2x authorize_check_query
Hi All! It's a situation in which I have two authorize_check_query. I'm using pppoe+sql and I also want to implement dhcp. But the thing is that when dhcp nas asks freeradius it uses mac address as username. So I want sth like two sql { } sections with two different authorize_check_query for two different auth types. Sorry for my lame eng. Big thanks! -- Regards! Maciej Drobniuch - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
Switch to the newest freeradius version. Maybe it will help.
2010/6/2 Andras Dosztal adosz...@gmail.com:
Hi, I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the Automatically use my Windows logon name and password on a WinXP client's PEAP properties. This is the output of radiusd -A -X:
rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15, length=194
    User-Name = E00\\user1
    Service-Type = Framed-User
    Framed-MTU = 1500
    Called-Station-Id = 00-26-CA-8D-A7-85
    Calling-Station-Id = 00-0B-CD-04-75-8C
    Attr-102 = 0x
    NAS-Port-Type = Ethernet
    NAS-Port = 50005
    NAS-Port-Id = FastEthernet0/5
    NAS-IP-Address = 10.128.128.1
    EAP-Message = 0x0201000e014530305c7573657231
    Proxy-State = 0x280646014009a74212c6bb2daec4f3110aa90d1af235
    Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = user1, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 1 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched entry user1 at line 88
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(uid=user1)'
radius_xlat: 'o=snac'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64
rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=snac, with filter (uid=user1)
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [user1/no User-Password attribute] (from client lan port 50005 cli 00-0B-CD-04-75-8C)
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
modcall[post-auth]: module ldap returns noop for request 0
modcall: leaving group REJECT (returns noop) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 10.128.128.3 port 1812
    Proxy-State = 0x280646014009a74212c6bb2daec4f3110aa90d1af235
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 4c06337d
Nothing to do. Sleeping until we see a request.
The with_ntdomain_hack directive is set to yes in the preprocess and mschap modules of radiusd.conf. When I set it to no and uncheck the Automatically use my Windows... and enter the user's credentials in a pop-up box, it's working fine. Could you guys help me with this problem? Thanks in advance. Regards, Andras
-- Regards! Maciej Drobniuch
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
In freeradius 2.x use ClearText-Password instead of User-Password!
2010/6/2 Andras Dosztal adosz...@gmail.com:
I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922 Regards, Andras
On Wed, 02 Jun 2010 12:35:11 +0200, Maciej Drobniuch mac...@drobniuch.pl wrote:
Switch to the newest freeradius version. Maybe it will help.
2010/6/2 Andras Dosztal adosz...@gmail.com:
Hi, I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the Automatically use my Windows logon name and password on a WinXP client's PEAP properties. This is the output of radiusd -A -X: [...] The with_ntdomain_hack directive is set to yes in the preprocess and mschap modules of radiusd.conf. When I set it to no and uncheck the Automatically use my Windows... and enter the user's credentials in a pop-up box, it's working fine.
-- Regards! Maciej Drobniuch
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
If you are using users file, you have it located there. exp:
testuser Cleartext-Password := test123
2010/6/2 Andras Dosztal adosz...@gmail.com:
Sorry for the dumb question, but where can I configure that?
On Wed, 02 Jun 2010 13:34:29 +0200, Maciej Drobniuch mac...@drobniuch.pl wrote:
In freeradius 2.x use ClearText-Password instead of User-Password!
2010/6/2 Andras Dosztal adosz...@gmail.com:
I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922
-- Regards! Maciej Drobniuch
Re: EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
I'm not using ldap (and I've never used it before) so try to find somewhere the variable User-Password and replace it with ClearText-Password.
2010/6/2 Andras Dosztal adosz...@gmail.com:
I'm using LDAP with an eDirectory backend.
On Wed, 02 Jun 2010 16:26:19 +0200, Maciej Drobniuch mac...@drobniuch.pl wrote:
If you are using users file, you have it located there. exp:
testuser Cleartext-Password := test123
2010/6/2 Andras Dosztal adosz...@gmail.com:
Sorry for the dumb question, but where can I configure that?
-- Regards! Maciej Drobniuch
freeradius 2.x EAP-MSCHAPv2 + MySQL
Hi ALL!! I'm trying to get authenticated with mikrotik wireless AP. All works but only when I add the user into the users file. The thing is that I want to get the users from mysql. In this moment the authentication requests are coming from PPPoE concentrator, and the users are in MySQL database - it works fine. The freeradius server while authenticating is not searching in the sql database. Why that? Please help and sorry for my lame eng.
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
My NAS-es are located in the clients file and they are working fine with pppoe auth.
2010/5/19 dorra aa dj_dido2...@hotmail.com:
hi, in sql.conf did you modify that line :readclients = no to readclients = yes ?
Date: Wed, 19 May 2010 13:52:59 +0200 Subject: freeradius 2.x EAP-MSCHAPv2 + MySQL From: mac...@drobniuch.pl To: freeradius-users@lists.freeradius.org
Hi ALL!! I'm trying to get authenticated with mikrotik wireless AP. All works but only when I add the user into the users file. The thing is that I want to get the users from mysql. In this moment the authentication requests are coming from PPPoE concentrator, and the users are in MySQL database - it works fine. The freeradius server while authenticating is not searching in the sql database. Why that? Please help and sorry for my lame eng.
-- Regards! Maciej Drobniuch
Re: Restricting access to NAS via http login authentication list
I think that only the NAS has the power to decide it. RADIUS sends only the accounts.
2010/5/19 Peter Carlstedt pc_...@hotmail.com:
Hello, Didn't really know what kind of title I should have given this one but I will try to explain what it is I am aiming for. The switches I use support both http and https login towards the switch to administrate it. The switch has support for using an authentication towards a radius server to check if the user wanting to login to the switch is an existing user in the radius server. The problem I have is that every user in the user file in Freeradius can access the switch when I'm using an authentication list which checks against the radius server. Is there any way to restrict so that only one specific user in the users file can get access to the NAS? Best regards/ Peter Carlstedt
-- Regards! Maciej Drobniuch
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
= 0x
State = 0xbd4bf931ba42e07726e24ebbe3a70713
Finished request 25.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 93.175.129.30 port 34473, id=48, length=186
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = mario
    State = 0xbd4bf931ba42e07726e24ebbe3a70713
    NAS-Port-Id = wlan1
    Calling-Station-Id = 00-24-23-05-18-62
    Called-Station-Id = 00-0E-8E-12-5C-0B:PROV
    EAP-Message = 0x0209002b190017030100206a58c78b2bc64359b7abccfc8811c5f762ad6a538bdc50e41414c76c5e1253be
    Message-Authenticator = 0x7a4f0112fc90130c87304c87def0ef94
    NAS-Identifier = MikroTik
    NAS-IP-Address = 192.168.1.141
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = mario, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - mario
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 26 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 93.175.129.30 port 34473, id=48, length=186
Waiting to send Access-Reject to client PROV -EST port 34473 - ID: 48
Waking up in 0.6 seconds.
2010/5/19 Maciej Drobniuch mac...@drobniuch.pl:
My NAS-es are located in the clients file and they are working fine with pppoe auth.
2010/5/19 dorra aa dj_dido2...@hotmail.com:
hi, in sql.conf did you modify that line :readclients = no to readclients = yes ?
Date: Wed, 19 May 2010 13:52:59 +0200 Subject: freeradius 2.x EAP-MSCHAPv2 + MySQL From: mac...@drobniuch.pl To: freeradius-users@lists.freeradius.org
Hi ALL!! I'm trying to get authenticated with mikrotik wireless AP. All works but only when I add the user into the users file. The thing is that I want to get the users from mysql. In this moment the authentication requests are coming from PPPoE concentrator, and the users are in MySQL database - it works fine. The freeradius server while authenticating is not searching in the sql database. Why that? Please help and sorry for my lame eng.
-- Regards! Maciej Drobniuch
-- Regards! Maciej Drobniuch
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Maybe you did not understand me, but when the mario user is in files all works fine but when not the freeradius isn't asking the sql. I'm using EAP PEAP MSCHAPv2. The sql is enabled and it works fine with pap, chap, mschap, mschapv2 on pppoe concentrators, but while using EAP it isn't working. Here is the whole debug: http://testowy.langw.net/text.txt
2010/5/19 Alan DeKok al...@deployingradius.com:
Maciej Drobniuch wrote:
The freeradius server while authenticating is not searching in the sql database. Why that?
You didn't configure it. What does the debug log say?
Alan DeKok.
-- Regards! Maciej Drobniuch
Re: freeradius 2.x EAP-MSCHAPv2 + MySQL
Thanks Alan, I did not know about the inner-tunnel. Now everything works fine. BIG THANKS TO ALL!!
2010/5/19 Alan DeKok al...@deployingradius.com:
Maciej Drobniuch wrote:
Maybe you did not understand me, but when the mario user is in files all works fine but when not the freeradius isn't asking the sql.
Because you didn't configure it to ask SQL.
I'm using EAP PEAP MSCHAPv2
Did you edit raddb/sites-available/inner-tunnel?
The sql is enabled
Where?
Here is the whole debug: http://testowy.langw.net/text.txt
Can you read it?
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
This is pretty obvious. Now read *backwards* from that. You'll see that there's no mention of SQL, but there is some text:
Sending tunneled request
    EAP-Message = ...
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = mario
    State = 0x66cdb16066c5abec558fec6768936d41
server inner-tunnel {
It's telling you that it's running the inner-tunnel virtual server. Did you edit it? It looks like you didn't. Should you edit it? Absolutely.
Alan DeKok.
-- Regards! Maciej Drobniuch
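Added example, not part of the original thread: the point of the reply above is that the PEAP inner request is processed by the inner-tunnel virtual server, so a module enabled only in the default server is never called for it. The Python sketch below lists the modules each virtual server's section calls; the configuration text is a constructed sample in FreeRADIUS 2.x syntax, and modules_called is a hypothetical helper, not a FreeRADIUS tool.

```python
import re

# Constructed sample in FreeRADIUS 2.x virtual-server syntax (not the poster's files).
SAMPLE_CONFIG = """
server default {
    authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        sql
        pap
    }
}

server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        #  sql        # still commented out: tunneled requests never reach SQL
        pap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
"""

# Block keywords that look like a bare word but are not module names.
KEYWORDS = {"group", "redundant", "load-balance", "redundant-load-balance", "else"}
BARE_WORD = re.compile(r"^-?[A-Za-z_][\w.-]*$")


def modules_called(config_text, server, section):
    """Return the module names called in `section` of virtual server `server`.

    Simplification: '#' always starts a comment, and every '{' or '}' sits at
    the end of its own line, as in the stock configuration files.
    """
    stack = []   # headers of the blocks we are currently inside
    found = []

    def in_section():
        return (len(stack) >= 2
                and stack[0] == "server " + server
                and stack[1] == section)

    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        opens_block = line.endswith("{")
        name = " ".join(line.rstrip("{").split())
        # A bare word is a module call, with or without an override block.
        if in_section() and BARE_WORD.match(name) and name not in KEYWORDS:
            found.append(name)
        if opens_block:
            stack.append(name)
    return found


if __name__ == "__main__":
    for srv in ("default", "inner-tunnel"):
        mods = modules_called(SAMPLE_CONFIG, srv, "authorize")
        print(srv, "authorize calls sql:", "sql" in mods, mods)
```

Run against real files, the text of raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel would be concatenated and passed as config_text.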
Mikrotik as NAS with PPPoE - checkval
Hi! I want to bind a login with Calling-Station-Id but I've got problems...
*I've added the Calling-Station-Id to mysql radcheck table.
*I've turned on the rlm_checkval by adding it into authorize section
*I've set the notfound-reject variable to yes
I get the following errors in debug:
rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
What is the problem? Please help! Thanks for all!!!
-- Maciej Drobniuch
Re: Mikrotik as NAS with PPPoE - checkval
I want to check by the pppd 3 attributes that must match:
-Login
-Password
-MAC Address
So someone on another machine who uses the login and the password will be rejected. The mikrotik NAS doc shows that there is a Calling-Station-ID http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php I want EVERYONE to be checked for the calling station id. Thank you for the reply.
On Wed, 20 Aug 2008 11:26:05 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
I want to bind a login with Calling-Station-Id but I've got problems...
*I've added the Calling-Station-Id to mysql radcheck table.
*I've turned on the rlm_checkval by adding it into authorize section
*I've set the notfound-reject variable to yes
I get the following errors in debug:
rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
What is the problem?
Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck.
Ivan Kalik Kalik Informatika ISP
-- Maciej Drobniuch
RE: Mikrotik as NAS with PPPoE - checkval
Thank you for the reply but you did miss the point of Calling-Station-ID. Greetz!
On Wed, 20 Aug 2008 12:05:58 +, Santiago Balaguer García [EMAIL PROTECTED] wrote:
Yes, you needn't. What you need is to create a normal user account and add these attributes in radreply: Framed-Protocol = PPP, Framed-IP-Address = 10.0.0.x, Framed-IP-Netmask = 255.255.255.0, Be careful because you have to modify the ppp profiles in the Mikrotik client in the option /ppp profiles. You have to set the remote address with the PPP gateway. See the next example where my PPP gateway is 10.200.0.10
/ppp profile set default change-tcp-mss=yes comment= name=default only-one=default \
    remote-address=10.200.0.10 use-compression=default use-encryption=default \
    use-vj-compression=default
you set the pptp/l2tp client with this profile when you insert the username/password. You needn't to add Default route. If you need more help, ask for and I will send you my manual in Spanish. Santiago
To: freeradius-users@lists.freeradius.org Subject: Re: Mikrotik as NAS with PPPoE - checkval Date: Wed, 20 Aug 2008 11:26:05 +0100 From: [EMAIL PROTECTED]
I want to bind a login with Calling-Station-Id but I've got problems...
*I've added the Calling-Station-Id to mysql radcheck table.
*I've turned on the rlm_checkval by adding it into authorize section
*I've set the notfound-reject variable to yes
I get the following errors in debug:
rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
What is the problem?
Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck.
Ivan Kalik Kalik Informatika ISP
-- Maciej Drobniuch
Re: Mikrotik as NAS with PPPoE - checkval
It works now properly! BIG THANKS!
On Wed, 20 Aug 2008 14:40:12 +0200, Marinko Tarlac [EMAIL PROTECTED] wrote:
id - username - attribute - op
1139 gojko Calling-Station-Id 00:50:70:AE:04:54 ==
Mikrotik wants uppercase MAC address and OP must be ==
It works for me and you need to insert this in radcheck table
On Wed, Aug 20, 2008 at 2:34 PM, Maciej Drobniuch [EMAIL PROTECTED] wrote:
Thank you for the reply but you did miss the point of Calling-Station-ID. Greetz!
On Wed, 20 Aug 2008 12:05:58 +, Santiago Balaguer García [EMAIL PROTECTED] wrote:
Yes, you needn't. What you need is to create a normal user account and add these attributes in radreply: Framed-Protocol = PPP, Framed-IP-Address = 10.0.0.x, Framed-IP-Netmask = 255.255.255.0, Be careful because you have to modify the ppp profiles in the Mikrotik client in the option /ppp profiles. You have to set the remote address with the PPP gateway. See the next example where my PPP gateway is 10.200.0.10
/ppp profile set default change-tcp-mss=yes comment= name=default only-one=default \
    remote-address=10.200.0.10 use-compression=default use-encryption=default \
    use-vj-compression=default
you set the pptp/l2tp client with this profile when you insert the username/password. You needn't to add Default route. If you need more help, ask for and I will send you my manual in Spanish. Santiago
To: freeradius-users@lists.freeradius.org Subject: Re: Mikrotik as NAS with PPPoE - checkval Date: Wed, 20 Aug 2008 11:26:05 +0100 From: [EMAIL PROTECTED]
I want to bind a login with Calling-Station-Id but I've got problems...
*I've added the Calling-Station-Id to mysql radcheck table.
*I've turned on the rlm_checkval by adding it into authorize section
*I've set the notfound-reject variable to yes
I get the following errors in debug:
rlm_checkval: Item Name: Calling-Station-Id, Value: 00:11:22:33:44:55
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
What is the problem?
Why do you need checkval? User will be rejected if there is no Calling-Station-Id in the request anyway since you have that attribute in radcheck.
Ivan Kalik Kalik Informatika ISP
-- Maciej Drobniuch
-- Maciej Drobniuch
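Added example, not part of the original thread: the radcheck row quoted above works because a `==` check on a string attribute is an exact, case-sensitive comparison, so the stored MAC must use the same case and separator the NAS sends. The Python sketch below normalizes a MAC to the uppercase, colon-separated form from the thread before storing it; the in-memory SQLite table, the helper names and the comparison function are assumptions that model the check, not FreeRADIUS code.

```python
import re
import sqlite3


def normalize_mac(raw):
    """Return the MAC as uppercase, colon-separated octets (AA:BB:CC:DD:EE:FF)."""
    digits = re.sub(r"[-:.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_radcheck():
    """In-memory stand-in for the radcheck table (same column names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
        " attribute TEXT, op TEXT, value TEXT)"
    )
    return conn


def bind_user_to_mac(conn, username, raw_mac):
    """Store a Calling-Station-Id check item in the form the NAS will send."""
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value)"
        " VALUES (?, 'Calling-Station-Id', '==', ?)",
        (username, normalize_mac(raw_mac)),
    )


def calling_station_matches(conn, username, request_value):
    """Model of the '==' check: exact string equality against the request.

    A user with no Calling-Station-Id row has nothing to compare, so the
    check passes; binding every user means every user needs a row.
    """
    rows = conn.execute(
        "SELECT value FROM radcheck WHERE username = ?"
        " AND attribute = 'Calling-Station-Id' AND op = '=='",
        (username,),
    ).fetchall()
    return all(value == request_value for (value,) in rows)


if __name__ == "__main__":
    conn = open_radcheck()
    # Administrator typed the MAC with dashes and lowercase hex.
    bind_user_to_mac(conn, "gojko", "00-50-70-ae-04-54")
    for sent in ("00:50:70:AE:04:54", "00:50:70:ae:04:54", "00:11:22:33:44:55"):
        print(sent, calling_station_matches(conn, "gojko", sent))
```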
Re: How to assign default gateway?
It's possible when you are using PPPoE, but it's rather not possible to do that with freeradius (or any radius)
On Thu, 7 Aug 2008 13:25:05 -0400, Xiaochen Jing [EMAIL PROTECTED] wrote:
Hello all, Is that possible to assign users a default gateway while allocating dynamic IP addresses from IP pool? Thank you
-- Maciej Drobniuch
rlm_chap: Password check failed
Hi! I have a problem with chap authorization. PAP works fine but chap gives out this output: http://paste-it.net/public/id5f751/ Thanks! -- Maciej Drobniuch
Re: How to configure radius server
http://wiki.freeradius.org/HOWTO
http://www.google.com
It also depends on what do you want to bind with freeradius and what auth. mech. do you want to use. Just use uncle google ;]
On 15 Jul 2008 06:37:18 -, Sandeep [EMAIL PROTECTED] wrote:
Hi, all members of free radius..I install fras fedora9 and want to make radius server but I am new in this field is any body help me to do this. first of all please provide me step to step tutorials so that I can read it and install configure my server .. with testing PLEASE HELP ME Sandeep rohilla
-- Maciej Drobniuch
Re: Compiling client PAM files on Mac OS
1. Are all dependencies and includes satisfied? If yes, try moving them from a *nix system and put them into your build dir (edit properly pam_rad source code). [a guess]
2. If you are not a coder then you are located in a blackhole.
3. IMHO it's better to use slackintosh (http://workaround.ch/) than MacOSX.
4. Try to search over the net once more.
On Tue, 15 Jul 2008 10:02:22 +0200, Nicolas Goutte [EMAIL PROTECTED] wrote:
On 14.07.2008 at 17:09, Paul Goodman wrote:
Sorry, but this doesn't really help me very much. Are you saying that because Mac OS is neither BSD nor GNU, the client files cannot be compiled? If there is a way to get them compiled, what is it?
Sorry, I cannot help more, as neither I am the developer who wrote the code nor I have time to look at the problem. I have only tried to give hints to where the problem could be. I am sorry if that is too short for you. Have a nice day!
Nicolas Goutte wrote:
On 10.07.2008 at 18:28, Paul Goodman wrote:
Does anyone have some hacks to enable a clean compile on Mac OS X? When I try to run make, I get the following compile errors:
cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function ‘get_random_vector’:
pam_radius_auth.c:358: error: storage size of ‘tz’ isn’t known
pam_radius_auth.c:363: warning: implicit declaration of function ‘gettimeofday’
This would suggest that sys/time.h is not included.
pam_radius_auth.c:358: warning: unused variable ‘tz’
pam_radius_auth.c: In function ‘talk_radius’:
pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
pam_radius_auth.c: In function ‘pam_sm_authenticate’:
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
make: *** [pam_radius_auth.o] Error 1
Is there something besides the X Code that I need to have installed?
Probably this is more a configuration problem, where MacOS is not BSD or even less GNU.
Have a nice day!
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Register court: Amtsgericht Münster / HRB: 5624 Tax no.: 337/5903/0421 / VAT ID: DE 204607841
-- Maciej Drobniuch
Strange password when authenticating via pppoe-server.
Hi! Now I have a new problem. When auth via radiusclient, everything works fine:
radtest steve testing localhost 1813 somesecret
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated successfully
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: calling exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: returned from exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 172.16.3.33
    Framed-IP-Netmask = 255.255.255.0
    Framed-Routing = Broadcast-Listen
    Framed-Filter-Id = std.ppp
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
I've also tried to auth using this command (and the login is also successful):
echo User-Name = steve, CHAP-Password = testing | radclient localhost auth somesecret
But when I tried to login from a client (windows xp) station using the pppoe-server (on the server) the debug output looks like this:
Force PAP(require-pap) on pppoe-server:
Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password ŞĂ23ćtn?? 8šľ1RĄ
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns updated
Force CHAP(require-chap) on PPPoE server:
Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: login attempt by steve with CHAP password
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Using clear text password testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 57 to 127.0.0.1 port 32770
Sat Jul 12 12:13:04 2008 : Debug: Finished request 0.
Sat Jul 12 12:13:04 2008 : Debug: Going to the next request
Sat Jul 12 12:13:04 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 12:13:09 2008 : Debug: Cleaning up request 0 ID 57 with timestamp +8
Sat Jul 12 12:13:09 2008 : Debug: Ready to process requests.
What's wrong again? Thanks!
-- Maciej Drobniuch
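Added example, not part of the original post: the server's warning in the PAP log ("Unprintable characters in the password. Double-check the shared secret on the server and the NAS!") follows from how RADIUS hides User-Password (RFC 2865, section 5.2), where the password is XORed with MD5(shared secret + Request Authenticator). The Python sketch below uses the user password and secret from the radtest command above; the second secret and the authenticator value are constructed, and the code shows the mechanism only, it does not diagnose the poster's setup.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, authenticator):
    """NAS side: hide User-Password as in RFC 2865, section 5.2."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # c(i) = p(i) XOR MD5(secret + c(i-1)); c(0) is the Request Authenticator
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def recover_user_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the server's copy of the secret."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed authenticator or User-Password")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def looks_printable(value):
    """True when every octet is printable ASCII (the kind of sanity check
    behind the 'Unprintable characters' warning)."""
    return bool(value) and all(0x20 <= b <= 0x7E for b in value)


# Constructed Request Authenticator; a real NAS picks 16 random octets.
AUTHENTICATOR = bytes(range(16))


def demo():
    """Hide 'testing' with 'somesecret', then decode with each secret."""
    hidden = hide_user_password(b"testing", b"somesecret", AUTHENTICATOR)
    same = recover_user_password(hidden, b"somesecret", AUTHENTICATOR)
    # "othersecret" is a constructed mismatching secret.
    other = recover_user_password(hidden, b"othersecret", AUTHENTICATOR)
    return same, other


if __name__ == "__main__":
    same, other = demo()
    print("matching secret  :", same, looks_printable(same))
    print("mismatched secret:", other, looks_printable(other))
```

With matching secrets the server recovers the typed password; with different secrets on the NAS and the server it recovers pseudo-random octets, which is what the log line "login attempt with password" shows as unreadable characters.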
Strange password when authenticating via pppoe-server.
Hi! Now I have a new problem. When auth via radiusclient, everything works fine:

radtest steve testing localhost 1813 somesecret

Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated successfully
Sat Jul 12 12:07:31 2008 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: calling exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: modsingle[post-auth]: returned from exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 172.16.3.33
    Framed-IP-Netmask = 255.255.255.0
    Framed-Routing = Broadcast-Listen
    Framed-Filter-Id = std.ppp
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP

I've also tried to auth using this command (and the login is also successful):

echo User-Name = steve, CHAP-Password = testing | radclient localhost auth somesecret

But when I tried to log in from a client (Windows XP) station using the pppoe-server (on the server), the debug output looks like this:

Force PAP (require-pap) on pppoe-server:

Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password ŞĂ23ćtn?? 8šľ1RĄ
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 12:11:23 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns updated

Force CHAP (require-chap) on PPPoE server:

Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: login attempt by steve with CHAP password
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Using clear text password testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug: rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug: Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 12:13:04 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 57 to 127.0.0.1 port 32770
Sat Jul 12 12:13:04 2008 : Debug: Finished request 0.
Sat Jul 12 12:13:04 2008 : Debug: Going to the next request
Sat Jul 12 12:13:04 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 12:13:09 2008 : Debug: Cleaning up request 0 ID 57 with timestamp +8
Sat Jul 12 12:13:09 2008 : Debug: Ready to process requests.

What's wrong again? Thanks!
-- Maciej Drobniuch
Re: Strange password when authenticating via pppoe-server.
. Sat Jul 12 15:54:03 2008 : Debug: Going to the next request
Sat Jul 12 15:54:03 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 15:54:08 2008 : Debug: Cleaning up request 0 ID 59 with timestamp +8
Sat Jul 12 15:54:08 2008 : Debug: Ready to process requests.

On Sat, 12 Jul 2008 12:25:44 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
Post the whole debug including the request. You have chopped off the front bit.
Ivan Kalik
Kalik Informatika ISP
Re: Strange password when authenticating via pppoe-server.
Now it works fine! The password in the radiusclient was misspelled. SORRY for trouble ;)

On Sat, 12 Jul 2008 12:25:44 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
Post the whole debug including the request. You have chopped off the front bit.
Ivan Kalik
Kalik Informatika ISP
rlm_pap: WARNING! No known good password found for the user.
Hi!

radtest fred somepass localhost 1813 somesecret
Sending Access-Request of id 102 to 127.0.0.1 port 1812
    User-Name = fred
    User-Password = somepass
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1813
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=102, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=102, length=56
    User-Name = fred
    User-Password = h\347`\005\270\202\336\336i~e\031\r\021[
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1813
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - fred
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 102 to 127.0.0.1 port 32770
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 102 with timestamp +151
Ready to process requests.

cat client.conf
client 127.0.0.1 {
    secret = somesecret
    shortname = localhost
    nastype = other
}

cat users
fred Cleartext-Password ==somepass
    Service-Type = Framed-User,
    Framed-Protocol = PPP
wilma Auth-Type := CHAP, User-password ==somepass
    Service-Type = Framed-User,
    Framed-Protocol = PPP
barney Auth-Type := MS-CHAP, User-Password == somepass
    Service-Type = Framed-User,
    Framed-Protocol = PPP

What's wrong with this line
User-Password = h\347`\005\270\202\336\336i~e\031\r\021[
???

Thanks for the support!
-- Maciej Drobniuch
Re: rlm_pap: WARNING! No known good password found for the user.
Hi! I've deleted the old /sbin /bin /raddb dirs and then I've executed make install in the freerad 2.0.5 dir... So what is the fastest and the cleanest way to remove the old version? Usually I use packages but I've had problems running radiusd when installing from them... Thanks and sorry for my lame eng.

On Fri, 11 Jul 2008 19:30:26 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
You probably have two instances of the server installed. These files don't belong to the server that is running.
Ivan Kalik
Kalik Informatika ISP

-- Maciej Drobniuch
Re: rlm_pap: WARNING! No known good password found for the user.
I've cleaned the mess up like you've said, but I've got new errors for you which are not familiar to me ;)

Fri Jul 11 21:17:56 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Fri Jul 11 21:17:56 2008 : Debug: auth: Failed to validate the user.

Am I using an old definition of Auth-Type in my users file? Or what?

fred Auth-Type := Local, Cleartext-Password ==somepass
    Service-Type = Framed-User,
    Framed-Protocol = PPP

With what should I replace the Auth-Type variable or variable name? Thanks for your tips!

On Fri, 11 Jul 2008 19:30:26 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
You probably have two instances of the server installed. These files don't belong to the server that is running.
Ivan Kalik
Kalik Informatika ISP

-- Maciej Drobniuch
Re: rlm_pap: WARNING! No known good password found for the user.
-07-11 at 21:21 +0200, Maciej Drobniuch wrote:
I've cleaned the mess up like you've said, but i've got new errors for you which are not familiar to me ;)
Fri Jul 11 21:17:56 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Fri Jul 11 21:17:56 2008 : Debug: auth: Failed to validate the user.
Am I using an old definition of Auth-Type in my users file? Or what ?
fred Auth-Type := Local, Cleartext-Password ==somepass Service-Type = Framed-User, Framed-Protocol = PPP
With what should i replace the Auth-Type variable or variable name? Thanks for your tips!

On Fri, 11 Jul 2008 19:30:26 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
You probably have two instances of the server installed. These files don't belong to the server that is running.
Ivan Kalik
Kalik Informatika ISP
CHAP-Password does NOT match local User-Password
Hi everyone! I'm a newbie in freeradius. I've tried several freeradius versions, but I always get the same error:

auth: user supplied CHAP-Password does NOT match local User-Password

Currently I'm using freeradius 1.0.5 and I want to bind it with the pppoe-server (accounts are mysql based). This is the ppp auth part of the radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=50, length=90
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = qweqwe
    CHAP-Password = 0x1a490e809284566aa959336e511314fe82
    Calling-Station-Id = 00:04:61:5C:14:11
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705
modcall[authorize]: module auth_log returns ok for request 0
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value 'qweqwe'
modcall[authorize]: module dwukropki returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = qweqwe, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
radius_xlat: 'qweqwe'
rlm_sql (sql): sql_set_user escaped user -- 'qweqwe'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op ??FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id'
rlm_sql_mysql: query: SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op ??FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [qweqwe] (from client localhost port 0 cli 00:04:61:5C:14:11)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 127.0.0.1:32772
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 486f753f
Nothing to do. Sleeping until we see a request.

Thanks for the support and sorry for my lame eng.
-- Maciej Drobniuch
Re: CHAP-Password does NOT match local User-Password
On Tue, 08 Jul 2008 18:49:48 +0200, Alan DeKok [EMAIL PROTECTED] wrote:
Upgrade to 2.0.5.
I had that version and the same error appeared.
You are forcing Auth-Type. Don't do that.
So, what must I force so as not to mess things up?
And the passwords don't match.
The passwords match. Do they have to be in plain text (in db) or some kind of a hash? How can I see what password (in plain, when auth in pap) comes in to freeradius from pppd?
THANKS FOR YOUR SUPPORT! Sorry for my lame eng.
-- Maciej Drobniuch
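On the plain-text-or-hash question in this thread: a CHAP-Password attribute is one CHAP identifier byte followed by MD5(identifier + password + challenge) (RFC 2865 section 5.3, RFC 1994), so the server can only check it against the cleartext password. The Python below is an added example, not code from the thread or from FreeRADIUS; the password and challenge are constructed, and only the CHAP-Password hex string is taken from the debug output above.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def chap_digest(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """The 16-byte CHAP response: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """CHAP-Password is 17 bytes: 1-byte CHAP identifier + 16-byte digest."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 bytes")
    return attr[0], attr[1:]


def pick_challenge(chap_challenge: Optional[bytes], request_auth: bytes) -> bytes:
    """Use CHAP-Challenge if the NAS sent one, else the Request Authenticator."""
    return chap_challenge if chap_challenge else request_auth


def verify_chap(attr: bytes, stored_value: bytes, challenge: bytes) -> bool:
    """Recompute the digest from whatever the user store holds and compare."""
    chap_id, received = split_chap_password(attr)
    expected = chap_digest(chap_id, stored_value, challenge)
    return hmac.compare_digest(received, expected)


# CHAP-Password value from the Access-Request in the debug output above.
PAGE_CHAP_PASSWORD = bytes.fromhex("1a490e809284566aa959336e511314fe82")


def demo() -> dict:
    # Constructed inputs: no CHAP-Challenge attribute, so the 16-byte
    # Request Authenticator serves as the challenge.
    challenge = pick_challenge(None, bytes(range(16, 32)))
    cleartext = b"testing"                      # constructed password
    attr = bytes([0x1A]) + chap_digest(0x1A, cleartext, challenge)

    # What a user table holding a hash instead of the password would contain.
    stored_md5_hex = hashlib.md5(cleartext).hexdigest().encode()

    page_id, page_digest = split_chap_password(PAGE_CHAP_PASSWORD)
    return {
        "cleartext_store": verify_chap(attr, cleartext, challenge),
        "hashed_store": verify_chap(attr, stored_md5_hex, challenge),
        "wrong_password": verify_chap(attr, b"testign", challenge),
        "page_chap_id": page_id,
        "page_digest_len": len(page_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only the cleartext store verifies; a store holding a hash fails exactly like a wrong password does, because the challenge is mixed in with the password before hashing.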