Re: Radius reject the request
I install a new radius server as last, (for practice that know nothing is mismatch) and edit the correct users file, but radius reject me again.

Linux is so difficult :d

New debug output is attached. The firewall is disabled.

Thanks and Best Regards

FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Jul 23 2012 at 10:00:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    name = radiusd
    prefix = /usr/local
    localstatedir = /usr/local/var
    sbindir = /usr/local/sbin
    logdir = /usr/local/var/log/radius
    run_dir = /usr/local/var/run/radiusd
    libdir = /usr/local/lib
    radacctdir =
Re: Radius reject the request
On Mon, Jul 23, 2012 at 1:47 PM, Reza Hajjizadeh hajjiza...@gmail.com wrote:
> I install a new radius server as last, (for practice that know nothing is mismatch) and edit the correct users file, but radius reject me again.

Really? The debug log shows otherwise

# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
...
++[files] returns noop
...
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.

That means files module did not do anything (i.e. it doesn't find a line matching the request). From initialization section:

Module: Instantiating module files from file /usr/local/etc/raddb/modules/files
files {
    usersfile = /usr/local/etc/raddb/users
    acctusersfile = /usr/local/etc/raddb/acct_users
    preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    compat = no
}

Did you edit the file shown in usersfile? Did you follow the example there? What does it contain now?

> Linux is so difficult :d

Not if you use common sense. Most software (including FR) contains pretty good documentation (including comments in the configuration file). But you need to read it. The alternative is actually easy: hire someone capable to do it for you.

--
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius reject the request
Thanks for your help,

> Really? The debug log shows otherwise
>
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ...
> ++[files] returns noop
> ...
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
>
> That means files module did not do anything (i.e. it doesn't find a line matching the request). From initialization section:
>
> Module: Instantiating module files from file /usr/local/etc/raddb/modules/files
> files {
>     usersfile = /usr/local/etc/raddb/users
>     acctusersfile = /usr/local/etc/raddb/acct_users
>     preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
>     compat = no
> }
>
> Did you edit the file shown in usersfile?

Yes, I edited the users file at the shown path.

> Did you follow the example

Yes, the example in the file and in the wiki.freeradius.org

> there? What does it contain now?

testuser Cleartext-Password := Test

I'm trying to start with Linux, read from freeradius.org

Thanks, that helps me
Re: Radius reject the request
On Mon, Jul 23, 2012 at 3:42 PM, Reza Hajjizadeh hajjiza...@gmail.com wrote:
>> Did you edit the file shown in usersfile?
>
> yes, I edited the users file at the shown path

The debug log doesn't lie. If files module says noop on authorization phase, it usually means:
- the file FR reads doesn't contain the entry, OR
- the file FR reads doesn't contain the entry in the correct format, OR
- you haven't restarted FR since the last time you edited the users file

>> Did you follow the example
>
> yes the example in the file and in the wiki.freeradius.org
>
>> there? What does it contain now?
>
> testuser Cleartext-Password := Test

You tested with

rad_recv: Access-Request packet from host 127.0.0.1 port 33550, id=60, length=78
        User-Name = testuser
        User-Password = 123456

I'm guessing it's simply a matter of incorrect edits. Recheck the files carefully, make sure (again) that you edit the correct file, with the correct format, and the correct entry (in this case, pick either Test or 123456 as password, but be consistent about it), and make sure you restart FR afterwards (ctrl-C and rerun the command, if running in debug mode)

--
Fajar
Problems with Freeradius password encryption
I'm trying to do some performance tests with FR 2.1.10. I'm using radperf tool. I have two different machines with freeradius installed on them. In one of them the test is going well for now, but in the other (where I'm more interested on) the test fails with the following error:

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=50, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

Below I'll put the output from the freeradius run with -XXX with some comments on it:

rad_recv: Access-Request packet from host 127.0.0.1 port 38027, id=50, length=45
        User-Name = test1
        User-Password = \340V#\307\177\221\034\355\366M\255\364\271\340\253

/*** comment 1: the User-Password on the machine with well-working freeradius isn't encrypted. It looks simple like this: User-Password = test1 ***/

Mon Jul 23 11:36:48 2012 : Info: # Executing section authorize from file /netnfork/radius//etc/raddb/sites-enabled/default
Mon Jul 23 11:36:48 2012 : Info: +- entering group authorize {...}
Mon Jul 23 11:36:48 2012 : Info: ++[preprocess] returns ok
Mon Jul 23 11:36:48 2012 : Info: ++[chap] returns noop
Mon Jul 23 11:36:48 2012 : Info: [suffix] No '@' in User-Name = test1, looking up realm NULL
Mon Jul 23 11:36:48 2012 : Info: [suffix] No such realm NULL
Mon Jul 23 11:36:48 2012 : Info: ++[suffix] returns noop
Mon Jul 23 11:36:48 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Jul 23 11:36:48 2012 : Info: ++[eap] returns noop
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: %{User-Name} - test1
Mon Jul 23 11:36:48 2012 : Info: [sql] sql_set_user escaped user -- 'test1'
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test1' ORDER BY id
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: query affected rows = 1 , fields = 5
Mon Jul 23 11:36:48 2012 : Info: [sql] User found in radcheck table
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'test1' ORDER BY id
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: query affected rows = 0 , fields = 5
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM radusergroup WHERE UserName='test1' ORDER BY priority
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: query affected rows = 0 , fields = 1
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql (sql): Released sql socket id: 0
Mon Jul 23 11:36:48 2012 : Info: ++[sql] returns ok
Mon Jul 23 11:36:48 2012 : Info: ++[expiration] returns noop
Mon Jul 23 11:36:48 2012 : Info: ++[logintime] returns noop
Mon Jul 23 11:36:48 2012 : Info: ++[pap] returns updated
Mon Jul 23 11:36:48 2012 : Info: Found Auth-Type = PAP
Mon Jul 23 11:36:48 2012 : Info: # Executing group from file /netnfork/radius//etc/raddb/sites-enabled/default
Mon Jul 23 11:36:48 2012 : Info: +- entering group PAP {...}
Mon Jul 23 11:36:48 2012 : Info: [pap] login attempt with password �V#�??��M�
Mon Jul 23 11:36:48 2012 : Info: [pap] Using clear text password test1
Mon Jul 23 11:36:48 2012 : Info: [pap] Passwords don't match
Mon Jul 23 11:36:48 2012 : Info: ++[pap] returns reject

/*** comment 2: the last four lines in the well-working server are:
Mon Jul 23 11:32:15 2012 : Info: [pap] login attempt with password test92
Mon Jul 23 11:32:15 2012 : Info: [pap] Using clear text password test92
Mon Jul 23 11:32:15 2012 : Info: [pap] User authenticated successfully
Mon Jul 23 11:32:15 2012 : Info: ++[pap] returns ok
***/

Mon Jul 23 11:36:48 2012 : Info: Failed to authenticate the user.
Mon Jul 23 11:36:48 2012 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Mon Jul 23 11:36:48 2012 : Info: Using Post-Auth-Type Reject
Mon Jul 23 11:36:48 2012 : Info: # Executing group from file /netnfork/radius//etc/raddb/sites-enabled/default
Mon Jul 23 11:36:48 2012 : Info: +- entering group REJECT {...}
Mon Jul 23 11:36:48 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} - test1
Mon Jul 23 11:36:48 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Jul 23 11:36:48 2012 : Info: ++[attr_filter.access_reject] returns updated
Mon Jul 23 11:36:48 2012 : Info: Delaying reject of request 3 for 1 seconds
Mon Jul
Re: Radius reject the request
Hi,

> I install a new radius server as last, (for practice that know nothing is mismatch) and edit the correct users file, but radius reject me again.

okay..i'll believe you that you edited the correct file. and you say you did testuser with password Test

okay...so let's look at the output:

rad_recv: Access-Request packet from host 127.0.0.1 port 33550, id=60, length=78
        User-Name = testuser
        User-Password = 123456
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 10
        Message-Authenticator = 0xd65e729657b704159f09d0feb24eeed8

hmmm, oh wait! the request is for 'testuser' with password '123456'

so, unless you expect some random magic to occur, this isn't going to work. either send the correct request, or put the correct password into the users file

blaming Linux for being difficult?

alan
Re: freeradius down and shows Error: ASSERT FAILED modcall.c[106]: (p-type MOD_SINGLE) (p-type = MOD_POLICY)
Hi,

> I found my freeradius is down and show log below
>
> Sun Jul 22 06:25:05 2012 : Info: Module: Reloaded module detail
> Sun Jul 22 06:25:05 2012 : Info: Module: Reloaded module pap
> Sun Jul 22 06:25:05 2012 : Info: Module: Reloaded module radutmp
> Sun Jul 22 06:25:05 2012 : Info: Module: Reloaded module suffix
> Sun Jul 22 06:25:05 2012 : Info: Module: Reloaded module attr_filter.access_reject
> Sun Jul 22 06:25:05 2012 : Info: Module: Reloaded module attr_filter.accounting_response
> Sun Jul 22 06:25:05 2012 : Info: Loaded virtual server inner-tunnel
> Sun Jul 22 06:25:05 2012 : Info: Loaded virtual server default
> Sun Jul 22 06:25:05 2012 : Error: ASSERT FAILED modcall.c[106]: (p-type MOD_SINGLE) (p-type = MOD_POLICY)

what version? if not the latest from freeradius.org, then in the first instance, upgrade your server as it may be a bug already fixed. after upgrading, see if you can replicate the incident. if so, then read doc/bugs and provide the required output

alan
Re: Problems with Freeradius password encryption
Hi,

> tool. I have two different machines with freeradius installed on them. In one of them the test is going well for now, but in the other (where I'm more interested on) the test fails with the following error:
>
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=50, length=20
> rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

^^ the debug output is telling you exactly what is wrong

and because the User-Password is encrypted using the shared secret, if it doesn't match, then test1 will become some string of junk

check your clients.conf file (or NAS table if done via SQL entries) for the shared secret for the local host - you may find that the new install has default...but your older box that you are interested had it changed.

alan
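
The shared-secret mismatch discussed in this thread, as an added example that is not part of the original messages: it implements the RFC 2865 User-Password hiding and Response Authenticator calculations to show why a wrong secret turns test1 into junk on the server and makes the client reject the reply's signature. The secrets, the Request Authenticator and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not taken from the thread).
CLIENT_SECRET = b"secret-on-the-client"
SERVER_SECRET = b"secret-on-the-server"
REQUEST_AUTH = bytes(range(16))  # 16-byte Request Authenticator

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a 16-byte multiple, XOR with an MD5 chain."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Receiver side: the same chain, keyed with the receiver's own secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def has_unprintable(value: bytes) -> bool:
    """Hypothetical check: bytes outside printable ASCII hint at a wrong secret."""
    return any(b < 0x20 or b > 0x7E for b in value)

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + Request Auth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_valid(code, ident, attrs, received, request_auth, secret) -> bool:
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)

def demo():
    """Client and server disagree on the secret, as in the failing test."""
    hidden = hide_password(b"test1", CLIENT_SECRET, REQUEST_AUTH)
    seen_by_server = recover_password(hidden, SERVER_SECRET, REQUEST_AUTH)
    # Access-Reject (code 3), id 50, no attributes: a 20-byte reply.
    reject = response_authenticator(3, 50, b"", REQUEST_AUTH, SERVER_SECRET)
    accepted = reply_is_valid(3, 50, b"", reject, REQUEST_AUTH, CLIENT_SECRET)
    return seen_by_server, accepted

if __name__ == "__main__":
    junk, accepted = demo()
    print("server recovers:", junk)
    print("client accepts the reply:", accepted)
```

With matching secrets the same functions round-trip the password and validate the reply, which is the behaviour of the working machine in the thread.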
How to know packet-type when using perl script
Hi,

I have added perl script execution to the recv-coa section in my coa virtual server. In the script I want to do a different operation depending on whether I am getting a CoA-Request or a Disconnect-Request.

How do I do that? How can I tell which packet-type arrives in the perl script?
Setting realm from called station id regex
Hello,

I have some devices that report to radius accounting but do not do any authentication or authorization. For these sessions in accounting, I would like to set a realm based on the called station id. The called station id ends with a colon and the SSID. I thought I could write a simple regular expression for the ssid and set the realm. Here is what I have right now, but it does not seem to be working:

DEFAULT Called-Station-Id =~ myssid
        Realm = myrealm

Any help is greatly appreciated.

Chris
Re: Setting realm from called station id regex
On 23/07/12 16:03, Christopher Manigan wrote:
> Hello,
>
> I have some devices that report to radius accounting but do not do any authentication or authorization. For these sessions in accounting, I would like to set a realm based on the called station id. The called station id ends with a colon and the SSID. I thought I could write a simple regular expression for the ssid and set the realm. Here is what I have right now, but it does not seem to be working:
>
> DEFAULT Called-Station-Id =~ myssid
>         Realm = myrealm

That's probably updating the reply, which is not even meaningful for accounting.

You need to use unlang, so that you can specify which variable list to update. For example:

preacct {
    if (Calling-Station-Id =~ /myssid/) {
        update request {
            Realm := myrealm
        }
    }
}
RE: Setting realm from called station id regex
That worked, thanks. Just had to fix your example from calling to called. Other than that, perfect.

Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org [freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Monday, July 23, 2012 11:29 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Setting realm from called station id regex

On 23/07/12 16:03, Christopher Manigan wrote:
> Hello,
>
> I have some devices that report to radius accounting but do not do any authentication or authorization. For these sessions in accounting, I would like to set a realm based on the called station id. The called station id ends with a colon and the SSID. I thought I could write a simple regular expression for the ssid and set the realm. Here is what I have right now, but it does not seem to be working:
>
> DEFAULT Called-Station-Id =~ myssid
>         Realm = myrealm

That's probably updating the reply, which is not even meaningful for accounting.

You need to use unlang, so that you can specify which variable list to update. For example:

preacct {
    if (Calling-Station-Id =~ /myssid/) {
        update request {
            Realm := myrealm
        }
    }
}