We are using OpenLDAP as the back-end for an SBR 6.1.1 implementation.
We successfully have clients authenticating (using the Juniper RADIUS testing software). However, when configuring our Cisco switches to look at the SBR implementation, we find that the MS-CHAP-MPPE-Keys attribute is not being sent from SBR to the switch, despite it being in our profile and being sent for the user itself in the ldapauth.aut.
The exact same setup on the Cisco switch side works fine if we change our SBR setup to return the same userid from the 'Native-User' setup. Doing this, the difference we see is the presence of this MS-CHAP-MPPE-Keys in the RADIUS response on the switch.
NON-WORKING EXAMPLE:
Jul 28 10:59:09.689 EDT: RADIUS(00000033): Config NAS IP: < INTERNAL IP >
Jul 28 10:58:49.321 EDT: RADIUS/ENCODE(00000032)rig. component type = VPDN
Jul 28 10:58:49.321 EDT: RADIUS(00000032): Using existing nas_port 39
Jul 28 10:58:49.321 EDT: RADIUS(00000032): Config NAS IP: < INTERNAL IP >
Jul 28 10:59:09.653 EDT: RADIUS/ENCODE(00000033)rig. component type = VPDN
Jul 28 10:59:09.653 EDT: RADIUS: AAA Unsupported Attr: interface [153] 14
Jul 28 10:59:09.653 EDT: RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 [Uniq-Sess-ID]
Jul 28 10:59:09.653 EDT: RADIUS(00000033): Storing nasport 40 in rad_db
Jul 28 10:59:09.657 EDT: RADIUS(00000033): Config NAS IP: < INTERNAL IP >
Jul 28 10:59:09.657 EDT: RADIUS/ENCODE(00000033): acct_session_id: 86
Jul 28 10:59:09.657 EDT: RADIUS(00000033): sending
Jul 28 10:59:09.657 EDT: RADIUS(00000033): Send Access-Request to <RADIUS IP >:1645 id 1645/40, len 131
Jul 28 10:59:09.657 EDT: RADIUS: authenticator CE 38 5D 8B B0 E5 D2 17 - 00 00 00 00 00 00 00 00
Jul 28 10:59:09.657 EDT: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 28 10:59:09.657 EDT: RADIUS: User-Name [1] 7 "TEST1"
Jul 28 10:59:09.657 EDT: RADIUS: Vendor, Microsoft [26] 16
Jul 28 10:59:09.657 EDT: RADIUS: MSCHAP_Challenge [11] 10
Jul 28 10:59:09.657 EDT: RADIUS: CE 38 5D 8B B0 E5 D2 17 [?8]?????]
Jul 28 10:59:09.657 EDT: RADIUS: Vendor, Microsoft [26] 58
Jul 28 10:59:09.657 EDT: RADIUS: MS-CHAP-Response [1] 52 *
Jul 28 10:59:09.657 EDT: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 28 10:59:09.657 EDT: RADIUS: NAS-Port [5] 6 40
Jul 28 10:59:09.657 EDT: RADIUS: Service-Type [6] 6 Framed [2]
Jul 28 10:59:09.657 EDT: RADIUS: NAS-IP-Address [4] 6 10.21.64.8
Jul 28 10:59:09.665 EDT: RADIUS: Received from id 1645/40 <RADIUS IP>:1645, Access-Accept, len 101
Jul 28 10:59:09.665 EDT: RADIUS: authenticator 47 D3 52 9E 83 AF 5B 47 - B2 DE 36 E5 70 81 D2 0B
Jul 28 10:59:09.665 EDT: RADIUS: Class [25] 57
Jul 28 10:59:09.669 EDT: RADIUS: 53 42 52 32 43 4C A3 C1 B8 EB 9C C8 86 FB F8 80 [SBR2CL??????????]
Jul 28 10:59:09.669 EDT: RADIUS: 11 80 24 01 80 04 81 99 8C 86 80 02 80 06 81 AA [??$?????????????]
Jul 28 10:59:09.669 EDT: RADIUS: 91 AA B5 A1 C4 12 80 0E 81 A3 C1 B8 EB 9C C8 86 [????????????????]
Jul 28 10:59:09.669 EDT: RADIUS: FB F8 80 80 80 80 88 [???????]
Jul 28 10:59:09.669 EDT: RADIUS: Vendor, Microsoft [26] 12
Jul 28 10:59:09.669 EDT: RADIUS: MS-MPPE-Enc-Policy [7] 6
Jul 28 10:59:09.669 EDT: RADIUS: 00 00 00 [???]
Jul 28 10:59:09.669 EDT: RADIUS: Vendor, Microsoft [26] 12
Jul 28 10:59:09.669 EDT: RADIUS: MS-MPPE-Enc-Type [8] 6
Jul 28 10:59:09.669 EDT: RADIUS: FF 00 00 00 [????]
Jul 28 10:59:09.669 EDT: RADIUS(00000033): Received from id 1645/40
Jul 28 10:59:09.673 EDT: RADIUS/ENCODE(00000033)rig. component type = VPDN
Jul 28 10:59:09.673 EDT: RADIUS(00000033): Using existing nas_port 40
Jul 28 10:59:09.673 EDT: RADIUS(00000033): Config NAS IP: 10.21.64.8
Jul 28 10:59:09.689 EDT: RADIUS/ENCODE(00000033)rig. component type = VPDN
Jul 28 10:59:09.689 EDT: RADIUS(00000033): Using existing nas_port 40
WORKING EXAMPLE:
Jul 28 10:58:39.748 EDT: RADIUS(00000032): Config NAS IP: < INTERNAL IP >
Jul 28 10:58:39.732 EDT: RADIUS/ENCODE(00000032)rig. component type = VPDN
Jul 28 10:58:39.732 EDT: RADIUS: AAA Unsupported Attr: interface [153] 14
Jul 28 10:58:39.732 EDT: RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 [Uniq-Sess-ID]
Jul 28 10:58:39.732 EDT: RADIUS(00000032): Storing nasport 39 in rad_db
Jul 28 10:58:39.732 EDT: RADIUS(00000032): Config NAS IP: < INTERNAL IP >
Jul 28 10:58:39.732 EDT: RADIUS/ENCODE(00000032): acct_session_id: 84
Jul 28 10:58:39.732 EDT: RADIUS(00000032): sending
Jul 28 10:58:39.732 EDT: RADIUS(00000032): Send Access-Request to <RADIUS IP>:1645 id 1645/39, len 131
Jul 28 10:58:39.732 EDT: RADIUS: authenticator 35 F1 A1 28 E0 E6 CE 50 - 00 00 00 00 00 00 00 00
Jul 28 10:58:39.732 EDT: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 28 10:58:39.732 EDT: RADIUS: User-Name [1] 7 "TEST1"
Jul 28 10:58:39.732 EDT: RADIUS: Vendor, Microsoft [26] 16
Jul 28 10:58:39.732 EDT: RADIUS: MSCHAP_Challenge [11] 10
Jul 28 10:58:39.732 EDT: RADIUS: 35 F1 A1 28 E0 E6 CE 50 [5??(???P]
Jul 28 10:58:39.732 EDT: RADIUS: Vendor, Microsoft [26] 58
Jul 28 10:58:39.732 EDT: RADIUS: MS-CHAP-Response [1] 52 *
Jul 28 10:58:39.732 EDT: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 28 10:58:39.732 EDT: RADIUS: NAS-Port [5] 6 39
Jul 28 10:58:39.732 EDT: RADIUS: Service-Type [6] 6 Framed [2]
Jul 28 10:58:39.732 EDT: RADIUS: NAS-IP-Address [4] 6 <INTERNAL IP>
Jul 28 10:58:39.740 EDT: RADIUS: Received from id 1645/39 <RADIUS IP>:1645, Access-Accept, len 138
Jul 28 10:58:39.740 EDT: RADIUS: authenticator 2E C2 1B A5 E6 5F 81 12 - 27 C2 32 70 DE 46 27 41
Jul 28 10:58:39.740 EDT: RADIUS: Class [25] 55
Jul 28 10:58:39.740 EDT: RADIUS: 53 42 52 32 43 4C A3 C1 B8 EB 9C C8 86 FB F8 80 [SBR2CL??????????]
Jul 28 10:58:39.740 EDT: RADIUS: 11 80 22 01 80 02 81 98 80 02 80 06 81 AA 91 AA [??"?????????????]
Jul 28 10:58:39.740 EDT: RADIUS: B5 A1 C4 12 80 0E 81 A3 C1 B8 EB 9C C8 86 FB F8 [????????????????]
Jul 28 10:58:39.740 EDT: RADIUS: 80 80 80 80 84 [?????]
Jul 28 10:58:39.740 EDT: RADIUS: Vendor, Microsoft [26] 40
Jul 28 10:58:39.740 EDT: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
Jul 28 10:58:39.740 EDT: RADIUS: Vendor, Microsoft [26] 12
Jul 28 10:58:39.740 EDT: RADIUS: MS-MPPE-Enc-Policy [7] 6
Jul 28 10:58:39.740 EDT: RADIUS: 00 00 00 [???]
Jul 28 10:58:39.740 EDT: RADIUS: Vendor, Microsoft [26] 11
Jul 28 10:58:39.740 EDT: RADIUS: MS-MPPE-Enc-Type [8] 5
Jul 28 10:58:39.740 EDT: RADIUS: 00 00 [??]
Jul 28 10:58:39.740 EDT: RADIUS(00000032): Received from id 1645/39
Jul 28 10:58:39.748 EDT: RADIUS/ENCODE(00000032)rig. component type = VPDN
Jul 28 10:58:39.748 EDT: RADIUS(00000032): Using existing nas_port 39
Here are our SBR log excerpts showing the values and attributes being returned. I've experimented with the upper and lower case over and over here for the MS-CHAP-MPPE-Keys attribute.
10:59:08 LDAPAUTH: Returning attribute MS-CHAP-MPPE-Keys = "N/A"
10:59:08 LDAPAUTH: Returning attribute MS-MPPE-Encryption-Policy = "Encryption-Allowed"
10:59:08 LDAPAUTH: Returning attribute MS-MPPE-Encryption-Type = "0x000000"
The values above are what our OpenLDAP is returning to SBR, and hence what SBR is returning to the Cisco switch. Experimenting shows that the values DO come through for the Encryption-Type and Encryption-Policy... but for some reason the MS-CHAP-MPPE-Keys does not come through.
Any help is greatly appreciated. I've been hacking at this for several hours and researching it to no avail.
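As an added example (not part of either post, and not Juniper's, Cisco's or OpenLDAP's code), the following Python decodes a RADIUS Access-Accept the way the switch debug above does: it walks the RFC 2865 Type/Length/Value attributes, unpacks the Microsoft Vendor-Specific attributes (vendor id 311, RFC 2548) and reports whether MS-CHAP-MPPE-Keys (vendor type 12, whose encrypted Keys field is fixed at 32 octets, i.e. Vendor-Length 34, matching the "[12] 34" in the working capture) is present. The two sample packets are constructed here to mirror the attribute layout of the non-working and working responses; the Class, authenticator and key bytes are zero/placeholder values, since a real MS-CHAP-MPPE-Keys value is encrypted with the shared secret and Request Authenticator and is not shown in the capture. Attribute names follow RFC 2548 (the Cisco debug abbreviates them as MS-MPPE-Enc-Policy / MS-MPPE-Enc-Type).

```python
import struct

# RFC 2548: Microsoft vendor id and the vendor-type numbers seen in the captures above.
VENDOR_MICROSOFT = 311
MS_VSA_NAMES = {
    1: "MS-CHAP-Response",
    7: "MS-MPPE-Encryption-Policy",
    8: "MS-MPPE-Encryption-Types",
    11: "MS-CHAP-Challenge",
    12: "MS-CHAP-MPPE-Keys",
    16: "MS-MPPE-Send-Key",
    17: "MS-MPPE-Recv-Key",
}
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26


def attr(atype, value):
    """Encode one RFC 2865 attribute: Type, Length (header included), Value."""
    return bytes([atype, len(value) + 2]) + value


def ms_vsa(vtype, value):
    """Encode a Microsoft Vendor-Specific attribute: Vendor-Id + one sub-attribute."""
    sub = bytes([vtype, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT) + sub)


def build_packet(code, ident, authenticator, attributes):
    """Prefix the 20-byte RADIUS header (Code, Identifier, Length, Authenticator)."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def parse_attributes(payload):
    """Walk the attribute TLVs, refusing lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field %d inconsistent with packet" % length)
    return code, ident, packet[4:20], parse_attributes(packet[20:length])


def microsoft_vsas(attrs):
    """Collect Microsoft sub-attributes keyed by vendor type; other vendors are ignored."""
    found = {}
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
            continue
        body, j = value[4:], 0
        while j < len(body):
            if j + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("bad vendor sub-attribute length %d" % vlen)
            found.setdefault(vtype, []).append(body[j + 2:j + vlen])
            j += vlen
    return found


def check_mppe_keys(packet):
    """List the Microsoft VSAs an Access-Accept carries; flag a missing or malformed MS-CHAP-MPPE-Keys."""
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return {"problem": "not an Access-Accept (code %d)" % code, "present": []}
    vsas = microsoft_vsas(attrs)
    report = {"present": sorted(MS_VSA_NAMES.get(t, "MS-Unknown-%d" % t) for t in vsas)}
    keys = vsas.get(12)
    if keys is None:
        report["problem"] = "MS-CHAP-MPPE-Keys (vendor type 12) missing from Access-Accept"
    elif len(keys[0]) != 32:
        # RFC 2548 fixes the (encrypted) Keys field at 32 octets, so Vendor-Length is 34.
        report["problem"] = "MS-CHAP-MPPE-Keys has %d octets, expected 32" % len(keys[0])
    return report


# Constructed sample responses (not the captured bytes): same attribute layout as the
# switch debug above, with placeholder Class, authenticator and key bytes.
_AUTH = bytes(range(16))
_CLASS = attr(25, b"SBR2CL" + bytes(10))
NON_WORKING_ACCEPT = build_packet(ACCESS_ACCEPT, 40, _AUTH,
    _CLASS + ms_vsa(7, b"\x00\x00\x00\x00") + ms_vsa(8, b"\xff\x00\x00\x00"))
WORKING_ACCEPT = build_packet(ACCESS_ACCEPT, 39, _AUTH,
    _CLASS + ms_vsa(12, bytes(32)) + ms_vsa(7, b"\x00\x00\x00\x00") + ms_vsa(8, b"\x00\x00\x00\x00"))

if __name__ == "__main__":
    for name, pkt in (("non-working", NON_WORKING_ACCEPT), ("working", WORKING_ACCEPT)):
        print(name, check_mppe_keys(pkt))
```

Run against a real response (for instance the bytes of a packet capture taken on the RADIUS port), `check_mppe_keys` gives the same verdict the two switch debugs do by hand: the non-working layout reports MS-CHAP-MPPE-Keys as missing, the working one reports all three Microsoft attributes present. The length checks matter because a malformed Vendor-Length on an attribute the NAS treats as keying material is exactly the kind of thing a NAS will silently drop rather than log.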
When you are using the Cisco as the NAS device, what type of authentication protocol are you using on the client end? Is it EAP-PEAP or something along those lines?
The reason I ask is that it is possible to disable the MPPE keys in the PEAP or TTLS methods.
If you are using an MD5 auth method, this will prevent SBR from dynamically generating the MPPE keys as there is no keying material in an MD5 request we can use to do this.
Can you get me the SBR log in debug level logging (LogLevel = 2 and TraceLevel = 2 in the radius.ini)?
This should be completely possible.
Thanks
Craig Brauckmiller