Re: Radius reject the request

2012-07-23 Thread Reza Hajjizadeh
I finally installed a new radius server (for practice, so that I know nothing
is mismatched)
and edited the correct users file, but radius rejects me again.
Linux is so difficult :d
The new debug output is attached.
The firewall is disabled.

Thanks and Best Regards
FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Jul 23 2012 at 10:00:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = radiusd
prefix = /usr/local
localstatedir = /usr/local/var
sbindir = /usr/local/sbin
logdir = /usr/local/var/log/radius
run_dir = /usr/local/var/run/radiusd
libdir = /usr/local/lib
radacctdir = 

Re: Radius reject the request

2012-07-23 Thread Fajar A. Nugraha
On Mon, Jul 23, 2012 at 1:47 PM, Reza Hajjizadeh hajjiza...@gmail.com wrote:
 I finally installed a new radius server (for practice, so that I know nothing
 is mismatched)
 and edited the correct users file, but radius rejects me again.

Really? The debug log shows otherwise:

# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
...
++[files] returns noop
...
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.


That means the files module did not do anything (i.e. it didn't find a
line matching the request). From the initialization section:

 Module: Instantiating module files from file
/usr/local/etc/raddb/modules/files
  files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
  }

Did you edit the file shown in usersfile? Did you follow the example
there? What does it contain now?


 Linux is so difficult :d

Not if you use common sense. Most software (including FR) contains
pretty good documentation (including comments in the configuration
file). But you need to read it.

The alternative is actually easy: hire someone capable of doing it for you.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radius reject the request

2012-07-23 Thread Reza Hajjizadeh
Thanks for your help,

Really? The debug log shows otherwise:

 # Executing section authorize from file
 /usr/local/etc/raddb/sites-enabled/default
 +- entering group authorize {...}
 ...
 ++[files] returns noop
 ...
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.


 That means the files module did not do anything (i.e. it didn't find a
 line matching the request). From the initialization section:

  Module: Instantiating module files from file
 /usr/local/etc/raddb/modules/files
   files {
 usersfile = /usr/local/etc/raddb/users
 acctusersfile = /usr/local/etc/raddb/acct_users
 preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 compat = no
   }

 Did you edit the file shown in usersfile?

 Yes, I edited the users file at the shown path.

 Did you follow the example

 Yes, the example in the file and on wiki.freeradius.org.

 there? What does it contain now?

 testuser Cleartext-Password := Test

I'm trying to get started with Linux, reading from freeradius.org.
Thanks, that helps me.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius reject the request

2012-07-23 Thread Fajar A. Nugraha
On Mon, Jul 23, 2012 at 3:42 PM, Reza Hajjizadeh hajjiza...@gmail.com wrote:

 Did you edit the file shown in usersfile?

  Yes, I edited the users file at the shown path.

The debug log doesn't lie.

If the files module says noop in the authorization phase, it usually means:
- the file FR reads doesn't contain the entry, OR
- the file FR reads doesn't contain the entry in the correct format, OR
- you haven't restarted FR since the last time you edited the users file


 Did you follow the example

  Yes, the example in the file and on wiki.freeradius.org.

 there? What does it contain now?

  testuser Cleartext-Password := Test

You tested with:

rad_recv: Access-Request packet from host 127.0.0.1 port 33550, id=60, length=78
User-Name = testuser
User-Password = 123456

I'm guessing it's simply a matter of incorrect edits. Recheck the
files carefully, make sure (again) that you edit the correct file,
with the correct format and the correct entry (in this case, pick
either Test or 123456 as the password, but be consistent about it),
and make sure you restart FR afterwards (ctrl-C and rerun the command,
if running in debug mode).

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
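A constructed re-enactment of Fajar's reasoning, added here and not FreeRADIUS code: a minimal users-file parser plus a files stage and a pap stage, showing that the entry Reza posted yields files=ok and pap=reject for the request in the debug log, so a files=noop means the server read a file that does not contain that entry. It treats every check item as a control-list assignment and ignores reply items, which is all the thread's entry needs.

```python
import re

# One check item: "<Attribute> <op> <value>", value optionally double-quoted.
CHECK_ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*"?([^",]*)"?\s*$')

def parse_users_file(text):
    """Parse single-line 'users' entries: '<name> <Attr> <op> <value>[, ...]'.
    Comments and indented reply-item continuation lines are skipped.
    A malformed check item raises ValueError (Fajar's 'incorrect format' case)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line[0].isspace():
            continue
        name, _, rest = line.partition(" ")
        checks = {}
        for item in (rest.split(",") if rest.strip() else []):
            m = CHECK_ITEM.match(item)
            if not m:
                raise ValueError(f"users line {lineno}: bad check item {item.strip()!r}")
            checks[m.group(1)] = m.group(3)
        entries.append((name, checks))
    return entries

def files_authorize(entries, request):
    """The first entry named after the User-Name (or DEFAULT) supplies the
    'known good' control items and the module returns ok; no matching entry is
    the '++[files] returns noop' seen in the debug output."""
    for name, checks in entries:
        if name in ("DEFAULT", request.get("User-Name")):
            return "ok", dict(checks)
    return "noop", {}

def pap_authenticate(request, control):
    """Compare the request's User-Password with the Cleartext-Password that the
    authorize stage placed in the control items."""
    good = control.get("Cleartext-Password")
    if good is None:
        return "noop"  # "[pap] WARNING! No known good password found for the user."
    return "ok" if request.get("User-Password") == good else "reject"

def handle(users_text, request):
    """Run both stages and return (files_rc, pap_rc)."""
    files_rc, control = files_authorize(parse_users_file(users_text), request)
    return files_rc, pap_authenticate(request, control)

# Constructed inputs mirroring the thread: the users entry Reza posted and the
# Access-Request the debug log shows (password 123456, not Test).
USERS = "testuser Cleartext-Password := Test\n"
REQUEST = {"User-Name": "testuser", "User-Password": "123456"}

if __name__ == "__main__":
    print(handle(USERS, REQUEST))                                # ('ok', 'reject')
    print(handle(USERS, {**REQUEST, "User-Password": "Test"}))   # ('ok', 'ok')
    print(handle(USERS, {**REQUEST, "User-Name": "bob"}))        # ('noop', 'noop')
```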


Problems with Freeradius password encryption

2012-07-23 Thread Andrei Petru Mura
I'm trying to do some performance tests with FR 2.1.10, using the radperf
tool. I have two different machines with freeradius installed on them. On
one of them the test is going well for now, but on the other (the one I'm
more interested in) the test fails with the following error:

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=50,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)!  (Shared secret is incorrect.)

Below I'll put the output from the freeradius run with -XXX, with some
comments on it:

rad_recv: Access-Request packet from host 127.0.0.1 port 38027, id=50,
length=45
User-Name = test1
User-Password = \340V#\307\177\221\034\355\366M\255\364\271\340\253

/*** comment 1:
the User-Password on the machine with the well-working freeradius isn't
encrypted. It simply looks like this:

User-Password = test1

***/

Mon Jul 23 11:36:48 2012 : Info: # Executing section authorize from file
/netnfork/radius//etc/raddb/sites-enabled/default
Mon Jul 23 11:36:48 2012 : Info: +- entering group authorize {...}
Mon Jul 23 11:36:48 2012 : Info: ++[preprocess] returns ok
Mon Jul 23 11:36:48 2012 : Info: ++[chap] returns noop
Mon Jul 23 11:36:48 2012 : Info: [suffix] No '@' in User-Name = test1,
looking up realm NULL
Mon Jul 23 11:36:48 2012 : Info: [suffix] No such realm NULL
Mon Jul 23 11:36:48 2012 : Info: ++[suffix] returns noop
Mon Jul 23 11:36:48 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Jul 23 11:36:48 2012 : Info: ++[eap] returns noop
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: %{User-Name} - test1
Mon Jul 23 11:36:48 2012 : Info: [sql] sql_set_user escaped user -- 'test1'
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: SELECT id, UserName,
Attribute, Value, Op   FROM radcheck   WHERE Username = '%{SQL-User-Name}'
  ORDER BY id - SELECT id, UserName, Attribute, Value, Op   FROM radcheck
  WHERE Username = 'test1'   ORDER BY id
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 5
Mon Jul 23 11:36:48 2012 : Info: [sql] User found in radcheck table
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: SELECT id, UserName,
Attribute, Value, Op   FROM radreply   WHERE Username = '%{SQL-User-Name}'
  ORDER BY id - SELECT id, UserName, Attribute, Value, Op   FROM radreply
  WHERE Username = 'test1'   ORDER BY id
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: query affected rows =
0 , fields = 5
Mon Jul 23 11:36:48 2012 : Info: [sql] expand: SELECT GroupName FROM
radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority - SELECT
GroupName FROM radusergroup WHERE UserName='test1' ORDER BY priority
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql_postgresql: query affected rows =
0 , fields = 1
Mon Jul 23 11:36:48 2012 : Debug: rlm_sql (sql): Released sql socket id: 0
Mon Jul 23 11:36:48 2012 : Info: ++[sql] returns ok
Mon Jul 23 11:36:48 2012 : Info: ++[expiration] returns noop
Mon Jul 23 11:36:48 2012 : Info: ++[logintime] returns noop
Mon Jul 23 11:36:48 2012 : Info: ++[pap] returns updated
Mon Jul 23 11:36:48 2012 : Info: Found Auth-Type = PAP
Mon Jul 23 11:36:48 2012 : Info: # Executing group from file
/netnfork/radius//etc/raddb/sites-enabled/default
Mon Jul 23 11:36:48 2012 : Info: +- entering group PAP {...}
Mon Jul 23 11:36:48 2012 : Info: [pap] login attempt with password
�V#�??��M�
Mon Jul 23 11:36:48 2012 : Info: [pap] Using clear text password test1
Mon Jul 23 11:36:48 2012 : Info: [pap] Passwords don't match
Mon Jul 23 11:36:48 2012 : Info: ++[pap] returns reject

/*** comment 2:

the last four lines in the well-working server are:

Mon Jul 23 11:32:15 2012 : Info: [pap] login attempt with password test92
Mon Jul 23 11:32:15 2012 : Info: [pap] Using clear text password test92
Mon Jul 23 11:32:15 2012 : Info: [pap] User authenticated successfully
Mon Jul 23 11:32:15 2012 : Info: ++[pap] returns ok

***/


Mon Jul 23 11:36:48 2012 : Info: Failed to authenticate the user.
Mon Jul 23 11:36:48 2012 : Debug:   WARNING: Unprintable characters in the
password.  Double-check the shared secret on the server and the NAS!
Mon Jul 23 11:36:48 2012 : Info: Using Post-Auth-Type Reject
Mon Jul 23 11:36:48 2012 : Info: # Executing group from file
/netnfork/radius//etc/raddb/sites-enabled/default
Mon Jul 23 11:36:48 2012 : Info: +- entering group REJECT {...}
Mon Jul 23 11:36:48 2012 : Info: [attr_filter.access_reject] expand:
%{User-Name} - test1
Mon Jul 23 11:36:48 2012 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Mon Jul 23 11:36:48 2012 : Info: ++[attr_filter.access_reject] returns
updated
Mon Jul 23 11:36:48 2012 : Info: Delaying reject of request 3 for 1 seconds
Mon Jul 

Re: Radius reject the request

2012-07-23 Thread alan buxey
Hi,

 I install a new radius server as last,(for practice that know nothing
 is mismatch)
 and edit the correct users file, but radius reject me again.

okay.. I'll believe you that you edited the correct file.

and you say you did

testuser   with password Test

okay... so let's look at the output:

 rad_recv: Access-Request packet from host 127.0.0.1 port 33550, id=60, 
 length=78
   User-Name = testuser
   User-Password = 123456
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 10
   Message-Authenticator = 0xd65e729657b704159f09d0feb24eeed8


hmmm, oh wait! the request is for 'testuser' with password '123456'


so, unless you expect some random magic to occur, this isn't going to work.

either send the correct request, or put the correct password into the users file



blaming Linux for being difficult?  


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius down and shows Error: ASSERT FAILED modcall.c[106]: (p->type > MOD_SINGLE) && (p->type <= MOD_POLICY)

2012-07-23 Thread alan buxey
Hi,

 I found my freeradius is down and it shows the log below
 
 Sun Jul 22 06:25:05 2012 : Info:  Module: Reloaded module detail
 Sun Jul 22 06:25:05 2012 : Info:  Module: Reloaded module pap
 Sun Jul 22 06:25:05 2012 : Info:  Module: Reloaded module radutmp
 Sun Jul 22 06:25:05 2012 : Info:  Module: Reloaded module suffix
 Sun Jul 22 06:25:05 2012 : Info:  Module: Reloaded module
 attr_filter.access_reject
 Sun Jul 22 06:25:05 2012 : Info:  Module: Reloaded module
 attr_filter.accounting_response
 Sun Jul 22 06:25:05 2012 : Info: Loaded virtual server inner-tunnel
 Sun Jul 22 06:25:05 2012 : Info: Loaded virtual server default
 Sun Jul 22 06:25:05 2012 : Error: ASSERT FAILED modcall.c[106]:
 (p->type > MOD_SINGLE) && (p->type <= MOD_POLICY)

what version? if not the latest from freeradius.org, then in the first
instance, upgrade your server as it may be a bug already fixed. after
upgrading, see if you can replicate the incident. if so, then read doc/bugs
and provide the required output


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with Freeradius password encryption

2012-07-23 Thread alan buxey
Hi,

tool. I have two different machines with freeradius installed on them. In
one of them the test is going well for now, but in the other (where I'm
more interested on) the test fails with the following error: 
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=50,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)!  (Shared secret is incorrect.)
   ^^

the debug output is telling you exactly what is wrong, and because the
User-Password is encrypted using the shared secret, if it doesn't match, then
test1 will become some string of junk

check your clients.conf file (or NAS table if done via SQL entries) for the
shared secret for the local host - you may find that the new install has the
default... but your older box that you are interested in had it changed.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
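An added Python illustration of the mechanism Alan describes, not FreeRADIUS or radperf code: RFC 2865 User-Password hiding (which turns "test1" into junk when the server's shared secret differs from the client's) and the Response Authenticator that rad_verify recomputes on the Access-Reject. The secrets, the fixed Request Authenticator and the packet id are constructed values; a real client uses 16 random bytes for the authenticator.

```python
import hashlib

ACCESS_REJECT = 3  # RADIUS packet code

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR each 16-byte block with MD5(secret + previous ciphertext block); the
    first 'previous block' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, authenticator):
    """The server-side inverse: with the wrong secret the keystream is wrong and
    the result is the 'string of junk' from the thread (NUL padding stripped)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")

def printable(password):
    """Constructed approximation of the check behind FreeRADIUS's
    'Unprintable characters in the password' warning."""
    return all(0x20 <= b < 0x7f for b in password)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    rad_verify recomputes this with the client's secret; a mismatch is the
    'invalid signature (err=2)! (Shared secret is incorrect.)' error."""
    length = 20 + len(attrs)  # 20-byte header plus attribute bytes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def demo():
    """Client and server with different shared secrets (constructed values)."""
    request_auth = bytes(range(16))
    client_secret, server_secret = b"testing123", b"wrong-secret"
    hidden = hide_password(b"test1", client_secret, request_auth)
    seen_by_server = reveal_password(hidden, server_secret, request_auth)
    # Access-Reject: code 3, id 50, no attributes, length 20, as in the thread.
    reject_auth = response_authenticator(ACCESS_REJECT, 50, b"", request_auth, server_secret)
    client_expects = response_authenticator(ACCESS_REJECT, 50, b"", request_auth, client_secret)
    return {
        "seen_by_server": seen_by_server,
        "server_sees_junk": seen_by_server != b"test1",
        "reject_verifies": reject_auth == client_expects,
    }

if __name__ == "__main__":
    print(demo())  # server_sees_junk: True, reject_verifies: False
```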


How to know packet-type when using perl script

2012-07-23 Thread moshe levi
Hi,

I have added perl script execution to the recv-coa section in my coa virtual
server.
In the script I want to do a different operation if I am getting a CoA-Request
or a Disconnect-Request.
How do I do that? How can I tell which packet-type arrived in the perl
script?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Setting realm from called station id regex

2012-07-23 Thread Christopher Manigan
Hello,


I have some devices that report to radius accounting but do not do any 
authentication or authorization.  For these sessions in accounting, I would 
like to set a realm based on the called station id.  The called station id ends 
with a colon and the SSID.  I thought I could write a simple regular expression 
for the ssid and set the realm.  Here is what I have right now, but it does not 
seem to be working:



DEFAULT Called-Station-Id =~ myssid
  Realm = myrealm



Any help is greatly appreciated.


Chris



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting realm from called station id regex

2012-07-23 Thread Phil Mayers

On 23/07/12 16:03, Christopher Manigan wrote:

Hello,


I have some devices that report to radius accounting but do not do any 
authentication or authorization.  For these sessions in accounting, I would 
like to set a realm based on the called station id.  The called station id ends 
with a colon and the SSID.  I thought I could write a simple regular expression 
for the ssid and set the realm.  Here is what I have right now, but it does not 
seem to be working:



DEFAULT Called-Station-Id =~ myssid
   Realm = myrealm


That's probably updating the reply, which is not even meaningful for 
accounting.


You need to use unlang, so that you can specify which variable list to 
update. For example:


preacct {
  if (Calling-Station-Id =~ /myssid/) {
update request {
  Realm := myrealm
}
  }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Setting realm from called station id regex

2012-07-23 Thread Christopher Manigan
That worked, thanks.  Just had to fix your example from calling to called.  
Other than that, perfect.

Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org 
[freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on 
behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Monday, July 23, 2012 11:29 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Setting realm from called station id regex

On 23/07/12 16:03, Christopher Manigan wrote:
 Hello,


 I have some devices that report to radius accounting but do not do any 
 authentication or authorization.  For these sessions in accounting, I would 
 like to set a realm based on the called station id.  The called station id 
 ends with a colon and the SSID.  I thought I could write a simple regular 
 expression for the ssid and set the realm.  Here is what I have right now, 
 but it does not seem to be working:



 DEFAULT Called-Station-Id =~ myssid
Realm = myrealm

That's probably updating the reply, which is not even meaningful for
accounting.

You need to use unlang, so that you can specify which variable list to
update. For example:

preacct {
   if (Calling-Station-Id =~ /myssid/) {
 update request {
   Realm := myrealm
 }
   }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html