RE: Access-Reject has no Reply-Message (2nd try)

2003-10-20 Thread Paul Hampson
> From: 野村 建
> Sent: Monday, 20 October 2003 6:35 PM

> I want my freeradius server to send an Access-Reject packet with Reply-Message
> in it, so that the NAS can alert the user when authentication fails. But it's
> not working so far.
> When authentication succeeds, my freeradius server sends an Access-Accept
> packet with Reply-Message in it. But when authentication fails, it sends an
> Access-Reject packet with no Reply-Message in it.

> So my question is why my freeradius doesn't include Reply-Message in the
> Access-Reject packet, and how can I fix this problem?

> ---users
> [EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-address = 192.168.200.1,
>         Framed-IP-Netmask = 255.255.255.0,
>         Session-Timeout = 30,
>         Reply-Message="111",
>         Reply-Message="222",
>         Reply-Message="333",
> 

As you've observed, this will only add a Reply-Message if the authentication
succeeds, in the same way as it will only give an IP address or Session-Timeout
if it succeeds.

As for how to send a Reply-Message on failure, I dunno off hand. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
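Paul's point, that the reply items of a users-file entry only go out when that entry's check items matched, is easier to see with a small model. What follows is an added example written for this thread, not FreeRADIUS code and not anything Paul or the original poster wrote: a parser for the entry format shown above (first line: name plus check items; indented lines: reply items) and a deliberately simplified matching model (only the `==` and `:=` operators, first match wins, no Fall-Through). The user name `alice`, the catch-all `DEFAULT ... Auth-Type := Reject` entry and its "Login failed" text are assumptions constructed for the demonstration. That DEFAULT entry has the same shape the stock users file uses to reject disabled accounts with a message; whether a particular release keeps those reply items in the Access-Reject on the wire is something to confirm with radiusd -X rather than take from this model.

```python
import re
from dataclasses import dataclass, field

# One item: Attribute <op> value, optionally followed by a comma.  Values are
# double-quoted (with backslash escapes) or a bare token without commas.
ITEM_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?\s*')


@dataclass
class Entry:
    name: str                                    # User-Name to match, or DEFAULT
    checks: list = field(default_factory=list)   # (attr, op, value) from the first line
    replies: list = field(default_factory=list)  # (attr, op, value) from indented lines


def parse_items(text):
    """Split 'A := x, B == "y"' into (attr, op, value) tuples."""
    text, pos, items = text.strip(), 0, []
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError("cannot parse item list at: %r" % text[pos:])
        attr, op, value = m.groups()
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        items.append((attr, op, value))
        pos = m.end()
    return items


def parse_users(text):
    """Entries start in column 0 (name + check items); indented lines hold
    the reply items of the entry above them."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1].replies.extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            entries.append(Entry(parts[0], parse_items(parts[1] if len(parts) > 1 else "")))
    return entries


def match_entry(entries, request):
    """First entry whose check items all hold, as (control, reply), else None.
    Model rules (a simplification, not the server's full comparison code):
    '==' items are compared with the request, ':=' items in the check list
    are control items such as Auth-Type, first match wins, no Fall-Through."""
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        control, ok = {}, True
        for attr, op, value in e.checks:
            if op == ":=":
                control[attr] = value
            elif op == "==":
                ok = request.get(attr) == value
                if not ok:
                    break
            else:
                raise ValueError("'%s' is not a check-item operator in this model" % op)
        if ok:
            return control, [(attr, value) for attr, _, value in e.replies]
    return None


def decide(entries, request):
    """('Accept' | 'Reject', reply items).  No matching entry means nothing
    ever added reply items, so the Reject is empty; an entry that matched
    with Auth-Type := Reject keeps its own reply items."""
    m = match_entry(entries, request)
    if m is None:
        return "Reject", []
    control, reply = m
    if control.get("Auth-Type") == "Reject":
        return "Reject", reply
    return "Accept", reply


# Constructed users file: the entry from the thread (name replaced by "alice")
# followed by a catch-all that rejects everyone else with a message.
USERS_WITH_DEFAULT = '''\
alice Auth-Type := Local, User-Password == "secret"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-IP-Address = 192.168.200.1,
\tFramed-IP-Netmask = 255.255.255.0,
\tSession-Timeout = 30,
\tReply-Message = "111",
\tReply-Message = "222",
\tReply-Message = "333"

DEFAULT Auth-Type := Reject
\tReply-Message = "Login failed"
'''
USERS_WITHOUT_DEFAULT = USERS_WITH_DEFAULT.split("\nDEFAULT")[0]


def outcome(users_text, user, password):
    request = {"User-Name": user, "User-Password": password}
    return decide(parse_users(users_text), request)


if __name__ == "__main__":
    for text in (USERS_WITHOUT_DEFAULT, USERS_WITH_DEFAULT):
        for pw in ("secret", "wrong"):
            print(pw, outcome(text, "alice", pw))
```

With only the posted entry, a wrong password fails the `User-Password ==` check item, so no entry matches and the Reject goes out with nothing attached, which is exactly the behaviour in the question. Adding the catch-all entry after it is what gives the Reject a message, and because that entry matches any user it also answers for names that do not exist, so the text should not reveal which of the two cases applied.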

Access-Reject has no Reply-Message (2nd try)

2003-10-20 Thread 野村 建
Sorry, this may annoy some of you.
Some people pointed out that I didn't put enough information in my last
mail, so I am sending this mail again with the information required by the FAQ.

I want my freeradius server to send an Access-Reject packet with Reply-Message
in it, so that the NAS can alert the user when authentication fails. But it's
not working so far.
When authentication succeeds, my freeradius server sends an Access-Accept
packet with Reply-Message in it. But when authentication fails, it sends an
Access-Reject packet with no Reply-Message in it.

So my question is why my freeradius doesn't include Reply-Message in the
Access-Reject packet, and how can I fix this problem?

Attached logs are:
1) relevant portion of users
2) debugging output of 'radiusd -X'
   (I have sent 2 Access-Request messages after radiusd boots up, one with
   the correct password and one with a wrong password.)
3) debugging output of 'radtest'
4) version of Linux and radiusd


---users
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-address = 192.168.200.1,
        Framed-IP-Netmask = 255.255.255.0,
        Session-Timeout = 30,
        Reply-Message="111",
        Reply-Message="222",
        Reply-Message="333",





---radiusd -X
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 0
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
  /* authentication request with correct password is received */
rad_recv: Access-Request packet from host 10.151.0.2:21645, id=77, length=85
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
   

Re: Access-Reject has no Reply-Message

2003-10-17 Thread Alan DeKok
野村 建 <[EMAIL PROTECTED]> wrote:
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contain
> Reply-Message in Access-Reject packet if Reply-Message is configured.

  Have you configured a Reply-Message?

> So my question is:
>  Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
> 
> I have attached some logs below.

  You attached 'radiusd.conf', not the output of 'radiusd -X', as
requested in the FAQ and README's.

  Alan DeKok.

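The RFC statement quoted above is correct: RFC 2865 section 5.18 lists Access-Reject among the packets in which Reply-Message may appear, and allows more than one per packet. What that looks like on the wire, and what a NAS should check before displaying such a message, is shown below. This is an added example written for this thread, not FreeRADIUS code: it builds the Access-Reject a server would send for the three messages in the posted users file, computes the Response Authenticator as RFC 2865 section 3 defines it (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret), and then plays the NAS side, verifying that authenticator before extracting the Reply-Message attributes. The shared secret `testing123`, the user name `alice` and the packet identifier are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18
HEADER_LEN, MAX_PACKET_LEN = 20, 4096
SECRET = b"testing123"   # constructed for the example; a real deployment needs a long random secret


def encode_attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, request_auth, user_name):
    """Minimal Access-Request carrying only User-Name.  The PAP-hidden
    User-Password (which also depends on request_auth) is left out on purpose."""
    body = encode_attr(ATTR_USER_NAME, user_name)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server side.  ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    length = HEADER_LEN + len(body)
    if length > MAX_PACKET_LEN:
        raise ValueError("RADIUS packets are at most %d octets" % MAX_PACKET_LEN)
    header = struct.pack("!BBH", code, ident, length)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_attrs(body):
    """Walk the TLV list, rejecting lengths that would run past the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_response(packet, request_auth, secret):
    """NAS side.  Check the Response Authenticator before trusting any attribute.
    Returns (code, ident, attrs) or raises ValueError for a forged or damaged packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field %d inconsistent with %d octets received" % (length, len(packet)))
    packet = packet[:length]                 # octets beyond Length are padding and are ignored
    body = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    return code, ident, parse_attrs(body)


def is_authentic(packet, request_auth, secret):
    try:
        verify_response(packet, request_auth, secret)
        return True
    except ValueError:
        return False


def reply_messages(attrs):
    """Every Reply-Message, in order: RFC 2865 allows more than one per packet."""
    return [value.decode("utf-8", "replace") for attr_type, value in attrs
            if attr_type == ATTR_REPLY_MESSAGE]


def reject_exchange(ident=77, request_auth=None, messages=("111", "222", "333")):
    """One round trip: NAS request, server Access-Reject with Reply-Messages,
    NAS verification.  Returns (request, reject, messages the NAS may display)."""
    if request_auth is None:
        request_auth = os.urandom(16)        # must be unpredictable for every request
    request = build_access_request(ident, request_auth, b"alice")
    reject = build_response(ACCESS_REJECT, ident, request_auth,
                            [encode_attr(ATTR_REPLY_MESSAGE, m.encode()) for m in messages],
                            SECRET)
    code, reply_id, attrs = verify_response(reject, request_auth, SECRET)
    if code != ACCESS_REJECT or reply_id != ident:
        raise ValueError("reply does not belong to this request")
    return request, reject, reply_messages(attrs)


if __name__ == "__main__":
    _, reject, shown = reject_exchange()
    print(reject.hex())
    print(shown)
```

Two things worth taking from this. Each Reply-Message is a separate attribute, so a NAS that displays only the first one will never show "222" or "333" no matter how the server is configured. And the only thing binding the reject text to the server is an MD5 over the shared secret; a NAS that skips the Response Authenticator check will display whatever a spoofed Access-Reject contains. The `security: reject_delay = 0` in the radiusd -X output above deserves a second look for the same reason the question does: a non-zero reject_delay makes the server hold each Access-Reject for that many seconds, which slows password guessing and only costs time for users who typed a wrong password.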


Re: Access-Reject has no Reply-Message

2003-10-17 Thread Thor Spruyt
- Original Message - 
From: "野村 建" <[EMAIL PROTECTED]>
> I want my freeradius to send an Access-Reject packet with Reply-Message in
> it,
>
> so that the NAS can alert the user in some fancy way when authentication fails.
> But, it's not working so far.
> When authentication succeeds, my freeradius sends an Access-Accept packet
> with Reply-Message in it, but this is not the way I want it to be.
>
> According to the RFC, an Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contains
> Reply-Message in the Access-Reject packet if Reply-Message is configured.
>
> So my question is:
>  Why doesn't my freeradius put Reply-Message into the Access-Reject packet,
> and
> how can I fix this problem?
>
> I have attached some logs below.
> I really need help.
> Any information would be greatly appreciated.

I have sent a patch for this, but probably it wasn't accepted.
Maybe you know a better way to patch, so that it's accepted?

Here's my patch, which works fine for my needs:
--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
@@ -805,15 +805,18 @@
 * had a non-zero exit status.
 */
if (umsg[0] == '\0') {
-user_msg = "\r\nAccess denied (external check failed).";
+/* Don't tell NAS that auth failed by external check */
+user_msg = NULL;
} else {
 user_msg = &umsg[0];
}

request->reply->code = PW_AUTHENTICATION_REJECT;
-   tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
-   pairadd(&request->reply->vps, tmp);
+   /* Only add reply-message when one is available */
+   if (user_msg != NULL) {
+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+pairadd(&request->reply->vps, tmp);
+   }
rad_authlog("Login incorrect (external check failed)",
  request, 0);
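Review bot: this hunk only touches the external-check rejection branch (the `Access denied (external check failed).` default, followed by `rad_authlog("Login incorrect (external check failed)"`), so it does not reach the users-file case asked about in this thread, where the Reject carries no Reply-Message because no module ever created one. Within its own scope, hard-wiring `user_msg = NULL` when `umsg` is empty silently removes a message that NASes and their users see today; not revealing that an external program failed is a defensible choice, but it should be a configurable default rather than an unconditional NULL, and the behaviour change needs a changelog or documentation note. The `if (user_msg != NULL)` guard around `pairmake` and `pairadd` is the right shape and is worth keeping whatever is decided about the default text.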



Thor.



Access-Reject has no Reply-Message

2003-10-17 Thread 野村 建
I want my freeradius to send an Access-Reject packet with Reply-Message in it,

so that the NAS can alert the user in some fancy way when authentication fails.
But, it's not working so far.
When authentication succeeds, my freeradius sends an Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.

According to the RFC, an Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contains
Reply-Message in the Access-Reject packet if Reply-Message is configured.

So my question is:
 Why doesn't my freeradius put Reply-Message into the Access-Reject packet, and
how can I fix this problem?

I have attached some logs below.
I really need help.
Any information would be greatly appreciated.


Regards,
Takeru

---
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on Apr  4
 2002 at 04:33:11


[users]
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-address = 192.168.200.1,
        Framed-IP-Netmask = 255.255.255.0,
        Session-Timeout = 30,
        Reply-Message="111",


[radiusd.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

#   The location of other config files and
#   logfiles are declared in this file
#
#   Also general configuration for modules can be done
#   in this file, it is exported through the API to
#   modules that ask for it.
#
#   The configuration variables defined here are of the form ${foo}
#   They are local to this file, and do not change from request to
#   request.
#
#   The per-request variables are of the form %{Attribute-Name}, and
#   are taken from the values of the attribute in the incoming
#   request.  See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group)
#  when the value of (unsigned)group is above 6;
#  don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in normal us