 From:  "Chet Harvey" <chet at pittech dot com>
 To:  "Sysdata" <claudemir at sysdata dot ind dot br>, "m0n0wall at lists dot m0n0 dot ch"
 Subject:  Rv: [m0n0wall] PPTP autentication against Radius Server
 Date:  Thu, 22 Apr 2004 10:24:44 -0100
error 691 is generally an auth error.

"Error 691: Access was denied because the username and/or password was
invalid on the domain"

It shows up a lot when MS-CHAP tries to not only send the username
"claudemir" but will append the domain so the user really looks like
"domain\claudemir" when it hits the radius server.

Error 691 is an authentication problem probably due to the fact that MS chap
uses the domain name and username combo to authenticate. If you look at the
logs you will probably see a message saying that MS chap is trying to
authenticate user "domain\\username". I got it to work by putting the full
domain and user string in the client portion of the chap-secrets file.
# Secrets for authentication using CHAP
# client                server          secret          IP addresses
workgroup\\user         server          password        *

There is also a patch called chapms-strip-domain out there which strips off
the domain.

--------- Original Message --------
From: Sysdata <claudemir at sysdata dot ind dot br>
To: m0n0wall at lists dot m0n0 dot ch <m0n0wall at lists dot m0n0 dot ch>
Subject: [m0n0wall] PPTP autentication against Radius Server
Date: 22/04/04 11:19

> Dear Friend

When I use VPN with PPTP authentication, it works perfectly, but when I try
to authenticate by using PPTP against a radius server, I got some errors!

mpd: Name: "claudemir"

Apr 15 09:25:17 mpd: [pptpc0] RADIUS: RadiusAddServer Adding

Apr 15 09:25:17 mpd: [pptpc0] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2)
peer name: claudemir

Apr 15 09:25:19 mpd: [pptpc0] RADIUS: RadiusSendRequest: RAD_ACCESS_REJECT
for user claudemir

Apr 15 09:25:19 mpd: [pptpc0] RADIUS: RadiusGetParams: MS-CHAP-Error:
^AE=691 R=1

Apr 15 09:25:19 mpd: [pptpc0] CHAP: sending FAILURE

Apr 15 09:25:19 mpd: [pptpc0] error writing len 18 frame to bypass: Network
is down

Apr 15 09:25:19 mpd: [pptpc0] LCP: authorization failed

Apr 15 09:25:19 mpd: [pptpc0] bundle: CLOSE event in state OPENED

Apr 15 09:25:19 mpd: [pptpc0] closing link "pptpc0"...

Apr 15 09:25:19 mpd: [pptpc0] device: DOWN event in state CLOSING

Apr 15 09:25:19 mpd: [pptpc0] device is now in state DOWN

Apr 15 09:25:19 mpd: pptp0: CID 0xeb83 in SetLinkInfo not found

Apr 15 09:25:19 mpd: [pptpc0] CHAP: rec'd RESPONSE #1

Apr 15 09:25:19 mpd: Not expected, but that's OK

The Radius Server is running FreeBSD + FreeRadius + MySQL for authentication
and accounting. It is possible to authenticate by using PPPOE clients without
problems; however, the PPTP clients cannot.

I believe the problem is something related to MS-CHAP. The FreeRadius
configuration already has a session for MS-CHAP authentication, but it still
doesn't work.

Any suggestions, please?


Claudemir F. Martins
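
Added example (not part of the original messages or of mpd/FreeRADIUS): a small triage script that decodes the MS-CHAP-Error value seen in the mpd log above and reports whether the peer name carried a domain prefix. The "^A" before "E=691" is the one-octet CHAP ident that RFC 2548 places ahead of the error string; the function names and the second, domain-prefixed log pair are constructed for illustration.

```python
import re

# MS-CHAP failure codes as listed in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
PEER_RE = re.compile(r"peer name:\s*(\S+)")
ERR_RE = re.compile(r"MS-CHAP-Error:\s*(.*)$")
FIELD_RE = re.compile(r"(?:^|\s)([ERCV])=(\S+)")

def split_domain(peer):
    # Accepts DOMAIN\user with one backslash or two (logs may escape it).
    domain, sep, user = peer.rpartition("\\")
    return (domain.rstrip("\\") or None, user) if sep else (None, peer)

def parse_mschap_error(value):
    """Decode '<ident>E=... R=...'; the ident may be logged as ^A or a raw byte."""
    ident = None
    if value.startswith("^") and len(value) > 1:   # caret notation: ^A == 0x01
        ident, value = ord(value[1]) ^ 0x40, value[2:]
    elif value and ord(value[0]) < 0x20:           # raw control byte
        ident, value = ord(value[0]), value[1:]
    fields = dict(FIELD_RE.findall(value))
    code = int(fields.get("E", -1))
    return {"ident": ident, "code": code,
            "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry": fields.get("R") == "1"}

def diagnose(lines):
    """Pair each MS-CHAP-Error with the most recent peer name seen."""
    peer, out = None, []
    for line in lines:
        if m := PEER_RE.search(line):
            peer = m.group(1)
        elif m := ERR_RE.search(line):
            domain, user = split_domain(peer or "")
            out.append({**parse_mschap_error(m.group(1).rstrip()),
                        "user": user, "domain": domain})
    return out

SAMPLE = [  # first pair: from the log above, wrapped lines joined
    "Apr 15 09:25:17 mpd: [pptpc0] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: claudemir",
    "Apr 15 09:25:19 mpd: [pptpc0] RADIUS: RadiusGetParams: MS-CHAP-Error: ^AE=691 R=1",
    # second pair: constructed, showing a domain-prefixed peer name
    r"Apr 15 09:26:02 mpd: [pptpc0] RADIUS: RadiusPutAuth: RADIUS_CHAP (MSOFTv2) peer name: WORKGROUP\\claudemir",
    "Apr 15 09:26:03 mpd: [pptpc0] RADIUS: RadiusGetParams: MS-CHAP-Error: ^AE=691 R=1",
]
print(*diagnose(SAMPLE), sep="\n")
```

A non-empty "domain" in the output means the name reaching the RADIUS server will not match a bare username entry, which is the mismatch the reply above describes.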