All,
I've got a problem that I currently can't seem to solve through the
docs or Google, and that I hope you can help me with.
I'm in the process of setting up a freeradius server which is
currently acting as a proxy from an unknown BT radius server to a
Microsoft IAS server authenticating against an NT4 SAM database.
The authentication works fine, so no problems there.
My problem comes because I want to allocate IP addresses via my
freeradius server (giving me IP address allocation control based on
where the user is coming from (or what phone number they ring)).
Now initially I wanted to use DHCP, so this problem wouldn't exist,
but BT don't seem to want to RELAY my clients' DHCP request onto my DHCP
server. So I've fallen back on the rlm_ippool module in freeradius.
I've got the following in my radiusd.conf file:
ippool main_pool {
range-start = 192.168.50.1
range-stop = 192.168.50.254
netmask = 255.255.255.0
cache-size = 254
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = yes
}
I've set override to yes because I hand out a Framed-IP-Address of
255.255.255.254 on the IAS side (is this correct?)
I've also got the following in my users file.
DEFAULT Group == IT, Pool-Name := "main_pool"
So when I start radius in debug mode I can see the following output:
argon:/etc/raddb # radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = yes
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.51.220 IP address [192.168.51.220]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (NULL)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 420
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded IPPOOL
ippool: session-db = "/etc/raddb/db.ippool"
ippool: ip-index = "/etc/raddb/db.ipindex"
ippool: range-start = 192.168.50.1 IP address [192.168.50.1]
ippool: range-stop = 192.168.50.254 IP address [192.168.50.254]
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
ippool: cache-size = 254
ippool: override = yes
Module: Instantiated ippool (main_pool)
Listening on IP address 192.168.51.220, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
So far, so good. It loads the main_pool and from what I can tell is
ready to rock and roll.
I then get the Access-Request packet:
rad_recv: Access-Request packet from host 192.168.252.2:1645, id=183, length=102
NAS-IP-Address = 192.168.252.2
NAS-Port = 35
NAS-Port-Type = Async
User-Name = "????????" # Edited out to protect the innocent
Called-Station-Id = "8005876531"
Calling-Station-Id = "1214575000"
User-Password = "????????" # Edited out to protect the innocent
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "???????", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "???????"
rlm_realm: Proxying request from user ??????? to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "NULL" returns updated for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 192.168.51.17:1645
User-Name = "???????"
NAS-IP-Address = 192.168.252.2
NAS-Port = 35
NAS-Port-Type = Async
Called-Station-Id = "8005876531"
Calling-Station-Id = "1214575000"
User-Password = "???????"
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x313833
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 192.168.51.17:1645, id=1, length=55
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Service-Type = Framed-User
Proxy-State = 0x313833
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[authorize]: module "NULL" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [??????/??????] (from client BT_NAS_2 port 35 cli 1214575000)
modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This I'm sure is my problem; I'm just having great difficulty in
seeing where I've gone wrong and where the module is expecting the
definition for this attribute to come from.
modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 183 to 192.168.252.2:1645
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Service-Type = Framed-User
X-Ascend-IP-Pool-Definition = "main_pool"
Finished request 0
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.252.2:1645, id=184, length=116
NAS-IP-Address = 192.168.252.2
NAS-Port = 35
NAS-Port-Type = Virtual
User-Name = "pools-CL1-FER2"
Called-Station-Id = "8005876531"
Calling-Station-Id = "1214575000"
User-Password = "cisco"
Service-Type = Outbound-User
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "pools-CL1-FER2", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pools-Compass-Group-CL1-FER2"
rlm_realm: Proxying request from user pools-CL1-FER2 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "NULL" returns updated for request 2
modcall: group authorize returns updated for request 2
Sorry if I've included too much info, but I thought I'd try to adhere to
the list guidelines as best I could. At which point someone points out
that this is explained in a document that I've missed and I look totally
stupid.
Dave
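An added example, not part of Dave's post and not FreeRADIUS code: a small Python analyser for a `radiusd -X` trace of the kind quoted above. It records, per request, which modules each `modcall[section]` line reports, catches the `rlm_ippool: Could not find Pool-Name attribute.` message, and notes the `Framed-IP-Address` in the outgoing reply. Two things it surfaces directly from the trace on this page: the `files` module (the one that reads `/etc/raddb/users`, per the `files: usersfile` line in the startup output) never appears among the modules called in the `authorize` group, and the reply still carries the 255.255.255.254 address handed out by the IAS side rather than one from the pool. The embedded trace is a constructed excerpt modelled on the post's output; the module name `files` as the expected source of `Pool-Name` is an assumption stated in the code.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the radiusd -X trace in the post (not the full trace).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.252.2:1645, id=183, length=102
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall[authorize]: module "NULL" returns updated for request 0
modcall: group authorize returns updated for request 0
rad_recv: Access-Accept packet from host 192.168.51.17:1645, id=1, length=55
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall[authorize]: module "NULL" returns noop for request 0
modcall: group authorize returns ok for request 0
modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 183 to 192.168.252.2:1645
        Framed-IP-Address = 255.255.255.254
"""

# Address the IAS side hands out as a placeholder, per the post.
PLACEHOLDER_IP = "255.255.255.254"

ENTER_RE = re.compile(r"^modcall: entering group (?P<section>[\w-]+) for request (?P<req>\d+)")
MODCALL_RE = re.compile(
    r'^modcall\[(?P<section>[\w-]+)\]: module "(?P<module>[^"]+)" returns (?P<rc>\w+) for request (?P<req>\d+)'
)
IPPOOL_MISSING_RE = re.compile(r"^rlm_ippool: Could not find Pool-Name attribute")
FRAMED_IP_RE = re.compile(r"^\s*Framed-IP-Address = (?P<ip>[\d.]+)")


def analyse_trace(text):
    """Walk a radiusd -X trace and collect module calls, ippool warnings and reply IPs."""
    calls = defaultdict(lambda: defaultdict(list))  # req -> section -> [(module, rc)]
    missing_pool = set()  # requests where rlm_ippool saw no Pool-Name
    reply_ips = []  # Framed-IP-Address values seen after the reply header
    current_req = None
    for line in text.splitlines():
        m = ENTER_RE.match(line)
        if m:
            current_req = m.group("req")
            continue
        m = MODCALL_RE.match(line)
        if m:
            current_req = m.group("req")
            calls[current_req][m.group("section")].append((m.group("module"), m.group("rc")))
            continue
        if IPPOOL_MISSING_RE.match(line):
            missing_pool.add(current_req)
            continue
        m = FRAMED_IP_RE.match(line)
        if m:
            reply_ips.append(m.group("ip"))
    return {"calls": calls, "missing_pool": missing_pool, "reply_ips": reply_ips}


def modules_in_section(result, req, section):
    """Module names, in call order, that ran in `section` for request `req`."""
    return [mod for mod, _ in result["calls"][req][section]]


def findings(result, required_module="files"):
    """Human-readable observations; `required_module` (assumed: files) is the
    module expected to read the users file and so supply Pool-Name."""
    out = []
    for req in sorted(result["missing_pool"]):
        ran = modules_in_section(result, req, "authorize")
        if required_module in ran:
            out.append(f"request {req}: Pool-Name missing although '{required_module}' ran in authorize; modules seen: {ran}")
        else:
            out.append(f"request {req}: Pool-Name missing and '{required_module}' never ran in authorize; modules seen: {ran}")
    if PLACEHOLDER_IP in result["reply_ips"]:
        out.append(f"reply still carries Framed-IP-Address {PLACEHOLDER_IP}: no pool address was allocated")
    return out


if __name__ == "__main__":
    for line in findings(analyse_trace(SAMPLE_TRACE)):
        print(line)
```

To use it on a live server, capture the debug output (for example `radiusd -X 2>&1 | tee trace.log`) and pass the file's contents to `analyse_trace`; the regexes match the `modcall` line format shown in the post, so a different FreeRADIUS release may need them adjusted.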
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html