 
 From:  "Holmes, Robert" <Robert dot Holmes at agilysys dot com>
 To:  "Pete Klein" <petek1827 at yahoo dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Radius & PPTP
 Date:  Fri, 16 Mar 2007 08:50:16 -0400
My settings, platform and problems are the same as yours Pete.  I have a
WRAP, but I also tried it on a CDROM image under VMware. I won't post
the log because it's identical.  Yes, I can ping myself, but no one else.
I'll just confirm the same issue as you.

I tried pfSense thinking that maybe FreeBSD 6 would fix it, but the devs
over there said they just sync the code from m0n0wall.  I am using a
Windows PPTP client under XP.  The same settings work to a Microsoft
PPTP server as well as m0n0wall with a local user list, so it is
something inherent in the Radius settings preventing it from working.

Can anyone else also confirm this problem?

-Robert


 

-----Original Message-----
From: Pete Klein [mailto:petek1827 at yahoo dot com] 
Sent: Thursday, March 15, 2007 11:20 PM
To: Holmes, Robert; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Radius & PPTP

Hi Robert,

Sorry I haven't had time to respond lately.  Things have been rather
crazy at work and I haven't had time to look into this matter.

I think the link you pointed to applies only to IPSec clients and not
PPTP clients so I don't think this will help us.

I think this problem might be an MPD configuration error but I am not
completely sure.  We are both using completely different Radius Servers
and I suspect different PPTP clients (What PPTP client are you using?)
and are having similar problems.  This means either we are both missing
something completely obvious (at least in my case this is possible) or
there is a bug in Monowall/pfSense (I'm not familiar with pfSense but it
looks like a clone of Monowall.  Can someone confirm the relationship?)

MPD is the program that is a part of Monowall and provides the PPTP
service.  MPD.conf is the configuration file for MPD.  Unfortunately
Monowall does not (unless I am missing something) give us the ability to
directly view or edit this file so this is something Manuel will have to
fix.  

At this point we need to confirm that this is indeed a bug (and not a
mistake on our part) and try to give Manuel as much info as we can so he
can figure out a solution.  I don't think this is a Radius problem
because according to my log, MPD is properly using my Radius Server to
authenticate me.

Mar 15 21:04:19 mpd: [pt0] LCP: phase shift ESTABLISH --> AUTHENTICATE
Mar 15 21:04:19 mpd: [pt0] LCP: auth: peer wants nothing, I want CHAP
Mar 15 21:04:19 mpd: [pt0] CHAP: sending CHALLENGE
Mar 15 21:04:19 mpd: [pt0] LCP: LayerUp
Mar 15 21:04:19 mpd: [pt0] CHAP: rec'd RESPONSE #1
Mar 15 21:04:19 mpd: Name: "FERRETS\Pete"
Mar 15 21:04:19 mpd: [pt0] RADIUS: RadiusAddServer Adding 192.168.81.11
Mar 15 21:04:19 mpd: [pt0] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: Pete
Mar 15 21:04:19 mpd: [pt0] RADIUS: RadiusSendRequest: RAD_ACCESS_ACCEPT for user Pete
Mar 15 21:04:19 mpd: [pt0] RADIUS: RadiusGetParams: RAD_MICROSOFT_MS_CHAP2_SUCCESS: S=3EB4E813517BD7D615BFDAB3BC82F0EADEB665B6
Mar 15 21:04:19 mpd: [pt0] RADIUS: RadiusGetParams: Dropping MPD vendor specific attribute: 26
Mar 15 21:04:19 mpd: Response is valid
Mar 15 21:04:19 mpd: [pt0] CHAP: sending SUCCESS
Mar 15 21:04:19 mpd: [pt0] LCP: authorization successful
Mar 15 21:04:19 mpd: [pt0] LCP: phase shift AUTHENTICATE --> NETWORK

....

The problem starts to occur much later.

Mar 15 21:04:20 mpd: MPPC
Mar 15 21:04:20 mpd: 0x01000020: MPPE, 40 bit, stateless
Mar 15 21:04:20 mpd: [pt0] CCP: Checking whether 40 bits are acceptable -> yes
Mar 15 21:04:20 mpd: [pt0] CCP: SendConfigAck #3
Mar 15 21:04:20 mpd: MPPC
Mar 15 21:04:20 mpd: 0x01000020: MPPE, 40 bit, stateless
Mar 15 21:04:20 mpd: [pt0] CCP: state change Ack-Rcvd --> Opened
Mar 15 21:04:20 mpd: [pt0] CCP: LayerUp
Mar 15 21:04:20 mpd: Compress using: MPPE, 40 bit, stateless
Mar 15 21:04:20 mpd: Decompress using: MPPE, 40 bit, stateless
Mar 15 21:04:20 mpd: [pt0] setting interface ng1 MTU to 1456 bytes
Mar 15 21:04:20 mpd: [pt0] rec'd unexpected protocol 0xa0bb on link -1, rejecting
Mar 15 21:04:23 mpd: [pt0] rec'd unexpected protocol 0xb229 on link -1, rejecting
Mar 15 21:04:23 mpd: [pt0] rec'd unexpected protocol 0x0035 on link -1, rejecting
.... (variations of this last line just keep repeating)

I have posted more complete logs here

http://ksurveying.homeip.net/download/WithRadius.txt
http://ksurveying.homeip.net/download/NoRadius.txt

Can you examine your Monowall log to see if you are getting similar
entries?  You will need to examine it almost right after you attempt a
pptp login or the entries will scroll right off the screen.  You may
want to change the "Number of log entries to show" setting to something
like 500 to give you time to see the entries.  You will mainly be
looking for lines that begin with mpd: .....

Also I noticed you mentioned you cannot see anyone on your local
network.  Can you ping non-local (WAN) addresses?  I cannot ping
anything other than my own address.  On your client machine, what does
ipconfig say?  Are you getting an IP address on your PPTP interface?
Mine says I am.

What are you running Monowall on?  Mine is on a pair of Wrap 1e-2.  Is
there anything special about your settings?  Please provide as much info
as possible.

--- "Holmes, Robert" <Robert dot Holmes at agilysys dot com>
wrote:

> I found this which may be necessary to patching Radius to work with MS
> PPTP clients.
> http://www.debian-administration.org/articles/245
> 
>  
> 
> -----Original Message-----
> From: Holmes, Robert
> Sent: Thursday, March 15, 2007 6:11 AM
> To: 'm0n0wall at lists dot m0n0 dot ch'
> Subject: RE: [m0n0wall] Radius & PPTP
> 
> Any more movement on this issue?  It's a bug that is confirmed by both
> monowall and pfsense users.
> 
> Thanks, Robert
> 
> 
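
Added example, not part of the thread and not m0n0wall or mpd code: a small Python triage script for the kind of mpd log discussed in this message. It rejoins entries that a mail client has hard-wrapped, then reports whether RADIUS and CHAP succeeded, which MPPE key length was negotiated, and which protocol numbers were rejected after CCP came up. The sample log is constructed in the shape of the entries in this message, and the function names are illustrative.

```python
import re

# Constructed sample in the shape of the mpd entries in this thread,
# hard-wrapped the way a mail client wraps pasted log lines.
SAMPLE = """\
Mar 15 21:04:19 mpd: [pt0] RADIUS: RadiusSendRequest:
RAD_ACCESS_ACCEPT for user Pete
Mar 15 21:04:19 mpd: [pt0] CHAP: sending SUCCESS
Mar 15 21:04:20 mpd: [pt0] CCP: LayerUp
Mar 15 21:04:20 mpd: Compress using: MPPE, 40 bit,
stateless
Mar 15 21:04:20 mpd: [pt0] rec'd unexpected protocol
0xa0bb on link -1, rejecting
Mar 15 21:04:23 mpd: [pt0] rec'd unexpected protocol
0x0035 on link -1, rejecting
"""

# A syslog timestamp followed by the mpd tag marks the start of a new entry.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d\s+mpd: ")

def unwrap(text):
    """Rejoin wrapped entries: a line without a stamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(STAMP.sub("", line).strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Report how far the session got and what was rejected once CCP was up."""
    out = {"radius_accept": False, "chap_success": False,
           "mppe_bits": None, "rejects_after_ccp": []}
    ccp_up = False
    for e in unwrap(text):
        if "RAD_ACCESS_ACCEPT" in e:
            out["radius_accept"] = True
        elif "CHAP: sending SUCCESS" in e:
            out["chap_success"] = True
        elif "CCP: LayerUp" in e:
            ccp_up = True
        elif m := re.search(r"Compress using: MPPE, (\d+) bit", e):
            out["mppe_bits"] = int(m.group(1))  # 40 is the shortest MPPE key length
        elif ccp_up and (m := re.search(r"unexpected protocol (0x[0-9a-f]{4})", e)):
            out["rejects_after_ccp"].append(m.group(1))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a saved copy of the log, a result with radius_accept and chap_success both true and a non-empty rejects_after_ccp list matches the pattern described here: authentication completes and the failures begin only after the MPPE layer is up.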