Error 778: It was not possible to verify the identity of the server


Error 778: It was not possible to verify the identity of the server

Thomas Boutell
Soooo close. I have no trouble fetching a cheerful response from
the IAS radius server with my simple proxy. I print its output to
standard output and return with exit code 0. FreeRADIUS reports
the whole thing as a success. And I get:

Error 778: It was not possible to verify the identity of the server.

... From the Windows workstation involved. Note that I have also set
up mschap and ntlm_auth to handle accounts on the local Samba server,
and *those* logons work perfectly. So my feeling is that there's something
special I need to do in my faux-proxy to match what a real proxy
would do, but I can't imagine what.

To test my theory, I configured proxy.conf so that FreeRADIUS would
use its built-in proxy code. Yes, that works perfectly. But I can't
seem to find a debugging option that causes FreeRADIUS to print not
just the request and helpful tracing information but the full *response*
that it sends to the client. And that seems to be what I need to
disentangle the difference between the "real" proxy code and what
I wrote and sort out why RAS on the PPTP server accepts the output of the
former but not of the latter.

(Of course, for those who may be wondering, I would gladly use the
built-in proxy code, except that I need to try something else if
the user is not found, and the standard FreeRADIUS proxy code
can't do that.)

Any ideas? I think I'm very close here. Thanks!

--
Thomas Boutell
Boutell.Com, Inc.
http://www.boutell.com/


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error 778: It was not possible to verify the identity of the server

Alan DeKok
Thomas Boutell <[hidden email]> wrote:
> Soooo close. I have no trouble fetching a cheerful response from
> the IAS radius server with my simple proxy. I print its output to
> standard output and return with exit code 0. FreeRADIUS reports
> the whole thing as a success. And I get:
>
> Error 778: It was not possible to verify the identity of the server.

  You're probably doing MSCHAP in your script. That won't work.

> (Of course, for those who may be wondering, I would gladly use the
> built-in proxy code, except that I need to try something else if
> the user is not found, and the standard FreeRADIUS proxy code
> can't do that.)

  Edit rlm_files, to add an "authenticate" section.  Just copy & paste
one of the other functions, and change "authorize" to "authenticate",
or whatever.  You can then set Proxy-To-Realm in that variant of the
"users" file, and use configurable fail-over.

  Alan DeKok.

