[pptp-server] pptpd+chapms+radius

Dragos DOBRE ddobre at deuroconsult.ro
Wed May 31 04:32:16 CDT 2000


James MacLean wrote:
> 
> My goal with this project was to use Xtradius to authenticate on the one
> side, not on both :(.


Sorry if I misled you all into this confusion!
Let me rephrase:
 

I have a tunnel server, hostname eris. It runs stock RH6.2
(today I'll update its kernel to 2.2.15, Linus tree), with pptpd
version 1.1.1 and PPP daemon v2.3.11. The ppp daemon is patched
with the following patches:

ppp-2.3.11-make.patch
ppp-2.3.11-openssl-0.9.5-mppe.patch
ppp-2.3.11-options.patch
ppp-2.3.11-require-mppe.patch
ppp-2.3.11-rh62-kill_fasync.patch
ppp-2.3.11-strip-MSdomain.patch

(they are 2.3.10 modified patches, I'll post them on an ftp site soon)

I have installed radius-client libs (radiusclient-0.3.1) and
xtradius-1.0beta, together with libsmbpw-1.1, AuthAccount-1.0,
and I patched them against the files from chap_crap-0.2 (from James).

I have also installed mysql and made the tables as specified in
chap_crap-0.2 (modified from auth-account).

The username/nthash-passwd for the clients resides in the mysql database

> But... If I understand your goal, you want both your client and the server
> to use Xtradius for authentication? Hmmm. you would need to modify auth.c
> atleast so that it only tries to match the userid when it is one of client
> or server, but not both. And it must be the correct one :).

I only want to auth the clients to eris, not eris to clients.

> How's that for confusing the issue:).

:)

 
> I can also say that once pppd gets a valid userid/passwd, it will not
> actually (or atleast it shouldn't) talk to radius anymore until it is
> authenticated.

So let's draw a quick picture here:

The client (let's call it jambo; user=jambo, password=parola) is a
win98 pptp client that dials to 192.168.4.246 (that's eris).
jambo's IP is 192.168.4.149.

The pptpd sees an incoming request and fires up pppd on eris.

May 30 17:35:54 eris pptpd[14515]: CTRL: Client 192.168.4.149 control
connection started
May 30 17:35:54 eris pptpd[14515]: CTRL: Starting call (launching pppd,
opening GRE)

pppd then tries to get the username/passwd from jambo. (Is that
correct?)
jambo sends the user/passwd, pppd then looks in /etc/ppp/chap-secrets
where it finds the line * * !nothing *. Given the fact that the passwd
in chap-secrets begins with '!', pppd (via auth.c) uses radiusclient to
forward the auth issue to xtradius.

May 30 17:35:55 eris pppd[14516]: Trying Radius client=NULL, server=eris
devnam=/dev/pts/3

As you can see, it seems that auth.c doesn't correctly guess the
user/passwd; it assumes that the client is NULL (should be jambo). So the
radiusclient doesn't even try to reach the radius server, given the fact
that the username field is EMPTY.


client=NULL, server=eris, secret=NULL
client2=NULL, server=eris, secret=NULL word=!nothing addrs=Ok
Trying Radius client=NULL, server=eris devnam=/dev/pts/5
S eris Return=-1, passwd=!nothing 
client=NULL, server=eris, secret=NULL
HUH *
Using interface ppp0
Connect: ppp0 <--> /dev/pts/5

client=eris, server=NULL, secret= ÷ÿ¿÷ÿ¿
client=eris, server=NULL, secret=NULL
client2=eris, server=NULL, secret=NULL word=!nothing addrs=Ok
Trying Radius client=eris, server=NULL devnam=/dev/pts/5
C eris Return=-1, passwd=!nothing

client=eris, server=NULL, secret=NULL
client=NULL, server=eris, secret=NULL
client2=NULL, server=eris, secret=NULL word=!nothing addrs=Ok
Trying Radius client=NULL, server=eris devnam=/dev/pts/5
S eris Return=-1, passwd=!nothing 
client=NULL, server=eris, secret=NULL
HUH *
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap 81> <magic
0xc9a8a384> <pcomp> <accomp>]
write: warning: Input/output error (5)
Timeout 0x8050a44:0x8079c40 in 3 seconds.
Modem hangup
Untimeout 0x8050a44:0x8079c40.
Connection terminated on /dev/pts/5.
> Let me know if I captured what you are trying to do, and I will see about
> changing the code a bit...

I hope that I have made myself a lil' bit clear now :)

> JES
> --
> James B. MacLean        macleajb at ednet.ns.ca


PS: James and all the kind people on this list:
I apologize for my-not-so-deep-knowledge-of-english,
and I'm sorry if I offended anyone. Please do not
get upset about my language.


respect,
-- 
Dragos Adrian DOBRE
Network Systems Specialist
Deuroconsult Brasov, Romania
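As an added illustration (not code from this thread, from pppd, or from chap_crap): a small Python model of the chap-secrets lookup described in the message above. It assumes the chap_crap convention that a secret beginning with '!' means "forward this user to RADIUS", models pppd's best-match rule (an exact client/server name outranks '*'), and refuses to forward when the peer name is still unknown, which is the client=NULL state visible in the log. The sample secrets files are constructed.

```python
import shlex

RADIUS_MARKER = "!"  # chap_crap convention as described in the thread (assumption)

# Constructed sample: the single line the message says eris has in chap-secrets.
THREAD_SECRETS = "*\t*\t!nothing\t*\n"

# Constructed sample with an exact local entry added for comparison.
MIXED_SECRETS = """# client  server  secret        addrs
*         *       !nothing      *
jambo     eris    "local pw"    192.168.4.149
"""

def parse_chap_secrets(text):
    """Parse pppd chap-secrets lines into (client, server, secret, addrs) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)            # quoted secrets may contain spaces
        if len(fields) < 3:
            continue                          # malformed: fewer than three fields
        entries.append((fields[0], fields[1], fields[2], fields[3:] or ["*"]))
    return entries

def lookup_secret(entries, client, server):
    """Best-match scan: an exact name outranks '*', the earlier line wins ties."""
    best, best_score = None, -1
    for c, s, secret, addrs in entries:
        if c not in ("*", client) or s not in ("*", server):
            continue
        score = (c != "*") + (s != "*")
        if score > best_score:
            best, best_score = (secret, addrs), score
    return best

def auth_decision(entries, client, server):
    """'wait' while the peer name is unknown (the client=NULL case in the log),
    'radius' if the matched secret carries the marker, else 'local' or 'reject'."""
    if client is None:
        return "wait"          # never send an empty username to RADIUS
    found = lookup_secret(entries, client, server)
    if found is None:
        return "reject"
    return "radius" if found[0].startswith(RADIUS_MARKER) else "local"
```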