cisco freeradius problems

2007-11-07 Thread Edgars Makņa

Hello
I have interesting problems with freeradius authentication.
NAS - cisco 2801
radius - freeradius running on freebsd with mysql db.
I had a lot of such errors in radius.log:
Auth: Login incorrect (rlm_pap: CRYPT password check failed): 
[1-102/D\014\003\222\374\267plaza port 0)
In debug output I get "unprintable characters". At the same time,
authentication was working fine from other hosts, for example the smtp server.
The problem was solved in an interesting way: on the cisco I specified the radius
source interface. It was working fine until the mysql server crashed and I got the
same garbage in authentication. I removed the radius source interface from the
cisco configuration and everything started to work fine again.

Any ideas?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: cisco freeradius problems

2007-11-08 Thread Edgars Makņa

Nobody changed that secret. It's the same for both hosts.
The cisco IOS is almost the freshest version. OK, I will try to dig in the
cisco-nas mailing list.


Alan DeKok wrote:
> Edgars Makņa wrote:
>> a) not possible
>> b) with client you mean cisco or end user?
>
>   RADIUS client.
>
>> c) not possible
>
>   Then I guess the problem isn't happening.
>
>   When you said that it doesn't work with one IP, but does work with the
> other, that means that the shared secrets are wrong.  They're wrong on
> the Cisco end, or in FreeRADIUS.  There isn't much else that can cause
> those problems.
>
>   This isn't magic.  There are always a very small number of causes for
> such problems.
>
>   a) it's magic (transient memory fault, etc.)
>   b) someone mis-typed a shared secret
>
>   Which one is more likely?
>
>   Alan DeKok.

Re: cisco freeradius problems

2007-11-08 Thread Edgars Makņa

a) not possible
b) with client you mean cisco or end user?
c) not possible

Alan DeKok wrote:
> Edgars Makņa wrote:
>> No, shared secret was not wrong, for this case I used "special" secret,
>> on both hosts in configuration - 1
>> From one works, from other no.
>> Nothing more was changed.
>
>   (a) the shared secret is wrong
>   (b) the client is buggy
>   (c) the client really is sending a garbage password
>
>   Alan DeKok.

Re: cisco freeradius problems

2007-11-08 Thread Edgars Makņa
No, shared secret was not wrong, for this case I used "special" secret,
on both hosts in configuration - 1

From one works, from other no.
Nothing more was changed.

Alan DeKok wrote:
> Edgars Makņa wrote:
>> Hello
>> I have interesting problems with freeradius authentication.
>> NAS - cisco 2801
>> radius - freeradius running on freebsd with mysql db.
>> I had a lot of such errors in radius.log:
>> Auth: Login incorrect (rlm_pap: CRYPT password check failed):
>> [1-102/D\014\003\222\374\267
>
>   Then the shared secret is wrong.
>
>> At the same time
>> authentication was working fine from other hosts, for example smtp server.
>
>   The shared secret is different for each host.
>
>> Problem was solved in interesting way, on cisco I specified radius
>> source interface.
>
>   Which changes the IP address seen by the server, meaning it uses a
> different shared secret.
>
>> It was working fine until mysql server crashed and I got
>> same garbage in authentication. I removed source radius interface from
>> cisco configuration and everything started to work fine again.
>> Any ideas?
>
>   You mistyped something in MySQL, started RADIUS, noticed a problem,
> and then re-started both MySQL and RADIUS.
>
>   Alan DeKok.
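
Why a per-client secret mismatch shows up as "unprintable characters", as an added example (not code from the thread or from FreeRADIUS): PAP User-Password hiding per RFC 2865 section 5.2, with a server that selects the shared secret by packet source IP. The addresses, secrets, password and fixed authenticator are constructed.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: User-Password hiding, RFC 2865 section 5.2."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, derived from the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

# Constructed client table: the server picks the secret by packet source IP.
CLIENTS = {"192.0.2.1": b"secret-A", "192.0.2.2": b"secret-B"}

def server_view(src_ip: str, hidden: bytes, authenticator: bytes) -> bytes:
    return recover_password(hidden, CLIENTS[src_ip], authenticator)

def has_unprintable(pw: bytes) -> bool:
    return any(b < 0x20 or b > 0x7E for b in pw)

def demo():
    authenticator = bytes(range(16))   # constructed; random on the wire
    password = b"example-pass"         # constructed
    hidden = hide_password(password, b"secret-A", authenticator)  # NAS holds secret-A
    ok = server_view("192.0.2.1", hidden, authenticator)
    bad = server_view("192.0.2.2", hidden, authenticator)  # other source interface
    return ok, bad

if __name__ == "__main__":
    ok, bad = demo()
    print("matching secret:  ", ok)
    print("mismatched secret:", bad, "unprintable:", has_unprintable(bad))
```

Unless Message-Authenticator is used, nothing in a plain Access-Request lets the server distinguish a wrong secret from a wrong password; it simply compares the garbage against the stored password and logs a failed login.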

Re: Ideal SO and hardware for FreeRadius+MySQL

2012-10-30 Thread Edgars Makņa
Oh my, any linux/bsd system with 128MB of RAM or you can even try a 
http://www.raspberrypi.org/ :) 
- Original Message -

From: "fknet"  
To: freeradius-users@lists.freeradius.org 
Sent: Tuesday, October 30, 2012 12:31:54 PM 
Subject: Re: Ideal SO and hardware for FreeRadius+MySQL 

What virtual machine do you recommend, Alan?

thanks 

On 30/10/2012 07:49, Alan DeKok wrote:
> Bjørn Mork wrote:
>> You're right. Time to save some power replacing all those idling x86
>> CPUs with last year's phones :-)
> Most people with small RADIUS systems should really be running them in
> a VM. There are few reasons to run dedicated hardware for ~10K users.
>
> Alan DeKok.

reconnecting to mysql

2013-09-17 Thread Edgars Makņa

Hello, 

I just set up 2.2.0 from freebsd ports. In the testing environment it looks okay
except for this error:
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 
rlm_sql_mysql: Starting connect to MySQL server for #1 
rlm_sql (sql): Connected new DB handle, #1 

It appears on every second authorization attempt. Ping to the mysql server runs
fine, other DBs work without any clue.
Google didn't give me any answers about this problem.

rad_recv: Access-Request packet from host 127.0.0.1 port 27983, id=47, 
length=50 
User-Name = "2-40" 
User-Password = "PjTKX2Ln" 
Framed-Protocol = PPP 
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[chap] returns noop 
++[mschap] returns noop 
++[digest] returns noop 
[suffix] No '@' in User-Name = "2-40", looking up realm NULL 
[suffix] No such realm "NULL" 
++[suffix] returns noop 
[eap] No EAP-Message, not doing EAP 
++[eap] returns noop 
[sql] expand: %{User-Name} -> 2-40 
[sql] sql_set_user escaped user --> '2-40' 
rlm_sql (sql): Reserving sql socket id: 2 
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE 
username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribu 
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 
rlm_sql_mysql: Starting connect to MySQL server for #2 
rlm_sql (sql): Connected new DB handle, #2 
[sql] User found in radcheck table 
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE 
username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribu 
[sql] expand: SELECT groupname FROM radusergroup WHERE username = 
'%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergrou 
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck 
WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, grou 
[sql] User found in group Plaza20 
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply 
WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, grou 
rlm_sql (sql): Released sql socket id: 2 
++[sql] returns ok 
++[expiration] returns noop 
++[logintime] returns noop 
[pap] WARNING: Auth-Type already set. Not setting to PAP 
++[pap] returns noop 
Found Auth-Type = PAP 
# Executing group from file /usr/local/etc/raddb/sites-enabled/default 
+- entering group PAP {...} 
[pap] login attempt with password "PjTKX2Ln" 
[pap] Using CRYPT password "PCA82A.D836/k" 
[pap] User authenticated successfully 
++[pap] returns ok 
Login OK: [2-40/PjTKX2Ln] (from client localhost port 0) 
# Executing section post-auth from file 
/usr/local/etc/raddb/sites-enabled/default 
+- entering group post-auth {...} 
[sql] expand: %{User-Name} -> 2-40 
[sql] sql_set_user escaped user --> '2-40' 
[sql] expand: %{User-Password} -> PjTKX2Ln 
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES 
( '%{User-Name}', 
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, 
pass, reply, authdate) VALUES ( 
rlm_sql (sql): Reserving sql socket id: 1 
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN 
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 
rlm_sql_mysql: Starting connect to MySQL server for #1 
rlm_sql (sql): Connected new DB handle, #1 
rlm_sql (sql): Released sql socket id: 1 
++[sql] returns ok 
++[exec] returns noop 
Sending Access-Accept of id 47 to 127.0.0.1 port 27983 
Finished request 1. 
Going to the next request 
Waking up in 4.9 seconds. 
Cleaning up request 1 ID 47 with timestamp +51 
Ready to process requests. 


Thanks. 