Old 11-30-2009, 01:25 PM   #1
Hibscher
Question FreeRadius+ntlm_auth and SG580 router with PPTP Radius Auth


I've tried Googling this and have not found any that come close. I think the problem lies in the communication between the SG580 and the FreeRadius server, but am not sure.

Any direction of where I should look would be most helpful. The Linux machine running FreeRadius is a VM with CentOS, latest patches have been applied. This machine is also able to allow domain logons through SBS 2008. I have not been successful in authenticating the SG580 with SBS2008 through radius so am trying on the CentOS machine. The SG580 is also running the latest firmware available (as of yesterday). Am I reading the logs wrong? What am I missing? Let me know what else you need to know.

Thank you!

A log file from the CentOS machine and the SG580 follow:

Here is the log from running radiusd -X: Note that it appears to grant access.

rad_recv: Access-Request packet from host 172.21.40.1 port 59382, id=12, length=159
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "domain\\user"
MS-CHAP-Challenge = 0x#Challenge-Edit#
MS-CHAP2-Response = 0x#Response-edit#
Calling-Station-Id = "options.pptp"
NAS-IP-Address = 192.168.158.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "domain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for user with NT-Password
[mschap] expand: --username=%{mschap:User-Name} -> --username=user
[mschap] mschap2: b8
[mschap] expand: --challenge=%{mschap:Challenge} -> --challenge=#edit#
[mschap] expand: --nt-response=%{mschap:NT-Response} -> --nt-response=#edit#
Exec-Program output: NT_KEY: #edit#
Exec-Program-Wait: plaintext: NT_KEY: #edit#
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 12 to 172.21.40.1 port 59382
Framed-Protocol = PPP
Calling-Station-Id = "options.pptp"
MS-CHAP2-Success = 0x#edit#
MS-MPPE-Recv-Key = 0x#edit#
MS-MPPE-Send-Key = 0x#edit#
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000004
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 12 with timestamp +4275
Ready to process requests.

<END OF Radiusd -X log>

I also have the log from the SG580 denying access:

Nov 30 19:03:44 pptpd[25247]: CTRL: Client 192.168.0.124 control connection started
Nov 30 19:03:44 pptpd[25247]: CTRL: Starting call (launching pppd, opening GRE)
Nov 30 19:03:44 pppd[25248]: Plugin radius loaded.
Nov 30 19:03:44 pppd[25248]: RADIUS plugin initialized.
Nov 30 19:03:44 pppd[25248]: pppd 2.4.4 started by root, uid 0
Nov 30 19:03:44 pppd[25248]: using channel 20
Nov 30 19:03:44 pppd[25248]: Using interface ppp0
Nov 30 19:03:44 pppd[25248]: Connect: ppp0 <--> /dev/pts/0
Nov 30 19:03:44 pppd[25248]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x3bc8ecd7> <pcomp> <accomp>]
Nov 30 19:03:44 pptpd[25247]: GRE: Bad checksum from pppd.
Nov 30 19:03:44 pppd[25248]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0xfe85668> <pcomp> <accomp> <callback CBCP>]
Nov 30 19:03:44 pppd[25248]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Nov 30 19:03:44 pppd[25248]: rcvd [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x3bc8ecd7> <pcomp> <accomp>]
Nov 30 19:03:44 pppd[25248]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0xfe85668> <pcomp> <accomp>]
Nov 30 19:03:44 pppd[25248]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0xfe85668> <pcomp> <accomp>]
Nov 30 19:03:44 pppd[25248]: sent [CHAP Challenge id=0xa <#edit#>, name = "PoPToP"]
Nov 30 19:03:44 pppd[25248]: rcvd [LCP Ident id=0x2 magic=0xfe85668 "MSRASV5.20"]
Nov 30 19:03:44 pppd[25248]: rcvd [LCP Ident id=0x3 magic=0xfe85668 "MSRAS-0-WS18"]
Nov 30 19:03:44 pppd[25248]: rcvd [LCP Ident id=0x4 magic=0xfe85668 "\235iS\344\232\352^J\207\320 ,\343\265N\214"]
Nov 30 19:03:44 pppd[25248]: rcvd [CHAP Response id=0xa <#edit>, name = "domain\\user"]
Nov 30 19:03:44 pptpd[25247]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Nov 30 19:03:44 pppd[25248]: Peer domain\\user failed PAM Account provisions
Nov 30 19:03:44 pppd[25248]: sent [CHAP Failure id=0xa "S=B#edit#"]
Nov 30 19:03:44 pppd[25248]: sent [LCP TermReq id=0x2 "Authentication failed"]
Nov 30 19:03:44 pppd[25248]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
Nov 30 19:03:44 pppd[25248]: Connection terminated.
Nov 30 19:03:44 pptpd[25247]: CTRL: Reaping child PPP[25248]
Nov 30 19:03:44 pppd[25248]: Exit.
Nov 30 19:03:44 pptpd[25247]: CTRL: Client 192.168.0.124 control connection finished
Nov 30 19:03:44 pptpd[25247]: CTRL: Asked to free call when no call open, not handled well
Nov 30 19:03:44 pptpd[25247]: CTRL: Could not free Call ID [admin shutdown]!
Nov 30 19:03:44 pptpd[25247]: CTRL: Couldn't write packet to client.

<END of SG580 Error log.>

Last edited by Hibscher; 11-30-2009 at 01:32 PM.
 
  

