2 Replies Latest reply: May 21, 2013 12:20 PM by CMSeth
CMSeth Level 1 (0 points)

After quite a bit of mucking around and getting no VPN activity through my router, I finally resolved that issue.

Only my local users can authenticate through VPN; any user from LDAP receives "The PPP server could not be authenticated".

Log:

2013-05-18 12:47:48 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
2013-05-18 12:47:48 PDT Listening for connections...
2013-05-18 12:48:01 PDT Incoming call... Address given to client = 192.168.1.210
Sat May 18 12:48:01 2013 : Directory Services Authentication plugin initialized
Sat May 18 12:48:01 2013 : Directory Services Authorization plugin initialized
Sat May 18 12:48:01 2013 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Sat May 18 12:48:01 2013 : L2TP received SCCRQ
Sat May 18 12:48:01 2013 : L2TP sent SCCRP
Sat May 18 12:48:01 2013 : L2TP received SCCCN
Sat May 18 12:48:01 2013 : L2TP received ICRQ
Sat May 18 12:48:01 2013 : L2TP sent ICRP
Sat May 18 12:48:01 2013 : L2TP received ICCN
Sat May 18 12:48:01 2013 : L2TP connection established.
Sat May 18 12:48:01 2013 : using link 0
Sat May 18 12:48:01 2013 : Using interface ppp0
Sat May 18 12:48:01 2013 : Connect: ppp0 <--> socket[34:18]
Sat May 18 12:48:01 2013 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6a5127d0> <pcomp> <accomp>]
Sat May 18 12:48:01 2013 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x241129ad> <pcomp> <accomp>]
Sat May 18 12:48:01 2013 : lcp_reqci: returning CONFACK.
Sat May 18 12:48:01 2013 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x241129ad> <pcomp> <accomp>]
Sat May 18 12:48:01 2013 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6a5127d0> <pcomp> <accomp>]
Sat May 18 12:48:01 2013 : sent [LCP EchoReq id=0x0 magic=0x6a5127d0]
Sat May 18 12:48:01 2013 : sent [CHAP Challenge id=0x26 <7e687e746a7952624e5c520d3d44336f>, name = "xxx.local"]
Sat May 18 12:48:01 2013 : rcvd [LCP EchoReq id=0x0 magic=0x241129ad]
Sat May 18 12:48:01 2013 : sent [LCP EchoRep id=0x0 magic=0x6a5127d0]
Sat May 18 12:48:01 2013 : rcvd [LCP EchoRep id=0x0 magic=0x241129ad]
Sat May 18 12:48:01 2013 : rcvd [CHAP Response id=0x26 <2565138e1e78d0acd765e71dae4b040000000000000000006c440c372117acea2dbf7fe446b999ed7c6dddba9df36e4d00>, name = "xxx"]
Sat May 18 12:50:47 2013 : sent [CHAP Success id=0x26 "S=FD5CF3E38450AF9F992662394D54832EF54DD0B2 M=Access granted"]
Sat May 18 12:50:47 2013 : CHAP peer authentication succeeded for xxx
Sat May 18 12:50:47 2013 : DSAccessControl plugin: User 'xxx' authorized for access
Sat May 18 12:50:47 2013 : sent [IPCP ConfReq id=0x1 <addr 192.168.1.110>]
Sat May 18 12:50:47 2013 : sent [ACSCP ConfReq id=0x1]
Sat May 18 12:50:47 2013 : L2TP received CDN
Sat May 18 12:50:47 2013 : L2TP hangup
Sat May 18 12:50:47 2013 : Connection terminated.
Sat May 18 12:50:47 2013 : rcvd [CHAP Response id=0x26 <2565138e1e78d0acd765e71dae4b040000000000000000006c440c372117acea2dbf7fe446b999ed7c6dddba9df36e4d00>, name = "xxx"]
Sat May 18 12:50:47 2013 : Connect time 2.8 minutes.
Sat May 18 12:50:47 2013 : Sent 0 bytes, received 0 bytes.
Sat May 18 12:50:47 2013 : L2TP disconnecting...
Sat May 18 12:50:47 2013 : L2TP sent CDN
Sat May 18 12:50:47 2013 : L2TP sent StopCCN
Sat May 18 12:50:47 2013 : L2TP disconnected
2013-05-18 12:50:47 PDT    --> Client with address = 192.168.1.210 has hungup

Xserve 10.6.8

While testing, I have all services available to all users.

LDAPv3 is on 127.0.0.1

I have run vpnaddkeyagentuser /LDAPv3/127.0.0.1

Using MS-CHAPv2 for authentication

Shared secret functions when using local user.

As per other sites and threads here, I have ensured that PPTP is currently on.

Ports are handled; we know this since VPN functions with local users.

Have reset/changed passwords for LDAP users multiple times to rule this out as an issue.

I'm not sure why LDAP isn't able to be used. Any suggestions?


Xserve, Mac OS X (10.6.8)
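One thing the posted log makes measurable: the CHAP Response is received at 12:48:01, the CHAP Success is not sent until 12:50:47, and the client's CDN (tear-down) arrives in the same second, before IPCP ever completes. The script below is an added example (editor's code, not from the original post or from Apple's vpnd/pppd) that parses pppd-style log lines, pairs each received CHAP Response with the Success/Failure the server sent for the same id to measure how long the authentication backend took, and flags a client-initiated hang-up that follows authentication but precedes a received IPCP ConfAck. The embedded log excerpt is a constructed copy of the lines above with the hex blobs shortened; the 30-second "slow" threshold is an assumption for illustration, not a documented L2TP or PPP client timeout.

```python
import re
from datetime import datetime

# Constructed excerpt of the pppd/L2TP server log posted above. Hex blobs are
# shortened and the client address is masked as in the post; the first line is
# in vpnd's own date format, which the parser deliberately skips.
SAMPLE_LOG = """\
2013-05-18 12:48:01 PDT Incoming call... Address given to client = 192.168.1.210
Sat May 18 12:48:01 2013 : sent [CHAP Challenge id=0x26 <7e687e74...>, name = "xxx.local"]
Sat May 18 12:48:01 2013 : rcvd [CHAP Response id=0x26 <2565138e...>, name = "xxx"]
Sat May 18 12:50:47 2013 : sent [CHAP Success id=0x26 "S=FD5CF3E3... M=Access granted"]
Sat May 18 12:50:47 2013 : CHAP peer authentication succeeded for xxx
Sat May 18 12:50:47 2013 : DSAccessControl plugin: User 'xxx' authorized for access
Sat May 18 12:50:47 2013 : sent [IPCP ConfReq id=0x1 <addr 192.168.1.110>]
Sat May 18 12:50:47 2013 : L2TP received CDN
Sat May 18 12:50:47 2013 : L2TP hangup
Sat May 18 12:50:47 2013 : rcvd [CHAP Response id=0x26 <2565138e...>, name = "xxx"]
Sat May 18 12:50:47 2013 : Connect time 2.8 minutes.
"""

# "Sat May 18 12:48:01 2013 : <message>" is the pppd line format in the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<msg>.*)$"
)
CHAP_RE = re.compile(
    r"\b(?P<dir>sent|rcvd) \[CHAP (?P<kind>Challenge|Response|Success|Failure) id=(?P<id>0x[0-9a-fA-F]+)"
)

# Assumed threshold for "suspiciously slow" backend authentication (illustration
# value only, not a documented client timeout).
SLOW_AUTH_SECONDS = 30.0


def parse_ppp_log(text):
    """Return [(datetime, message), ...] for pppd-style lines; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("msg")))
    return events


def analyze_chap_session(events, slow_auth_seconds=SLOW_AUTH_SECONDS):
    """Pair each received CHAP Response with the Success/Failure sent for the same
    id, measure the authentication backend's latency, and record whether the
    client tore the tunnel down (L2TP received CDN) after authenticating but
    before IPCP reached a received ConfAck."""
    first_response = {}  # CHAP id -> time the client's response was first received
    result = {
        "auth": [],                  # one entry per CHAP Success/Failure sent
        "ipcp_completed": False,     # saw 'rcvd [IPCP ConfAck'
        "client_hangup": False,      # saw 'L2TP received CDN'
        "hangup_after_auth": False,  # CDN after Success, before IPCP completed
    }
    authenticated = False
    for ts, msg in events:
        chap = CHAP_RE.search(msg)
        if chap:
            cid = int(chap.group("id"), 16)
            direction, kind = chap.group("dir"), chap.group("kind")
            if direction == "rcvd" and kind == "Response":
                # keep the earliest; the post logs the same Response twice
                first_response.setdefault(cid, ts)
            elif direction == "sent" and kind in ("Success", "Failure"):
                started = first_response.get(cid)
                latency = (ts - started).total_seconds() if started else None
                result["auth"].append({
                    "id": cid,
                    "outcome": kind.lower(),
                    "latency_s": latency,
                    "slow": latency is not None and latency > slow_auth_seconds,
                })
                if kind == "Success":
                    authenticated = True
            continue
        if "rcvd [IPCP ConfAck" in msg:
            result["ipcp_completed"] = True
        elif "L2TP received CDN" in msg:
            result["client_hangup"] = True
            if authenticated and not result["ipcp_completed"]:
                result["hangup_after_auth"] = True
    return result


def describe(result):
    """One-line human-readable verdict for a session."""
    notes = []
    for a in result["auth"]:
        lat = "unknown" if a["latency_s"] is None else f"{a['latency_s']:.0f}s"
        notes.append(f"CHAP id=0x{a['id']:02x}: {a['outcome']} after {lat}"
                     + (" (slow backend authentication)" if a["slow"] else ""))
    if result["hangup_after_auth"]:
        notes.append("client sent CDN after CHAP Success but before IPCP completed")
    return "; ".join(notes) or "no CHAP exchange found"


if __name__ == "__main__":
    print(describe(analyze_chap_session(parse_ppp_log(SAMPLE_LOG))))
```

Run against the excerpt this reports a 166-second gap between the client's CHAP Response and the server's CHAP Success, followed by a client CDN with no IPCP ConfAck ever received. Pointing the same script at a working local-user session gives a baseline latency to compare against, which separates "the directory lookup is slow and the client gives up" from "the credential is rejected".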
  • John Lockwood Level 5 (6,275 points)

    Some things for you to check.

    1. Make sure Workgroup Manager is set to and able to access your Open Directory accounts
    2. Is the VPN server also your Open Directory server? If not then LDAPv3/127.0.0.1 would not be the right choice.
    3. Check the VPN service permissions in Server Admin to see which accounts are allowed access to the VPN service, maybe you have restricted it.
  • CMSeth Level 1 (0 points)

    I've been using Workgroup Manager to create/edit the users on LDAP.

    LDAP and VPN are on the same Xserve.

    While trying to get this to function I've set, "For all services", "Allow all users and groups".