Cisco ACS has some Microsoft attributes to play with, such as
MS-CHAP-MPPE keys, MS-MPPE-Encryption-Type and
MS-MPPE-Encryption-Policy. I played with all combinations of them and
it didn't help. I'm on version 3.3 of ACS and 4.x has been out for
a while, so I may upgrade to test that.
Glad to hear your Radius server is now working.
From: Pete Klein [mailto:petek1827 at yahoo dot com]
Sent: Friday, March 16, 2007 11:38 PM
To: Holmes, Robert; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Radius & PPTP - Problem solved (for me anyway)
I finally solved my problem. It was a bad setting on my Radius Server.
Since I am using a different Radius server than you are, this solution
won't directly solve your problem. However by understanding my
solution, it may point you in the right direction to solve yours.
I am using the Multitech Radius Server. I was going through the logs
and noticed that the error messages started to appear after all the
stuff related to setting up MPPE (Microsoft Point to Point Encryption).
I started to look at how MPPE worked and ran across the following note
in an old version of the MPD manual (Compression section).
When enabled, MPPE types (40, 56 or 128 bit) and MPPE policies (whether
encryption is required or optional) are controlled by the RADIUS server.
As a result I went back to the manual for the Multitech Radius Server
and started looking for anything related to MPPE. Nothing. Then I
looked at the readme file and found the following line under a section
marked "About "users" file:"
MPPE (Microsoft Point to Point Encryption) can be enabled by adding a
Vendor-Specific = MPPE_ALLOWED
to the user file (no explanation of course).
Bingo, suddenly everything works.
Here is a link to my log after I did this:
For those who want to use the Multitech Radius Server with Monowall's
PPTP you need to edit each username in the "user" file to look something
like the following (make sure you stop and then restart the Server after
you edit the file):
Username Auth-Type = Local, Password = "password"
Vendor-Specific = MPPE_ALLOWED
Needless to say I think you need to look at your Radius Server settings
specifically as they relate to MPPE. It appears that there is nothing
wrong with Monowall.
Hope this helps. Please post if you get your system working.
--- "Holmes, Robert" <Robert dot Holmes at agilysys dot com>
> I have tried both 40bit and 128bit and it doesn't seem to matter. The
> m0n0wall supports 128-bit just fine with local users, so it's
> something funky with Radius that makes it have this issue.
> You may be right that m0n0wall is creating a rule in the background we
> are not aware of. I have a firewall rule that allows PPTP users to go
> anywhere, which also works great with local users. I've dumbed down the
> client on XP to use PAP and no encryption, but it doesn't seem to help.
> Lee, I am not using Captive Portal. When I tried it with pfSense too,
> I made a very vanilla configuration and it didn't work there either.
> Now, for what it's worth, at work I once had a Watchguard Firebox
> which is another m0n0wall/Sonicwall/Netscreen type of appliance. I
> believe it ran a very old version of Linux under the hood. It too had
> problems working with my Cisco ACS Radius server. When I pointed it
> to a Microsoft Radius server on Win2003, it worked fine.
> Unfortunately, I no longer have this Firebox to test with. However, I
> suppose I could attempt to point my m0n0wall at that Win2003 Radius
> server and see if it works. I'll try that next.
> -----Original Message-----
> From: Pete Klein [mailto:petek1827 at yahoo dot com]
> Sent: Friday, March 16, 2007 2:24 PM
> To: Holmes, Robert; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Radius & PPTP
> Hi Robert,
> I found the following old post of someone having a similar problem
> This post doesn't solve our problem but I notice that the writer had
> one type of error message (rec'd unexpected protocol...) when his
> client was set to 40 bit encryption and a different one when the
> client was set to 128 bit.
> I'm using the 98se client for testing which is only 40 bit. I am
> assuming since you are using XP that it is set by default to 128 bits,
> however could you confirm this? Also could you experiment with
> different settings to see if there is any change?
> I'm wondering if the "Require 128-bit encryption" setting is being
> enabled on monowall even if it is not set.
> I also found this post on the pfsense site:
> I don't think this is the same problem but they might be related.
> I also checked the MPD documentation
> and they say the following in their troubleshooting section
> Packets won't flow.
> Make sure you have set gateway_enable="YES" in /etc/rc.conf,
> otherwise your FreeBSD box will not route packets.
> Alternately, invoke sysctl -w net.inet.ip.forwarding=1 for immediate
> effect.
> Also, check your firewall settings. Mpd will create new interfaces
> which may need to be incorporated into your firewall rules. If you're
> doing PPTP, you need to allow TCP port 1723 and IP protocol 47 (GRE).
> Since everything seems to work if Radius is disabled I don't think any
> of this applies. However it is possible that monowall is changing
> something behind the scenes.
> For the record I have the following set in the Firewall:NAT:Inbound
> WAN TCP 1723 192.168.81.1 1723
> Has anyone on this mailing list ever successfully set up pptp to use a
> Radius Server???
> --- "Holmes, Robert" <Robert dot Holmes at agilysys dot com>
> > My settings, platform and problems are the same as yours Pete. I have
> > a WRAP, but I also tried it on a CDROM image under Vmware. I won't
> > post the log because it's identical. Yes, I can ping myself, but no
> > one else.
> > I'll just confirm the same issue as you.
> > I tried pfSense thinking that maybe FreeBSD 6 would fix it, but the
> > devs over there said they just sync the code from m0n0wall. I am
> > using a Windows PPTP client under XP. The same settings work to a
> > Microsoft PPTP server as well as m0n0wall with a local user list, so
> > it is something inherent in the Radius settings preventing it from
> > working.
> > Can anyone else also confirm this problem?
> > -Robert
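
Added example, not part of the thread and not code from MPD, m0n0wall or either RADIUS server: the MPD note quoted above says MPPE types and policy are controlled by the RADIUS server, so this parses the attribute section of an Access-Accept (the bytes after the 20-byte RADIUS header, e.g. from a capture) and reports which Microsoft MPPE attributes (RFC 2548, vendor 311) the server actually returned. The two sample packets and their key bytes are constructed.

```python
import struct

MS_VENDOR_ID = 311                            # Microsoft vendor id (RFC 2548)
POLICY = {1: "Encryption-Allowed", 2: "Encryption-Required"}
TYPE_BITS = {0x2: "40-bit", 0x4: "128-bit"}   # MS-MPPE-Encryption-Types bit flags

def _tlvs(buf, what):
    """Yield (type, value) for each type/length/value record in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed {what} at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def ms_vsas(attrs):
    """Return {vendor_type: value} for Microsoft VSAs (attribute 26, vendor 311)."""
    found = {}
    for atype, value in _tlvs(attrs, "attribute"):
        if atype == 26 and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            found.update(_tlvs(value[4:], "vendor sub-attribute"))
    return found

def mppe_report(attrs):
    """Summarise what the server told the NAS about MPPE."""
    vs = ms_vsas(attrs)
    types = int.from_bytes(vs.get(8, b""), "big")       # 8 = MS-MPPE-Encryption-Types
    return {
        # 7 = MS-MPPE-Encryption-Policy
        "policy": POLICY.get(int.from_bytes(vs.get(7, b""), "big"), "absent"),
        "types": [name for bit, name in TYPE_BITS.items() if types & bit],
        # 12 = MS-CHAP-MPPE-Keys, 16/17 = MS-MPPE-Send-Key / MS-MPPE-Recv-Key
        "has_keys": 12 in vs or (16 in vs and 17 in vs),
    }

def _vsa(vtype, data):
    """Build one Microsoft vendor-specific attribute (used for the samples only)."""
    return (bytes([26, 8 + len(data)]) + struct.pack("!I", MS_VENDOR_ID)
            + bytes([vtype, 2 + len(data)]) + data)

SERVICE_TYPE = bytes([6, 6, 0, 0, 0, 2])      # Service-Type = Framed
# Constructed samples; the 34 key bytes are dummies, not real key material.
ACCEPT_WITH_MPPE = (SERVICE_TYPE + _vsa(7, b"\x00\x00\x00\x01") + _vsa(8, b"\x00\x00\x00\x06")
                    + _vsa(16, bytes(34)) + _vsa(17, bytes(34)))
ACCEPT_WITHOUT_MPPE = SERVICE_TYPE

if __name__ == "__main__":
    print(mppe_report(ACCEPT_WITH_MPPE))
    print(mppe_report(ACCEPT_WITHOUT_MPPE))
```

An Access-Accept that reports `absent` policy, no types and no keys means the server supplied no MPPE settings for that user, which is the place to look on the RADIUS side.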