hints and PPTP/MPPE


David Batterham

Hi All,

I'm trying to get hints and huntgroups working with PPTP using MPPE
MSCHAPv2.

I want users to be able to log in with uname or uname.suffix. When
logging in with uname.suffix, the suffix is stripped and a hint is set
using the hints file. They are also set in a huntgroup.

The users file has a DEFAULT entry for that hint and huntgroup.

This *works* when users connect a certain way (ipsec using clear text
passwords), but fails on PPTP connections using MPPE.

When connecting via PPTP, the DEFAULT entry does not get hit and it
falls through to the DEFAULT entry with Auth-Type := Reject. The correct
entry is hit when connecting via IPSEC.

Despite this, it still sends an Access-Accept (albeit with the
Reply-Message in the Reject).

My suspicion is that MS Windows is generating MPPE keys based on the
username with the suffix, and freeradius is correctly authenticating
against the system (SMBPASSWD file) without the suffix, but generating
MPPE responses also without the SUFFIX, therefore windows drops the
connection.

Version is 1.0.3.

Any ideas?

Regs,
Dave
--
-----------------------------------------------------------------------------
David Batterham
Information Systems & Services Manager
Department of Electrical & Electronic Engineering
The University of Melbourne, Victoria 3010
Email: [hidden email]
Phone: +61 3 8344 3366
Fax: +61 3 8344 6678
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: hints and PPTP/MPPE

Alan DeKok
David Batterham <[hidden email]> wrote:
> Despite this, it still sends an Access-Accept (albeit with the
> Reply-Message in the Reject).

  Huh?

> My suspicion is that MS Windows is generating MPPE keys based on the
> username with the suffix, and freeradius is correctly authenticating
> against the system (SMBPASSWD file) without the suffix, but generating
> MPPE responses also without the SUFFIX, therefore windows drops the
> connection.

  This makes no sense to me.

  Can you post the debug log on a website somewhere?

  Alan DeKok.
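
The first post's suspicion turns on whether the user name takes part in the MS-CHAPv2 exchange. As an added illustration (not from either poster and not FreeRADIUS code), the following computes the RFC 2759 challenge hash and authenticator response for the RFC's own test vector, then repeats the peer's check against a constructed name that differs only by a suffix; the function names are hypothetical.

```python
import hashlib

# Magic constants defined by RFC 2759 for the authenticator response.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# Test vector published in RFC 2759 (UserName "User", password "clientPass").
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")
# Held at the RFC value in every run to isolate the effect of the name;
# in a real exchange the NT-Response also depends on the challenge hash.
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """First 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def authenticator_response(user_name):
    """The "S=<40 hex digits>" string the server returns and the peer verifies."""
    digest = hashlib.sha1(PASSWORD_HASH_HASH + NT_RESPONSE + MAGIC1).digest()
    challenge = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, user_name)
    return "S=" + hashlib.sha1(digest + challenge + MAGIC2).hexdigest().upper()


def peer_accepts(name_used_by_peer, name_used_by_server):
    """Peer-side check: recompute the response with its own name and compare."""
    expected = authenticator_response(name_used_by_peer)
    return expected == authenticator_response(name_used_by_server)


if __name__ == "__main__":
    # "User.suffix" is a constructed name, not taken from the thread.
    for server_name in ("User", "User.suffix"):
        chal = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_name)
        print(server_name, chal.hex().upper(), peer_accepts("User", server_name))
```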