a newbie testing freeradius need help
Hi, I am a newbie trying to test FreeRADIUS for my master's thesis. I installed FreeRADIUS two days ago and did some initial testing; the initial test went through, so the RADIUS server is running properly. Before I move on I wanted to test the EAP modules, so I tried to test with the help of the eapol_test tool that comes with wpa_supplicant, but I cannot succeed: I get a failure message. I am really very new to Linux and to FreeRADIUS. Can someone help me with what I should do, because I can only move on further with my thesis if and only if I figure this out. Thank you for the help; I really appreciate any kind of help or suggestion. Thanks once again. Below are my conf files and screen output.

HERE IS MY SCREEN OUTPUT FROM THE RADIUS SERVER

Ready to process requests.
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020e01616e6f6e796d6f7573
Message-Authenticator = 0x948a064fcafc2f8442938817c4f353d7
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
EAP-Message = 0x010100160410a3803def371cc0ea374b74fd8923747b
Message-Authenticator = 0x
State = 0x47545c0a47555820cf82ad36ba08594f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020100060319
State = 0x47545c0a47555820cf82ad36ba08594f
Message-Authenticator = 0x0d125e124530442dfbf043c5d6e55468
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for unsupported type 25
rlm_eap: No common EAP types found.
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [anonymous/via Auth-Type = EAP] (from client localhost port 0 cli 02-00-00-00-00-01)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
EAP-Message = 0x04010004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +28
Waking up in 0.9 seconds.
Cleaning up request 1 ID 1 with timestamp +28
Ready to process requests.
User-Name = anonymous
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020e01616e6f6e796d6f7573
Message-Authenticator = 0xfbfadf8ca2d1f2729ac2cabcc17dee20
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Re: a newbie testing freeradius need help
jreubens wrote:
> I am a newbie trying to test FreeRADIUS for my master's thesis. I installed FreeRADIUS two days ago and did some initial testing; the initial test went through, so the RADIUS server is running properly. Before I move on I wanted to test the EAP modules, so I tried to test with the help of the eapol_test tool that comes with wpa_supplicant, but I cannot succeed: I get a failure message.
> ...
> rlm_eap: NAK asked for unsupported type 25

The system does not have the proper OpenSSL libraries installed. Install OpenSSL, and the development headers. Then re-build the server, and PEAP will work.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
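To make the diagnosis above concrete, here is an added example (not code from the original post, from FreeRADIUS or from wpa_supplicant) that decodes the EAP-Message attributes printed in the debug output: the server's MD5-Challenge request, the peer's Legacy NAK asking for type 25 (PEAP) and the final EAP-Failure. The Identity response is constructed as a well-formed packet, because the hex shown in the post is 12 bytes long while the server reports "length 14", so two zero bytes were evidently lost in transit; the decoder rejects that copy. The EAP_TYPES table and the diagnose() helper are this example's own.

```python
"""Decode the EAP-Message attributes from the eapol_test exchange quoted above.

Added example for this thread; not FreeRADIUS or wpa_supplicant code.
EAP framing per RFC 3748: Code(1) Identifier(1) Length(2) Type(1) Type-Data.
"""

# EAP Codes and the method Type numbers relevant to the debug output.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Legacy NAK", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(hexstr):
    """Parse one EAP packet given as the 0x... string from radiusd -X output.

    Returns a dict describing the packet, or raises ValueError if the
    header is inconsistent with the bytes actually present.
    """
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):                     # Success/Failure carry no Type byte
        return pkt
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    body = data[5:]
    if eap_type == 1:                      # Identity: the identity string
        pkt["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 3:                    # Legacy NAK: list of desired types
        pkt["desired_types"] = [EAP_TYPES.get(b, f"unknown({b})") for b in body]
    elif eap_type == 4:                    # MD5-Challenge: Value-Size, Value, Name
        size = body[0]
        pkt["challenge"] = body[1:1 + size].hex()
    return pkt


def diagnose(server_offer_hex, peer_nak_hex):
    """Explain a failed method negotiation: what the server offered versus what
    the peer asked for in its NAK (the 'NAK asked for unsupported type' line)."""
    offer = decode_eap(server_offer_hex)
    nak = decode_eap(peer_nak_hex)
    if nak.get("type") != "Legacy NAK":
        return "no NAK in reply"
    return (f"server offered {offer['type']}, peer wants {', '.join(nak['desired_types'])}; "
            f"the server must have those methods enabled (and built, e.g. OpenSSL for PEAP)")


# From the post: the MD5 challenge the server issued, the peer's NAK and the
# final Failure. The Identity response is CONSTRUCTED as a well-formed packet
# (code 2, id 0, length 14, "anonymous"); the post's copy has lost two zero bytes.
IDENTITY_RESPONSE = "0x0200000e01616e6f6e796d6f7573"
MD5_CHALLENGE = "0x010100160410a3803def371cc0ea374b74fd8923747b"
PEER_NAK = "0x020100060319"
EAP_FAILURE = "0x04010004"

if __name__ == "__main__":
    for h in (IDENTITY_RESPONSE, MD5_CHALLENGE, PEER_NAK, EAP_FAILURE):
        print(decode_eap(h))
    print(diagnose(MD5_CHALLENGE, PEER_NAK))
```

Reading the NAK this way shows why the reply is Access-Reject: the server only had EAP-MD5 to offer, the supplicant answered that it would accept nothing but PEAP, and with no method in common rlm_eap has to fail the conversation. A server built without OpenSSL cannot offer any TLS-based method, which is the rebuild Alan points to.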
Re: Multiple instances of attribute in tunnelled reply
Arran Cudbard-Bell wrote:
> Hi, We formulate our reply inside of the virtual server dealing with EAP and send it back to the outer server. This is the only way I could think of to insert the Inner identity into the Access-Accept.
> ...
> update outer.reply {
>     User-Name := foo
> }
> ...
> It all works fine... however it seems there's a bug when dealing with multiple instances of the same attribute.

Ah the code in unlang was fixed to correct this problem. The basic API used in the basic RADIUS library wasn't fixed.

Ok... I'll take a look at it when I get back from my current trip.

> What's really weird is in the previous rounds of EAP, the attributes retain the += operator, it's only in the one where the EAP-Success message is returned where all the operators are stripped out.

Yes. copy everything, versus merge via operators.

Alan DeKok.
Re: Multiple instances of attribute in tunnelled reply
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Hi, We formulate our reply inside of the virtual server dealing with EAP and send it back to the outer server. This is the only way I could think of to insert the Inner identity into the Access-Accept.
>> ...
>> update outer.reply {
>>     User-Name := foo
>> }
>> ...

Hmm, it's complicated... there are authorisation issues too.

>> It all works fine... however it seems there's a bug when dealing with multiple instances of the same attribute.
>
> Ah the code in unlang was fixed to correct this problem. The basic API used in the basic RADIUS library wasn't fixed.
>
> Ok... I'll take a look at it when I get back from my current trip.

Ok that helps, didn't realise it was fixed in unlang; least I can get some dynamic ACL testing done.

>> What's really weird is in the previous rounds of EAP, the attributes retain the += operator, it's only in the one where the EAP-Success message is returned where all the operators are stripped out.
>
> Yes. copy everything, versus merge via operators.

Yep.

> Alan DeKok.

Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
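The distinction Alan draws, merging via the update operators versus copying everything, can be shown with a small model. This is an added example, not FreeRADIUS code: the function names, the constructed Filter-Id values and the copy_everything() model of the no-operator path are this example's assumptions, and the server's real merge code is not reproduced. It shows that the two strategies only diverge when an attribute ends up with more than one instance, which is exactly the case Arran reports, and why that matters for a reply that carries authorization (the inner identity and ACL attributes).

```python
"""Attribute-list merge with update operators versus a wholesale copy.

Added example for this thread, not FreeRADIUS code. It models three unlang
update operators on a reply list of (attribute, value) pairs:
    =   add the attribute only if no instance of it exists yet
    :=  replace every existing instance with this single one
    +=  append one more instance, keeping the existing ones
and contrasts that with copying every pair across regardless of operator.
"""


def merge_with_operators(reply, updates):
    """Apply (attr, op, value) triples to a reply list, honouring the operator."""
    out = list(reply)
    for attr, op, value in updates:
        if op == "=":
            if not any(a == attr for a, _ in out):
                out.append((attr, value))
        elif op == ":=":
            out = [(a, v) for a, v in out if a != attr]
            out.append((attr, value))
        elif op == "+=":
            out.append((attr, value))
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return out


def copy_everything(reply, updates):
    """Model of the no-operator path: every update is appended as-is, so a ':='
    meant to replace User-Name leaves both the old and the new instance behind."""
    return list(reply) + [(attr, value) for attr, _, value in updates]


def instances(reply, attr):
    """All values of one attribute, in list order (RADIUS keeps duplicates)."""
    return [v for a, v in reply if a == attr]


# Constructed sample: the outer reply already carries the anonymous outer
# identity and one Filter-Id; the inner tunnel wants to set the real
# User-Name (':=', as in the post) and add two more Filter-Id instances ('+=').
OUTER_REPLY = [("User-Name", "anonymous"), ("Filter-Id", "acl-base")]
INNER_UPDATES = [
    ("User-Name", ":=", "foo"),
    ("Filter-Id", "+=", "acl-staff"),
    ("Filter-Id", "+=", "acl-wifi"),
    ("Session-Timeout", "=", "3600"),
]

if __name__ == "__main__":
    merged = merge_with_operators(OUTER_REPLY, INNER_UPDATES)
    copied = copy_everything(OUTER_REPLY, INNER_UPDATES)
    print("merged User-Name:", instances(merged, "User-Name"))   # ['foo']
    print("copied User-Name:", instances(copied, "User-Name"))   # ['anonymous', 'foo']
    print("merged Filter-Id:", instances(merged, "Filter-Id"))
```

With a single-instance attribute the two paths agree; once Filter-Id has several instances and User-Name is meant to be replaced, only the operator-aware merge yields one User-Name and the full ACL list, which is what an Access-Accept consumed by a NAS or accounting backend needs to be unambiguous.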
Re: a newbie testing freeradius need help
Thank you, Alan, for your time. As I mentioned before, I am new to Linux too. I had installed OpenSSL already and the libraries are in the /usr/local/lib folder. I don't know how to enable this (path) in the server, because I guess there is another OpenSSL (older version) installed; I had this problem when making the eapol_test tool, then I installed the newer version in the specified directory. Then how can I restart radiusd? Is it OK to kill the daemon and then start it again? Sorry for this naive question. Thank you once again for the time you are taking for me.

BR,
Jreuben

Alan DeKok [EMAIL PROTECTED] wrote:
> The system does not have the proper OpenSSL libraries installed. Install OpenSSL, and the development headers. Then re-build the server, and PEAP will work.
802.1x+WLAN and radtest
Hi, we are using one RADIUS server for external users to get access to an 802.1x WLAN. The RADIUS server is configured to look for the domain and only answer local requests or ones from our domain. Everything else is forwarded to a central instance (using the proxy.conf). Now I have a strange problem: when I use our local domain, radtest and the WLAN are working fine. When I try to use an external domain account, radtest says OK, but using the same account for the WLAN will fail. How can I debug this error?

--
Bye, Peer
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10   Telefon: ++49 3641 57-6705
D-07745 Jena         Telefax: ++49 3641 57-7705
Re: 802.1x+WLAN and radtest
radiusd -X

Ivan Kalik
Kalik Informatika ISP
Re: a newbie testing freeradius need help
On 23.04.2008 at 10:56, jennie susan wrote:
> Thank you, Alan, for your time. As I mentioned before, I am new to Linux too. I had installed OpenSSL already and the libraries are in the /usr/local/lib folder. I don't know how to enable this (path) in the server, because I guess there is another OpenSSL (older version) installed; I had this problem when making the eapol_test tool, then I installed the newer version in the specified directory.

You could use the LD_LIBRARY_PATH environment variable to set the path where to find a library. Be careful that this feature might be disabled by the Linux distribution that you are using (mainly due to security reasons). In that case you have to change /etc/ld.so.conf (or something like that).

> Then how can I restart radiusd? Is it OK to kill the daemon and then start it again? Sorry for this naive question.

As far as I know it is the recommended way.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: eap/peap certificate problems?
Great, but it was not the case for FreeRADIUS 1.x, which I was using and discussing all the time.

Regards,
D.

2008/4/22 Alan DeKok [EMAIL PROTECTED]:
> David Hláčik wrote:
>> i did a lot of reading about certificate generation,
>
> This just kills me. 2.0 ships with scripts to create certificates, and documentation saying that this is what it does. The Wiki also has a page describing certificate creation. Go to the find dialog, and type certificates. You'll be taken directly to a page documenting these things.
>
> Alan DeKok.
Re: 802.1x+WLAN and radtest
Hi, enclosed is the output from radiusd -X, first using radtest, then switching to the WLAN with the same username and password:

=radiusd -X out
rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, length=68
User-Name = [EMAIL PROTECTED]
User-Password = PASSWD
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
radius_xlat: '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423
modcall[authorize]: module auth_log returns ok for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: Looking up realm ice.mpg.de for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Proxying request from user pkoch to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
modcall[authorize]: module suffix returns updated for request 7
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 7
modcall[authorize]: module files returns notfound for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: 'uid=_'
radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
Sending Access-Request of id 6 to 193.174.75.134 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = PASSWD
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x323238
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 193.174.75.134:1812, id=6, length=25
Proxy-State = 0x323238
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
attr_filter: Matched entry DEFAULT at line 103
modcall[post-proxy]: module attr_filter returns updated for request 7
modcall[post-proxy]: module eap returns noop for request 7
modcall: leaving group post-proxy (returns updated) for request 7
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
radius_xlat: '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423
modcall[authorize]: module auth_log returns ok for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[authorize]: module suffix returns noop for request 7
modcall[authorize]: module eap returns noop for request 7
modcall[authorize]: module files returns notfound for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: 'uid=_'
radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 7
modcall: leaving group authorize (returns ok) for request 7
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 7
modcall[post-auth]: module ldap returns noop for request 7
modcall: leaving group post-auth (returns noop) for request 7
Sending Access-Accept of id 228 to 141.5.16.151 port 2234
Finished request 7
Going to the next request
Waking up in 6 seconds...
===Now the same over WLAN===
--- Walking the entire request list ---
Cleaning up request 7 ID 228 with timestamp 480f2719
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201
User-Name = [EMAIL PROTECTED]
MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa
MS-CHAP2-Response
Nas IP address in logs
Hi, how can I get the NAS-IP-Address in radius.log?

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
Re: 802.1x+WLAN and radtest
This is the debug from the proxy, not the home server. You need a debug from the home server to see why the first one is accepted and the second one rejected. Since the first one was a PAP request and the second MSCHAP, the usual problem is that the password stored on the home server is encrypted.

Ivan Kalik
Kalik Informatika ISP
Re: Nas IP address in logs
From clients.conf:

# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
shortname = localhost

shortname is printed in the log. Put NAS IP there if you want it in radius.log.

Ivan Kalik
Kalik Informatika ISP
the problem about the session key
Hello, I learned that there is an MK that needs to be passed to the AP after the auth is complete. Do you know how to generate the key? Are they generated differently in different ways of auth?

Xingtom
Re: 802.1x+WLAN and radtest
Hi Ivan, thanks, but I don't have access to this server. I can only do anything on our proxy. You are right, the WLAN is configured with WPA2 TKIP, PEAP and MS-CHAP-V2. Is there anything else I can do?

Bye, Peer

--
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10   Telefon: ++49 3641 57-6705
D-07745 Jena         Telefax: ++49 3641 57-7705
Re: Nas IP address in logs
Thanks Ivan, I know that :) But I want to get the IP from NASes that are behind a NAT/proxy/firewall server; I want the NAS IP and not the NAT/proxy/firewall server IP. In fact my clients.conf has something as follows:

client 10.128.255.86 {
    require_message_authenticator = no
    secret = pepepotamo
    shortname = Hormiga
}
client 10.128.255.87 {
    require_message_authenticator = no
    secret = pepepotamo2
    shortname = Avispa
}
client 203.221.198.59 {
    require_message_authenticator = no
    secret = pepepotamo3
    shortname = Abeja
}
--- end of file ---

The client with 203.221.198.59 is a remote server (connected to RADIUS via VPN) with NASes behind it. If I run in debug mode I can see that the actual NAS IP can be read. For example:

rad_recv: Access-Request packet from host 203.221.198.59 port 2048, id=0, length=123
User-Name = soyreloco
NAS-IP-Address = 192.168.134.210
Called-Station-Id = 001d7edc2621
Calling-Station-Id = 001b63085e39
NAS-Identifier = 001d7edc2624
NAS-Port = 63
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a016c79616972
Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3

Is there a way to get such a thing (192.168.134.210 in this case) in the radius logs with radius running in non-debug mode? Thanks in advance!

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
Active Directory anonymous rebinding when following references
Numerous posts about Active Directory OU searching and FreeRADIUS can be found easily via Google, but none seem to have the definitive answer/workaround for the Windows 2003 rebind failure when searching the root of the Active Directory. On the latest freeradius-2.0.3 compiled from source, I get the rlm_ldap errors below whenever I use the basedn = dc=my,dc=domainname,dc=com:

rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed

I am binding to LDAP with a username/password (not anonymous). All seem to point back to bug 183, which has been open for a long time: http://bugs.freeradius.org/show_bug.cgi?id=183

Is this bug still considered valid? What further needs to be done to get the patch or a similar fix integrated into the main code tree, especially the 2.0 release? I see the patch there, and have applied it to my old freeradius-1.0.1 installation, but stability issues prompted me to investigate an upgrade, and I am not entirely sure that the patch didn't *cause* my stability problems to begin with (the comment by Alan DeKok in the bugzilla entry sounds a little ominous). FWIW, my specific stability problem is the following:

Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use

And the server rejects all requests until it is restarted. The server is not under a high load. The errors only occur after the server has been running for a few weeks. I could increase ldap_connections_number, but I suspect that will only band-aid the problem so it runs for a few more weeks before failing.

My LDAP configuration block is below:

ldap {
    server = xxx
    identity = [EMAIL PROTECTED]
    password = zzz
    basedn = dc=my,dc=domain,dc=com
    filter = (SamAccountName=%U)
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # tls {
    #     start_tls = no
    # }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupmembership_filter = (&(objectClass=Group)(member=%{Ldap-UserDn}))
}

I would be happy to produce more configuration files upon request, if it would help. Thoughts are appreciated.

Scott
Sr. Network Engineer
Great River Energy
Re: rlm_sqlippool
raddb/sqlippool.conf:

## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
## pool-key = %{NAS-Port}
pool-key = %{Calling-Station-Id}

What I suggest is that we take the "NAS that send fixed NAS-Port" condition off from the RLM_SQLIPPOOL module, because, as I said before, it is NOT a must to always send the NAS-Port (e.g. some GGSNs). What would be the consequences of taking it off?

Thanks,

On Tue, Apr 22, 2008 at 9:43 PM, rsg [EMAIL PROTECTED] wrote:
> On Tue, Apr 22, 2008 at 9:24 PM, Alan DeKok [EMAIL PROTECTED] wrote:
>> rsg wrote:
>>> In my opinion it should be open to be decided between NAS-Port and Calling-Station-Id depending on the service.
>>
>> Which is why you can edit the queries in the SQL ippool module. If the non-SQL ippool module doesn't do what you want, fix it, and supply a patch.
>>
>> Alan DeKok.
>
> No, I'm referring to the SQL ippool; the following entry gives the result I indicated in my first mail. From sqlippool.c:
>
>     if (pairfind(request->packet->vps, PW_NAS_PORT) == NULL) {
>             DEBUG("rlm_sqlippool: unknown NAS-Port");
>             return RLM_MODULE_NOOP;
>     }
FW: is okay
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your confirmation is required to join the Freeradius-Users mailing list
Date: Wed, 23 Apr 2008 17:25:45 +0200

Mailing list subscription confirmation notice for mailing list Freeradius-Users

We have received a request from 200.0.112.129 for subscription of your email address, [EMAIL PROTECTED], to the freeradius-users@lists.freeradius.org mailing list. To confirm that you want to be added to this mailing list, simply reply to this message, keeping the Subject: header intact. Or visit this web page:

http://lists.freeradius.org/mailman/confirm/freeradius-users/207f898fd4ffaa48bbe50ae10f48767ca4f802a7

Or include the following line -- and only the following line -- in a message to [EMAIL PROTECTED]:

confirm 207f898fd4ffaa48bbe50ae10f48767ca4f802a7

Note that simply sending a `reply' to this message should work from most mail readers, since that usually leaves the Subject: line in the right form (additional Re: text in the Subject: is okay). If you do not wish to be subscribed to this list, please simply disregard this message. If you think you are being maliciously subscribed to the list, or have any other questions, send them to [EMAIL PROTECTED]
Open Directory and freeRadius
I currently have freeRadius running on a Macintosh 10.5 server. freeRadius is using Open Directory for authentication and authorization. This is working successfully.

What I would like to do next is have the PrimaryGroupID or the gidNumber in Open Directory for that particular user passed back to, in this case, an Aruba Controller, so that the Aruba Controller can authorize the user based on the group membership.

Any suggestions?

Thank you,
Aaron
Re: rlm_sqlippool
No idea. That check must have some purpose. The usual workaround for this is to rewrite (update, in freeradius speak) the NAS-Port attribute with the value of Calling-Station-Id (in unlang, perl, ...). That sorts out the missing NAS-Port in the request. There are way too many places where NAS-Port needs to be changed in the configuration, and you might need to alter code as well - hence "ONLY change this if you know what you are doing!".

Ivan Kalik
Kalik Informatika ISP

On 23/4/2008, rsg [EMAIL PROTECTED] wrote:
> raddb/sqlippool.conf
>
> ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
> ## ONLY change this if you know what you are doing!
> ## pool-key = %{NAS-Port}
> pool-key = %{Calling-Station-Id}
>
> What I suggest is that we take the "NAS that send fixed NAS-Port" condition off from the RLM_SQLIPPOOL module. Because, as I said before, it is NOT a must to send the NAS-Port always (e.g. some GGSNs). What would be the consequences of taking it off?
>
> Thanks,
>
> On Tue, Apr 22, 2008 at 9:43 PM, rsg [EMAIL PROTECTED] wrote:
> > On Tue, Apr 22, 2008 at 9:24 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> > > rsg wrote:
> > > > In my opinion it should be open to be decided between NAS-Port and Calling-Station-Id depending on the service.
> > >
> > > Which is why you can edit the queries in the SQL ippool module. If the non-SQL ippool module doesn't do what you want, fix it, and supply a patch.
> > >
> > > Alan DeKok.
> >
> > No, I'm referring to the SQL ippool; the following entry gives the result that I've indicated in my first mail.
> >
> > From sqlippool.c:
> >
> > if (pairfind(request->packet->vps, PW_NAS_PORT) == NULL) {
> >     DEBUG("rlm_sqlippool: unknown NAS-Port");
> >     return RLM_MODULE_NOOP;
> > }
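One way to put the workaround Ivan describes into configuration, added here as an example that is not from this thread or from the FreeRADIUS project. It assumes a FreeRADIUS 2.x server with the sqlippool instance from raddb/sqlippool.conf, and that the NASes which omit NAS-Port (the GGSN case) do send a Calling-Station-Id that is stable for the session. NAS-Port is an integer attribute, so rather than copying a MAC address or MSISDN into it, the example inserts a fixed dummy NAS-Port only when the attribute is absent, which is enough for the pairfind() check quoted above to pass, and keys the pool on Calling-Station-Id as the sqlippool.conf comment suggests. Requests that already carry a NAS-Port are left untouched.

```unlang
# Added example (not from the thread or the FreeRADIUS project).
# Assumes FreeRADIUS 2.x and the sqlippool instance from raddb/sqlippool.conf.

# --- raddb/sqlippool.conf ---
# Key the pool on the station identifier instead of the port, as the shipped
# comment suggests. The dummy NAS-Port set below is then never used as a key.
# pool-key = %{NAS-Port}
pool-key = %{Calling-Station-Id}

# --- raddb/sites-enabled/default ---
authorize {
    # Some NASes (e.g. GGSNs) send no NAS-Port at all, and rlm_sqlippool
    # returns noop when the attribute is missing. Only in that case, add a
    # fixed value so the module's existence check passes.
    if (!NAS-Port) {
        update request {
            NAS-Port := 0
        }
    }
    # ... the remaining authorize modules (preprocess, suffix, files, sql, ...)
}

post-auth {
    # Allocation happens here; the fixup above has already run for this request.
    sqlippool
}

accounting {
    # Accounting-Stop from the same NAS also lacks NAS-Port. If the module
    # applies the same check on the accounting side, repeat the fixup before
    # calling it so the release is processed and the address is freed.
    if (!NAS-Port) {
        update request {
            NAS-Port := 0
        }
    }
    sqlippool
}
```

Restricting the update to requests where NAS-Port is absent keeps the behaviour of every NAS that sends a real port unchanged, which limits the blast radius of the workaround; a plain unconditional `NAS-Port := 0` would instead collapse all sessions on a port-based NAS onto one key.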
Re: Nas IP address in logs
That will be logged in your accounting log.

Ivan Kalik
Kalik Informatika ISP

On 23/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
> Thanks Ivan, I know that :) But I want to get the IP from NASes that are behind a NAT-proxy-firewall server; I want the NAS IP and not the NAT-proxy-firewall server IP. In fact my clients.conf has something as follows:
>
> client 10.128.255.86 {
>     require_message_authenticator = no
>     secret = pepepotamo
>     shortname = Hormiga
> }
> client 10.128.255.87 {
>     require_message_authenticator = no
>     secret = pepepotamo2
>     shortname = Avispa
> }
> client 203.221.198.59 {
>     require_message_authenticator = no
>     secret = pepepotamo3
>     shortname = Abeja
> }
> --- end of file ---
>
> The client with 203.221.198.59 is a remote server (connected to radius via VPN) with NASes behind it. If I run in debug mode I can see that the actual NAS IP can be read, for example:
>
> rad_recv: Access-Request packet from host 203.221.198.59 port 2048, id=0, length=123
>     User-Name = soyreloco
>     NAS-IP-Address = 192.168.134.210
>     Called-Station-Id = 001d7edc2621
>     Calling-Station-Id = 001b63085e39
>     NAS-Identifier = 001d7edc2624
>     NAS-Port = 63
>     Framed-MTU = 1400
>     NAS-Port-Type = Wireless-802.11
>     EAP-Message = 0x020a016c79616972
>     Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3
>
> Is there a way to get such a thing (192.168.134.210 in this case) in radius logs with radius running in non-debug mode?
>
> Thanks in advance!
>
> 2008/4/23, Ivan Kalik [EMAIL PROTECTED]:
> > From clients.conf:
> >
> > # The short name is used as an alias for the fully qualified
> > # domain name, or the IP address.
> > # shortname = localhost
> >
> > shortname is printed in the log. Put the NAS IP there if you want it in radius.log.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 23/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
> > > Hi, how can I get the NAS-IP-Address in radius.log?
> > >
> > > --
> > > Open Kairos http://www.openkairos.com
> > > Watch More TV http://sebelk.blogspot.com
> > > Sergio Belkin
>
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin
Compiling freeradius.org 2.0.3 on Red Hat 7.3
I'm trying to compile freeradius.org version 2.0.3 on Red Hat 7.3, and I'm getting the following error:

/usr/local/src/radius/freeradius-server-2.0.3/src/freeradius-devel/rad_assert.h:26: warning: `used' attribute directive ignored
In file included from ../../eap.h:34,
                 from eap_tnc.c:58:
../../libeap/eap_types.h:30: warning: `used' attribute directive ignored
eap_tnc.c: In function `eaptnc_extract':
eap_tnc.c:137: parse error before `unsigned'
eap_tnc.c:141: parse error before `int'
eap_tnc.c:147: `ptr' undeclared (first use in this function)
eap_tnc.c:147: (Each undeclared identifier is reported only once
eap_tnc.c:147: for each function it appears in.)
eap_tnc.c:153: `thisDataLength' undeclared (first use in this function)
eap_tnc.c:154: `dataStart' undeclared (first use in this function)
eap_tnc.c: In function `eaptnc_compose':
eap_tnc.c:212: parse error before `unsigned'
eap_tnc.c:214: `swappedDataLength' undeclared (first use in this function)
eap_tnc.c:217: parse error before `thisDataLength'
eap_tnc.c:220: parse error before `int'
eap_tnc.c:224: `offset' undeclared (first use in this function)
eap_tnc.c:225: `thisDataLength' undeclared (first use in this function)
gmake[9]: *** [eap_tnc.lo] Error 1
gmake[9]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap/types/rlm_eap_tnc'
gmake[8]: *** [common] Error 2
gmake[8]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap/types'
gmake[7]: *** [all] Error 2
gmake[7]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap/types'
gmake[6]: *** [common] Error 2
gmake[6]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/usr/local/src/radius/freeradius-server-2.0.3'
make: *** [all] Error 2

I've searched the wiki site and the mailing list archives and not found much on this error. Yes, I know that RH 7.3 is old/etc., so I'm not looking for pat answers like "upgrade to the latest O/S version". In searching for the error message (`used' attribute directive ignored) I haven't come up with anything helpful.

Thanks for any assistance you can provide!
Re: 802.1x+WLAN and radtest
Install SecureW2 and try EAP-TTLS/PAP. If that works then passwords are encrypted and PEAP won't work.

Ivan Kalik
Kalik Informatika ISP

On 23/4/2008, Dr.Peer-Joachim Koch [EMAIL PROTECTED] wrote:
> Hi Ivan,
>
> thanks, but I don't have access to this server. I can only do anything on our proxy.
> You are right, the WLAN is configured with WPA2 TKIP, PEAP and MS-CHAP-V2.
> Is there anything else I can do?
>
> Bye, Peer
>
> Ivan Kalik wrote:
> > This is the debug from the proxy, not the home server. You need a debug from the home server to see why the first one is accepted and the second one rejected. Since the first one was a PAP request and the second MSCHAP, the usual problem is that the password stored on the home server is encrypted.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
>
> _
> Max-Planck-Institut fuer Biogeochemie
> Dr. Peer-Joachim Koch
> Hans-Knöll Str.10    Telefon: ++49 3641 57-6705
> D-07745 Jena         Telefax: ++49 3641 57-7705
Re: Nas IP address in logs
Thanks Ivan, that I didn't know :) Also, I had disabled accounting; now I enabled that and the detailed auth log. Now I get something as follows in radacct/10.128.255.80/auth-detail-20080423:

Wed Apr 23 14:16:22 2008
    Packet-Type = Access-Request
    User-Name = quelocoquesoyche
    NAS-IP-Address = 10.128.255.80
    Called-Station-Id = 005d7edc25de
    Calling-Station-Id = 005cb37ae2ee
    NAS-Identifier = 005d7edc25de
    NAS-Port = 55
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020c0167736965727232
    Message-Authenticator = 0x955e4a648595f3ae5dd7f3486dea99f4

Great!

2008/4/23, Ivan Kalik [EMAIL PROTECTED]:
> That will be logged in your accounting log.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 23/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
> > Thanks Ivan, I know that :) But I want to get the IP from NASes that are behind a NAT-proxy-firewall server; I want the NAS IP and not the NAT-proxy-firewall server IP. In fact my clients.conf has something as follows:
> >
> > client 10.128.255.86 {
> >     require_message_authenticator = no
> >     secret = pepepotamo
> >     shortname = Hormiga
> > }
> > client 10.128.255.87 {
> >     require_message_authenticator = no
> >     secret = pepepotamo2
> >     shortname = Avispa
> > }
> > client 203.221.198.59 {
> >     require_message_authenticator = no
> >     secret = pepepotamo3
> >     shortname = Abeja
> > }
> > --- end of file ---
> >
> > The client with 203.221.198.59 is a remote server (connected to radius via VPN) with NASes behind it. If I run in debug mode I can see that the actual NAS IP can be read, for example:
> >
> > rad_recv: Access-Request packet from host 203.221.198.59 port 2048, id=0, length=123
> >     User-Name = soyreloco
> >     NAS-IP-Address = 192.168.134.210
> >     Called-Station-Id = 001d7edc2621
> >     Calling-Station-Id = 001b63085e39
> >     NAS-Identifier = 001d7edc2624
> >     NAS-Port = 63
> >     Framed-MTU = 1400
> >     NAS-Port-Type = Wireless-802.11
> >     EAP-Message = 0x020a016c79616972
> >     Message-Authenticator = 0x951db6ffd60187bc4b6fee7f951feef3
> >
> > Is there a way to get such a thing (192.168.134.210 in this case) in radius logs with radius running in non-debug mode?
> >
> > Thanks in advance!
> >
> > 2008/4/23, Ivan Kalik [EMAIL PROTECTED]:
> > > From clients.conf:
> > >
> > > # The short name is used as an alias for the fully qualified
> > > # domain name, or the IP address.
> > > # shortname = localhost
> > >
> > > shortname is printed in the log. Put the NAS IP there if you want it in radius.log.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > On 23/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
> > > > Hi, how can I get the NAS-IP-Address in radius.log?
> > > >
> > > > --
> > > > Open Kairos http://www.openkairos.com
> > > > Watch More TV http://sebelk.blogspot.com
> > > > Sergio Belkin
> >
> > --
> > Open Kairos http://www.openkairos.com
> > Watch More TV http://sebelk.blogspot.com
> > Sergio Belkin

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
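For the original question in this thread (the NAS address in a log while the server runs in non-debug mode), an added example that is not from the thread or from the FreeRADIUS project: a one-line-per-request log written with rlm_linelog. It assumes a FreeRADIUS 2.x server where rlm_linelog is available; the module instance name, file name and line format are this example's own choices. The line records both Client-IP-Address, the source address the packet really arrived from, and NAS-IP-Address, which is whatever the NAS wrote into the packet. For the NAT/VPN setup above those differ, and keeping both in the same line is what lets you tell a genuine NAS behind the proxy apart from a packet whose NAS-IP-Address simply does not match the client that sent it.

```unlang
# Added example (not from the thread or the FreeRADIUS project).
# Assumes FreeRADIUS 2.x with rlm_linelog. Instance name, file and format
# are this example's choices.

# --- raddb/modules/nas_ip_log ---
linelog nas_ip_log {
    # One line per request, written whether or not the server is in debug mode.
    filename = ${logdir}/nas-ip.log

    # Client-IP-Address: the address the packet actually came from (here the
    #   NAT-proxy-firewall box 203.221.198.59, as matched in clients.conf).
    # NAS-IP-Address / NAS-Identifier: values supplied by the NAS itself,
    #   only as trustworthy as the shared secret and the NAS behind the proxy.
    # %t is the request timestamp in ctime format.
    format = "%t client=%{Client-IP-Address} nas=%{NAS-IP-Address} nas-id=%{NAS-Identifier} user=%{User-Name} station=%{Calling-Station-Id}"
}

# --- raddb/sites-enabled/default ---
authorize {
    preprocess
    # Log early, before any module can reject the request, so rejected
    # attempts are recorded with the same fields as accepted ones.
    nas_ip_log
    # ... the rest of the authorize section unchanged
}
```

Compared with the auth-detail file shown above, this gives a single grep-able line per request and pairs the unauthenticated NAS-IP-Address with the address the server itself observed, which is the field to rely on when correlating with firewall or VPN logs.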
MS-CHAP-Error
All,

We're rolling out a password-expiry policy here, and it's been suggested that it would be helpful for the VPN to prompt a user to change their password, rather than just lock them out.

The VPN is poptop on Linux, authing to FreeRadius, which currently talks to winbind and then to our w2k3 servers, but may be moving to proxy the final inner mschap to IAS (all the policy checks and interesting stuff will be staying on FreeRadius - but using FR2 and a proxy plus a pool of home servers seems likely to give us better failure and recovery characteristics when an AD controller goes away).

When we MS-CHAP an expired account we get an MS-CHAP-Error packet in the reply as expected:

Sending Access-Request of id 7 to 192.168.29.34 port 1812
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = test
    MS-CHAP-Challenge = 0xSNIP
    MS-CHAP2-Response = 0xSNIP
    Calling-Station-Id = 192.168.55.55
    NAS-IP-Address = 192.168.54.54
    NAS-Port = 0
    Proxy-State = 0x3633
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46
    Proxy-State = 0x3633
    MS-CHAP-Error = \000E=648 R=0 V=3

...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error packet back to the radius client (pppd radius.so plugin), so my patches to pppd are unable to act on the error code.

Am I wasting my time?
Re: Compiling freeradius.org 2.0.3 on Red Hat 7.3
Robert Haskins wrote:
> I'm trying to compile freeradius.org version 2.0.3 on Red Hat 7.3, and I'm getting the following error:

Wow. That's a seriously OLD OS install. Please consider upgrading.

> /usr/local/src/radius/freeradius-server-2.0.3/src/freeradius-devel/rad_assert.h:26: warning: `used' attribute directive ignored
> In file included from ../../eap.h:34,
>                  from eap_tnc.c:58:
> ../../libeap/eap_types.h:30: warning: `used' attribute directive ignored

Assuming you don't need it, just remove the rlm_eap/types/rlm_eap_tnc sub-directory.
Re: MS-CHAP-Error
Hi,

> Sending Access-Request of id 7 to 192.168.29.34 port 1812
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     User-Name = test
>     MS-CHAP-Challenge = 0xSNIP
>     MS-CHAP2-Response = 0xSNIP
>     Calling-Station-Id = 192.168.55.55
>     NAS-IP-Address = 192.168.54.54
>     NAS-Port = 0
>     Proxy-State = 0x3633
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46
>     Proxy-State = 0x3633
>     MS-CHAP-Error = \000E=648 R=0 V=3
>
> ...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error packet back to the radius client (pppd radius.so plugin), so my patches to pppd are unable to act on the error code.

How about using unlang to check for the MS-CHAP-Error - and if that code exists, create a new attribute that WILL be sent back to the radius client... one on which other bits of code could act.

alan
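A concrete form of what Alan suggests, added here as an example that is not from this thread or from the FreeRADIUS project. It assumes a FreeRADIUS 2.x server where the inner MS-CHAPv2 request is proxied and the home server's Access-Reject carries MS-CHAP-Error, as in the debug above, and that the default Post-Auth-Type REJECT section calls attr_filter.access_reject, which keeps Reply-Message but strips attributes such as MS-CHAP-Error from the reject (if so, that filter is one reason the error never reaches the client). The example captures the numeric E= code before the filter runs and carries it in Reply-Message; the text format of that message is this example's own choice, and the pppd side would need to parse it. The E codes are the ones defined in RFC 2759 (648 ERROR_PASSWD_EXPIRED, 691 ERROR_AUTHENTICATION_FAILURE).

```unlang
# Added example (not from the thread or the FreeRADIUS project).
# Assumes FreeRADIUS 2.x unlang, a proxied MS-CHAPv2 inner request, and the
# default Post-Auth-Type REJECT that runs attr_filter.access_reject.

# --- raddb/sites-enabled/default ---
post-auth {
    # ... normal post-auth processing for Access-Accept ...

    Post-Auth-Type REJECT {
        # The home server's MS-CHAP-Error value looks like
        #   "<ident byte>E=648 R=0 V=3"        (RFC 2759 section 6)
        # where E=648 is ERROR_PASSWD_EXPIRED and E=691 is
        # ERROR_AUTHENTICATION_FAILURE. Match on the E= field only; the
        # leading ident byte is ignored by the regex.
        if (reply:MS-CHAP-Error =~ /E=([0-9]+)/) {
            update reply {
                # Reply-Message is permitted in an Access-Reject by the
                # default filter, so it survives to the NAS. Message text
                # format is hypothetical; pppd must parse the code out of it.
                Reply-Message := "MS-CHAP-Error code %{1}"
            }
        }

        # Keep the default filter, after the check above, so everything
        # else in the reject is still cleaned up per RFC.
        attr_filter.access_reject
    }
}
```

Only the numeric code is copied into the new attribute, not the whole MS-CHAP-Error string, so nothing from the home server's reject beyond the error class is exposed to the NAS; that is sufficient for a password-expired prompt and keeps the client-visible change to one well-defined field.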
Can unlang do this?
Should I expect something like this to do the right thing?

ldap-localhost {
    server = 127.0.0.1
    basedn = switch %{Huntgroup-Name} {
        case dsl {
            ou=dsl,ou=radius,dc=viptalk,dc=net
        }
        case {
            ou=accounts,ou=viptalk,ou=net
        }
    }
}

etc. Basically, I want to set certain ldap variables based on the Huntgroup-Name. Without defining a bunch of different ldap servers, that is.

Thanks.
Failed Auth using users file (sometimes)
Hi Guys

I have an account which I want to auth locally on our 2 proxy radius machines. The problem is that sometimes the connection authenticates and other times it does not; there are warnings in the logs below so I'm sure I have something wrong. But I cannot work out what I should be doing instead.

Also, how would I create a feature which would temporarily authenticate all users for a realm as allowed?

The users file entry is:

nyp2inter    Realm == 'xxx.com', User-Password == 'xxx', Proxy-To-Realm := LOCAL
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = xxx.xx.216.40,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Route = "xxx.xx.10.128/25 0.0.0.0 1",
    Framed-MTU = 1492,
    Framed-Compression = Van-Jacobsen-TCP-IP

Failed Auth:

rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=155, length=106
    Framed-Protocol = PPP
    User-Name = [EMAIL PROTECTED]
    User-Password = xxx
    NAS-Port-Type = Virtual
    NAS-Port = 328
    Calling-Station-Id = sfy713300200187
    Service-Type = Framed-User
    NAS-IP-Address = xxx.xx.208.165
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1647
modcall[authorize]: module preprocess returns ok for request 1647
radius_xlat: '/var/log/radius/radacct/xxx.xx.208.165/auth-detail-20080424'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxx.xx.208.165/auth-detail-20080424
modcall[authorize]: module auth_log returns ok for request 1647
modcall[authorize]: module attr_filter returns noop for request 1647
modcall[authorize]: module chap returns noop for request 1647
modcall[authorize]: module mschap returns noop for request 1647
rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm xxx.com
rlm_realm: Proxying request from user nyp2inter to realm xxx.com
rlm_realm: Adding Realm = xxx.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 1647
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 1647
modcall[authorize]: module files returns notfound for request 1647
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 1647
2008-04-24T11:29:37.613507: Verbose: RLM_PYTHON: handling Authorize request...
modcall[authorize]: module python returns ok for request 1647
modcall: leaving group authorize (returns ok) for request 1647
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/nyp4inter] (from client lns1.ade port 328 cli sfy713300200187)
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 1647
rlm_sql_log (sql_log): Processing sql_log_postauth
radius_xlat: 'INSERT INTO radpostauth (user, password, reply, date, reply_message) VALUES ('[EMAIL PROTECTED]', 'xxx', 'Access-Reject', '2008-04-24 11:29:37', '');'
radius_xlat: '/var/log/radius/radacct/sql-relay'
modcall[post-auth]: module sql_log returns ok for request 1647
modcall: leaving group REJECT (returns ok) for request 1647
Delaying request 1647 for 1 seconds
Finished request 1647

With no changes, this connected:

rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=167, length=106
    Framed-Protocol = PPP
    User-Name = [EMAIL PROTECTED]
    User-Password = xxx
    NAS-Port-Type = Virtual
    NAS-Port = 315
    Calling-Station-Id = sfy713300200187
    Service-Type = Framed-User
    NAS-IP-Address = xxx.xx.208.165
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1675
modcall[authorize]: module preprocess returns ok for request 1675
radius_xlat: '/var/log/radius/radacct/xxx.xx208.165/auth-detail-20080424'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxx.xx208.165/auth-detail-20080424
modcall[authorize]: module auth_log returns ok for request 1675
modcall[authorize]: module attr_filter returns noop for request 1675
modcall[authorize]: module chap returns noop for request 1675
modcall[authorize]: module mschap returns noop for request 1675
rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm xxx.com
rlm_realm: Adding Stripped-User-Name = nyp2inter
rlm_realm: Proxying request from user nyp2inter to realm xxx.com
rlm_realm: Adding Realm = xxx.com
rlm_realm: Preparing to proxy authentication request to realm xxx.com