No, it's not multihomed, but on a lark I tried it anyway (since there are two network cards in it, but one isn't used). It still doesn't work.
> Is the server multihomed?
> It often happens that the server will receive a request on one IP address
> and send out a reply using a different address with a multihomed system.
>
> If your system has multiple IP addresses, you can set "bind_address" to the
> one you want to use.
>
> Cheers
> Paul
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of Ernie Dunbar
> Sent: Fri 11/3/2006 2:02 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Server logs say users authenticate, but they don't (Now with more
> details!)
>
> This isn't a duplicate, I've just included more information about our
> configuration.
>
> We have a Cisco AS5300 for our dialup pool. It is able to log into our new
> FreeRadius server and make authentication requests, but users are not able
> to authenticate.
>
> It's very strange, because FreeRadius produces logs like this:
>
> Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client
> dialup port 8)
>
> But the client gets "Error 691: Your username or password are incorrect".
>
> I can tell that it's authenticating properly, because when a user gets
> their password wrong, I see this instead:
>
> Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
> client dialup port 13)
> Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
> client dialup port 13)
>
> We're using FreeRadius' mysql support for authentication, and I'm
> absolutely positive that part is working fine. It even creates accounting
> data in the database.
>
> This is what we have in the users file:
>
> DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1
>     Framed-Protocol = PPP,
>     Framed-Compression = Van-Jacobson-TCP-IP
>
> and this is what radiusd.conf looks like without the comments:
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/freeradius
> log_file = ${logdir}/radius.log
> libdir = /usr/lib/freeradius
> pidfile = ${run_dir}/freeradius.pid
>
> user = freerad
> group = freerad
>
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 256
> bind_address = *
> port = 0
>
> hostname_lookups = no
> allow_core_dumps = no
>
> regular_expressions = yes
> extended_expressions = yes
>
> log_stripped_names = yes
> log_auth = yes
> log_auth_badpass = yes
> log_auth_goodpass = yes
>
> usercollide = no
>
> lower_user = no
> lower_pass = no
>
> nospace_user = after
> nospace_pass = after
>
> checkrad = ${sbindir}/checkrad
>
> security {
>     max_attributes = 200
>     reject_delay = 1
>     status_server = no
> }
>
> proxy_requests = off
> $INCLUDE ${confdir}/proxy.conf
>
> # proxy.conf has:
> # realm LOCAL {
> #     type = radius
> #     authhost = LOCAL
> #     accthost = LOCAL
> #}
>
> $INCLUDE ${confdir}/clients.conf
>
> # clients.conf has:
> # client XXX.XXX.XXX.XXX {
> #     secret = XXXXXX
> #     nastype = cisco
> #     shortname = dialup
> #}
>
> $INCLUDE ${confdir}/snmp.conf
>
> # snmp.conf has nothing.
>
> snmp = no
>
> thread pool {
>     start_servers = 5
>     max_servers = 32
>     min_spare_servers = 3
>     max_spare_servers = 10
>     max_requests_per_server = 0
> }
>
> modules {
>     pap {
>         encryption_scheme = crypt
>     }
>
>     chap {
>         authtype = CHAP
>     }
>
>     pam {
>         pam_auth = radiusd
>     }
>
>     unix {
>         cache = no
>         cache_reload = 600
>         shadow = /etc/shadow
>         radwtmp = ${logdir}/radwtmp
>     }
>
>     $INCLUDE ${confdir}/eap.conf
>
>     # eap.conf has:
>     # eap {
>     #     default_eap_type = md5
>     #     timer_expire = 60
>     #     ignore_unknown_eap_types = no
>     #     cisco_accounting_username_bug = no
>     #
>     #     md5 {
>     #     }
>     #
>     #     leap {
>     #     }
>     #
>     #     gtc {
>     #         auth_type = PAP
>     #     }
>     #
>     #     mschapv2 {
>     #     }
>     # }
>
>     mschap {
>         authtype = MS-CHAP
>     }
>
>     realm suffix {
>         format = suffix
>         delimiter = "@"
>         ignore_default = no
>         ignore_null = no
>     }
>
>     checkval {
>         item-name = Calling-Station-Id
>         check-name = Calling-Station-Id
>         data-type = string
>     }
>
>     preprocess {
>         huntgroups = ${confdir}/huntgroups
>         hints = ${confdir}/hints
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>         with_ntdomain_hack = no
>         with_specialix_jetstream_hack = no
>         with_cisco_vsa_hack = no
>     }
>
>     files {
>         usersfile = ${confdir}/users
>         acctusersfile = ${confdir}/acct_users
>         compat = no
>     }
>
>     detail {
>         detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>         detailperm = 0600
>     }
>
>     acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
>     }
>
>     $INCLUDE ${confdir}/sql.conf
>
> # sql.conf has:
> #
> #sql {
> #
> # driver = "rlm_sql_mysql"
> # server = "localhost"
> # login = "XXXXXX"
> # radius_db = "XXXXXX"
> # password = "XXXXXX"
> # acct_table1 = "radacct"
> # acct_table2 = "radacct"
> # postauth_table = "radpostauth"
> # authcheck_table = "radcheck"
> # authreply_table = "radreply"
> # groupcheck_table = "radgroupcheck"
> # groupreply_table = "radgroupreply"
> # usergroup_table = "usergroup"
> # deletestalesessions = yes
> # sqltrace = yes
> # sqltracefile = /var/log/freeradius/sqltrace.sql
> # num_sql_socks = 5
> # connect_failure_retry_delay = 60
> # safe-characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> # sql_user_name = "%{User-Name}"
> #
> # authorize_check_query = "SELECT id,UserName,Attribute,Value,op
> FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> # authorize_reply_query = "SELECT id,UserName,Attribute,Value,op
> FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> # authorize_group_check_query = "SELECT
> ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op
> FROM ${groupcheck_table},${usergroup_table} WHERE
> ${usergroup_table}.Username = '%{SQL-User-Name}' AND
> ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY
> ${groupcheck_table}.id"
> # authorize_group_reply_query = "SELECT
> ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
> FROM ${groupreply_table},${usergroup_table} WHERE
> ${usergroup_table}.Username = '%{SQL-User-Name}' AND
> ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY
> ${groupreply_table}.id"
> # accounting_onoff_query = "UPDATE ${acct_table1} SET
> AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') -
> unix_timestamp(AcctStartTime),
> AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
> NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
> #
> # accounting_update_query = "UPDATE ${acct_table1} \
> # SET FramedIPAddress = '%{Framed-IP-Address}', \
> # AcctSessionTime = '%{Acct-Session-Time}', \
> # AcctInputOctets = '%{Acct-Input-Octets}', \
> # AcctOutputOctets = '%{Acct-Output-Octets}' \
> # WHERE AcctSessionId = '%{Acct-Session-Id}' \
> # AND UserName = '%{SQL-User-Name}' \
> # AND NASIPAddress= '%{NAS-IP-Address}'"
> #
> # accounting_update_query_alt = "INSERT into ${acct_table1}
> (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId,
> CallingStationId, ServiceType, FramedProtocol, FramedIPAddress,
> AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
> %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}',
> '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}',
> '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
> '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
> # accounting_start_query = "INSERT into ${acct_table1}
> (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
> '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
> # accounting_start_query_alt = "UPDATE ${acct_table1} SET
> AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}',
> ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId =
> '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress =
> '%{NAS-IP-Address}'"
> # accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime =
> '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
> '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
> AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
> AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
> NASIPAddress = '%{NAS-IP-Address}'"
> # accounting_stop_query_alt = "INSERT into ${acct_table2}
> (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
> %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',
> '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
> '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
> '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
> # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE
> UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
> # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
> NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
> FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime =
> 0"
> # group_membership_query = "SELECT GroupName FROM
> ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
> # postauth_query = "INSERT into ${postauth_table} (id, user, pass,
> reply, date) values ('', '%{User-Name}',
> '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
> #
> #}
>
>     radutmp {
>         filename = ${logdir}/radutmp
>         username = %{User-Name}
>         case_sensitive = yes
>         check_with_nas = yes
>         perm = 0600
>         callerid = "yes"
>     }
>
>     radutmp sradutmp {
>         filename = ${logdir}/sradutmp
>         perm = 0644
>         callerid = "no"
>     }
>
>     attr_filter {
>         attrsfile = ${confdir}/attrs
>     }
>
>     counter daily {
>         filename = ${raddbdir}/db.daily
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
>     }
>
>     always fail {
>         rcode = fail
>     }
>
>     always reject {
>         rcode = reject
>     }
>
>     always ok {
>         rcode = ok
>         simulcount = 0
>         mpp = no
>     }
>
>     expr {
>     }
>
>     digest {
>     }
>
>     exec {
>         wait = yes
>         input_pairs = request
>     }
>
>     exec echo {
>         wait = yes
>         program = "/bin/echo %{User-Name}"
>         input_pairs = request
>         output_pairs = reply
>     }
>
>     ippool main_pool {
>         range-start = 192.168.1.1
>         range-stop = 192.168.3.254
>         netmask = 255.255.255.0
>         cache-size = 800
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = no
>         maximum-timeout = 0
>     }
> }
>
> instantiate {
>     exec
>     expr
> }
>
> authorize {
>     preprocess
>     sql
> }
>
>
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>
>     Auth-Type CHAP {
>         chap
>     }
>
>     Auth-Type MS-CHAP {
>         mschap
>     }
> }
>
>
> preacct {
>     preprocess
>     suffix
> }
>
> accounting {
>     detail
>     radutmp
>     sql
> }
>
> session {
>     sql
> }
>
> post-auth {
> }
>
> pre-proxy {
> }
>
> post-proxy {
>     eap
> }
>
> ## END OF CONFIG ##
>
> If you've actually gotten this far, I salute you. :)
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
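
Added example (not part of the original thread): the reply-source behaviour described in the quoted reply, reproduced with plain UDP sockets on Linux loopback, where every 127.0.0.0/8 address is local. The addresses are constructed stand-ins (127.0.0.2 for the server address the NAS queries, 127.0.0.1 for the NAS), and the rule that the NAS accepts a reply only from the address it queried is an assumption.

```python
import socket

SERVER_IP = "127.0.0.2"  # constructed: the server address the NAS is configured to query
NAS_IP = "127.0.0.1"     # constructed: the NAS's own address


def reply_source(bind_address):
    """Send one datagram from the NAS to SERVER_IP and return the source IP
    of the reply when the server socket is bound to bind_address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as nas:
        srv.settimeout(2)
        nas.settimeout(2)
        srv.bind((bind_address, 0))           # port 0: let the kernel pick a free port
        port = srv.getsockname()[1]
        nas.bind((NAS_IP, 0))
        nas.sendto(b"request", (SERVER_IP, port))
        _, peer = srv.recvfrom(4096)          # arrives on SERVER_IP in both cases
        srv.sendto(b"reply", peer)            # source address depends on the bind
        _, src = nas.recvfrom(4096)
        return src[0]


def nas_accepts(bind_address):
    """Assumed NAS rule: accept a reply only from the address that was queried."""
    return reply_source(bind_address) == SERVER_IP


if __name__ == "__main__":
    # "0.0.0.0" plays the role of bind_address = *; the second case is an explicit bind.
    for bind in ("0.0.0.0", SERVER_IP):
        print(f"server bound to {bind:<9} -> reply comes from {reply_source(bind)}, "
              f"accepted by NAS: {nas_accepts(bind)}")
```

With the wildcard bind the kernel chooses the reply's source address from its route back to the NAS, so it need not be the address the request arrived on; binding to one address pins it.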