions before.
>> 10. I run my vpn client and found this error of radiator debug:
>>
>> Thu Aug 4 13:27:22 2005: ERR: Attribute number 35 (vendor 311) is
>> not
>> defined in your dictionary
>> Thu Aug 4 13:27:22 2005: ERR: Attribute number 34 (vendor 311) is
>> not
>> defined in your dictionary
>> Thu Aug 4 13:27:22 2005: DEBUG: Packet dump:
>> *** Received from 202.135.145.185 port 3132 ....
>> Code: Access-Request
>> Identifier: 5
>> Authentic:
>> <244><225>G<176><177><148><194><216><218><250>fv<213><197><<159>
>> Attributes:
>> Acct-Session-Id = "34"
>> NAS-Identifier = "MIKEM"
>> NAS-IP-Address = 202.135.145.185
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> NAS-Port = 129
>> MS-RAS-Vendor = 311
>> MS-RAS-Version = "MSRASV5.20"
>> NAS-Port-Type = Virtual
>> Tunnel-Type = 0:PPTP
>> Tunnel-Medium-Type = 0:IP
>> Calling-Station-Id = "202.135.5.48"
>> Tunnel-Client-Endpoint = 202.135.5.48
>> User-Name = "sistelindo"
>> MS-CHAP-Challenge =
>> <143>wZ"<170><161><177><152><167><7><232><147><244><193>:<207>
>> MS-CHAP2-Response =
>> <0><0>!I<254><184>PoW<131><16>Q
>> \<212><247><231><138><189><0><0><0><0><0><0><
>> 0><0><198><157>F<16>3<178><135><198><134><19>3<220>i<207>W<172><188>k
>> <
>> 238><1
>> 84>(/<228><157>
>> Message-Authenticator =
>> <155><158>sA<147>I<23>2<21><241><134><227><15><3>@A
>>
>> Thu Aug 4 13:27:22 2005: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Thu Aug 4 13:27:22 2005: DEBUG: Deleting session for sistelindo,
>> 202.135.145.185, 129
>> Thu Aug 4 13:27:22 2005: DEBUG: Handling with Radius::AuthFILE:
>> Thu Aug 4 13:27:22 2005: DEBUG: Reading users file ./users
>> Thu Aug 4 13:27:22 2005: DEBUG: Radius::AuthFILE looks for match
>> with
>> sistelindo
>> Thu Aug 4 13:27:22 2005: ERR: Could not load Radius::MSCHAP to
>> handle an
>> MS-CHAP2 request: Can't locate Digest/MD4.pm in @INC (@INC
>> contains: .
>> /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5
>> /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4
>> /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
>> /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0
>> /usr/lib/perl5/site_perl
>> /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4
>> /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2
>> /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0
>> /usr/lib/perl5/vendor_perl .) at
>> /usr/lib/perl5/site_perl/5.8.5/Radius/MSCHAP.pm line 47.
>> BEGIN failed--compilation aborted at
>> /usr/lib/perl5/site_perl/5.8.5/Radius/MSCHAP.pm line 47.
>> Compilation failed in require at
>> /usr/lib/perl5/site_perl/5.8.5/Radius/AuthGeneric.pm line 631.
>>
>> Thu Aug 4 13:27:22 2005: DEBUG: Radius::AuthFILE REJECT: Bad
>> Password
>> Thu Aug 4 13:27:22 2005: DEBUG: AuthBy FILE result: REJECT, Bad
>> Password
>> Thu Aug 4 13:27:22 2005: INFO: Access rejected for sistelindo: Bad
>> Password
>> Thu Aug 4 13:27:22 2005: DEBUG: Packet dump:
>> *** Sending to 202.135.145.185 port 3132 ....
>> Code: Access-Reject
>> Identifier: 5
>> Authentic:
>> <244><225>G<176><177><148><194><216><218><250>fv<213><197><<159>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>> Please let me know what happened, and how to solve this....
>>
>> Thank you.
>>
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-
>> radiator at open.com.au] On
>> Behalf Of Hugh Irvine
>> Sent: Friday, July 29, 2005 2:21 PM
>> To: number_one at attglobal.net
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) Make Radiator working with PPTPD
>>
>>
>> Hello Chairul -
>>
>> To get started with radius I suggest you read the RADIUS RFC's (doc/
>> rfc2865.txt and doc/rfc2866.txt) and then read the Radiator reference
>> manual (doc/ref.html). Then you can do some simple experiments with
>> radpwtst (test utility) and goodies/simple.cfg.
>>
>> The steps involved for your application are as follows:
>>
>> 1. configure PPTP to do RADIUS authentication
>>
>> 2. configure PPTP radius to send radius requests to Radiator (IP
>> address / UDP port number / shared secret)
>>
>> 3. configure Radiator starting with "goodies/simple.cfg" (Client
>> clause to match point 2 above, Realm DEFAULT, AuthBy FILE)
>>
>> 4. run Radiator from the command line so you can see what is going
>> on:
>>
>> perl radiusd -foreground -log_stdout -trace 4 -
>> config_file .....
>>
>> 5. in a separate window run radpwtst to verify correct operation
>>
>> 6. then run VPN tests to PPTP
>>
>> At all stages check the trace 4 debug from Radiator so you can see
>> what is happening.
>>
>> hope this helps
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 29 Jul 2005, at 14:42, number_one at attglobal.net wrote:
>>
>>
>>
>>> Yes,
>>> I've tried it but still have problems getting authenticated.
>>>
>>> I said that wrong user id and password, but I'm sure I've put the
>>> right one.
>>> No documents for newbies on the net about how to configure
>>> freeradius
>>> correctly.
>>> And I've download radiator manual and cannot find the clues either.
>>> I'm new in this stuff, and I need step by step guide to make it
>>> running.
>>> Can Radiator provide it?
>>> It was very easy in configuring windows 2003 VPN to authenticate
>>> with
>>> windows radius (IAS) and also complete guide to make it happens.
>>> I've done it not more than 1 hour to configure it correctly using
>>> step by
>>> step guide from microsoft webpage.
>>>
>>> But it is very hard to make pptpd authenticate through Radiator or
>>> any
>>> linux based radius, because lacks of documents for newbies like
>>> me ... :(
>>>
>>> Chairul
>>>
>>>
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/
>> radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list