RE: Weird issue regarding authentication...

2003-12-08 Thread m0bius

> If you run the queries printed in debug output, what do you get
> returned?
> Note to login to mysql as the same user that Radius uses ala:
> mysql -u RADIUS_USER -p DBNAME

The weird thing is that exactly the *same* database worked!! Check them
out.

> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = 'mobius' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 1

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'mobius' ORDER BY id;

+-----+----------+---------------+-------+----+
| id  | UserName | Attribute     | Value | op |
+-----+----------+---------------+-------+----+
| 931 | mobius   | User-Password | mperf | := |
+-----+----------+---------------+-------+----+
1 row in set (0.00 sec)

> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
> radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'mobius' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id'

mysql> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'mobius' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id;

+----+-----------+------------------+-----------+----+
| id | GroupName | Attribute        | Value     | op |
+----+-----------+------------------+-----------+----+
| 11 | PSTN      | Auth-Type        | Local     | := |
| 22 | PSTN      | Pool-Name        | main_pool | =  |
| 29 | PSTN      | Simultaneous-Use | 1         | =  |
+----+-----------+------------------+-----------+----+
3 rows in set (0.01 sec)

> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> Username = 'mobius' ORDER BY id'

mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
UserName = "mobius" ORDER BY id;
Empty set (0.00 sec)

** Note: I don't believe this to be a mistake, since most if not all the
users don't have separate settings of their own but they get theirs from
radgroupreply.

> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,
> radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'mobius' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY radgroupreply.id'

mysql> SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,
radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'mobius' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id;

+----+-----------+--------------------+---------------------+----+
| id | GroupName | Attribute          | Value               | op |
+----+-----------+--------------------+---------------------+----+
| 10 | PSTN      | Framed-Protocol    | PPP                 | =  |
| 11 | PSTN      | Framed-IP-Address  | 255.255.255.254     | =  |
| 12 | PSTN      | Framed-IP-Netmask  | 255.255.255.255     | =  |
| 13 | PSTN      | Framed-MTU         | 1500                | =  |
| 14 | PSTN      | Framed-Compression | Van-Jacobson-TCP-IP | =  |
| 15 | PSTN      | Idle-Timeout       | 600                 | =  |
| 44 | PSTN      | NAS-Port-Type      | Async               | =  |
| 53 | PSTN      | Port-Limit         | 1                   | =  |
| 54 | PSTN      | Service-Type       | Framed-User         | =  |
+----+-----------+--------------------+---------------------+----+
9 rows in set (0.00 sec)

This is pretty much it. I tried messing around with rlm_sql.c enabling
the extra DEBUG2 messages but I am still searching... But after so many
hours I am missing half of what I am reading :-)

Regards,
m0bius



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Weird issue regarding authentication...

2003-12-08 Thread m0bius


Hello people,

I had a pretty good working configuration for the past month using
FreeRadius with mySQL and Dialup Admin. However yesterday we had an
enormous power failure and after some hours of running on the UPS the
radius server was down. Today in the morning, however, the server was up
and running successfully. However at some point while I was tampering
with some vendor specific attributes for our Lucents, hell broke loose.

From that point on I can not seem to get any user authenticated. I am
constantly getting the error: rlm_sql (sql): No matching entry in the
database for request from user [exuser]. I should point out that the
database seems intact (actually the sql queries done by radius are
repeated by me successfully) and all tables and contents exist.

I've tried everything from reconfiguration, to fresh installation of
radius on a new linux box. It seems like it cannot get the group the
user exists in and authenticate him. A failed connection follows as shown
by radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=224,
length=53
Service-Type = Framed-User
User-Name = "mobius"
CHAP-Password = 0xe014cf9e7f9ea7ef95ea57eb50b9709dd1
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20031208'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20031208
  modcall[authorize]: module "auth_log" returns ok for request 8
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "mobius", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "mobius"
rlm_realm: Proxying request from user mobius to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 8
radius_xlat:  'mobius'
rlm_sql (sql): sql_set_user escaped user --> 'mobius'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'mobius' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'mobius' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'mobius' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'mobius' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user
[mobius]
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns notfound for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
There was no response configured: rejecting request 8
Server rejecting request 8.
Finished request 8

I am running FreeRadius 0.9.3. *Please* people if anyone can help do so,
because I've spent 10 hours on this thing and I am on the edge...


Regards,
m0bius

P.S. Please note that the configuration used in this radiusd previously
worked!!
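To see what the four rlm_sql authorize queries in the radiusd -X output above actually hand back, and how the rows from the mysql> sessions in the reply further up become check and reply items, here is an added Python example (not from the original posts or from FreeRADIUS itself). It loads those rows into an in-memory SQLite database, runs the same queries, and merges the results with the ':=' / '=' operator semantics; the table layout is the one implied by the queries, and the 'found' condition is a simplified model of the module's "No matching entry" result.

```python
"""Replay the rlm_sql authorize queries from the radiusd -X output against an
in-memory SQLite copy of the tables, and fold the rows into check/reply items."""
import sqlite3

# Constructed sample data: the rows printed by the mysql> sessions in the reply.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE radreply      (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
INSERT INTO radcheck VALUES (931, 'mobius', 'User-Password', 'mperf', ':=');
INSERT INTO usergroup VALUES ('mobius', 'PSTN');
INSERT INTO radgroupcheck VALUES
  (11, 'PSTN', 'Auth-Type', 'Local', ':='), (22, 'PSTN', 'Pool-Name', 'main_pool', '='),
  (29, 'PSTN', 'Simultaneous-Use', '1', '=');
INSERT INTO radgroupreply VALUES
  (10, 'PSTN', 'Framed-Protocol', 'PPP', '='), (11, 'PSTN', 'Framed-IP-Address', '255.255.255.254', '='),
  (12, 'PSTN', 'Framed-IP-Netmask', '255.255.255.255', '='), (13, 'PSTN', 'Framed-MTU', '1500', '='),
  (14, 'PSTN', 'Framed-Compression', 'Van-Jacobson-TCP-IP', '='), (15, 'PSTN', 'Idle-Timeout', '600', '='),
  (44, 'PSTN', 'NAS-Port-Type', 'Async', '='), (53, 'PSTN', 'Port-Limit', '1', '='),
  (54, 'PSTN', 'Service-Type', 'Framed-User', '=');
"""

# Query shapes from the debug output. rlm_sql splices the escaped user name into
# the SQL text ('%{SQL-User-Name}'); here it is bound as a parameter instead.
USER_Q = "SELECT id,UserName,Attribute,Value,op FROM {t} WHERE UserName = ? ORDER BY id"
GROUP_Q = ("SELECT {t}.id,{t}.GroupName,{t}.Attribute,{t}.Value,{t}.op "
           "FROM {t},usergroup WHERE usergroup.UserName = ? "
           "AND usergroup.GroupName = {t}.GroupName ORDER BY {t}.id")


def merge(items, attr, op, value):
    """Fold one row into an ordered list of (attr, op, value) triples.
    ':=' sets the attribute, replacing any earlier value; '=' adds it only
    if absent; other operators (==, <, > ...) are comparisons and are kept."""
    idx = next((i for i, (a, _, _) in enumerate(items) if a == attr), None)
    if op == ':=' and idx is not None:
        items[idx] = (attr, op, value)
    elif op == '=' and idx is not None:
        pass  # already present: '=' never overrides
    else:
        items.append((attr, op, value))
    return items


def open_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    return conn


def authorize(conn, user):
    """Simplified model of rlm_sql's authorize pass: user rows first, then group
    rows, for check and for reply. 'found' is False only when all four result
    sets are empty (the condition behind 'No matching entry in the database')."""
    rows = {t: conn.execute(USER_Q.format(t=t), (user,)).fetchall()
            for t in ('radcheck', 'radreply')}
    rows.update({t: conn.execute(GROUP_Q.format(t=t), (user,)).fetchall()
                 for t in ('radgroupcheck', 'radgroupreply')})
    check, reply = [], []
    for t in ('radcheck', 'radgroupcheck'):
        for _id, _owner, attr, value, op in rows[t]:
            merge(check, attr, op, value)
    for t in ('radreply', 'radgroupreply'):
        for _id, _owner, attr, value, op in rows[t]:
            merge(reply, attr, op, value)
    return any(rows.values()), check, reply
```

Running `authorize(open_db(), 'mobius')` yields four check items (User-Password, Auth-Type, Pool-Name, Simultaneous-Use) and the nine PSTN reply items, so on this data the module's lookup has rows to work with.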






RE: IP Pool Unused IPs deallocation?

2003-12-04 Thread m0bius
> > > On the other hand: why not just let the MAX distribute the IPs?
> > > make a pools-NAS-NAME entry which assigns your pools to the NAS and
> > > choose the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I
> > > have about a dozen MAX 2000/4000/6000/TNT with this setup).
> > 
> > So let me see if I get this straight. I should create something
> > like:
> > 
> > pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

> No.

> Example (makes three pools on nas1 and has 3 test users which each get
> an ip from a different pool):

> pools-nas1    Auth-Type := Local, User-Password == "ascend"
>   Service-Type = Outbound-User,
>   Ascend-IP-Pool-Definition = "1 10.10.10.1 126",
>   Ascend-IP-Pool-Definition = "2 10.10.20.1 126",
>   Ascend-IP-Pool-Definition = "3 10.10.30.1 126"

> user1 Auth-Type := Local, User-Password == "test1"
>   Service-Type = Framed,
>   Framed-Protocol = MPP,
>   Ascend-Maximum-Channels = 2,
>   Ascend-Assign-IP-Pool = 1,
>   Ascend-Idle-Limit = 3600,
>   Ascend-Client-Primary-DNS = 10.1.1.1,
>   Ascend-Client-Secondary-DNS = 10.2.1.1,
>   Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
> user2 Auth-Type := Local, User-Password == "test2"
>   Service-Type = Framed,
>   Framed-Protocol = MPP,
>   Ascend-Maximum-Channels = 2,
>   Ascend-Assign-IP-Pool = 2,
>   Ascend-Idle-Limit = 3600,
>   Ascend-Client-Primary-DNS = 10.1.1.1,
>   Ascend-Client-Secondary-DNS = 10.2.1.1,
>   Ascend-Client-Assign-DNS = DNS-Assign-Yes

> user3 Auth-Type := Local, User-Password == "test3"
>   Service-Type = Framed,
>   Framed-Protocol = MPP,
>   Ascend-Maximum-Channels = 2,
>   Ascend-Assign-IP-Pool = 3,
>   Ascend-Idle-Limit = 3600,
>   Ascend-Client-Primary-DNS = 10.1.1.1,
>   Ascend-Client-Secondary-DNS = 10.2.1.1,
>   Ascend-Client-Assign-DNS = DNS-Assign-Yes

> This works well with fallback defaults / sql group replies.

I see. I will forward these changes to see whether the problems are
totally solved and let you know of the outcome. This whole issue with the
IP Pools has been in my mind since I first started working along with
Radius.

> > I don't know if I understood exactly what you mean. I've never
> > worked with ascend before. If however it's pretty much the above has this
> > anything to do with the countless auth requests regarding
> > pools-nas1/ascend I receive or have I screwed everything badly? :-)

> Oh, missed that paragraph...

> Yep. pool defs must go to the pools user of the nas. As soon as the
> max powers up, it asks for its pools. If it gets a user reply which has
> an unknown pool, it should ask again.

Another helpful tip. Browsing the archives this subject had been
mentioned before but the answer was simply to put this user in
Service-Type = REJECT to avoid the logging of these connections. Let
alone the manuals of the NAS equipment have been lost through the
centuries making my life much more difficult :-)

> I don't trust freeradius to assign IP addresses, cause the NAS is the
> one who knows if a session is there or if it is not. There is no real
> point in letting the radius assign ip addresses if your NAS equipment
> can do it. And if you are changing pools often, this is also no
> problem if you're running some sort of dynamic routing protocol, cause
> the nas will announce its learned pools via this way...

Well you may actually be correct but from what I have read during the
past months some NAS equipment didn't have any problems with the ip
management via the radius server so I thought this should be a most
applicable method to setup radius.

> Oliver.

Thank you very much for all your help.

Regards, 
Paris






RE: IP Pool Unused IPs deallocation?

2003-12-04 Thread m0bius

> > DEFAULT Service-Type == Framed-User,  Pool-Name := "main_pool"
> > Framed-MTU = 1500,
> > Service-Type = Framed-User,
> > Fall-Through = 1,
> > Ascend-IP-Pool-Definition = "1 111.222.333.97 93"

> As far as I understand, an Ascend-Pool def is not needed in the
> described setup. If the radius assigns IPs, the MAX does not need a
> pool, just route the IPs to it.

Actually Ascend-IP-Pool-Definition has been there since my early tests
and hasn't been removed by a mistake.

> On the other hand: why not just let the MAX distribute the IPs? make a
> pools-NAS-NAME entry which assigns your pools to the NAS and choose
> the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> about a dozen MAX 2000/4000/6000/TNT with this setup).

So let me see if I get this straight. I should create something like:

pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

I don't know if I understood exactly what you mean. I've never worked
with ascend before. If however it's pretty much the above has this
anything to do with the countless auth requests regarding
pools-nas1/ascend I receive or have I screwed everything badly? :-)

> Oliver.


Regards,
Paris






IP Pool Unused IPs deallocation?

2003-12-03 Thread m0bius

Hi there,


For once more I seem to be having a slight problem with
FreeRadius. Mostly during times of high connectivity from the dialup
users, some users connect normally but only a few seconds later the
link fails and they get an error for redialing without any reason.

I've noticed a few strange things while searching for this... First of
all, while I get a Login OK line on radiusd.log there is absolutely
nothing passed to radacct, obviously, since the dialup admin does not show
the connection attempt (by comparing the time of the last successful
connections).

I have the following IP Pool configuration:

ippool main_pool {
   range-start = 111.222.333.97
   range-stop = 111.222.333.189
   netmask = 255.255.255.0
   cache-size = 93
   session-db = ${raddbdir}/db.ippool
   ip-index = ${raddbdir}/db.ipindex
   override = yes
}

And also something like:

DEFAULT Service-Type == Framed-User,  Pool-Name := "main_pool"
Framed-MTU = 1500,
Service-Type = Framed-User,
Fall-Through = 1,
Ascend-IP-Pool-Definition = "1 111.222.333.97 93"

So I've noticed the following. While running radiusd in debug mode the
rlm_ippool seems to assign ips correctly. However I've noticed that the
ips in the db.* files do not seem to be freed on Accounting Stop. For
example at this very moment radwho | wc -l returns a value of 12 while
rlm_ippool_tool -c db.ippool db.ipindex returns 62. Shouldn't the ips
not used anymore become free or am I missing something more vital?

I can't seem to determine what is going on. I fear that there may be a
problem regarding the Ascend Lucent Max 6000 we are using that causes
the disconnections, since by reading past threads it seems that the
Ascend Maxes do not always work as they should. But since the
configurations are enormous I would like to make sure that the radius is
configured properly so that I could focus on the Nases.

Anyway I would be most grateful for any hints given that could finally
finish the radius issue for me once and for good :-)

Regards,
Paris Stamatopoulos






IP Pools Error?

2003-11-07 Thread m0bius

Hi there,

I seem to be having a strange error occurring during the past few days
that I think has something to do with the IP Pools Management. We use
two Ascend Lucent MAX 3000 NAS (the one with one PRI while the second
carries two). The problem occurs while there are more than 50 dialup
users in which case the users can't connect and get an error type 738:
Server did not assign an IP address... 

I've enabled ippools in radius.conf with the correct start and stop
values and added the main_pool in the accounting and post-auth section
as mentioned. However the weird thing is that I don't seem to have any
logs via the radius of the unsuccessful attempts (either via the
detail/reply logs or the dialup admin) and I can't trace the problem by
debugging mode since the error doesn't happen all the times. It would
look like the nases are blocking the connections.

I believe that it has something to do with the NASes but the strange
thing is that while using the Cistron radius server no such issue had
been observed. 

Also I observed that the nases with each authentication attempt send a
radius packet for a pools-nas1, pools-nas2 connection which I can't
really figure out which purpose they have. 

Anyway, I hope someone would be willing to give me a hand cause I am
pretty confused..

Regards
Paris 




Issue regarding radius logs & dialup admin

2003-10-24 Thread m0bius

Greetings,

I have just replaced my old radius server with FreeRadius & dialup
admin. The authorization works perfectly and everyone can log in, but
I can't see any statistics about the persons that are logged in.
The Statistics page of the dialup admin returns the correct number of
sessions but no information regarding the total usage time and the
downloads. The Failed logins page is working as it should. The
accounting page only returns information about failed logins while the
page for each user does not return any statistics apart from the failed
connection attempts. (For example, it returns that the user has never
logged in even though he is currently online.) Same for User Statistics
that return nothing.

The radius.conf contains the following:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid


user = radius
group = radius

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes

log_stripped_names = no
log_auth = yes

log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no
lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp = yes
$INCLUDE  ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = clear
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
        leap {
        }
    }

    mschap {
        authtype = MS-CHAP
    }

    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    realm realmslash {
        format = prefix
        delimiter = "/"
    }

    realm suffix {
        format = suffix
        delimiter = "@"
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }

    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }

    $INCLUDE  ${confdir}/sql.conf

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }

    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily

So let me get this right...

2003-10-21 Thread m0bius

Hello once more,

Well after a few attempts I've made the FreeRadius to work more or less.
Both PSTN and ISDN 64 & 128K are working. Tell me however if I get the
following correct.

In order to get the logs through the radacct table and view them by the
dialup admin I should have enabled the following logging facilities on
the radiusd.conf log_yser = yes, log_auth_badpass = yes,
log_auth_goodpass = yes, auth_log, and the detail auth_log sections.
Then I should execute some or most of the programs on the
/usr/local/dialup_admin/bin in order to pass them to radacct? 

I am a bit confused on this issue.

Well, thanks in advance and sorry if this question is as stupid as I
think it is :-)

Regards,
Paris




RE: FreeRadius On a Lucent NAS

2003-10-20 Thread m0bius
> Manoj Reddy wrote:

> y don't u check ur server, hosting RADIUS for ports on
> which it is listening. there might a possible mismatch
> of ports on which ur server is listening and the ports
> on which ur NAS is operating for RADIUS Connections.
> check it out once and let me know the results.


Both you and Alan Dekok were actually quite right. Foolish mistake :-)
Thanks a lot

Btw has anyone figured anything out regarding the snmpfinger issue I
mentioned on my previous e-mail? Is opening the finger daemon on the NAS
the only way?


Regards
Paris





FreeRadius On a Lucent NAS

2003-10-19 Thread m0bius

Hello there,

I am doing an upgrade on the radius server, and I've decided to switch
from Cistron Radius Server to FreeRadius. I have set FreeRadius to use
mySQL and I've transformed the users file to the database format. I
believe that I have configured freeradius enough to work fine. (radtest
and radclient work as expected) However I've encountered some issues.

1st) The first time I tried to see if our Lucent NAS worked well with
the freeradius (clients.conf has been properly set, with all the correct
ip's and passwords) and running radiusd on debug mode (-X) I never saw a
single connection from the NASes. It's kinda confusing since if the
password was incorrect I would probably see a message. I believe that it
is a Lucent issue but the weird thing is that it previously worked just
fine with the Cistron Radius (I've not changed anything on the NASes).
Could anyone know if there is anything that should be taken into
consideration regarding the configuration of the nas?

2nd) I've set the dialup admin pretty well and it seems to work (Check
Server and each Test User works as expected) however I don't seem to see
the online users on the nas. I've set as fingering method snmp. I've
tried running snmpfinger manually to see that it didn't work giving out
errors. Mostly this was because of the different version of the snmpwalk
I have installed on the system. (I use net-snmp latest version). I've
edited snmpfinger for snmpwalk to work well, however now when I manually
execute it I never get anything back... I don't want to use radacct for
such purposes and I am most confused on what is going on. (Shouldn't
snmpfinger return something back? Please note that when I do something
like: snmpwalk -c community host -v 1 system I get a response from the
nas)

3rd) The nases are supposed to serve both dialup PSTN and ISDN 64k and
128k at the same time. I've included the NAS-Port-Type on the dictionary
and the dialup admin user_edit.attr file, however, while in Cistron the
difference between PSTN, ISDN 64k, ISDN 128K was something like:

PSTN:
NAS-Port-Type = Async
Simultaneous-Use = 1

ISDN 64
Simultaneous-Use = 1

ISDN 128
Simultaneous-Use = 2

I've been searching the documentation and saw something like:
NAS-Port-Type = ISDN. Would such a thing work as well?


Btw I should mention that the Cistron Radius was not set by me and the
people do not know how or why it was done this way back then. Well it's
pretty much about that. I am sorry about the extended mail

Really looking forward for any help available

Regards
Paris 

