Hi, I'm setting up FreeRADIUS on Red Hat Enterprise Linux ES 3.0 using the RPM that shipped with the release, plus updates. Below are the messages I receive when authenticating from a Cisco router. I was previously running Cistron RADIUS on FreeBSD and that worked fine. The "!root" user I have defined works, as does any other user for whom I supply a password in the "users" file. If I try to authenticate a user against the system password instead (Auth-Type = System, i.e. /etc/passwd and /etc/shadow via rlm_unix) it fails.
Here are the config files. Sorry for the lengthy config. Thanks for your help.

CISCO CONFIG:
aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication login no_radius enable
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
!
ip radius source-interface Ethernet0/0
radius-server host nnn.nnn.nnn.nnn auth-port 1812 acct-port 1813 key 7 aaaaaaaaaaaaaaaaaaaa
radius-server retransmit 2
radius-server deadtime 2

[Reviewer note: IOS "key 7" is a reversible obfuscation, not encryption, so any pasted config should be treated as if the shared secret were in cleartext (it is masked here, which is the right thing to do). The same secret is what hides User-Password in every Access-Request on the wire, so it should be long, random and unique to this NAS.]

USERS FILE:
!root       Password == "somepassword"
            Service-Type == NAS-Prompt-User

userxxxx    Auth-Type == System
            Service-Type == Framed-User

DEFAULT     Auth-Type = System
            Fall-Through = 1

DEFAULT     Service-Type == Framed-User
            Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through = Yes

DEFAULT     Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT     Hint == "CSLIP"
            Framed-Protocol = SLIP,
            Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT     Hint == "SLIP"
            Framed-Protocol = SLIP

[Reviewer note: the "users" file carries the !root password in cleartext, so it must stay readable only by root and the account radiusd runs as. The "Auth-Type = System" DEFAULT entry is what routes ordinary users to rlm_unix, i.e. to /etc/passwd and /etc/shadow; that is the path that fails in the debug output below.]

RADIUSD.CONF:
bind_address = zzz.zzz.zzz.zzz
port = 1812
hostname_lookups = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
        leap {
        }
    }
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm realmslash {
        format = prefix
        delimiter = "/"
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = yes
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    detail auth_log {
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
}
instantiate {
    expr
}
authorize {
    preprocess
    auth_log
    chap
    eap
    digest
    suffix
    files
    mschap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    pam
    unix
    eap
}
preacct {
    preprocess
    suffix
    files
}
accounting {
    acct_unique
    detail
    unix    # wtmp file
    radutmp
}
session {
    radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
    eap
}

[Reviewer note: "auth_log" is an rlm_detail instance listed in authorize, so it writes every incoming Access-Request to a detail file (the debug output below shows it expanding to /var/log/radius/radacct/<client-ip>/detail). The request it logs carries User-Password in cleartext, as the packet dump below shows, so that file holds passwords: it needs restrictive permissions and should be kept out of any shared log collection. Its instance block here is empty and therefore relies on module defaults for detailfile and detailperm; setting both explicitly is the safer choice. The ldap block still contains the stock placeholder server and basedn, but ldap is not referenced from authorize or authenticate, so it is inert.]

MESSAGES:
rad_recv: Access-Request packet from host
nnn.nnn.nnn.nnn:1645, id=43, length=83
    NAS-IP-Address = yyy.yyy.yyy.yyy
    NAS-Port = 66
    NAS-Port-Type = Virtual
    User-Name = "userxxxx"
    Calling-Station-Id = "zzz.zzz.zzz.zzz"
    User-Password = "somepassword"
-------- 9configured to verify passwords)    [this line is truncated in the original paste]
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/yyy.yyy.yyy.yyy/detail'
rlm_detail: %A/%{Client-IP-Address}/detail expands to /var/log/radius/radacct/yyy.yyy.yyy.yyy/detail
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "userxxxx", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched tcardenas at 143
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: [userxxxx]: invalid password
modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [tuserxxxx] (from client aepnet-ras port 66 cli zzz.zzz.zzz.zzz)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 43 to yyy.yyy.yyy.yyy:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 43 with timestamp 4077119b
Nothing to do.  Sleeping until we see a request.

[Reviewer note: "rlm_unix: invalid password" means rlm_unix found the account but the crypt() comparison failed; it is not a "no such user" result, so the account lookup itself is working. A likely cause with the stock RPM is that radiusd is not running as root and so cannot read /etc/shadow, in which case it ends up comparing against the "x" placeholder from /etc/passwd and every system password is rejected — confirm this by checking the user/group settings in radiusd.conf (not in the excerpt above), the mode and group of /etc/shadow, and whether the same login succeeds when radiusd is started as root with -X for a one-off test. A password hash format that crypt() on this host cannot handle would fail the same way, so check the hash prefix in /etc/shadow as well. Two hygiene points about the paste itself: this debug output prints User-Password in cleartext and should be scrubbed before posting, and the username redaction is incomplete — "tcardenas" survives in the "users: Matched" line, and the stray leading "t" in "[tuserxxxx]" shows where the mask was applied.]