
Re: Windows IPSec/L2TP VPN client and Linux server with RADIUS, and PPP.



Success! :)

Phil sent me his dictionary files and the radiusclient.conf file.

I compared the files to mine.
I kept my radiusclient.conf and dictionary file and used Phil's
dictionary.microsoft file.

This file is in a different format to the one supplied with freeradius.
I had tried that format before, but what I was doing wrong was:

	$INCLUDE dictionary.microsoft

When it should have been:

	INCLUDE /etc/radiusclient/dictionary.microsoft

I got the "$INCLUDE" directive by the following comment in the top of
the dictionary.ascend file included in the radiusclient1 Debian package:

#
# Ascend dictionary.
#
#               Enable by putting the line "$INCLUDE dictionary.ascend" into
#               the main dictionary file.
#
# Version:      1.00  21-Jul-1997  Jens Glaser <jens@regio.net>
#

Also after doing more testing it is very important to include the full
path to the dictionary file in the INCLUDE directive.
Just having "INCLUDE dictionary.microsoft" does not work.
So that comment is wrong on so many levels...

Talk about misinformation!

I'm still not sure why it didn't work in the past when I copied the
contents of the dictionary.microsoft file directly into the main
dictionary file, but I guess there must have been some mistake I made
since I manually generated that file by modifying the freeradius one.
Testing by inlining this good file still works (but I won't be doing
that, I just wanted to satisfy my curiosity).

I'll do more comparisons to the various dictionary.microsoft files
and if I find anything I'll post just to add some completion to this
topic if anyone else is searching in the future.

Also, once the correct strings were coming into RADIUS, the VPN still
didn't connect.

Even though the radius log said:

	  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
	  modcall[authorize]: module "mschap" returns ok for request 16

Later on it still failed saying:

	modcall: group authorize returns ok for request 8
	  rad_check_password:  Found Auth-Type Local
	auth: type Local
	auth: No User-Password or CHAP-Password attribute in the request
	auth: Failed to validate the user.

I had to delete the entries from the MySQL database that set
	Auth-Type = Local
So basically I just truncated the radgroupcheck and usergroup tables
again since they are unnecessary.

Now it works for PAP, CHAP, MS-CHAP, and MS-CHAPv2.

So I re-enabled the following directives in the /etc/ppp/options.l2tpd
file to only allow MS-CHAPv2:

	refuse-pap
	refuse-chap
	refuse-mschap
	require-mschap-v2

Note that it also works if I enable require-mppe, but I'm not really
interested in the extra overhead this produces for no gain that I can
see.

Thanks for your help everybody.

----------
Jim Barber
DDI Health
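As an added example (not from this thread), a small Python checker for the two pitfalls the post above describes: it flags a radiusclient main dictionary whose INCLUDE lines use the freeradius `$INCLUDE` keyword or a relative path, and reports which of the four pppd directives that restrict authentication to MS-CHAPv2 are missing from an options file. The sample file contents are constructed, and the `exists` callback is an assumption so the check can run without the real files on disk.

```python
"""Lint the two files the post tweaks: the radiusclient main dictionary
(INCLUDE directives) and the pppd options file (refused auth methods)."""
import os

# The four pppd directives the post uses to allow only MS-CHAPv2.
MSCHAPV2_ONLY = {"refuse-pap", "refuse-chap", "refuse-mschap", "require-mschap-v2"}


def lint_radiusclient_dictionary(text, exists=os.path.exists):
    """Return (line_no, problem) pairs for INCLUDE lines radiusclient will
    not honour: the freeradius '$INCLUDE' keyword, a relative path (the post
    found only a full path works), or a target missing from disk."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        if parts[0] == "$INCLUDE":
            problems.append((no, "'$INCLUDE' is freeradius syntax; use 'INCLUDE'"))
        elif parts[0] == "INCLUDE":
            if len(parts) < 2:
                problems.append((no, "INCLUDE without a file name"))
            elif not os.path.isabs(parts[1]):
                problems.append((no, f"relative path {parts[1]!r}; give the full path"))
            elif not exists(parts[1]):  # 'exists' is injectable for testing
                problems.append((no, f"missing dictionary file {parts[1]!r}"))
    return problems


def missing_ppp_directives(text):
    """Return the MSCHAPV2_ONLY directives absent or commented out in a pppd
    options file; any entry here means a weaker method is still negotiable."""
    present = set()
    for line in text.splitlines():
        present.update(line.split("#", 1)[0].split())  # options are whitespace separated
    return sorted(MSCHAPV2_ONLY - present)


# Constructed samples reproducing the post's wrong and right INCLUDE forms.
SAMPLE_DICTIONARY = """# main radiusclient dictionary (constructed sample)
$INCLUDE dictionary.microsoft
INCLUDE dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.microsoft
"""
# Constructed options.l2tpd with one directive accidentally commented out.
SAMPLE_PPP_OPTIONS = """refuse-pap
refuse-chap
#refuse-mschap
require-mschap-v2
"""
```

Running the dictionary linter on the sample reports lines 2 and 3, and the options check reports `refuse-mschap` as missing.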

