Re: Errors when installing FreeRADIUS 1.1.7

2007-11-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I am a newbie at using FreeRADIUS.  After I run ./configure, I run make
> and get the following errors:

  This will be fixed in the next release.

  Until then, if you're not using that module, just delete that directory.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius support eap-fast?

2007-11-26 Thread Alan DeKok
Hangjun He wrote:
> Eap-fast introduction from cisco said freeradius supports eap-fast. Is it
> right? 

  No.

  This came up on the EAP standards list:

http://permalink.gmane.org/gmane.ietf.emu/597

> http://www.t11.org/ftp/t11/pub/fc/sp-2/07-595v0.pdf

  A simple look on freeradius.org would reveal that EAP-FAST is not in
the list of supported protocols.

  Alan DeKok.


Re: local ssh authentication via radius possible?

2007-11-26 Thread Alan DeKok
Dan Gahlinger wrote:
> the pam_radius_auth documentation says to email YOU and refers to the
> radius mailing list,
> which is where I am. you are the author of that as well.

  And I'm not the author of the PAM system.  If you can get PAM to call
the module, ask questions here.  If not, ask questions on a PAM list.

> There's no useful documentation on pam on the system, man pages are useless.

  Then complain to the PAM people.

> I'll try to find a PAM mailing list.

  That's what I've been trying to tell you...

> yes, I guess after decades you get tired of answering questions of newbies.

  I'm resigned to the fact that some people just don't want to be helped.

  Alan DeKok.


Re: freeradius support eap-fast?

2007-11-26 Thread A . L . M . Buxey
Hi,
> Hi,
>   Eap-fast introduction from cisco said freeradius supports eap-fast. Is it 
> right? 
>   http://www.t11.org/ftp/t11/pub/fc/sp-2/07-595v0.pdf

iirc, there was a small patch submitted to the devel list a few weeks
back...but it needed some formatting changes etc and a re-posting.

alan


freeradius support eap-fast?

2007-11-26 Thread Hangjun He
Hi,
  Eap-fast introduction from cisco said freeradius supports eap-fast. Is it 
right? 
  http://www.t11.org/ftp/t11/pub/fc/sp-2/07-595v0.pdf
   
  John

   

Errors when installing FreeRADIUS 1.1.7

2007-11-26 Thread jborquez
I am a newbie at using FreeRADIUS.  After I run ./configure, I run make
and get the following errors:

usr/home/jose/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68: error:
syntax error before "lt_dlhandle"
rlm_sqlippool.c: In function `sqlippool_postauth':
rlm_sqlippool.c:526: warning: unused variable `self'
gmake[5]: *** [rlm_sqlippool.lo] Error 1
gmake[5]: Leaving directory
`/usr/home/jose/freeradius-1.1.7/src/modules/rlm_sqlippool'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/usr/home/jose/freeradius-1.1.7/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/usr/home/jose/freeradius-1.1.7/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/usr/home/jose/freeradius-1.1.7/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/usr/home/jose/freeradius-1.1.7/src'
gmake: *** [common] Error 2
*** Error code 2

Could someone please enlighten me as to what I could be missing here?

Thank you in advance,
Jose



RE: local ssh authentication via radius possible?

2007-11-26 Thread tnt
Run server in debug mode and post the output. Open one session for
radtest and another for radiusd -X.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2007, "Dan Gahlinger" <[EMAIL PROTECTED]> wrote:

>
>if I do that, I get this:
>
>radtest testing callme 127.0.0.1 10 testing123
>Sending Access-Request of id 196 to 127.0.0.1 port 1812
>User-Name = "testing"
>User-Password = "callme"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 10
>Re-sending Access-Request of id 196 to 127.0.0.1 port 1812
>User-Name = "testing"
>User-Password = "callme"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 10
>rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=196, length=20
>
>users config for that test is just this:
>testing Cleartext-Password := "callme"
>
>> To: freeradius-users@lists.freeradius.org
>> Subject: RE: local ssh authentication via radius possible?
>> Date: Mon, 26 Nov 2007 21:58:00 +0100
>> From: [EMAIL PROTECTED]
>> 
>> >Login-Service is set to "TCP-Clear" now, 
>> 
>> Leave just username and password. Delete all the rest for that user. You
>> don't need that.
>> 
>> >and the log file produces only this:
>> >Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. 
>> >Did you mean output=none?
>> >Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
>> >
>> >and nothing else. No other logs anywhere, not even a failed "ssh" log in 
>> >messages, warn, etc.
>> 
>> Which is good. It's a step in the right direction - at least users file
>> isn't broken anymore. Now send a request to it. First use radtest. Then
>> try PAM.
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 



RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

the pam_radius_auth documentation says to email YOU and refers to the radius 
mailing list,
which is where I am. you are the author of that as well.

There's no useful documentation on pam on the system, man pages are useless.

I'll try to find a PAM mailing list.

yes, I guess after decades you get tired of answering questions of newbies.
I'd have thought this would all be well documented by now. oh well.

> Date: Mon, 26 Nov 2007 22:48:11 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > I'm not fighting you at all.
> 
> Having answered questions on this list for nearly a decade, I
>  see patterns.
> 
> > All of your answers previously were "read the documentation, it's there".
> > well, it's not. definitely not.
> 
>   The parts I was pointing you to were documented.  Or, I was pointing
> you to other non-RADIUS documentation.  i.e. PAM.
> 
> > the pam_radius_auth link you gave me states:
> ...
> > take a look at my config - /etc/pam.d/sshd
> 
>   Which is different.  Unfortunately, every distribution has their own
> "special" flavor of their PAM configuration.  The documentation in
> pam_radius_auth is generic, and matches many commonly used
> configurations.  If it doesn't, see:
> 
>   a) the documentation for your OS
>   b) the generic PAM documentation
> 
>   i.e. configuring PAM to use pam_radius_auth is a... PAM issue.  The
> best place to look for help is the PAM documentation, or a PAM list, or
> OS-specific help.
> 
> > a "Default" radiusd install with NO changes (except server file as follows:
> > 127.0.0.1   testing123 3
> > 
> > users in password file can login, but it doesn't seem to be using radius.
> 
>   Then see the PAM documentation for debugging, and how to see if it's
> calling pam_radius_auth.
> 
> > the documentation for pam is as clear as mud. did it mean to modify the
> > login file like this:
> ...
>   Modifying the "login" file affects only the "login" process.  Not "sshd".
> 
> > because that doesn't make any difference either. same result as with just
> > sshd above
> 
>   See the PAM documentation for debugging PAM.  Once you have it calling
> pam_radius_auth, ask more questions here.
> 
>   Alan DeKok.

Re: mod_auth_radius add_cookie segfault

2007-11-26 Thread Alan DeKok
Brandon Ewing wrote:
> I am having some issues with mod_auth_radius causing httpd to segfault
> when "set_cookie" is called.

  Try grabbing the latest version from CVS
(http://freeradius.org/development.html)

  That may have a fix.  If so, I'll release another version.

  Alan DeKok.


Re: local ssh authentication via radius possible?

2007-11-26 Thread Alan DeKok
Dan Gahlinger wrote:
> I'm not fighting you at all.

Having answered questions on this list for nearly a decade, I
 see patterns.

> All of your answers previously were "read the documentation, it's there".
> well, it's not. definitely not.

  The parts I was pointing you to were documented.  Or, I was pointing
you to other non-RADIUS documentation.  i.e. PAM.

> the pam_radius_auth link you gave me states:
...
> take a look at my config - /etc/pam.d/sshd

  Which is different.  Unfortunately, every distribution has their own
"special" flavor of their PAM configuration.  The documentation in
pam_radius_auth is generic, and matches many commonly used
configurations.  If it doesn't, see:

  a) the documentation for your OS
  b) the generic PAM documentation

  i.e. configuring PAM to use pam_radius_auth is a... PAM issue.  The
best place to look for help is the PAM documentation, or a PAM list, or
OS-specific help.

> a "Default" radiusd install with NO changes (except server file as follows:
> 127.0.0.1   testing123 3
> 
> users in password file can login, but it doesn't seem to be using radius.

  Then see the PAM documentation for debugging, and how to see if it's
calling pam_radius_auth.

> the documentation for pam is as clear as mud. did it mean to modify the
> login file like this:
...
  Modifying the "login" file affects only the "login" process.  Not "sshd".

> because that doesn't make any difference either. same result as with just
> sshd above

  See the PAM documentation for debugging PAM.  Once you have it calling
pam_radius_auth, ask more questions here.

  Alan DeKok.


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

if I do that, I get this:

radtest testing callme 127.0.0.1 10 testing123
Sending Access-Request of id 196 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "callme"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
Re-sending Access-Request of id 196 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "callme"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=196, length=20

users config for that test is just this:
testing Cleartext-Password := "callme"

> To: freeradius-users@lists.freeradius.org
> Subject: RE: local ssh authentication via radius possible?
> Date: Mon, 26 Nov 2007 21:58:00 +0100
> From: [EMAIL PROTECTED]
> 
> >Login-Service is set to "TCP-Clear" now, 
> 
> Leave just username and password. Delete all the rest for that user. You
> don't need that.
> 
> >and the log file produces only this:
> >Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. 
> >Did you mean output=none?
> >Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
> >
> >and nothing else. No other logs anywhere, not even a failed "ssh" log in 
> >messages, warn, etc.
> 
> Which is good. It's a step in the right direction - at least users file
> isn't broken anymore. Now send a request to it. First use radtest. Then
> try PAM.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 

RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

I'm not fighting you at all.

All of your answers previously were "read the documentation, it's there".
well, it's not. definitely not.

the pam_radius_auth link you gave me states:
In the per-application configuration add:
auth sufficient /lib/security/pam_radius_auth.so
AFTER
auth sufficient /lib/security/pam_securetty.so
and BEFORE:
auth required /lib/security/pam_unix_auth.so

take a look at my config - /etc/pam.d/sshd

#%PAM-1.0
auth     requisite  pam_nologin.so
auth     sufficient /lib/security/pam_radius_auth.so debug
auth     include    common-auth
account  sufficient /lib/security/pam_radius_auth.so
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional  pam_resmgr.so fake_ttyname

pam_securetty is never referenced, except in /etc/pam.d/login
so should it be in sshd or login, or both?

it doesn't seem to make any difference.

a "Default" radiusd install with NO changes (except server file as follows:
127.0.0.1   testing123 3

users in password file can login, but it doesn't seem to be using radius.

the documentation for pam is as clear as mud. did it mean to modify the login 
file like this:

#%PAM-1.0
auth     requisite  pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     sufficient /lib/security/pam_radius_auth.so debug
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
session  required   pam_lastlog.so  nowtmp
session  required   pam_resmgr.so
session  optional   pam_mail.so standard
session  optional   pam_ck_connector.so

because that doesn't make any difference either. same result as with just sshd 
above

I now have a "vanilla" radiusd config (with the one change to server file 
above), and trying to figure out the pam config.
the documentation also states:
"The pam configuration can be:"
...
auth sufficient /lib/security/pam_radius_auth.so [options]
...
account sufficient /lib/security/pam_radius_auth.so

which is the first time the account directive is mentioned.

so you now have my entire config, back to basics, trying to figure out the pam 
stuff...
logins work, but they're not using radius. and there's nothing in the logs. 
even with "debug" option specified.
Dan.

> Date: Mon, 26 Nov 2007 21:51:34 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > I don't understand most of what you said here. Hence my problem.
> 
>   The problem is that you're trying to configure 4-5 separate things at
> the same time, without understanding how most of them work.  As a
> result, you're frustrated, and not making progress.
> 
> > Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output
> > defined. Did you mean output=none?
> > Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
> > 
> > and nothing else. No other logs anywhere, not even a failed "ssh" log in
> > messages, warn, etc.
> 
>   i.e. PAM isn't using RADIUS for authentication.  Fix that.  Read the
> PAM documentation.
> 
> > we need a regular user using SSH client such as SecureCRT, or Putty, etc
> > without modification, to login
> > via SSH to a linux server, and have the server use Radius for
> > authentication.
> > 
> > These are "local" users with shell access. The radius would be local.
> > So instead of using the local password file, we want to use Radius.
> 
>   That will work, but they will need a uid/gid etc. in /etc/passwd.
> 
> > Using everything in the defaults without changing the user file doesn't
> > make sense, because that's what we want to use for authentication,
> > only, in our case, it'd be on a central server instead of local, but I
> > want to get local testing working first, just to make sure I understand
> > it all.
> 
>   Which is why I said to use the defaults.  If you don't know what it's
> doing, then DON'T CHANGE ANYTHING.  The default configuration WORKS.
> Every change you've made has broken it.
> 
> > at this point, I don't understand any of it, and yelling at me for doing
> > the wrong things isn't helping.
> 
>   No, I'm telling you that making random changes won't work.  I'm
> telling you that making changes that aren't recommended in the
> documentation is not a good idea.  I'm telling you that reading the
> documentation and following its recommendations is a good idea.
> 
> > you've seen my configuration files. I don't know how it should work,
> > because I have no idea how it should look.
> 
>   They should look like the samples.  It's n

mod_auth_radius add_cookie segfault

2007-11-26 Thread Brandon Ewing
Greetings,

I am having some issues with mod_auth_radius causing httpd to segfault
when "set_cookie" is called.

The server in question is CentOS 4.5, with httpd-2.0.52-32.3 and
apr-0.9.4-24.5.c4.2 RPMs installed.

I downloaded mod_auth_radius from 
http://www.freeradius.org/mod_auth_radius/mod_auth_radius-2.0.c

It compiled correctly via apxs after I added
#include "apr_compat.h"

I compiled with the following line:
apxs -i -a -c mod_auth_radius-2.0.c

I have the following in the .htaccess for the directory I wish to protect:

AddRadiusAuth 10.10.17.15:1812 secret 5:3
AuthName "RADIUS Access"
AuthType Basic
Require valid-user
AuthRadiusActive On


If I access the page, I am presented with a basic authtype prompt --
however, after I enter a valid username and password, the httpd child
segfaults:

[Mon Nov 26 15:00:01 2007] [notice] child pid 21136 exit signal Segmentation
fault (11)

I know that the issue is in the set_cookie routine, because if I comment out
the "set_cookie" call after a successful authentication and recompile, the 
segfault does
not happen.  However, this results in a RADIUS call for every single GET
request, which is not desired.  I am not proficient in C, so if anyone has
any suggestions as to further troubleshooting/resolution for this issue, I
would appreciate the input, off or on-list.

-- 
Brandon Ewing([EMAIL PROTECTED])



RE: local ssh authentication via radius possible?

2007-11-26 Thread tnt
>Login-Service is set to "TCP-Clear" now, 

Leave just username and password. Delete all the rest for that user. You
don't need that.

>and the log file produces only this:
>Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did 
>you mean output=none?
>Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
>
>and nothing else. No other logs anywhere, not even a failed "ssh" log in 
>messages, warn, etc.

Which is good. It's a step in the right direction - at least users file
isn't broken anymore. Now send a request to it. First use radtest. Then
try PAM.

Ivan Kalik
Kalik Informatika ISP



Re: local ssh authentication via radius possible?

2007-11-26 Thread Alan DeKok
Dan Gahlinger wrote:
> I don't understand most of what you said here. Hence my problem.

  The problem is that you're trying to configure 4-5 separate things at
the same time, without understanding how most of them work.  As a
result, you're frustrated, and not making progress.

> Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output
> defined. Did you mean output=none?
> Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
> 
> and nothing else. No other logs anywhere, not even a failed "ssh" log in
> messages, warn, etc.

  i.e. PAM isn't using RADIUS for authentication.  Fix that.  Read the
PAM documentation.

> we need a regular user using SSH client such as SecureCRT, or Putty, etc
> without modification, to login
> via SSH to a linux server, and have the server use Radius for
> authentication.
> 
> These are "local" users with shell access. The radius would be local.
> So instead of using the local password file, we want to use Radius.

  That will work, but they will need a uid/gid etc. in /etc/passwd.

> Using everything in the defaults without changing the user file doesn't
> make sense, because that's what we want to use for authentication,
> only, in our case, it'd be on a central server instead of local, but I
> want to get local testing working first, just to make sure I understand
> it all.

  Which is why I said to use the defaults.  If you don't know what it's
doing, then DON'T CHANGE ANYTHING.  The default configuration WORKS.
Every change you've made has broken it.

> at this point, I don't understand any of it, and yelling at me for doing
> the wrong things isn't helping.

  No, I'm telling you that making random changes won't work.  I'm
telling you that making changes that aren't recommended in the
documentation is not a good idea.  I'm telling you that reading the
documentation and following its recommendations is a good idea.

> you've seen my configuration files. I don't know how it should work,
> because I have no idea how it should look.

  They should look like the samples.  It's not hard.

> I'd appreciate a little bit of help here, some hints, some sample
> configs, would really really help.

  The sample configurations work.

  However, it's clear that for whatever reason, SSH isn't using PAM,
*or*, PAM isn't using the pam_radius_auth module, *or* the
pam_radius_auth module isn't configured to use the correct RADIUS server.

  As a result, the RADIUS server isn't receiving login requests.  As a
result of that, no amount of fighting with the RADIUS configuration will
help.  So all of the time you put into configuring "Login-Server" was
wasted.

> I mean, if it's even possible to do what we're trying to do.

  Yes.

  I will also note that I asked a number of questions in my last
message, and you haven't answered any of them.  Either you didn't
understand them, or you don't think they're important.

  Part of the reason this is so difficult for you is that you are
fighting every attempt by anyone to help you.  You're stuck on one
particular mind-set that is preventing anyone from helping you, and
preventing you from solving the problem.  Until you give up that
mindset, and let people help you, you won't solve the problem.  You'll
only get more and more frustrated.

  Alan DeKok.
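
The three causes named in the message above (sshd not using PAM, PAM not calling pam_radius_auth, pam_radius_auth pointed at the wrong server) can be checked mechanically. This is an added example, not part of the thread and not FreeRADIUS or pam_radius_auth code: `diagnose` and the finding names are hypothetical, the PAM file and server line are the ones posted in this thread with column spacing restored, and the sshd_config line in the demo is constructed.

```python
import re

# /etc/pam.d/sshd as posted in this thread (column spacing restored).
SSHD_PAM = """\
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     sufficient /lib/security/pam_radius_auth.so debug
auth     include    common-auth
account  sufficient /lib/security/pam_radius_auth.so
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
"""

# pam_radius_auth server file line as posted: server, shared secret, timeout.
SERVER_FILE = "127.0.0.1   testing123 3\n"

# type, control (plain word or [bracketed list]), module, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples for a PAM service file."""
    entries = []
    # Join backslash-continued lines before splitting into entries.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) > 1:
            # Debian-style include applies to every management group.
            entries.append(("*", "include", parts[1], []))
            continue
        m = PAM_LINE.match(line)
        if m:
            kind, control, module, args = m.groups()
            entries.append((kind.lower(), control, module, args.split()))
    return entries


def sshd_uses_pam(sshd_config):
    """sshd_config keywords are case-insensitive; the first value wins."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "usepam":
            return parts[1].lower() == "yes"
    return False  # OpenSSH's documented default for UsePAM is "no"


def server_hosts(server_file):
    """Hosts from 'server[:port] secret [timeout]' lines."""
    hosts = []
    for raw in server_file.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            hosts.append(fields[0].split(":")[0])
    return hosts


def diagnose(pam_text, sshd_config, server_file, expected_server):
    """Return hypothetical finding names, one per broken link in the chain."""
    findings = []
    if not sshd_uses_pam(sshd_config):
        findings.append("sshd-not-using-pam")
    auth = [e for e in parse_pam(pam_text) if e[0] in ("auth", "*")]
    pos = next((i for i, e in enumerate(auth) if "pam_radius_auth" in e[2]), None)
    if pos is None:
        findings.append("radius-module-not-in-auth-stack")
    else:
        # A 'sufficient' module or an included stack ahead of the RADIUS
        # module can finish authentication before it is ever called.
        if any(e[1] in ("sufficient", "include", "substack") for e in auth[:pos]):
            findings.append("radius-module-may-be-skipped")
        # 'sufficient' ignores failure: later modules (local passwords)
        # still get to authenticate the user when RADIUS does not.
        if auth[pos][1] == "sufficient" and auth[pos + 1:]:
            findings.append("local-fallback-after-radius")
    if expected_server not in server_hosts(server_file):
        findings.append("server-file-points-elsewhere")
    return findings


if __name__ == "__main__":
    # Constructed sshd_config content for the demo.
    for finding in diagnose(SSHD_PAM, "UsePAM yes\n", SERVER_FILE, "127.0.0.1"):
        print(finding)
```

For the posted configuration the only finding is `local-fallback-after-radius`: the module is `sufficient` and `common-auth` follows it, so a local password still succeeds when RADIUS does not answer, and a successful login is not evidence that RADIUS was consulted.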


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

the client software I'm using is SecureCRT (windows - from vandyke) it's a 
windows SSH client.

I don't understand most of what you said here. Hence my problem.

I did configure pam_radius with "debug" option.
there is no output created. It's impossible to tell if things are working the 
way they should
Login-Service is set to "TCP-Clear" now, and the log file produces only this:

Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did 
you mean output=none?
Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.

and nothing else. No other logs anywhere, not even a failed "ssh" log in 
messages, warn, etc.

Maybe I should restate, clearly, what I'm trying to do. and see if it's 
possible, or makes sense.

we need a regular user using SSH client such as SecureCRT, or Putty, etc 
without modification, to login
via SSH to a linux server, and have the server use Radius for authentication.

These are "local" users with shell access. The radius would be local.
So instead of using the local password file, we want to use Radius.

Eventually the server they're logging into will point their radius to another 
radius server (also linux) running on the network.

I have no idea what I'm doing, so I'm grasping at straws.
You said to read the documentation, which, there wasn't much of in this regard, 
but I did anyhow.

Then you said to read pam_radius_auth, which I did, and attempted to implement.

Thankfully, logins using the local password file still works.

Using everything in the defaults without changing the user file doesn't make 
sense, because that's what we want to use for authentication,
only, in our case, it'd be on a central server instead of local, but I want to 
get local testing working first, just to make sure I understand it all.

at this point, I don't understand any of it, and yelling at me for doing the 
wrong things isn't helping.

you've seen my configuration files. I don't know how it should work, because I 
have no idea how it should look.

I'd appreciate a little bit of help here, some hints, some sample configs, 
would really really help.

I mean, if it's even possible to do what we're trying to do.

> Date: Mon, 26 Nov 2007 20:33:13 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > The SSH documentation doesn't say anything about using radius or
> > configuring the Radius users file.
> > why would it? that makes no sense.
> 
>   Because you haven't said which RADIUS client you're using.  Maybe SSH
> has a RADIUS plugin...
> 
> > The pam_radius_auth documentation, while useful, makes no mention of the
> > radius users file.
> 
>   Of course not.  It's a client.  The "users" file is only for the server.
> 
> > I have not been "careful" to hide or keep anything. I just didn't think
> > the log output was useful
> > but, since I'm new to this, here you go (from the most recent attempt):
> 
>   The FAQ, README, INSTALL, and many messages on this list make it clear
> that running in debugging mode, and posting the output to this list, is
> the only way to solve many problems.
> 
> > Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output
> > defined. Did you mean output=none?
> > Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error
> > (reply) for entry testing: Expected end of line or comma
> 
>   You edited the "users" file, and broke it.
> 
> > and here it is from the previous attempt at using "ssh" as a login-service:
> 
>   Which isn't documented as a permitted Login-Service for the server.
> And it isn't documented as being necessary for the pam_radius_auth module.
> 
> > I will check the dictionary and see how "tcp clear" should be entered.
> > However, your email suggests that this is not the correct avenue to
> > pursue, and as such, I'm lost, again.
> 
>   Perhaps you could explain why you're so fixated on setting
> Login-Service?  The pam_radius_auth documentation doesn't say that it's
> needed.
> 
> > everything else is straight out of the box, I even used the sample
> > secrets to keep it simple.
> > I want as few variables as possible while testing this.
> 
>   Try starting the server without changing ANYTHING.  When you log in
> over SSH, does the PAM module send a RADIUS request?  Does the server
> receive it?
> 
>   You seem to have wandered down a configuration path that isn't
> required, and you're doing things that aren't documented.  Stop trying
> to do complicated things, and go back to the default configurations and
> simple tests.
> 
>   Alan DeKok.

Re: local ssh authentication via radius possible?

2007-11-26 Thread Alan DeKok
Dan Gahlinger wrote:
> The SSH documentation doesn't say anything about using radius or
> configuring the Radius users file.
> why would it? that makes no sense.

  Because you haven't said which RADIUS client you're using.  Maybe SSH
has a RADIUS plugin...

> The pam_radius_auth documentation, while useful, makes no mention of the
> radius users file.

  Of course not.  It's a client.  The "users" file is only for the server.

> I have not been "careful" to hide or keep anything. I just didn't think
> the log output was useful
> but, since I'm new to this, here you go (from the most recent attempt):

  The FAQ, README, INSTALL, and many messages on this list make it clear
that running in debugging mode, and posting the output to this list, is
the only way to solve many problems.

> Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output
> defined. Did you mean output=none?
> Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error
> (reply) for entry testing: Expected end of line or comma

  You edited the "users" file, and broke it.

> and here it is from the previous attempt at using "ssh" as a login-service:

  Which isn't documented as a permitted Login-Service for the server.
And it isn't documented as being necessary for the pam_radius_auth module.

> I will check the dictionary and see how "tcp clear" should be entered.
> However, your email suggests that this is not the correct avenue to
> pursue, and as such, I'm lost, again.

  Perhaps you could explain why you're so fixated on setting
Login-Service?  The pam_radius_auth documentation doesn't say that it's
needed.

> everything else is straight out of the box, I even used the sample
> secrets to keep it simple.
> I want as few variables as possible while testing this.

  Try starting the server without changing ANYTHING.  When you log in
over SSH, does the PAM module send a RADIUS request?  Does the server
receive it?

  You seem to have wandered down a configuration path that isn't
required, and you're doing things that aren't documented.  Stop trying
to do complicated things, and go back to the default configurations and
simple tests.

  Alan DeKok.


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

The SSH documentation doesn't say anything about using radius or configuring the 
Radius users file.
why would it? that makes no sense.

The pam_radius_auth documentation, while useful, makes no mention of the radius 
users file.

I have not been "careful" to hide or keep anything. I just didn't think the log 
output was useful
but, since I'm new to this, here you go (from the most recent attempt):

Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Expected end of line or comma
Mon Nov 26 11:15:30 2007 : Error: Errors reading /etc/raddb/users
Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed.
Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1852] Unknown module "files".
Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1788] Failed to parse authorize section.

and here it is from the previous attempt at using "ssh" as a login-service:
Mon Nov 26 11:14:54 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Nov 26 11:14:54 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Unknown value ssh for attribute Login-Service
Mon Nov 26 11:14:54 2007 : Error: Errors reading /etc/raddb/users
Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed.
Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1852] Unknown module "files".
Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1788] Failed to parse authorize section.

BTW that is the REAL name of my server, it just happens to be in a test 
environment. I wanted to keep things simple.

I will check the dictionary and see how "tcp clear" should be entered.
However, your email suggests that this is not the correct avenue to pursue, and 
as such, I'm lost, again.

I'm using the base install, and changed only the users file for the radius 
server config
the pam config seemed fairly straight-forward, just add the auth/account lines.

everything else is straight out of the box, I even used the sample secrets to 
keep it simple.
I want as few variables as possible while testing this.

here's my pam sshd config anyhow:

#%PAM-1.0
auth     requisite  pam_nologin.so
auth     sufficient /lib/security/pam_radius_auth.so debug
auth     include    common-auth
account  sufficient /lib/security/pam_radius_auth.so
account  include    common-account
password sufficient /lib/security/pam_radius_auth.so
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional  pam_resmgr.so fake_ttyname

nothing too exciting

> Date: Mon, 26 Nov 2007 18:17:33 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > it doesn't like my config, even with "TCP Clear"-
> > 
> > testing Cleartext-Password := "callme"
> >         Service-Type = Login-User,
> >         Login-Service = TCP Clear,
> >         Login-IP-Host = testing.mydomain.com
> 
>   You have to use the names from the dictionaries.  "TCP clear" is two
> words, and is not a name from the dictionaries.
> 
>   In any case, the PAM RADIUS module doesn't need "TCP Clear".  If
> you're using something else to do RADIUS authentication, see its
> documentation for what it needs.
> 
> > this is frustrating.
> > and i'm not even sure this is correct for SSH?
> 
>   Perhaps the SSH documentation says something?
> 
>   You've been very careful to not show the output of debugging mode,
> either on the server or on the client (if it has one).  You've also been
> careful to hide which RADIUS client you're using.
> 
>   This makes it difficult to help you.  You're saying "Hi, I'm using
> stuff to login, but it doesn't work.  Help me!"  Those kind of questions
> are content-free, and actively prevent anyone from helping you.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[EMAIL PROTECTED]

2007-11-26 Thread Syaoran Li
[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: local ssh authentication via radius possible?

2007-11-26 Thread Alan DeKok
Dan Gahlinger wrote:
> it doesn't like my config, even with "TCP Clear"-
> 
> testing Cleartext-Password := "callme"
>         Service-Type = Login-User,
>         Login-Service = TCP Clear,
>         Login-IP-Host = testing.mydomain.com

  You have to use the names from the dictionaries.  "TCP clear" is two
words, and is not a name from the dictionaries.

  In any case, the PAM RADIUS module doesn't need "TCP Clear".  If
you're using something else to do RADIUS authentication, see its
documentation for what it needs.

> this is frustrating.
> and i'm not even sure this is correct for SSH?

  Perhaps the SSH documentation says something?

  You've been very careful to not show the output of debugging mode,
either on the server or on the client (if it has one).  You've also been
careful to hide which RADIUS client you're using.

  This makes it difficult to help you.  You're saying "Hi, I'm using
stuff to login, but it doesn't work.  Help me!"  Those kind of questions
are content-free, and actively prevent anyone from helping you.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

it doesn't like my config, even with "TCP Clear"-

testing Cleartext-Password := "callme"
        Service-Type = Login-User,
        Login-Service = TCP Clear,
        Login-IP-Host = testing.mydomain.com

this is frustrating.
and i'm not even sure this is correct for SSH?

> To: freeradius-users@lists.freeradius.org
> Subject: RE: local ssh authentication via radius possible?
> Date: Mon, 26 Nov 2007 17:08:59 +0100
> From: [EMAIL PROTECTED]
> 
> >
> >radiusd also complains unknown module "files"
> >
> 
> And that would be the result of you hacking the default radiusd.conf.
> Leave it alone, and it will work.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

nope. I didn't touch the default radiusd.conf (out of the package)

I think I need to resolve this Login-Service first. it can't parse the users 
file because of it.
so which Login-Service do I use?

> To: freeradius-users@lists.freeradius.org
> Subject: RE: local ssh authentication via radius possible?
> Date: Mon, 26 Nov 2007 17:08:59 +0100
> From: [EMAIL PROTECTED]
> 
> >
> >radiusd also complains unknown module "files"
> >
> 
> And that would be the result of you hacking the default radiusd.conf.
> Leave it alone, and it will work.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: local ssh authentication via radius possible?

2007-11-26 Thread tnt
>
>radiusd also complains unknown module "files"
>

And that would be the result of you hacking the default radiusd.conf.
Leave it alone, and it will work.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

So what are we supposed to use for SSH then?
TCP Clear? or TCP Clear Quiet?

Dan.

> To: freeradius-users@lists.freeradius.org
> Subject: RE: local ssh authentication via radius possible?
> Date: Mon, 26 Nov 2007 17:02:16 +0100
> From: [EMAIL PROTECTED]
> 
> From RFC:
> 
> Values for RADIUS Attribute 15, Login-Service:
> 
> Value  Description                                  Reference
> -----  -----------                                  ---------
> 0      Telnet
> 1      Rlogin
> 2      TCP Clear
> 3      PortMaster (proprietary)
> 4      LAT
> 5      X25-PAD
> 6      X25-T3POS
> 7      (unassigned)
> 8      TCP Clear Quiet (suppresses any NAS-generated connect
>        string)
> 
> >setting it to "SSH" doesn't work.
> 
> Now you know why.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with CHAP

2007-11-26 Thread Javier Fernando

Thanks, I put the users at the top of the users file and connect. I don't read 
in any place that the users must be added in the top of the file.
 
Javier.
 
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Problem with CHAP
> Date: Mon, 26 Nov 2007 16:30:17 +0100
> From: [EMAIL PROTECTED]
> 
> >users: Matched entry DEFAULT at line 173
> >users: Matched entry DEFAULT at line 185
> 
> You have added user entries at the end of users file. You should put user
> entries towards the front of the users file. If you need to process some
> default entries, user entry should have Fall-Through = Yes at the end.
> 
> Ivan Kalik
> Kalik Informatika ISP

RE: local ssh authentication via radius possible?

2007-11-26 Thread tnt
From RFC:

Values for RADIUS Attribute 15, Login-Service:

Value  Description                                  Reference
-----  -----------                                  ---------
0      Telnet
1      Rlogin
2      TCP Clear
3      PortMaster (proprietary)
4      LAT
5      X25-PAD
6      X25-T3POS
7      (unassigned)
8      TCP Clear Quiet (suppresses any NAS-generated connect
       string)

>setting it to "SSH" doesn't work.

Now you know why.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: local ssh authentication via radius possible?

2007-11-26 Thread Dan Gahlinger

there is a lot of documentation missing.
for example, when users are using "SSH" what's the "Login-Service" supposed to 
be?
setting it to "SSH" doesn't work.

so many unanswered questions about this.
with SSH we don't want to assign the user an IP address so I just used 
"Login-IP-Host"
and Service-Type "Login-User"

radiusd also complains unknown module "files"

this could really use a "newbie" setup guide with examples

> Date: Sat, 24 Nov 2007 07:35:54 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > How do I configure PAM to use radius?
> 
>   See the documentation in the pam_radius_auth module.  It's on the
> freeradius web page.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Unresponsive child and accounting

2007-11-26 Thread Alan DeKok
Christophe Saillard wrote:
> Our first experience with Freeradius on a FreeBSD server was a nightmare
> (it seemed to be a thread related problem, the server stopped working
> with a lot of "unresponsive child" error logs).

  Hmm... the code *did* work well on FreeBSD at one point.

> So, we tried on a Linux server (kernel 2.6.22-14-server ubuntu feisty
> fawn)  and it worked fine since last week :
...
> Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id
> 2841623456) for request 2419798 (in component accounting module
> rlm_radutmp)

  That's a lot more helpful than earlier versions.

  My guess is that the radutmp file is *huge*.  If you don't need it, it
should not be used.  If you do need it, it should be rotated frequently.
 Or, use a database to store that information.

> The CPU went up to 100%.

  Consistent with spending lots of time reading the radutmp file

> There was about 300 802.1X clients connected (with a 2 minutes reauth
> period).

  Any commodity machine should be able to handle that.

> At this time we had no other choice than upgrading the hardware, it runs
> now on a 8 processor server but even with more CPU power we noticed a
> 20% system load.

  300 clients shouldn't need that much CPU power.

> Here's the threading part of the radiusd.conf :
...
> max_requests_per_server = 300

  Please set that to zero.  That portion of the code isn't very well tested.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Unresponsive child and accounting

2007-11-26 Thread Christophe Saillard

Hi,

I use freeradius (1.1.7) to authenticate wireless users (EAP-TTLS/PAP) 
with an OpenLDAP backend.


Our first experience with Freeradius on a FreeBSD server was a nightmare 
(it seemed to be a thread related problem, the server stopped working 
with a lot of "unresponsive child" error logs).


So, we tried on a Linux server (kernel 2.6.22-14-server ubuntu feisty 
fawn)  and it worked fine since last week :


Wed Nov 21 15:33:21 2007 : Auth: Login OK: [] (from client localhost port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:21 2007 : Auth: Login OK: [EMAIL PROTECTED] (from client wds3 port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id 3046112160) for request 2419782 (in component accounting module rlm_radutmp)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id 2841623456) for request 2419798 (in component accounting module rlm_radutmp)


The CPU went up to 100%.

There was about 300 802.1X clients connected (with a 2 minutes reauth 
period).


At this time we had no other choice than upgrading the hardware, it runs 
now on a 8 processor server but even with more CPU power we noticed a 
20% system load.


Here's the threading part of the radiusd.conf :

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1000

thread pool {
        start_servers = 10
        max_servers = 1000
        min_spare_servers = 15
        max_spare_servers = 30
        max_requests_per_server = 300
}


I don't know if it's relevant but there were about 80 Eduroam users 
connected when the problem happens.


Thanks.

--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with CHAP

2007-11-26 Thread tnt
>users: Matched entry DEFAULT at line 173
>users: Matched entry DEFAULT at line 185  

You have added user entries at the end of users file. You should put user
entries towards the front of the users file. If you need to process some
default entries, user entry should have Fall-Through = Yes at the end.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2007, "Javier Fernando" <[EMAIL PROTECTED]> wrote:


>This is the last log:
> 
>Thanks.
> 
>Javier.
> 
> 
>radiusd -X  :
> 
>Nothing to do.  Sleeping until we see a request.
>rad_recv: Access-Request packet from host 10.10.200.252:1645, id=139, length=125
>        Framed-Protocol = PPP
>        User-Name = "bob"
>        CHAP-Password = 0x010ae11cfe98a4aea0f0244e3337c26de4
>        NAS-Port-Type = Virtual
>        NAS-Port = 180
>        Calling-Station-Id = "1141323200"
>        Called-Station-Id = "8003450410"
>        Connect-Info = "TLS-DIALUP"
>        Service-Type = Framed-User
>        NAS-IP-Address = 10.10.200.252
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 8
>  modcall[authorize]: module "preprocess" returns ok for request 8
>  rlm_chap: Setting 'Auth-Type := CHAP'
>  modcall[authorize]: module "chap" returns ok for request 8
>  modcall[authorize]: module "mschap" returns noop for request 8
>    rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 8
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 8
>    users: Matched entry DEFAULT at line 173
>    users: Matched entry DEFAULT at line 185
>  modcall[authorize]: module "files" returns ok for request 8
>rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>  modcall[authorize]: module "pap" returns noop for request 8
>modcall: leaving group authorize (returns ok) for request 8
>  rad_check_password:  Found Auth-Type CHAP
>auth: type "CHAP"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group CHAP for request 8
>  rlm_chap: login attempt by "bob" with CHAP password
>  rlm_chap: Could not find clear text password for user bob
>  modcall[authenticate]: module "chap" returns invalid for request 8
>modcall: leaving group CHAP (returns invalid) for request 8
>auth: Failed to validate the user.
>Login incorrect (rlm_chap: Clear text password not available): [bob/] (from client rasiplan2 port 180 cli 1141323200)
>Delaying request 8 for 1 seconds
>Finished request 8
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 139 to 10.10.200.252 port 1645
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 8 ID 139 with timestamp 474acfb9
>Nothing to do.  Sleeping until we see a request.
> 

RE: Problem with CHAP

2007-11-26 Thread Javier Fernando

This is the last log:
 
Thanks.
 
Javier.
 
 
radiusd -X  :
 
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.10.200.252:1645, id=139, length=125
        Framed-Protocol = PPP
        User-Name = "bob"
        CHAP-Password = 0x010ae11cfe98a4aea0f0244e3337c26de4
        NAS-Port-Type = Virtual
        NAS-Port = 180
        Calling-Station-Id = "1141323200"
        Called-Station-Id = "8003450410"
        Connect-Info = "TLS-DIALUP"
        Service-Type = Framed-User
        NAS-IP-Address = 10.10.200.252
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
    rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 8
    users: Matched entry DEFAULT at line 173
    users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 8
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 8
modcall: leaving group authorize (returns ok) for request 8
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 8
  rlm_chap: login attempt by "bob" with CHAP password
  rlm_chap: Could not find clear text password for user bob
  modcall[authenticate]: module "chap" returns invalid for request 8
modcall: leaving group CHAP (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [bob/] (from client rasiplan2 port 180 cli 1141323200)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 139 to 10.10.200.252 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 139 with timestamp 474acfb9
Nothing to do.  Sleeping until we see a request.
 
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Problem with CHAP
> Date: Mon, 26 Nov 2007 15:38:50 +0100
> From: [EMAIL PROTECTED]
> 
> Can you send the whole debug from the request. I can't see if anything
> matched in users file or not.
> 
> Ivan Kalik
> Kalik Informatika ISP
RE: Problem with CHAP

2007-11-26 Thread tnt
Can you send the whole debug from the request. I can't see if anything
matched in users file or not.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2007, "Javier Fernando" <[EMAIL PROTECTED]> wrote:

>
>I have these users in the users file:
> 
> 
># Test users
>chap Auth-Type := Local, Cleartext-Password := "test2007"
>test Auth-Type := Local, Password := "test2007"
>lock Auth-Type := Reject
>        Reply-Message = "Cuenta deshabilitada."
>steve Cleartext-Password := "test"
>javier Cleartext-Password := "test"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = -,
>        Framed-IP-Netmask = ,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP
>bob User-Password == "test"
>prueba1 Auth-Type := CHAP, Password := "test"
> 
> 
>I try with all of these users and again have the error:
> 
>modcall: leaving group authorize (returns ok) for request 5
>  rad_check_password:  Found Auth-Type CHAP
>auth: type "CHAP"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group CHAP for request 5
>  rlm_chap: login attempt by "javier" with CHAP password
>  rlm_chap: Could not find clear text password for user javier
>  modcall[authenticate]: module "chap" returns invalid for request 5
>modcall: leaving group CHAP (returns invalid) for request 5
>auth: Failed to validate the user.
>Login incorrect (rlm_chap: Clear text password not available): [javier/] (from client rasiplan2 port 2119 cli 1141323200)
>Delaying request 5 for 1 seconds
> 
>THANKS!!!
> 
>Javier.
> 
> 
> 
> 
>> To: freeradius-users@lists.freeradius.org
>> Subject: RE: Problem with CHAP
>> Date: Mon, 26 Nov 2007 14:05:07 +0100
>> From: [EMAIL PROTECTED]
>> 
>> >When I connect I use this username and password and the radius don't validate
>> >the request.
>> 
>> 
>> No. You didn't use username usuario3. Look at the request:
>> 
>> User-Name = "chap"
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
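
The failure in this "Problem with CHAP" thread, as an added example that is not part of any list post and is not FreeRADIUS code: a simplified Python model of top-to-bottom users-file matching with Fall-Through, feeding the RFC 2865 CHAP check. Line numbers 173 and 185, the steve entry and the posted CHAP-Password value come from the posts; the contents of the DEFAULT entries, lines 100 and 200, the challenge bytes and all function names are assumptions.

```python
import hashlib
import hmac

# Entry = (line_no, name, check_items, reply_items); a simplified model, not real syntax.
# Check-item operators modelled here:
#   ":=" always matches and sets a control item (e.g. the known-good password)
#   "==" matches only if the request attribute equals the value


def authorize(entries, request):
    """Walk entries top to bottom; return (control_items, matched_line_numbers)."""
    control, matched = {}, []
    for line_no, name, checks, reply in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(op == "==" and request.get(attr) != value
               for attr, op, value in checks):
            continue
        matched.append(line_no)
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = value
        # Processing stops at the first match unless the entry asks to continue.
        if reply.get("Fall-Through") != "Yes":
            break
    return control, matched


def chap_response(chap_id, cleartext, challenge):
    """RFC 2865 section 5.3: MD5(CHAP ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()


def split_chap_password(value):
    """CHAP-Password is 17 bytes: 1-byte CHAP ID followed by the 16-byte response."""
    if len(value) != 17:
        raise ValueError("CHAP-Password must be 17 bytes")
    return value[0], value[1:]


def chap_check(chap_password, challenge, control):
    """Verify a CHAP-Password against the control items left by authorize()."""
    chap_id, response = split_chap_password(chap_password)
    cleartext = control.get("Cleartext-Password")
    if cleartext is None:
        # The MD5 input is the password itself, so a stored hash cannot be used.
        return "Clear text password not available"
    expected = chap_response(chap_id, cleartext, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "invalid"


# CHAP-Password exactly as posted in the debug output (ID 0x01 + 16-byte response).
POSTED_CHAP_PASSWORD = bytes.fromhex("010ae11cfe98a4aea0f0244e3337c26de4")

# Constructed DEFAULT entries; only the line numbers come from the debug output.
DEFAULTS = [
    (173, "DEFAULT", [("Service-Type", "==", "Framed-User")], {"Fall-Through": "Yes"}),
    (185, "DEFAULT", [("Framed-Protocol", "==", "PPP")], {}),
]
STEVE = [("Cleartext-Password", ":=", "test")]  # the "steve" entry from the post

USER_AT_END = DEFAULTS + [(200, "steve", STEVE, {})]       # line 200 is constructed
USER_AT_TOP = [(100, "steve", STEVE, {})] + DEFAULTS       # line 100 is constructed
USER_AT_TOP_FT = [(100, "steve", STEVE, {"Fall-Through": "Yes"})] + DEFAULTS

REQUEST = {"User-Name": "steve", "Service-Type": "Framed-User",
           "Framed-Protocol": "PPP"}
# Constructed challenge; on the wire it is the CHAP-Challenge attribute or,
# if that is absent, the Request Authenticator.
CHALLENGE = bytes(range(16))
CHAP_PASSWORD = bytes([1]) + chap_response(1, "test", CHALLENGE)


def run(entries):
    """Return (matched users-file lines, CHAP result) for the sample request."""
    control, matched = authorize(entries, REQUEST)
    return matched, chap_check(CHAP_PASSWORD, CHALLENGE, control)


if __name__ == "__main__":
    for label, entries in (("user entry at end", USER_AT_END),
                           ("user entry at top", USER_AT_TOP),
                           ("user entry at top + Fall-Through", USER_AT_TOP_FT)):
        print(label, run(entries))
```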


RE: Problem with CHAP

2007-11-26 Thread Javier Fernando

I have these users in the users file:
 
 
# Test users
chap Auth-Type := Local, Cleartext-Password := "test2007"
test Auth-Type := Local, Password := "test2007"
lock Auth-Type := Reject
        Reply-Message = "Cuenta deshabilitada."
steve Cleartext-Password := "test"
javier Cleartext-Password := "test"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = -,
        Framed-IP-Netmask = ,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
bob User-Password == "test"
prueba1 Auth-Type := CHAP, Password := "test"
 
 
I try with all of these users and again have the error:
 
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 5
  rlm_chap: login attempt by "javier" with CHAP password
  rlm_chap: Could not find clear text password for user javier
  modcall[authenticate]: module "chap" returns invalid for request 5
modcall: leaving group CHAP (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [javier/] (from client rasiplan2 port 2119 cli 1141323200)
Delaying request 5 for 1 seconds
 
THANKS!!!
 
Javier.
 
 
 
 
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Problem with CHAP
> Date: Mon, 26 Nov 2007 14:05:07 +0100
> From: [EMAIL PROTECTED]
> 
> >When I connect I use this username and password and the radius don't validate
> >the request.
> 
> 
> No. You didn't use username usuario3. Look at the request:
> 
> User-Name = "chap"
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Problem with CHAP

2007-11-26 Thread tnt
>When I connect I use this username and password and the radius doesn't validate
>the request.


No. You didn't use username usuario3. Look at the request:

User-Name = "chap"

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with CHAP

2007-11-26 Thread Javier Fernando

I connect to the radius over a dialup modem. I added a CHAP user with this line
in the users file:
 
usuario3 Cleartext-Password := "testusuario3"
 
When I connect I use this username and password and the radius doesn't validate
the request.
 
Javier.
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Problem with CHAP
> Date: Sat, 24 Nov 2007 01:16:04 +0100
> From: [EMAIL PROTECTED]
>
> You are not sending that username:
>
> User-Name = "chap"
>
> Put usuario3 as a username on XP PC.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 23/11/2007, "Javier Fernando" <[EMAIL PROTECTED]> wrote:
>
> >
> >I think that this is a CHAP USER:
> >
> >usuario3 Cleartext-Password := "testusuario3"
> >
> >How to add a Chap user to the users file?
> >
> >Javier.
> >
>
> Do you have user chap in your users file? You have posted entries for
> some other usernames.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 23/11/2007, "Javier Fernando" <[EMAIL PROTECTED]> wrote:
>
> >
> >I configured FreeRADIUS; when the client tries to connect with CHAP I have
> >this error, and it only connects with Linux system users. When I connect
> >locally with radtest I connect OK, but when I connect remotely with
> >Windows XP using CHAP it doesn't connect. I run radius in debug mode with
> >the -X option.
> >
> >Part of clients.conf
> >
> >usuario1 Auth-Type := Local, Cleartext-Password := "testusuario1"
> >usuario2 Auth-Type := Local, Password := "testusuario2"
> >usuario3 Cleartext-Password := "testusuario3"
> >
> >Error of freeradius running with -X option:
> >
> >rad_recv: Access-Request packet from host 192.168..1.100:1645, id=106, length=126
> >        Framed-Protocol = PPP
> >        User-Name = "chap"
> >        CHAP-Password = 0x019c1a0fb685942ed07fdb1e2d100e93f0
> >        NAS-Port-Type = Virtual
> >        NAS-Port = 1586
> >        Calling-Station-Id = "1141323200"
> >        Called-Station-Id = "8003450410"
> >        Connect-Info = "TLS-MISERVER-DIALUP"
> >        Service-Type = Framed-User
> >        NAS-IP-Address = 192.168.1.100
> >  Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 2
> >  modcall[authorize]: module "preprocess" returns ok for request 2
> >  rlm_chap: Setting 'Auth-Type := CHAP'
> >  modcall[authorize]: module "chap" returns ok for request 2
> >  modcall[authorize]: module "mschap" returns noop for request 2
> >    rlm_realm: No '@' in User-Name = "chap", looking up realm NULL
> >    rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop for request 2
> >  rlm_eap: No EAP-Message, not doing EAP
> >  modcall[authorize]: module "eap" returns noop for request 2
> >    users: Matched entry DEFAULT at line 173
> >    users: Matched entry DEFAULT at line 185
> >  modcall[authorize]: module "files" returns ok for request 2
> >rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> >  modcall[authorize]: module "pap" returns noop for request 2
> >modcall: leaving group authorize (returns ok) for request 2
> >  rad_check_password: Found Auth-Type CHAP
> >auth: type "CHAP"
> >  Processing the authenticate section of radiusd.conf
> >modcall: entering group CHAP for request 2
> >  rlm_chap: login attempt by "chap" with CHAP password
> >  rlm_chap: Could not find clear text password for user chap
> >  modcall[authenticate]: module "chap" returns invalid for request 2
> >modcall: leaving group CHAP (returns invalid) for request 2
> >auth: Failed to validate the user.
> >Login incorrect (rlm_chap: Clear text password not available): [chap/] (from client rasiplan2 port 1586 cli 1141323200)
> >Delaying request 2 for 1 seconds
> >Finished request 2
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 1 seconds...
> >--- Walking the entire request list ---
> >Waking up in 1 seconds...
> >--- Walking the entire request list ---
> >Sending Access-Reject of id 106 to 192.168.1.1 port 1645
> >Waking up in 4 seconds.
> >--- Walking the entire request list ---
> >Cleaning up request 2 ID 106 with timestamp 47472e23
> >Nothing to do. Sleeping until we see a request.