Hello. Sorry for some pause in conversation.

> >> Any of SMB-Account-CTRL, User-Password and Auth-Type
> >> attributes should
> >> present with :=, not == operation.

I think that with User-Password I need to use the '==' operation; it's a condition, not a definition...

Here are logs without SMB-Account-CTRL and with it.

________________________________________________________________________________
mysql> select * from radcheck;
+----+----------+---------------+----+--------+
| id | UserName | Attribute     | op | Value  |
+----+----------+---------------+----+--------+
|  1 | test     | User-Password | == | test   |
+----+----------+---------------+----+--------+
________________________________________________________________________________
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=76, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0x0808921378f29eef1012eb923c9e6422
        MS-CHAP2-Response = 0x010050346d85f08005552ecd3307a479219c00000000000000002d0f0dc4294e112a4ff46994ae39c290248ee6773a4585bc
        NAS-IP-Address = 10.128.7.13
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: check items User-Password == "test"
rlm_sql: reply items
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok
modcall: group authtype returns ok
Login OK: [test] (from client localhost port 0)
Sending Access-Accept of id 76 to 127.0.0.1:32772
        MS-CHAP2-Success = 0x01533d43433731343043313537364643444642444343384234433841303943303945333535454431314144
        MS-MPPE-Recv-Key = 0xa5e7ae2e265d7ed72c0a173efbf84737280912f8fea8b7ee03a1cdaf7816c331bbae
        MS-MPPE-Send-Key = 0xa5e43c17be9de81ae5f0a61367766998535d84e2c0dd5fdb08bce4fc65a874226a04
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000004
Finished request 0
Going to the next request
--- Walking the entire request list ---
________________________________________________________________________________
mysql> select * from radcheck;
+----+----------+------------------+----+--------+
| id | UserName | Attribute        | op | Value  |
+----+----------+------------------+----+--------+
|  1 | test     | User-Password    | == | test   |
| 14 | test     | SMB-Account-CTRL | := | 17     |
+----+----------+------------------+----+--------+
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=79, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0xc336487cabf841825e682cf0c1f5c59f
        MS-CHAP2-Response = 0x0100ff6a087763543f28034af97e882ed03b0000000000000000bc5b53de858d18b44c135420bdb69da69520395b8542598d
        NAS-IP-Address = 10.128.7.13
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: check items User-Password == "test" SMB-Account-CTRL := 17
rlm_sql: reply items
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok
modcall: group authtype returns ok
Login OK: [test] (from client localhost port 0)
Sending Access-Accept of id 79 to 127.0.0.1:32772
        MS-CHAP2-Success = 0x01533d42453232344438334246363941423342314135454544464337433139344244343133333831423237
        MS-MPPE-Recv-Key = 0x9d697166114f24b438033148c5fee2f1f61fee68dfede623f8153a003ccc7b42184e
        MS-MPPE-Send-Key = 0x9d6e1d8b88bee44b8268cb5e16c44f69d568ca904ae4775abfce64a1eaaa7c29dfd8
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000004
Finished request 3
Going to the next request
________________________________________________________________________________
--- Walking the entire request list ---

> -----Original Message-----
> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> Sent: 24 January 2003 18:24
> To: Roman Bessyadovskii
> Subject: Re[5]: sql and MSCHAP and disabling user.
>
>
> Dear Roman Bessyadovskii,
>
> Send logs with SMB-Account-CTRL := 17.
>
>
> --Friday, January 24, 2003, 6:00:09 PM, you wrote to
> [EMAIL PROTECTED]:
>
> RB> Sure :=. That's what I set.
>
> RB> And solution 1, as time shows, is not good enough for me.
> RB> I want to authorize vpn users (MS-CHAP) and Squid users with the same
> RB> passwords. (Users can access the internet via vpn or via squid), and when I
> RB> comment authtype = MS-CHAP in radiusd.conf and insert Auth-Type = MS-CHAP in
> RB> radacct then squid users can't login, because SQUID does not use MS-CHAP...
>
> >> -----Original Message-----
> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> Sent: 24 January 2003 17:15
> >> To: [EMAIL PROTECTED]; Roman Bessyadovskii
> >> Cc: [EMAIL PROTECTED]
> >> Subject: Re[3]: sql and MSCHAP and disabling user.
> >>
> >>
> >> Dear Roman Bessyadovskii,
> >>
> >> Any of SMB-Account-CTRL, User-Password and Auth-Type attributes should
> >> be present with :=, not == operation.
> >>
> >> --Friday, January 24, 2003, 4:47:46 PM, you wrote to
> >> [EMAIL PROTECTED]:
> >>
> >> RB> Ok, solution 1 is good enough, and I can solve the problem with it.
> >> RB> But solution 2 (with SMB-Account-CTRL) does not work for me.
> >> RB> I set SMB-Account-CTRL := 16 (17) in radcheck and in radreply, but there is
> >> RB> no effect on the authorisation process.
> >>
> >> RB> At this moment I don't clearly understand the process of Authorization,
> >> RB> Authentication.
> >> RB> I have read the doc/aaa.txt (How Authorization, Authentication, and Accounting
> >> RB> requests are handled) file but some corners are dark at this time.
> >>
> >> RB> for example
> >> RB> radius receives an access request with some Attribute - Value pairs.
> >> RB> Server begins the Authorisation process - collects data about the user, by calling
> >> RB> modules from the authorize section.
> >> RB> So, question, why is the order of check modules important? As I wrote in an earlier
> >> RB> letter, I switched the sql and mschap modules and the user received Access Denied.
> >>
> >> RB> or another question
> >> RB> When I specify some attributes in the sql DB in radreply - would those attributes
> >> RB> be included in the Reply Message to the client? If so, how would SMB-Account-CTRL
> >> RB> be considered if radius returns Access-Accept?
> >>
> >> >> -----Original Message-----
> >> >> From: 3APA3A [mailto:[EMAIL PROTECTED]]
> >> >> Sent: 24 January 2003 12:28
> >> >> To: [EMAIL PROTECTED]; Roman Bessyadovskii
> >> >> Cc: [EMAIL PROTECTED]
> >> >> Subject: Re: sql and MSCHAP and disabling user.
> >> >>
> >> >>
> >> >> Dear Roman Bessyadovskii,
> >> >>
> >> >> Including mschap into the authorize{} section with "authtype" configured in
> >> >> the mschap module configuration informs the mschap module it should
> >> >> automatically detect the MS-CHAP handshake and set auth to MS-CHAP if one is
> >> >> found.
> >> >>
> >> >> I see 2 possible solutions:
> >> >> 1. Remove authtype in the mschap configuration. If you need both PAP and
> >> >> MS-CHAP to work you can create an authenticate{} group from pap and mschap.
> >> >> 2. Add the SMB-Account-CTRL parameter.
> >> >>
> >> >> SMB-Account-CTRL should be 16 for a normal account, 17 for a disabled account
> >> >> and 1025 for an auto locked account. In the general case it's a combination
> >> >> of OR'ed flags:
> >> >>
> >> >> #define ACB_DISABLED  0x0001 /* 1 = User account disabled */
> >> >> #define ACB_HOMDIRREQ 0x0002 /* 1 = Home directory required */
> >> >> #define ACB_PWNOTREQ  0x0004 /* 1 = User password not required */
> >> >> #define ACB_TEMPDUP   0x0008 /* 1 = Temporary duplicate account */
> >> >> #define ACB_NORMAL    0x0010 /* 1 = Normal user account */
> >> >> #define ACB_MNS       0x0020 /* 1 = MNS logon user account */
> >> >> #define ACB_DOMTRUST  0x0040 /* 1 = Interdomain trust account */
> >> >> #define ACB_WSTRUST   0x0080 /* 1 = Workstation trust account */
> >> >> #define ACB_SVRTRUST  0x0100 /* 1 = Server trust account */
> >> >> #define ACB_PWNOEXP   0x0200 /* 1 = User password does not expire */
> >> >> #define ACB_AUTOLOCK  0x0400 /* 1 = Account auto locked */
> >> >>
> >> >> (ACB_NORMAL should always be present, otherwise the account is ignored)
> >> >>
> >> >> Having SMB-Account-CTRL gives you an additional advantage, because your
> >> >> Windows users will get a valid message ("account disabled" or "account
> >> >> locked out") instead of "invalid password".
> >> >>
> >> >> --Friday, January 24, 2003, 10:45:15 AM, you wrote to
> >> >> [EMAIL PROTECTED]:
> >> >>
> >> >> RB> Hi All.
> >> >>
> >> >> RB> I need to set up a vpn server with radius login and store passwords in sql.
> >> >> RB> I have installed all correctly (poptop, ppp, freeradius, mysql), and
> >> >> RB> configured it; users can connect, and go through the vpn.
> >> >>
> >> >> RB> And, I want to temporarily disable a user, but I can't.
> >> >>
> >> >> RB> That's what I do.
> >> >>
> >> >> RB> mysql> select * from radcheck;
> >> >> RB> +----+----------+---------------+----+--------+
> >> >> RB> | id | UserName | Attribute     | op | Value  |
> >> >> RB> +----+----------+---------------+----+--------+
> >> >> RB> |  1 | test     | User-Password | == | test   |
> >> >> RB> |  2 | test     | Auth-Type     | == | Reject |
> >> >> RB> +----+----------+---------------+----+--------+
> >> >>
> >> >> RB> From radiusd.conf :
> >> >> RB> authorize {
> >> >> RB>         preprocess
> >> >> RB>         chap
> >> >> RB>         suffix
> >> >> RB>         sql
> >> >> RB>         #
> >> >> RB>         #  If the users are logging in with an MS-CHAP-Challenge
> >> >> RB>         #  attribute for authentication, the mschap module will find
> >> >> RB>         #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
> >> >> RB>         #  to the request, which will cause the server to then use
> >> >> RB>         #  the mschap module for authentication.
> >> >> RB>         mschap
> >> >>
> >> >> RB> }
> >> >>
> >> >> RB> As described in the comment, MS-CHAP adds (or rewrites) Auth-Type for MS-CHAP and
> >> >> RB> the user can login independent of Reject in the sql table.
> >> >>
> >> >> RB> If in the authorize section I switch the sql and mschap modules and set the next order
> >> >> RB> authorize {
> >> >> RB> ...
> >> >> RB> mschap
> >> >> RB> sql
> >> >> RB> }
> >> >>
> >> >> RB> In that configuration I receive reject if I disable the user in the sql table, but also
> >> >> RB> receive reject with normal (not disabled) users with the following log (radiusd -X).
> >> >>
> >> >> RB> rlm_sql (sql): Released sql socket id: 4
> >> >> RB> modcall[authorize]: module "sql" returns ok
> >> >> RB> modcall: group authorize returns ok
> >> >> RB> rad_check_password: Found Auth-Type MS-CHAP
> >> >> RB> auth: type "MS-CHAP"
> >> >> RB> modcall: entering group authtype
> >> >> RB> rlm_mschap: No LM/NT password configured. Check authorization.
> >> >> RB> modcall[authenticate]: module "mschap" returns invalid
> >> >> RB> modcall: group authtype returns invalid
> >> >> RB> auth: Failed to validate the user.
> >> >> RB> Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0)
> >> >> RB> Delaying request 0 for 1 seconds
> >> >>
> >> >> RB> How do I need to configure radius for it to work properly?
> >> >> RB> Or how can I disable a user in that configuration?
> >> >>
> >> >> RB> Thanks.
> >> >>
> >> >> RB> Rick.
> >> >>
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
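As an added example (my own code, not from the thread and not FreeRADIUS's rlm_mschap), the following decodes an SMB-Account-CTRL value into the ACB_* flags quoted in the thread and applies the rules stated there: ACB_NORMAL must be present, and ACB_DISABLED or ACB_AUTOLOCK rejects the user with a distinct reason. The check order, the `acct_status` names and the `describe_smb_account_ctrl` helper are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* ACB_* account-control bits exactly as listed in the thread. */
#define ACB_DISABLED  0x0001
#define ACB_HOMDIRREQ 0x0002
#define ACB_PWNOTREQ  0x0004
#define ACB_TEMPDUP   0x0008
#define ACB_NORMAL    0x0010
#define ACB_MNS       0x0020
#define ACB_DOMTRUST  0x0040
#define ACB_WSTRUST   0x0080
#define ACB_SVRTRUST  0x0100
#define ACB_PWNOEXP   0x0200
#define ACB_AUTOLOCK  0x0400

static const struct { unsigned int bit; const char *name; } acb_names[] = {
    {ACB_DISABLED, "ACB_DISABLED"}, {ACB_HOMDIRREQ, "ACB_HOMDIRREQ"},
    {ACB_PWNOTREQ, "ACB_PWNOTREQ"}, {ACB_TEMPDUP, "ACB_TEMPDUP"},
    {ACB_NORMAL, "ACB_NORMAL"},     {ACB_MNS, "ACB_MNS"},
    {ACB_DOMTRUST, "ACB_DOMTRUST"}, {ACB_WSTRUST, "ACB_WSTRUST"},
    {ACB_SVRTRUST, "ACB_SVRTRUST"}, {ACB_PWNOEXP, "ACB_PWNOEXP"},
    {ACB_AUTOLOCK, "ACB_AUTOLOCK"},
};

/* Outcome of the check; the precedence is an assumption taken from the thread's rules. */
enum acct_status { ACCT_OK = 0, ACCT_IGNORED, ACCT_DISABLED, ACCT_LOCKED };

enum acct_status check_smb_account_ctrl(unsigned int ctrl)
{
    if (!(ctrl & ACB_NORMAL)) return ACCT_IGNORED;  /* no ACB_NORMAL: account ignored */
    if (ctrl & ACB_DISABLED)  return ACCT_DISABLED; /* client sees "account disabled" */
    if (ctrl & ACB_AUTOLOCK)  return ACCT_LOCKED;   /* client sees "account locked out" */
    return ACCT_OK;
}

/* Write the names of the flags set in ctrl to buf as "ACB_X|ACB_Y" and
 * return how many were found, so an operator can see what 17 or 1025 means. */
int describe_smb_account_ctrl(unsigned int ctrl, char *buf, size_t len)
{
    int n = 0;
    size_t i, used = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof acb_names / sizeof acb_names[0] && used < len; i++) {
        if (!(ctrl & acb_names[i].bit)) continue;
        used += snprintf(buf + used, len - used, "%s%s", n++ ? "|" : "", acb_names[i].name);
    }
    return n;
}
```

Decoding shows that 17 is ACB_DISABLED|ACB_NORMAL, while 1025 (0x401) carries ACB_DISABLED and ACB_AUTOLOCK without ACB_NORMAL; 16 | 1024 = 1040 is the value with both ACB_NORMAL and ACB_AUTOLOCK set, so it is worth decoding a value before storing it in radcheck.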