I install freeradius2, add to raddb/users:
test Cleartext-Password := "test1"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.36.0.2,
Framed-IP-Netmask = 255.255.255.0,
start radiusd, and check auth:
radtest test test1 127.0.0.1 1002 testing123
Sending Access-Request of id 199 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test1"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1002
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=199, length=44
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.36.0.2
Framed-IP-Netmask = 255.255.255.0
Works fine.
Next step. Add to mpd.conf:
radius:
set auth disable internal
set auth max-logins 1 CI
set auth enable radius-auth
set radius timeout 90
set radius retries 2
set radius server 127.0.0.1 testing123 1812 1813
set radius me 127.0.0.1
create link template L pppoe
set link action bundle B
set link max-children 1000
set link no multilink
set link no shortseq
set link no pap chap-md5 chap-msv1 chap-msv2
set link enable chap
set pppoe acname Internet
load radius
create link template em1 L
set pppoe iface em1
set link enable incoming
And trying to connect, auth failed, here is mpd log:
mpd: [em1-2] LCP: auth: peer wants nothing, I want CHAP
mpd: [em1-2] CHAP: sending CHALLENGE #1 len: 21
mpd: [em1-2] LCP: LayerUp
mpd: [em1-2] CHAP: rec'd RESPONSE #1 len: 58
mpd: [em1-2] Name: "test"
mpd: [em1-2] AUTH: Trying RADIUS
mpd: [em1-2] RADIUS: Authenticating user 'test'
mpd: [em1-2] RADIUS: Rec'd RAD_ACCESS_REJECT for user 'test'
mpd: [em1-2] AUTH: RADIUS returned: failed
mpd: [em1-2] AUTH: ran out of backends
mpd: [em1-2] CHAP: Auth return status: failed
mpd: [em1-2] CHAP: Reply message: ^AE=691 R=1
mpd: [em1-2] CHAP: sending FAILURE #1 len: 14
mpd: [em1-2] LCP: authorization failed
Then i start freeradius as radiusd -fX, and get this log:
rad_recv: Access-Request packet from host 127.0.0.1 port 46400, id=223, length=282
NAS-Identifier = "rubin.svyaz-nt.ru"
NAS-IP-Address = 127.0.0.1
Message-Authenticator = 0x14d36639bed8074ec2988118125367ea
Acct-Session-Id = "815965-em1-2"
NAS-Port = 2
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "00e05290b3e3 / 00:e0:52:90:b3:e3 / em1"
NAS-Port-Id = "em1"
Vendor-12341-Attr-12 = 0x656d312d32
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Client-Endpoint:0 = "00:e0:52:90:b3:e3"
User-Name = "test"
MS-CHAP-Challenge = 0xbb1e68d5bbc30f228725a133877de83e
MS-CHAP2-Response = 0x010088746ae65b68e435e9d045ad6f9569b60000000000000000b56991b4f20704cb6c68e5982eec5e98a7f4b470c109c1b9
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test] (from client localhost port 2 cli 00e05290b3e3 / 00:e0:52:90:b3:e3 / em1)
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 223 to 127.0.0.1 port 46400
MS-CHAP-Error = "\001E=691 R=1"
Why i have error "[mschap] No Cleartext-Password configured. Cannot create LM-Password." ? I define cleartext-password in users.
I check raddb/sites-enabled/default
authorize {
chap
mschap
eap {
ok = return
}
files
}
looks ok for me.
Whats wrong with mpd/chap/radius ?