[pptp-server] pptpd+chapms+radius

Dragos DOBRE ddobre at deuroconsult.ro
Tue May 30 05:15:48 CDT 2000


James MacLean wrote:
> 
> > The server should authenticate the tunnels (users) via a Radius server.
> 
> The key to this hack is the radius server. Currently it _must_ be
> xtradius, and it _must_ use the checkmysql or whatever I called it :(. The
> reason being that it does send the wrong passwd, but the radius server
> sends back the magic NtHash which is used to do the rest.


OK, I have the xtradius server configured as described in the readme from
chap_crap-0.2/README:

That is, I have applied the patches to:

xtradius, ppp-2.3.11 and AuthAccount

My /etc/ppp/chap-secrets file looks like:

# client        server  secret                  IP addresses
*               *    !nothing        *

My hostname is eris.
The username/password pairs in MySQL are:

eris/parola
jambo/parola



From /var/log/messages

(logging in from 192.168.4.149 as jambo/parola)

May 30 13:02:21 eris pptpd[10900]: CTRL: Client 192.168.4.149 control
connection started
May 30 13:02:21 eris pptpd[10900]: CTRL: Starting call (launching pppd,
opening GRE)
May 30 13:02:21 eris pppd[10901]: client=NULL, server=eris, secret=NULL
May 30 13:02:21 eris pppd[10901]: client2=NULL, server=eris, secret=NULL
word=!nothing addrs=Ok
May 30 13:02:21 eris pppd[10901]: Trying Radius client=NULL, server=eris
devnam=/dev/pts/7
May 30 13:02:21 eris pppd[10901]: User eris:eris
May 30 13:02:21 eris pppd[10901]: S eris Return=1,
passwd=CF5228C5298773D96A40A2E55008531A 
May 30 13:02:21 eris pppd[10901]: client=NULL, server=eris, secret=NULL
May 30 13:02:21 eris pppd[10901]: HUH 192.168.30.11
May 30 13:02:21 eris pppd[10901]: pppd 2.3.11 started by root, uid 0
May 30 13:02:21 eris pppd[10901]: Using interface ppp0
May 30 13:02:21 eris pppd[10901]: Connect: ppp0 <--> /dev/pts/7
May 30 13:02:21 eris pppd[10901]: client=eris, server=NULL,
secret=¤÷ÿ¿¨÷ÿ¿
May 30 13:02:21 eris pppd[10901]: client=eris, server=NULL, secret=NULL
May 30 13:02:21 eris pppd[10901]: client2=eris, server=NULL, secret=NULL
word=!nothing addrs=Ok
May 30 13:02:21 eris pppd[10901]: Trying Radius client=eris, server=NULL
devnam=/dev/pts/7
May 30 13:02:21 eris pppd[10901]: Client sneaks in addr:192.168.30.11
May 30 13:02:21 eris pppd[10901]: C eris Return=1,
passwd=CF5228C5298773D96A40A2E55008531A
May 30 13:02:21 eris pppd[10901]: client=eris, server=NULL, secret=NULL
May 30 13:02:21 eris pppd[10901]: client=NULL, server=eris, secret=NULL
May 30 13:02:21 eris pppd[10901]: client2=NULL, server=eris, secret=NULL
word=!nothing addrs=Ok
May 30 13:02:21 eris pppd[10901]: Trying Radius client=NULL, server=eris
devnam=/dev/pts/7
May 30 13:02:21 eris pppd[10901]: Server sneaks in addr:192.168.30.11
May 30 13:02:21 eris pppd[10901]: S eris Return=1,
passwd=CF5228C5298773D96A40A2E55008531A 
May 30 13:02:21 eris pppd[10901]: client=NULL, server=eris, secret=NULL
May 30 13:02:21 eris pppd[10901]: HUH 192.168.30.11
May 30 13:02:22 eris pptpd[10900]: CTRL: Ignored a SET LINK INFO packet
with real ACCMs!
May 30 13:02:22 eris pppd[10901]: client=jambo, server=eris, secret=
May 30 13:02:22 eris pppd[10901]: client2=jambo, server=eris, secret=
word=!nothing addrs=Ok
May 30 13:02:22 eris pppd[10901]: Trying Radius client=jambo,
server=eris devnam=/dev/pts/7
May 30 13:02:22 eris pppd[10901]: Client sneaks in addr:192.168.30.11
May 30 13:02:22 eris pppd[10901]: C jambo Return=1,
passwd=CF5228C5298773D96A40A2E55008531A
May 30 13:02:22 eris pppd[10901]: client=jambo, server=eris,
secret=CF5228C5298773D96A40A2E55008531A
May 30 13:02:22 eris kernel: PPP BSD Compression module registered 
May 30 13:02:22 eris pppd[10901]: MSCHAP peer authentication succeeded
for jambo
May 30 13:02:22 eris pppd[10901]: Cannot determine ethernet address for
proxy ARP
May 30 13:02:22 eris pppd[10901]: local  IP address 10.10.10.1
May 30 13:02:22 eris pppd[10901]: remote IP address 192.168.30.11
May 30 13:02:55 eris pppd[10901]: CCP: timeout sending Config-Requests 

You may see that pppd goes to ask radius about the eris user, and not about
the jambo user!!!

That is the reason I've created 2 entries (eris and jambo) with the same
pass in the SQL database.

Radius authenticates the user eris!!!!! (192.168.30.11 is for user/tunnel
eris; for jambo it should be 192.168.30.7)

(/var/log/radius.log)

Tue May 30 13:02:21 2000: Debug: Exec-Program-Wait: value-pairs:
Callback-Number=CF5228C5298773D96A40A2E55008531A,Framed-IP-Address=192.168.30.11
Reply-Message=Authok,
Tue May 30 13:02:21 2000: Auth: Login OK: [eris/!nothing] (from nas
eris/S0)


So, why does auth.c from pppd try to send the wrong username/password
pairs?

I mean, if the user eris has a different password than jambo, radius.log
shows:

Tue May 30 10:51:56 2000: Auth: Login incorrect: [eris/!nothing] (from
nas eris/S0)
Tue May 30 10:51:57 2000: Auth: Login incorrect: [eris/!nothing] (from
nas eris/S0)
Tue May 30 10:51:59 2000: Auth: Login incorrect: [eris/!nothing] (from
nas eris/S0)
Tue May 30 10:52:00 2000: Auth: Login incorrect: [jambo/!nothing] (from
nas eris/S0)
Tue May 30 10:52:01 2000: Auth: Login incorrect: [eris/!nothing] (from
nas eris/S0)

The 4th time, auth sends the correct username but not the password.


Can someone help me with this?



> > Has anyone successfully installed all the above and does this work?
> 
> Only me I guess :).

/me is on the way :)
 
> James B. MacLean        macleajb at ednet.ns.ca

deep respect,
-- 
Dragos Adrian DOBRE
Network Systems Specialist
Deuroconsult Brasov, Romania
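
Added example, not part of the original post or of the chap_crap patches: a log cross-check for the symptom reported above, where pppd reports an MS-CHAP success for a peer that RADIUS never accepted under that name. It also counts lines that write a 32-hex-digit `passwd=`/`secret=` value (which the quoted reply calls the NtHash) into syslog; in MS-CHAP that hash is enough to compute a valid response, so such logs need the same protection as the password store. Matching by username only is an assumption; `audit` is a hypothetical helper name.

```python
import re

# Lines copied from the post's /var/log/messages and radius.log excerpts,
# with the mail client's hard line wraps rejoined; only relevant lines kept.
PPPD_LOG = """\
May 30 13:02:21 eris pppd[10901]: Trying Radius client=NULL, server=eris devnam=/dev/pts/7
May 30 13:02:21 eris pppd[10901]: S eris Return=1, passwd=CF5228C5298773D96A40A2E55008531A
May 30 13:02:22 eris pppd[10901]: Trying Radius client=jambo, server=eris devnam=/dev/pts/7
May 30 13:02:22 eris pppd[10901]: C jambo Return=1, passwd=CF5228C5298773D96A40A2E55008531A
May 30 13:02:22 eris pppd[10901]: client=jambo, server=eris, secret=CF5228C5298773D96A40A2E55008531A
May 30 13:02:22 eris pppd[10901]: MSCHAP peer authentication succeeded for jambo
May 30 13:02:22 eris pppd[10901]: remote IP address 192.168.30.11
"""
RADIUS_LOG = """\
Tue May 30 13:02:21 2000: Auth: Login OK: [eris/!nothing] (from nas eris/S0)
"""

# Patterns follow the message formats visible in the post's logs.
MSCHAP_OK = re.compile(r"pppd\[\d+\]: MSCHAP peer authentication succeeded for (\S+)")
RADIUS_OK = re.compile(r"Auth: Login OK: \[([^/\]]+)/")
HASH_FIELD = re.compile(r"\b(?:passwd|secret)=[0-9A-Fa-f]{32}\b")


def audit(pppd_log, radius_log):
    """Cross-check pppd's MS-CHAP successes against RADIUS accepts.

    Assumption: users are matched by name only; a production check would
    also correlate on time window and NAS port.
    """
    accepted = set(RADIUS_OK.findall(radius_log))
    peers = MSCHAP_OK.findall(pppd_log)
    return {
        # Names RADIUS actually logged as "Login OK".
        "radius_accepted": sorted(accepted),
        # Peers pppd let in although RADIUS never accepted that name.
        "unaccepted_peers": [p for p in peers if p not in accepted],
        # Number of syslog lines exposing a password-equivalent hash.
        "hash_lines": sum(
            1 for line in pppd_log.splitlines() if HASH_FIELD.search(line)
        ),
    }


if __name__ == "__main__":
    print(audit(PPPD_LOG, RADIUS_LOG))
```
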


